gh0strat

General

Target

d38229eca5ab47826960e317450a5d0f_JaffaCakes118
Size

140KB
Sample

240908-eryfnaxejc
MD5

d38229eca5ab47826960e317450a5d0f
SHA1

0149efaa0c1dfea729df20732ed7e95d203947f1
SHA256

29dc645f66a9e283ecc3422f7490252aa6b01077e3b40debf52cb465e16a30a5
SHA512

1f16fd39f16bd85377c7af22e5e340b349fad0c15ee33d220e6d9835153c6f5c50fb885dff473e62f880112fe6b68a3ae6177bd54326b055245a1f5aad119c43
SSDEEP

3072:QFt8VhCHYGJNQruAI9h+H4Fagas2EqdNcXNWAjH:Q0VhCHJ2ruAg+H4FBd2ndN6v

Score

10^/10

Malware Config

Targets

- Target
  
  d38229eca5ab47826960e317450a5d0f_JaffaCakes118
- Size
  
  140KB
- MD5
  
  d38229eca5ab47826960e317450a5d0f
- SHA1
  
  0149efaa0c1dfea729df20732ed7e95d203947f1
- SHA256
  
  29dc645f66a9e283ecc3422f7490252aa6b01077e3b40debf52cb465e16a30a5
- SHA512
  
  1f16fd39f16bd85377c7af22e5e340b349fad0c15ee33d220e6d9835153c6f5c50fb885dff473e62f880112fe6b68a3ae6177bd54326b055245a1f5aad119c43
- SSDEEP
  
  3072:QFt8VhCHYGJNQruAI9h+H4Fagas2EqdNcXNWAjH:Q0VhCHJ2ruAg+H4FBd2ndN6v
Score

10^/10

gh0strat modiloader discovery persistence rat trojan
- Gh0st RAT payload
- Gh0strat
  Gh0st RAT is a remote access tool (RAT) with its source code public and it has been used by multiple Chinese groups.
  rat gh0strat
- ModiLoader, DBatLoader
  ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.
  trojan modiloader
- ModiLoader Second Stage
- Server Software Component: Terminal Services DLL
  persistence
- Deletes itself
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Server Software Component

1

T1505

Terminal Services DLL

1

T1505.005

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

Sharing

General

Malware Config

Targets

Gh0st RAT payload

ModiLoader, DBatLoader

ModiLoader Second Stage

Server Software Component: Terminal Services DLL

Deletes itself

Loads dropped DLL

Drops file in System32 directory

Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15

Tasks

static1

behavioral1

behavioral2