gh0strat | a2a74686807129742e697809fed5039dea1c39fbe67937b4dbbc05e7d8689349

General

Target

04de241d2401096de384b5a9b0f537d4_JaffaCakes118.exe
Size

192KB
MD5

04de241d2401096de384b5a9b0f537d4
SHA1

fe62f4ed6d3da1ec108c9cddf345b54b6b5a9786
SHA256

a2a74686807129742e697809fed5039dea1c39fbe67937b4dbbc05e7d8689349
SHA512

f7e232a6c0c6c84d85452c80f6770a35b0bb8a579e4c5f8c31a7559b9dcf8443498f4c58884d2f36fd399c8aaa5fdecdbecc86c36bbf611594b5c47be339f058
SSDEEP

3072:oH3ZmFh0Nvq3lbXtsVGja6G+UYy2Fw+hCHSmfcsUXURnpGpMXTee33r31csiH0:oHpmFh0Nvq3lbXtSCGIy26+0wxUREGXi

Score

10^/10

gh0strat bootkit discovery persistence rat

Malware Config

Signatures

Gh0st RAT payload 1 IoCs

resource	yara_rule
behavioral1/files/0x0009000000016d2e-11.dat	family_gh0strat

Gh0strat
Gh0st RAT is a remote access tool (RAT) with its source code public and it has been used by multiple Chinese groups.
rat gh0strat

Deletes itself 1 IoCs

pid	Process
1984	eudhbvttss

Executes dropped EXE 1 IoCs

pid	Process
1984	eudhbvttss

Loads dropped DLL 3 IoCs

pid	Process
2332	04de241d2401096de384b5a9b0f537d4_JaffaCakes118.exe
2332	04de241d2401096de384b5a9b0f537d4_JaffaCakes118.exe
2004	svchost.exe

Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs

Bootkits write to the MBR to gain persistence at a level below the operating system.

bootkit persistence

Bootkit

T1542.003

description	ioc	Process
File opened for modification	\??\PhysicalDrive0	svchost.exe

Drops file in System32 directory 1 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\ducposifea	svchost.exe

Drops file in Program Files directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Program Files (x86)\NetMeeting\%SESSIONNAME%\ghttd.cc3	eudhbvttss

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	04de241d2401096de384b5a9b0f537d4_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	eudhbvttss
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	svchost.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	svchost.exe

Modifies data under HKEY_USERS 6 IoCs

description	ioc	Process
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\ActiveMovie\devenum\Version = "7"	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\ActiveMovie	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\ActiveMovie\devenum	svchost.exe

Suspicious behavior: EnumeratesProcesses 3 IoCs

pid	Process
2004	svchost.exe
2004	svchost.exe
2004	svchost.exe

Suspicious use of AdjustPrivilegeToken 18 IoCs

description	pid	Process
Token: SeRestorePrivilege	1984	eudhbvttss
Token: SeBackupPrivilege	1984	eudhbvttss
Token: SeBackupPrivilege	1984	eudhbvttss
Token: SeRestorePrivilege	1984	eudhbvttss
Token: SeBackupPrivilege	2004	svchost.exe
Token: SeRestorePrivilege	2004	svchost.exe
Token: SeBackupPrivilege	2004	svchost.exe
Token: SeBackupPrivilege	2004	svchost.exe
Token: SeSecurityPrivilege	2004	svchost.exe
Token: SeSecurityPrivilege	2004	svchost.exe
Token: SeBackupPrivilege	2004	svchost.exe
Token: SeBackupPrivilege	2004	svchost.exe
Token: SeSecurityPrivilege	2004	svchost.exe
Token: SeBackupPrivilege	2004	svchost.exe
Token: SeBackupPrivilege	2004	svchost.exe
Token: SeSecurityPrivilege	2004	svchost.exe
Token: SeBackupPrivilege	2004	svchost.exe
Token: SeRestorePrivilege	2004	svchost.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 2332 wrote to memory of 1984	2332	04de241d2401096de384b5a9b0f537d4_JaffaCakes118.exe	31
PID 2332 wrote to memory of 1984	2332	04de241d2401096de384b5a9b0f537d4_JaffaCakes118.exe	31
PID 2332 wrote to memory of 1984	2332	04de241d2401096de384b5a9b0f537d4_JaffaCakes118.exe	31
PID 2332 wrote to memory of 1984	2332	04de241d2401096de384b5a9b0f537d4_JaffaCakes118.exe	31

C:\Users\Admin\AppData\Local\Temp\04de241d2401096de384b5a9b0f537d4_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\04de241d2401096de384b5a9b0f537d4_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2332
- \??\c:\users\admin\appdata\local\eudhbvttss
  "C:\Users\Admin\AppData\Local\Temp\04de241d2401096de384b5a9b0f537d4_JaffaCakes118.exe"a -sc:\users\admin\appdata\local\temp\04de241d2401096de384b5a9b0f537d4_jaffacakes118.exe
  2⤵
  - Deletes itself
  - Executes dropped EXE
  - Drops file in Program Files directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  PID:1984

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k netsvcs
1⤵
- Loads dropped DLL
- Writes to the Master Boot Record (MBR)
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Checks processor information in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2004

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Pre-OS Boot

1

T1542

Bootkit

1

T1542.003

Privilege Escalation

Defense Evasion

Pre-OS Boot

1

T1542

Bootkit

1

T1542.003

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\??\c:\program files (x86)\netmeeting\%sessionname%\ghttd.cc3

Filesize
19.0MB

MD5
7ed780300f0f25e22e6f8fb64c87a5a9

SHA1
928e6b35f895fb7703a777bb3417478bba517265

SHA256
76ae26cc6182616d1e4e3fb04f375e3f4d8c73132723091a60b52bb43a56538e

SHA512
465c37e00df46dd059edd8af370fcbc8121d72b41a4754295169453fee33aecfb0388ab70d1cdebf1e7537ccb5f089122ae8b943469d28c1506fbd9c64badd9d

Download Submit
\Users\Admin\AppData\Local\eudhbvttss

Filesize
23.6MB

MD5
1aa116db48f142db803967b6a97ff6f8

SHA1
1244f67148e2909401fb7b0db3eaf726726a2f05

SHA256
b9b0e5dfc2ed433c63352f12c5ac241f49f48122a1896b695451734abd9848b1

SHA512
34595525825f1ae9687bfa4ded2558282f86041f3476c1424dab7ca348cda6f908b541d762a1fe28290bbaf61569a35ceaf18db98624c1d7a7be2d69cc09fa3d

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads