gh0strat | e0d7a06a466788ac07a82283466ad7d80c6465aefdbc6dc75f776e904465a08e

General

Target

JaffaCakes118_3b54d73444e2626d7e2e6c6c5aba75d6.exe
Size

171KB
MD5

3b54d73444e2626d7e2e6c6c5aba75d6
SHA1

aac897254e696646ad468c8b68c6d77d63c227ad
SHA256

e0d7a06a466788ac07a82283466ad7d80c6465aefdbc6dc75f776e904465a08e
SHA512

d5ecff03f496e7dba4c08d9f6d2136ea8ed01dfa2ce19c703732a02221e1b14ff0db72ecc6e79f9dee0aad87c5c43169728e4afd112d2e47ac49a9320dca3827
SSDEEP

3072:WJuGnYhTbK80khbORf9xHwm1PXBmXZFeA28pM6EdePl9dehiv80P80Cnp8d69Z:WJueTk1OrdwaWB28edeP/deUv80P80AK

Score

10^/10

Malware Config

Signatures

Gh0st RAT payload 1 IoCs

resource	yara_rule
behavioral1/files/0x000d000000012257-3.dat	family_gh0strat

Gh0strat
Gh0st RAT is a remote access tool (RAT) with its source code public and it has been used by multiple Chinese groups.
rat gh0strat
Gh0strat family
gh0strat

Boot or Logon Autostart Execution: Active Setup 2 TTPs 2 IoCs

Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

persistence

Active Setup

T1547.014

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{16522433-F885-413d-84C2-EBEE588164DE}\stubpath = "C:\\Windows\\system32\\inugvjlkd.exe"	JaffaCakes118_3b54d73444e2626d7e2e6c6c5aba75d6.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{16522433-F885-413d-84C2-EBEE588164DE}	JaffaCakes118_3b54d73444e2626d7e2e6c6c5aba75d6.exe

Executes dropped EXE 1 IoCs

pid	Process
2340	inugvjlkd.exe

Loads dropped DLL 4 IoCs

pid	Process
752	JaffaCakes118_3b54d73444e2626d7e2e6c6c5aba75d6.exe
2340	inugvjlkd.exe
2340	inugvjlkd.exe
2340	inugvjlkd.exe

Drops file in System32 directory 2 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\inugvjlkd.exe	JaffaCakes118_3b54d73444e2626d7e2e6c6c5aba75d6.exe
File opened for modification	C:\Windows\SysWOW64\inugvjlkd.exe_lang.ini	JaffaCakes118_3b54d73444e2626d7e2e6c6c5aba75d6.exe

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_3b54d73444e2626d7e2e6c6c5aba75d6.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	inugvjlkd.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
752	JaffaCakes118_3b54d73444e2626d7e2e6c6c5aba75d6.exe
2340	inugvjlkd.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	752	JaffaCakes118_3b54d73444e2626d7e2e6c6c5aba75d6.exe
Token: SeDebugPrivilege	2340	inugvjlkd.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 752 wrote to memory of 2340	752	JaffaCakes118_3b54d73444e2626d7e2e6c6c5aba75d6.exe	31
PID 752 wrote to memory of 2340	752	JaffaCakes118_3b54d73444e2626d7e2e6c6c5aba75d6.exe	31
PID 752 wrote to memory of 2340	752	JaffaCakes118_3b54d73444e2626d7e2e6c6c5aba75d6.exe	31
PID 752 wrote to memory of 2340	752	JaffaCakes118_3b54d73444e2626d7e2e6c6c5aba75d6.exe	31
PID 752 wrote to memory of 2340	752	JaffaCakes118_3b54d73444e2626d7e2e6c6c5aba75d6.exe	31
PID 752 wrote to memory of 2340	752	JaffaCakes118_3b54d73444e2626d7e2e6c6c5aba75d6.exe	31
PID 752 wrote to memory of 2340	752	JaffaCakes118_3b54d73444e2626d7e2e6c6c5aba75d6.exe	31
PID 2340 wrote to memory of 1228	2340	inugvjlkd.exe	32
PID 2340 wrote to memory of 1228	2340	inugvjlkd.exe	32
PID 2340 wrote to memory of 1228	2340	inugvjlkd.exe	32
PID 2340 wrote to memory of 1228	2340	inugvjlkd.exe	32
PID 2340 wrote to memory of 1228	2340	inugvjlkd.exe	32

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_3b54d73444e2626d7e2e6c6c5aba75d6.exe
"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_3b54d73444e2626d7e2e6c6c5aba75d6.exe"
1⤵
- Boot or Logon Autostart Execution: Active Setup
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:752
- C:\Windows\SysWOW64\inugvjlkd.exe
  C:\Windows\system32\inugvjlkd.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2340
- - C:\Program Files\Internet Explorer\iexplore.exe
    "C:\Program Files\Internet Explorer\iexplore.exe"
    3⤵
    PID:1228

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Active Setup

1

T1547.014

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Active Setup

1

T1547.014

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\Windows\SysWOW64\inugvjlkd.exe

Filesize
171KB

MD5
0e9549188cd79f933f75a68406b2499c

SHA1
e21f078de3bfd25a50d9494d20ef6c412343c4bf

SHA256
3c5754fc53089ce9571b785361e7c019ab0aefb4559e4f9af9b4392ea7d61ffa

SHA512
4fc554c1eccda78f0efd87471e14ce06a299a598b55bd7745a67fe12ef919dfd7c40c204974e674fe651d151fd17dce5c76e61de00686b1d110caecf8ecd68cd

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads