gh0strat | 110e121a5c20d21a8735dc42a8ac85a81a85e2045d79fb91d77a7328e2662ad9

General

Target

JaffaCakes118_3c216dfd1ea55f02b865059c1d2aac4c.exe
Size

95KB
MD5

3c216dfd1ea55f02b865059c1d2aac4c
SHA1

930c175570611d2628c4537ddb188d0cd6fcd6e2
SHA256

110e121a5c20d21a8735dc42a8ac85a81a85e2045d79fb91d77a7328e2662ad9
SHA512

aae362f40039d1ce011173f16d013d112635e59ca3168de2fc35ed2452834ff6500df7c6ea6ba631b20f89e8d2961354f64bec28f57ca00566ac9697f4ddd52c
SSDEEP

1536:C+FusSx9qYMhdFHS8qdydo3nTzhYxJA+CwNUtBZVY9v8prjXVrGONLfdD:CES4jHS8q/3nTzePCwNUh4E9jXYifdD

Score

10^/10

gh0strat bootkit discovery persistence rat

Malware Config

Signatures

Gh0st RAT payload 4 IoCs

resource	yara_rule
behavioral1/files/0x0008000000019609-18.dat	family_gh0strat
behavioral1/memory/1680-21-0x0000000000400000-0x000000000044E3D4-memory.dmp	family_gh0strat
behavioral1/memory/2952-24-0x0000000020000000-0x0000000020027000-memory.dmp	family_gh0strat
behavioral1/memory/2952-26-0x0000000020000000-0x0000000020027000-memory.dmp	family_gh0strat

Gh0strat
Gh0st RAT is a remote access tool (RAT) with its source code public and it has been used by multiple Chinese groups.
rat gh0strat
Gh0strat family
gh0strat

Deletes itself 1 IoCs

pid	Process
1680	cfrcokynov

Executes dropped EXE 1 IoCs

pid	Process
1680	cfrcokynov

Loads dropped DLL 3 IoCs

pid	Process
2480	JaffaCakes118_3c216dfd1ea55f02b865059c1d2aac4c.exe
2480	JaffaCakes118_3c216dfd1ea55f02b865059c1d2aac4c.exe
2952	svchost.exe

Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs

Bootkits write to the MBR to gain persistence at a level below the operating system.

bootkit persistence

Bootkit

T1542.003

description	ioc	Process
File opened for modification	\??\PhysicalDrive0	svchost.exe

Drops file in System32 directory 1 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\fgoadjjdrb	svchost.exe

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_3c216dfd1ea55f02b865059c1d2aac4c.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cfrcokynov
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	svchost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	svchost.exe

Modifies data under HKEY_USERS 6 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\Software	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\ActiveMovie	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\ActiveMovie\devenum	svchost.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\ActiveMovie\devenum\Version = "7"	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum	svchost.exe

Suspicious behavior: EnumeratesProcesses 3 IoCs

pid	Process
1680	cfrcokynov
2952	svchost.exe
2952	svchost.exe

Suspicious use of AdjustPrivilegeToken 18 IoCs

description	pid	Process
Token: SeRestorePrivilege	1680	cfrcokynov
Token: SeBackupPrivilege	1680	cfrcokynov
Token: SeBackupPrivilege	1680	cfrcokynov
Token: SeRestorePrivilege	1680	cfrcokynov
Token: SeBackupPrivilege	2952	svchost.exe
Token: SeRestorePrivilege	2952	svchost.exe
Token: SeBackupPrivilege	2952	svchost.exe
Token: SeBackupPrivilege	2952	svchost.exe
Token: SeSecurityPrivilege	2952	svchost.exe
Token: SeSecurityPrivilege	2952	svchost.exe
Token: SeBackupPrivilege	2952	svchost.exe
Token: SeBackupPrivilege	2952	svchost.exe
Token: SeSecurityPrivilege	2952	svchost.exe
Token: SeBackupPrivilege	2952	svchost.exe
Token: SeBackupPrivilege	2952	svchost.exe
Token: SeSecurityPrivilege	2952	svchost.exe
Token: SeBackupPrivilege	2952	svchost.exe
Token: SeRestorePrivilege	2952	svchost.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 2480 wrote to memory of 1680	2480	JaffaCakes118_3c216dfd1ea55f02b865059c1d2aac4c.exe	31
PID 2480 wrote to memory of 1680	2480	JaffaCakes118_3c216dfd1ea55f02b865059c1d2aac4c.exe	31
PID 2480 wrote to memory of 1680	2480	JaffaCakes118_3c216dfd1ea55f02b865059c1d2aac4c.exe	31
PID 2480 wrote to memory of 1680	2480	JaffaCakes118_3c216dfd1ea55f02b865059c1d2aac4c.exe	31

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_3c216dfd1ea55f02b865059c1d2aac4c.exe
"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_3c216dfd1ea55f02b865059c1d2aac4c.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2480
- \??\c:\users\admin\appdata\local\cfrcokynov
  "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_3c216dfd1ea55f02b865059c1d2aac4c.exe" a -sc:\users\admin\appdata\local\temp\jaffacakes118_3c216dfd1ea55f02b865059c1d2aac4c.exe
  2⤵
  - Deletes itself
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1680

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k netsvcs
1⤵
- Loads dropped DLL
- Writes to the Master Boot Record (MBR)
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Checks processor information in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2952

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Pre-OS Boot

1

T1542

Bootkit

1

T1542.003

Privilege Escalation

Defense Evasion

Pre-OS Boot

1

T1542

Bootkit

1

T1542.003

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\??\c:\programdata\application data\storm\update\%sessionname%\qjqvu.cc3

Filesize
22.0MB

MD5
445117a4079db67231fe35d81818b2ad

SHA1
2f9653a3ca7bd70721c781affc56dd1fe4950d17

SHA256
17023a6fb34f1d3727aa49933e6ad1b0f71b4806523927580ca5c6c01679b202

SHA512
9f8eb13869076eca5fec97eee28bef71702b027e59631bdcb67e5ff7fc788f5a68d90a3ffc8da212f18b06f31fab8b7e49e6f89a822f7332d9a03bd935792c2e

Download Submit
\Users\Admin\AppData\Local\cfrcokynov

Filesize
20.8MB

MD5
10b2b3d304713b732fcfb0c5398fe42f

SHA1
df5fd6eb39fae633c4a89994bc3c6b35e0a72e95

SHA256
7c5e7b9377c611c8948d42b614bb8ea0f74e474f17554316c4de653dc3760281

SHA512
06c49bf515125d052b319dbfb2c9ddaef00129c60e5eedc98fe28f6bcb94d5f3a77531b25e52b1ae00b5743f93b7a99f5770c2bd13025cdbdb4a1301cad369ea

Download Submit
memory/1680-14-0x0000000000400000-0x000000000044E3D4-memory.dmp

Filesize
312KB

Download
memory/1680-21-0x0000000000400000-0x000000000044E3D4-memory.dmp

Filesize
312KB

Download
memory/2480-1-0x0000000000400000-0x000000000044E3D4-memory.dmp

Filesize
312KB

Download
memory/2480-2-0x0000000000030000-0x0000000000031000-memory.dmp

Filesize
4KB

Download
memory/2480-6-0x0000000000230000-0x000000000027F000-memory.dmp

Filesize
316KB

Download
memory/2480-12-0x0000000000400000-0x000000000044E3D4-memory.dmp

Filesize
312KB

Download
memory/2952-22-0x0000000000240000-0x0000000000241000-memory.dmp

Filesize
4KB

Download
memory/2952-24-0x0000000020000000-0x0000000020027000-memory.dmp

Filesize
156KB

Download
memory/2952-26-0x0000000020000000-0x0000000020027000-memory.dmp

Filesize
156KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads