gh0strat | 1590170a9e1db39d7dd17dd1e173dc0c117692fad525ac72ad248a2510b17e62

General

Target

d23dfb4894ee6e2b1c1f46855e92b4e9_JaffaCakes118.exe
Size

224KB
MD5

d23dfb4894ee6e2b1c1f46855e92b4e9
SHA1

8009c24d55a9bc6fa79c3fdcea46576f81b68ad8
SHA256

1590170a9e1db39d7dd17dd1e173dc0c117692fad525ac72ad248a2510b17e62
SHA512

27e40086ec5dba09c63b3710e5ecf996815b2b7255f83ff9a0be0191b286f3b21ef728459bd6c2d907de3ff436a9e2f0b063a3c956365001357ef760333eb085
SSDEEP

6144:4w0avOvtYSiod4uYzqAvZd/246Nvm7oS:RvGvViG4HOKZdem7oS

Score

10^/10

gh0strat bootkit discovery persistence rat upx

Malware Config

Signatures

Gh0st RAT payload 3 IoCs

resource	yara_rule
behavioral1/files/0x00060000000186b7-19.dat	family_gh0strat
behavioral1/memory/2980-23-0x0000000020000000-0x0000000020027000-memory.dmp	family_gh0strat
behavioral1/memory/2980-24-0x0000000020000000-0x0000000020027000-memory.dmp	family_gh0strat

Gh0strat
Gh0st RAT is a remote access tool (RAT) with its source code public and it has been used by multiple Chinese groups.
rat gh0strat

Executes dropped EXE 2 IoCs

pid	Process
2756	Oath.exe
2732	hqwceyfgtj

Loads dropped DLL 3 IoCs

pid	Process
2772	d23dfb4894ee6e2b1c1f46855e92b4e9_JaffaCakes118.exe
2772	d23dfb4894ee6e2b1c1f46855e92b4e9_JaffaCakes118.exe
2980	svchost.exe

UPX packed file 1 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/2772-0-0x0000000000400000-0x000000000043A000-memory.dmp	upx

Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs

Bootkits write to the MBR to gain persistence at a level below the operating system.

bootkit persistence

Bootkit

T1542.003

description	ioc	Process
File opened for modification	\??\PhysicalDrive0	svchost.exe

Drops file in System32 directory 2 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\iewvxdposp	svchost.exe
File created	C:\Windows\SysWOW64\ivjcqanqfu	svchost.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File created	\??\c:\windows\hqwceyfgtj	Oath.exe
File opened for modification	\??\c:\windows\hqwceyfgtj	Oath.exe

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	d23dfb4894ee6e2b1c1f46855e92b4e9_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Oath.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	hqwceyfgtj
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	svchost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	svchost.exe

Modifies data under HKEY_USERS 6 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\ActiveMovie	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\ActiveMovie\devenum	svchost.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\ActiveMovie\devenum\Version = "7"	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	svchost.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
2732	hqwceyfgtj
2980	svchost.exe
2980	svchost.exe
2980	svchost.exe

Suspicious use of AdjustPrivilegeToken 18 IoCs

description	pid	Process
Token: SeRestorePrivilege	2732	hqwceyfgtj
Token: SeBackupPrivilege	2732	hqwceyfgtj
Token: SeBackupPrivilege	2732	hqwceyfgtj
Token: SeRestorePrivilege	2732	hqwceyfgtj
Token: SeBackupPrivilege	2980	svchost.exe
Token: SeRestorePrivilege	2980	svchost.exe
Token: SeBackupPrivilege	2980	svchost.exe
Token: SeBackupPrivilege	2980	svchost.exe
Token: SeSecurityPrivilege	2980	svchost.exe
Token: SeSecurityPrivilege	2980	svchost.exe
Token: SeBackupPrivilege	2980	svchost.exe
Token: SeBackupPrivilege	2980	svchost.exe
Token: SeSecurityPrivilege	2980	svchost.exe
Token: SeBackupPrivilege	2980	svchost.exe
Token: SeBackupPrivilege	2980	svchost.exe
Token: SeSecurityPrivilege	2980	svchost.exe
Token: SeBackupPrivilege	2980	svchost.exe
Token: SeRestorePrivilege	2980	svchost.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 2772 wrote to memory of 2756	2772	d23dfb4894ee6e2b1c1f46855e92b4e9_JaffaCakes118.exe	30
PID 2772 wrote to memory of 2756	2772	d23dfb4894ee6e2b1c1f46855e92b4e9_JaffaCakes118.exe	30
PID 2772 wrote to memory of 2756	2772	d23dfb4894ee6e2b1c1f46855e92b4e9_JaffaCakes118.exe	30
PID 2772 wrote to memory of 2756	2772	d23dfb4894ee6e2b1c1f46855e92b4e9_JaffaCakes118.exe	30
PID 2756 wrote to memory of 2732	2756	Oath.exe	31
PID 2756 wrote to memory of 2732	2756	Oath.exe	31
PID 2756 wrote to memory of 2732	2756	Oath.exe	31
PID 2756 wrote to memory of 2732	2756	Oath.exe	31

C:\Users\Admin\AppData\Local\Temp\d23dfb4894ee6e2b1c1f46855e92b4e9_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\d23dfb4894ee6e2b1c1f46855e92b4e9_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2772
- C:\windows\temp\Oath.exe
  C:\windows\temp\Oath.exe
  2⤵
  - Executes dropped EXE
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2756
- - \??\c:\windows\hqwceyfgtj
    C:\windows\temp\Oath.exe a -sc:\windows\temp\oath.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2732

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k netsvcs
1⤵
- Loads dropped DLL
- Writes to the Master Boot Record (MBR)
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Checks processor information in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2980

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Pre-OS Boot

1

T1542

Bootkit

1

T1542.003

Privilege Escalation

Defense Evasion

Pre-OS Boot

1

T1542

Bootkit

1

T1542.003

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\??\c:\programdata\application data\storm\update\%sessionname%\sxjvf.cc3

Filesize
21.1MB

MD5
9ee06d74266c8d488681089b4aaba8a1

SHA1
a454376e5c43c611e3776e2b6a1986b0302b69ea

SHA256
aa81d99a5299102a144ac9c591a603d8539b0c7454498d867c03dd6ce791a7f7

SHA512
34e2f73f1fa82f079c9c3072e89b4dc899f81cf5d36d25dc8141bd950e8c30478c687cd2bd3eb56d400ff5f6d2245e37e9ac4b40f0c67dc3f6bac650515989b6

Download Submit
memory/2772-0-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/2980-21-0x0000000000160000-0x0000000000161000-memory.dmp

Filesize
4KB

Download
memory/2980-23-0x0000000020000000-0x0000000020027000-memory.dmp

Filesize
156KB

Download
memory/2980-24-0x0000000020000000-0x0000000020027000-memory.dmp

Filesize
156KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads