gh0strat | 55088f908115710fad9e9d04efe9eec06ee0a16bca9453b75683f452cbd72114

Analysis

max time kernel
150s
max time network
137s
platform
windows7_x64
resource
win7-20240708-en
resource tags

arch:x64arch:x86image:win7-20240708-enlocale:en-usos:windows7-x64system
submitted
27/01/2025, 12:34

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

JaffaCakes118_3f9d6dcc5ecc15be183c3b3f999bd8d8.exe
Size

82KB
MD5

3f9d6dcc5ecc15be183c3b3f999bd8d8
SHA1

ad8f0bfa542fe20335967fc0ccc20b32524e7a1c
SHA256

55088f908115710fad9e9d04efe9eec06ee0a16bca9453b75683f452cbd72114
SHA512

4bc5305f63a879cc4003a949f1381cc1c55fbeda97b53453e2651267cc196664f4a5c3623327fa893bc96973d145b9ac8bae7c88f92d81aeb4eb53ae7720eb81
SSDEEP

1536:Io48KAfHKom0RK2zuOpfS4BL99L9Rm8hOW7bdQdkA7ZrrAPh:DWeqovR5zuOpfJnL9f5bOdT7ZXi

Score

10^/10

gh0strat discovery rat

Malware Config

Signatures

Gh0st RAT payload 5 IoCs

resource	yara_rule
behavioral1/memory/1128-5-0x0000000000400000-0x000000000043A000-memory.dmp	family_gh0strat
behavioral1/files/0x000a0000000195c4-9.dat	family_gh0strat
behavioral1/files/0x000a0000000195c4-12.dat	family_gh0strat
behavioral1/memory/1128-13-0x0000000010000000-0x000000001001C000-memory.dmp	family_gh0strat
behavioral1/files/0x000a0000000120d5-16.dat	family_gh0strat

Gh0strat
Gh0st RAT is a remote access tool (RAT) with its source code public and it has been used by multiple Chinese groups.
rat gh0strat
Gh0strat family
gh0strat

Deletes itself 1 IoCs

pid	Process
2592	svchost.exe

Loads dropped DLL 1 IoCs

pid	Process
2592	svchost.exe

Drops file in Program Files directory 2 IoCs

description	ioc	Process
File opened for modification	C:\Program Files (x86)\Ubfe\Hmsacbojb.jpg	JaffaCakes118_3f9d6dcc5ecc15be183c3b3f999bd8d8.exe
File created	C:\Program Files (x86)\Ubfe\Hmsacbojb.jpg	JaffaCakes118_3f9d6dcc5ecc15be183c3b3f999bd8d8.exe

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_3f9d6dcc5ecc15be183c3b3f999bd8d8.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2592	svchost.exe
2592	svchost.exe
2592	svchost.exe
2592	svchost.exe
2592	svchost.exe
2592	svchost.exe
2592	svchost.exe
2592	svchost.exe
2592	svchost.exe
2592	svchost.exe
2592	svchost.exe
2592	svchost.exe
2592	svchost.exe
2592	svchost.exe
2592	svchost.exe
2592	svchost.exe
2592	svchost.exe
2592	svchost.exe
2592	svchost.exe
2592	svchost.exe
2592	svchost.exe
2592	svchost.exe
2592	svchost.exe
2592	svchost.exe
2592	svchost.exe
2592	svchost.exe
2592	svchost.exe
2592	svchost.exe
2592	svchost.exe
2592	svchost.exe
2592	svchost.exe
2592	svchost.exe
2592	svchost.exe
2592	svchost.exe
2592	svchost.exe
2592	svchost.exe
2592	svchost.exe
2592	svchost.exe
2592	svchost.exe
2592	svchost.exe
2592	svchost.exe
2592	svchost.exe
2592	svchost.exe
2592	svchost.exe
2592	svchost.exe
2592	svchost.exe
2592	svchost.exe
2592	svchost.exe
2592	svchost.exe
2592	svchost.exe
2592	svchost.exe
2592	svchost.exe
2592	svchost.exe
2592	svchost.exe
2592	svchost.exe
2592	svchost.exe
2592	svchost.exe
2592	svchost.exe
2592	svchost.exe
2592	svchost.exe
2592	svchost.exe
2592	svchost.exe
2592	svchost.exe
2592	svchost.exe

Suspicious use of AdjustPrivilegeToken 8 IoCs

description	pid	Process
Token: SeBackupPrivilege	1128	JaffaCakes118_3f9d6dcc5ecc15be183c3b3f999bd8d8.exe
Token: SeRestorePrivilege	1128	JaffaCakes118_3f9d6dcc5ecc15be183c3b3f999bd8d8.exe
Token: SeBackupPrivilege	1128	JaffaCakes118_3f9d6dcc5ecc15be183c3b3f999bd8d8.exe
Token: SeRestorePrivilege	1128	JaffaCakes118_3f9d6dcc5ecc15be183c3b3f999bd8d8.exe
Token: SeBackupPrivilege	1128	JaffaCakes118_3f9d6dcc5ecc15be183c3b3f999bd8d8.exe
Token: SeRestorePrivilege	1128	JaffaCakes118_3f9d6dcc5ecc15be183c3b3f999bd8d8.exe
Token: SeBackupPrivilege	1128	JaffaCakes118_3f9d6dcc5ecc15be183c3b3f999bd8d8.exe
Token: SeRestorePrivilege	1128	JaffaCakes118_3f9d6dcc5ecc15be183c3b3f999bd8d8.exe

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_3f9d6dcc5ecc15be183c3b3f999bd8d8.exe
"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_3f9d6dcc5ecc15be183c3b3f999bd8d8.exe"
1⤵
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
PID:1128

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k imgsvc
1⤵
- Deletes itself
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
PID:2592

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\2496500.dll

Filesize
101KB

MD5
92ae02dac610f816fb2de1f992e72916

SHA1
adbfdcd5f9a227df039da2998f24754cfe03c0c7

SHA256
535e1fa0e2a27ba57113908f881cd0baa50b5f38fe9de6ea40fd5bd9b2736f4d

SHA512
506dea9755a720c9ef25cbaa6441cb4bd39f05048ea5b8385df68f8aca7969b1f372ad36c988cae6e4a5b7eb508424464367d0dfe9f78afbb1419d84bf64f15f

Download Submit
C:\Program Files (x86)\Ubfe\Hmsacbojb.jpg

Filesize
265KB

MD5
b9a2bd63d7899c77ba1fd380515977be

SHA1
26955657efa20ea450a1cdd9697993b5eaeae0fc

SHA256
ccd23f4b02d5ef5b61fff7ac77878d35759150f1f4af6d5343aeb4413d2d4a3d

SHA512
26e193cb219a09af2a27d38d5283db93093c475da4bb52b9ad1611259f5303735d0ba44b20d2fc94c0b8a3c0dc2def61ef534408e962bc639714d5f051236d44

Download Submit
\??\c:\NT_Path.jpg

Filesize
99B

MD5
956204eaf359f7daf010daf84dc3fd73

SHA1
0ed130939cadc2df66d2dbc76418fff8300bab80

SHA256
ac3832e6187bd867e928c3d0f051ff934b8a66a855b72181c24678b9c8fbb7d8

SHA512
e8941aa58637ef4ae2eaca85c439a99ca001b9cf7d99c187c6530ba6be4cbb69a769400cc409804aca41a23cdee6f965820132c28c05b2afeed33efef7b8e9d3

Download Submit
\??\c:\program files (x86)\ubfe\hmsacbojb.jpg

Filesize
11.2MB

MD5
807a2389f751c5da53e90487860d48b5

SHA1
8e1dd95fc6d0bf032cc2b803971c5db9230479c9

SHA256
aa07322c57d613670af9fcd29f1bb656bc58a87337810616727ff33f707755eb

SHA512
012247a9dd1936ef91ab6aaf5c5d5ceb43bec33f4499a9bebfb29423fde9880bc5e8ff08700ded0ab44bfa7ba34e7514223b587c61e55b198095ae5e5398c10b

Download Submit
memory/1128-0-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/1128-1-0x0000000000240000-0x000000000027A000-memory.dmp

Filesize
232KB

Download
memory/1128-5-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/1128-4-0x000000000042B000-0x000000000042C000-memory.dmp

Filesize
4KB

Download
memory/1128-13-0x0000000010000000-0x000000001001C000-memory.dmp

Filesize
112KB

Download