gh0strat | c858e10e29b769ca86445ba1bebdf708e88245da4e96c4afc967818e8293e099

Analysis

max time kernel
429s
max time network
1154s
platform
windows11-21h2_x64
resource
win11-20241007-en
resource tags

arch:x64arch:x86image:win11-20241007-enlocale:en-usos:windows11-21h2-x64system
submitted
07-12-2024 18:43

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

bjyk.exe
Size

378KB
MD5

a770ebf2e59e29c7460a01241a0a493f
SHA1

97e59e483e1fa524a305828157a50203e918ada9
SHA256

ca89debe5dff34c2e2f56875d7dcde5e47565329d3aeb2f2f4a6a3e2248fe664
SHA512

4cf99a862fc6e2299e33113bb757dd31a0543c5b5716146de2051fbabe86a122e895a8ced9d4f2290ae82dd9f6093dc883abcb2a6747caa90e8fd46e061f6140
SSDEEP

6144:WsItKnWUQpBTyPRqyhYPbncTBlhHrbndnkv0oX90wRudOl1YTSgux1p2iPtGZ5da:btWUzJq8YPbncT3+bRHfYTSgS21NPE+S

Score

10^/10

gh0strat discovery rat

Malware Config

Signatures

Gh0st RAT payload 10 IoCs

resource	yara_rule
behavioral5/memory/5360-0-0x0000000000400000-0x0000000000432800-memory.dmp	family_gh0strat
behavioral5/files/0x001900000002abd6-12.dat	family_gh0strat
behavioral5/memory/5936-14-0x0000000000400000-0x0000000000432800-memory.dmp	family_gh0strat
behavioral5/memory/5360-17-0x0000000000400000-0x0000000000432800-memory.dmp	family_gh0strat
behavioral5/memory/5936-27-0x0000000000400000-0x0000000000432800-memory.dmp	family_gh0strat
behavioral5/files/0x001a00000002abd8-30.dat	family_gh0strat
behavioral5/memory/5936-33-0x0000000000400000-0x0000000000432800-memory.dmp	family_gh0strat
behavioral5/memory/1696-36-0x0000000020000000-0x0000000020027000-memory.dmp	family_gh0strat
behavioral5/memory/4536-41-0x0000000020000000-0x0000000020027000-memory.dmp	family_gh0strat
behavioral5/memory/5472-46-0x0000000020000000-0x0000000020027000-memory.dmp	family_gh0strat

Gh0strat
Gh0st RAT is a remote access tool (RAT) with its source code public and it has been used by multiple Chinese groups.
rat gh0strat
Gh0strat family
gh0strat

ACProtect 1.3x - 1.4x DLL software 1 IoCs

Detects file using ACProtect software.

resource	yara_rule
behavioral5/files/0x0011000000025aac-2.dat	acprotect

Deletes itself 1 IoCs

pid	Process
5936	jnjcfjifhg

Executes dropped EXE 1 IoCs

pid	Process
5936	jnjcfjifhg

Loads dropped DLL 7 IoCs

pid	Process
5360	bjyk.exe
5360	bjyk.exe
5936	jnjcfjifhg
5936	jnjcfjifhg
1696	svchost.exe
4536	svchost.exe
5472	svchost.exe

Drops file in System32 directory 6 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\awuphukcry	svchost.exe
File opened for modification	C:\Windows\SysWOW64\svchost.exe.txt	svchost.exe
File created	C:\Windows\SysWOW64\afjjpxmaet	svchost.exe
File opened for modification	C:\Windows\SysWOW64\svchost.exe.txt	svchost.exe
File created	C:\Windows\SysWOW64\anwcxbpwrp	svchost.exe
File opened for modification	C:\Windows\SysWOW64\svchost.exe.txt	svchost.exe

Program crash 3 IoCs

pid	pid_target	Process	procid_target
6088	1696	WerFault.exe	78
1176	4536	WerFault.exe	82
4580	5472	WerFault.exe	85

System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	bjyk.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	jnjcfjifhg
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
5936	jnjcfjifhg
5936	jnjcfjifhg

Suspicious use of AdjustPrivilegeToken 46 IoCs

description	pid	Process
Token: SeRestorePrivilege	5936	jnjcfjifhg
Token: SeBackupPrivilege	5936	jnjcfjifhg
Token: SeBackupPrivilege	5936	jnjcfjifhg
Token: SeRestorePrivilege	5936	jnjcfjifhg
Token: SeBackupPrivilege	1696	svchost.exe
Token: SeRestorePrivilege	1696	svchost.exe
Token: SeBackupPrivilege	1696	svchost.exe
Token: SeBackupPrivilege	1696	svchost.exe
Token: SeSecurityPrivilege	1696	svchost.exe
Token: SeSecurityPrivilege	1696	svchost.exe
Token: SeBackupPrivilege	1696	svchost.exe
Token: SeBackupPrivilege	1696	svchost.exe
Token: SeSecurityPrivilege	1696	svchost.exe
Token: SeBackupPrivilege	1696	svchost.exe
Token: SeBackupPrivilege	1696	svchost.exe
Token: SeSecurityPrivilege	1696	svchost.exe
Token: SeBackupPrivilege	1696	svchost.exe
Token: SeRestorePrivilege	1696	svchost.exe
Token: SeBackupPrivilege	4536	svchost.exe
Token: SeRestorePrivilege	4536	svchost.exe
Token: SeBackupPrivilege	4536	svchost.exe
Token: SeBackupPrivilege	4536	svchost.exe
Token: SeSecurityPrivilege	4536	svchost.exe
Token: SeSecurityPrivilege	4536	svchost.exe
Token: SeBackupPrivilege	4536	svchost.exe
Token: SeBackupPrivilege	4536	svchost.exe
Token: SeSecurityPrivilege	4536	svchost.exe
Token: SeBackupPrivilege	4536	svchost.exe
Token: SeBackupPrivilege	4536	svchost.exe
Token: SeSecurityPrivilege	4536	svchost.exe
Token: SeBackupPrivilege	4536	svchost.exe
Token: SeRestorePrivilege	4536	svchost.exe
Token: SeBackupPrivilege	5472	svchost.exe
Token: SeRestorePrivilege	5472	svchost.exe
Token: SeBackupPrivilege	5472	svchost.exe
Token: SeBackupPrivilege	5472	svchost.exe
Token: SeSecurityPrivilege	5472	svchost.exe
Token: SeSecurityPrivilege	5472	svchost.exe
Token: SeBackupPrivilege	5472	svchost.exe
Token: SeBackupPrivilege	5472	svchost.exe
Token: SeSecurityPrivilege	5472	svchost.exe
Token: SeBackupPrivilege	5472	svchost.exe
Token: SeBackupPrivilege	5472	svchost.exe
Token: SeSecurityPrivilege	5472	svchost.exe
Token: SeBackupPrivilege	5472	svchost.exe
Token: SeRestorePrivilege	5472	svchost.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
5360	bjyk.exe
5936	jnjcfjifhg

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 5360 wrote to memory of 5936	5360	bjyk.exe	77
PID 5360 wrote to memory of 5936	5360	bjyk.exe	77
PID 5360 wrote to memory of 5936	5360	bjyk.exe	77

C:\Users\Admin\AppData\Local\Temp\bjyk.exe
"C:\Users\Admin\AppData\Local\Temp\bjyk.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:5360
- \??\c:\users\admin\appdata\local\jnjcfjifhg
  "C:\Users\Admin\AppData\Local\Temp\bjyk.exe" a -sc:\users\admin\appdata\local\temp\bjyk.exe
  2⤵
  - Deletes itself
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  PID:5936

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k netsvcs -s fastuserswitchingcompatibility
1⤵
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
PID:1696
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 1696 -s 900
  2⤵
  - Program crash
  PID:6088

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 436 -p 1696 -ip 1696
1⤵
PID:5540

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k netsvcs -s fastuserswitchingcompatibility
1⤵
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
PID:4536
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 4536 -s 1136
  2⤵
  - Program crash
  PID:1176

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 548 -p 4536 -ip 4536
1⤵
PID:2052

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k netsvcs -s fastuserswitchingcompatibility
1⤵
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
PID:5472
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 5472 -s 1080
  2⤵
  - Program crash
  PID:4580

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 568 -p 5472 -ip 5472
1⤵
PID:4684

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\foi903A.tmp

Filesize
172KB

MD5
4f407b29d53e9eb54e22d096fce82aa7

SHA1
a4ee25b066cac19ff679dd491f5791652bb71185

SHA256
cf0ecf30fc95800a34105acb9bcb484bb594a35b3ef26ace8f122af4f9f888dc

SHA512
325f7b599455195101e4c0dafd3654906d20ed2c1ce2a5f38784635e16ab545df6ee44a83bed6128239be2dee5be110552c7b246b7f52482ab31552e14b54183

Download Submit
C:\Users\Admin\AppData\Local\jnjcfjifhg

Filesize
23.0MB

MD5
80a94e1cbefc8aec2d2e12e529360c96

SHA1
6023259335ef17afbb1e6559ab8d86dd625a9e10

SHA256
065425c2565cd89a1700bdfc6025573e148b416b57d4f0047bb3e0a68d19a3a4

SHA512
d8c3412d9108a2fdbfd4e42b38de4858c0a6565562599fd0a90949734d6fb71ca1431fc30e6d9b274cc9364cfb3933842d20ba61c135bf186b862065e0d3f298

Download Submit
C:\Windows\SysWOW64\svchost.exe.txt

Filesize
200B

MD5
19a606d0d02ad08f66f6783550c86640

SHA1
0cb011a99c696ca80a0cb8c09739279ad96b4403

SHA256
d8206ec6e1692a5f751767abae6b4750d9271de914ad73338c694c791c677ee6

SHA512
fc4d7079e8c97223b10725edd7ec2d4998b9dd743ec3ae1b8e16551286f8e1b97281d69df5fa28f618bded9a8d7a018e7fbe5b480b353772a5b26493f00e983a

Download Submit
C:\Windows\SysWOW64\svchost.exe.txt

Filesize
300B

MD5
2b9c0708448e312e893095af8964ecf2

SHA1
c0f77d0c774043cebaf6ee47db977cf0ccb1cf8e

SHA256
db7f82ec4ee167a7b030856af21c8a1dc870b8f75182924e67918faa60ff029f

SHA512
2a97e7e55dbcbddc0af7b86c41ef8e7368e7854ddae6b0b6936f4604aeba33205a85d71f4718603b259098bb08c31e032d31141926990d0978d091ea66637ee8

Download Submit
\??\c:\programdata\drm\%sessionname%\wylpn.cc3

Filesize
22.1MB

MD5
9789844457c403ea9a5494c034817215

SHA1
f24fb6d2508e147328cc6568c2983d0a505b5c71

SHA256
5fdc3f0216168c04ffcf1661165ce25c7bce8db8a3f70096af1fe8b43e9d9bb8

SHA512
280b1fc68bad7dd8cde5c1f21d6f021d5fba01d444b53917946bacf9288b8c7abc20cebc694af99ad3c0ba56e50e7e5a45de582ca25923a9827583e0275d44ee

Download Submit
memory/1696-34-0x00000000013F0000-0x00000000013F1000-memory.dmp

Filesize
4KB

Download
memory/1696-36-0x0000000020000000-0x0000000020027000-memory.dmp

Filesize
156KB

Download
memory/4536-38-0x00000000015E0000-0x00000000015E1000-memory.dmp

Filesize
4KB

Download
memory/4536-41-0x0000000020000000-0x0000000020027000-memory.dmp

Filesize
156KB

Download
memory/5360-18-0x0000000002050000-0x00000000020C4000-memory.dmp

Filesize
464KB

Download
memory/5360-17-0x0000000000400000-0x0000000000432800-memory.dmp

Filesize
202KB

Download
memory/5360-8-0x0000000002050000-0x00000000020C4000-memory.dmp

Filesize
464KB

Download
memory/5360-9-0x0000000000401000-0x0000000000402000-memory.dmp

Filesize
4KB

Download
memory/5360-7-0x0000000002050000-0x00000000020C4000-memory.dmp

Filesize
464KB

Download
memory/5360-0-0x0000000000400000-0x0000000000432800-memory.dmp

Filesize
202KB

Download
memory/5472-46-0x0000000020000000-0x0000000020027000-memory.dmp

Filesize
156KB

Download
memory/5472-43-0x00000000014D0000-0x00000000014D1000-memory.dmp

Filesize
4KB

Download
memory/5936-27-0x0000000000400000-0x0000000000432800-memory.dmp

Filesize
202KB

Download
memory/5936-32-0x0000000002170000-0x00000000021E4000-memory.dmp

Filesize
464KB

Download
memory/5936-33-0x0000000000400000-0x0000000000432800-memory.dmp

Filesize
202KB

Download
memory/5936-26-0x0000000002170000-0x00000000021E4000-memory.dmp

Filesize
464KB

Download
memory/5936-14-0x0000000000400000-0x0000000000432800-memory.dmp

Filesize
202KB

Download
memory/5936-25-0x0000000002170000-0x00000000021E4000-memory.dmp

Filesize
464KB

Download