gh0strat | 7caa895701bae8fadd55156512b9a556ab6d594264c951131fbbf915ddc7ec89

Analysis

max time kernel
149s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
27-01-2025 05:31

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

JaffaCakes118_3c64bb2a8435a649ad2ca869d94c74e5.exe
Size

96KB
MD5

3c64bb2a8435a649ad2ca869d94c74e5
SHA1

28d96750de096fad633ac17c89d6954620797387
SHA256

7caa895701bae8fadd55156512b9a556ab6d594264c951131fbbf915ddc7ec89
SHA512

8dc5613647152c0cfdce9608e8a8d4e2058b34ae29e6a566f3c71b9c6b62e5337420c48134990336d0a1210b430fd196e2082858411f16565e1cc6803b292454
SSDEEP

1536:HkFusSx9qYMhdFHS8qdydo3nTzhYxJA+CwNUtBZVY9v8prQhf3MY:HWS4jHS8q/3nTzePCwNUh4E9g3MY

Score

10^/10

gh0strat discovery rat

Malware Config

Signatures

Gh0st RAT payload 5 IoCs

resource	yara_rule
behavioral2/files/0x000a000000023bbd-15.dat	family_gh0strat
behavioral2/memory/4712-17-0x0000000000400000-0x000000000044E31C-memory.dmp	family_gh0strat
behavioral2/memory/2508-20-0x0000000020000000-0x0000000020027000-memory.dmp	family_gh0strat
behavioral2/memory/4928-25-0x0000000020000000-0x0000000020027000-memory.dmp	family_gh0strat
behavioral2/memory/3956-30-0x0000000020000000-0x0000000020027000-memory.dmp	family_gh0strat

Gh0strat
Gh0st RAT is a remote access tool (RAT) with its source code public and it has been used by multiple Chinese groups.
rat gh0strat
Gh0strat family
gh0strat

Deletes itself 1 IoCs

pid	Process
4712	kyeodgubwf

Executes dropped EXE 1 IoCs

pid	Process
4712	kyeodgubwf

Loads dropped DLL 3 IoCs

pid	Process
2508	svchost.exe
4928	svchost.exe
3956	svchost.exe

Drops file in System32 directory 6 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\lnrbsgtgbw	svchost.exe
File opened for modification	C:\Windows\SysWOW64\svchost.exe.txt	svchost.exe
File created	C:\Windows\SysWOW64\lfehkdqjnb	svchost.exe
File opened for modification	C:\Windows\SysWOW64\svchost.exe.txt	svchost.exe
File created	C:\Windows\SysWOW64\lnrbsgtgbw	svchost.exe
File opened for modification	C:\Windows\SysWOW64\svchost.exe.txt	svchost.exe

Program crash 3 IoCs

pid	pid_target	Process	procid_target
3844	2508	WerFault.exe	87
4656	4928	WerFault.exe	91
3944	3956	WerFault.exe	95

System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_3c64bb2a8435a649ad2ca869d94c74e5.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	kyeodgubwf
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
4712	kyeodgubwf
4712	kyeodgubwf

Suspicious use of AdjustPrivilegeToken 46 IoCs

description	pid	Process
Token: SeRestorePrivilege	4712	kyeodgubwf
Token: SeBackupPrivilege	4712	kyeodgubwf
Token: SeBackupPrivilege	4712	kyeodgubwf
Token: SeRestorePrivilege	4712	kyeodgubwf
Token: SeBackupPrivilege	2508	svchost.exe
Token: SeRestorePrivilege	2508	svchost.exe
Token: SeBackupPrivilege	2508	svchost.exe
Token: SeBackupPrivilege	2508	svchost.exe
Token: SeSecurityPrivilege	2508	svchost.exe
Token: SeSecurityPrivilege	2508	svchost.exe
Token: SeBackupPrivilege	2508	svchost.exe
Token: SeBackupPrivilege	2508	svchost.exe
Token: SeSecurityPrivilege	2508	svchost.exe
Token: SeBackupPrivilege	2508	svchost.exe
Token: SeBackupPrivilege	2508	svchost.exe
Token: SeSecurityPrivilege	2508	svchost.exe
Token: SeBackupPrivilege	2508	svchost.exe
Token: SeRestorePrivilege	2508	svchost.exe
Token: SeBackupPrivilege	4928	svchost.exe
Token: SeRestorePrivilege	4928	svchost.exe
Token: SeBackupPrivilege	4928	svchost.exe
Token: SeBackupPrivilege	4928	svchost.exe
Token: SeSecurityPrivilege	4928	svchost.exe
Token: SeSecurityPrivilege	4928	svchost.exe
Token: SeBackupPrivilege	4928	svchost.exe
Token: SeBackupPrivilege	4928	svchost.exe
Token: SeSecurityPrivilege	4928	svchost.exe
Token: SeBackupPrivilege	4928	svchost.exe
Token: SeBackupPrivilege	4928	svchost.exe
Token: SeSecurityPrivilege	4928	svchost.exe
Token: SeBackupPrivilege	4928	svchost.exe
Token: SeRestorePrivilege	4928	svchost.exe
Token: SeBackupPrivilege	3956	svchost.exe
Token: SeRestorePrivilege	3956	svchost.exe
Token: SeBackupPrivilege	3956	svchost.exe
Token: SeBackupPrivilege	3956	svchost.exe
Token: SeSecurityPrivilege	3956	svchost.exe
Token: SeSecurityPrivilege	3956	svchost.exe
Token: SeBackupPrivilege	3956	svchost.exe
Token: SeBackupPrivilege	3956	svchost.exe
Token: SeSecurityPrivilege	3956	svchost.exe
Token: SeBackupPrivilege	3956	svchost.exe
Token: SeBackupPrivilege	3956	svchost.exe
Token: SeSecurityPrivilege	3956	svchost.exe
Token: SeBackupPrivilege	3956	svchost.exe
Token: SeRestorePrivilege	3956	svchost.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 1520 wrote to memory of 4712	1520	JaffaCakes118_3c64bb2a8435a649ad2ca869d94c74e5.exe	82
PID 1520 wrote to memory of 4712	1520	JaffaCakes118_3c64bb2a8435a649ad2ca869d94c74e5.exe	82
PID 1520 wrote to memory of 4712	1520	JaffaCakes118_3c64bb2a8435a649ad2ca869d94c74e5.exe	82

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_3c64bb2a8435a649ad2ca869d94c74e5.exe
"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_3c64bb2a8435a649ad2ca869d94c74e5.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1520
- \??\c:\users\admin\appdata\local\kyeodgubwf
  "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_3c64bb2a8435a649ad2ca869d94c74e5.exe" a -sc:\users\admin\appdata\local\temp\jaffacakes118_3c64bb2a8435a649ad2ca869d94c74e5.exe
  2⤵
  - Deletes itself
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:4712

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k netsvcs -s fastuserswitchingcompatibility
1⤵
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
PID:2508
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 2508 -s 816
  2⤵
  - Program crash
  PID:3844

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 456 -p 2508 -ip 2508
1⤵
PID:3592

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k netsvcs -s fastuserswitchingcompatibility
1⤵
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
PID:4928
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 4928 -s 940
  2⤵
  - Program crash
  PID:4656

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 532 -p 4928 -ip 4928
1⤵
PID:4296

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k netsvcs -s fastuserswitchingcompatibility
1⤵
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
PID:3956
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 3956 -s 1096
  2⤵
  - Program crash
  PID:3944

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 516 -p 3956 -ip 3956
1⤵
PID:4624

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\kyeodgubwf

Filesize
23.4MB

MD5
a68d92315e184fe92c418bd592731aa2

SHA1
9cc25f937bc4b8b187ead2770a5b0f855d3a2956

SHA256
9ab45c3b7174fdb7e1914755009b7e3322b6be3167f1096d36b534670af76296

SHA512
50e33871f93d35c75fad0357bc039c3dda10de10913c7b2a5e5a7cee138cf74f44dbd5a98d8192d87cfda51095b882bb220875bbe3cc9ce387c9413866a597b2

Download Submit
C:\Windows\SysWOW64\svchost.exe.txt

Filesize
202B

MD5
ff0d69b1dcc8498c2db249a9233ee220

SHA1
b0f94be3a599294e39c89133a0d5e22cf544350e

SHA256
9d14dc099eb740a108d4d284f36d0a2a2590020aabcc43b6679a4450150b4d55

SHA512
b05da71e0a571917856c218cd95291100d0023297f4f1a30335411fe39317ff14118db4264bcf19ec616f9ca63de84ca3897b656fae314ace451f9e5b16acec9

Download Submit
C:\Windows\SysWOW64\svchost.exe.txt

Filesize
303B

MD5
9e9f50281682b4ee1b4692a32a14d789

SHA1
875da3a4b9e23f321de491d37b0027b88bd9c965

SHA256
d37da956e9dbcc720eaf0d984ddfc7d5e7cbd72d08b3f344888ed6a5d4c5b339

SHA512
c0a02289cc49814d3df62a9ea6a247490704105a6f8dd2473bb126156dc83dc7efd0f67934c03ad6611619e7d8c91ab76eb54092d07a0e99e4f6cb89468c4c05

Download Submit
\??\c:\programdata\application data\storm\update\%sessionname%\vvvfv.cc3

Filesize
20.1MB

MD5
3604efa275941f9275bc3e3f40cfcddf

SHA1
c64fc54f3d52bf0ebfdc472a646c9f7765e196aa

SHA256
d9f0668d9c8c98eaf5a8a416c94b7c5c07951d4fe8cc35f935646a096a541e31

SHA512
7a6ecc33b4e2ba7b90da996d6c651a4dd819652ce85096e32e50712873b04c1ce15ca165b51e72e953a60b92e041d645cf67e9e77c6ff07cf6b775e3c1eac8db

Download Submit
memory/1520-10-0x0000000000400000-0x000000000044E31C-memory.dmp

Filesize
312KB

Download
memory/1520-0-0x0000000000400000-0x000000000044E31C-memory.dmp

Filesize
312KB

Download
memory/1520-2-0x00000000001D0000-0x00000000001D1000-memory.dmp

Filesize
4KB

Download
memory/2508-18-0x00000000013F0000-0x00000000013F1000-memory.dmp

Filesize
4KB

Download
memory/2508-20-0x0000000020000000-0x0000000020027000-memory.dmp

Filesize
156KB

Download
memory/3956-27-0x0000000001D90000-0x0000000001D91000-memory.dmp

Filesize
4KB

Download
memory/3956-30-0x0000000020000000-0x0000000020027000-memory.dmp

Filesize
156KB

Download
memory/4712-12-0x00000000001D0000-0x00000000001D1000-memory.dmp

Filesize
4KB

Download
memory/4712-7-0x0000000000400000-0x000000000044E31C-memory.dmp

Filesize
312KB

Download
memory/4712-17-0x0000000000400000-0x000000000044E31C-memory.dmp

Filesize
312KB

Download
memory/4928-25-0x0000000020000000-0x0000000020027000-memory.dmp

Filesize
156KB

Download