gh0strat | 34076f2af24d5a94672159b3cf556eaaa7d83682a07bf2b25a0d7ae0bf9cb81f

Analysis

max time kernel
131s
max time network
133s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
29/09/2024, 18:35

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

ff21ef52320a24f3361cb01dd77d810e_JaffaCakes118.exe
Size

96KB
MD5

ff21ef52320a24f3361cb01dd77d810e
SHA1

6e06bc83ac1d73515706d30982220443dc783db8
SHA256

34076f2af24d5a94672159b3cf556eaaa7d83682a07bf2b25a0d7ae0bf9cb81f
SHA512

9bfda558db57d15542629a20827e61464bc20437a1c4c95ad7ebc9615fe8b9d8c74e1a3c60e06ed03ae71a1849645ee74e38151e22f5119b9c3b203e393067aa
SSDEEP

1536:xhFusSx9qYMhdFHS8qdydo3nTzhYxJA+CwNUtBZVY9v8pr5lqiOa8:x3S4jHS8q/3nTzePCwNUh4E95l8a8

Score

10^/10

gh0strat discovery rat

Malware Config

Signatures

Gh0st RAT payload 5 IoCs

resource	yara_rule
behavioral2/files/0x0008000000023613-15.dat	family_gh0strat
behavioral2/memory/5204-18-0x0000000000400000-0x000000000044E2EC-memory.dmp	family_gh0strat
behavioral2/memory/4796-21-0x0000000020000000-0x0000000020027000-memory.dmp	family_gh0strat
behavioral2/memory/1444-26-0x0000000020000000-0x0000000020027000-memory.dmp	family_gh0strat
behavioral2/memory/1888-31-0x0000000020000000-0x0000000020027000-memory.dmp	family_gh0strat

Gh0strat
Gh0st RAT is a remote access tool (RAT) with its source code public and it has been used by multiple Chinese groups.
rat gh0strat

Deletes itself 1 IoCs

pid	Process
5204	mlpbmcorgd

Executes dropped EXE 1 IoCs

pid	Process
5204	mlpbmcorgd

Loads dropped DLL 3 IoCs

pid	Process
4796	svchost.exe
1444	svchost.exe
1888	svchost.exe

Drops file in System32 directory 8 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\wcnlqgteih	svchost.exe
File opened for modification	C:\Windows\SysWOW64\svchost.exe.txt	svchost.exe
File created	C:\Windows\SysWOW64\wkkyaaojiq	svchost.exe
File opened for modification	C:\Windows\SysWOW64\svchost.exe.txt	svchost.exe
File created	C:\Windows\SysWOW64\wtysidrhum	svchost.exe
File created	C:\Windows\SysWOW64\wtysidrhum	svchost.exe
File opened for modification	C:\Windows\SysWOW64\svchost.exe.txt	svchost.exe
File created	C:\Windows\SysWOW64\wcnlqgteih	svchost.exe

Program crash 3 IoCs

pid	pid_target	Process	procid_target
5896	4796	WerFault.exe	92
5940	1444	WerFault.exe	98
3980	1888	WerFault.exe	101

System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ff21ef52320a24f3361cb01dd77d810e_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mlpbmcorgd

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
5204	mlpbmcorgd
5204	mlpbmcorgd

Suspicious use of AdjustPrivilegeToken 46 IoCs

description	pid	Process
Token: SeRestorePrivilege	5204	mlpbmcorgd
Token: SeBackupPrivilege	5204	mlpbmcorgd
Token: SeBackupPrivilege	5204	mlpbmcorgd
Token: SeRestorePrivilege	5204	mlpbmcorgd
Token: SeBackupPrivilege	4796	svchost.exe
Token: SeRestorePrivilege	4796	svchost.exe
Token: SeBackupPrivilege	4796	svchost.exe
Token: SeBackupPrivilege	4796	svchost.exe
Token: SeSecurityPrivilege	4796	svchost.exe
Token: SeSecurityPrivilege	4796	svchost.exe
Token: SeBackupPrivilege	4796	svchost.exe
Token: SeBackupPrivilege	4796	svchost.exe
Token: SeSecurityPrivilege	4796	svchost.exe
Token: SeBackupPrivilege	4796	svchost.exe
Token: SeBackupPrivilege	4796	svchost.exe
Token: SeSecurityPrivilege	4796	svchost.exe
Token: SeBackupPrivilege	4796	svchost.exe
Token: SeRestorePrivilege	4796	svchost.exe
Token: SeBackupPrivilege	1444	svchost.exe
Token: SeRestorePrivilege	1444	svchost.exe
Token: SeBackupPrivilege	1444	svchost.exe
Token: SeBackupPrivilege	1444	svchost.exe
Token: SeSecurityPrivilege	1444	svchost.exe
Token: SeSecurityPrivilege	1444	svchost.exe
Token: SeBackupPrivilege	1444	svchost.exe
Token: SeBackupPrivilege	1444	svchost.exe
Token: SeSecurityPrivilege	1444	svchost.exe
Token: SeBackupPrivilege	1444	svchost.exe
Token: SeBackupPrivilege	1444	svchost.exe
Token: SeSecurityPrivilege	1444	svchost.exe
Token: SeBackupPrivilege	1444	svchost.exe
Token: SeRestorePrivilege	1444	svchost.exe
Token: SeBackupPrivilege	1888	svchost.exe
Token: SeRestorePrivilege	1888	svchost.exe
Token: SeBackupPrivilege	1888	svchost.exe
Token: SeBackupPrivilege	1888	svchost.exe
Token: SeSecurityPrivilege	1888	svchost.exe
Token: SeSecurityPrivilege	1888	svchost.exe
Token: SeBackupPrivilege	1888	svchost.exe
Token: SeBackupPrivilege	1888	svchost.exe
Token: SeSecurityPrivilege	1888	svchost.exe
Token: SeBackupPrivilege	1888	svchost.exe
Token: SeBackupPrivilege	1888	svchost.exe
Token: SeSecurityPrivilege	1888	svchost.exe
Token: SeBackupPrivilege	1888	svchost.exe
Token: SeRestorePrivilege	1888	svchost.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 3608 wrote to memory of 5204	3608	ff21ef52320a24f3361cb01dd77d810e_JaffaCakes118.exe	89
PID 3608 wrote to memory of 5204	3608	ff21ef52320a24f3361cb01dd77d810e_JaffaCakes118.exe	89
PID 3608 wrote to memory of 5204	3608	ff21ef52320a24f3361cb01dd77d810e_JaffaCakes118.exe	89

C:\Users\Admin\AppData\Local\Temp\ff21ef52320a24f3361cb01dd77d810e_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\ff21ef52320a24f3361cb01dd77d810e_JaffaCakes118.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3608
- \??\c:\users\admin\appdata\local\mlpbmcorgd
  "C:\Users\Admin\AppData\Local\Temp\ff21ef52320a24f3361cb01dd77d810e_JaffaCakes118.exe" a -sc:\users\admin\appdata\local\temp\ff21ef52320a24f3361cb01dd77d810e_jaffacakes118.exe
  2⤵
  - Deletes itself
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:5204

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k netsvcs -s fastuserswitchingcompatibility
1⤵
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
PID:4796
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 4796 -s 804
  2⤵
  - Program crash
  PID:5896

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 452 -p 4796 -ip 4796
1⤵
PID:5424

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k netsvcs -s fastuserswitchingcompatibility
1⤵
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
PID:1444
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 1444 -s 868
  2⤵
  - Program crash
  PID:5940

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 508 -p 1444 -ip 1444
1⤵
PID:2004

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k netsvcs -s fastuserswitchingcompatibility
1⤵
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
PID:1888
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 1888 -s 776
  2⤵
  - Program crash
  PID:3980

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --field-trial-handle=3820,i,2904906934812054273,11716976550456127484,262144 --variations-seed-version --mojo-platform-channel-handle=4384 /prefetch:8
1⤵
PID:2988

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 1888 -ip 1888
1⤵
PID:3664

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\mlpbmcorgd

Filesize
22.3MB

MD5
1cc83a0cc148e2f312c9b5f214b90f06

SHA1
88f3c9da15105345445706a29ad12eb90b247dda

SHA256
a3987478f83b804c25990bfbce8e09bed7fb15465f60255b75be3b4f06ad91d6

SHA512
0b86ecbd28255424ed0b43c230b311953f67eee875fd030ad61dbd9934fb728e431aa0f5d91dbc700fa67cf3e36b52d5c451a37f24211e378cb1dc571575ac4f

Download Submit
C:\Windows\SysWOW64\svchost.exe.txt

Filesize
204B

MD5
85e370c921437f5a4fe99366e3538b43

SHA1
fb74d100fc7e98c564c2db2de34b596ec7903e22

SHA256
39f2442570f7b5ce5b8a1bcab6a7b0e45db65c68bee8be90215b842c381ba703

SHA512
5c92c649521bff3b336017145c330bf51eb7b97acb45b4df03fe6b1cee2aebf1b00acfc2dc45d4cd8a1cd547858f829713ba6b886bba6a44261d4b9bcb8dcb2d

Download Submit
C:\Windows\SysWOW64\svchost.exe.txt

Filesize
306B

MD5
20d12df2469c18ab9391b2b43b98bc9a

SHA1
f281f46ed8f1ded2a0274e0a5e5d702353f15f00

SHA256
0d2089c21e4a500e1bd0b7ce0d72fb4a870510fc2deed77a32b8201ebb64f79c

SHA512
7ea89d106f467764a9818cce7c942893492cc2a6a46da290be6d95b7c966796b1d31f7855c6f4ad905bb9ae73de86b3f86ac9dd07bb2f98dc4729c20d0dd48ce

Download Submit
\??\c:\programdata\application data\storm\update\%sessionname%\hhtkq.cc3

Filesize
23.0MB

MD5
b1dc7157059e86385b62b557666895b7

SHA1
78450c3d395680e90c9a5845fae04ffd5ab3ff0e

SHA256
1d2c62022212a177a4548188c00e7a953cfcd4ccc2015c3b2495e5132ff04a75

SHA512
961dd03d9a6ef6955dc972b372d49930bbaf9263cca6450155c894763ca45daaf7c9401cc4b4a2f2b3ecdc2e150fae72df1e84a647975f40ad19d83ce92c3672

Download Submit
memory/1444-26-0x0000000020000000-0x0000000020027000-memory.dmp

Filesize
156KB

Download
memory/1444-23-0x00000000013F0000-0x00000000013F1000-memory.dmp

Filesize
4KB

Download
memory/1888-31-0x0000000020000000-0x0000000020027000-memory.dmp

Filesize
156KB

Download
memory/1888-28-0x00000000016E0000-0x00000000016E1000-memory.dmp

Filesize
4KB

Download
memory/3608-2-0x00000000001D0000-0x00000000001D1000-memory.dmp

Filesize
4KB

Download
memory/3608-11-0x0000000000400000-0x000000000044E2EC-memory.dmp

Filesize
312KB

Download
memory/3608-0-0x0000000000400000-0x000000000044E2EC-memory.dmp

Filesize
312KB

Download
memory/4796-19-0x00000000011D0000-0x00000000011D1000-memory.dmp

Filesize
4KB

Download
memory/4796-21-0x0000000020000000-0x0000000020027000-memory.dmp

Filesize
156KB

Download
memory/5204-18-0x0000000000400000-0x000000000044E2EC-memory.dmp

Filesize
312KB

Download
memory/5204-7-0x0000000000400000-0x000000000044E2EC-memory.dmp

Filesize
312KB

Download
memory/5204-12-0x00000000001D0000-0x00000000001D1000-memory.dmp

Filesize
4KB

Download