gh0strat | 124a1a8e3dfa4abf78c2c075a0ccf7e529a6c3c6bdbc858c276b9a14dc2b2e10

Analysis

max time kernel
143s
max time network
121s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
12/10/2024, 10:24

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

3984623ed01fc37f0238e925c77242cd_JaffaCakes118.exe
Size

156KB
MD5

3984623ed01fc37f0238e925c77242cd
SHA1

0fdca681ac8a03e3ff5095573861145ba7067521
SHA256

124a1a8e3dfa4abf78c2c075a0ccf7e529a6c3c6bdbc858c276b9a14dc2b2e10
SHA512

79c2b45654bd9c878af13b0de3cf90858348c17f28684ee8f720c533b4eda9ba2ba9823ff2f621ae240277f23b9670f02e2cbccb2db74cb6b3b3d0b136e2327f
SSDEEP

3072:4kS6en6kwScY9QEe4tVK5DbFFGZDOaKvWx8z+QQMCOWkTYz:4kCpw2e4tVwD/GZDOaHx86QQM1Ti

Score

10^/10

gh0strat bootkit discovery persistence rat

Malware Config

Signatures

Gh0st RAT payload 6 IoCs

resource	yara_rule
behavioral1/files/0x00070000000120fe-4.dat	family_gh0strat
behavioral1/files/0x0006000000019228-24.dat	family_gh0strat
behavioral1/memory/2452-26-0x0000000020000000-0x0000000020027000-memory.dmp	family_gh0strat
behavioral1/memory/2352-43-0x0000000020000000-0x0000000020027000-memory.dmp	family_gh0strat
behavioral1/memory/2452-47-0x0000000020000000-0x0000000020027000-memory.dmp	family_gh0strat
behavioral1/memory/2352-49-0x0000000020000000-0x0000000020027000-memory.dmp	family_gh0strat

Gh0strat
Gh0st RAT is a remote access tool (RAT) with its source code public and it has been used by multiple Chinese groups.
rat gh0strat

Executes dropped EXE 6 IoCs

pid	Process
2452	Winsafe.exe
2724	Read.exe
2352	Sys.exe
848	Read.exe
1636	Sys.exe
1220	Sys.exe

Loads dropped DLL 4 IoCs

pid	Process
2328	3984623ed01fc37f0238e925c77242cd_JaffaCakes118.exe
2328	3984623ed01fc37f0238e925c77242cd_JaffaCakes118.exe
2452	Winsafe.exe
2352	Sys.exe

Writes to the Master Boot Record (MBR) 1 TTPs 2 IoCs

Bootkits write to the MBR to gain persistence at a level below the operating system.

bootkit persistence

Bootkit

T1542.003

description	ioc	Process
File opened for modification	\??\PhysicalDrive0	Winsafe.exe
File opened for modification	\??\PhysicalDrive0	Sys.exe

Drops file in System32 directory 5 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\yjsoft.ini	Winsafe.exe
File created	C:\Windows\SysWOW64\yjsoft.ini	Sys.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Temp\FWOAEANZGM.vbs	Read.exe
File created	C:\Windows\SysWOW64\wcntxfjywx	Sys.exe
File created	C:\Windows\SysWOW64\wdeifevtdb	Sys.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 9 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Read.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wscript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Read.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wscript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Sys.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	3984623ed01fc37f0238e925c77242cd_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Winsafe.exe

Checks processor information in registry 2 TTPs 4 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	Sys.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	Sys.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	Winsafe.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	Winsafe.exe

Kills process with taskkill 2 IoCs

evasion

pid	Process
2272	taskkill.exe
664	taskkill.exe

Modifies data under HKEY_USERS 24 IoCs

description	ioc	Process
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{35786D3C-B075-49B9-88DD-029876E11C01} {ADD8BA80-002B-11D0-8F0F-00C04FD7D062} 0xFFFF = 0100000000000000a0ae771d911cdb01	scrcons.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "1"	scrcons.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	wscript.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	wscript.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft	Sys.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\ActiveMovie\devenum	Sys.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	scrcons.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft	scrcons.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows Script\Settings	scrcons.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows Script Host\Settings	wscript.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum	Sys.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\ActiveMovie	Sys.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows Script\Settings	scrcons.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows Script	scrcons.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows Script\Settings\JITDebug = "0"	scrcons.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	scrcons.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows Script Host	wscript.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows Script Host\Settings	wscript.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	Sys.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\ActiveMovie\devenum\Version = "7"	Sys.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached	scrcons.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{B155BDF8-02F0-451E-9A26-AE317CFD7779} {ADD8BA80-002B-11D0-8F0F-00C04FD7D062} 0xFFFF = 0100000000000000a0ae771d911cdb01	scrcons.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "0"	scrcons.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft	wscript.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
2452	Winsafe.exe
2452	Winsafe.exe
2352	Sys.exe
2352	Sys.exe

Suspicious use of AdjustPrivilegeToken 16 IoCs

description	pid	Process
Token: SeDebugPrivilege	2272	taskkill.exe
Token: SeBackupPrivilege	2452	Winsafe.exe
Token: SeRestorePrivilege	2452	Winsafe.exe
Token: SeBackupPrivilege	2452	Winsafe.exe
Token: SeRestorePrivilege	2452	Winsafe.exe
Token: SeBackupPrivilege	2452	Winsafe.exe
Token: SeRestorePrivilege	2452	Winsafe.exe
Token: SeBackupPrivilege	2452	Winsafe.exe
Token: SeRestorePrivilege	2452	Winsafe.exe
Token: SeBackupPrivilege	2452	Winsafe.exe
Token: SeRestorePrivilege	2452	Winsafe.exe
Token: SeDebugPrivilege	664	taskkill.exe
Token: SeBackupPrivilege	2352	Sys.exe
Token: SeRestorePrivilege	2352	Sys.exe
Token: SeBackupPrivilege	2352	Sys.exe
Token: SeRestorePrivilege	2352	Sys.exe

Suspicious use of WriteProcessMemory 40 IoCs

description	pid	Process	procid_target
PID 2328 wrote to memory of 2452	2328	3984623ed01fc37f0238e925c77242cd_JaffaCakes118.exe	30
PID 2328 wrote to memory of 2452	2328	3984623ed01fc37f0238e925c77242cd_JaffaCakes118.exe	30
PID 2328 wrote to memory of 2452	2328	3984623ed01fc37f0238e925c77242cd_JaffaCakes118.exe	30
PID 2328 wrote to memory of 2452	2328	3984623ed01fc37f0238e925c77242cd_JaffaCakes118.exe	30
PID 2452 wrote to memory of 2272	2452	Winsafe.exe	31
PID 2452 wrote to memory of 2272	2452	Winsafe.exe	31
PID 2452 wrote to memory of 2272	2452	Winsafe.exe	31
PID 2452 wrote to memory of 2272	2452	Winsafe.exe	31
PID 2452 wrote to memory of 2724	2452	Winsafe.exe	34
PID 2452 wrote to memory of 2724	2452	Winsafe.exe	34
PID 2452 wrote to memory of 2724	2452	Winsafe.exe	34
PID 2452 wrote to memory of 2724	2452	Winsafe.exe	34
PID 2724 wrote to memory of 2712	2724	Read.exe	35
PID 2724 wrote to memory of 2712	2724	Read.exe	35
PID 2724 wrote to memory of 2712	2724	Read.exe	35
PID 2724 wrote to memory of 2712	2724	Read.exe	35
PID 1988 wrote to memory of 2352	1988	scrcons.exe	38
PID 1988 wrote to memory of 2352	1988	scrcons.exe	38
PID 1988 wrote to memory of 2352	1988	scrcons.exe	38
PID 1988 wrote to memory of 2352	1988	scrcons.exe	38
PID 2352 wrote to memory of 664	2352	Sys.exe	39
PID 2352 wrote to memory of 664	2352	Sys.exe	39
PID 2352 wrote to memory of 664	2352	Sys.exe	39
PID 2352 wrote to memory of 664	2352	Sys.exe	39
PID 2352 wrote to memory of 848	2352	Sys.exe	41
PID 2352 wrote to memory of 848	2352	Sys.exe	41
PID 2352 wrote to memory of 848	2352	Sys.exe	41
PID 2352 wrote to memory of 848	2352	Sys.exe	41
PID 848 wrote to memory of 1732	848	Read.exe	42
PID 848 wrote to memory of 1732	848	Read.exe	42
PID 848 wrote to memory of 1732	848	Read.exe	42
PID 848 wrote to memory of 1732	848	Read.exe	42
PID 1988 wrote to memory of 1636	1988	scrcons.exe	43
PID 1988 wrote to memory of 1636	1988	scrcons.exe	43
PID 1988 wrote to memory of 1636	1988	scrcons.exe	43
PID 1988 wrote to memory of 1636	1988	scrcons.exe	43
PID 1988 wrote to memory of 1220	1988	scrcons.exe	44
PID 1988 wrote to memory of 1220	1988	scrcons.exe	44
PID 1988 wrote to memory of 1220	1988	scrcons.exe	44
PID 1988 wrote to memory of 1220	1988	scrcons.exe	44

C:\Users\Admin\AppData\Local\Temp\3984623ed01fc37f0238e925c77242cd_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\3984623ed01fc37f0238e925c77242cd_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2328
- C:\Users\Admin\AppData\Local\Temp\Winsafe.exe
  "C:\Users\Admin\AppData\Local\Temp\Winsafe.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Writes to the Master Boot Record (MBR)
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Checks processor information in registry
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2452
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im KSafeTray.exe
    3⤵
    - System Location Discovery: System Language Discovery
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:2272
- - C:\Read.exe
    C:\Read.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2724
  - - C:\Windows\SysWOW64\wscript.exe
      wscript.exe //B "C:\Users\Admin\AppData\Local\Temp\LFNKBLJWAO.vbs"
      4⤵
      System Location Discovery: System Language Discovery
      PID:2712

C:\Windows\system32\wbem\scrcons.exe
C:\Windows\system32\wbem\scrcons.exe -Embedding
1⤵
- Modifies data under HKEY_USERS
- Suspicious use of WriteProcessMemory
PID:1988
- C:\Windows\Temp\Sys.exe
  "C:\Windows\Temp\Sys.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Writes to the Master Boot Record (MBR)
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Checks processor information in registry
  - Modifies data under HKEY_USERS
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2352
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im KSafeTray.exe
    3⤵
    - System Location Discovery: System Language Discovery
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:664
- - C:\Read.exe
    C:\Read.exe
    3⤵
    - Executes dropped EXE
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:848
  - - C:\Windows\SysWOW64\wscript.exe
      wscript.exe //B "C:\Windows\system32\config\systemprofile\AppData\Local\Temp\FWOAEANZGM.vbs"
      4⤵
      System Location Discovery: System Language Discovery
      Modifies data under HKEY_USERS
      PID:1732
- C:\Windows\Temp\Sys.exe
  "C:\Windows\Temp\Sys.exe"
  2⤵
  - Executes dropped EXE
  PID:1636
- C:\Windows\Temp\Sys.exe
  "C:\Windows\Temp\Sys.exe"
  2⤵
  - Executes dropped EXE
  PID:1220

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Pre-OS Boot

T1542

Bootkit

T1542.003

Privilege Escalation

Defense Evasion

Pre-OS Boot

T1542

Bootkit

T1542.003

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Read.exe

Filesize
22.4MB

MD5
488f085116c12adbf2a5c24e394910f8

SHA1
d61fbc8c58f8a8275d1a0171d4bc7ed05a76aca8

SHA256
26c32df76a9448c94df83563426969acc89fd28ea0c0a8fe86cde7d0e220ba0c

SHA512
2d6069f4213726a5ec96b4bdcc319ef061c32b447d9a9b1ec995b785c24fbf6246869d4b281a223598ae0315caff16a5cb32c63116b2e6709a095ed0953e8993

Download Submit
C:\Users\Admin\AppData\Local\Temp\LFNKBLJWAO.vbs

Filesize
1KB

MD5
162da6dc7fecc9b007e65d473815100f

SHA1
333337b297e0e4c7c4b8cc3ddce145e61f3bf69f

SHA256
914d973e8438fe000181535dfab6e2a58077f883979bf47e5fe1b70684fd6d9e

SHA512
d4e0487b8985f8103e358b0f826f6b723fa67e9fe21fae8c8cf06df88a6b95f5151b58756169bcad868f2b060ca5b313a8e7704eff9d5c4d527c891d808f3868

Download Submit
\Users\Admin\AppData\Local\Temp\Winsafe.exe

Filesize
44.9MB

MD5
b84c18db26b58e60d92c6f6dc0c7c314

SHA1
a0f65c475063a20b9cecd142c40daee5dd6e5570

SHA256
fdaae273d212e73917d799f4cc4085b9c49a4219f175baaaa4ebffcd9ddd9fa6

SHA512
be6204198be4fa9a0e530935cb5b7dcf6fe233ffe7ca6c07d9ba8e49c8a8e2c165135dc40548ae49aef0f3fabc20d3a6aec575323397f923271b6354c96fe7d0

Download Submit
\Windows\SysWOW64\yjsoft.ini

Filesize
22.4MB

MD5
7989f3682aae1ab49003d04643d40ec7

SHA1
70ecd20acd035ad83de8a0afba69b5ff225b2550

SHA256
9530891e9a41557b3b9ac16170938f8d4ec6629afaf2e3d73af5278ac0cb36c8

SHA512
853aea3085cad19ce90275acecfa68f3495dc181a2b6ed34f4d89bbe9691a34cd661a3d739989e391776e02173f52417424b1a75d22e0b9c2d1d21738bc446bf

Download Submit
memory/2328-12-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2328-0-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2328-1-0x0000000000020000-0x0000000000023000-memory.dmp

Filesize
12KB

Download
memory/2352-43-0x0000000020000000-0x0000000020027000-memory.dmp

Filesize
156KB

Download
memory/2352-48-0x0000000000260000-0x0000000000261000-memory.dmp

Filesize
4KB

Download
memory/2352-49-0x0000000020000000-0x0000000020027000-memory.dmp

Filesize
156KB

Download
memory/2452-26-0x0000000020000000-0x0000000020027000-memory.dmp

Filesize
156KB

Download
memory/2452-29-0x00000000002C0000-0x00000000002C1000-memory.dmp

Filesize
4KB

Download
memory/2452-47-0x0000000020000000-0x0000000020027000-memory.dmp

Filesize
156KB

Download