gh0strat | e0d62485b5250ab63c4c802a409181a2031e3d2c2a7ba47ef48acfd12ea70ff1

Analysis

max time kernel
121s
max time network
122s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
09/10/2024, 01:42

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

289a6da47bae0e135fadb98818eac301_JaffaCakes118.exe
Size

192KB
MD5

289a6da47bae0e135fadb98818eac301
SHA1

c6768e4ef401fcd33e4baa7f9f896f1f8957db57
SHA256

e0d62485b5250ab63c4c802a409181a2031e3d2c2a7ba47ef48acfd12ea70ff1
SHA512

d66e0649dab97f28b49ff7eec488dd95b6638632f41bda9001b3e6b42d05e9e337d45b7309f238abc43c80be8fcd96bd4ff0bf47bf32c377c29a484f127bb21d
SSDEEP

3072:OQk3DH+bK+snWjvUJfQA3f2CaxQpLlLOdnHmvJR8oIUqtY7Ovih0iT0b:OQkTH+bpsnWjvo/v2lQpUHmrlH6

Score

10^/10

gh0strat discovery rat

Malware Config

Signatures

Gh0st RAT payload 1 IoCs

resource	yara_rule
behavioral1/files/0x000c000000012263-2.dat	family_gh0strat

Gh0strat
Gh0st RAT is a remote access tool (RAT) with its source code public and it has been used by multiple Chinese groups.
rat gh0strat

Loads dropped DLL 3 IoCs

pid	Process
2520	svchost.exe
2068	svchost.exe
1492	svchost.exe

Drops file in System32 directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\vbjmq.cc3	289a6da47bae0e135fadb98818eac301_JaffaCakes118.exe

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	289a6da47bae0e135fadb98818eac301_JaffaCakes118.exe

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
828	289a6da47bae0e135fadb98818eac301_JaffaCakes118.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

description	pid	Process
Token: SeRestorePrivilege	828	289a6da47bae0e135fadb98818eac301_JaffaCakes118.exe
Token: SeBackupPrivilege	828	289a6da47bae0e135fadb98818eac301_JaffaCakes118.exe
Token: SeBackupPrivilege	828	289a6da47bae0e135fadb98818eac301_JaffaCakes118.exe
Token: SeRestorePrivilege	828	289a6da47bae0e135fadb98818eac301_JaffaCakes118.exe

C:\Users\Admin\AppData\Local\Temp\289a6da47bae0e135fadb98818eac301_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\289a6da47bae0e135fadb98818eac301_JaffaCakes118.exe"
1⤵
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:828

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k netsvcs
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:2520

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k netsvcs
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:2068

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k netsvcs
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:1492

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k regsvc
1⤵
PID:2832

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\??\c:\windows\SysWOW64\vbjmq.cc3

Filesize
22.0MB

MD5
19c75da08c7c5b12ff8548a0c01a7aa5

SHA1
7f6684f160199c3ad1c11e8dad557398de38aeb0

SHA256
7b615c8a2e59709bdf42e34def5e24b91544eec2583ba1ef92440a025581d9ed

SHA512
3b194455cc349ab0512139f0229b5c8fc535bacc049cf4ede3c6a3b332ceb51f7e1a373c641068d0a73df52a8ee482cb8af390e6c7b14210a43db79b40dde482

Download Submit