gh0strat | 023d3b4d9ccb843ceb8e367ae2dd2a84a7d9834bdcc2dac60a112f10eb4ad189

Analysis

max time kernel
133s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
24/08/2024, 04:46

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

bdeae0db47216ff68d46763fe6cab9f8_JaffaCakes118.exe
Size

96KB
MD5

bdeae0db47216ff68d46763fe6cab9f8
SHA1

b8f1fe96444e83c1a48497c7469c04ed5e9c7787
SHA256

023d3b4d9ccb843ceb8e367ae2dd2a84a7d9834bdcc2dac60a112f10eb4ad189
SHA512

bf825dd542f62c1fe6ec688940812d46bbb4aa72c394e53017e90871044dc457675f9d9baf377d04a9b176c967a108e6225ffc0df8f6933710785f2519c5d0a4
SSDEEP

1536:xhFusSx9qYMhdFHS8qdydo3nTzhYxJA+CwNUtBZVY9v8pr5lqiOaN:x3S4jHS8q/3nTzePCwNUh4E95l8aN

Score

10^/10

gh0strat discovery rat

Malware Config

Signatures

Gh0st RAT payload 5 IoCs

resource	yara_rule
behavioral2/files/0x0009000000023465-14.dat	family_gh0strat
behavioral2/memory/4436-16-0x0000000000400000-0x000000000044E2EC-memory.dmp	family_gh0strat
behavioral2/memory/4720-19-0x0000000020000000-0x0000000020027000-memory.dmp	family_gh0strat
behavioral2/memory/1424-24-0x0000000020000000-0x0000000020027000-memory.dmp	family_gh0strat
behavioral2/memory/2292-29-0x0000000020000000-0x0000000020027000-memory.dmp	family_gh0strat

Gh0strat
Gh0st RAT is a remote access tool (RAT) with its source code public and it has been used by multiple Chinese groups.
rat gh0strat

Deletes itself 1 IoCs

pid	Process
4436	gpvwitbbue

Executes dropped EXE 1 IoCs

pid	Process
4436	gpvwitbbue

Loads dropped DLL 3 IoCs

pid	Process
4720	svchost.exe
1424	svchost.exe
2292	svchost.exe

Drops file in System32 directory 6 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\svchost.exe.txt	svchost.exe
File created	C:\Windows\SysWOW64\ywreudxudd	svchost.exe
File opened for modification	C:\Windows\SysWOW64\svchost.exe.txt	svchost.exe
File created	C:\Windows\SysWOW64\ygosewsadm	svchost.exe
File opened for modification	C:\Windows\SysWOW64\svchost.exe.txt	svchost.exe
File created	C:\Windows\SysWOW64\yodlmavwqi	svchost.exe

Program crash 3 IoCs

pid	pid_target	Process	procid_target
3396	4720	WerFault.exe	93
5088	1424	WerFault.exe	99
1380	2292	WerFault.exe	102

System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	bdeae0db47216ff68d46763fe6cab9f8_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	gpvwitbbue
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
4436	gpvwitbbue
4436	gpvwitbbue

Suspicious use of AdjustPrivilegeToken 46 IoCs

description	pid	Process
Token: SeRestorePrivilege	4436	gpvwitbbue
Token: SeBackupPrivilege	4436	gpvwitbbue
Token: SeBackupPrivilege	4436	gpvwitbbue
Token: SeRestorePrivilege	4436	gpvwitbbue
Token: SeBackupPrivilege	4720	svchost.exe
Token: SeRestorePrivilege	4720	svchost.exe
Token: SeBackupPrivilege	4720	svchost.exe
Token: SeBackupPrivilege	4720	svchost.exe
Token: SeSecurityPrivilege	4720	svchost.exe
Token: SeSecurityPrivilege	4720	svchost.exe
Token: SeBackupPrivilege	4720	svchost.exe
Token: SeBackupPrivilege	4720	svchost.exe
Token: SeSecurityPrivilege	4720	svchost.exe
Token: SeBackupPrivilege	4720	svchost.exe
Token: SeBackupPrivilege	4720	svchost.exe
Token: SeSecurityPrivilege	4720	svchost.exe
Token: SeBackupPrivilege	4720	svchost.exe
Token: SeRestorePrivilege	4720	svchost.exe
Token: SeBackupPrivilege	1424	svchost.exe
Token: SeRestorePrivilege	1424	svchost.exe
Token: SeBackupPrivilege	1424	svchost.exe
Token: SeBackupPrivilege	1424	svchost.exe
Token: SeSecurityPrivilege	1424	svchost.exe
Token: SeSecurityPrivilege	1424	svchost.exe
Token: SeBackupPrivilege	1424	svchost.exe
Token: SeBackupPrivilege	1424	svchost.exe
Token: SeSecurityPrivilege	1424	svchost.exe
Token: SeBackupPrivilege	1424	svchost.exe
Token: SeBackupPrivilege	1424	svchost.exe
Token: SeSecurityPrivilege	1424	svchost.exe
Token: SeBackupPrivilege	1424	svchost.exe
Token: SeRestorePrivilege	1424	svchost.exe
Token: SeBackupPrivilege	2292	svchost.exe
Token: SeRestorePrivilege	2292	svchost.exe
Token: SeBackupPrivilege	2292	svchost.exe
Token: SeBackupPrivilege	2292	svchost.exe
Token: SeSecurityPrivilege	2292	svchost.exe
Token: SeSecurityPrivilege	2292	svchost.exe
Token: SeBackupPrivilege	2292	svchost.exe
Token: SeBackupPrivilege	2292	svchost.exe
Token: SeSecurityPrivilege	2292	svchost.exe
Token: SeBackupPrivilege	2292	svchost.exe
Token: SeBackupPrivilege	2292	svchost.exe
Token: SeSecurityPrivilege	2292	svchost.exe
Token: SeBackupPrivilege	2292	svchost.exe
Token: SeRestorePrivilege	2292	svchost.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 2628 wrote to memory of 4436	2628	bdeae0db47216ff68d46763fe6cab9f8_JaffaCakes118.exe	87
PID 2628 wrote to memory of 4436	2628	bdeae0db47216ff68d46763fe6cab9f8_JaffaCakes118.exe	87
PID 2628 wrote to memory of 4436	2628	bdeae0db47216ff68d46763fe6cab9f8_JaffaCakes118.exe	87

C:\Users\Admin\AppData\Local\Temp\bdeae0db47216ff68d46763fe6cab9f8_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\bdeae0db47216ff68d46763fe6cab9f8_JaffaCakes118.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2628
- \??\c:\users\admin\appdata\local\gpvwitbbue
  "C:\Users\Admin\AppData\Local\Temp\bdeae0db47216ff68d46763fe6cab9f8_JaffaCakes118.exe" a -sc:\users\admin\appdata\local\temp\bdeae0db47216ff68d46763fe6cab9f8_jaffacakes118.exe
  2⤵
  - Deletes itself
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:4436

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k netsvcs -s fastuserswitchingcompatibility
1⤵
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
PID:4720
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 4720 -s 844
  2⤵
  - Program crash
  PID:3396

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 440 -p 4720 -ip 4720
1⤵
PID:940

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k netsvcs -s fastuserswitchingcompatibility
1⤵
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
PID:1424
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 1424 -s 1052
  2⤵
  - Program crash
  PID:5088

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 488 -p 1424 -ip 1424
1⤵
PID:3648

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k netsvcs -s fastuserswitchingcompatibility
1⤵
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
PID:2292
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 2292 -s 1100
  2⤵
  - Program crash
  PID:1380

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 416 -p 2292 -ip 2292
1⤵
PID:4916

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\svchost.exe.txt

Filesize
202B

MD5
b0b33a9326e0bce67d5a2ec6b86723a8

SHA1
684eced70f81b00f05e0b80179befef9350cf386

SHA256
b5d9a96afc483b0485674009d4ded3758811484127b99a60f9bf30c4b523af91

SHA512
92ca6be74b7dd4323fa14b3ca6d85c34fc14d719d9cf42343d8e2ba4e37810b0fc48892a7e69459d174c835b478a3ecc4e59bc5adf8103d56c2f3894cf81714e

Download Submit
C:\Windows\SysWOW64\svchost.exe.txt

Filesize
303B

MD5
e5bf6bc14c98f7e912026e8386722b62

SHA1
e46d2d54dab20ebb9c4084bee69f74ee769d13b1

SHA256
10c3d02dc0179307fe3fc09029d8ce695858e7b2934a467320fed4e0f47729e2

SHA512
1f0ddf98ecd9aae39b2be6f96496e3238d84c3eb21747b7756d17b79c3d4226bd8a3698bf9bbedc76643767b73d2ae5c70b0e5d7577a1bba9964b591b1bcab7e

Download Submit
\??\c:\programdata\application data\storm\update\%sessionname%\oguvy.cc3

Filesize
20.1MB

MD5
8eb32f0aab7a7b9c23cf1197cc9e06d1

SHA1
3d1f1e6f906b5d7463f68100d966451b3f867391

SHA256
5424679fc32b28f1c2deffe8d78f7dc56e98584ed5f80bbf457446d593983fe2

SHA512
74ac8f8c9c3e7276d61193e2e42514d9aa192a30c472b548ecea75628110d41650710627a889797eab812c39b97bf69b276c4d6b75ad5a21b57f10c5db020765

Download Submit
\??\c:\users\admin\appdata\local\gpvwitbbue

Filesize
23.0MB

MD5
42f9f75e87de93fb359459f759cbcc1f

SHA1
d73a2877073b071ebf9d9bd378b320e47bf3e4a4

SHA256
58307f81ce30eb5480d4b28d642e845ad4ed23256996e1940464f42ad53ec6b6

SHA512
fd0d428e694b596c9a6da935e94a10aea4235344b4c9be367765b59e999f33b08cb9a84e7d383913560467c9987aa60264649f80f3890e44ec7f7a46bfccd89e

Download Submit
memory/1424-24-0x0000000020000000-0x0000000020027000-memory.dmp

Filesize
156KB

Download
memory/1424-21-0x00000000013E0000-0x00000000013E1000-memory.dmp

Filesize
4KB

Download
memory/2292-29-0x0000000020000000-0x0000000020027000-memory.dmp

Filesize
156KB

Download
memory/2292-26-0x0000000001BF0000-0x0000000001BF1000-memory.dmp

Filesize
4KB

Download
memory/2628-2-0x00000000001D0000-0x00000000001D1000-memory.dmp

Filesize
4KB

Download
memory/2628-0-0x0000000000400000-0x000000000044E2EC-memory.dmp

Filesize
312KB

Download
memory/2628-9-0x0000000000400000-0x000000000044E2EC-memory.dmp

Filesize
312KB

Download
memory/4436-11-0x0000000000400000-0x000000000044E2EC-memory.dmp

Filesize
312KB

Download
memory/4436-16-0x0000000000400000-0x000000000044E2EC-memory.dmp

Filesize
312KB

Download
memory/4720-19-0x0000000020000000-0x0000000020027000-memory.dmp

Filesize
156KB

Download
memory/4720-17-0x0000000000FC0000-0x0000000000FC1000-memory.dmp

Filesize
4KB

Download