gh0strat | 34d5f715014b52fff5fe0b0bfe5ba7aad7e09d03a180d1e410acb49af3b968eb

Analysis

max time kernel
148s
max time network
153s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
27-01-2025 20:08

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

JaffaCakes118_4341a5d57788fc11c7dd64aa09af9e25.exe
Size

95KB
MD5

4341a5d57788fc11c7dd64aa09af9e25
SHA1

c634766b96a54c7ce75b0d92d81fae0456018685
SHA256

34d5f715014b52fff5fe0b0bfe5ba7aad7e09d03a180d1e410acb49af3b968eb
SHA512

cae7329a0c7da5eb816467538cb4ce9d457bce56eb6acd4eebde2e21a7cd36810556407f651e2e8f0d9e470b7086acf9f919dd982fa0c96840281d7b58ffb064
SSDEEP

1536:L+FusSx9qYMhdFHS8qdydo3nTzhYxJA+CwNUtBZVY9v8prdpP23w:LES4jHS8q/3nTzePCwNUh4E9Tx

Score

10^/10

gh0strat discovery rat

Malware Config

Signatures

Gh0st RAT payload 5 IoCs

resource	yara_rule
behavioral2/files/0x0008000000023cae-14.dat	family_gh0strat
behavioral2/memory/3908-16-0x0000000000400000-0x000000000044E27C-memory.dmp	family_gh0strat
behavioral2/memory/5064-19-0x0000000020000000-0x0000000020027000-memory.dmp	family_gh0strat
behavioral2/memory/3144-24-0x0000000020000000-0x0000000020027000-memory.dmp	family_gh0strat
behavioral2/memory/4720-29-0x0000000020000000-0x0000000020027000-memory.dmp	family_gh0strat

Gh0strat
Gh0st RAT is a remote access tool (RAT) with its source code public and it has been used by multiple Chinese groups.
rat gh0strat
Gh0strat family
gh0strat

Deletes itself 1 IoCs

pid	Process
3908	mhmqjibdvp

Executes dropped EXE 1 IoCs

pid	Process
3908	mhmqjibdvp

Loads dropped DLL 3 IoCs

pid	Process
5064	svchost.exe
3144	svchost.exe
4720	svchost.exe

Drops file in System32 directory 6 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\dovajtjioj	svchost.exe
File opened for modification	C:\Windows\SysWOW64\svchost.exe.txt	svchost.exe
File created	C:\Windows\SysWOW64\dxsosnfnos	svchost.exe
File opened for modification	C:\Windows\SysWOW64\svchost.exe.txt	svchost.exe
File created	C:\Windows\SysWOW64\dghhbqhlbo	svchost.exe
File opened for modification	C:\Windows\SysWOW64\svchost.exe.txt	svchost.exe

Program crash 3 IoCs

pid	pid_target	Process	procid_target
4224	5064	WerFault.exe	83
3912	3144	WerFault.exe	87
3964	4720	WerFault.exe	90

System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_4341a5d57788fc11c7dd64aa09af9e25.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mhmqjibdvp

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
3908	mhmqjibdvp
3908	mhmqjibdvp

Suspicious use of AdjustPrivilegeToken 46 IoCs

description	pid	Process
Token: SeRestorePrivilege	3908	mhmqjibdvp
Token: SeBackupPrivilege	3908	mhmqjibdvp
Token: SeBackupPrivilege	3908	mhmqjibdvp
Token: SeRestorePrivilege	3908	mhmqjibdvp
Token: SeBackupPrivilege	5064	svchost.exe
Token: SeRestorePrivilege	5064	svchost.exe
Token: SeBackupPrivilege	5064	svchost.exe
Token: SeBackupPrivilege	5064	svchost.exe
Token: SeSecurityPrivilege	5064	svchost.exe
Token: SeSecurityPrivilege	5064	svchost.exe
Token: SeBackupPrivilege	5064	svchost.exe
Token: SeBackupPrivilege	5064	svchost.exe
Token: SeSecurityPrivilege	5064	svchost.exe
Token: SeBackupPrivilege	5064	svchost.exe
Token: SeBackupPrivilege	5064	svchost.exe
Token: SeSecurityPrivilege	5064	svchost.exe
Token: SeBackupPrivilege	5064	svchost.exe
Token: SeRestorePrivilege	5064	svchost.exe
Token: SeBackupPrivilege	3144	svchost.exe
Token: SeRestorePrivilege	3144	svchost.exe
Token: SeBackupPrivilege	3144	svchost.exe
Token: SeBackupPrivilege	3144	svchost.exe
Token: SeSecurityPrivilege	3144	svchost.exe
Token: SeSecurityPrivilege	3144	svchost.exe
Token: SeBackupPrivilege	3144	svchost.exe
Token: SeBackupPrivilege	3144	svchost.exe
Token: SeSecurityPrivilege	3144	svchost.exe
Token: SeBackupPrivilege	3144	svchost.exe
Token: SeBackupPrivilege	3144	svchost.exe
Token: SeSecurityPrivilege	3144	svchost.exe
Token: SeBackupPrivilege	3144	svchost.exe
Token: SeRestorePrivilege	3144	svchost.exe
Token: SeBackupPrivilege	4720	svchost.exe
Token: SeRestorePrivilege	4720	svchost.exe
Token: SeBackupPrivilege	4720	svchost.exe
Token: SeBackupPrivilege	4720	svchost.exe
Token: SeSecurityPrivilege	4720	svchost.exe
Token: SeSecurityPrivilege	4720	svchost.exe
Token: SeBackupPrivilege	4720	svchost.exe
Token: SeBackupPrivilege	4720	svchost.exe
Token: SeSecurityPrivilege	4720	svchost.exe
Token: SeBackupPrivilege	4720	svchost.exe
Token: SeBackupPrivilege	4720	svchost.exe
Token: SeSecurityPrivilege	4720	svchost.exe
Token: SeBackupPrivilege	4720	svchost.exe
Token: SeRestorePrivilege	4720	svchost.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 4816 wrote to memory of 3908	4816	JaffaCakes118_4341a5d57788fc11c7dd64aa09af9e25.exe	82
PID 4816 wrote to memory of 3908	4816	JaffaCakes118_4341a5d57788fc11c7dd64aa09af9e25.exe	82
PID 4816 wrote to memory of 3908	4816	JaffaCakes118_4341a5d57788fc11c7dd64aa09af9e25.exe	82

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_4341a5d57788fc11c7dd64aa09af9e25.exe
"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_4341a5d57788fc11c7dd64aa09af9e25.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4816
- \??\c:\users\admin\appdata\local\mhmqjibdvp
  "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_4341a5d57788fc11c7dd64aa09af9e25.exe" a -sc:\users\admin\appdata\local\temp\jaffacakes118_4341a5d57788fc11c7dd64aa09af9e25.exe
  2⤵
  - Deletes itself
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:3908

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k netsvcs -s fastuserswitchingcompatibility
1⤵
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
PID:5064
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 5064 -s 1108
  2⤵
  - Program crash
  PID:4224

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 432 -p 5064 -ip 5064
1⤵
PID:4068

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k netsvcs -s fastuserswitchingcompatibility
1⤵
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
PID:3144
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 3144 -s 1104
  2⤵
  - Program crash
  PID:3912

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 532 -p 3144 -ip 3144
1⤵
PID:5048

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k netsvcs -s fastuserswitchingcompatibility
1⤵
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
PID:4720
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 4720 -s 812
  2⤵
  - Program crash
  PID:3964

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 528 -p 4720 -ip 4720
1⤵
PID:4772

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\svchost.exe.txt

Filesize
204B

MD5
716e7459d41507afeecb6790b474d4dc

SHA1
48fe3e2df1f3b90c10f23211e97a9f1af1bbb73c

SHA256
e3973bd2e0ec725eacc5346294f570f9b85690073081e9c043eacc80bb7dcde2

SHA512
2e3fed811d87a1ca921bf309f60ea83220369adcc6b13e6da20fc05164304841d8b39992577f48e7f951319343ffcc9714a90092f4849edf3b8c4c077641f6c7

Download Submit
\??\c:\programdata\application data\storm\update\%sessionname%\xnxlk.cc3

Filesize
21.0MB

MD5
cd00835e2c729563411fa7f362e1edb1

SHA1
4e7d6552db1aece9a7241005ddd1411f024c1e21

SHA256
aa76ff60660a5eaa1c7146d021ccc9ca65eb3b61df5b4780d58662fa4ac2a1ed

SHA512
5514176e7ccac5b4c28a759d341da089091d5b8cd7dd66c362c8b6d6faf4c3b9cd0835b8309f1fa9ef06428eb6123e07f082913c5cbe4f9d369535fd7ef612aa

Download Submit
\??\c:\users\admin\appdata\local\mhmqjibdvp

Filesize
22.0MB

MD5
dffb622bf13cb30c7236b751e0381a7e

SHA1
f8896dc92ed2d289545bae9ecbef7ba0b87d35d2

SHA256
f6d4487900be58b0d0ebdd2927338bb417c9bf863b6f721bf339c8999270a052

SHA512
2f37727b3ffd4a11b32f33ca92679d86eed3c93cdd7e7197398b4ba7c9c97d0d5250f95c5af0ce22988281ab46748f3d496431b911fd861faf1d2a41826b337b

Download Submit
memory/3144-24-0x0000000020000000-0x0000000020027000-memory.dmp

Filesize
156KB

Download
memory/3144-21-0x0000000001ED0000-0x0000000001ED1000-memory.dmp

Filesize
4KB

Download
memory/3908-9-0x0000000000400000-0x000000000044E27C-memory.dmp

Filesize
312KB

Download
memory/3908-16-0x0000000000400000-0x000000000044E27C-memory.dmp

Filesize
312KB

Download
memory/3908-11-0x00000000001D0000-0x00000000001D1000-memory.dmp

Filesize
4KB

Download
memory/4720-26-0x00000000021A0000-0x00000000021A1000-memory.dmp

Filesize
4KB

Download
memory/4720-29-0x0000000020000000-0x0000000020027000-memory.dmp

Filesize
156KB

Download
memory/4816-7-0x0000000000400000-0x000000000044E27C-memory.dmp

Filesize
312KB

Download
memory/4816-0-0x0000000000400000-0x000000000044E27C-memory.dmp

Filesize
312KB

Download
memory/4816-2-0x00000000001D0000-0x00000000001D1000-memory.dmp

Filesize
4KB

Download
memory/5064-17-0x00000000013D0000-0x00000000013D1000-memory.dmp

Filesize
4KB

Download
memory/5064-19-0x0000000020000000-0x0000000020027000-memory.dmp

Filesize
156KB

Download