gh0strat | 55088f908115710fad9e9d04efe9eec06ee0a16bca9453b75683f452cbd72114

Analysis

max time kernel
150s
max time network
144s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
27-01-2025 12:34

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

JaffaCakes118_3f9d6dcc5ecc15be183c3b3f999bd8d8.exe
Size

82KB
MD5

3f9d6dcc5ecc15be183c3b3f999bd8d8
SHA1

ad8f0bfa542fe20335967fc0ccc20b32524e7a1c
SHA256

55088f908115710fad9e9d04efe9eec06ee0a16bca9453b75683f452cbd72114
SHA512

4bc5305f63a879cc4003a949f1381cc1c55fbeda97b53453e2651267cc196664f4a5c3623327fa893bc96973d145b9ac8bae7c88f92d81aeb4eb53ae7720eb81
SSDEEP

1536:Io48KAfHKom0RK2zuOpfS4BL99L9Rm8hOW7bdQdkA7ZrrAPh:DWeqovR5zuOpfJnL9f5bOdT7ZXi

Score

10^/10

gh0strat discovery rat

Malware Config

Signatures

Gh0st RAT payload 3 IoCs

resource	yara_rule
behavioral2/files/0x000c000000023b10-4.dat	family_gh0strat
behavioral2/files/0x000e000000023b69-13.dat	family_gh0strat
behavioral2/memory/1328-14-0x0000000000400000-0x000000000043A000-memory.dmp	family_gh0strat

Gh0strat
Gh0st RAT is a remote access tool (RAT) with its source code public and it has been used by multiple Chinese groups.
rat gh0strat
Gh0strat family
gh0strat

Deletes itself 1 IoCs

pid	Process
3256	svchost.exe

Loads dropped DLL 2 IoCs

pid	Process
1328	JaffaCakes118_3f9d6dcc5ecc15be183c3b3f999bd8d8.exe
3256	svchost.exe

Drops file in Program Files directory 2 IoCs

description	ioc	Process
File opened for modification	C:\Program Files (x86)\Ubfe\Hmsacbojb.jpg	JaffaCakes118_3f9d6dcc5ecc15be183c3b3f999bd8d8.exe
File created	C:\Program Files (x86)\Ubfe\Hmsacbojb.jpg	JaffaCakes118_3f9d6dcc5ecc15be183c3b3f999bd8d8.exe

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_3f9d6dcc5ecc15be183c3b3f999bd8d8.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
3256	svchost.exe
3256	svchost.exe
3256	svchost.exe
3256	svchost.exe
3256	svchost.exe
3256	svchost.exe
3256	svchost.exe
3256	svchost.exe
3256	svchost.exe
3256	svchost.exe
3256	svchost.exe
3256	svchost.exe
3256	svchost.exe
3256	svchost.exe
3256	svchost.exe
3256	svchost.exe
3256	svchost.exe
3256	svchost.exe
3256	svchost.exe
3256	svchost.exe
3256	svchost.exe
3256	svchost.exe
3256	svchost.exe
3256	svchost.exe
3256	svchost.exe
3256	svchost.exe
3256	svchost.exe
3256	svchost.exe
3256	svchost.exe
3256	svchost.exe
3256	svchost.exe
3256	svchost.exe
3256	svchost.exe
3256	svchost.exe
3256	svchost.exe
3256	svchost.exe
3256	svchost.exe
3256	svchost.exe
3256	svchost.exe
3256	svchost.exe
3256	svchost.exe
3256	svchost.exe
3256	svchost.exe
3256	svchost.exe
3256	svchost.exe
3256	svchost.exe
3256	svchost.exe
3256	svchost.exe
3256	svchost.exe
3256	svchost.exe
3256	svchost.exe
3256	svchost.exe
3256	svchost.exe
3256	svchost.exe
3256	svchost.exe
3256	svchost.exe
3256	svchost.exe
3256	svchost.exe
3256	svchost.exe
3256	svchost.exe
3256	svchost.exe
3256	svchost.exe
3256	svchost.exe
3256	svchost.exe

Suspicious behavior: LoadsDriver 6 IoCs

pid	Process
4	Process not Found
4	Process not Found
4	Process not Found
4	Process not Found
4	Process not Found
660	Process not Found

Suspicious use of AdjustPrivilegeToken 8 IoCs

description	pid	Process
Token: SeBackupPrivilege	1328	JaffaCakes118_3f9d6dcc5ecc15be183c3b3f999bd8d8.exe
Token: SeRestorePrivilege	1328	JaffaCakes118_3f9d6dcc5ecc15be183c3b3f999bd8d8.exe
Token: SeBackupPrivilege	1328	JaffaCakes118_3f9d6dcc5ecc15be183c3b3f999bd8d8.exe
Token: SeRestorePrivilege	1328	JaffaCakes118_3f9d6dcc5ecc15be183c3b3f999bd8d8.exe
Token: SeBackupPrivilege	1328	JaffaCakes118_3f9d6dcc5ecc15be183c3b3f999bd8d8.exe
Token: SeRestorePrivilege	1328	JaffaCakes118_3f9d6dcc5ecc15be183c3b3f999bd8d8.exe
Token: SeBackupPrivilege	1328	JaffaCakes118_3f9d6dcc5ecc15be183c3b3f999bd8d8.exe
Token: SeRestorePrivilege	1328	JaffaCakes118_3f9d6dcc5ecc15be183c3b3f999bd8d8.exe

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_3f9d6dcc5ecc15be183c3b3f999bd8d8.exe
"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_3f9d6dcc5ecc15be183c3b3f999bd8d8.exe"
1⤵
- Loads dropped DLL
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
PID:1328

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k imgsvc
1⤵
- Deletes itself
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
PID:3256

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\1014300.dll

Filesize
101KB

MD5
92ae02dac610f816fb2de1f992e72916

SHA1
adbfdcd5f9a227df039da2998f24754cfe03c0c7

SHA256
535e1fa0e2a27ba57113908f881cd0baa50b5f38fe9de6ea40fd5bd9b2736f4d

SHA512
506dea9755a720c9ef25cbaa6441cb4bd39f05048ea5b8385df68f8aca7969b1f372ad36c988cae6e4a5b7eb508424464367d0dfe9f78afbb1419d84bf64f15f

Download Submit
\??\c:\NT_Path.jpg

Filesize
99B

MD5
5c61a951276063c4dfcb686e64f4375f

SHA1
b5c083c37a8bc6269c46c2083f2d6bcd10396e50

SHA256
4217ff8e727f5c328106ffaa135f6b52fcf3ea65ca6683bc89e77fc75d320f86

SHA512
636c20221433399e81810f80b5baef6bb5adba6b722418145cde1830a22590fa28bc65bdf8c5e98c6ef56d7df173eb90244764b76067b2ad2dc3dbb2ebe94839

Download Submit
\??\c:\program files (x86)\ubfe\hmsacbojb.jpg

Filesize
5.8MB

MD5
79244d262f0891d75352050166933424

SHA1
807782c78decd0ef224358396ea2b5e19049f289

SHA256
59a2fe91961fe27a7c6e86fec58e2924c42dcf7aa2fc0ae728a7799769833ee6

SHA512
ac693d02d8a346c2087d91626d157de52ae21b91ff16d5492ecf9abdc24d787435637c37f848eea2f16d2a5063e4ed3890c1f6cc29b83bf2723fc80b9d09ca19

Download Submit
memory/1328-0-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/1328-1-0x0000000000480000-0x0000000000481000-memory.dmp

Filesize
4KB

Download
memory/1328-14-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download