gh0strat | 69331281556a9da8b0612655a4570935a3239d7bd6943fd5f8e7753fca4d567a

Analysis

max time kernel
149s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
28/01/2025, 01:24

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

JaffaCakes118_4572a395f849eece93bdd2c5071cd717.exe
Size

1.4MB
MD5

4572a395f849eece93bdd2c5071cd717
SHA1

3e0ea31860f37e744e5b5f45ac98fd8c5eb6f36a
SHA256

69331281556a9da8b0612655a4570935a3239d7bd6943fd5f8e7753fca4d567a
SHA512

4bbc56692b04dbeb54809b582ad0d430901fc7a1d41c32108e392b1172a2f55b79a08074fe15007bbdc4577e8a5b8853b1867e270911cc28892144e7053c66a8
SSDEEP

24576:IpQI7mFPNpDTKGGc//////RTrAR+CEJpk2XUFl+TDWhYeqow8ZWR6eMvDR1IBf/A:IH67Ec//////RTEA8dr+Tqrbw8ZtDsN4

Score

10^/10

gh0strat discovery rat

Malware Config

Signatures

Gh0st RAT payload 4 IoCs

resource	yara_rule
behavioral2/files/0x000b000000023b83-69.dat	family_gh0strat
behavioral2/memory/3368-79-0x0000000020000000-0x0000000020027000-memory.dmp	family_gh0strat
behavioral2/memory/4256-84-0x0000000020000000-0x0000000020027000-memory.dmp	family_gh0strat
behavioral2/memory/1936-90-0x0000000020000000-0x0000000020027000-memory.dmp	family_gh0strat

Gh0strat
Gh0st RAT is a remote access tool (RAT) with its source code public and it has been used by multiple Chinese groups.
rat gh0strat
Gh0strat family
gh0strat

Executes dropped EXE 3 IoCs

pid	Process
2760	SRAT.exe
184	alg.exe
1612	jiwmqjugqm

Loads dropped DLL 3 IoCs

pid	Process
3368	svchost.exe
4256	svchost.exe
1936	svchost.exe

Drops file in System32 directory 6 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\ybfgaisonl	svchost.exe
File opened for modification	C:\Windows\SysWOW64\svchost.exe.txt	svchost.exe
File created	C:\Windows\SysWOW64\yksailumag	svchost.exe
File opened for modification	C:\Windows\SysWOW64\svchost.exe.txt	svchost.exe
File created	C:\Windows\SysWOW64\yshsqoxjnc	svchost.exe
File opened for modification	C:\Windows\SysWOW64\svchost.exe.txt	svchost.exe

Program crash 3 IoCs

pid	pid_target	Process	procid_target
1940	3368	WerFault.exe	96
932	4256	WerFault.exe	103
3324	1936	WerFault.exe	107

System Location Discovery: System Language Discovery 1 TTPs 9 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	jiwmqjugqm
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_4572a395f849eece93bdd2c5071cd717.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	SRAT.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	alg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
1612	jiwmqjugqm
1612	jiwmqjugqm

Suspicious use of AdjustPrivilegeToken 45 IoCs

description	pid	Process
Token: SeRestorePrivilege	1612	jiwmqjugqm
Token: SeBackupPrivilege	1612	jiwmqjugqm
Token: SeBackupPrivilege	1612	jiwmqjugqm
Token: SeRestorePrivilege	1612	jiwmqjugqm
Token: SeBackupPrivilege	3368	svchost.exe
Token: SeRestorePrivilege	3368	svchost.exe
Token: SeBackupPrivilege	3368	svchost.exe
Token: SeBackupPrivilege	3368	svchost.exe
Token: SeSecurityPrivilege	3368	svchost.exe
Token: SeSecurityPrivilege	3368	svchost.exe
Token: SeBackupPrivilege	3368	svchost.exe
Token: SeBackupPrivilege	3368	svchost.exe
Token: SeSecurityPrivilege	3368	svchost.exe
Token: SeBackupPrivilege	3368	svchost.exe
Token: SeBackupPrivilege	3368	svchost.exe
Token: SeSecurityPrivilege	3368	svchost.exe
Token: SeBackupPrivilege	3368	svchost.exe
Token: SeRestorePrivilege	3368	svchost.exe
Token: SeBackupPrivilege	4256	svchost.exe
Token: SeRestorePrivilege	4256	svchost.exe
Token: SeBackupPrivilege	4256	svchost.exe
Token: SeBackupPrivilege	4256	svchost.exe
Token: SeSecurityPrivilege	4256	svchost.exe
Token: SeSecurityPrivilege	4256	svchost.exe
Token: SeBackupPrivilege	4256	svchost.exe
Token: SeBackupPrivilege	4256	svchost.exe
Token: SeSecurityPrivilege	4256	svchost.exe
Token: SeBackupPrivilege	4256	svchost.exe
Token: SeBackupPrivilege	4256	svchost.exe
Token: SeSecurityPrivilege	4256	svchost.exe
Token: SeBackupPrivilege	4256	svchost.exe
Token: SeRestorePrivilege	4256	svchost.exe
Token: SeBackupPrivilege	1936	svchost.exe
Token: SeSecurityPrivilege	1936	svchost.exe
Token: SeBackupPrivilege	1936	svchost.exe
Token: SeRestorePrivilege	1936	svchost.exe
Token: SeSecurityPrivilege	1936	svchost.exe
Token: SeBackupPrivilege	1936	svchost.exe
Token: SeBackupPrivilege	1936	svchost.exe
Token: SeSecurityPrivilege	1936	svchost.exe
Token: SeBackupPrivilege	1936	svchost.exe
Token: SeBackupPrivilege	1936	svchost.exe
Token: SeSecurityPrivilege	1936	svchost.exe
Token: SeBackupPrivilege	1936	svchost.exe
Token: SeRestorePrivilege	1936	svchost.exe

Suspicious use of FindShellTrayWindow 7 IoCs

pid	Process
2760	SRAT.exe
2760	SRAT.exe
2760	SRAT.exe
2760	SRAT.exe
2760	SRAT.exe
2760	SRAT.exe
2760	SRAT.exe

Suspicious use of SendNotifyMessage 7 IoCs

pid	Process
2760	SRAT.exe
2760	SRAT.exe
2760	SRAT.exe
2760	SRAT.exe
2760	SRAT.exe
2760	SRAT.exe
2760	SRAT.exe

Suspicious use of WriteProcessMemory 15 IoCs

description	pid	Process	procid_target
PID 3980 wrote to memory of 4116	3980	JaffaCakes118_4572a395f849eece93bdd2c5071cd717.exe	83
PID 3980 wrote to memory of 4116	3980	JaffaCakes118_4572a395f849eece93bdd2c5071cd717.exe	83
PID 3980 wrote to memory of 4116	3980	JaffaCakes118_4572a395f849eece93bdd2c5071cd717.exe	83
PID 3980 wrote to memory of 4044	3980	JaffaCakes118_4572a395f849eece93bdd2c5071cd717.exe	84
PID 3980 wrote to memory of 4044	3980	JaffaCakes118_4572a395f849eece93bdd2c5071cd717.exe	84
PID 3980 wrote to memory of 4044	3980	JaffaCakes118_4572a395f849eece93bdd2c5071cd717.exe	84
PID 4116 wrote to memory of 2760	4116	cmd.exe	87
PID 4116 wrote to memory of 2760	4116	cmd.exe	87
PID 4116 wrote to memory of 2760	4116	cmd.exe	87
PID 4044 wrote to memory of 184	4044	cmd.exe	88
PID 4044 wrote to memory of 184	4044	cmd.exe	88
PID 4044 wrote to memory of 184	4044	cmd.exe	88
PID 184 wrote to memory of 1612	184	alg.exe	89
PID 184 wrote to memory of 1612	184	alg.exe	89
PID 184 wrote to memory of 1612	184	alg.exe	89

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_4572a395f849eece93bdd2c5071cd717.exe
"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_4572a395f849eece93bdd2c5071cd717.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3980
- C:\Windows\SysWOW64\cmd.exe
  cmd /c "C:\Users\Admin\AppData\Local\Temp\SRAT.exe"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:4116
- - C:\Users\Admin\AppData\Local\Temp\SRAT.exe
    C:\Users\Admin\AppData\Local\Temp\SRAT.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    PID:2760
- C:\Windows\SysWOW64\cmd.exe
  cmd /c "C:\Users\Admin\AppData\Local\Temp\alg.exe"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:4044
- - C:\Users\Admin\AppData\Local\Temp\alg.exe
    C:\Users\Admin\AppData\Local\Temp\alg.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:184
  - - \??\c:\users\admin\appdata\local\jiwmqjugqm
      C:\Users\Admin\AppData\Local\Temp\alg.exe a -sc:\users\admin\appdata\local\temp\alg.exe
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:1612

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k netsvcs -s fastuserswitchingcompatibility
1⤵
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
PID:3368
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 3368 -s 784
  2⤵
  - Program crash
  PID:1940

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 3368 -ip 3368
1⤵
PID:64

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k netsvcs -s fastuserswitchingcompatibility
1⤵
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
PID:4256
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 4256 -s 920
  2⤵
  - Program crash
  PID:932

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 512 -p 4256 -ip 4256
1⤵
PID:4340

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k netsvcs -s fastuserswitchingcompatibility
1⤵
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
PID:1936
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 1936 -s 872
  2⤵
  - Program crash
  PID:3324

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 496 -p 1936 -ip 1936
1⤵
PID:1400

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\SRAT.exe

Filesize
814KB

MD5
9a62b1378200e4a8cc45025c89be17c0

SHA1
9891eadf9507d4e47b5e76cd9073743e0d06a76e

SHA256
3ce7cf1e6af93d9c82365a7f8c475c5e0484c128f1e09b33ceb716ee3ddcc1f5

SHA512
c784679063d24dc0a79ab6882ad009fd23f4fb9e36bdb429fd8a2fbd76a4a4e9ce7ab4f06267d8e1cba7f326ce406595f9ada479cc500382cb6f93ae3a9e87ba

Download Submit
C:\Users\Admin\AppData\Local\Temp\Setting.ini

Filesize
24B

MD5
492895398b228836f7c2c07040204c54

SHA1
8a15c9b02004f8f6dc743a53662195ff412ca60e

SHA256
f9e2b9858b78338c6a8e4fc98938807999c8d129f9f77324019372cd73ba9df0

SHA512
669372adef804ee4260e676b3ae76f5e573f7079f3cf36bb841b26abf4963d0b060c79df98f3722c7d2ec585fa0cb3e6f0feeff4bbf4bd622759c1fb63584ccc

Download Submit
C:\Users\Admin\AppData\Local\Temp\alg.exe

Filesize
196KB

MD5
2f74f888d3305020b1786b606346848f

SHA1
352549b244057ec31e0295d180b76935704d61eb

SHA256
d79679f87d6ac990d5b3f276ba6edc9f30f15c52dccf5c1f3e63de8889d4ee77

SHA512
1a18344bbe1d0c962b0cfb7a1559b30cc6fc5e5818fb8e8c84dc76048d6947a29e1696c7d6c35f0bc5a70f43722b87d7204901e96b5b636504851bf7e5cfc9c6

Download Submit
C:\Users\Admin\AppData\Local\jiwmqjugqm

Filesize
22.9MB

MD5
2d8ec79429cbca4f8db7e68c0660440d

SHA1
a4de62fcc1566804b64bbe747212ab1daae0972f

SHA256
26ff836aa073f276ecee1198ca17e89dc18ead0847765fe01d19a33ec0700499

SHA512
ebc9578e0b6cca014f390ead648c661cb78014237313f3d7099c217a4d7621eabce8e1af00172048c9a1a98d4bb9391c3911d50a911fff4b9717992879bcef6f

Download Submit
C:\Windows\SysWOW64\svchost.exe.txt

Filesize
202B

MD5
900affa2b455af632d8d483d16a40ab8

SHA1
ea07873e6d3ff0c274d506b4aa5fd6f09a5d0ee0

SHA256
cebccd4f9e998933f2855c7a263665047efcd36044acc54ad18b88b0e0380a7a

SHA512
210c529f4e734d6ae25e100d138f7517c7e8af838bd0df0a704fa58b10fdfb11f71b0aa15d1a24bc3ee76c1f1fa22aa727103c18bcd6d0100fcfe96a7cd37f95

Download Submit
C:\Windows\SysWOW64\svchost.exe.txt

Filesize
303B

MD5
c135d192d12fa2f3b606f855ca536433

SHA1
ba5e760d614805d8f32709210031cb6988e10531

SHA256
4de229689b8ced6a2a910d78a7db2154684854244c5d58be72df4606c04bf3a3

SHA512
5596f969cb17fccfdbaa6b213059577c247492725346bca5bf456c526ef5ea8bfa4486ca83423a32c76551ddcfd03c02a92bbaa4bf13ac39a497ff925cb10551

Download Submit
\??\c:\programdata\application data\storm\update\%sessionname%\jpglo.cc3

Filesize
24.0MB

MD5
241ecb260c885efa8d045157ca86b693

SHA1
fcad129725f91c4187d9c406cc0203e6f9aaef00

SHA256
58f99092eae28f755739203dedc0e3054af3170d20565564e581f7774b91edae

SHA512
7dcd10c96c21785b60adef2d2c84b6a0e5f5456e6997af35a0354622c7169fac9651889af41aa0816105686d29bfc0f3ee672c6b766440067606e227cf5dc77b

Download Submit
memory/1936-90-0x0000000020000000-0x0000000020027000-memory.dmp

Filesize
156KB

Download
memory/1936-86-0x0000000000C90000-0x0000000000C91000-memory.dmp

Filesize
4KB

Download
memory/2760-38-0x0000000002520000-0x0000000002521000-memory.dmp

Filesize
4KB

Download
memory/2760-34-0x0000000002500000-0x0000000002501000-memory.dmp

Filesize
4KB

Download
memory/2760-12-0x0000000002380000-0x0000000002381000-memory.dmp

Filesize
4KB

Download
memory/2760-11-0x0000000000830000-0x0000000000831000-memory.dmp

Filesize
4KB

Download
memory/2760-10-0x0000000000400000-0x0000000000615000-memory.dmp

Filesize
2.1MB

Download
memory/2760-20-0x0000000003360000-0x0000000003361000-memory.dmp

Filesize
4KB

Download
memory/2760-55-0x0000000003350000-0x0000000003352000-memory.dmp

Filesize
8KB

Download
memory/2760-57-0x00000000007E0000-0x00000000007E1000-memory.dmp

Filesize
4KB

Download
memory/2760-56-0x0000000000780000-0x0000000000781000-memory.dmp

Filesize
4KB

Download
memory/2760-54-0x0000000003350000-0x0000000003351000-memory.dmp

Filesize
4KB

Download
memory/2760-53-0x0000000003350000-0x0000000003351000-memory.dmp

Filesize
4KB

Download
memory/2760-52-0x0000000003350000-0x0000000003351000-memory.dmp

Filesize
4KB

Download
memory/2760-51-0x0000000003350000-0x0000000003351000-memory.dmp

Filesize
4KB

Download
memory/2760-50-0x0000000003350000-0x0000000003351000-memory.dmp

Filesize
4KB

Download
memory/2760-49-0x0000000003350000-0x0000000003351000-memory.dmp

Filesize
4KB

Download
memory/2760-48-0x0000000002530000-0x0000000002531000-memory.dmp

Filesize
4KB

Download
memory/2760-47-0x0000000003360000-0x0000000003361000-memory.dmp

Filesize
4KB

Download
memory/2760-46-0x0000000003360000-0x0000000003361000-memory.dmp

Filesize
4KB

Download
memory/2760-45-0x00000000025C0000-0x00000000025C1000-memory.dmp

Filesize
4KB

Download
memory/2760-44-0x0000000003360000-0x0000000003361000-memory.dmp

Filesize
4KB

Download
memory/2760-43-0x0000000002590000-0x0000000002591000-memory.dmp

Filesize
4KB

Download
memory/2760-42-0x0000000002580000-0x0000000002581000-memory.dmp

Filesize
4KB

Download
memory/2760-41-0x00000000025D0000-0x00000000025D1000-memory.dmp

Filesize
4KB

Download
memory/2760-40-0x00000000025B0000-0x00000000025B1000-memory.dmp

Filesize
4KB

Download
memory/2760-39-0x00000000024E0000-0x00000000024E1000-memory.dmp

Filesize
4KB

Download
memory/2760-106-0x0000000000400000-0x0000000000615000-memory.dmp

Filesize
2.1MB

Download
memory/2760-37-0x0000000002560000-0x0000000002561000-memory.dmp

Filesize
4KB

Download
memory/2760-36-0x0000000002540000-0x0000000002541000-memory.dmp

Filesize
4KB

Download
memory/2760-35-0x0000000002550000-0x0000000002551000-memory.dmp

Filesize
4KB

Download
memory/2760-13-0x0000000002370000-0x0000000002371000-memory.dmp

Filesize
4KB

Download
memory/2760-33-0x0000000003350000-0x0000000003351000-memory.dmp

Filesize
4KB

Download
memory/2760-32-0x0000000003350000-0x0000000003351000-memory.dmp

Filesize
4KB

Download
memory/2760-31-0x0000000003350000-0x0000000003351000-memory.dmp

Filesize
4KB

Download
memory/2760-30-0x0000000003350000-0x0000000003351000-memory.dmp

Filesize
4KB

Download
memory/2760-29-0x0000000003360000-0x0000000003361000-memory.dmp

Filesize
4KB

Download
memory/2760-28-0x0000000003360000-0x0000000003361000-memory.dmp

Filesize
4KB

Download
memory/2760-27-0x0000000003360000-0x0000000003361000-memory.dmp

Filesize
4KB

Download
memory/2760-26-0x0000000003360000-0x0000000003361000-memory.dmp

Filesize
4KB

Download
memory/2760-25-0x0000000003360000-0x0000000003361000-memory.dmp

Filesize
4KB

Download
memory/2760-24-0x0000000003360000-0x0000000003361000-memory.dmp

Filesize
4KB

Download
memory/2760-23-0x0000000003360000-0x0000000003361000-memory.dmp

Filesize
4KB

Download
memory/2760-22-0x0000000003360000-0x0000000003361000-memory.dmp

Filesize
4KB

Download
memory/2760-21-0x0000000000840000-0x0000000000841000-memory.dmp

Filesize
4KB

Download
memory/2760-14-0x0000000002350000-0x0000000002351000-memory.dmp

Filesize
4KB

Download
memory/2760-63-0x0000000000400000-0x0000000000615000-memory.dmp

Filesize
2.1MB

Download
memory/2760-64-0x0000000003360000-0x0000000003361000-memory.dmp

Filesize
4KB

Download
memory/2760-65-0x00000000022F0000-0x000000000234A000-memory.dmp

Filesize
360KB

Download
memory/2760-66-0x0000000003350000-0x0000000003351000-memory.dmp

Filesize
4KB

Download
memory/2760-15-0x00000000007F0000-0x00000000007F1000-memory.dmp

Filesize
4KB

Download
memory/2760-16-0x0000000002390000-0x0000000002391000-memory.dmp

Filesize
4KB

Download
memory/2760-19-0x00000000022F0000-0x000000000234A000-memory.dmp

Filesize
360KB

Download
memory/2760-87-0x0000000000400000-0x0000000000615000-memory.dmp

Filesize
2.1MB

Download
memory/2760-18-0x0000000003360000-0x0000000003361000-memory.dmp

Filesize
4KB

Download
memory/2760-17-0x0000000000810000-0x0000000000811000-memory.dmp

Filesize
4KB

Download
memory/3368-79-0x0000000020000000-0x0000000020027000-memory.dmp

Filesize
156KB

Download
memory/3368-77-0x00000000011D0000-0x00000000011D1000-memory.dmp

Filesize
4KB

Download
memory/3980-3-0x0000000000400000-0x0000000000569000-memory.dmp

Filesize
1.4MB

Download
memory/3980-0-0x0000000002410000-0x0000000002411000-memory.dmp

Filesize
4KB

Download
memory/4256-84-0x0000000020000000-0x0000000020027000-memory.dmp

Filesize
156KB

Download
memory/4256-81-0x00000000015F0000-0x00000000015F1000-memory.dmp

Filesize
4KB

Download