gh0strat | e0d7a06a466788ac07a82283466ad7d80c6465aefdbc6dc75f776e904465a08e

Analysis

max time kernel
94s
max time network
141s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
27-01-2025 02:47

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

JaffaCakes118_3b54d73444e2626d7e2e6c6c5aba75d6.exe
Size

171KB
MD5

3b54d73444e2626d7e2e6c6c5aba75d6
SHA1

aac897254e696646ad468c8b68c6d77d63c227ad
SHA256

e0d7a06a466788ac07a82283466ad7d80c6465aefdbc6dc75f776e904465a08e
SHA512

d5ecff03f496e7dba4c08d9f6d2136ea8ed01dfa2ce19c703732a02221e1b14ff0db72ecc6e79f9dee0aad87c5c43169728e4afd112d2e47ac49a9320dca3827
SSDEEP

3072:WJuGnYhTbK80khbORf9xHwm1PXBmXZFeA28pM6EdePl9dehiv80P80Cnp8d69Z:WJueTk1OrdwaWB28edeP/deUv80P80AK

Score

10^/10

gh0strat discovery persistence rat

Malware Config

Signatures

Gh0st RAT payload 1 IoCs

resource	yara_rule
behavioral2/files/0x000c000000023b5a-4.dat	family_gh0strat

Gh0strat
Gh0st RAT is a remote access tool (RAT) with its source code public and it has been used by multiple Chinese groups.
rat gh0strat
Gh0strat family
gh0strat

Boot or Logon Autostart Execution: Active Setup 2 TTPs 2 IoCs

Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

persistence

Active Setup

T1547.014

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{5F914BE3-2933-49ac-B020-58CF32DB93C2}	JaffaCakes118_3b54d73444e2626d7e2e6c6c5aba75d6.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{5F914BE3-2933-49ac-B020-58CF32DB93C2}\stubpath = "C:\\Windows\\system32\\inyufnzuj.exe"	JaffaCakes118_3b54d73444e2626d7e2e6c6c5aba75d6.exe

Executes dropped EXE 1 IoCs

pid	Process
2512	inyufnzuj.exe

Drops file in System32 directory 2 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\inyufnzuj.exe	JaffaCakes118_3b54d73444e2626d7e2e6c6c5aba75d6.exe
File opened for modification	C:\Windows\SysWOW64\inyufnzuj.exe_lang.ini	JaffaCakes118_3b54d73444e2626d7e2e6c6c5aba75d6.exe

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	inyufnzuj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_3b54d73444e2626d7e2e6c6c5aba75d6.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
4120	JaffaCakes118_3b54d73444e2626d7e2e6c6c5aba75d6.exe
4120	JaffaCakes118_3b54d73444e2626d7e2e6c6c5aba75d6.exe
2512	inyufnzuj.exe
2512	inyufnzuj.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	4120	JaffaCakes118_3b54d73444e2626d7e2e6c6c5aba75d6.exe
Token: SeDebugPrivilege	2512	inyufnzuj.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 4120 wrote to memory of 2512	4120	JaffaCakes118_3b54d73444e2626d7e2e6c6c5aba75d6.exe	83
PID 4120 wrote to memory of 2512	4120	JaffaCakes118_3b54d73444e2626d7e2e6c6c5aba75d6.exe	83
PID 4120 wrote to memory of 2512	4120	JaffaCakes118_3b54d73444e2626d7e2e6c6c5aba75d6.exe	83
PID 2512 wrote to memory of 3536	2512	inyufnzuj.exe	84
PID 2512 wrote to memory of 3536	2512	inyufnzuj.exe	84
PID 2512 wrote to memory of 3536	2512	inyufnzuj.exe	84

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_3b54d73444e2626d7e2e6c6c5aba75d6.exe
"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_3b54d73444e2626d7e2e6c6c5aba75d6.exe"
1⤵
- Boot or Logon Autostart Execution: Active Setup
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4120
- C:\Windows\SysWOW64\inyufnzuj.exe
  C:\Windows\system32\inyufnzuj.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2512
- - C:\Program Files\Internet Explorer\iexplore.exe
    "C:\Program Files\Internet Explorer\iexplore.exe"
    3⤵
    PID:3536

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\inyufnzuj.exe

Filesize
171KB

MD5
fee2c84ee76a43e53e84d066d0338253

SHA1
f6dd986799d17374d8deccc94a698931b11ee924

SHA256
9bb554fc3199dfcf209bc683cab265587a51f214b18ef7b8d88747cee2c7e4d1

SHA512
433fd61ff5cfe19f88bff33269c7e961fc62bbb1bd5234fab59acf14b64ccfa201dbd1494123388456a30b969dc5eab00ee85af603e0a174715bd0a3250accd0

Download Submit