gh0strat | df3b567bd35bf73cfa52fa179acc05e19f794c00bf729cd3ea6ddf276b2372e8

General

Target

JaffaCakes118_3de25756770c7f2cda872cb32a200949.exe
Size

9.2MB
MD5

3de25756770c7f2cda872cb32a200949
SHA1

8bc2d08901872dc3fb88599ac06b2b0cae36189d
SHA256

df3b567bd35bf73cfa52fa179acc05e19f794c00bf729cd3ea6ddf276b2372e8
SHA512

92aaa490deda8e72ec99ec5a0d1500608285647f54f6c049d1a0235245579efeff5c3219943e8454510acf41307829541115b6977efa52e7352491f8e0392d4b
SSDEEP

3072:zFE6I0avDH0d+KU0uZ+LbP100ZIPn7CCIXdO69ln5I8SqI:zF1VavDH0d+K1uYbGvP7/Iso5If

Score

10^/10

Malware Config

Signatures

Gh0st RAT payload 5 IoCs

resource	yara_rule
behavioral2/memory/1496-0-0x0000000000400000-0x0000000000428000-memory.dmp	family_gh0strat
behavioral2/memory/1496-14-0x0000000000400000-0x0000000000428000-memory.dmp	family_gh0strat
behavioral2/files/0x0007000000023cc9-20.dat	family_gh0strat
behavioral2/memory/756-22-0x0000000010000000-0x000000001001D000-memory.dmp	family_gh0strat
behavioral2/memory/756-23-0x0000000010000000-0x000000001001D000-memory.dmp	family_gh0strat

Gh0strat
Gh0st RAT is a remote access tool (RAT) with its source code public and it has been used by multiple Chinese groups.
rat gh0strat
Gh0strat family
gh0strat

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation	JaffaCakes118_3de25756770c7f2cda872cb32a200949.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation	WScript.exe

Executes dropped EXE 1 IoCs

pid	Process
756	laass.exe

Loads dropped DLL 1 IoCs

pid	Process
756	laass.exe

Drops file in Program Files directory 6 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\%Program Files%	JaffaCakes118_3de25756770c7f2cda872cb32a200949.exe
File created	C:\Program Files\%Program Files%\363.VBS	JaffaCakes118_3de25756770c7f2cda872cb32a200949.exe
File created	C:\Program Files\%Program Files%\laass.exe	JaffaCakes118_3de25756770c7f2cda872cb32a200949.exe
File created	C:\Program Files\%Program Files%\Cest.bat	JaffaCakes118_3de25756770c7f2cda872cb32a200949.exe
File created	C:\Program Files\%Program Files%\Æô¶¯\chongqi.bat	JaffaCakes118_3de25756770c7f2cda872cb32a200949.exe
File created	C:\Program Files\%Program Files%\inst.inf	JaffaCakes118_3de25756770c7f2cda872cb32a200949.exe

Drops file in Windows directory 3 IoCs

description	ioc	Process
File opened for modification	C:\WINDOWS\Best.bat	JaffaCakes118_3de25756770c7f2cda872cb32a200949.exe
File created	C:\WINDOWS\362.VBS	JaffaCakes118_3de25756770c7f2cda872cb32a200949.exe
File created	C:\WINDOWS\Best.bat	JaffaCakes118_3de25756770c7f2cda872cb32a200949.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	xcopy.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_3de25756770c7f2cda872cb32a200949.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	laass.exe

Enumerates system info in registry 2 TTPs 1 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier	xcopy.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000_Classes\Local Settings	JaffaCakes118_3de25756770c7f2cda872cb32a200949.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
1496	JaffaCakes118_3de25756770c7f2cda872cb32a200949.exe
1496	JaffaCakes118_3de25756770c7f2cda872cb32a200949.exe

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
1496	JaffaCakes118_3de25756770c7f2cda872cb32a200949.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 1496 wrote to memory of 2228	1496	JaffaCakes118_3de25756770c7f2cda872cb32a200949.exe	83
PID 1496 wrote to memory of 2228	1496	JaffaCakes118_3de25756770c7f2cda872cb32a200949.exe	83
PID 1496 wrote to memory of 2228	1496	JaffaCakes118_3de25756770c7f2cda872cb32a200949.exe	83
PID 2228 wrote to memory of 1648	2228	WScript.exe	84
PID 2228 wrote to memory of 1648	2228	WScript.exe	84
PID 2228 wrote to memory of 1648	2228	WScript.exe	84
PID 1648 wrote to memory of 756	1648	cmd.exe	86
PID 1648 wrote to memory of 756	1648	cmd.exe	86
PID 1648 wrote to memory of 756	1648	cmd.exe	86
PID 1648 wrote to memory of 1060	1648	cmd.exe	87
PID 1648 wrote to memory of 1060	1648	cmd.exe	87
PID 1648 wrote to memory of 1060	1648	cmd.exe	87

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_3de25756770c7f2cda872cb32a200949.exe
"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_3de25756770c7f2cda872cb32a200949.exe"
1⤵
- Checks computer location settings
- Drops file in Program Files directory
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: RenamesItself
- Suspicious use of WriteProcessMemory
PID:1496
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Program Files\%Program Files%\363.VBS"
  2⤵
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2228
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Program Files\%Program Files%\Cest.bat" "
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:1648
  - - C:\Program Files\%Program Files%\laass.exe
      laass.exe Wdcp.dll rukou
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      System Location Discovery: System Language Discovery
      PID:756
  - - C:\Windows\SysWOW64\xcopy.exe
      xcopy /e /y "C:\Program Files\%Program Files%\╞⌠╢»" "C:\Documents and Settings\All Users\í╕┐¬╩╝í╣▓╦╡Ñ\│╠╨≥\╞⌠╢»"
      4⤵
      System Location Discovery: System Language Discovery
      Enumerates system info in registry
      PID:1060

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

2

T1012

System Information Discovery

3

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\%Program Files%\363.VBS

Filesize
109B

MD5
b4736c4a0cbbeb50d304da6dbcbde940

SHA1
0b04024ab176bb38fc36ac7cbb4ba69b4817929e

SHA256
c6b08ae8b1242b118aa49690cbadb5b9360d5ff34dddbd9006588ee13c90befb

SHA512
cac3405a0df94b2e998fd4b9aacdcd51d524c1514358172376f95c9ef9b77a2ebd56cfc8b17a7e11c85ab55bc4720fe1d8d9b62a35c76c43365d9044d0f6f167

Download Submit
C:\Program Files\%Program Files%\Cest.bat

Filesize
203B

MD5
72f447896a8ff164c85d9208cce3444d

SHA1
eb9b88318b0942c9c1872ed13a967f4dbf4d7592

SHA256
28d81b63601d96e718e9426385da6c4430eec76f9a8491f9a77bccdffaf38784

SHA512
335d5be3f8db9a438ba02fbfe18b7d7545f1b213b02f6465855ff57371cb336d3e1e796f5e8b4f0bdc0059a7f2622314e3ba953bf01ff45092a93bd337366ebd

Download Submit
C:\Program Files\%Program Files%\Wdcp.dll

Filesize
21.1MB

MD5
2f4ca76242abe3adc92d6901a1f3f371

SHA1
7bbf7d75b4ad739f820458b6b4ad4c68a531d8f8

SHA256
c7c30d7a5988076bb508d631be21aec63bf53fcb1db663eb883a9aa49bd3fbbc

SHA512
df370e06c75d24e08fff8db8f2f8cbcb8b5d5c6e9d1cf48a118599cd78d82a73c63bf01ed6007f1091769b006a855e1960e8cab22074ae3f516a102288acea21

Download Submit
C:\Program Files\%Program Files%\laass.exe

Filesize
32KB

MD5
a5dd94434c702493d4577e966134b303

SHA1
6bfaeb811189c41521802a11e0836237cd169395

SHA256
a26f4219815c297c705060b77595ef76e35e9e2bedbeb5afb3357cdc5ba2717f

SHA512
c5a44a9d526c2d494fcdcd765baf7a765e53838f53a65df1d1ce4114fcb1186296a8faebee4bd0a39a41c9e96aa3b3484e07d86fbd117be7915610eb4ef5cf77

Download Submit
memory/756-22-0x0000000010000000-0x000000001001D000-memory.dmp

Filesize
116KB

Download
memory/756-23-0x0000000010000000-0x000000001001D000-memory.dmp

Filesize
116KB

Download
memory/1496-0-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/1496-14-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads