gh0strat | e4bde71cb4e1a8b90dbbd517f26cf474850e0f41a4db4ffb5092e26aba61d5bd

Analysis

max time kernel
130s
max time network
139s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
22-08-2024 19:19

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

b8d3f629d5e05eeb3fd5cbb89cf8e1e3_JaffaCakes118.exe
Size

94KB
MD5

b8d3f629d5e05eeb3fd5cbb89cf8e1e3
SHA1

5496d542547bede52d9013b304a5a96a0c167bbf
SHA256

e4bde71cb4e1a8b90dbbd517f26cf474850e0f41a4db4ffb5092e26aba61d5bd
SHA512

09dd159101bde86b65325e3f38da2e388181bf1ea3731edf23eca5ea0455eaf99eb2186366ae1dfd6aea2bc087db9769205af675913922d9738ee6d9b338ac88
SSDEEP

1536:piFusSx9qYMhdFHS8qdydo3nTzhYxJA+CwNUtBZVY9v8prMs8RmE:pIS4jHS8q/3nTzePCwNUh4E9YRmE

Score

10^/10

gh0strat discovery rat

Malware Config

Signatures

Gh0st RAT payload 5 IoCs

resource	yara_rule
behavioral2/files/0x0009000000023389-15.dat	family_gh0strat
behavioral2/memory/1596-17-0x0000000000400000-0x000000000044E1F0-memory.dmp	family_gh0strat
behavioral2/memory/5056-20-0x0000000020000000-0x0000000020027000-memory.dmp	family_gh0strat
behavioral2/memory/4940-25-0x0000000020000000-0x0000000020027000-memory.dmp	family_gh0strat
behavioral2/memory/696-30-0x0000000020000000-0x0000000020027000-memory.dmp	family_gh0strat

Gh0strat
Gh0st RAT is a remote access tool (RAT) with its source code public and it has been used by multiple Chinese groups.
rat gh0strat

Deletes itself 1 IoCs

pid	Process
1596	fjoywxbdux

Executes dropped EXE 1 IoCs

pid	Process
1596	fjoywxbdux

Loads dropped DLL 3 IoCs

pid	Process
5056	svchost.exe
4940	svchost.exe
696	svchost.exe

Drops file in System32 directory 7 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\svchost.exe.txt	svchost.exe
File created	C:\Windows\SysWOW64\ypyksnortn	svchost.exe
File opened for modification	C:\Windows\SysWOW64\svchost.exe.txt	svchost.exe
File created	C:\Windows\SysWOW64\ypyksnortn	svchost.exe
File opened for modification	C:\Windows\SysWOW64\svchost.exe.txt	svchost.exe
File created	C:\Windows\SysWOW64\yxndaqqphi	svchost.exe
File created	C:\Windows\SysWOW64\yhkrkkmuhr	svchost.exe

Program crash 3 IoCs

pid	pid_target	Process	procid_target
4548	5056	WerFault.exe	97
1280	4940	WerFault.exe	102
1720	696	WerFault.exe	105

System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	b8d3f629d5e05eeb3fd5cbb89cf8e1e3_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	fjoywxbdux
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
1596	fjoywxbdux
1596	fjoywxbdux

Suspicious use of AdjustPrivilegeToken 46 IoCs

description	pid	Process
Token: SeRestorePrivilege	1596	fjoywxbdux
Token: SeBackupPrivilege	1596	fjoywxbdux
Token: SeBackupPrivilege	1596	fjoywxbdux
Token: SeRestorePrivilege	1596	fjoywxbdux
Token: SeBackupPrivilege	5056	svchost.exe
Token: SeRestorePrivilege	5056	svchost.exe
Token: SeBackupPrivilege	5056	svchost.exe
Token: SeBackupPrivilege	5056	svchost.exe
Token: SeSecurityPrivilege	5056	svchost.exe
Token: SeSecurityPrivilege	5056	svchost.exe
Token: SeBackupPrivilege	5056	svchost.exe
Token: SeBackupPrivilege	5056	svchost.exe
Token: SeSecurityPrivilege	5056	svchost.exe
Token: SeBackupPrivilege	5056	svchost.exe
Token: SeBackupPrivilege	5056	svchost.exe
Token: SeSecurityPrivilege	5056	svchost.exe
Token: SeBackupPrivilege	5056	svchost.exe
Token: SeRestorePrivilege	5056	svchost.exe
Token: SeBackupPrivilege	4940	svchost.exe
Token: SeRestorePrivilege	4940	svchost.exe
Token: SeBackupPrivilege	4940	svchost.exe
Token: SeBackupPrivilege	4940	svchost.exe
Token: SeSecurityPrivilege	4940	svchost.exe
Token: SeSecurityPrivilege	4940	svchost.exe
Token: SeBackupPrivilege	4940	svchost.exe
Token: SeBackupPrivilege	4940	svchost.exe
Token: SeSecurityPrivilege	4940	svchost.exe
Token: SeBackupPrivilege	4940	svchost.exe
Token: SeBackupPrivilege	4940	svchost.exe
Token: SeSecurityPrivilege	4940	svchost.exe
Token: SeBackupPrivilege	4940	svchost.exe
Token: SeRestorePrivilege	4940	svchost.exe
Token: SeBackupPrivilege	696	svchost.exe
Token: SeRestorePrivilege	696	svchost.exe
Token: SeBackupPrivilege	696	svchost.exe
Token: SeBackupPrivilege	696	svchost.exe
Token: SeSecurityPrivilege	696	svchost.exe
Token: SeSecurityPrivilege	696	svchost.exe
Token: SeBackupPrivilege	696	svchost.exe
Token: SeBackupPrivilege	696	svchost.exe
Token: SeSecurityPrivilege	696	svchost.exe
Token: SeBackupPrivilege	696	svchost.exe
Token: SeBackupPrivilege	696	svchost.exe
Token: SeSecurityPrivilege	696	svchost.exe
Token: SeBackupPrivilege	696	svchost.exe
Token: SeRestorePrivilege	696	svchost.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 3200 wrote to memory of 1596	3200	b8d3f629d5e05eeb3fd5cbb89cf8e1e3_JaffaCakes118.exe	92
PID 3200 wrote to memory of 1596	3200	b8d3f629d5e05eeb3fd5cbb89cf8e1e3_JaffaCakes118.exe	92
PID 3200 wrote to memory of 1596	3200	b8d3f629d5e05eeb3fd5cbb89cf8e1e3_JaffaCakes118.exe	92

C:\Users\Admin\AppData\Local\Temp\b8d3f629d5e05eeb3fd5cbb89cf8e1e3_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\b8d3f629d5e05eeb3fd5cbb89cf8e1e3_JaffaCakes118.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3200
- \??\c:\users\admin\appdata\local\fjoywxbdux
  "C:\Users\Admin\AppData\Local\Temp\b8d3f629d5e05eeb3fd5cbb89cf8e1e3_JaffaCakes118.exe" a -sc:\users\admin\appdata\local\temp\b8d3f629d5e05eeb3fd5cbb89cf8e1e3_jaffacakes118.exe
  2⤵
  - Deletes itself
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1596

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k netsvcs -s fastuserswitchingcompatibility
1⤵
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
PID:5056
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 5056 -s 1076
  2⤵
  - Program crash
  PID:4548

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 436 -p 5056 -ip 5056
1⤵
PID:4824

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k netsvcs -s fastuserswitchingcompatibility
1⤵
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
PID:4940
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 4940 -s 868
  2⤵
  - Program crash
  PID:1280

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 480 -p 4940 -ip 4940
1⤵
PID:1360

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k netsvcs -s fastuserswitchingcompatibility
1⤵
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
PID:696
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 696 -s 884
  2⤵
  - Program crash
  PID:1720

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 696 -ip 696
1⤵
PID:3484

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\fjoywxbdux

Filesize
24.5MB

MD5
6b00d330b236199e94d2ab432a2cf77f

SHA1
e3865c976af95faf684288f7d8cbffb14304f5fc

SHA256
c87aed53e4276fb4a4dbbc70816f162f813040a96d58d799b0b740b411202b1a

SHA512
fdfc1be1a42492584e701efa49ea1de711a22b980293557a488cd48c39f919eb8fadfb68e298828d13734e2f1687be55f5d70b27dc5a8da0d5ddc9533959d692

Download Submit
C:\Windows\SysWOW64\svchost.exe.txt

Filesize
202B

MD5
98189ea7f6d0a43a33fed5cdd7d780f8

SHA1
d734629e729960d4a924e7faf6367591509192fb

SHA256
f19da36c3fec463222ff8f19abb8d1c8e21aa7f5b12991d57de7c5dcb1fd2c0c

SHA512
682743ba70440518f39b79b964029df2e6e5e51492e8e3ede0d96ecf6e5446b850fba206c4269b75db3f6218a5698387b2f02a35927007dfa011d4b193bf87c0

Download Submit
C:\Windows\SysWOW64\svchost.exe.txt

Filesize
303B

MD5
4b0c84208bf3ae57efcd7f5b02f51a28

SHA1
26a1aefbdc82429f23fb9ee1b4df91a0386d2f5a

SHA256
136d0c781ab40620331f3e761a3cab31870d28b1325dff79b84b4c6e70dbf34f

SHA512
963447c8592023d5e8aa3124418bb59d03757665c55f6324699b72e601e6206e2ec20cc884427dc16f59edf069401c7318c9a72b54a0193a2e1ae21e32310395

Download Submit
\??\c:\programdata\application data\storm\update\%sessionname%\cwmmd.cc3

Filesize
24.0MB

MD5
6ea93a10f9bde5e1ec30464ed92ba265

SHA1
8732b007504f324df5cdae0f46e7821f9cf63767

SHA256
ec7af4279dafd1376943ed3e05d6fa1e39658f29c3130d6b69a1e9c94dd901eb

SHA512
5217615152c09babae2597521a4bc2d198895aeb9f7a0b6db449b5d5a8c8f7971a3f2c9e243640c133e9e44216128dd0da8e83f8d13a36ddf6b143cd6f122de1

Download Submit
memory/696-30-0x0000000020000000-0x0000000020027000-memory.dmp

Filesize
156KB

Download
memory/696-27-0x0000000001DE0000-0x0000000001DE1000-memory.dmp

Filesize
4KB

Download
memory/1596-12-0x00000000001D0000-0x00000000001D1000-memory.dmp

Filesize
4KB

Download
memory/1596-11-0x0000000000400000-0x000000000044E1F0-memory.dmp

Filesize
312KB

Download
memory/1596-17-0x0000000000400000-0x000000000044E1F0-memory.dmp

Filesize
312KB

Download
memory/3200-0-0x0000000000400000-0x000000000044E1F0-memory.dmp

Filesize
312KB

Download
memory/3200-2-0x00000000001D0000-0x00000000001D1000-memory.dmp

Filesize
4KB

Download
memory/3200-10-0x0000000000400000-0x000000000044E1F0-memory.dmp

Filesize
312KB

Download
memory/4940-25-0x0000000020000000-0x0000000020027000-memory.dmp

Filesize
156KB

Download
memory/4940-22-0x0000000000FE0000-0x0000000000FE1000-memory.dmp

Filesize
4KB

Download
memory/5056-20-0x0000000020000000-0x0000000020027000-memory.dmp

Filesize
156KB

Download
memory/5056-18-0x00000000015F0000-0x00000000015F1000-memory.dmp

Filesize
4KB

Download