gh0strat | 2f62aefa2a42dbc2649608ef226f32b3e974b4a03017d5edb14fc9301d3dce39

Analysis

max time kernel
96s
max time network
152s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
27-01-2025 03:40

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

JaffaCakes118_3baa02971bb069ea3f0bc558ef894602.exe
Size

96KB
MD5

3baa02971bb069ea3f0bc558ef894602
SHA1

28353f617a95e7b911df6206c183f9446196fac9
SHA256

2f62aefa2a42dbc2649608ef226f32b3e974b4a03017d5edb14fc9301d3dce39
SHA512

133a984b190c4f996782a1d69cf5e2112a2ab6fb732077fc2b907ac7249add4112a68f40b7190aa08fa2316d90b5f3e880c052d36535cb18d27d558b71527c5b
SSDEEP

1536:0iFusSx9qYMhdFHS8qdydo3nTzhYxJA+CwNUtBZVY9v8prnKlekv4gdYA:0IS4jHS8q/3nTzePCwNUh4E9n1K4gdB

Score

10^/10

gh0strat discovery rat

Malware Config

Signatures

Gh0st RAT payload 5 IoCs

resource	yara_rule
behavioral2/files/0x0008000000023cbc-15.dat	family_gh0strat
behavioral2/memory/4056-17-0x0000000000400000-0x000000000044E35C-memory.dmp	family_gh0strat
behavioral2/memory/640-20-0x0000000020000000-0x0000000020027000-memory.dmp	family_gh0strat
behavioral2/memory/2156-25-0x0000000020000000-0x0000000020027000-memory.dmp	family_gh0strat
behavioral2/memory/1496-30-0x0000000020000000-0x0000000020027000-memory.dmp	family_gh0strat

Gh0strat
Gh0st RAT is a remote access tool (RAT) with its source code public and it has been used by multiple Chinese groups.
rat gh0strat
Gh0strat family
gh0strat

Deletes itself 1 IoCs

pid	Process
4056	dcovgvoedo

Executes dropped EXE 1 IoCs

pid	Process
4056	dcovgvoedo

Loads dropped DLL 3 IoCs

pid	Process
640	svchost.exe
2156	svchost.exe
1496	svchost.exe

Drops file in System32 directory 6 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\tprhbqtocf	svchost.exe
File opened for modification	C:\Windows\SysWOW64\svchost.exe.txt	svchost.exe
File created	C:\Windows\SysWOW64\tyfbjtwmoa	svchost.exe
File opened for modification	C:\Windows\SysWOW64\svchost.exe.txt	svchost.exe
File created	C:\Windows\SysWOW64\thttrwykcv	svchost.exe
File opened for modification	C:\Windows\SysWOW64\svchost.exe.txt	svchost.exe

Program crash 3 IoCs

pid	pid_target	Process	procid_target
3524	640	WerFault.exe	83
3676	2156	WerFault.exe	87
5024	1496	WerFault.exe	90

System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_3baa02971bb069ea3f0bc558ef894602.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	dcovgvoedo
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
4056	dcovgvoedo
4056	dcovgvoedo

Suspicious use of AdjustPrivilegeToken 46 IoCs

description	pid	Process
Token: SeRestorePrivilege	4056	dcovgvoedo
Token: SeBackupPrivilege	4056	dcovgvoedo
Token: SeBackupPrivilege	4056	dcovgvoedo
Token: SeRestorePrivilege	4056	dcovgvoedo
Token: SeBackupPrivilege	640	svchost.exe
Token: SeRestorePrivilege	640	svchost.exe
Token: SeBackupPrivilege	640	svchost.exe
Token: SeBackupPrivilege	640	svchost.exe
Token: SeSecurityPrivilege	640	svchost.exe
Token: SeSecurityPrivilege	640	svchost.exe
Token: SeBackupPrivilege	640	svchost.exe
Token: SeBackupPrivilege	640	svchost.exe
Token: SeSecurityPrivilege	640	svchost.exe
Token: SeBackupPrivilege	640	svchost.exe
Token: SeBackupPrivilege	640	svchost.exe
Token: SeSecurityPrivilege	640	svchost.exe
Token: SeBackupPrivilege	640	svchost.exe
Token: SeRestorePrivilege	640	svchost.exe
Token: SeBackupPrivilege	2156	svchost.exe
Token: SeRestorePrivilege	2156	svchost.exe
Token: SeBackupPrivilege	2156	svchost.exe
Token: SeBackupPrivilege	2156	svchost.exe
Token: SeSecurityPrivilege	2156	svchost.exe
Token: SeSecurityPrivilege	2156	svchost.exe
Token: SeBackupPrivilege	2156	svchost.exe
Token: SeBackupPrivilege	2156	svchost.exe
Token: SeSecurityPrivilege	2156	svchost.exe
Token: SeBackupPrivilege	2156	svchost.exe
Token: SeBackupPrivilege	2156	svchost.exe
Token: SeSecurityPrivilege	2156	svchost.exe
Token: SeBackupPrivilege	2156	svchost.exe
Token: SeRestorePrivilege	2156	svchost.exe
Token: SeBackupPrivilege	1496	svchost.exe
Token: SeRestorePrivilege	1496	svchost.exe
Token: SeBackupPrivilege	1496	svchost.exe
Token: SeBackupPrivilege	1496	svchost.exe
Token: SeSecurityPrivilege	1496	svchost.exe
Token: SeSecurityPrivilege	1496	svchost.exe
Token: SeBackupPrivilege	1496	svchost.exe
Token: SeBackupPrivilege	1496	svchost.exe
Token: SeSecurityPrivilege	1496	svchost.exe
Token: SeBackupPrivilege	1496	svchost.exe
Token: SeBackupPrivilege	1496	svchost.exe
Token: SeSecurityPrivilege	1496	svchost.exe
Token: SeBackupPrivilege	1496	svchost.exe
Token: SeRestorePrivilege	1496	svchost.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 2060 wrote to memory of 4056	2060	JaffaCakes118_3baa02971bb069ea3f0bc558ef894602.exe	82
PID 2060 wrote to memory of 4056	2060	JaffaCakes118_3baa02971bb069ea3f0bc558ef894602.exe	82
PID 2060 wrote to memory of 4056	2060	JaffaCakes118_3baa02971bb069ea3f0bc558ef894602.exe	82

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_3baa02971bb069ea3f0bc558ef894602.exe
"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_3baa02971bb069ea3f0bc558ef894602.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2060
- \??\c:\users\admin\appdata\local\dcovgvoedo
  "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_3baa02971bb069ea3f0bc558ef894602.exe" a -sc:\users\admin\appdata\local\temp\jaffacakes118_3baa02971bb069ea3f0bc558ef894602.exe
  2⤵
  - Deletes itself
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:4056

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k netsvcs -s fastuserswitchingcompatibility
1⤵
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
PID:640
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 640 -s 852
  2⤵
  - Program crash
  PID:3524

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 448 -p 640 -ip 640
1⤵
PID:4448

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k netsvcs -s fastuserswitchingcompatibility
1⤵
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
PID:2156
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 2156 -s 1100
  2⤵
  - Program crash
  PID:3676

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 508 -p 2156 -ip 2156
1⤵
PID:3460

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k netsvcs -s fastuserswitchingcompatibility
1⤵
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
PID:1496
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 1496 -s 872
  2⤵
  - Program crash
  PID:5024

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 368 -p 1496 -ip 1496
1⤵
PID:5060

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\dcovgvoedo

Filesize
20.6MB

MD5
5c495bb39838ca1ce4c3610573d0316b

SHA1
2048d37d8f452ee9824222e40f7d2df6776b3bb5

SHA256
3d2409ca29cb3d5c2de372158c8ad0f1a9a82ab65a7b8249089a9f01a7a80a0e

SHA512
488bcc8694a0589e740aaee492e24a5718799738d7550ded27b756e94b7c2732622d002b95050cf297f62d89c092d251c044334cec14787bddce9d81ecc7acff

Download Submit
C:\Windows\SysWOW64\svchost.exe.txt

Filesize
202B

MD5
bd6e568b90676a80df415348b9f7905f

SHA1
9a69e3ce2d8994a955d15fb05583ef6425c22804

SHA256
c44c9ecdc09c998f67708be2a061c5dc550977f3cf026221fefa40acbf40ba5c

SHA512
f245c4acf3da2c7c0beab09c4b5259c03adfb897c4c55bbdd7b7ee6c61300de1ad962b0153339df450e4166c2b61d5e4b1219359e5314329511d956ab1e9e77c

Download Submit
C:\Windows\SysWOW64\svchost.exe.txt

Filesize
303B

MD5
f3c40e082be97427dfed15d684da3ed4

SHA1
c25ccba2e50bb23286e0b720aa22bbf1e280c0c6

SHA256
cc6017217e080df09c9456e7c7f6c3b2459defeb0dcf5f735c3e38c894a515b8

SHA512
f47a8dde5c8b2089c133ea2a91cfcff5fd67433773447eccabbe28aeb944c4da1e996815472247b2e3d73d006ca9ef329e11fc6d6c0613090eec4decd5779cb6

Download Submit
\??\c:\programdata\application data\storm\update\%sessionname%\fwncn.cc3

Filesize
24.1MB

MD5
06ce3e674be87c0f36bff123142fb77f

SHA1
4f946609526b3c3fc7c0fbd61c0fe2744e8187c9

SHA256
756a9946e642497069fc668344783e525b0173b174549e8951caee4c425ee69d

SHA512
2e1d71c86af6c81b4e31336181ef85f40644103fbd1c9e3e65298bc22717dd0e9d36b4cc830cddb07b12189ee1ee3afc9c1f49391b5648b9a15d560d75b90219

Download Submit
memory/640-18-0x0000000000FF0000-0x0000000000FF1000-memory.dmp

Filesize
4KB

Download
memory/640-20-0x0000000020000000-0x0000000020027000-memory.dmp

Filesize
156KB

Download
memory/1496-30-0x0000000020000000-0x0000000020027000-memory.dmp

Filesize
156KB

Download
memory/1496-27-0x00000000013F0000-0x00000000013F1000-memory.dmp

Filesize
4KB

Download
memory/2060-2-0x00000000001D0000-0x00000000001D1000-memory.dmp

Filesize
4KB

Download
memory/2060-9-0x0000000000400000-0x000000000044E35C-memory.dmp

Filesize
312KB

Download
memory/2060-0-0x0000000000400000-0x000000000044E35C-memory.dmp

Filesize
312KB

Download
memory/2156-25-0x0000000020000000-0x0000000020027000-memory.dmp

Filesize
156KB

Download
memory/2156-22-0x0000000000F50000-0x0000000000F51000-memory.dmp

Filesize
4KB

Download
memory/4056-17-0x0000000000400000-0x000000000044E35C-memory.dmp

Filesize
312KB

Download
memory/4056-12-0x00000000001D0000-0x00000000001D1000-memory.dmp

Filesize
4KB

Download
memory/4056-7-0x0000000000400000-0x000000000044E35C-memory.dmp

Filesize
312KB

Download