gh0strat | 0ec3803ec106786b2e9394bc4f53c95d95236a6df2fe72487515f45b861242dc

Analysis

max time kernel
94s
max time network
143s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
29-09-2024 07:40

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

fe122b7ae0f9fd8d0fbefe031c57e276_JaffaCakes118.exe
Size

192KB
MD5

fe122b7ae0f9fd8d0fbefe031c57e276
SHA1

e8728f97a6c9393a2b90cff12162e15b07afe9be
SHA256

0ec3803ec106786b2e9394bc4f53c95d95236a6df2fe72487515f45b861242dc
SHA512

8af155c9f65c77f67b12d6714b805827b578d7c7effdd284a56b5e8131aa2e402057cd2b98e84244c179b4492416a52ff60e86a31ff6ab9f280f2c820abc1b44
SSDEEP

3072:Snd4FNcJId/NgytvzCzzBpp/SBYPXHex7BJSjNEJXo6j2:yd4FNcwlpUBVPHSSZEi

Score

10^/10

gh0strat discovery rat

Malware Config

Signatures

Gh0st RAT payload 2 IoCs

resource	yara_rule
behavioral2/memory/436-4-0x0000000000400000-0x0000000000431000-memory.dmp	family_gh0strat
behavioral2/files/0x000800000002344c-12.dat	family_gh0strat

Gh0strat
Gh0st RAT is a remote access tool (RAT) with its source code public and it has been used by multiple Chinese groups.
rat gh0strat

Deletes itself 1 IoCs

pid	Process
2344	iqwhxg

Executes dropped EXE 1 IoCs

pid	Process
2344	iqwhxg

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	fe122b7ae0f9fd8d0fbefe031c57e276_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	iqwhxg

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
436	fe122b7ae0f9fd8d0fbefe031c57e276_JaffaCakes118.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeRestorePrivilege	2344	iqwhxg
Token: SeBackupPrivilege	2344	iqwhxg
Token: SeBackupPrivilege	2344	iqwhxg
Token: SeRestorePrivilege	2344	iqwhxg
Token: SeRestorePrivilege	2344	iqwhxg
Token: SeBackupPrivilege	2344	iqwhxg
Token: SeBackupPrivilege	2344	iqwhxg
Token: SeRestorePrivilege	2344	iqwhxg
Token: SeRestorePrivilege	2344	iqwhxg
Token: SeBackupPrivilege	2344	iqwhxg
Token: SeBackupPrivilege	2344	iqwhxg
Token: SeRestorePrivilege	2344	iqwhxg
Token: SeRestorePrivilege	2344	iqwhxg
Token: SeBackupPrivilege	2344	iqwhxg
Token: SeBackupPrivilege	2344	iqwhxg
Token: SeRestorePrivilege	2344	iqwhxg
Token: SeRestorePrivilege	2344	iqwhxg
Token: SeBackupPrivilege	2344	iqwhxg
Token: SeBackupPrivilege	2344	iqwhxg
Token: SeRestorePrivilege	2344	iqwhxg
Token: SeRestorePrivilege	2344	iqwhxg
Token: SeBackupPrivilege	2344	iqwhxg
Token: SeBackupPrivilege	2344	iqwhxg
Token: SeRestorePrivilege	2344	iqwhxg
Token: SeRestorePrivilege	2344	iqwhxg
Token: SeBackupPrivilege	2344	iqwhxg
Token: SeBackupPrivilege	2344	iqwhxg
Token: SeRestorePrivilege	2344	iqwhxg
Token: SeRestorePrivilege	2344	iqwhxg
Token: SeBackupPrivilege	2344	iqwhxg
Token: SeBackupPrivilege	2344	iqwhxg
Token: SeRestorePrivilege	2344	iqwhxg
Token: SeRestorePrivilege	2344	iqwhxg
Token: SeBackupPrivilege	2344	iqwhxg
Token: SeBackupPrivilege	2344	iqwhxg
Token: SeRestorePrivilege	2344	iqwhxg
Token: SeRestorePrivilege	2344	iqwhxg
Token: SeBackupPrivilege	2344	iqwhxg
Token: SeBackupPrivilege	2344	iqwhxg
Token: SeRestorePrivilege	2344	iqwhxg
Token: SeRestorePrivilege	2344	iqwhxg
Token: SeBackupPrivilege	2344	iqwhxg
Token: SeBackupPrivilege	2344	iqwhxg
Token: SeRestorePrivilege	2344	iqwhxg
Token: SeRestorePrivilege	2344	iqwhxg
Token: SeBackupPrivilege	2344	iqwhxg
Token: SeBackupPrivilege	2344	iqwhxg
Token: SeRestorePrivilege	2344	iqwhxg
Token: SeRestorePrivilege	2344	iqwhxg
Token: SeBackupPrivilege	2344	iqwhxg
Token: SeBackupPrivilege	2344	iqwhxg
Token: SeRestorePrivilege	2344	iqwhxg
Token: SeRestorePrivilege	2344	iqwhxg
Token: SeBackupPrivilege	2344	iqwhxg
Token: SeBackupPrivilege	2344	iqwhxg
Token: SeRestorePrivilege	2344	iqwhxg
Token: SeRestorePrivilege	2344	iqwhxg
Token: SeBackupPrivilege	2344	iqwhxg
Token: SeBackupPrivilege	2344	iqwhxg
Token: SeRestorePrivilege	2344	iqwhxg
Token: SeRestorePrivilege	2344	iqwhxg
Token: SeBackupPrivilege	2344	iqwhxg
Token: SeBackupPrivilege	2344	iqwhxg
Token: SeRestorePrivilege	2344	iqwhxg

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 436 wrote to memory of 2344	436	fe122b7ae0f9fd8d0fbefe031c57e276_JaffaCakes118.exe	82
PID 436 wrote to memory of 2344	436	fe122b7ae0f9fd8d0fbefe031c57e276_JaffaCakes118.exe	82
PID 436 wrote to memory of 2344	436	fe122b7ae0f9fd8d0fbefe031c57e276_JaffaCakes118.exe	82

C:\Users\Admin\AppData\Local\Temp\fe122b7ae0f9fd8d0fbefe031c57e276_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\fe122b7ae0f9fd8d0fbefe031c57e276_JaffaCakes118.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious behavior: RenamesItself
- Suspicious use of WriteProcessMemory
PID:436
- \??\c:\users\admin\appdata\local\iqwhxg
  "C:\Users\Admin\AppData\Local\Temp\fe122b7ae0f9fd8d0fbefe031c57e276_JaffaCakes118.exe"a -s
  2⤵
  - Deletes itself
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  PID:2344

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k localService -p -s RemoteRegistry
1⤵
PID:3860

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\lvgoqvvjdj.dat

Filesize
153KB

MD5
bbfdca96f70cc10defda7a8cbdc3f776

SHA1
93e9e9285660c6304a760759da9eeaf7cd50d6b5

SHA256
b789cfc248b9ea67db7a5d69a0d52ee74ce70ad883711db5d36d1f07d670ae1b

SHA512
fdad9bf21551c9533fb2678d45818df1cecdcf40ddc0fdeab54993e76fdd265e4eb4cfedbcae1285e300d37d6c774cd8b4fb1a1c7a420258ee9d3c46df91f3fe

Download Submit
C:\Users\Admin\AppData\Local\iqwhxg

Filesize
192KB

MD5
80eeadf49d3b2a8268549c8e4423fa56

SHA1
c05b7d185e51df6caabc6629ca9571fdf66cfbe7

SHA256
d4a4308672be484114f4b301614a2ebda54065852609ac389a87ad454bcc7207

SHA512
894f23448596a0aa9f5e64406e27c382995911277d6f90dd5f231189d01487ca466df3297fa16eed72a328c6312767d507f2aac7b4a26a15747cc5450b546c57

Download Submit
memory/436-4-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download