gh0strat | 165fa9f7e043f744549831cd58108c820af3a362acbae42f0818b3158a80aed9

Analysis

max time kernel
92s
max time network
94s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
03-10-2024 14:16

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

0f19d97e2959bf5a4b8d649b3e632400_JaffaCakes118.exe
Size

96KB
MD5

0f19d97e2959bf5a4b8d649b3e632400
SHA1

b279203b32e209aee15633fd8bc5e9b1db3ee182
SHA256

165fa9f7e043f744549831cd58108c820af3a362acbae42f0818b3158a80aed9
SHA512

7b17cc7f3c52c19b16769626b5694754593423832a52fb644ebeeded58ba4630c1e5a2f91181ca6a687d7267d5f5e836a3679be0a00a7a89baa01900459a6351
SSDEEP

1536:iIFusSx9qYMhdFHS8qdydo3nTzhYxJA+CwNUtBZVY9v8prCsEotChLDW:iaS4jHS8q/3nTzePCwNUh4E9CsEoOLa

Score

10^/10

gh0strat discovery rat

Malware Config

Signatures

Gh0st RAT payload 5 IoCs

resource	yara_rule
behavioral2/files/0x0008000000023464-15.dat	family_gh0strat
behavioral2/memory/4064-17-0x0000000000400000-0x000000000044E318-memory.dmp	family_gh0strat
behavioral2/memory/2984-20-0x0000000020000000-0x0000000020027000-memory.dmp	family_gh0strat
behavioral2/memory/1204-25-0x0000000020000000-0x0000000020027000-memory.dmp	family_gh0strat
behavioral2/memory/2472-30-0x0000000020000000-0x0000000020027000-memory.dmp	family_gh0strat

Gh0strat
Gh0st RAT is a remote access tool (RAT) with its source code public and it has been used by multiple Chinese groups.
rat gh0strat

Deletes itself 1 IoCs

pid	Process
4064	mfwhmecdfd

Executes dropped EXE 1 IoCs

pid	Process
4064	mfwhmecdfd

Loads dropped DLL 3 IoCs

pid	Process
2984	svchost.exe
1204	svchost.exe
2472	svchost.exe

Drops file in System32 directory 6 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\svchost.exe.txt	svchost.exe
File created	C:\Windows\SysWOW64\teqwxneaml	svchost.exe
File opened for modification	C:\Windows\SysWOW64\svchost.exe.txt	svchost.exe
File created	C:\Windows\SysWOW64\tvcepkbcyp	svchost.exe
File opened for modification	C:\Windows\SysWOW64\svchost.exe.txt	svchost.exe
File created	C:\Windows\SysWOW64\tvcepkbcyp	svchost.exe

Program crash 3 IoCs

pid	pid_target	Process	procid_target
372	2984	WerFault.exe	83
1608	1204	WerFault.exe	91
2532	2472	WerFault.exe	94

System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	0f19d97e2959bf5a4b8d649b3e632400_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mfwhmecdfd

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
4064	mfwhmecdfd
4064	mfwhmecdfd

Suspicious use of AdjustPrivilegeToken 46 IoCs

description	pid	Process
Token: SeRestorePrivilege	4064	mfwhmecdfd
Token: SeBackupPrivilege	4064	mfwhmecdfd
Token: SeBackupPrivilege	4064	mfwhmecdfd
Token: SeRestorePrivilege	4064	mfwhmecdfd
Token: SeBackupPrivilege	2984	svchost.exe
Token: SeRestorePrivilege	2984	svchost.exe
Token: SeBackupPrivilege	2984	svchost.exe
Token: SeBackupPrivilege	2984	svchost.exe
Token: SeSecurityPrivilege	2984	svchost.exe
Token: SeSecurityPrivilege	2984	svchost.exe
Token: SeBackupPrivilege	2984	svchost.exe
Token: SeBackupPrivilege	2984	svchost.exe
Token: SeSecurityPrivilege	2984	svchost.exe
Token: SeBackupPrivilege	2984	svchost.exe
Token: SeBackupPrivilege	2984	svchost.exe
Token: SeSecurityPrivilege	2984	svchost.exe
Token: SeBackupPrivilege	2984	svchost.exe
Token: SeRestorePrivilege	2984	svchost.exe
Token: SeBackupPrivilege	1204	svchost.exe
Token: SeRestorePrivilege	1204	svchost.exe
Token: SeBackupPrivilege	1204	svchost.exe
Token: SeBackupPrivilege	1204	svchost.exe
Token: SeSecurityPrivilege	1204	svchost.exe
Token: SeSecurityPrivilege	1204	svchost.exe
Token: SeBackupPrivilege	1204	svchost.exe
Token: SeBackupPrivilege	1204	svchost.exe
Token: SeSecurityPrivilege	1204	svchost.exe
Token: SeBackupPrivilege	1204	svchost.exe
Token: SeBackupPrivilege	1204	svchost.exe
Token: SeSecurityPrivilege	1204	svchost.exe
Token: SeBackupPrivilege	1204	svchost.exe
Token: SeRestorePrivilege	1204	svchost.exe
Token: SeBackupPrivilege	2472	svchost.exe
Token: SeRestorePrivilege	2472	svchost.exe
Token: SeBackupPrivilege	2472	svchost.exe
Token: SeBackupPrivilege	2472	svchost.exe
Token: SeSecurityPrivilege	2472	svchost.exe
Token: SeSecurityPrivilege	2472	svchost.exe
Token: SeBackupPrivilege	2472	svchost.exe
Token: SeBackupPrivilege	2472	svchost.exe
Token: SeSecurityPrivilege	2472	svchost.exe
Token: SeBackupPrivilege	2472	svchost.exe
Token: SeBackupPrivilege	2472	svchost.exe
Token: SeSecurityPrivilege	2472	svchost.exe
Token: SeBackupPrivilege	2472	svchost.exe
Token: SeRestorePrivilege	2472	svchost.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 3432 wrote to memory of 4064	3432	0f19d97e2959bf5a4b8d649b3e632400_JaffaCakes118.exe	82
PID 3432 wrote to memory of 4064	3432	0f19d97e2959bf5a4b8d649b3e632400_JaffaCakes118.exe	82
PID 3432 wrote to memory of 4064	3432	0f19d97e2959bf5a4b8d649b3e632400_JaffaCakes118.exe	82

C:\Users\Admin\AppData\Local\Temp\0f19d97e2959bf5a4b8d649b3e632400_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\0f19d97e2959bf5a4b8d649b3e632400_JaffaCakes118.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3432
- \??\c:\users\admin\appdata\local\mfwhmecdfd
  "C:\Users\Admin\AppData\Local\Temp\0f19d97e2959bf5a4b8d649b3e632400_JaffaCakes118.exe" a -sc:\users\admin\appdata\local\temp\0f19d97e2959bf5a4b8d649b3e632400_jaffacakes118.exe
  2⤵
  - Deletes itself
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:4064

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k netsvcs -s fastuserswitchingcompatibility
1⤵
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
PID:2984
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 2984 -s 1084
  2⤵
  - Program crash
  PID:372

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 2984 -ip 2984
1⤵
PID:1716

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k netsvcs -s fastuserswitchingcompatibility
1⤵
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
PID:1204
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 1204 -s 1084
  2⤵
  - Program crash
  PID:1608

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 448 -p 1204 -ip 1204
1⤵
PID:4732

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k netsvcs -s fastuserswitchingcompatibility
1⤵
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
PID:2472
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 2472 -s 868
  2⤵
  - Program crash
  PID:2532

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 472 -p 2472 -ip 2472
1⤵
PID:4408

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\mfwhmecdfd

Filesize
24.9MB

MD5
b63bacf78dda9c9a963a96e4aed69b6c

SHA1
a2c9675d6443a4f25de27503f6e5f75bdfdae0e8

SHA256
93e422cc2cdc0d5cc517fe0239909f8f2fbfaafc2864c80db436fbeccb99aa6b

SHA512
0a4fac7d71f3e00172a6597668455f8b3ec88bef213314208ebcf3c6d1c03436eae1028c2338a09eda4e6d353aa725b3ed910c0d3a414d498f178e2b7844e483

Download Submit
C:\Windows\SysWOW64\svchost.exe.txt

Filesize
204B

MD5
f06b1029b1fc0d4a68754daeb854f4bd

SHA1
8e987591523eda437669964a64224a79edf404e2

SHA256
a3869302ccd6e342987db2bbb73d8abc11415541bd7042d22779ec383f232672

SHA512
11915cd922d68e4094dd9de69d8214ee479f3dd8124849c7f4f63067544c511d011191e450b89bfb8e867f24cca6d698f7faed4645901e90881511f0eef09672

Download Submit
C:\Windows\SysWOW64\svchost.exe.txt

Filesize
306B

MD5
e757c2f0f16e4c3a712ed78f1b0b13ee

SHA1
4fc9b27d71a0ebad5185e888fc4a6861195b384f

SHA256
2f21746f7ba5b1e54e731cfcc021cfaba29311346fd07a475b97cb65d9ec63c5

SHA512
5a52228c3e46ac4ed11136ef6af3172001d9d9d4633b7ad7c6aca3a4d2bf8d21a698ace1dc4735cc6c54deed06f6a005e428886ccf8c9bd22a5640b75bf5f62b

Download Submit
\??\c:\programdata\application data\storm\update\%sessionname%\jnkmh.cc3

Filesize
21.0MB

MD5
343e7f967fc33ad8d6334906c0aa6561

SHA1
88ce8c402ece714af5f9a232a9fef286769fe6c4

SHA256
9bd5fbcb5b843c7242316c37eaab4546a36351c786d9ae8486dbb87ae0c17ba2

SHA512
60bf34a73310c1601957635af4a7475d485ea1bd1056b7ced057c1c44ca6274fd04624ec0d04ec274170834a82d4e81affb41b34f6c6658a03fafd04937238b7

Download Submit
memory/1204-22-0x00000000019A0000-0x00000000019A1000-memory.dmp

Filesize
4KB

Download
memory/1204-25-0x0000000020000000-0x0000000020027000-memory.dmp

Filesize
156KB

Download
memory/2472-30-0x0000000020000000-0x0000000020027000-memory.dmp

Filesize
156KB

Download
memory/2472-27-0x00000000019F0000-0x00000000019F1000-memory.dmp

Filesize
4KB

Download
memory/2984-18-0x0000000001BF0000-0x0000000001BF1000-memory.dmp

Filesize
4KB

Download
memory/2984-20-0x0000000020000000-0x0000000020027000-memory.dmp

Filesize
156KB

Download
memory/3432-0-0x0000000000400000-0x000000000044E318-memory.dmp

Filesize
312KB

Download
memory/3432-9-0x0000000000400000-0x000000000044E318-memory.dmp

Filesize
312KB

Download
memory/3432-2-0x00000000001D0000-0x00000000001D1000-memory.dmp

Filesize
4KB

Download
memory/4064-17-0x0000000000400000-0x000000000044E318-memory.dmp

Filesize
312KB

Download
memory/4064-12-0x00000000001D0000-0x00000000001D1000-memory.dmp

Filesize
4KB

Download
memory/4064-7-0x0000000000400000-0x000000000044E318-memory.dmp

Filesize
312KB

Download