gh0strat | a24b4269996bde42ff6757d2308c3a5f513e372a580d28e1c2df39c241f1170d | Triage

Submit
Reports

Overview

overview

Static

static

3

90dea7c6b1...18.exe

windows7-x64

90dea7c6b1...18.exe

windows10-2004-x64

Sharing

General

Target

90dea7c6b1edc5515d7e638748ef407e_JaffaCakes118
Size

95KB
Sample

241123-1smlfaylaw
MD5

90dea7c6b1edc5515d7e638748ef407e
SHA1

2b2b9ecc061b1cc6f7acb38ca2c301bcc7c4cbc6
SHA256

a24b4269996bde42ff6757d2308c3a5f513e372a580d28e1c2df39c241f1170d
SHA512

a792636c7b0286d960c7f7cbd4dff5f622b1f8cffbb1bfeab5b1c2017cb3721a5b4b24277fb891ab00ffb0665e2e5e2c3292ee122dab5f60533482954d763623
SSDEEP

1536:cxEEoFusSx9qYMhdFHS8qdydo3nTzhYxJA+CwNUtBZVY9v8prvORvMN7:ceE6S4jHS8q/3nTzePCwNUh4E9vAvMN7

Score

10^/10

gh0strat bootkit discovery persistence rat

Static task

static1

1 signatures

Behavioral task

behavioral1

Sample

90dea7c6b1edc5515d7e638748ef407e_JaffaCakes118.exe

Resource

win7-20240708-en

gh0strat bootkit discovery persistence rat

windows7-x64

14 signatures

150 seconds

Behavioral task

behavioral2

Sample

90dea7c6b1edc5515d7e638748ef407e_JaffaCakes118.exe

Resource

win10v2004-20241007-en

gh0strat discovery rat

windows10-2004-x64

12 signatures

150 seconds

Malware Config

Targets

- Target
  
  90dea7c6b1edc5515d7e638748ef407e_JaffaCakes118
- Size
  
  95KB
- MD5
  
  90dea7c6b1edc5515d7e638748ef407e
- SHA1
  
  2b2b9ecc061b1cc6f7acb38ca2c301bcc7c4cbc6
- SHA256
  
  a24b4269996bde42ff6757d2308c3a5f513e372a580d28e1c2df39c241f1170d
- SHA512
  
  a792636c7b0286d960c7f7cbd4dff5f622b1f8cffbb1bfeab5b1c2017cb3721a5b4b24277fb891ab00ffb0665e2e5e2c3292ee122dab5f60533482954d763623
- SSDEEP
  
  1536:cxEEoFusSx9qYMhdFHS8qdydo3nTzhYxJA+CwNUtBZVY9v8prvORvMN7:ceE6S4jHS8q/3nTzePCwNUh4E9vAvMN7
Score

10^/10

gh0strat bootkit discovery persistence rat
- Gh0st RAT payload
- Gh0strat
  Gh0st RAT is a remote access tool (RAT) with its source code public and it has been used by multiple Chinese groups.
  rat gh0strat
- Gh0strat family
  gh0strat
- Deletes itself
- Executes dropped EXE
- Loads dropped DLL
- Writes to the Master Boot Record (MBR)
  Bootkits write to the MBR to gain persistence at a level below the operating system.
  bootkit persistence
- Drops file in System32 directory
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Pre-OS Boot

Bootkit

Privilege Escalation

Defense Evasion

Pre-OS Boot

Bootkit

Credential Access

Discovery

Query Registry

System Information Discovery

System Location Discovery

System Language Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

gh0stratbootkitdiscoverypersistencerat

behavioral2

gh0stratdiscoveryrat

© 2018-2025

Terms | Privacy