gh0strat | 518b446934ff93f157103844072294d485333c58e3d6e02af55d1feff072b49d

Analysis

max time kernel
117s
max time network
118s
platform
windows7_x64
resource
win7-20240705-en
resource tags

arch:x64arch:x86image:win7-20240705-enlocale:en-usos:windows7-x64system
submitted
22/08/2024, 09:19

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

b71ad43b7fb81608ce1b36a5be5dec7d_JaffaCakes118.exe
Size

380KB
MD5

b71ad43b7fb81608ce1b36a5be5dec7d
SHA1

ec7914dada86c26417d6a91ca2068113f7970c2a
SHA256

518b446934ff93f157103844072294d485333c58e3d6e02af55d1feff072b49d
SHA512

cf056cb701adc8b97bb4b82f96d566ec0111d156431ed8ecd73398f23e490182ce384c67517874047e95e6236acac00db152e23111ef3efe0f861b6888778ace
SSDEEP

6144:S39J9xt91YUj6W+F8u5bRFF2idZecnl20lHRxp3gHPp3SBo03ty/4QTRGP/D1WiW:AxRefPF3Z4mxxEPj0AR+D1WF8qGqr

Score

10^/10

gh0strat aspackv2 discovery persistence rat

Malware Config

Signatures

Gh0st RAT payload 1 IoCs

resource	yara_rule
behavioral1/memory/2136-47-0x0000000010000000-0x000000001007F000-memory.dmp	family_gh0strat

Gh0strat
Gh0st RAT is a remote access tool (RAT) with its source code public and it has been used by multiple Chinese groups.
rat gh0strat

Drops file in Drivers directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\Drivers\beep.sys	b71ad43b7fb81608ce1b36a5be5dec7d_JaffaCakes118.exe

Server Software Component: Terminal Services DLL 1 TTPs 1 IoCs

persistence

Terminal Services DLL

T1505.005

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\FastUserSwitchingCompatibility\Parameters\ServiceDll = "C:\\Windows\\system32\\FastUserSwitchingCompatibilityex.dll"	b71ad43b7fb81608ce1b36a5be5dec7d_JaffaCakes118.exe

ASPack v2.12-2.42 2 IoCs

Detects executables packed with ASPack v2.12-2.42

aspackv2

resource	yara_rule
behavioral1/files/0x000b00000001202f-4.dat	aspack_v212_v242
behavioral1/files/0x00080000000166c7-51.dat	aspack_v212_v242

Loads dropped DLL 2 IoCs

pid	Process
2136	b71ad43b7fb81608ce1b36a5be5dec7d_JaffaCakes118.exe
2776	svchost.exe

Drops file in System32 directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\FastUserSwitchingCompatibilityex.dll	b71ad43b7fb81608ce1b36a5be5dec7d_JaffaCakes118.exe

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	b71ad43b7fb81608ce1b36a5be5dec7d_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe

Suspicious behavior: LoadsDriver 1 IoCs

pid	Process
476	Process not Found

C:\Users\Admin\AppData\Local\Temp\b71ad43b7fb81608ce1b36a5be5dec7d_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\b71ad43b7fb81608ce1b36a5be5dec7d_JaffaCakes118.exe"
1⤵
- Drops file in Drivers directory
- Server Software Component: Terminal Services DLL
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:2136

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k netsvcs
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:2776

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Server Software Component

T1505

Terminal Services DLL

T1505.005

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\release.tmp

Filesize
370KB

MD5
90468db3d00ccdb527d84bcf37c37532

SHA1
f7948fed8ac18b2f5c85e456d3aacac496db0479

SHA256
c8e4f18ff8bcd6ce22695956ab7f7139727cd0736b7ae9800898ed6c7ec344d2

SHA512
41ce0b1765248401407c3bda59f900b0f024ad1cff5dc69cb6a86de0bee1dcdd46556250937cbea84549c4ec2a026164e01729d7ac50b3bf389bc899bb645cdd

Download Submit
\Users\Admin\AppData\Local\Temp\dll.tmp

Filesize
370KB

MD5
e763e2fe37c5f879c8dd01298c321e14

SHA1
ecf499d4b15390911e04c4fce85120d20eab374b

SHA256
a8b2d556aab03feacfd8a4582411135a30c648a9d5dd3862b1f185a0f12587ac

SHA512
7b47c408ade588da768143e0fd7ba44538714d560e60a83c5a6959ba2d5b0731691cc7468244c988cf7637b50d50d44c0f6249e5efd7414dbf893963599b279a

Download Submit
memory/2136-26-0x0000000003810000-0x0000000003811000-memory.dmp

Filesize
4KB

Download
memory/2136-21-0x0000000003820000-0x0000000003821000-memory.dmp

Filesize
4KB

Download
memory/2136-8-0x0000000001F60000-0x0000000001F61000-memory.dmp

Filesize
4KB

Download
memory/2136-9-0x0000000001F40000-0x0000000001F41000-memory.dmp

Filesize
4KB

Download
memory/2136-10-0x0000000001F90000-0x0000000001F91000-memory.dmp

Filesize
4KB

Download
memory/2136-11-0x0000000001F20000-0x0000000001F21000-memory.dmp

Filesize
4KB

Download
memory/2136-12-0x0000000001F10000-0x0000000001F11000-memory.dmp

Filesize
4KB

Download
memory/2136-13-0x0000000001F80000-0x0000000001F81000-memory.dmp

Filesize
4KB

Download
memory/2136-14-0x0000000001F70000-0x0000000001F71000-memory.dmp

Filesize
4KB

Download
memory/2136-15-0x0000000001FA0000-0x0000000001FA1000-memory.dmp

Filesize
4KB

Download
memory/2136-16-0x0000000001F30000-0x0000000001F31000-memory.dmp

Filesize
4KB

Download
memory/2136-17-0x0000000003820000-0x0000000003821000-memory.dmp

Filesize
4KB

Download
memory/2136-18-0x0000000003820000-0x0000000003821000-memory.dmp

Filesize
4KB

Download
memory/2136-30-0x0000000003810000-0x0000000003811000-memory.dmp

Filesize
4KB

Download
memory/2136-20-0x0000000003820000-0x0000000003821000-memory.dmp

Filesize
4KB

Download
memory/2136-29-0x0000000003810000-0x0000000003811000-memory.dmp

Filesize
4KB

Download
memory/2136-22-0x0000000003820000-0x0000000003821000-memory.dmp

Filesize
4KB

Download
memory/2136-23-0x0000000003810000-0x0000000003811000-memory.dmp

Filesize
4KB

Download
memory/2136-24-0x0000000003810000-0x0000000003811000-memory.dmp

Filesize
4KB

Download
memory/2136-25-0x0000000003810000-0x0000000003811000-memory.dmp

Filesize
4KB

Download
memory/2136-0-0x0000000000400000-0x0000000000461000-memory.dmp

Filesize
388KB

Download
memory/2136-27-0x0000000003810000-0x0000000003811000-memory.dmp

Filesize
4KB

Download
memory/2136-7-0x00000000003A0000-0x00000000003F4000-memory.dmp

Filesize
336KB

Download
memory/2136-28-0x0000000003810000-0x0000000003811000-memory.dmp

Filesize
4KB

Download
memory/2136-19-0x0000000003820000-0x0000000003821000-memory.dmp

Filesize
4KB

Download
memory/2136-31-0x0000000003810000-0x0000000003811000-memory.dmp

Filesize
4KB

Download
memory/2136-32-0x0000000003810000-0x0000000003811000-memory.dmp

Filesize
4KB

Download
memory/2136-33-0x0000000003810000-0x0000000003811000-memory.dmp

Filesize
4KB

Download
memory/2136-34-0x0000000003810000-0x0000000003811000-memory.dmp

Filesize
4KB

Download
memory/2136-35-0x0000000003810000-0x0000000003811000-memory.dmp

Filesize
4KB

Download
memory/2136-36-0x0000000003810000-0x0000000003811000-memory.dmp

Filesize
4KB

Download
memory/2136-37-0x0000000003810000-0x0000000003811000-memory.dmp

Filesize
4KB

Download
memory/2136-38-0x0000000003810000-0x0000000003811000-memory.dmp

Filesize
4KB

Download
memory/2136-39-0x0000000003810000-0x0000000003811000-memory.dmp

Filesize
4KB

Download
memory/2136-40-0x0000000003810000-0x0000000003811000-memory.dmp

Filesize
4KB

Download
memory/2136-41-0x0000000003810000-0x0000000003811000-memory.dmp

Filesize
4KB

Download
memory/2136-42-0x0000000003810000-0x0000000003811000-memory.dmp

Filesize
4KB

Download
memory/2136-43-0x0000000003810000-0x0000000003811000-memory.dmp

Filesize
4KB

Download
memory/2136-44-0x0000000003810000-0x0000000003811000-memory.dmp

Filesize
4KB

Download
memory/2136-45-0x0000000003810000-0x0000000003811000-memory.dmp

Filesize
4KB

Download
memory/2136-46-0x0000000003810000-0x0000000003811000-memory.dmp

Filesize
4KB

Download
memory/2136-47-0x0000000010000000-0x000000001007F000-memory.dmp

Filesize
508KB

Download
memory/2136-6-0x0000000010000000-0x000000001007F000-memory.dmp

Filesize
508KB

Download
memory/2136-55-0x0000000000400000-0x0000000000461000-memory.dmp

Filesize
388KB

Download
memory/2776-58-0x0000000010000000-0x000000001007F000-memory.dmp

Filesize
508KB

Download