gh0strat | 69331281556a9da8b0612655a4570935a3239d7bd6943fd5f8e7753fca4d567a

Analysis

max time kernel
144s
max time network
128s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
28-01-2025 01:24

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

JaffaCakes118_4572a395f849eece93bdd2c5071cd717.exe
Size

1.4MB
MD5

4572a395f849eece93bdd2c5071cd717
SHA1

3e0ea31860f37e744e5b5f45ac98fd8c5eb6f36a
SHA256

69331281556a9da8b0612655a4570935a3239d7bd6943fd5f8e7753fca4d567a
SHA512

4bbc56692b04dbeb54809b582ad0d430901fc7a1d41c32108e392b1172a2f55b79a08074fe15007bbdc4577e8a5b8853b1867e270911cc28892144e7053c66a8
SSDEEP

24576:IpQI7mFPNpDTKGGc//////RTrAR+CEJpk2XUFl+TDWhYeqow8ZWR6eMvDR1IBf/A:IH67Ec//////RTEA8dr+Tqrbw8ZtDsN4

Score

10^/10

gh0strat bootkit discovery persistence rat

Malware Config

Signatures

Gh0st RAT payload 2 IoCs

resource	yara_rule
behavioral1/files/0x0008000000016d0b-76.dat	family_gh0strat
behavioral1/memory/2340-103-0x0000000020000000-0x0000000020027000-memory.dmp	family_gh0strat

Gh0strat
Gh0st RAT is a remote access tool (RAT) with its source code public and it has been used by multiple Chinese groups.
rat gh0strat
Gh0strat family
gh0strat

Executes dropped EXE 3 IoCs

pid	Process
2240	alg.exe
2524	SRAT.exe
2776	isellekcfu

Loads dropped DLL 7 IoCs

pid	Process
2692	cmd.exe
2420	cmd.exe
2420	cmd.exe
2692	cmd.exe
2240	alg.exe
2240	alg.exe
2340	svchost.exe

Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs

Bootkits write to the MBR to gain persistence at a level below the operating system.

bootkit persistence

Bootkit

T1542.003

description	ioc	Process
File opened for modification	\??\PhysicalDrive0	svchost.exe

Drops file in System32 directory 1 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\ojmplutxvs	svchost.exe

System Location Discovery: System Language Discovery 1 TTPs 7 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	SRAT.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	isellekcfu
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_4572a395f849eece93bdd2c5071cd717.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	alg.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	svchost.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	svchost.exe

Modifies data under HKEY_USERS 6 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\ActiveMovie\devenum	svchost.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\ActiveMovie\devenum\Version = "7"	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\ActiveMovie	svchost.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
2776	isellekcfu
2340	svchost.exe
2340	svchost.exe
2340	svchost.exe

Suspicious use of AdjustPrivilegeToken 18 IoCs

description	pid	Process
Token: SeRestorePrivilege	2776	isellekcfu
Token: SeBackupPrivilege	2776	isellekcfu
Token: SeBackupPrivilege	2776	isellekcfu
Token: SeRestorePrivilege	2776	isellekcfu
Token: SeBackupPrivilege	2340	svchost.exe
Token: SeBackupPrivilege	2340	svchost.exe
Token: SeRestorePrivilege	2340	svchost.exe
Token: SeBackupPrivilege	2340	svchost.exe
Token: SeSecurityPrivilege	2340	svchost.exe
Token: SeSecurityPrivilege	2340	svchost.exe
Token: SeBackupPrivilege	2340	svchost.exe
Token: SeBackupPrivilege	2340	svchost.exe
Token: SeSecurityPrivilege	2340	svchost.exe
Token: SeBackupPrivilege	2340	svchost.exe
Token: SeBackupPrivilege	2340	svchost.exe
Token: SeSecurityPrivilege	2340	svchost.exe
Token: SeBackupPrivilege	2340	svchost.exe
Token: SeRestorePrivilege	2340	svchost.exe

Suspicious use of FindShellTrayWindow 7 IoCs

pid	Process
2524	SRAT.exe
2524	SRAT.exe
2524	SRAT.exe
2524	SRAT.exe
2524	SRAT.exe
2524	SRAT.exe
2524	SRAT.exe

Suspicious use of SendNotifyMessage 7 IoCs

pid	Process
2524	SRAT.exe
2524	SRAT.exe
2524	SRAT.exe
2524	SRAT.exe
2524	SRAT.exe
2524	SRAT.exe
2524	SRAT.exe

Suspicious use of WriteProcessMemory 20 IoCs

description	pid	Process	procid_target
PID 1936 wrote to memory of 2692	1936	JaffaCakes118_4572a395f849eece93bdd2c5071cd717.exe	30
PID 1936 wrote to memory of 2692	1936	JaffaCakes118_4572a395f849eece93bdd2c5071cd717.exe	30
PID 1936 wrote to memory of 2692	1936	JaffaCakes118_4572a395f849eece93bdd2c5071cd717.exe	30
PID 1936 wrote to memory of 2692	1936	JaffaCakes118_4572a395f849eece93bdd2c5071cd717.exe	30
PID 1936 wrote to memory of 2420	1936	JaffaCakes118_4572a395f849eece93bdd2c5071cd717.exe	31
PID 1936 wrote to memory of 2420	1936	JaffaCakes118_4572a395f849eece93bdd2c5071cd717.exe	31
PID 1936 wrote to memory of 2420	1936	JaffaCakes118_4572a395f849eece93bdd2c5071cd717.exe	31
PID 1936 wrote to memory of 2420	1936	JaffaCakes118_4572a395f849eece93bdd2c5071cd717.exe	31
PID 2420 wrote to memory of 2240	2420	cmd.exe	35
PID 2420 wrote to memory of 2240	2420	cmd.exe	35
PID 2420 wrote to memory of 2240	2420	cmd.exe	35
PID 2420 wrote to memory of 2240	2420	cmd.exe	35
PID 2692 wrote to memory of 2524	2692	cmd.exe	34
PID 2692 wrote to memory of 2524	2692	cmd.exe	34
PID 2692 wrote to memory of 2524	2692	cmd.exe	34
PID 2692 wrote to memory of 2524	2692	cmd.exe	34
PID 2240 wrote to memory of 2776	2240	alg.exe	36
PID 2240 wrote to memory of 2776	2240	alg.exe	36
PID 2240 wrote to memory of 2776	2240	alg.exe	36
PID 2240 wrote to memory of 2776	2240	alg.exe	36

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_4572a395f849eece93bdd2c5071cd717.exe
"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_4572a395f849eece93bdd2c5071cd717.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1936
- C:\Windows\SysWOW64\cmd.exe
  cmd /c "C:\Users\Admin\AppData\Local\Temp\SRAT.exe"
  2⤵
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2692
- - C:\Users\Admin\AppData\Local\Temp\SRAT.exe
    C:\Users\Admin\AppData\Local\Temp\SRAT.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    PID:2524
- C:\Windows\SysWOW64\cmd.exe
  cmd /c "C:\Users\Admin\AppData\Local\Temp\alg.exe"
  2⤵
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2420
- - C:\Users\Admin\AppData\Local\Temp\alg.exe
    C:\Users\Admin\AppData\Local\Temp\alg.exe
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2240
  - - \??\c:\users\admin\appdata\local\isellekcfu
      C:\Users\Admin\AppData\Local\Temp\alg.exe a -sc:\users\admin\appdata\local\temp\alg.exe
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:2776

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k netsvcs
1⤵
- Loads dropped DLL
- Writes to the Master Boot Record (MBR)
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Checks processor information in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2340

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Pre-OS Boot

T1542

Bootkit

T1542.003

Privilege Escalation

Defense Evasion

Pre-OS Boot

T1542

Bootkit

T1542.003

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\Setting.ini

Filesize
24B

MD5
492895398b228836f7c2c07040204c54

SHA1
8a15c9b02004f8f6dc743a53662195ff412ca60e

SHA256
f9e2b9858b78338c6a8e4fc98938807999c8d129f9f77324019372cd73ba9df0

SHA512
669372adef804ee4260e676b3ae76f5e573f7079f3cf36bb841b26abf4963d0b060c79df98f3722c7d2ec585fa0cb3e6f0feeff4bbf4bd622759c1fb63584ccc

Download Submit
C:\Users\Admin\AppData\Local\Temp\alg.exe

Filesize
196KB

MD5
2f74f888d3305020b1786b606346848f

SHA1
352549b244057ec31e0295d180b76935704d61eb

SHA256
d79679f87d6ac990d5b3f276ba6edc9f30f15c52dccf5c1f3e63de8889d4ee77

SHA512
1a18344bbe1d0c962b0cfb7a1559b30cc6fc5e5818fb8e8c84dc76048d6947a29e1696c7d6c35f0bc5a70f43722b87d7204901e96b5b636504851bf7e5cfc9c6

Download Submit
\??\c:\programdata\application data\storm\update\%sessionname%\hccek.cc3

Filesize
20.1MB

MD5
e4b1ea927f346000d3efcd6a339f9824

SHA1
17db6216f9bf58460162eb04adb365d54a3bf285

SHA256
e7f8ca25cd05f7d4c6a9c0108ad60e776d74b2e3d3c69baed472d7d32dac7f7b

SHA512
845f20c001d87f8b97e61b5ee52e3f7ea0bbd5c56553223b356bd3dadd4b013c9b93e01c09e4a3dde9f46e27738c872d3753f6ced0bb3a1995f29bd14ef63032

Download Submit
\Users\Admin\AppData\Local\Temp\SRAT.exe

Filesize
814KB

MD5
9a62b1378200e4a8cc45025c89be17c0

SHA1
9891eadf9507d4e47b5e76cd9073743e0d06a76e

SHA256
3ce7cf1e6af93d9c82365a7f8c475c5e0484c128f1e09b33ceb716ee3ddcc1f5

SHA512
c784679063d24dc0a79ab6882ad009fd23f4fb9e36bdb429fd8a2fbd76a4a4e9ce7ab4f06267d8e1cba7f326ce406595f9ada479cc500382cb6f93ae3a9e87ba

Download Submit
\Users\Admin\AppData\Local\isellekcfu

Filesize
19.5MB

MD5
3855ab37a46b4826770910a40ea8c9fe

SHA1
037ad1a712e7916ee2b8582bb4026b65b5706a6f

SHA256
aae41330367948708c67fca361c0e9597a4902d59bbdc0dfa3193278bd814ae6

SHA512
ecd7cba27ddca0a75b711e9901e76b33154fe0275c7fd30be7027690d9590b5daadae87307fc9cebfc7d937659224803457f212dba411e21e4bcaa93ef716c17

Download Submit
memory/1936-3-0x0000000000220000-0x0000000000221000-memory.dmp

Filesize
4KB

Download
memory/1936-2-0x0000000000400000-0x0000000000569000-memory.dmp

Filesize
1.4MB

Download
memory/2340-103-0x0000000020000000-0x0000000020027000-memory.dmp

Filesize
156KB

Download
memory/2340-79-0x0000000000200000-0x0000000000201000-memory.dmp

Filesize
4KB

Download
memory/2524-40-0x0000000002080000-0x0000000002081000-memory.dmp

Filesize
4KB

Download
memory/2524-36-0x0000000000A30000-0x0000000000A31000-memory.dmp

Filesize
4KB

Download
memory/2524-19-0x0000000000380000-0x0000000000381000-memory.dmp

Filesize
4KB

Download
memory/2524-18-0x00000000003A0000-0x00000000003A1000-memory.dmp

Filesize
4KB

Download
memory/2524-17-0x00000000003B0000-0x00000000003B1000-memory.dmp

Filesize
4KB

Download
memory/2524-16-0x0000000000300000-0x0000000000301000-memory.dmp

Filesize
4KB

Download
memory/2524-33-0x0000000003210000-0x0000000003211000-memory.dmp

Filesize
4KB

Download
memory/2524-56-0x0000000003210000-0x0000000003211000-memory.dmp

Filesize
4KB

Download
memory/2524-55-0x00000000007C0000-0x00000000007C1000-memory.dmp

Filesize
4KB

Download
memory/2524-54-0x0000000003220000-0x0000000003221000-memory.dmp

Filesize
4KB

Download
memory/2524-53-0x00000000007F0000-0x00000000007F1000-memory.dmp

Filesize
4KB

Download
memory/2524-52-0x0000000003210000-0x0000000003211000-memory.dmp

Filesize
4KB

Download
memory/2524-51-0x0000000003220000-0x0000000003221000-memory.dmp

Filesize
4KB

Download
memory/2524-50-0x0000000003220000-0x0000000003221000-memory.dmp

Filesize
4KB

Download
memory/2524-49-0x0000000003220000-0x0000000003221000-memory.dmp

Filesize
4KB

Download
memory/2524-48-0x0000000003220000-0x0000000003221000-memory.dmp

Filesize
4KB

Download
memory/2524-47-0x0000000003220000-0x0000000003221000-memory.dmp

Filesize
4KB

Download
memory/2524-46-0x0000000002090000-0x0000000002091000-memory.dmp

Filesize
4KB

Download
memory/2524-45-0x0000000003220000-0x0000000003221000-memory.dmp

Filesize
4KB

Download
memory/2524-44-0x0000000000A60000-0x0000000000A61000-memory.dmp

Filesize
4KB

Download
memory/2524-43-0x0000000000A50000-0x0000000000A51000-memory.dmp

Filesize
4KB

Download
memory/2524-42-0x00000000020A0000-0x00000000020A1000-memory.dmp

Filesize
4KB

Download
memory/2524-41-0x00000000020C0000-0x00000000020C1000-memory.dmp

Filesize
4KB

Download
memory/2524-21-0x00000000003C0000-0x00000000003C1000-memory.dmp

Filesize
4KB

Download
memory/2524-39-0x0000000003210000-0x0000000003211000-memory.dmp

Filesize
4KB

Download
memory/2524-38-0x00000000003F0000-0x00000000003F1000-memory.dmp

Filesize
4KB

Download
memory/2524-37-0x00000000007E0000-0x00000000007E1000-memory.dmp

Filesize
4KB

Download
memory/2524-20-0x00000000002D0000-0x00000000002D1000-memory.dmp

Filesize
4KB

Download
memory/2524-35-0x0000000000800000-0x0000000000801000-memory.dmp

Filesize
4KB

Download
memory/2524-34-0x0000000000A20000-0x0000000000A21000-memory.dmp

Filesize
4KB

Download
memory/2524-32-0x0000000003220000-0x0000000003221000-memory.dmp

Filesize
4KB

Download
memory/2524-31-0x0000000003220000-0x0000000003221000-memory.dmp

Filesize
4KB

Download
memory/2524-30-0x0000000003220000-0x0000000003221000-memory.dmp

Filesize
4KB

Download
memory/2524-29-0x0000000003220000-0x0000000003221000-memory.dmp

Filesize
4KB

Download
memory/2524-28-0x0000000003220000-0x0000000003221000-memory.dmp

Filesize
4KB

Download
memory/2524-27-0x0000000003220000-0x0000000003221000-memory.dmp

Filesize
4KB

Download
memory/2524-26-0x0000000003220000-0x0000000003221000-memory.dmp

Filesize
4KB

Download
memory/2524-25-0x0000000003220000-0x0000000003221000-memory.dmp

Filesize
4KB

Download
memory/2524-24-0x0000000000310000-0x0000000000311000-memory.dmp

Filesize
4KB

Download
memory/2524-62-0x0000000003230000-0x0000000003231000-memory.dmp

Filesize
4KB

Download
memory/2524-61-0x0000000003240000-0x0000000003241000-memory.dmp

Filesize
4KB

Download
memory/2524-60-0x00000000002C0000-0x00000000002C1000-memory.dmp

Filesize
4KB

Download
memory/2524-59-0x00000000002A0000-0x00000000002A1000-memory.dmp

Filesize
4KB

Download
memory/2524-58-0x0000000003220000-0x0000000003221000-memory.dmp

Filesize
4KB

Download
memory/2524-57-0x0000000003210000-0x0000000003212000-memory.dmp

Filesize
8KB

Download
memory/2524-72-0x0000000000400000-0x0000000000615000-memory.dmp

Filesize
2.1MB

Download
memory/2524-73-0x0000000000320000-0x000000000037A000-memory.dmp

Filesize
360KB

Download
memory/2524-22-0x00000000002E0000-0x00000000002E1000-memory.dmp

Filesize
4KB

Download
memory/2524-78-0x0000000003210000-0x0000000003211000-memory.dmp

Filesize
4KB

Download
memory/2524-23-0x0000000003220000-0x0000000003221000-memory.dmp

Filesize
4KB

Download
memory/2524-15-0x0000000000320000-0x000000000037A000-memory.dmp

Filesize
360KB

Download
memory/2524-102-0x0000000000400000-0x0000000000615000-memory.dmp

Filesize
2.1MB

Download
memory/2524-14-0x0000000000400000-0x0000000000615000-memory.dmp

Filesize
2.1MB

Download
memory/2692-12-0x0000000002400000-0x0000000002615000-memory.dmp

Filesize
2.1MB

Download
memory/2692-10-0x0000000002400000-0x0000000002615000-memory.dmp

Filesize
2.1MB

Download