gh0strat | 2f0bb0f52ed12e5d5dde9f7d58b60127e746042cb22977c8cc9564847b103abc

General

Target

JaffaCakes118_3b2360db7674e3bfe3a686d04604ad0f.exe
Size

148KB
MD5

3b2360db7674e3bfe3a686d04604ad0f
SHA1

6f55f067b20b0215a2993bc81e71b8430bffca19
SHA256

2f0bb0f52ed12e5d5dde9f7d58b60127e746042cb22977c8cc9564847b103abc
SHA512

c1afe3a06a8c063d72336acd88d3c65ad836cde11181550fb6c69653eba117781e0b522574390b34e95782bb374dd0b638059c606f42ce88b5f634cdf7e4fd33
SSDEEP

1536:fU0wUo8NDMwgc4IDcrkcfC8ALLQRrap3BFyrlGWMIKYYO8vT:808kMw6IDMk+C8ALCrtrlGbIKdO8vT

Score

10^/10

Malware Config

Signatures

Gh0st RAT payload 1 IoCs

resource	yara_rule
behavioral1/memory/772-0-0x0000000000400000-0x0000000000426000-memory.dmp	family_gh0strat

Gh0strat
Gh0st RAT is a remote access tool (RAT) with its source code public and it has been used by multiple Chinese groups.
rat gh0strat
Gh0strat family
gh0strat

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\:\Program Files\Common Files\svchost.exe 202512721841.exe = "C:\\Program Files\\Common Files\\svchost.exe 202512721841.exe"	JaffaCakes118_3b2360db7674e3bfe3a686d04604ad0f.exe

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_3b2360db7674e3bfe3a686d04604ad0f.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe 202512721841.exe

Kills process with taskkill 2 IoCs

defense_evasion

pid	Process
2480	taskkill.exe
1036	taskkill.exe

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
772	JaffaCakes118_3b2360db7674e3bfe3a686d04604ad0f.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	1036	taskkill.exe
Token: SeDebugPrivilege	2480	taskkill.exe

Suspicious use of WriteProcessMemory 21 IoCs

description	pid	Process	procid_target
PID 772 wrote to memory of 1036	772	JaffaCakes118_3b2360db7674e3bfe3a686d04604ad0f.exe	30
PID 772 wrote to memory of 1036	772	JaffaCakes118_3b2360db7674e3bfe3a686d04604ad0f.exe	30
PID 772 wrote to memory of 1036	772	JaffaCakes118_3b2360db7674e3bfe3a686d04604ad0f.exe	30
PID 772 wrote to memory of 1036	772	JaffaCakes118_3b2360db7674e3bfe3a686d04604ad0f.exe	30
PID 772 wrote to memory of 1036	772	JaffaCakes118_3b2360db7674e3bfe3a686d04604ad0f.exe	30
PID 772 wrote to memory of 1036	772	JaffaCakes118_3b2360db7674e3bfe3a686d04604ad0f.exe	30
PID 772 wrote to memory of 1036	772	JaffaCakes118_3b2360db7674e3bfe3a686d04604ad0f.exe	30
PID 772 wrote to memory of 2452	772	JaffaCakes118_3b2360db7674e3bfe3a686d04604ad0f.exe	31
PID 772 wrote to memory of 2452	772	JaffaCakes118_3b2360db7674e3bfe3a686d04604ad0f.exe	31
PID 772 wrote to memory of 2452	772	JaffaCakes118_3b2360db7674e3bfe3a686d04604ad0f.exe	31
PID 772 wrote to memory of 2452	772	JaffaCakes118_3b2360db7674e3bfe3a686d04604ad0f.exe	31
PID 772 wrote to memory of 2452	772	JaffaCakes118_3b2360db7674e3bfe3a686d04604ad0f.exe	31
PID 772 wrote to memory of 2452	772	JaffaCakes118_3b2360db7674e3bfe3a686d04604ad0f.exe	31
PID 772 wrote to memory of 2452	772	JaffaCakes118_3b2360db7674e3bfe3a686d04604ad0f.exe	31
PID 2452 wrote to memory of 2480	2452	svchost.exe 202512721841.exe	33
PID 2452 wrote to memory of 2480	2452	svchost.exe 202512721841.exe	33
PID 2452 wrote to memory of 2480	2452	svchost.exe 202512721841.exe	33
PID 2452 wrote to memory of 2480	2452	svchost.exe 202512721841.exe	33
PID 2452 wrote to memory of 2480	2452	svchost.exe 202512721841.exe	33
PID 2452 wrote to memory of 2480	2452	svchost.exe 202512721841.exe	33
PID 2452 wrote to memory of 2480	2452	svchost.exe 202512721841.exe	33

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_3b2360db7674e3bfe3a686d04604ad0f.exe
"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_3b2360db7674e3bfe3a686d04604ad0f.exe"
1⤵
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious behavior: RenamesItself
- Suspicious use of WriteProcessMemory
PID:772
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /f /im Ksafetray.exe
  2⤵
  - System Location Discovery: System Language Discovery
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:1036
- C:\Program Files\Common Files\svchost.exe 202512721841.exe
  "C:\Program Files\Common Files\svchost.exe 202512721841.exe"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2452
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im Ksafetray.exe
    3⤵
    - System Location Discovery: System Language Discovery
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:2480