gh0strat | 429cbfbe215c8c9bb4b294e530c175798b991c12c6d337ddd53628d77f2613b3

Analysis

max time kernel
93s
max time network
95s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
12/09/2024, 00:29

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

db7ea379b08e3a2b9f93822ec4fd56a0_JaffaCakes118.exe
Size

96KB
MD5

db7ea379b08e3a2b9f93822ec4fd56a0
SHA1

9cbf33d06f676b08fa96c69aa899812d312de45e
SHA256

429cbfbe215c8c9bb4b294e530c175798b991c12c6d337ddd53628d77f2613b3
SHA512

7370f53be0ef825dab43141e7e5288f412f3e1677ac5721aad24450b6083f6ef17fbeb634bb6cfc6f7cb7bc33e0e9645c239992318f4c6a7cca6d1b01e62c5d7
SSDEEP

1536:xhFusSx9qYMhdFHS8qdydo3nTzhYxJA+CwNUtBZVY9v8pr5lqiOa4:x3S4jHS8q/3nTzePCwNUh4E95l8a4

Score

10^/10

gh0strat discovery rat

Malware Config

Signatures

Gh0st RAT payload 5 IoCs

resource	yara_rule
behavioral2/files/0x000a0000000234d0-15.dat	family_gh0strat
behavioral2/memory/3516-17-0x0000000000400000-0x000000000044E2EC-memory.dmp	family_gh0strat
behavioral2/memory/4760-20-0x0000000020000000-0x0000000020027000-memory.dmp	family_gh0strat
behavioral2/memory/3508-25-0x0000000020000000-0x0000000020027000-memory.dmp	family_gh0strat
behavioral2/memory/4544-30-0x0000000020000000-0x0000000020027000-memory.dmp	family_gh0strat

Gh0strat
Gh0st RAT is a remote access tool (RAT) with its source code public and it has been used by multiple Chinese groups.
rat gh0strat

Deletes itself 1 IoCs

pid	Process
3516	jorcsjcinh

Executes dropped EXE 1 IoCs

pid	Process
3516	jorcsjcinh

Loads dropped DLL 3 IoCs

pid	Process
4760	svchost.exe
3508	svchost.exe
4544	svchost.exe

Drops file in System32 directory 7 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\acpqqxjxxg	svchost.exe
File opened for modification	C:\Windows\SysWOW64\svchost.exe.txt	svchost.exe
File created	C:\Windows\SysWOW64\akejyblvlc	svchost.exe
File created	C:\Windows\SysWOW64\akejyblvlc	svchost.exe
File opened for modification	C:\Windows\SysWOW64\svchost.exe.txt	svchost.exe
File created	C:\Windows\SysWOW64\asschentxw	svchost.exe
File opened for modification	C:\Windows\SysWOW64\svchost.exe.txt	svchost.exe

Program crash 3 IoCs

pid	pid_target	Process	procid_target
4144	4760	WerFault.exe	93
5088	3508	WerFault.exe	99
2548	4544	WerFault.exe	102

System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	jorcsjcinh
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	db7ea379b08e3a2b9f93822ec4fd56a0_JaffaCakes118.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
3516	jorcsjcinh
3516	jorcsjcinh

Suspicious use of AdjustPrivilegeToken 46 IoCs

description	pid	Process
Token: SeRestorePrivilege	3516	jorcsjcinh
Token: SeBackupPrivilege	3516	jorcsjcinh
Token: SeBackupPrivilege	3516	jorcsjcinh
Token: SeRestorePrivilege	3516	jorcsjcinh
Token: SeBackupPrivilege	4760	svchost.exe
Token: SeRestorePrivilege	4760	svchost.exe
Token: SeBackupPrivilege	4760	svchost.exe
Token: SeBackupPrivilege	4760	svchost.exe
Token: SeSecurityPrivilege	4760	svchost.exe
Token: SeSecurityPrivilege	4760	svchost.exe
Token: SeBackupPrivilege	4760	svchost.exe
Token: SeBackupPrivilege	4760	svchost.exe
Token: SeSecurityPrivilege	4760	svchost.exe
Token: SeBackupPrivilege	4760	svchost.exe
Token: SeBackupPrivilege	4760	svchost.exe
Token: SeSecurityPrivilege	4760	svchost.exe
Token: SeBackupPrivilege	4760	svchost.exe
Token: SeRestorePrivilege	4760	svchost.exe
Token: SeBackupPrivilege	3508	svchost.exe
Token: SeRestorePrivilege	3508	svchost.exe
Token: SeBackupPrivilege	3508	svchost.exe
Token: SeBackupPrivilege	3508	svchost.exe
Token: SeSecurityPrivilege	3508	svchost.exe
Token: SeSecurityPrivilege	3508	svchost.exe
Token: SeBackupPrivilege	3508	svchost.exe
Token: SeBackupPrivilege	3508	svchost.exe
Token: SeSecurityPrivilege	3508	svchost.exe
Token: SeBackupPrivilege	3508	svchost.exe
Token: SeBackupPrivilege	3508	svchost.exe
Token: SeSecurityPrivilege	3508	svchost.exe
Token: SeBackupPrivilege	3508	svchost.exe
Token: SeRestorePrivilege	3508	svchost.exe
Token: SeBackupPrivilege	4544	svchost.exe
Token: SeRestorePrivilege	4544	svchost.exe
Token: SeBackupPrivilege	4544	svchost.exe
Token: SeBackupPrivilege	4544	svchost.exe
Token: SeSecurityPrivilege	4544	svchost.exe
Token: SeSecurityPrivilege	4544	svchost.exe
Token: SeBackupPrivilege	4544	svchost.exe
Token: SeBackupPrivilege	4544	svchost.exe
Token: SeSecurityPrivilege	4544	svchost.exe
Token: SeBackupPrivilege	4544	svchost.exe
Token: SeBackupPrivilege	4544	svchost.exe
Token: SeSecurityPrivilege	4544	svchost.exe
Token: SeBackupPrivilege	4544	svchost.exe
Token: SeRestorePrivilege	4544	svchost.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 2964 wrote to memory of 3516	2964	db7ea379b08e3a2b9f93822ec4fd56a0_JaffaCakes118.exe	87
PID 2964 wrote to memory of 3516	2964	db7ea379b08e3a2b9f93822ec4fd56a0_JaffaCakes118.exe	87
PID 2964 wrote to memory of 3516	2964	db7ea379b08e3a2b9f93822ec4fd56a0_JaffaCakes118.exe	87

C:\Users\Admin\AppData\Local\Temp\db7ea379b08e3a2b9f93822ec4fd56a0_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\db7ea379b08e3a2b9f93822ec4fd56a0_JaffaCakes118.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2964
- \??\c:\users\admin\appdata\local\jorcsjcinh
  "C:\Users\Admin\AppData\Local\Temp\db7ea379b08e3a2b9f93822ec4fd56a0_JaffaCakes118.exe" a -sc:\users\admin\appdata\local\temp\db7ea379b08e3a2b9f93822ec4fd56a0_jaffacakes118.exe
  2⤵
  - Deletes itself
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:3516

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k netsvcs -s fastuserswitchingcompatibility
1⤵
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
PID:4760
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 4760 -s 840
  2⤵
  - Program crash
  PID:4144

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 452 -p 4760 -ip 4760
1⤵
PID:4924

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k netsvcs -s fastuserswitchingcompatibility
1⤵
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
PID:3508
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 3508 -s 1088
  2⤵
  - Program crash
  PID:5088

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 404 -p 3508 -ip 3508
1⤵
PID:4580

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k netsvcs -s fastuserswitchingcompatibility
1⤵
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
PID:4544
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 4544 -s 888
  2⤵
  - Program crash
  PID:2548

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 4544 -ip 4544
1⤵
PID:3984

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\jorcsjcinh

Filesize
24.6MB

MD5
b4430cd4e00e6218ee4272f7195edb59

SHA1
c61147169a4a5638b527ba80494cac9615b9837b

SHA256
bfb14e520f256d4896559c2a16e0243d72e9e1cbddc46600a9b9b67307ccef52

SHA512
55f2b70cf7ebbb2ffea626f383badf68c0fd7987f48d7a2c698247c9509794213bcccedf9c198894a77f9c8c9721da4dcdc5ef0113f8f066542eec355ef1721b

Download Submit
C:\Windows\SysWOW64\svchost.exe.txt

Filesize
202B

MD5
900a78e8923145fd48aca9420c837d6d

SHA1
5e8de632f119fd27f274e19d81870d1707fc0e12

SHA256
a7853ef1cd88f631daa3f24a452efb32d50c56de9c45f5af572b9e6cf1efe021

SHA512
e7a9a54965f4cc868e528a2d76d1405db6c7c536c177a04c4b8d794592333d3cbde7afd09f87596052a88ea0c0e2390199350f57ed6a43eb5b0e2bdbb33d7fe1

Download Submit
C:\Windows\SysWOW64\svchost.exe.txt

Filesize
303B

MD5
8aa7ff9d3bf17cd3731598f7aeb9fde7

SHA1
beb9b49b493ab98d83a161624afe31ec89251d00

SHA256
dd9243214f22da418e8e7082075babc84e609105528071d6067319114bb7c1d4

SHA512
864dbef0e877b0ec64c3b30c60b0e47d7896c76890fcd5c5307f66f378b9459dbb057adc2807fb23b9f52eb484b060d82c62729ea9a5efa3b0a117b6c817002d

Download Submit
\??\c:\programdata\application data\storm\update\%sessionname%\xqvlo.cc3

Filesize
22.1MB

MD5
cc21105f002fad147f4762d36a62e9b7

SHA1
709841df8c48223cf9033a9d84a6bdf0ef21b4f0

SHA256
8260d375c3a22f5dfa6bf603172ff0c1e3e7b2e0b274e182f9daeedfa11e7200

SHA512
d81754f98638ea1b85c12fed24e799c603252b82ace2c4c787b2752399f9754b3f683abc5be58f12e355d0ba1db5248bcd6b4ec0a021b0cb573df1665e77422a

Download Submit
memory/2964-2-0x00000000001E0000-0x00000000001E1000-memory.dmp

Filesize
4KB

Download
memory/2964-8-0x0000000000400000-0x000000000044E2EC-memory.dmp

Filesize
312KB

Download
memory/2964-0-0x0000000000400000-0x000000000044E2EC-memory.dmp

Filesize
312KB

Download
memory/3508-25-0x0000000020000000-0x0000000020027000-memory.dmp

Filesize
156KB

Download
memory/3508-22-0x00000000017E0000-0x00000000017E1000-memory.dmp

Filesize
4KB

Download
memory/3516-17-0x0000000000400000-0x000000000044E2EC-memory.dmp

Filesize
312KB

Download
memory/3516-12-0x00000000001D0000-0x00000000001D1000-memory.dmp

Filesize
4KB

Download
memory/3516-9-0x0000000000400000-0x000000000044E2EC-memory.dmp

Filesize
312KB

Download
memory/4544-27-0x0000000001490000-0x0000000001491000-memory.dmp

Filesize
4KB

Download
memory/4544-30-0x0000000020000000-0x0000000020027000-memory.dmp

Filesize
156KB

Download
memory/4760-18-0x00000000018A0000-0x00000000018A1000-memory.dmp

Filesize
4KB

Download
memory/4760-20-0x0000000020000000-0x0000000020027000-memory.dmp

Filesize
156KB

Download