gh0strat | 4f6eb0f993a6d9375250360caf4017b59d86f6538ed5a2b77d87a1ed26c0ff51

Analysis

max time kernel
127s
max time network
128s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
12/09/2024, 04:11

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

dbc9cb903613c8b747f715c3f652e5e0_JaffaCakes118.exe
Size

108KB
MD5

dbc9cb903613c8b747f715c3f652e5e0
SHA1

edec5eb6022e4b3d45ff7047481f731da370f76e
SHA256

4f6eb0f993a6d9375250360caf4017b59d86f6538ed5a2b77d87a1ed26c0ff51
SHA512

5dce9baf5e2e09187fe34b8b8c3f374bcf73bb0a2001f0bc2ebac7ca54aa593d6c76ef8169725bcbbf61ab489fdc8c5cd6094c94f5f9d19e341a219f84d17d26
SSDEEP

3072:y2ntqz/0oXE5Lnetrwwcx3kW5cevqJPO7ql:yjj3E5uEwK0Cd7

Score

10^/10

gh0strat discovery rat

Malware Config

Signatures

Gh0st RAT payload 1 IoCs

resource	yara_rule
behavioral1/memory/1828-13-0x0000000010000000-0x000000001001A000-memory.dmp	family_gh0strat

Gh0strat
Gh0st RAT is a remote access tool (RAT) with its source code public and it has been used by multiple Chinese groups.
rat gh0strat

Drops startup file 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\winupdate.lnk	dbc9cb903613c8b747f715c3f652e5e0_JaffaCakes118.exe

Executes dropped EXE 1 IoCs

pid	Process
1828	QQExternal.exe

Loads dropped DLL 3 IoCs

pid	Process
1788	dbc9cb903613c8b747f715c3f652e5e0_JaffaCakes118.exe
1788	dbc9cb903613c8b747f715c3f652e5e0_JaffaCakes118.exe
1788	dbc9cb903613c8b747f715c3f652e5e0_JaffaCakes118.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	QQExternal.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	dbc9cb903613c8b747f715c3f652e5e0_JaffaCakes118.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 1788 wrote to memory of 1828	1788	dbc9cb903613c8b747f715c3f652e5e0_JaffaCakes118.exe	30
PID 1788 wrote to memory of 1828	1788	dbc9cb903613c8b747f715c3f652e5e0_JaffaCakes118.exe	30
PID 1788 wrote to memory of 1828	1788	dbc9cb903613c8b747f715c3f652e5e0_JaffaCakes118.exe	30
PID 1788 wrote to memory of 1828	1788	dbc9cb903613c8b747f715c3f652e5e0_JaffaCakes118.exe	30

C:\Users\Admin\AppData\Local\Temp\dbc9cb903613c8b747f715c3f652e5e0_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\dbc9cb903613c8b747f715c3f652e5e0_JaffaCakes118.exe"
1⤵
- Drops startup file
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1788
- C:\Users\Admin\AppData\Roaming\AcdSee5.1\QQExternal.exe
  C:\Users\Admin\AppData\Roaming\AcdSee5.1\QQExternal.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:1828

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\AcdSee5.1\QQLog.dat

Filesize
21B

MD5
4205cd4708a435a5d848287516c36888

SHA1
336daa353f82c6f712bbad272183d3b262a8e162

SHA256
f59d1ee03cbba2dc4a6e7cb9242dfbcf68a35c7ca944d3e508fe23e10427cb50

SHA512
8b7611b4615044cb2dc9fa3b9df34ec55c02df8af39d6caabba519b184810228d94171efdfcbf8c2db4202e52a919a0b695972bcf902181ed5f376adbee87de9

Download Submit
\Users\Admin\AppData\Roaming\AcdSee5.1\QQExternal.exe

Filesize
108KB

MD5
dbc9cb903613c8b747f715c3f652e5e0

SHA1
edec5eb6022e4b3d45ff7047481f731da370f76e

SHA256
4f6eb0f993a6d9375250360caf4017b59d86f6538ed5a2b77d87a1ed26c0ff51

SHA512
5dce9baf5e2e09187fe34b8b8c3f374bcf73bb0a2001f0bc2ebac7ca54aa593d6c76ef8169725bcbbf61ab489fdc8c5cd6094c94f5f9d19e341a219f84d17d26

Download Submit
memory/1828-13-0x0000000010000000-0x000000001001A000-memory.dmp

Filesize
104KB

Download