gh0strat | 26dddc8ae271f9b3380ba305bebdd0ee09707aae532d0477144bf6d2fe4e9092

Analysis

max time kernel
93s
max time network
144s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
28-01-2025 02:33

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

JaffaCakes118_45fe5b239474835e0d53895c4e793b73.exe
Size

95KB
MD5

45fe5b239474835e0d53895c4e793b73
SHA1

81a511f0a6bafb517753b13595529b1cf8ebbda8
SHA256

26dddc8ae271f9b3380ba305bebdd0ee09707aae532d0477144bf6d2fe4e9092
SHA512

2fba49ada2016e684fcc416f5e51da0d202b9281d6a600e5021bff42493b7dea9221b33bc7049d1a5eb14035c0af4e392cd6fe61d6bff17f5da1f2279c25816b
SSDEEP

1536:iRFusSx9qYMhdFHS8qdydo3nTzhYxJA+CwNUtBZVY9v8prOcOj9:iHS4jHS8q/3nTzePCwNUh4E9o9

Score

10^/10

gh0strat discovery rat

Malware Config

Signatures

Gh0st RAT payload 5 IoCs

resource	yara_rule
behavioral2/files/0x000b000000023b85-15.dat	family_gh0strat
behavioral2/memory/4068-17-0x0000000000400000-0x000000000044E35C-memory.dmp	family_gh0strat
behavioral2/memory/1616-20-0x0000000020000000-0x0000000020027000-memory.dmp	family_gh0strat
behavioral2/memory/1472-25-0x0000000020000000-0x0000000020027000-memory.dmp	family_gh0strat
behavioral2/memory/1724-30-0x0000000020000000-0x0000000020027000-memory.dmp	family_gh0strat

Gh0strat
Gh0st RAT is a remote access tool (RAT) with its source code public and it has been used by multiple Chinese groups.
rat gh0strat
Gh0strat family
gh0strat

Deletes itself 1 IoCs

pid	Process
4068	lvxjwjnwrw

Executes dropped EXE 1 IoCs

pid	Process
4068	lvxjwjnwrw

Loads dropped DLL 3 IoCs

pid	Process
1616	svchost.exe
1472	svchost.exe
1724	svchost.exe

Drops file in System32 directory 6 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\svchost.exe.txt	svchost.exe
File created	C:\Windows\SysWOW64\bpuvgmmpjf	svchost.exe
File opened for modification	C:\Windows\SysWOW64\svchost.exe.txt	svchost.exe
File created	C:\Windows\SysWOW64\bxiooponwa	svchost.exe
File opened for modification	C:\Windows\SysWOW64\svchost.exe.txt	svchost.exe
File created	C:\Windows\SysWOW64\bgwiwsrkjv	svchost.exe

Program crash 3 IoCs

pid	pid_target	Process	procid_target
2524	1616	WerFault.exe	85
5080	1472	WerFault.exe	91
3216	1724	WerFault.exe	94

System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_45fe5b239474835e0d53895c4e793b73.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	lvxjwjnwrw
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
4068	lvxjwjnwrw
4068	lvxjwjnwrw

Suspicious use of AdjustPrivilegeToken 46 IoCs

description	pid	Process
Token: SeRestorePrivilege	4068	lvxjwjnwrw
Token: SeBackupPrivilege	4068	lvxjwjnwrw
Token: SeBackupPrivilege	4068	lvxjwjnwrw
Token: SeRestorePrivilege	4068	lvxjwjnwrw
Token: SeBackupPrivilege	1616	svchost.exe
Token: SeRestorePrivilege	1616	svchost.exe
Token: SeBackupPrivilege	1616	svchost.exe
Token: SeBackupPrivilege	1616	svchost.exe
Token: SeSecurityPrivilege	1616	svchost.exe
Token: SeSecurityPrivilege	1616	svchost.exe
Token: SeBackupPrivilege	1616	svchost.exe
Token: SeBackupPrivilege	1616	svchost.exe
Token: SeSecurityPrivilege	1616	svchost.exe
Token: SeBackupPrivilege	1616	svchost.exe
Token: SeBackupPrivilege	1616	svchost.exe
Token: SeSecurityPrivilege	1616	svchost.exe
Token: SeBackupPrivilege	1616	svchost.exe
Token: SeRestorePrivilege	1616	svchost.exe
Token: SeBackupPrivilege	1472	svchost.exe
Token: SeRestorePrivilege	1472	svchost.exe
Token: SeBackupPrivilege	1472	svchost.exe
Token: SeBackupPrivilege	1472	svchost.exe
Token: SeSecurityPrivilege	1472	svchost.exe
Token: SeSecurityPrivilege	1472	svchost.exe
Token: SeBackupPrivilege	1472	svchost.exe
Token: SeBackupPrivilege	1472	svchost.exe
Token: SeSecurityPrivilege	1472	svchost.exe
Token: SeBackupPrivilege	1472	svchost.exe
Token: SeBackupPrivilege	1472	svchost.exe
Token: SeSecurityPrivilege	1472	svchost.exe
Token: SeBackupPrivilege	1472	svchost.exe
Token: SeRestorePrivilege	1472	svchost.exe
Token: SeBackupPrivilege	1724	svchost.exe
Token: SeRestorePrivilege	1724	svchost.exe
Token: SeBackupPrivilege	1724	svchost.exe
Token: SeBackupPrivilege	1724	svchost.exe
Token: SeSecurityPrivilege	1724	svchost.exe
Token: SeSecurityPrivilege	1724	svchost.exe
Token: SeBackupPrivilege	1724	svchost.exe
Token: SeBackupPrivilege	1724	svchost.exe
Token: SeSecurityPrivilege	1724	svchost.exe
Token: SeBackupPrivilege	1724	svchost.exe
Token: SeBackupPrivilege	1724	svchost.exe
Token: SeSecurityPrivilege	1724	svchost.exe
Token: SeBackupPrivilege	1724	svchost.exe
Token: SeRestorePrivilege	1724	svchost.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 764 wrote to memory of 4068	764	JaffaCakes118_45fe5b239474835e0d53895c4e793b73.exe	82
PID 764 wrote to memory of 4068	764	JaffaCakes118_45fe5b239474835e0d53895c4e793b73.exe	82
PID 764 wrote to memory of 4068	764	JaffaCakes118_45fe5b239474835e0d53895c4e793b73.exe	82

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_45fe5b239474835e0d53895c4e793b73.exe
"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_45fe5b239474835e0d53895c4e793b73.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:764
- \??\c:\users\admin\appdata\local\lvxjwjnwrw
  "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_45fe5b239474835e0d53895c4e793b73.exe" a -sc:\users\admin\appdata\local\temp\jaffacakes118_45fe5b239474835e0d53895c4e793b73.exe
  2⤵
  - Deletes itself
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:4068

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k netsvcs -s fastuserswitchingcompatibility
1⤵
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
PID:1616
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 1616 -s 824
  2⤵
  - Program crash
  PID:2524

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 460 -p 1616 -ip 1616
1⤵
PID:2392

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k netsvcs -s fastuserswitchingcompatibility
1⤵
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
PID:1472
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 1472 -s 936
  2⤵
  - Program crash
  PID:5080

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 436 -p 1472 -ip 1472
1⤵
PID:3472

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k netsvcs -s fastuserswitchingcompatibility
1⤵
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
PID:1724
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 1724 -s 824
  2⤵
  - Program crash
  PID:3216

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 436 -p 1724 -ip 1724
1⤵
PID:2648

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\lvxjwjnwrw

Filesize
25.0MB

MD5
c1165f4cd0da131c7ff83f42e729ee18

SHA1
16429b8f2860e08160e8257cae8ff6b3491ceb6a

SHA256
4c937a0b7d8b3084d7114c128321c0e0d0b4a1fee3ea75d04794b49bc56b716d

SHA512
8eeef0259bf5707e87363136f44eedadce66c96d5f06d55d54b68522bce23c888193e23f0b847930349bee20cabe8e148d7a1c2a8b95a8c383116bb82fa05108

Download Submit
C:\Windows\SysWOW64\svchost.exe.txt

Filesize
202B

MD5
9564adbe06be0bdfb3e09ac5778191d3

SHA1
efa19396ae5618c6ce439d138173470af0ab0a60

SHA256
721bebe338c4bc4dd4ec493a2d2515ac484076831e1d200e2427c14eddabfffd

SHA512
018a8b726a3bff1662448758864bfe7bcca437eb1b9b76ec83eeea788462d2832d63077807eb2084366bfae28e744e3a69cc2065fa7bfb21053c28223b389058

Download Submit
C:\Windows\SysWOW64\svchost.exe.txt

Filesize
303B

MD5
ffa13a862ba302400ed6de7b0f3b2070

SHA1
4fde8cd6ce624c96418df7ca3ca0cf89f8a99bd5

SHA256
ae6ddd33d904b91729d6535529ac502ddb795c7c1fcf7d920657476bfdee6ea5

SHA512
e70d3464fa0d0009afd13d26fd2174c174885de076eaffe7f81ac9d161d1c06e22c985b0634a640a79db2dac9b462b508cfc5f274c56442bc0b20da0d95a2e3b

Download Submit
\??\c:\programdata\application data\storm\update\%sessionname%\qvkep.cc3

Filesize
24.0MB

MD5
f9c6499a09b6e6c960cda46195eb8bd3

SHA1
8976d0692b0cf200b627867eb135a02eefbb2eb1

SHA256
a239f387bfee3471ba30bb361e4253bab5bf62da43061ddb6b2e28ca67a40377

SHA512
b94653f5f542954c10a9eb600f522779519c97f5728108814e3b906b5e31015dd5d9e42bd99bb9d046269c33adabceec053efe36bdd58b1569423529095725c1

Download Submit
memory/764-2-0x00000000001D0000-0x00000000001D1000-memory.dmp

Filesize
4KB

Download
memory/764-10-0x0000000000400000-0x000000000044E35C-memory.dmp

Filesize
312KB

Download
memory/764-0-0x0000000000400000-0x000000000044E35C-memory.dmp

Filesize
312KB

Download
memory/1472-22-0x0000000002080000-0x0000000002081000-memory.dmp

Filesize
4KB

Download
memory/1472-25-0x0000000020000000-0x0000000020027000-memory.dmp

Filesize
156KB

Download
memory/1616-18-0x00000000014A0000-0x00000000014A1000-memory.dmp

Filesize
4KB

Download
memory/1616-20-0x0000000020000000-0x0000000020027000-memory.dmp

Filesize
156KB

Download
memory/1724-27-0x00000000019D0000-0x00000000019D1000-memory.dmp

Filesize
4KB

Download
memory/1724-30-0x0000000020000000-0x0000000020027000-memory.dmp

Filesize
156KB

Download
memory/4068-17-0x0000000000400000-0x000000000044E35C-memory.dmp

Filesize
312KB

Download
memory/4068-11-0x00000000001D0000-0x00000000001D1000-memory.dmp

Filesize
4KB

Download
memory/4068-12-0x0000000000400000-0x000000000044E35C-memory.dmp

Filesize
312KB

Download