gh0strat | bca7e90a839e552b03a61a74f0b18023b94963ed17b8557e902d6fe8ddd021e7

Analysis

max time kernel
147s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
22-08-2024 07:32

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

b6d6b23e1d0aae268a74cf5d43202f3d_JaffaCakes118.exe
Size

155KB
MD5

b6d6b23e1d0aae268a74cf5d43202f3d
SHA1

5b0d8bf4637995aaf54767e52ca1a1d27b031be6
SHA256

bca7e90a839e552b03a61a74f0b18023b94963ed17b8557e902d6fe8ddd021e7
SHA512

603e0627cbf2efc48bd4038767ed45de04cbec38864be24d03f4037731cb6cc36818559824694a32e8f53fa5292fad2e025bcaa5bccbe6b04b7c8033645077d8
SSDEEP

3072:sJuGnYhTbK80khbOvf9xHwm1PXBmXZFeA28pM6EdePl9dehiv80P80Cnp8d6kL:sJueTk1ONdwaWB28edeP/deUv80P80Ak

Score

10^/10

gh0strat discovery persistence rat

Malware Config

Signatures

Gh0st RAT payload 2 IoCs

resource	yara_rule
behavioral2/files/0x00090000000233d6-4.dat	family_gh0strat
behavioral2/files/0x000700000002342b-8.dat	family_gh0strat

Gh0strat
Gh0st RAT is a remote access tool (RAT) with its source code public and it has been used by multiple Chinese groups.
rat gh0strat

Boot or Logon Autostart Execution: Active Setup 2 TTPs 2 IoCs

Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

persistence

Active Setup

T1547.014

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{2FA03E4D-8DE2-448f-BF89-0E619F60AF8A}	b6d6b23e1d0aae268a74cf5d43202f3d_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{2FA03E4D-8DE2-448f-BF89-0E619F60AF8A}\stubpath = "C:\\Windows\\system32\\inaphxbit.exe"	b6d6b23e1d0aae268a74cf5d43202f3d_JaffaCakes118.exe

Executes dropped EXE 1 IoCs

pid	Process
3944	inaphxbit.exe

Loads dropped DLL 1 IoCs

pid	Process
2352	userinit.exe

Drops file in System32 directory 2 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\inaphxbit.exe	b6d6b23e1d0aae268a74cf5d43202f3d_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\inaphxbit.exe_lang.ini	b6d6b23e1d0aae268a74cf5d43202f3d_JaffaCakes118.exe

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	inaphxbit.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	userinit.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	b6d6b23e1d0aae268a74cf5d43202f3d_JaffaCakes118.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
1468	b6d6b23e1d0aae268a74cf5d43202f3d_JaffaCakes118.exe
1468	b6d6b23e1d0aae268a74cf5d43202f3d_JaffaCakes118.exe
3944	inaphxbit.exe
3944	inaphxbit.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	1468	b6d6b23e1d0aae268a74cf5d43202f3d_JaffaCakes118.exe
Token: SeDebugPrivilege	3944	inaphxbit.exe

Suspicious use of WriteProcessMemory 7 IoCs

description	pid	Process	procid_target
PID 1468 wrote to memory of 3944	1468	b6d6b23e1d0aae268a74cf5d43202f3d_JaffaCakes118.exe	84
PID 1468 wrote to memory of 3944	1468	b6d6b23e1d0aae268a74cf5d43202f3d_JaffaCakes118.exe	84
PID 1468 wrote to memory of 3944	1468	b6d6b23e1d0aae268a74cf5d43202f3d_JaffaCakes118.exe	84
PID 3944 wrote to memory of 2352	3944	inaphxbit.exe	85
PID 3944 wrote to memory of 2352	3944	inaphxbit.exe	85
PID 3944 wrote to memory of 2352	3944	inaphxbit.exe	85
PID 3944 wrote to memory of 2352	3944	inaphxbit.exe	85

C:\Users\Admin\AppData\Local\Temp\b6d6b23e1d0aae268a74cf5d43202f3d_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\b6d6b23e1d0aae268a74cf5d43202f3d_JaffaCakes118.exe"
1⤵
- Boot or Logon Autostart Execution: Active Setup
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1468
- C:\Windows\SysWOW64\inaphxbit.exe
  C:\Windows\system32\inaphxbit.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:3944
- - C:\Windows\SysWOW64\userinit.exe
    userinit.exe
    3⤵
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    PID:2352

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\240609921_lang.dll

Filesize
122KB

MD5
e04ba83bc92ea39f5667cadfb236d4f0

SHA1
3bb9395cc4048522025c534cb7bd59170daa224a

SHA256
4424cdbfdbc616a8758881bc99e8a542e7142a73b95262cf718736a6d3bd340b

SHA512
c3aec6490dfecd0fd79f131cb032b288ed2a947276d320c84c320688bc36b00bc1e32aa67eaa2642e8e6c04f6d82723a45d9f9fe9d8f840cc8c8c6a56d35d87a

Download Submit
C:\Windows\SysWOW64\inaphxbit.exe

Filesize
155KB

MD5
d647698362ed6da65337d80d26020be4

SHA1
f3541ab37685de5d68fb5c6054934856331c163b

SHA256
07d6142da822bf96f520f052d57af215d647c1f3f5a3e89c1b8c0b76621114ad

SHA512
05d50b4077735fe6f68e134859ed39b234b1135a0b7bbbe341c90ab5aa4df8957f8505dc0f07ad0af9469a769ff725d2665d698d823b7c0fc9479a75ae42447c

Download Submit