gh0strat | 867600092128a155281b40c7b60b9a33795b7ceb2f3f4266b24185c6ea60dbb9

Analysis

max time kernel
150s
max time network
100s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
09/09/2024, 01:23

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

d56fa13c3cbd6ba8dd773c9692bc52a9_JaffaCakes118.exe
Size

176KB
MD5

d56fa13c3cbd6ba8dd773c9692bc52a9
SHA1

69d621e5e668b80b32e7cda32ac91b31506a08df
SHA256

867600092128a155281b40c7b60b9a33795b7ceb2f3f4266b24185c6ea60dbb9
SHA512

693242fec25fa4552f1da97038d82dfdf72431775f2730201c33d627c7e575a1d4bd548c97c6e14169428fadd45fd531cfd9f636dbf1f854cf7e7e5e517ff1e5
SSDEEP

3072:mnosptX46JhfIf/LPJKHUWyolm9FI4rEJqiFnQCdFB9HJ09VDL:mnA1ErgIq1UQCN

Score

10^/10

gh0strat discovery rat

Malware Config

Signatures

Gh0st RAT payload 3 IoCs

resource	yara_rule
behavioral1/memory/2888-0-0x0000000000400000-0x000000000042C000-memory.dmp	family_gh0strat
behavioral1/files/0x000a000000012250-3.dat	family_gh0strat
behavioral1/memory/2888-5-0x0000000000400000-0x000000000042C000-memory.dmp	family_gh0strat

Gh0strat
Gh0st RAT is a remote access tool (RAT) with its source code public and it has been used by multiple Chinese groups.
rat gh0strat

Deletes itself 1 IoCs

pid	Process
2996	cmd.exe

Loads dropped DLL 1 IoCs

pid	Process
2164	RUNDLL32.exe

Drops file in Program Files directory 3 IoCs

description	ioc	Process
File created	C:\Program Files\temp0\QQ.exe	d56fa13c3cbd6ba8dd773c9692bc52a9_JaffaCakes118.exe
File opened for modification	C:\Program Files\temp0\QQ.exe	d56fa13c3cbd6ba8dd773c9692bc52a9_JaffaCakes118.exe
File created	\??\c:\Program Files\WINDOWSS.INI	d56fa13c3cbd6ba8dd773c9692bc52a9_JaffaCakes118.exe

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	d56fa13c3cbd6ba8dd773c9692bc52a9_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RUNDLL32.exe

Suspicious behavior: EnumeratesProcesses 3 IoCs

pid	Process
2888	d56fa13c3cbd6ba8dd773c9692bc52a9_JaffaCakes118.exe
2888	d56fa13c3cbd6ba8dd773c9692bc52a9_JaffaCakes118.exe
2888	d56fa13c3cbd6ba8dd773c9692bc52a9_JaffaCakes118.exe

Suspicious use of WriteProcessMemory 11 IoCs

description	pid	Process	procid_target
PID 2888 wrote to memory of 2164	2888	d56fa13c3cbd6ba8dd773c9692bc52a9_JaffaCakes118.exe	29
PID 2888 wrote to memory of 2164	2888	d56fa13c3cbd6ba8dd773c9692bc52a9_JaffaCakes118.exe	29
PID 2888 wrote to memory of 2164	2888	d56fa13c3cbd6ba8dd773c9692bc52a9_JaffaCakes118.exe	29
PID 2888 wrote to memory of 2164	2888	d56fa13c3cbd6ba8dd773c9692bc52a9_JaffaCakes118.exe	29
PID 2888 wrote to memory of 2164	2888	d56fa13c3cbd6ba8dd773c9692bc52a9_JaffaCakes118.exe	29
PID 2888 wrote to memory of 2164	2888	d56fa13c3cbd6ba8dd773c9692bc52a9_JaffaCakes118.exe	29
PID 2888 wrote to memory of 2164	2888	d56fa13c3cbd6ba8dd773c9692bc52a9_JaffaCakes118.exe	29
PID 2888 wrote to memory of 2996	2888	d56fa13c3cbd6ba8dd773c9692bc52a9_JaffaCakes118.exe	30
PID 2888 wrote to memory of 2996	2888	d56fa13c3cbd6ba8dd773c9692bc52a9_JaffaCakes118.exe	30
PID 2888 wrote to memory of 2996	2888	d56fa13c3cbd6ba8dd773c9692bc52a9_JaffaCakes118.exe	30
PID 2888 wrote to memory of 2996	2888	d56fa13c3cbd6ba8dd773c9692bc52a9_JaffaCakes118.exe	30

C:\Users\Admin\AppData\Local\Temp\d56fa13c3cbd6ba8dd773c9692bc52a9_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\d56fa13c3cbd6ba8dd773c9692bc52a9_JaffaCakes118.exe"
1⤵
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2888
- C:\Windows\SysWOW64\RUNDLL32.exe
  RUNDLL32 "c:\Program Files\WINDOWSS.INI" main
  2⤵
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  PID:2164
- C:\Windows\SysWOW64\cmd.exe
  cmd /c afc9fe2f418b00a0.bat
  2⤵
  - Deletes itself
  - System Location Discovery: System Language Discovery
  PID:2996

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\afc9fe2f418b00a0.bat

Filesize
2KB

MD5
9a5e9e56e868cdcab95af2631508c96e

SHA1
2e44d1effb65ecd0675681c161b653bef9268d67

SHA256
76916545a88775ffd9a7901ab646a8246bca5cc206d5d612fe13710a09063544

SHA512
77ac2cbe9f613263d84dfa5a5cb4586243be7f2f884f65f203eb4ac11a5180ef4f54766d3b4c279b43078883a86307cd87bc895cf8758f7af0e138ad7a4c83ab

Download Submit
\??\c:\Program Files\WINDOWSS.INI

Filesize
10.3MB

MD5
455fbaa2576f3c3af2ddc13720239af0

SHA1
80b505481a102cf4d5c21d697e129dbc2bf185b2

SHA256
390aee4221eacfe66a4dec1149f33de793a16fd0c002c9f054aa9c747565037e

SHA512
a9baee4fdfb95206099b6ab02e54591cbf50f7aba10a8bfdddcc5947757444b0579a78e1fb2152060f0988d2549e04121c8e82e27bf4660c9414c5f0e81be762

Download Submit
memory/2888-0-0x0000000000400000-0x000000000042C000-memory.dmp

Filesize
176KB

Download
memory/2888-5-0x0000000000400000-0x000000000042C000-memory.dmp

Filesize
176KB

Download