gh0strat | 6a83c655e2af8ecb8e74c9553de0a2ec2328d8bb14fd124c7c16ac510c9e4145

Analysis

max time kernel
133s
max time network
152s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
18-08-2024 03:53

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

a54952b68913b7187994684d58ffc099_JaffaCakes118.exe
Size

96KB
MD5

a54952b68913b7187994684d58ffc099
SHA1

e3ac1efd9549e5165cbca9ab4d3144e6672fed5d
SHA256

6a83c655e2af8ecb8e74c9553de0a2ec2328d8bb14fd124c7c16ac510c9e4145
SHA512

ed6696f77b146166fee5c0171e818102a748be2746d7e51feb3203dbdcabcf70e2363f5973b9788f96e3e9917f672d5d2f532e39f7fdcc244c741f68f5cda4a3
SSDEEP

1536:+6FusSx9qYMhdFHS8qdydo3nTzhYxJA+CwNUtBZVY9v8prEk3MSMKe7:+gS4jHS8q/3nTzePCwNUh4E9EfDKe7

Score

10^/10

gh0strat discovery rat

Malware Config

Signatures

Gh0st RAT payload 5 IoCs

resource	yara_rule
behavioral2/files/0x000d0000000233e0-15.dat	family_gh0strat
behavioral2/memory/1736-18-0x0000000000400000-0x000000000044E31C-memory.dmp	family_gh0strat
behavioral2/memory/1136-21-0x0000000020000000-0x0000000020027000-memory.dmp	family_gh0strat
behavioral2/memory/3544-26-0x0000000020000000-0x0000000020027000-memory.dmp	family_gh0strat
behavioral2/memory/3908-31-0x0000000020000000-0x0000000020027000-memory.dmp	family_gh0strat

Gh0strat
Gh0st RAT is a remote access tool (RAT) with its source code public and it has been used by multiple Chinese groups.
rat gh0strat

Deletes itself 1 IoCs

pid	Process
1736	kkbvdecjix

Executes dropped EXE 1 IoCs

pid	Process
1736	kkbvdecjix

Loads dropped DLL 3 IoCs

pid	Process
1136	svchost.exe
3544	svchost.exe
3908	svchost.exe

Drops file in System32 directory 6 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\svchost.exe.txt	svchost.exe
File created	C:\Windows\SysWOW64\yrppcpqosr	svchost.exe
File opened for modification	C:\Windows\SysWOW64\svchost.exe.txt	svchost.exe
File created	C:\Windows\SysWOW64\yaeikstmfm	svchost.exe
File opened for modification	C:\Windows\SysWOW64\svchost.exe.txt	svchost.exe
File created	C:\Windows\SysWOW64\yjcvtmoqfw	svchost.exe

Program crash 3 IoCs

pid	pid_target	Process	procid_target
3604	1136	WerFault.exe	93
3780	3544	WerFault.exe	98
2248	3908	WerFault.exe	101

System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	a54952b68913b7187994684d58ffc099_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	kkbvdecjix
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
1736	kkbvdecjix
1736	kkbvdecjix

Suspicious use of AdjustPrivilegeToken 46 IoCs

description	pid	Process
Token: SeRestorePrivilege	1736	kkbvdecjix
Token: SeBackupPrivilege	1736	kkbvdecjix
Token: SeBackupPrivilege	1736	kkbvdecjix
Token: SeRestorePrivilege	1736	kkbvdecjix
Token: SeBackupPrivilege	1136	svchost.exe
Token: SeRestorePrivilege	1136	svchost.exe
Token: SeBackupPrivilege	1136	svchost.exe
Token: SeBackupPrivilege	1136	svchost.exe
Token: SeSecurityPrivilege	1136	svchost.exe
Token: SeSecurityPrivilege	1136	svchost.exe
Token: SeBackupPrivilege	1136	svchost.exe
Token: SeBackupPrivilege	1136	svchost.exe
Token: SeSecurityPrivilege	1136	svchost.exe
Token: SeBackupPrivilege	1136	svchost.exe
Token: SeBackupPrivilege	1136	svchost.exe
Token: SeSecurityPrivilege	1136	svchost.exe
Token: SeBackupPrivilege	1136	svchost.exe
Token: SeRestorePrivilege	1136	svchost.exe
Token: SeBackupPrivilege	3544	svchost.exe
Token: SeRestorePrivilege	3544	svchost.exe
Token: SeBackupPrivilege	3544	svchost.exe
Token: SeBackupPrivilege	3544	svchost.exe
Token: SeSecurityPrivilege	3544	svchost.exe
Token: SeSecurityPrivilege	3544	svchost.exe
Token: SeBackupPrivilege	3544	svchost.exe
Token: SeBackupPrivilege	3544	svchost.exe
Token: SeSecurityPrivilege	3544	svchost.exe
Token: SeBackupPrivilege	3544	svchost.exe
Token: SeBackupPrivilege	3544	svchost.exe
Token: SeSecurityPrivilege	3544	svchost.exe
Token: SeBackupPrivilege	3544	svchost.exe
Token: SeRestorePrivilege	3544	svchost.exe
Token: SeBackupPrivilege	3908	svchost.exe
Token: SeRestorePrivilege	3908	svchost.exe
Token: SeBackupPrivilege	3908	svchost.exe
Token: SeBackupPrivilege	3908	svchost.exe
Token: SeSecurityPrivilege	3908	svchost.exe
Token: SeSecurityPrivilege	3908	svchost.exe
Token: SeBackupPrivilege	3908	svchost.exe
Token: SeBackupPrivilege	3908	svchost.exe
Token: SeSecurityPrivilege	3908	svchost.exe
Token: SeBackupPrivilege	3908	svchost.exe
Token: SeBackupPrivilege	3908	svchost.exe
Token: SeSecurityPrivilege	3908	svchost.exe
Token: SeBackupPrivilege	3908	svchost.exe
Token: SeRestorePrivilege	3908	svchost.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 4564 wrote to memory of 1736	4564	a54952b68913b7187994684d58ffc099_JaffaCakes118.exe	88
PID 4564 wrote to memory of 1736	4564	a54952b68913b7187994684d58ffc099_JaffaCakes118.exe	88
PID 4564 wrote to memory of 1736	4564	a54952b68913b7187994684d58ffc099_JaffaCakes118.exe	88

C:\Users\Admin\AppData\Local\Temp\a54952b68913b7187994684d58ffc099_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\a54952b68913b7187994684d58ffc099_JaffaCakes118.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4564
- \??\c:\users\admin\appdata\local\kkbvdecjix
  "C:\Users\Admin\AppData\Local\Temp\a54952b68913b7187994684d58ffc099_JaffaCakes118.exe" a -sc:\users\admin\appdata\local\temp\a54952b68913b7187994684d58ffc099_jaffacakes118.exe
  2⤵
  - Deletes itself
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1736

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k netsvcs -s fastuserswitchingcompatibility
1⤵
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
PID:1136
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 1136 -s 836
  2⤵
  - Program crash
  PID:3604

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 432 -p 1136 -ip 1136
1⤵
PID:1296

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k netsvcs -s fastuserswitchingcompatibility
1⤵
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
PID:3544
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 3544 -s 888
  2⤵
  - Program crash
  PID:3780

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 508 -p 3544 -ip 3544
1⤵
PID:1800

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k netsvcs -s fastuserswitchingcompatibility
1⤵
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
PID:3908
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 3908 -s 888
  2⤵
  - Program crash
  PID:2248

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 360 -p 3908 -ip 3908
1⤵
PID:1940

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\kkbvdecjix

Filesize
21.2MB

MD5
c74bd748e38c14866a4c293611e53848

SHA1
5ceebd845485818e8c68f965a5669c6dc7195fc7

SHA256
33c8088b61de05bd71e93ef9d0a220912d45e8febfab05efdb4c10316786d370

SHA512
139eaca580dff6ec3951e29e0ed335175cf70c0d664119f12b87621bdfb93cf701a70ddc581e282fdb007756540921c41f0b50a644e29a4f368357f058eaff92

Download Submit
C:\Windows\SysWOW64\svchost.exe.txt

Filesize
202B

MD5
db23942b2c1695d42dfbb9046a3ca575

SHA1
5e6c07e59e79ff4e0f94c041c01751f1009042ee

SHA256
58e0eaacb099eeedb790c8255f06be14e34d51714740a4f75919b5b2fec17c0c

SHA512
e3c2d4406cdf8c864ff6d23cdd1dc41be47fbf600e0e0b4c7f2a37c08ae93446f13dc441f6f7b6aa8911d5d6335abe4ae0869c195ecadb0590a5ceedfe7d4809

Download Submit
C:\Windows\SysWOW64\svchost.exe.txt

Filesize
303B

MD5
e54b97b8286e6709d4c89f010acf5175

SHA1
540efb939809872cb26d095ceabfa35f26396720

SHA256
ee88ba83373ac936b4e98bea22922a7663fd9245e84e8b426db45f9dbbd8b225

SHA512
3326838fcdfd2a2b144c6b05cd697b9a8575059356ec0e73a64b8db81347627ad754bf47d01fc2f05042e4934eb828107481975d1306fc7c9da89dab2468b0e2

Download Submit
\??\c:\programdata\application data\storm\update\%sessionname%\oknks.cc3

Filesize
22.1MB

MD5
e2e0825da09572ed3e43b5628e9eea88

SHA1
e067ddcf2b145100d8773595918e1b7ca670da21

SHA256
97966f1fac1ac6eeb826e2da7fea6ca32ce721a28084268581e8c60c90c47219

SHA512
d5f85bd768dda1afcada30d822e866ec87ee0db8ac6985914614e2aea39d3a075e87e87293a494083bbb92be71fb6dd49f2a161a036837bf9838c4e46a0d21fe

Download Submit
memory/1136-21-0x0000000020000000-0x0000000020027000-memory.dmp

Filesize
156KB

Download
memory/1136-19-0x0000000001AD0000-0x0000000001AD1000-memory.dmp

Filesize
4KB

Download
memory/1736-9-0x0000000000400000-0x000000000044E31C-memory.dmp

Filesize
312KB

Download
memory/1736-12-0x00000000001D0000-0x00000000001D1000-memory.dmp

Filesize
4KB

Download
memory/1736-18-0x0000000000400000-0x000000000044E31C-memory.dmp

Filesize
312KB

Download
memory/3544-26-0x0000000020000000-0x0000000020027000-memory.dmp

Filesize
156KB

Download
memory/3544-23-0x00000000013D0000-0x00000000013D1000-memory.dmp

Filesize
4KB

Download
memory/3908-28-0x00000000019F0000-0x00000000019F1000-memory.dmp

Filesize
4KB

Download
memory/3908-31-0x0000000020000000-0x0000000020027000-memory.dmp

Filesize
156KB

Download
memory/4564-8-0x0000000000400000-0x000000000044E31C-memory.dmp

Filesize
312KB

Download
memory/4564-0-0x0000000000400000-0x000000000044E31C-memory.dmp

Filesize
312KB

Download
memory/4564-2-0x00000000001D0000-0x00000000001D1000-memory.dmp

Filesize
4KB

Download