gh0strat | 41b37b95dae9f283f6e9cb9cecd3f02389445666a81c658f0b9ed8588e32ba29

Analysis

max time kernel
148s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
28-01-2025 00:37

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

JaffaCakes118_451d6cde30a0963f38d16117aba86394.exe
Size

98KB
MD5

451d6cde30a0963f38d16117aba86394
SHA1

a744be3accd0ecc894e6a742ee0b7198e6648250
SHA256

41b37b95dae9f283f6e9cb9cecd3f02389445666a81c658f0b9ed8588e32ba29
SHA512

795bff70c205c0b9ad1e52b589f17de529dcf6cbe300bd0e81364f0dfcfd5800e055ad7fe8cf61cf9a4d494592eaef16879252c6250eecc878a1035cb4df3387
SSDEEP

1536:QYFusSx9qYMhdFHS8qdydo3nTzhYxJA+CwNUtBZVY9v8prZP9mTVtZuga:QKS4jHS8q/3nTzePCwNUh4E9OZK

Score

10^/10

gh0strat discovery rat

Malware Config

Signatures

Gh0st RAT payload 5 IoCs

resource	yara_rule
behavioral2/files/0x000b000000023b8a-15.dat	family_gh0strat
behavioral2/memory/3600-17-0x0000000000400000-0x000000000044E384-memory.dmp	family_gh0strat
behavioral2/memory/3128-20-0x0000000020000000-0x0000000020027000-memory.dmp	family_gh0strat
behavioral2/memory/2168-25-0x0000000020000000-0x0000000020027000-memory.dmp	family_gh0strat
behavioral2/memory/3888-30-0x0000000020000000-0x0000000020027000-memory.dmp	family_gh0strat

Gh0strat
Gh0st RAT is a remote access tool (RAT) with its source code public and it has been used by multiple Chinese groups.
rat gh0strat
Gh0strat family
gh0strat

Deletes itself 1 IoCs

pid	Process
3600	lmiglihfrk

Executes dropped EXE 1 IoCs

pid	Process
3600	lmiglihfrk

Loads dropped DLL 3 IoCs

pid	Process
3128	svchost.exe
2168	svchost.exe
3888	svchost.exe

Drops file in System32 directory 6 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\svchost.exe.txt	svchost.exe
File created	C:\Windows\SysWOW64\buwuffiegw	svchost.exe
File opened for modification	C:\Windows\SysWOW64\svchost.exe.txt	svchost.exe
File created	C:\Windows\SysWOW64\blicwcggtb	svchost.exe
File opened for modification	C:\Windows\SysWOW64\svchost.exe.txt	svchost.exe
File created	C:\Windows\SysWOW64\buwuffiegw	svchost.exe

Program crash 3 IoCs

pid	pid_target	Process	procid_target
1084	3128	WerFault.exe	84
1436	2168	WerFault.exe	89
3356	3888	WerFault.exe	93

System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_451d6cde30a0963f38d16117aba86394.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	lmiglihfrk
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
3600	lmiglihfrk
3600	lmiglihfrk

Suspicious use of AdjustPrivilegeToken 46 IoCs

description	pid	Process
Token: SeRestorePrivilege	3600	lmiglihfrk
Token: SeBackupPrivilege	3600	lmiglihfrk
Token: SeBackupPrivilege	3600	lmiglihfrk
Token: SeRestorePrivilege	3600	lmiglihfrk
Token: SeBackupPrivilege	3128	svchost.exe
Token: SeRestorePrivilege	3128	svchost.exe
Token: SeBackupPrivilege	3128	svchost.exe
Token: SeBackupPrivilege	3128	svchost.exe
Token: SeSecurityPrivilege	3128	svchost.exe
Token: SeSecurityPrivilege	3128	svchost.exe
Token: SeBackupPrivilege	3128	svchost.exe
Token: SeBackupPrivilege	3128	svchost.exe
Token: SeSecurityPrivilege	3128	svchost.exe
Token: SeBackupPrivilege	3128	svchost.exe
Token: SeBackupPrivilege	3128	svchost.exe
Token: SeSecurityPrivilege	3128	svchost.exe
Token: SeBackupPrivilege	3128	svchost.exe
Token: SeRestorePrivilege	3128	svchost.exe
Token: SeBackupPrivilege	2168	svchost.exe
Token: SeRestorePrivilege	2168	svchost.exe
Token: SeBackupPrivilege	2168	svchost.exe
Token: SeBackupPrivilege	2168	svchost.exe
Token: SeSecurityPrivilege	2168	svchost.exe
Token: SeSecurityPrivilege	2168	svchost.exe
Token: SeBackupPrivilege	2168	svchost.exe
Token: SeBackupPrivilege	2168	svchost.exe
Token: SeSecurityPrivilege	2168	svchost.exe
Token: SeBackupPrivilege	2168	svchost.exe
Token: SeBackupPrivilege	2168	svchost.exe
Token: SeSecurityPrivilege	2168	svchost.exe
Token: SeBackupPrivilege	2168	svchost.exe
Token: SeRestorePrivilege	2168	svchost.exe
Token: SeBackupPrivilege	3888	svchost.exe
Token: SeRestorePrivilege	3888	svchost.exe
Token: SeBackupPrivilege	3888	svchost.exe
Token: SeBackupPrivilege	3888	svchost.exe
Token: SeSecurityPrivilege	3888	svchost.exe
Token: SeSecurityPrivilege	3888	svchost.exe
Token: SeBackupPrivilege	3888	svchost.exe
Token: SeBackupPrivilege	3888	svchost.exe
Token: SeSecurityPrivilege	3888	svchost.exe
Token: SeBackupPrivilege	3888	svchost.exe
Token: SeBackupPrivilege	3888	svchost.exe
Token: SeSecurityPrivilege	3888	svchost.exe
Token: SeBackupPrivilege	3888	svchost.exe
Token: SeRestorePrivilege	3888	svchost.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 2908 wrote to memory of 3600	2908	JaffaCakes118_451d6cde30a0963f38d16117aba86394.exe	83
PID 2908 wrote to memory of 3600	2908	JaffaCakes118_451d6cde30a0963f38d16117aba86394.exe	83
PID 2908 wrote to memory of 3600	2908	JaffaCakes118_451d6cde30a0963f38d16117aba86394.exe	83

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_451d6cde30a0963f38d16117aba86394.exe
"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_451d6cde30a0963f38d16117aba86394.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2908
- \??\c:\users\admin\appdata\local\lmiglihfrk
  "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_451d6cde30a0963f38d16117aba86394.exe" a -sc:\users\admin\appdata\local\temp\jaffacakes118_451d6cde30a0963f38d16117aba86394.exe
  2⤵
  - Deletes itself
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:3600

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k netsvcs -s fastuserswitchingcompatibility
1⤵
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
PID:3128
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 3128 -s 1068
  2⤵
  - Program crash
  PID:1084

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 456 -p 3128 -ip 3128
1⤵
PID:1188

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k netsvcs -s fastuserswitchingcompatibility
1⤵
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
PID:2168
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 2168 -s 924
  2⤵
  - Program crash
  PID:1436

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 432 -p 2168 -ip 2168
1⤵
PID:1548

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k netsvcs -s fastuserswitchingcompatibility
1⤵
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
PID:3888
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 3888 -s 1076
  2⤵
  - Program crash
  PID:3356

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 532 -p 3888 -ip 3888
1⤵
PID:3272

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\svchost.exe.txt

Filesize
202B

MD5
a8fb9728e69bfde329c0bab7613073bd

SHA1
3db05917b07165779b6837e2f0e76cf9b3aaef1a

SHA256
a154c32b6f93c3f4db43ce8b427bdd32223f021488038d20b1c1817df128c6d7

SHA512
8bca044c2976b8b9988d4586078507dff38db97fdd2a658b24933f4cfb15e9d312dcdea9b9ecaee9ca888b3de380c75284902806bafbffa5f4898a367a13e382

Download Submit
C:\Windows\SysWOW64\svchost.exe.txt

Filesize
303B

MD5
57cccae9cdb9b11e32128a9764cbf912

SHA1
f1d09bcf449a527d3cd74e62b79a3560ac62a21e

SHA256
a2e20bb67b6f5f5203eb19d8a2eb619dbe7aeb98b241aad226074e8b8bb2cd8f

SHA512
79c04809309cf3c132cbb7ba80241b4abd81ef444a3fe22eab469b5f6b64d425f8aacbbd79a74ce10402eeaa1e3ce587aee9edeeabcb774016e4353c55e1d282

Download Submit
\??\c:\programdata\application data\storm\update\%sessionname%\iwohf.cc3

Filesize
23.0MB

MD5
3477fed5c5a74e381032bd1793cdf47e

SHA1
0952660ef262049c576a37bbdb71d2bbbb0ac05c

SHA256
ffdfab046d0308015ce45eaafa040f30243a844ffa986e3d46a138033d11414a

SHA512
794e8984b9f9fcef5407dfb59d22b4c446a6f963873e7d02f80b0516c7f3ed6a384fd7dd2904dd2b50eefb5e4e94cf21e99b07aa7246023579338a03a36aa034

Download Submit
\??\c:\users\admin\appdata\local\lmiglihfrk

Filesize
23.7MB

MD5
f1864b4fb48737c9e00f333f26d12963

SHA1
691470b01d1adae5b550a283d673caeeea22fd9a

SHA256
8690008b8c41c8544bc713c7321cff5136906296c517d46805800caec2174349

SHA512
43f89974a99a4af0f0c2d8d810c2b9fc4a5de652df0810506937493d9fa6b220db99b01e5921f16848aab037176b56fc7d069f2f95b525dac415a56d4547cef2

Download Submit
memory/2168-22-0x0000000001FA0000-0x0000000001FA1000-memory.dmp

Filesize
4KB

Download
memory/2168-25-0x0000000020000000-0x0000000020027000-memory.dmp

Filesize
156KB

Download
memory/2908-2-0x00000000001D0000-0x00000000001D1000-memory.dmp

Filesize
4KB

Download
memory/2908-12-0x0000000000400000-0x000000000044E384-memory.dmp

Filesize
312KB

Download
memory/2908-0-0x0000000000400000-0x000000000044E384-memory.dmp

Filesize
312KB

Download
memory/3128-18-0x0000000001DA0000-0x0000000001DA1000-memory.dmp

Filesize
4KB

Download
memory/3128-20-0x0000000020000000-0x0000000020027000-memory.dmp

Filesize
156KB

Download
memory/3600-17-0x0000000000400000-0x000000000044E384-memory.dmp

Filesize
312KB

Download
memory/3600-7-0x0000000000400000-0x000000000044E384-memory.dmp

Filesize
312KB

Download
memory/3600-10-0x00000000001D0000-0x00000000001D1000-memory.dmp

Filesize
4KB

Download
memory/3888-27-0x0000000001BF0000-0x0000000001BF1000-memory.dmp

Filesize
4KB

Download
memory/3888-30-0x0000000020000000-0x0000000020027000-memory.dmp

Filesize
156KB

Download