gh0strat | 54c853e55e36974799a679378caf56dba406594ee39e3f3cd62cf55068b60fa4

General

Target

2db1a033d3f0974c71c389be19576620_JaffaCakes118.exe
Size

209KB
MD5

2db1a033d3f0974c71c389be19576620
SHA1

2d33f9ebfe44748a750d6f356125c11712abb13e
SHA256

54c853e55e36974799a679378caf56dba406594ee39e3f3cd62cf55068b60fa4
SHA512

9f73d336df42891278018e64bcf1733cde29d4fee25fcfcb66b5196744c27e44485d2c050ce08a0eca7f830e275917b8d19abe0f8776f81ff3546f34172ab5fd
SSDEEP

3072:3AOFLU1tvzBWHWVKhqvEzO/V1VrNYQkCA+HFSWvF3TBftxnob2AP:3qdWHA9DNYtEHhvF3TBlxnobB

Score

10^/10

Malware Config

Signatures

Gh0st RAT payload 3 IoCs

resource	yara_rule
behavioral2/files/0x000a000000023bed-9.dat	family_gh0strat
behavioral2/memory/2824-12-0x0000000020000000-0x0000000020027000-memory.dmp	family_gh0strat
behavioral2/memory/2824-16-0x0000000020000000-0x0000000020027000-memory.dmp	family_gh0strat

Gh0strat
Gh0st RAT is a remote access tool (RAT) with its source code public and it has been used by multiple Chinese groups.
rat gh0strat

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\International\Geo\Nation	2db1a033d3f0974c71c389be19576620_JaffaCakes118.exe

Loads dropped DLL 1 IoCs

pid	Process
2824	2db1a033d3f0974c71c389be19576620_JaffaCakes118.exe

Drops file in System32 directory 2 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\yjsoft.ini	2db1a033d3f0974c71c389be19576620_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\yjsoft.ini	2db1a033d3f0974c71c389be19576620_JaffaCakes118.exe

Drops file in Windows directory 5 IoCs

description	ioc	Process
File opened for modification	C:\windows\alg.exe	2db1a033d3f0974c71c389be19576620_JaffaCakes118.exe
File created	C:\Windows\Sys.VBS	2db1a033d3f0974c71c389be19576620_JaffaCakes118.exe
File created	C:\WINDOWS\FF13.exe	2db1a033d3f0974c71c389be19576620_JaffaCakes118.exe
File created	C:\WINDOWS\FF12.exe	2db1a033d3f0974c71c389be19576620_JaffaCakes118.exe
File created	C:\windows\alg.exe	2db1a033d3f0974c71c389be19576620_JaffaCakes118.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 1 IoCs

pid	pid_target	Process	procid_target
3520	2824	WerFault.exe	82

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2db1a033d3f0974c71c389be19576620_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000_Classes\Local Settings	2db1a033d3f0974c71c389be19576620_JaffaCakes118.exe

Suspicious behavior: EnumeratesProcesses 6 IoCs

pid	Process
2824	2db1a033d3f0974c71c389be19576620_JaffaCakes118.exe
2824	2db1a033d3f0974c71c389be19576620_JaffaCakes118.exe
2824	2db1a033d3f0974c71c389be19576620_JaffaCakes118.exe
2824	2db1a033d3f0974c71c389be19576620_JaffaCakes118.exe
2824	2db1a033d3f0974c71c389be19576620_JaffaCakes118.exe
2824	2db1a033d3f0974c71c389be19576620_JaffaCakes118.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeBackupPrivilege	2824	2db1a033d3f0974c71c389be19576620_JaffaCakes118.exe
Token: SeRestorePrivilege	2824	2db1a033d3f0974c71c389be19576620_JaffaCakes118.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 2824 wrote to memory of 3456	2824	2db1a033d3f0974c71c389be19576620_JaffaCakes118.exe	85
PID 2824 wrote to memory of 3456	2824	2db1a033d3f0974c71c389be19576620_JaffaCakes118.exe	85
PID 2824 wrote to memory of 3456	2824	2db1a033d3f0974c71c389be19576620_JaffaCakes118.exe	85

C:\Users\Admin\AppData\Local\Temp\2db1a033d3f0974c71c389be19576620_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\2db1a033d3f0974c71c389be19576620_JaffaCakes118.exe"
1⤵
- Checks computer location settings
- Loads dropped DLL
- Drops file in System32 directory
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2824
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Windows\Sys.VBS"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:3456
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 2824 -s 1420
  2⤵
  - Program crash
  PID:3520

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 2824 -ip 2824
1⤵
PID:3096

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\Sys.VBS

Filesize
1KB

MD5
e5baac34de9a9068a0c901392f21efe5

SHA1
77f9cb2be96bfbf4e0eefb27b759faeb13b50b29

SHA256
7fa5d6fb181d48105524c2836db0671faf8454d7236a74b434075ce64b52a7a9

SHA512
dac036e3136abdb14c799b52f91ccfa39699943b980276d563072d63a5bbd5fdf975cdce04f1df832d8a19735231a7ed9a52eddff2b6f2cc47b4b8a1aa62f374

Download Submit
C:\Windows\SysWOW64\yjsoft.ini

Filesize
5.1MB

MD5
e08b681d85836e405d80264fc7bda4ed

SHA1
f700532d309fa436b8d3283c40e4a5c7c023747d

SHA256
f2ba4e50b7aa698069e70d144135b66264c15b4391a4248ec29215f83e46f8cc

SHA512
aaee0fce44f295423b0faef0b58eceb58c2e422dbf6ce4ceb2797f2c44febddc7e5775107a5a0ed6c6273b6f367dcd510dea7df8fd3ff9f19c886d70877eff5b

Download Submit
memory/2824-12-0x0000000020000000-0x0000000020027000-memory.dmp

Filesize
156KB

Download
memory/2824-14-0x0000000003220000-0x0000000003221000-memory.dmp

Filesize
4KB

Download
memory/2824-16-0x0000000020000000-0x0000000020027000-memory.dmp

Filesize
156KB

Download

Analysis

Sharing