gh0strat | 8f7c40cac9366d5c195c56b235f995cbdf284bccc834bd7b0cc8c93398704c90

Analysis

max time kernel
150s
max time network
102s
platform
windows7_x64
resource
win7-20241010-en
resource tags

arch:x64arch:x86image:win7-20241010-enlocale:en-usos:windows7-x64system
submitted
27-01-2025 21:13

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

JaffaCakes118_43bf4ae0cb3e739749d7e0767b703829.exe
Size

38KB
MD5

43bf4ae0cb3e739749d7e0767b703829
SHA1

36a9e6d0cc45c7f80a7e8f1ca6d0ced384a050e2
SHA256

8f7c40cac9366d5c195c56b235f995cbdf284bccc834bd7b0cc8c93398704c90
SHA512

53b510acd94b86100ca4487e69405d67a6de048d5b03239c161430ce4f6c917310b20801f734955c70535f1dd822b359e60387b36879dd3e029c816fbbd36d57
SSDEEP

768:b8mB/VGShQBFKovz7JtHzyGrx/UcWC2//uD/A:TB/IShZqz7JtHzyIx/U9/u/A

Score

10^/10

gh0strat discovery persistence rat

Malware Config

Signatures

Gh0st RAT payload 1 IoCs

resource	yara_rule
behavioral1/files/0x00100000000122f3-1.dat	family_gh0strat

Gh0strat
Gh0st RAT is a remote access tool (RAT) with its source code public and it has been used by multiple Chinese groups.
rat gh0strat
Gh0strat family
gh0strat

Blocklisted process makes network request 2 IoCs

flow	pid	Process
3	832	rundll32.exe
6	832	rundll32.exe

Server Software Component: Terminal Services DLL 1 TTPs 1 IoCs

persistence

Terminal Services DLL

T1505.005

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Runtimee Service 3.0\Parameters\ServiceDll = "C:\\Program Files (x86)\\abc.exe"	JaffaCakes118_43bf4ae0cb3e739749d7e0767b703829.exe

Loads dropped DLL 5 IoCs

pid	Process
2700	svchost.exe
832	rundll32.exe
832	rundll32.exe
832	rundll32.exe
832	rundll32.exe

Drops file in Program Files directory 1 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\abc.exe	JaffaCakes118_43bf4ae0cb3e739749d7e0767b703829.exe

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_43bf4ae0cb3e739749d7e0767b703829.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	rundll32.exe

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
2700	svchost.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	2700	svchost.exe

Suspicious use of WriteProcessMemory 7 IoCs

description	pid	Process	procid_target
PID 2700 wrote to memory of 832	2700	svchost.exe	31
PID 2700 wrote to memory of 832	2700	svchost.exe	31
PID 2700 wrote to memory of 832	2700	svchost.exe	31
PID 2700 wrote to memory of 832	2700	svchost.exe	31
PID 2700 wrote to memory of 832	2700	svchost.exe	31
PID 2700 wrote to memory of 832	2700	svchost.exe	31
PID 2700 wrote to memory of 832	2700	svchost.exe	31

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_43bf4ae0cb3e739749d7e0767b703829.exe
"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_43bf4ae0cb3e739749d7e0767b703829.exe"
1⤵
- Server Software Component: Terminal Services DLL
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
PID:1552

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k netsvcs
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2700
- C:\Windows\SysWOW64\rundll32.exe
  rundll32 "c:\program files (x86)\abc.exe",run Runtimee Service 3.0
  2⤵
  - Blocklisted process makes network request
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  PID:832

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Server Software Component

T1505

Terminal Services DLL

T1505.005

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\??\c:\program files (x86)\abc.exe

Filesize
17.8MB

MD5
b72c9f5d8fa99e8261b41d2c9d0b3668

SHA1
5d3583e7fe2ffe1b1319086ac8510d579084d4cf

SHA256
1d5c9f581cf8247229b7144e1ff00c94fcbf8df80bee77478a700394c7d304c0

SHA512
45be9a228e61075d6022c238bbe5bbd41848dbbf80ab693922aca88aaeb126303ac1bbf1b1a236033cffd610964f25b4b61325e105c911a518149ddfd2316e37

Download Submit