gh0strat | 9675ee1a8e72899164a142c7d75643617d8093c11b370edf2abec53aefb53d71

Analysis

max time kernel
150s
max time network
122s
platform
windows7_x64
resource
win7-20240708-en
resource tags

arch:x64arch:x86image:win7-20240708-enlocale:en-usos:windows7-x64system
submitted
21-08-2024 10:05

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

b30a1d543cbde36c5e522939f4b3098d_JaffaCakes118.exe
Size

684KB
MD5

b30a1d543cbde36c5e522939f4b3098d
SHA1

a7878a735a0861dec20abc139475c5719ee9cc65
SHA256

9675ee1a8e72899164a142c7d75643617d8093c11b370edf2abec53aefb53d71
SHA512

771938d0f4adc3de3036d9d0ba9dcc3927b387d17aa0df3d6843df1571484c4cae1cf5a6f8037f92a8959ee6e48ad2731d4783d354252fa15738cf8ad25466e9
SSDEEP

12288:gNNY4w/fuVqa4YYvncgVhfc8ohYEkdfDtvbOk70O7xZCgEUEuB3s7e:gNN2GVqaDYnFohODt6FOdwgEUx3s

Score

10^/10

gh0strat discovery rat

Malware Config

Signatures

Gh0st RAT payload 7 IoCs

resource	yara_rule
behavioral1/memory/2700-4-0x0000000000400000-0x000000000070B000-memory.dmp	family_gh0strat
behavioral1/memory/2700-3-0x0000000000400000-0x000000000070B000-memory.dmp	family_gh0strat
behavioral1/memory/2700-2-0x0000000000400000-0x000000000070B000-memory.dmp	family_gh0strat
behavioral1/files/0x000b000000018634-11.dat	family_gh0strat
behavioral1/files/0x000d00000001225f-20.dat	family_gh0strat
behavioral1/memory/2700-18-0x0000000000400000-0x000000000070B000-memory.dmp	family_gh0strat
behavioral1/memory/2700-17-0x0000000010000000-0x000000001001F000-memory.dmp	family_gh0strat

Gh0strat
Gh0st RAT is a remote access tool (RAT) with its source code public and it has been used by multiple Chinese groups.
rat gh0strat

Deletes itself 1 IoCs

pid	Process
2924	svchost.exe

Loads dropped DLL 1 IoCs

pid	Process
2924	svchost.exe

Drops file in Program Files directory 2 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Fkqk\Nrmsbhvth.pic	b30a1d543cbde36c5e522939f4b3098d_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\Fkqk\Nrmsbhvth.pic	b30a1d543cbde36c5e522939f4b3098d_JaffaCakes118.exe

Drops file in Windows directory 1 IoCs

description	ioc	Process
File created	C:\windows\temp764900.dll	b30a1d543cbde36c5e522939f4b3098d_JaffaCakes118.exe

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	b30a1d543cbde36c5e522939f4b3098d_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2700	b30a1d543cbde36c5e522939f4b3098d_JaffaCakes118.exe
2924	svchost.exe
2924	svchost.exe
2924	svchost.exe
2924	svchost.exe
2924	svchost.exe
2924	svchost.exe
2924	svchost.exe
2924	svchost.exe
2924	svchost.exe
2924	svchost.exe
2924	svchost.exe
2924	svchost.exe
2924	svchost.exe
2924	svchost.exe
2924	svchost.exe
2924	svchost.exe
2924	svchost.exe
2924	svchost.exe
2924	svchost.exe
2924	svchost.exe
2924	svchost.exe
2924	svchost.exe
2924	svchost.exe
2924	svchost.exe
2924	svchost.exe
2924	svchost.exe
2924	svchost.exe
2924	svchost.exe
2924	svchost.exe
2924	svchost.exe
2924	svchost.exe
2924	svchost.exe
2924	svchost.exe
2924	svchost.exe
2924	svchost.exe
2924	svchost.exe
2924	svchost.exe
2924	svchost.exe
2924	svchost.exe
2924	svchost.exe
2924	svchost.exe
2924	svchost.exe
2924	svchost.exe
2924	svchost.exe
2924	svchost.exe
2924	svchost.exe
2924	svchost.exe
2924	svchost.exe
2924	svchost.exe
2924	svchost.exe
2924	svchost.exe
2924	svchost.exe
2924	svchost.exe
2924	svchost.exe
2924	svchost.exe
2924	svchost.exe
2924	svchost.exe
2924	svchost.exe
2924	svchost.exe
2924	svchost.exe
2924	svchost.exe
2924	svchost.exe
2924	svchost.exe

Suspicious use of AdjustPrivilegeToken 10 IoCs

description	pid	Process
Token: SeBackupPrivilege	2700	b30a1d543cbde36c5e522939f4b3098d_JaffaCakes118.exe
Token: SeRestorePrivilege	2700	b30a1d543cbde36c5e522939f4b3098d_JaffaCakes118.exe
Token: SeBackupPrivilege	2700	b30a1d543cbde36c5e522939f4b3098d_JaffaCakes118.exe
Token: SeRestorePrivilege	2700	b30a1d543cbde36c5e522939f4b3098d_JaffaCakes118.exe
Token: SeBackupPrivilege	2700	b30a1d543cbde36c5e522939f4b3098d_JaffaCakes118.exe
Token: SeRestorePrivilege	2700	b30a1d543cbde36c5e522939f4b3098d_JaffaCakes118.exe
Token: SeBackupPrivilege	2700	b30a1d543cbde36c5e522939f4b3098d_JaffaCakes118.exe
Token: SeRestorePrivilege	2700	b30a1d543cbde36c5e522939f4b3098d_JaffaCakes118.exe
Token: SeRestorePrivilege	2700	b30a1d543cbde36c5e522939f4b3098d_JaffaCakes118.exe
Token: SeBackupPrivilege	2700	b30a1d543cbde36c5e522939f4b3098d_JaffaCakes118.exe

C:\Users\Admin\AppData\Local\Temp\b30a1d543cbde36c5e522939f4b3098d_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\b30a1d543cbde36c5e522939f4b3098d_JaffaCakes118.exe"
1⤵
- Drops file in Program Files directory
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2700

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k imgsvc
1⤵
- Deletes itself
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
PID:2924

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Fkqk\Nrmsbhvth.pic

Filesize
3.0MB

MD5
db5867a9914b6fec01cc02c43071666b

SHA1
22e60dea0ac0fc90ee8f7a6f5ce7332666410d19

SHA256
8ad9f6677009becb6d5e6fefb10915111b76992a5b198d27cf9bc79b6f9821de

SHA512
a51a94329c5c9c4d8d3034ce63ca1c8d09ac2f00d34ad2b31026cdf07f49cc1aaf0e4f0d9a6f0baa57cf6c7648e570ae59fec3767f10f4d9f668cb4aad99e471

Download Submit
C:\windows\temp764900.dll

Filesize
109KB

MD5
f84e8cba0705034704e9490e9d8e783e

SHA1
376ba123edca3bf8e8b051adaf1ea882b731ec61

SHA256
33f66528c84e77c9d04c10a2053f07bb5fd4c0bca4035298b449c32833fce21e

SHA512
b04a9023904a92a0df1149e7f0d0438f179ea4d60a8d8e3c0aafa09de2bbee7969d75ac21081df42393242d0189ea4cc7a4062a1f953f34ee748549180ca8448

Download Submit
\??\c:\NT_Path.old

Filesize
110B

MD5
a63f1733940268d73eca5bfd726db3cd

SHA1
57d99b657961bb00f2a912ad23a7f222a14f6797

SHA256
19d673d28afe85b7c34dafc26ba5347afb96298380b9cf22700f699e5eb845c8

SHA512
6b61a3a6ad120b8389bd906e87c03ba4725e19af8747890138dcffc1f7d36321c1d92ff3a0ea41fecc3b62ec46b4201f4085209b13ab3e6df05a81c91f98ab3c

Download Submit
memory/2700-0-0x0000000000400000-0x000000000070B000-memory.dmp

Filesize
3.0MB

Download
memory/2700-5-0x000000000067C000-0x000000000067D000-memory.dmp

Filesize
4KB

Download
memory/2700-4-0x0000000000400000-0x000000000070B000-memory.dmp

Filesize
3.0MB

Download
memory/2700-3-0x0000000000400000-0x000000000070B000-memory.dmp

Filesize
3.0MB

Download
memory/2700-2-0x0000000000400000-0x000000000070B000-memory.dmp

Filesize
3.0MB

Download
memory/2700-1-0x0000000000EB0000-0x00000000011BB000-memory.dmp

Filesize
3.0MB

Download
memory/2700-18-0x0000000000400000-0x000000000070B000-memory.dmp

Filesize
3.0MB

Download
memory/2700-17-0x0000000010000000-0x000000001001F000-memory.dmp

Filesize
124KB

Download