gh0strat | 7394b6d49596804f4b3a31f0499a2f327a936d1f5b83506e636ea92c646593c1 | Triage

Submit
Reports

Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

Static

static

3

ff9754bf6d...18.exe

windows7-x64

ff9754bf6d...18.exe

windows10-2004-x64

Sharing

General

Target

ff9754bf6da70ff2a900bafce7b49a58_JaffaCakes118
Size

208KB
Sample

240930-ayngtaybnq
MD5

ff9754bf6da70ff2a900bafce7b49a58
SHA1

16cdbb1828180218d110ffd7c42c4c65a55bffec
SHA256

7394b6d49596804f4b3a31f0499a2f327a936d1f5b83506e636ea92c646593c1
SHA512

a5de0aa17d44c73e3c0cffd080572b0e828081fbd0afc6532229dbe903d710a8dbaf6aaeab457b2cc6f0702ec8e62bf29e0d0b237512544ca618a9aba8ab8fed
SSDEEP

3072:4iKimYGoBtIThwaDLNhHNSKbRPJce0Xgu+8HNmq61WtEl9pKY+TluMnEdrhTJJ:4iKY30Thw4LtLjJSgfcgL1b9D4EdXJ

Score

10^/10

gh0strat discovery persistence rat

Static task

static1

1 signatures

Behavioral task

behavioral1

Sample

ff9754bf6da70ff2a900bafce7b49a58_JaffaCakes118.exe

Resource

win7-20240903-en

gh0strat discovery persistence rat

windows7-x64

10 signatures

150 seconds

Behavioral task

behavioral2

Sample

ff9754bf6da70ff2a900bafce7b49a58_JaffaCakes118.exe

Resource

win10v2004-20240802-en

gh0strat discovery persistence rat

windows10-2004-x64

11 signatures

150 seconds

Malware Config

Targets

- Target
  
  ff9754bf6da70ff2a900bafce7b49a58_JaffaCakes118
- Size
  
  208KB
- MD5
  
  ff9754bf6da70ff2a900bafce7b49a58
- SHA1
  
  16cdbb1828180218d110ffd7c42c4c65a55bffec
- SHA256
  
  7394b6d49596804f4b3a31f0499a2f327a936d1f5b83506e636ea92c646593c1
- SHA512
  
  a5de0aa17d44c73e3c0cffd080572b0e828081fbd0afc6532229dbe903d710a8dbaf6aaeab457b2cc6f0702ec8e62bf29e0d0b237512544ca618a9aba8ab8fed
- SSDEEP
  
  3072:4iKimYGoBtIThwaDLNhHNSKbRPJce0Xgu+8HNmq61WtEl9pKY+TluMnEdrhTJJ:4iKY30Thw4LtLjJSgfcgL1b9D4EdXJ
Score

10^/10

gh0strat discovery persistence rat
- Gh0st RAT payload
- Gh0strat
  Gh0st RAT is a remote access tool (RAT) with its source code public and it has been used by multiple Chinese groups.
  rat gh0strat
- Adds Run key to start application
  persistence
- Suspicious use of NtSetInformationThreadHideFromDebugger
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Privilege Escalation

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Defense Evasion

Modify Registry

Credential Access

Discovery

System Location Discovery

System Language Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

gh0stratdiscoverypersistencerat

behavioral2

gh0stratdiscoverypersistencerat

© 2018-2025

Terms | Privacy

We care about your privacy.

This website stores cookies on your computer. These cookies are used to improve your website experience and provide more personalized services to you, both on this website and through other media. To find out more about the cookies we use, see our Privacy Policy.