gh0strat | 004566d49485717ed80925c661d425e9726aa391667d5471cb418f96c6e06f77

Analysis

max time kernel
150s
max time network
117s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
27-01-2025 07:54

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

JaffaCakes118_3d7716ebc681dbc9fb939408a434ca95.exe
Size

152KB
MD5

3d7716ebc681dbc9fb939408a434ca95
SHA1

21687506677218a6a899a23df5cec5432c359d58
SHA256

004566d49485717ed80925c661d425e9726aa391667d5471cb418f96c6e06f77
SHA512

aa8a4f7b97cb08664d7ea36f11ca7df083f21960cad448fe8776f91a5a62e273117a4cd222bd5703ed0137d61b96ba8db93041e375fe1243a1e072a724eee197
SSDEEP

3072:E7S0BwvfdtG79onTCBvqYzVKBaUi5zGy7oidb2bb:/0Bw3dSSkKk1xFkide

Score

10^/10

gh0strat discovery rat

Malware Config

Signatures

Gh0st RAT payload 3 IoCs

resource	yara_rule
behavioral1/memory/2528-0-0x0000000000400000-0x00000000004276FC-memory.dmp	family_gh0strat
behavioral1/files/0x0007000000012118-4.dat	family_gh0strat
behavioral1/memory/2528-9-0x0000000000400000-0x00000000004276FC-memory.dmp	family_gh0strat

Gh0strat
Gh0st RAT is a remote access tool (RAT) with its source code public and it has been used by multiple Chinese groups.
rat gh0strat
Gh0strat family
gh0strat

Loads dropped DLL 4 IoCs

pid	Process
2160	rundll32.exe
2160	rundll32.exe
2160	rundll32.exe
2160	rundll32.exe

Drops file in Program Files directory 1 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\wi259437462nd.temp	JaffaCakes118_3d7716ebc681dbc9fb939408a434ca95.exe

System Location Discovery: System Language Discovery 1 TTPs 8 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	rundll32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_3d7716ebc681dbc9fb939408a434ca95.exe

Kills process with taskkill 6 IoCs

defense_evasion

pid	Process
1536	taskkill.exe
1076	taskkill.exe
540	taskkill.exe
1196	taskkill.exe
2540	taskkill.exe
2984	taskkill.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2528	JaffaCakes118_3d7716ebc681dbc9fb939408a434ca95.exe
2160	rundll32.exe
2160	rundll32.exe
2160	rundll32.exe
2160	rundll32.exe
2160	rundll32.exe
2160	rundll32.exe
2160	rundll32.exe
2160	rundll32.exe
2160	rundll32.exe
2160	rundll32.exe
2160	rundll32.exe
2160	rundll32.exe
2160	rundll32.exe
2160	rundll32.exe
2160	rundll32.exe
2160	rundll32.exe
2160	rundll32.exe
2160	rundll32.exe
2160	rundll32.exe
2160	rundll32.exe
2160	rundll32.exe
2160	rundll32.exe
2160	rundll32.exe
2160	rundll32.exe
2160	rundll32.exe
2160	rundll32.exe
2160	rundll32.exe
2160	rundll32.exe
2160	rundll32.exe
2160	rundll32.exe
2160	rundll32.exe
2160	rundll32.exe
2160	rundll32.exe
2160	rundll32.exe
2160	rundll32.exe
2160	rundll32.exe
2160	rundll32.exe
2160	rundll32.exe
2160	rundll32.exe
2160	rundll32.exe
2160	rundll32.exe
2160	rundll32.exe
2160	rundll32.exe
2160	rundll32.exe
2160	rundll32.exe
2160	rundll32.exe
2160	rundll32.exe
2160	rundll32.exe
2160	rundll32.exe
2160	rundll32.exe
2160	rundll32.exe
2160	rundll32.exe
2160	rundll32.exe
2160	rundll32.exe
2160	rundll32.exe
2160	rundll32.exe
2160	rundll32.exe
2160	rundll32.exe
2160	rundll32.exe
2160	rundll32.exe
2160	rundll32.exe
2160	rundll32.exe
2160	rundll32.exe

Suspicious use of AdjustPrivilegeToken 6 IoCs

description	pid	Process
Token: SeDebugPrivilege	2540	taskkill.exe
Token: SeDebugPrivilege	540	taskkill.exe
Token: SeDebugPrivilege	1536	taskkill.exe
Token: SeDebugPrivilege	1076	taskkill.exe
Token: SeDebugPrivilege	1196	taskkill.exe
Token: SeDebugPrivilege	2984	taskkill.exe

Suspicious use of WriteProcessMemory 31 IoCs

description	pid	Process	procid_target
PID 2528 wrote to memory of 1196	2528	JaffaCakes118_3d7716ebc681dbc9fb939408a434ca95.exe	30
PID 2528 wrote to memory of 1196	2528	JaffaCakes118_3d7716ebc681dbc9fb939408a434ca95.exe	30
PID 2528 wrote to memory of 1196	2528	JaffaCakes118_3d7716ebc681dbc9fb939408a434ca95.exe	30
PID 2528 wrote to memory of 1196	2528	JaffaCakes118_3d7716ebc681dbc9fb939408a434ca95.exe	30
PID 2528 wrote to memory of 2540	2528	JaffaCakes118_3d7716ebc681dbc9fb939408a434ca95.exe	31
PID 2528 wrote to memory of 2540	2528	JaffaCakes118_3d7716ebc681dbc9fb939408a434ca95.exe	31
PID 2528 wrote to memory of 2540	2528	JaffaCakes118_3d7716ebc681dbc9fb939408a434ca95.exe	31
PID 2528 wrote to memory of 2540	2528	JaffaCakes118_3d7716ebc681dbc9fb939408a434ca95.exe	31
PID 2528 wrote to memory of 2984	2528	JaffaCakes118_3d7716ebc681dbc9fb939408a434ca95.exe	32
PID 2528 wrote to memory of 2984	2528	JaffaCakes118_3d7716ebc681dbc9fb939408a434ca95.exe	32
PID 2528 wrote to memory of 2984	2528	JaffaCakes118_3d7716ebc681dbc9fb939408a434ca95.exe	32
PID 2528 wrote to memory of 2984	2528	JaffaCakes118_3d7716ebc681dbc9fb939408a434ca95.exe	32
PID 2528 wrote to memory of 1536	2528	JaffaCakes118_3d7716ebc681dbc9fb939408a434ca95.exe	33
PID 2528 wrote to memory of 1536	2528	JaffaCakes118_3d7716ebc681dbc9fb939408a434ca95.exe	33
PID 2528 wrote to memory of 1536	2528	JaffaCakes118_3d7716ebc681dbc9fb939408a434ca95.exe	33
PID 2528 wrote to memory of 1536	2528	JaffaCakes118_3d7716ebc681dbc9fb939408a434ca95.exe	33
PID 2528 wrote to memory of 1076	2528	JaffaCakes118_3d7716ebc681dbc9fb939408a434ca95.exe	34
PID 2528 wrote to memory of 1076	2528	JaffaCakes118_3d7716ebc681dbc9fb939408a434ca95.exe	34
PID 2528 wrote to memory of 1076	2528	JaffaCakes118_3d7716ebc681dbc9fb939408a434ca95.exe	34
PID 2528 wrote to memory of 1076	2528	JaffaCakes118_3d7716ebc681dbc9fb939408a434ca95.exe	34
PID 2528 wrote to memory of 540	2528	JaffaCakes118_3d7716ebc681dbc9fb939408a434ca95.exe	35
PID 2528 wrote to memory of 540	2528	JaffaCakes118_3d7716ebc681dbc9fb939408a434ca95.exe	35
PID 2528 wrote to memory of 540	2528	JaffaCakes118_3d7716ebc681dbc9fb939408a434ca95.exe	35
PID 2528 wrote to memory of 540	2528	JaffaCakes118_3d7716ebc681dbc9fb939408a434ca95.exe	35
PID 2528 wrote to memory of 2160	2528	JaffaCakes118_3d7716ebc681dbc9fb939408a434ca95.exe	37
PID 2528 wrote to memory of 2160	2528	JaffaCakes118_3d7716ebc681dbc9fb939408a434ca95.exe	37
PID 2528 wrote to memory of 2160	2528	JaffaCakes118_3d7716ebc681dbc9fb939408a434ca95.exe	37
PID 2528 wrote to memory of 2160	2528	JaffaCakes118_3d7716ebc681dbc9fb939408a434ca95.exe	37
PID 2528 wrote to memory of 2160	2528	JaffaCakes118_3d7716ebc681dbc9fb939408a434ca95.exe	37
PID 2528 wrote to memory of 2160	2528	JaffaCakes118_3d7716ebc681dbc9fb939408a434ca95.exe	37
PID 2528 wrote to memory of 2160	2528	JaffaCakes118_3d7716ebc681dbc9fb939408a434ca95.exe	37

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_3d7716ebc681dbc9fb939408a434ca95.exe
"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_3d7716ebc681dbc9fb939408a434ca95.exe"
1⤵
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2528
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /f /t /im KSafeTray.exe
  2⤵
  - System Location Discovery: System Language Discovery
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:1196
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /f /t /im kxetray.exe
  2⤵
  - System Location Discovery: System Language Discovery
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:2540
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /f /t /im knsdtray.exe
  2⤵
  - System Location Discovery: System Language Discovery
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:2984
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /f /t /im KSafeTray.exe
  2⤵
  - System Location Discovery: System Language Discovery
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:1536
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /f /t /im kxetray.exe
  2⤵
  - System Location Discovery: System Language Discovery
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:1076
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /f /t /im knsdtray.exe
  2⤵
  - System Location Discovery: System Language Discovery
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:540
- C:\Windows\SysWOW64\rundll32.exe
  rundll32.exe Rundlla.dll, CodeMain lpServiceName
  2⤵
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  PID:2160

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Rundlla.dll

Filesize
20.1MB

MD5
6ca90c365855a4cf34d51eaa5fac0543

SHA1
19afb3d6e8e55439a99d5b2c0ba0a0ab952af6d8

SHA256
2f0d840b6ee2f1216ae73bf713570a2d25a77688b1f88fe48f3eac076708c7f9

SHA512
626d3c7e44562700a78c66a0a885d29babbebeebb14c92065c336f7ef1dd152f0cc5c4a4d0dbcea73551bd74d343351d7c3d7795f8191e84b343165d4b92217e

Download Submit
memory/2528-0-0x0000000000400000-0x00000000004276FC-memory.dmp

Filesize
157KB

Download
memory/2528-9-0x0000000000400000-0x00000000004276FC-memory.dmp

Filesize
157KB

Download