gh0strat | 4461a68e2003027a37d9fcbb7ee2bd8b256cda068cdf47180a7dca0bea0d5411

Analysis

max time kernel
16s
max time network
16s
platform
windows7_x64
resource
win7-20240729-en
resource tags

arch:x64arch:x86image:win7-20240729-enlocale:en-usos:windows7-x64system
submitted
06/09/2024, 08:57

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

cf2ab674b2e54532406183c9d8d8ac0f_JaffaCakes118.exe
Size

196KB
MD5

cf2ab674b2e54532406183c9d8d8ac0f
SHA1

4f0a794e1bd3266f81d5bd1351d53df009ee31c7
SHA256

4461a68e2003027a37d9fcbb7ee2bd8b256cda068cdf47180a7dca0bea0d5411
SHA512

0b1dc171f9c3cf6e91cf3a8d3888573ee27006f618ae2cd4dbe4fe123bd18e27edcab5cfcf07bdcded3fb93e9b7f85c9bacaf5a25a6de326797947a53e6b0ba0
SSDEEP

3072:0/cLQSvOsVsWT1CsL1U1ODuI8Jb8oBNU/4jOxpIMXim:0/OQSvOHW4sL1U1OCtJ4sk4jOhSm

Score

10^/10

gh0strat discovery rat

Malware Config

Signatures

Gh0st RAT payload 1 IoCs

resource	yara_rule
behavioral1/memory/2272-18-0x0000000000400000-0x0000000000432000-memory.dmp	family_gh0strat

Gh0strat
Gh0st RAT is a remote access tool (RAT) with its source code public and it has been used by multiple Chinese groups.
rat gh0strat

Deletes itself 1 IoCs

pid	Process
2272	gtjmvtnxlw

Executes dropped EXE 1 IoCs

pid	Process
2272	gtjmvtnxlw

Loads dropped DLL 2 IoCs

pid	Process
1148	cf2ab674b2e54532406183c9d8d8ac0f_JaffaCakes118.exe
1148	cf2ab674b2e54532406183c9d8d8ac0f_JaffaCakes118.exe

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cf2ab674b2e54532406183c9d8d8ac0f_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	gtjmvtnxlw

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
2272	gtjmvtnxlw

Suspicious use of AdjustPrivilegeToken 4 IoCs

description	pid	Process
Token: SeRestorePrivilege	2272	gtjmvtnxlw
Token: SeBackupPrivilege	2272	gtjmvtnxlw
Token: SeBackupPrivilege	2272	gtjmvtnxlw
Token: SeRestorePrivilege	2272	gtjmvtnxlw

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 1148 wrote to memory of 2272	1148	cf2ab674b2e54532406183c9d8d8ac0f_JaffaCakes118.exe	28
PID 1148 wrote to memory of 2272	1148	cf2ab674b2e54532406183c9d8d8ac0f_JaffaCakes118.exe	28
PID 1148 wrote to memory of 2272	1148	cf2ab674b2e54532406183c9d8d8ac0f_JaffaCakes118.exe	28
PID 1148 wrote to memory of 2272	1148	cf2ab674b2e54532406183c9d8d8ac0f_JaffaCakes118.exe	28

C:\Users\Admin\AppData\Local\Temp\cf2ab674b2e54532406183c9d8d8ac0f_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\cf2ab674b2e54532406183c9d8d8ac0f_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1148
- \??\c:\users\admin\appdata\local\gtjmvtnxlw
  "C:\Users\Admin\AppData\Local\Temp\cf2ab674b2e54532406183c9d8d8ac0f_JaffaCakes118.exe" a -sc:\users\admin\appdata\local\temp\cf2ab674b2e54532406183c9d8d8ac0f_jaffacakes118.exe
  2⤵
  - Deletes itself
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2272

C:\Windows\SysWOW64\svchost.exE
C:\Windows\SysWOW64\svchost.exE -k ???s????h
1⤵
PID:1160

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k regsvc
1⤵
PID:1816

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\Users\Admin\AppData\Local\gtjmvtnxlw

Filesize
24.0MB

MD5
8a97138e32b6223c8bc750345aea497c

SHA1
233ba843faba233fb43ae1d4dadc69153248f361

SHA256
4edc6261584b79dfcda34c0553afdda2b595ea49d2a11b7a27eabad8acb9c6aa

SHA512
754dee959cd3cdfd42207fb0c4ea48984b012fe08919c5ceeaf348cc122affe6811ca3bcc2736407eb5984f43b6a337f6014405660b21d5d66606430f9ead30a

Download Submit
memory/1148-0-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/1148-10-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/1148-9-0x0000000000220000-0x0000000000252000-memory.dmp

Filesize
200KB

Download
memory/1148-12-0x0000000000220000-0x0000000000252000-memory.dmp

Filesize
200KB

Download
memory/1148-19-0x0000000000220000-0x0000000000252000-memory.dmp

Filesize
200KB

Download
memory/2272-13-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/2272-18-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download