gh0strat | 566d8e22ac7d8f5f21b99b37be4a10432b3652418f70e6cdbd45b6ea9927fe25

Analysis

max time kernel
150s
max time network
142s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
07-09-2024 04:22

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

d110b35ffa74bab662fd1a0e7b9fa5ba_JaffaCakes118.exe
Size

32KB
MD5

d110b35ffa74bab662fd1a0e7b9fa5ba
SHA1

e39c2d0693f42ef893935bfeb3d8ee74a6cbbf97
SHA256

566d8e22ac7d8f5f21b99b37be4a10432b3652418f70e6cdbd45b6ea9927fe25
SHA512

81690e46c22914a72a0b3ecaebad516c0b5c870d36e941ab276b75b346c5407094aa692902ace13b74a9c2dab4f4601b8894d4bc976d5adfbd653805d0331be6
SSDEEP

768:Nw2N4ape4Mm0RxD0ABx4owGAzEZrW0O4q+HkPx3b:Nw2NjpymixD0A/Nw/MBq+Ep3b

Score

10^/10

gh0strat discovery persistence rat

Malware Config

Signatures

Gh0st RAT payload 4 IoCs

resource	yara_rule
behavioral2/memory/1232-8-0x0000000010000000-0x0000000010011000-memory.dmp	family_gh0strat
behavioral2/files/0x000400000001e742-7.dat	family_gh0strat
behavioral2/memory/1748-6-0x0000000000400000-0x000000000041E000-memory.dmp	family_gh0strat
behavioral2/memory/1232-9-0x0000000010000000-0x0000000010011000-memory.dmp	family_gh0strat

Gh0strat
Gh0st RAT is a remote access tool (RAT) with its source code public and it has been used by multiple Chinese groups.
rat gh0strat

Server Software Component: Terminal Services DLL 1 TTPs 1 IoCs

persistence

Terminal Services DLL

T1505.005

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\FastUserSwitchingCompatibility\Parameters\ServiceDll = "C:\\Windows\\system32\\FastUserSwitchingCompatibilityex.dll"	d110b35ffa74bab662fd1a0e7b9fa5ba_JaffaCakes118.exe

Deletes itself 1 IoCs

pid	Process
1232	svchost.exe

Loads dropped DLL 1 IoCs

pid	Process
1232	svchost.exe

Drops file in System32 directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\FastUserSwitchingCompatibilityex.dll	d110b35ffa74bab662fd1a0e7b9fa5ba_JaffaCakes118.exe

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	d110b35ffa74bab662fd1a0e7b9fa5ba_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe

Suspicious behavior: EnumeratesProcesses 10 IoCs

pid	Process
1232	svchost.exe
1232	svchost.exe
1232	svchost.exe
1232	svchost.exe
1232	svchost.exe
1232	svchost.exe
1232	svchost.exe
1232	svchost.exe
1232	svchost.exe
1232	svchost.exe

C:\Users\Admin\AppData\Local\Temp\d110b35ffa74bab662fd1a0e7b9fa5ba_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\d110b35ffa74bab662fd1a0e7b9fa5ba_JaffaCakes118.exe"
1⤵
- Server Software Component: Terminal Services DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:1748

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k netsvcs -s FastUserSwitchingCompatibility
1⤵
- Deletes itself
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
PID:1232

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Server Software Component

T1505

Terminal Services DLL

T1505.005

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\FastUserSwitchingCompatibilityex.dll

Filesize
58KB

MD5
f74b0815f700830d43cb0f31807d0c81

SHA1
7f9f4e39cb57d7917083e5e043e7253c4e222896

SHA256
491e2ace4b0fc6c81ccc510b4e10114fe409d38572393c4440e98b58861fb6b4

SHA512
be78217d289d37dadf797c80290b7e5be0f42a75b7543a512ff897cdf9aeac03b346e4772139daf9767399db1d7215ac942e12db349b2f4ee0ef29e70e714eb8

Download Submit
memory/1232-8-0x0000000010000000-0x0000000010011000-memory.dmp

Filesize
68KB

Download
memory/1232-9-0x0000000010000000-0x0000000010011000-memory.dmp

Filesize
68KB

Download
memory/1748-0-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/1748-1-0x00000000006C0000-0x00000000006C1000-memory.dmp

Filesize
4KB

Download
memory/1748-6-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download