gh0strat | c858e10e29b769ca86445ba1bebdf708e88245da4e96c4afc967818e8293e099

Resubmissions

02-01-2025 21:33

250102-1ejbvswpcv 10

08-12-2024 01:12

241208-bkq68azkep 10

Analysis

max time kernel
130s
max time network
132s
platform
windows7_x64
resource
win7-20241023-en
resource tags

arch:x64arch:x86image:win7-20241023-enlocale:en-usos:windows7-x64system
submitted
02-01-2025 21:33

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

bjyk.exe
Size

378KB
MD5

a770ebf2e59e29c7460a01241a0a493f
SHA1

97e59e483e1fa524a305828157a50203e918ada9
SHA256

ca89debe5dff34c2e2f56875d7dcde5e47565329d3aeb2f2f4a6a3e2248fe664
SHA512

4cf99a862fc6e2299e33113bb757dd31a0543c5b5716146de2051fbabe86a122e895a8ced9d4f2290ae82dd9f6093dc883abcb2a6747caa90e8fd46e061f6140
SSDEEP

6144:WsItKnWUQpBTyPRqyhYPbncTBlhHrbndnkv0oX90wRudOl1YTSgux1p2iPtGZ5da:btWUzJq8YPbncT3+bRHfYTSgS21NPE+S

Score

10^/10

gh0strat bootkit discovery persistence rat

Malware Config

Signatures

Gh0st RAT payload 9 IoCs

resource	yara_rule
behavioral9/memory/772-0-0x0000000000400000-0x0000000000432800-memory.dmp	family_gh0strat
behavioral9/memory/772-1-0x0000000000280000-0x00000000002B3000-memory.dmp	family_gh0strat
behavioral9/files/0x000500000001962b-11.dat	family_gh0strat
behavioral9/memory/772-12-0x0000000000280000-0x00000000002B3000-memory.dmp	family_gh0strat
behavioral9/memory/2184-16-0x0000000000400000-0x0000000000432800-memory.dmp	family_gh0strat
behavioral9/memory/772-18-0x0000000000400000-0x0000000000432800-memory.dmp	family_gh0strat
behavioral9/memory/2184-25-0x0000000000400000-0x0000000000432800-memory.dmp	family_gh0strat
behavioral9/files/0x000600000001962f-28.dat	family_gh0strat
behavioral9/memory/2184-32-0x0000000000400000-0x0000000000432800-memory.dmp	family_gh0strat

Gh0strat
Gh0st RAT is a remote access tool (RAT) with its source code public and it has been used by multiple Chinese groups.
rat gh0strat
Gh0strat family
gh0strat

ACProtect 1.3x - 1.4x DLL software 1 IoCs

Detects file using ACProtect software.

resource	yara_rule
behavioral9/files/0x000d0000000122de-5.dat	acprotect

Deletes itself 1 IoCs

pid	Process
2184	cpojoigwyp

Executes dropped EXE 1 IoCs

pid	Process
2184	cpojoigwyp

Loads dropped DLL 4 IoCs

pid	Process
772	bjyk.exe
772	bjyk.exe
2184	cpojoigwyp
2764	svchost.exe

Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs

Bootkits write to the MBR to gain persistence at a level below the operating system.

bootkit persistence

Bootkit

T1542.003

description	ioc	Process
File opened for modification	\??\PhysicalDrive0	svchost.exe

Drops file in System32 directory 2 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\xvixnaommy	svchost.exe
File created	C:\Windows\SysWOW64\xdllpouibn	svchost.exe

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cpojoigwyp
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	bjyk.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	svchost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	svchost.exe

Modifies data under HKEY_USERS 6 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\ActiveMovie	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\ActiveMovie\devenum	svchost.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\ActiveMovie\devenum\Version = "7"	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	svchost.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
2184	cpojoigwyp
2764	svchost.exe
2764	svchost.exe
2764	svchost.exe

Suspicious use of AdjustPrivilegeToken 18 IoCs

description	pid	Process
Token: SeRestorePrivilege	2184	cpojoigwyp
Token: SeBackupPrivilege	2184	cpojoigwyp
Token: SeBackupPrivilege	2184	cpojoigwyp
Token: SeRestorePrivilege	2184	cpojoigwyp
Token: SeBackupPrivilege	2764	svchost.exe
Token: SeRestorePrivilege	2764	svchost.exe
Token: SeBackupPrivilege	2764	svchost.exe
Token: SeBackupPrivilege	2764	svchost.exe
Token: SeSecurityPrivilege	2764	svchost.exe
Token: SeSecurityPrivilege	2764	svchost.exe
Token: SeBackupPrivilege	2764	svchost.exe
Token: SeBackupPrivilege	2764	svchost.exe
Token: SeSecurityPrivilege	2764	svchost.exe
Token: SeBackupPrivilege	2764	svchost.exe
Token: SeBackupPrivilege	2764	svchost.exe
Token: SeSecurityPrivilege	2764	svchost.exe
Token: SeBackupPrivilege	2764	svchost.exe
Token: SeRestorePrivilege	2764	svchost.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
772	bjyk.exe
2184	cpojoigwyp

Suspicious use of WriteProcessMemory 7 IoCs

description	pid	Process	procid_target
PID 772 wrote to memory of 2184	772	bjyk.exe	30
PID 772 wrote to memory of 2184	772	bjyk.exe	30
PID 772 wrote to memory of 2184	772	bjyk.exe	30
PID 772 wrote to memory of 2184	772	bjyk.exe	30
PID 772 wrote to memory of 2184	772	bjyk.exe	30
PID 772 wrote to memory of 2184	772	bjyk.exe	30
PID 772 wrote to memory of 2184	772	bjyk.exe	30

C:\Users\Admin\AppData\Local\Temp\bjyk.exe
"C:\Users\Admin\AppData\Local\Temp\bjyk.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:772
- \??\c:\users\admin\appdata\local\cpojoigwyp
  "C:\Users\Admin\AppData\Local\Temp\bjyk.exe" a -sc:\users\admin\appdata\local\temp\bjyk.exe
  2⤵
  - Deletes itself
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  PID:2184

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k netsvcs
1⤵
- Loads dropped DLL
- Writes to the Master Boot Record (MBR)
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Checks processor information in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2764

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Pre-OS Boot

T1542

Bootkit

T1542.003

Privilege Escalation

Defense Evasion

Pre-OS Boot

T1542

Bootkit

T1542.003

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\??\c:\programdata\drm\%sessionname%\etpgb.cc3

Filesize
22.1MB

MD5
ab0be390c4b7e856709f1cb01a4cc550

SHA1
0654822187561472d9f5301f54df3ba5f0bf872d

SHA256
5a5eb07e382d58cb95f91205dc9d8d5640e53802874ee41ae39028a463bf4d13

SHA512
d33f327f6c365bfc33d865aa2aa848af069123c2cc91fea0d608104002c0bb0dcf3816b46597efa90c3c251feb6c1f0e20b76e37a21c9129bff9b5d87b5d37a1

Download Submit
\Users\Admin\AppData\Local\Temp\srlB3B5.tmp

Filesize
172KB

MD5
4f407b29d53e9eb54e22d096fce82aa7

SHA1
a4ee25b066cac19ff679dd491f5791652bb71185

SHA256
cf0ecf30fc95800a34105acb9bcb484bb594a35b3ef26ace8f122af4f9f888dc

SHA512
325f7b599455195101e4c0dafd3654906d20ed2c1ce2a5f38784635e16ab545df6ee44a83bed6128239be2dee5be110552c7b246b7f52482ab31552e14b54183

Download Submit
\Users\Admin\AppData\Local\cpojoigwyp

Filesize
23.7MB

MD5
c3d8463fb9d05321ec1b445b2b8ccb59

SHA1
c84ee6bc8c29503f06108a029950e6d6459b930f

SHA256
06ddd46d1dddfe35126879dda047cd2b101527533e96bff94f855fc0481dceb9

SHA512
9f5af992b45ede7b65e6dd626c996b2725efc220b5674cdec6c225fc075ee632132abf10e77cf4be9e861410aff3118bc27d74e88f12077f269f7eb4253996b5

Download Submit
memory/772-12-0x0000000000280000-0x00000000002B3000-memory.dmp

Filesize
204KB

Download
memory/772-19-0x0000000000890000-0x0000000000904000-memory.dmp

Filesize
464KB

Download
memory/772-7-0x0000000000890000-0x0000000000904000-memory.dmp

Filesize
464KB

Download
memory/772-8-0x0000000000401000-0x0000000000402000-memory.dmp

Filesize
4KB

Download
memory/772-3-0x0000000000280000-0x00000000002B3000-memory.dmp

Filesize
204KB

Download
memory/772-0-0x0000000000400000-0x0000000000432800-memory.dmp

Filesize
202KB

Download
memory/772-4-0x0000000000280000-0x00000000002B3000-memory.dmp

Filesize
204KB

Download
memory/772-1-0x0000000000280000-0x00000000002B3000-memory.dmp

Filesize
204KB

Download
memory/772-18-0x0000000000400000-0x0000000000432800-memory.dmp

Filesize
202KB

Download
memory/2184-23-0x0000000001E00000-0x0000000001E74000-memory.dmp

Filesize
464KB

Download
memory/2184-25-0x0000000000400000-0x0000000000432800-memory.dmp

Filesize
202KB

Download
memory/2184-16-0x0000000000400000-0x0000000000432800-memory.dmp

Filesize
202KB

Download
memory/2184-32-0x0000000000400000-0x0000000000432800-memory.dmp

Filesize
202KB

Download
memory/2184-31-0x0000000001E00000-0x0000000001E74000-memory.dmp

Filesize
464KB

Download
memory/2764-33-0x00000000001F0000-0x00000000001F1000-memory.dmp

Filesize
4KB

Download