gh0strat | b32ce1531038d6b392e33559c2aa94a85e5e61f28250b345b975ba7ffd8d5b42

General

Target

826c4d86531418cca11fd164773523f5_JaffaCakes118.exe
Size

154KB
MD5

826c4d86531418cca11fd164773523f5
SHA1

c170116f252c66e024dfb344558c646be6ef4c28
SHA256

b32ce1531038d6b392e33559c2aa94a85e5e61f28250b345b975ba7ffd8d5b42
SHA512

8a392b2bd1d01b107498407b4d29cbd718bde6c73b53cad4f5f11351ee9a784f7ad64683d79246d4f46b5940a6221bec12286c931fb18a65f4fd09f12b90ed21
SSDEEP

3072:z1Diqfc//////eFIea2wTBILNmJ2NdmM42nj/+sWaPVFsNY0a/LZClX:zgsc//////eFtTNmOoMZRWiTZClX

Score

10^/10

gh0strat aspackv2 discovery persistence rat

Malware Config

Signatures

Gh0st RAT payload 3 IoCs

resource	yara_rule
behavioral2/files/0x000b000000023c26-4.dat	family_gh0strat
behavioral2/memory/4004-7-0x0000000000400000-0x000000000041C000-memory.dmp	family_gh0strat
behavioral2/memory/4004-15-0x0000000000400000-0x000000000041C000-memory.dmp	family_gh0strat

Gh0strat
Gh0st RAT is a remote access tool (RAT) with its source code public and it has been used by multiple Chinese groups.
rat gh0strat
Gh0strat family
gh0strat

Server Software Component: Terminal Services DLL 1 TTPs 1 IoCs

persistence

Terminal Services DLL

T1505.005

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\FastUserSwitchingCompatibility\Parameters\ServiceDll = "C:\\Windows\\system32\\FastUserSwitchingCompatibility32.dll"	server.exe

ASPack v2.12-2.42 1 IoCs

Detects executables packed with ASPack v2.12-2.42

aspackv2

resource	yara_rule
behavioral2/files/0x0007000000023cbc-8.dat	aspack_v212_v242

Executes dropped EXE 2 IoCs

pid	Process
4004	server.exe
1124	·´ÎÄ¼þÀ¦°óÆ÷.exe

System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	·´ÎÄ¼þÀ¦°óÆ÷.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	826c4d86531418cca11fd164773523f5_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	server.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
1124	·´ÎÄ¼þÀ¦°óÆ÷.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 2612 wrote to memory of 1348	2612	826c4d86531418cca11fd164773523f5_JaffaCakes118.exe	86
PID 2612 wrote to memory of 1348	2612	826c4d86531418cca11fd164773523f5_JaffaCakes118.exe	86
PID 2612 wrote to memory of 1348	2612	826c4d86531418cca11fd164773523f5_JaffaCakes118.exe	86
PID 2612 wrote to memory of 4908	2612	826c4d86531418cca11fd164773523f5_JaffaCakes118.exe	87
PID 2612 wrote to memory of 4908	2612	826c4d86531418cca11fd164773523f5_JaffaCakes118.exe	87
PID 2612 wrote to memory of 4908	2612	826c4d86531418cca11fd164773523f5_JaffaCakes118.exe	87
PID 1348 wrote to memory of 4004	1348	cmd.exe	90
PID 1348 wrote to memory of 4004	1348	cmd.exe	90
PID 1348 wrote to memory of 4004	1348	cmd.exe	90
PID 4908 wrote to memory of 1124	4908	cmd.exe	91
PID 4908 wrote to memory of 1124	4908	cmd.exe	91
PID 4908 wrote to memory of 1124	4908	cmd.exe	91

C:\Users\Admin\AppData\Local\Temp\826c4d86531418cca11fd164773523f5_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\826c4d86531418cca11fd164773523f5_JaffaCakes118.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2612
- C:\Windows\SysWOW64\cmd.exe
  cmd /c "C:\Users\Admin\AppData\Local\Temp\server.exe"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:1348
- - C:\Users\Admin\AppData\Local\Temp\server.exe
    C:\Users\Admin\AppData\Local\Temp\server.exe
    3⤵
    - Server Software Component: Terminal Services DLL
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:4004
- C:\Windows\SysWOW64\cmd.exe
  cmd /c "C:\Users\Admin\AppData\Local\Temp\·´ÎÄ¼þÀ¦°óÆ÷.exe"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:4908
- - C:\Users\Admin\AppData\Local\Temp\·´ÎÄ¼þÀ¦°óÆ÷.exe
    C:\Users\Admin\AppData\Local\Temp\·´ÎÄ¼þÀ¦°óÆ÷.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    PID:1124

C:\Windows\System32\svchost.exe
C:\Windows\\System32\\svchost.exe -k netsvcs -s FastUserSwitchingCompatibility
1⤵
PID:5084

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Server Software Component

1

T1505

Terminal Services DLL

1

T1505.005

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\server.exe

Filesize
105KB

MD5
dacd4df35fab16e75e84fd2f39a0046c

SHA1
9a5e5bb4cc48d32aa5adbecf606bd651886ea14f

SHA256
542711ebed1cc57d0bd902cee0bd499a6affd32a4d1c7ad30e0c3c0f8b3617dd

SHA512
53dd2ff86a0e59d2cc311a70f140643af7f0d50ec013b0dfa0d28aca2936332bae4132bd257d11978e10a36f5b0befe3c881db1829514005ad67dea3b1addd8d

Download Submit
C:\Users\Admin\AppData\Local\Temp\·´ÎÄ¼þÀ¦°óÆ÷.exe

Filesize
15KB

MD5
106983e7db3e9a76aa55c4c7956179ee

SHA1
c3e8cd4d0c3339835a2ac6cc7c7a4d4e3dba00ff

SHA256
80b7380e88e61217f30f81766f360db52f5ba9dbb8bda0271ec817f1331a60d2

SHA512
ba6b8ce944ab8c315d395ad60c00d5831a3d1b4bbbbe297e90cafb0a5ef31e919d3b7dff5d417c3cb827d98bc5f4ad630acea9789d80f1bc5b8357e366fd1f63

Download Submit
memory/1124-9-0x0000000000400000-0x000000000040A000-memory.dmp

Filesize
40KB

Download
memory/1124-16-0x0000000000400000-0x000000000040A000-memory.dmp

Filesize
40KB

Download
memory/2612-2-0x0000000000400000-0x000000000042D000-memory.dmp

Filesize
180KB

Download
memory/4004-7-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/4004-15-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download

Analysis

Sharing