gh0strat | f0b67e6e8905396d6127aa7ad25f047e2537a7d15fc28207fd4186025411c0bd

General

Target

dd7565fbb173424cd438ea44a316b410_JaffaCakes118.exe
Size

112KB
MD5

dd7565fbb173424cd438ea44a316b410
SHA1

192aaee4cc47787bf7e63a1bdb9e448451e3a7f9
SHA256

f0b67e6e8905396d6127aa7ad25f047e2537a7d15fc28207fd4186025411c0bd
SHA512

dd7d41a705021515feaaa651b2c2d22168ef7b95be8c11dbb85027b26feb4d5b36eaa81e36e9d91e4c800205c73d4b5077da3fb0c9b9a43197ee1fbfd409794c
SSDEEP

3072:KpkSyGG5YgJAZYNfmb4Ujb/BRxZhvpA0RTw3o0C:KpkSyGIYgJAwfk4ipxhR9w3i

Score

10^/10

Malware Config

Signatures

Gh0st RAT payload 7 IoCs

resource	yara_rule
behavioral2/memory/2900-0-0x0000000000400000-0x000000000041E000-memory.dmp	family_gh0strat
behavioral2/files/0x0008000000023415-4.dat	family_gh0strat
behavioral2/memory/2900-6-0x0000000010000000-0x000000001001B000-memory.dmp	family_gh0strat
behavioral2/files/0x0008000000023418-11.dat	family_gh0strat
behavioral2/memory/2900-13-0x0000000000400000-0x000000000041E000-memory.dmp	family_gh0strat
behavioral2/memory/4160-14-0x0000000010000000-0x000000001001B000-memory.dmp	family_gh0strat
behavioral2/memory/4160-15-0x0000000010000000-0x000000001001B000-memory.dmp	family_gh0strat

Gh0strat
Gh0st RAT is a remote access tool (RAT) with its source code public and it has been used by multiple Chinese groups.
rat gh0strat

Drops file in Drivers directory 2 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\Drivers\beep.sys	dd7565fbb173424cd438ea44a316b410_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\Drivers\beep.sys	SVCHOST.EXE

Server Software Component: Terminal Services DLL 1 TTPs 1 IoCs

persistence

Terminal Services DLL

T1505.005

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\FastUserSwitchingCompatibility\Parameters\ServiceDll = "C:\\Windows\\system32\\FastUserSwitchingCompatibility360.dll"	dd7565fbb173424cd438ea44a316b410_JaffaCakes118.exe

Deletes itself 1 IoCs

pid	Process
4160	SVCHOST.EXE

Loads dropped DLL 2 IoCs

pid	Process
2900	dd7565fbb173424cd438ea44a316b410_JaffaCakes118.exe
4160	SVCHOST.EXE

Drops file in System32 directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\FastUserSwitchingCompatibility360.dll	dd7565fbb173424cd438ea44a316b410_JaffaCakes118.exe

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	SVCHOST.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	dd7565fbb173424cd438ea44a316b410_JaffaCakes118.exe

Kills process with taskkill 1 IoCs

evasion

pid	Process
4136	taskkill.exe

Suspicious behavior: LoadsDriver 2 IoCs

pid	Process
656	Process not Found
656	Process not Found

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	4136	taskkill.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 2900 wrote to memory of 4136	2900	dd7565fbb173424cd438ea44a316b410_JaffaCakes118.exe	83
PID 2900 wrote to memory of 4136	2900	dd7565fbb173424cd438ea44a316b410_JaffaCakes118.exe	83
PID 2900 wrote to memory of 4136	2900	dd7565fbb173424cd438ea44a316b410_JaffaCakes118.exe	83

C:\Users\Admin\AppData\Local\Temp\dd7565fbb173424cd438ea44a316b410_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\dd7565fbb173424cd438ea44a316b410_JaffaCakes118.exe"
1⤵
- Drops file in Drivers directory
- Server Software Component: Terminal Services DLL
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2900
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /f /t /im RSTray.exe
  2⤵
  - System Location Discovery: System Language Discovery
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:4136

C:\Windows\SysWOW64\SVCHOST.EXE
C:\Windows\SysWOW64\SVCHOST.EXE -K NETSVCS -s FastUserSwitchingCompatibility
1⤵
- Drops file in Drivers directory
- Deletes itself
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:4160

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Server Software Component

1

T1505

Terminal Services DLL

1

T1505.005

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\240611562_360.temp

Filesize
99KB

MD5
f616e0a6155e1c3801cab452ce648529

SHA1
509c5e67c90730c192eb209d1ab6c02615b07f12

SHA256
cee8b46b4637424205965f6584eb2f3cd0c062112e31b16e696b8674ad5710fe

SHA512
5bae5e243d1d8c4e8a335d674ad62676c956b389d0598bd8ffa214d21272da67fac59d81fd7b866d0d20c8217eb0c92df2e4d925cf3f0f793aca3107a5acf99d

Download Submit
\??\c:\windows\SysWOW64\fastuserswitchingcompatibility360.dll

Filesize
99KB

MD5
0e059d6a0f3f08082712c2f828ea244b

SHA1
c5a5f7e6920333419d9a12e5a209ed57ac64b938

SHA256
8d356cfabe2b6a7be6434351d08b243868facd7b32d5950d6bc8b02584bd1d91

SHA512
6114c72b0f9d2ad09d97a26466d6250a2c2712f91b116f4125bc1252ce20f14708f63f5691f021fac58e0e25a886d6944b589f16d81e0d1626090e807fcf1b8e

Download Submit
memory/2900-0-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/2900-6-0x0000000010000000-0x000000001001B000-memory.dmp

Filesize
108KB

Download
memory/2900-13-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/4160-14-0x0000000010000000-0x000000001001B000-memory.dmp

Filesize
108KB

Download
memory/4160-15-0x0000000010000000-0x000000001001B000-memory.dmp

Filesize
108KB

Download

Analysis

Sharing