gh0strat | 65be78bcd702e54d9f7dbaee0dde3434bc4bd771ab03f0a668c741f09debe09e

General

Target

ceab889bef0bffba08ed9c44ba315253_JaffaCakes118.exe
Size

284KB
MD5

ceab889bef0bffba08ed9c44ba315253
SHA1

e15a05386b1154a9f81c950b01e44039dac2736d
SHA256

65be78bcd702e54d9f7dbaee0dde3434bc4bd771ab03f0a668c741f09debe09e
SHA512

74129cf029a3e02de3710672cdf57a0a6f0bfcc05c8923bfc27f8fc9eb177b0e42cac8928abed4172a716d6b9dd062a066c66894d0cc903314c204a4aa5026f0
SSDEEP

6144:nsaY8p9zxcO9ToDjAD3BFl9Tr3epr2qzrzNoSnNpXATf6q/Bj6vq6:nsaY8rBTonADRVetNzVoSNSLTV6d

Score

10^/10

gh0strat bootkit discovery persistence rat upx

Malware Config

Signatures

Gh0st RAT payload 5 IoCs

resource	yara_rule
behavioral1/files/0x0007000000018741-15.dat	family_gh0strat
behavioral1/files/0x000e000000017467-27.dat	family_gh0strat
behavioral1/files/0x000700000001919c-34.dat	family_gh0strat
behavioral1/memory/2768-37-0x0000000020000000-0x0000000020027000-memory.dmp	family_gh0strat
behavioral1/memory/2768-39-0x0000000020000000-0x0000000020027000-memory.dmp	family_gh0strat

Gh0strat
Gh0st RAT is a remote access tool (RAT) with its source code public and it has been used by multiple Chinese groups.
rat gh0strat

Executes dropped EXE 3 IoCs

pid	Process
884	37 AV hacker.exe
2772	av.exe
2604	hsplvlcxfv

Loads dropped DLL 8 IoCs

pid	Process
824	ceab889bef0bffba08ed9c44ba315253_JaffaCakes118.exe
824	ceab889bef0bffba08ed9c44ba315253_JaffaCakes118.exe
824	ceab889bef0bffba08ed9c44ba315253_JaffaCakes118.exe
2772	av.exe
2772	av.exe
2772	av.exe
2772	av.exe
2768	svchost.exe

UPX packed file 2 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/824-0-0x0000000000400000-0x000000000041C000-memory.dmp	upx
behavioral1/memory/824-21-0x0000000000400000-0x000000000041C000-memory.dmp	upx

Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs

Bootkits write to the MBR to gain persistence at a level below the operating system.

bootkit persistence

Bootkit

T1542.003

description	ioc	Process
File opened for modification	\??\PhysicalDrive0	svchost.exe

Drops file in System32 directory 1 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\vdafxbnyce	svchost.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ceab889bef0bffba08ed9c44ba315253_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	av.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	hsplvlcxfv

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	svchost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	svchost.exe

Modifies data under HKEY_USERS 6 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\ActiveMovie\devenum	svchost.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\ActiveMovie\devenum\Version = "7"	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\ActiveMovie	svchost.exe

Suspicious behavior: EnumeratesProcesses 3 IoCs

pid	Process
2604	hsplvlcxfv
2768	svchost.exe
2768	svchost.exe

Suspicious use of AdjustPrivilegeToken 18 IoCs

description	pid	Process
Token: SeRestorePrivilege	2604	hsplvlcxfv
Token: SeBackupPrivilege	2604	hsplvlcxfv
Token: SeBackupPrivilege	2604	hsplvlcxfv
Token: SeRestorePrivilege	2604	hsplvlcxfv
Token: SeBackupPrivilege	2768	svchost.exe
Token: SeRestorePrivilege	2768	svchost.exe
Token: SeBackupPrivilege	2768	svchost.exe
Token: SeBackupPrivilege	2768	svchost.exe
Token: SeSecurityPrivilege	2768	svchost.exe
Token: SeSecurityPrivilege	2768	svchost.exe
Token: SeBackupPrivilege	2768	svchost.exe
Token: SeBackupPrivilege	2768	svchost.exe
Token: SeSecurityPrivilege	2768	svchost.exe
Token: SeBackupPrivilege	2768	svchost.exe
Token: SeBackupPrivilege	2768	svchost.exe
Token: SeSecurityPrivilege	2768	svchost.exe
Token: SeBackupPrivilege	2768	svchost.exe
Token: SeRestorePrivilege	2768	svchost.exe

Suspicious use of WriteProcessMemory 18 IoCs

description	pid	Process	procid_target
PID 824 wrote to memory of 884	824	ceab889bef0bffba08ed9c44ba315253_JaffaCakes118.exe	31
PID 824 wrote to memory of 884	824	ceab889bef0bffba08ed9c44ba315253_JaffaCakes118.exe	31
PID 824 wrote to memory of 884	824	ceab889bef0bffba08ed9c44ba315253_JaffaCakes118.exe	31
PID 824 wrote to memory of 884	824	ceab889bef0bffba08ed9c44ba315253_JaffaCakes118.exe	31
PID 824 wrote to memory of 2772	824	ceab889bef0bffba08ed9c44ba315253_JaffaCakes118.exe	32
PID 824 wrote to memory of 2772	824	ceab889bef0bffba08ed9c44ba315253_JaffaCakes118.exe	32
PID 824 wrote to memory of 2772	824	ceab889bef0bffba08ed9c44ba315253_JaffaCakes118.exe	32
PID 824 wrote to memory of 2772	824	ceab889bef0bffba08ed9c44ba315253_JaffaCakes118.exe	32
PID 824 wrote to memory of 2772	824	ceab889bef0bffba08ed9c44ba315253_JaffaCakes118.exe	32
PID 824 wrote to memory of 2772	824	ceab889bef0bffba08ed9c44ba315253_JaffaCakes118.exe	32
PID 824 wrote to memory of 2772	824	ceab889bef0bffba08ed9c44ba315253_JaffaCakes118.exe	32
PID 2772 wrote to memory of 2604	2772	av.exe	33
PID 2772 wrote to memory of 2604	2772	av.exe	33
PID 2772 wrote to memory of 2604	2772	av.exe	33
PID 2772 wrote to memory of 2604	2772	av.exe	33
PID 2772 wrote to memory of 2604	2772	av.exe	33
PID 2772 wrote to memory of 2604	2772	av.exe	33
PID 2772 wrote to memory of 2604	2772	av.exe	33

C:\Users\Admin\AppData\Local\Temp\ceab889bef0bffba08ed9c44ba315253_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\ceab889bef0bffba08ed9c44ba315253_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:824
- C:\Users\Admin\AppData\Local\Temp\Temp\37 AV hacker.exe
  "C:\Users\Admin\AppData\Local\Temp\Temp\37 AV hacker.exe"
  2⤵
  - Executes dropped EXE
  PID:884
- C:\Users\Admin\AppData\Local\Temp\Temp\av.exe
  "C:\Users\Admin\AppData\Local\Temp\Temp\av.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2772
- - \??\c:\users\admin\appdata\local\temp\hsplvlcxfv
    "C:\Users\Admin\AppData\Local\Temp\Temp\av.exe" a -sc:\users\admin\appdata\local\temp\temp\av.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2604

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k netsvcs
1⤵
- Loads dropped DLL
- Writes to the Master Boot Record (MBR)
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Checks processor information in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2768

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Pre-OS Boot

1

T1542

Bootkit

1

T1542.003

Privilege Escalation

Defense Evasion

Pre-OS Boot

1

T1542

Bootkit

1

T1542.003

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\??\c:\programdata\drm\%sessionname%\lordg.cc3

Filesize
23.0MB

MD5
88d6fad5b6385c60900d7bfe7282d87b

SHA1
7b4d67a6a07201d646576581c4e4be3e8bab924b

SHA256
54f651d061371f141e0f01c9091cd3730f89e5ee22df309984cef6d8bec1c815

SHA512
2ed927e70956eb41fc391e05ad070a6444bbb00c90d501cb0c21a428e3b2b76510fa2ce41919f28588f1c3c6e756ed190438a362bfda4b3caefbe63b4950b6ab

Download Submit
\Users\Admin\AppData\Local\Temp\Temp\37 AV hacker.exe

Filesize
276KB

MD5
69c546d3921fdc114768693a5c570f24

SHA1
45d871e51e3665bb1786638a0772fd168e6106d9

SHA256
6066e6feb6f764aab44669f77c9cc2d20ee39ff2667f94820a395972675d017d

SHA512
cb9f6afd247dc7acb09cafaadcf90a9c9b46b6486cea5be417f712e0be3b91a094ed978321589747096a5a4ce2e12b4b4913f8f51797fe7fb3703b3bc965c8b8

Download Submit
\Users\Admin\AppData\Local\Temp\Temp\av.exe

Filesize
204KB

MD5
cc0f23ca399c797260f7135cd23f5eee

SHA1
6e50a6006d65e8f07f1b26a936ee03143ff60896

SHA256
3747b670c116dd0b3f3a6fc47c34060cb801917a8d8822b9624298ad8933073d

SHA512
734244af868cb986285cc94aeff5c3ed3b64efff17cce48d0834088e96a066d2ceae46bfca7efe341ebd84258a5337c0ba96b43ea24513bf0b24987acdd12c44

Download Submit
\Users\Admin\AppData\Local\Temp\hsplvlcxfv

Filesize
22.6MB

MD5
79fd7c49b8388b7f5815011f582cf081

SHA1
a50ef01df5fffc8159f00e7f9ba6f33ecfc1a4bc

SHA256
c39318dceb9dc4bdbf2579c78b925c300b4b7f96cd6369b3830659d8408c5949

SHA512
5673fc328ed289d02fca7f31fcf66fd43a05c6426a0e2774f546e161e41c50c5546845436f241169a431a0bea1596ebc3c888566972cbe82bef86060d6ab9464

Download Submit
memory/824-0-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/824-12-0x0000000001E00000-0x0000000001E48000-memory.dmp

Filesize
288KB

Download
memory/824-13-0x0000000001E00000-0x0000000001E48000-memory.dmp

Filesize
288KB

Download
memory/824-21-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/884-14-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/2768-36-0x00000000001B0000-0x00000000001B1000-memory.dmp

Filesize
4KB

Download
memory/2768-37-0x0000000020000000-0x0000000020027000-memory.dmp

Filesize
156KB

Download
memory/2768-39-0x0000000020000000-0x0000000020027000-memory.dmp

Filesize
156KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads