gh0strat | f5ce0895952056b9ba875d475dc9029a7679fbe69b2430378d476c53b662fcd4

Analysis

max time kernel
17s
max time network
147s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
09/10/2024, 07:27

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

2d354f129cda59fcddf0d30d97db18cf_JaffaCakes118.exe
Size

160KB
MD5

2d354f129cda59fcddf0d30d97db18cf
SHA1

753425f704add5e5712d059ad96dfe9aeea364fd
SHA256

f5ce0895952056b9ba875d475dc9029a7679fbe69b2430378d476c53b662fcd4
SHA512

32aa3a5aeff68001577afaa08daa931e5ff6ca2c9222f5c9c7f64f864c93bcee1cc61dd58dee6831603b3ac4e2c763af61a2f1794217bd27f7592673a1772e62
SSDEEP

3072:XPeqovIp0YFV6icDdqwnnLLKz7OYtc9BorPuZ5KdA/s8jRfR1HU3:/eqoERFV6icDdqwnnPcOwvf8jRfRS3

Score

10^/10

gh0strat discovery rat

Malware Config

Signatures

Gh0st RAT payload 2 IoCs

resource	yara_rule
behavioral2/files/0x000c000000023b31-3.dat	family_gh0strat
behavioral2/files/0x0012000000023a76-11.dat	family_gh0strat

Gh0strat
Gh0st RAT is a remote access tool (RAT) with its source code public and it has been used by multiple Chinese groups.
rat gh0strat

Drops file in Drivers directory 1 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\drivers\gui.sys	2d354f129cda59fcddf0d30d97db18cf_JaffaCakes118.exe

Deletes itself 1 IoCs

pid	Process
2524	svchost.exe

Loads dropped DLL 3 IoCs

pid	Process
1832	2d354f129cda59fcddf0d30d97db18cf_JaffaCakes118.exe
2524	svchost.exe
3768	rundll32.exe

Drops file in System32 directory 2 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\Rnmeqtte.dll	2d354f129cda59fcddf0d30d97db18cf_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\Rnmeqtte.dll	2d354f129cda59fcddf0d30d97db18cf_JaffaCakes118.exe

Drops file in Windows directory 1 IoCs

description	ioc	Process
File created	C:\windows\temp1324500.dll	2d354f129cda59fcddf0d30d97db18cf_JaffaCakes118.exe

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	rundll32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2d354f129cda59fcddf0d30d97db18cf_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2524	svchost.exe
2524	svchost.exe
3768	rundll32.exe
3768	rundll32.exe
3768	rundll32.exe
3768	rundll32.exe
3768	rundll32.exe
3768	rundll32.exe
3768	rundll32.exe
3768	rundll32.exe
3768	rundll32.exe
3768	rundll32.exe
3768	rundll32.exe
3768	rundll32.exe
3768	rundll32.exe
3768	rundll32.exe
3768	rundll32.exe
3768	rundll32.exe
3768	rundll32.exe
3768	rundll32.exe
3768	rundll32.exe
3768	rundll32.exe
3768	rundll32.exe
3768	rundll32.exe
3768	rundll32.exe
3768	rundll32.exe
3768	rundll32.exe
3768	rundll32.exe
3768	rundll32.exe
3768	rundll32.exe
3768	rundll32.exe
3768	rundll32.exe
3768	rundll32.exe
3768	rundll32.exe
3768	rundll32.exe
3768	rundll32.exe
3768	rundll32.exe
3768	rundll32.exe
3768	rundll32.exe
3768	rundll32.exe
3768	rundll32.exe
3768	rundll32.exe
3768	rundll32.exe
3768	rundll32.exe
3768	rundll32.exe
3768	rundll32.exe
3768	rundll32.exe
3768	rundll32.exe
3768	rundll32.exe
3768	rundll32.exe
3768	rundll32.exe
3768	rundll32.exe
3768	rundll32.exe
3768	rundll32.exe
3768	rundll32.exe
3768	rundll32.exe
3768	rundll32.exe
3768	rundll32.exe
3768	rundll32.exe
3768	rundll32.exe
3768	rundll32.exe
3768	rundll32.exe
3768	rundll32.exe
3768	rundll32.exe

Suspicious behavior: LoadsDriver 1 IoCs

pid	Process
656	Process not Found

Suspicious use of AdjustPrivilegeToken 9 IoCs

description	pid	Process
Token: SeBackupPrivilege	1832	2d354f129cda59fcddf0d30d97db18cf_JaffaCakes118.exe
Token: SeRestorePrivilege	1832	2d354f129cda59fcddf0d30d97db18cf_JaffaCakes118.exe
Token: SeBackupPrivilege	1832	2d354f129cda59fcddf0d30d97db18cf_JaffaCakes118.exe
Token: SeRestorePrivilege	1832	2d354f129cda59fcddf0d30d97db18cf_JaffaCakes118.exe
Token: SeBackupPrivilege	1832	2d354f129cda59fcddf0d30d97db18cf_JaffaCakes118.exe
Token: SeRestorePrivilege	1832	2d354f129cda59fcddf0d30d97db18cf_JaffaCakes118.exe
Token: SeBackupPrivilege	1832	2d354f129cda59fcddf0d30d97db18cf_JaffaCakes118.exe
Token: SeRestorePrivilege	1832	2d354f129cda59fcddf0d30d97db18cf_JaffaCakes118.exe
Token: SeDebugPrivilege	2524	svchost.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 2524 wrote to memory of 3768	2524	svchost.exe	87
PID 2524 wrote to memory of 3768	2524	svchost.exe	87
PID 2524 wrote to memory of 3768	2524	svchost.exe	87

C:\Users\Admin\AppData\Local\Temp\2d354f129cda59fcddf0d30d97db18cf_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\2d354f129cda59fcddf0d30d97db18cf_JaffaCakes118.exe"
1⤵
- Drops file in Drivers directory
- Loads dropped DLL
- Drops file in System32 directory
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
PID:1832

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k imgsvc
1⤵
- Deletes itself
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2524
- C:\Windows\SysWOW64\rundll32.exe
  rundll32.exe c:\windows\system32\rnmeqtte.dll wintest
  2⤵
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  PID:3768

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\temp1324500.dll

Filesize
108KB

MD5
9d470571584989e860040f3b21f7f590

SHA1
685177cc8d7b13937d9e0bc36d6e3fc90ed4824d

SHA256
c72c9a98993cc232ec4e96bd9e3ad42710188c8c738044a48e575378a7e61979

SHA512
b08d07c05810ef531a128681a9e00fac34eae0dcaed0b467a7114d82cf4a23ef414cfdd20ee920fce57d8fb2c171db76fa9a870798800b3b52b4dbd747a3a4d9

Download Submit
\??\c:\NT_Path.jpg

Filesize
111B

MD5
2cb9c0306a1964f3de09cb6803c4bdf9

SHA1
230573ca42f09814eba04916ab08c34862fa2b38

SHA256
e998f4f5804b2b0f1a2f5d1d3d87a29d53662d57bb115ba8e5f8c910ee246027

SHA512
d6fe1c224fbdf931966a1568d28f9c80c8ee90b6dcdbd80ab1c3801b29c0db489202c9d09eade49a758d1abe958d15023b8fbccabe5ba05b218bcdbbf8b1369c

Download Submit
\??\c:\windows\SysWOW64\rnmeqtte.dll

Filesize
10.7MB

MD5
08dc5d92b9b453a78f25c6baac2c54ed

SHA1
e7fcc17a8ebf6eec7de4a8548f465bbc2315449a

SHA256
36369630051900d9ff0700222d9393626ea170fd9839fceb90d2b15afa73faa0

SHA512
e39edd70b5773846d512706de9801df8edbf284c890f314757285dd3aa8cb2f99ebf2a597f3b0f4626f3a8f2631a024e733b46c9dfc31c43def000d51f482e1a

Download Submit