gh0strat | f5ce0895952056b9ba875d475dc9029a7679fbe69b2430378d476c53b662fcd4

Analysis

max time kernel
22s
max time network
121s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
09/10/2024, 07:27

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2d354f129cda59fcddf0d30d97db18cf_JaffaCakes118.exe
Size

160KB
MD5

2d354f129cda59fcddf0d30d97db18cf
SHA1

753425f704add5e5712d059ad96dfe9aeea364fd
SHA256

f5ce0895952056b9ba875d475dc9029a7679fbe69b2430378d476c53b662fcd4
SHA512

32aa3a5aeff68001577afaa08daa931e5ff6ca2c9222f5c9c7f64f864c93bcee1cc61dd58dee6831603b3ac4e2c763af61a2f1794217bd27f7592673a1772e62
SSDEEP

3072:XPeqovIp0YFV6icDdqwnnLLKz7OYtc9BorPuZ5KdA/s8jRfR1HU3:/eqoERFV6icDdqwnnPcOwvf8jRfRS3

Score

10^/10

gh0strat discovery rat

Malware Config

Signatures

Gh0st RAT payload 3 IoCs

resource	yara_rule
behavioral1/files/0x0008000000004ed7-6.dat	family_gh0strat
behavioral1/files/0x000b000000012259-11.dat	family_gh0strat
behavioral1/memory/988-12-0x0000000010000000-0x000000001001C000-memory.dmp	family_gh0strat

Gh0strat
Gh0st RAT is a remote access tool (RAT) with its source code public and it has been used by multiple Chinese groups.
rat gh0strat

Drops file in Drivers directory 1 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\drivers\gui.sys	2d354f129cda59fcddf0d30d97db18cf_JaffaCakes118.exe

Deletes itself 1 IoCs

pid	Process
2812	svchost.exe

Loads dropped DLL 5 IoCs

pid	Process
2812	svchost.exe
2804	rundll32.exe
2804	rundll32.exe
2804	rundll32.exe
2804	rundll32.exe

Drops file in System32 directory 2 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\Rnmeqtte.dll	2d354f129cda59fcddf0d30d97db18cf_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\Rnmeqtte.dll	2d354f129cda59fcddf0d30d97db18cf_JaffaCakes118.exe

Drops file in Windows directory 1 IoCs

description	ioc	Process
File created	C:\windows\temp482000.dll	2d354f129cda59fcddf0d30d97db18cf_JaffaCakes118.exe

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2d354f129cda59fcddf0d30d97db18cf_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	rundll32.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2812	svchost.exe
2804	rundll32.exe
2804	rundll32.exe
2804	rundll32.exe
2804	rundll32.exe
2804	rundll32.exe
2804	rundll32.exe
2804	rundll32.exe
2804	rundll32.exe
2804	rundll32.exe
2804	rundll32.exe
2804	rundll32.exe
2804	rundll32.exe
2804	rundll32.exe
2804	rundll32.exe
2804	rundll32.exe
2804	rundll32.exe
2804	rundll32.exe
2804	rundll32.exe
2804	rundll32.exe
2804	rundll32.exe
2804	rundll32.exe
2804	rundll32.exe
2804	rundll32.exe
2804	rundll32.exe
2804	rundll32.exe
2804	rundll32.exe
2804	rundll32.exe
2804	rundll32.exe
2804	rundll32.exe
2804	rundll32.exe
2804	rundll32.exe
2804	rundll32.exe
2804	rundll32.exe
2804	rundll32.exe
2804	rundll32.exe
2804	rundll32.exe
2804	rundll32.exe
2804	rundll32.exe
2804	rundll32.exe
2804	rundll32.exe
2804	rundll32.exe
2804	rundll32.exe
2804	rundll32.exe
2804	rundll32.exe
2804	rundll32.exe
2804	rundll32.exe
2804	rundll32.exe
2804	rundll32.exe
2804	rundll32.exe
2804	rundll32.exe
2804	rundll32.exe
2804	rundll32.exe
2804	rundll32.exe
2804	rundll32.exe
2804	rundll32.exe
2804	rundll32.exe
2804	rundll32.exe
2804	rundll32.exe
2804	rundll32.exe
2804	rundll32.exe
2804	rundll32.exe
2804	rundll32.exe
2804	rundll32.exe

Suspicious behavior: LoadsDriver 1 IoCs

pid	Process
476	Process not Found

Suspicious use of AdjustPrivilegeToken 9 IoCs

description	pid	Process
Token: SeBackupPrivilege	988	2d354f129cda59fcddf0d30d97db18cf_JaffaCakes118.exe
Token: SeRestorePrivilege	988	2d354f129cda59fcddf0d30d97db18cf_JaffaCakes118.exe
Token: SeBackupPrivilege	988	2d354f129cda59fcddf0d30d97db18cf_JaffaCakes118.exe
Token: SeRestorePrivilege	988	2d354f129cda59fcddf0d30d97db18cf_JaffaCakes118.exe
Token: SeBackupPrivilege	988	2d354f129cda59fcddf0d30d97db18cf_JaffaCakes118.exe
Token: SeRestorePrivilege	988	2d354f129cda59fcddf0d30d97db18cf_JaffaCakes118.exe
Token: SeBackupPrivilege	988	2d354f129cda59fcddf0d30d97db18cf_JaffaCakes118.exe
Token: SeRestorePrivilege	988	2d354f129cda59fcddf0d30d97db18cf_JaffaCakes118.exe
Token: SeDebugPrivilege	2812	svchost.exe

Suspicious use of WriteProcessMemory 7 IoCs

description	pid	Process	procid_target
PID 2812 wrote to memory of 2804	2812	svchost.exe	32
PID 2812 wrote to memory of 2804	2812	svchost.exe	32
PID 2812 wrote to memory of 2804	2812	svchost.exe	32
PID 2812 wrote to memory of 2804	2812	svchost.exe	32
PID 2812 wrote to memory of 2804	2812	svchost.exe	32
PID 2812 wrote to memory of 2804	2812	svchost.exe	32
PID 2812 wrote to memory of 2804	2812	svchost.exe	32

C:\Users\Admin\AppData\Local\Temp\2d354f129cda59fcddf0d30d97db18cf_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\2d354f129cda59fcddf0d30d97db18cf_JaffaCakes118.exe"
1⤵
- Drops file in Drivers directory
- Drops file in System32 directory
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
PID:988

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k imgsvc
1⤵
- Deletes itself
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2812
- C:\Windows\SysWOW64\rundll32.exe
  rundll32.exe c:\windows\system32\rnmeqtte.dll wintest
  2⤵
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  PID:2804

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Rnmeqtte.dll

Filesize
2.7MB

MD5
68001155095ef32b0abfabfcc37768e4

SHA1
7d87bd2f4e03a315bff7e78a5d4a704a902fc1b9

SHA256
19f30b9768dc191f8d980d831551903bde5490b394f2c4026f340d8555d7f461

SHA512
0de0a63fca0816378c11944c4870e638ef3228a5f9e80c02565c1cb5249038fdfcdb9c1c2dc7e78107745b6ac0570c69a8224681a435ae1b21ebcff264f82f40

Download Submit
C:\windows\temp482000.dll

Filesize
108KB

MD5
9d470571584989e860040f3b21f7f590

SHA1
685177cc8d7b13937d9e0bc36d6e3fc90ed4824d

SHA256
c72c9a98993cc232ec4e96bd9e3ad42710188c8c738044a48e575378a7e61979

SHA512
b08d07c05810ef531a128681a9e00fac34eae0dcaed0b467a7114d82cf4a23ef414cfdd20ee920fce57d8fb2c171db76fa9a870798800b3b52b4dbd747a3a4d9

Download Submit
\??\c:\NT_Path.jpg

Filesize
110B

MD5
c65efa37c21e0f5a0f9113d8a7acf18d

SHA1
809fab58207cb4c6ba8d8d10cd4be53a44eec04f

SHA256
bc7d8d621a4dbcc371374e962904cb91f13bafc5962e0f7de41472ccb1f768b4

SHA512
f6a80704eb2ae2a2ebb60a4bc7e6b5a09df8140c49910aa16e8ccfe60ef7c38f155257be656780b6d4e9ac7659c76e6f277b91ce599f0c087210f98826677054

Download Submit
memory/988-12-0x0000000010000000-0x000000001001C000-memory.dmp

Filesize
112KB

Download