gh0strat | 63c6e42f1be316c70d5e1b0887adb5ee2c9bffc3f48487ed21f8a170b20b1874

Analysis

max time kernel
149s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
28-01-2025 02:32

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

JaffaCakes118_45fd681eaf9789b7a074a014a1a48b01.exe
Size

96KB
MD5

45fd681eaf9789b7a074a014a1a48b01
SHA1

04f411ced4b1b89d195ceec7a5a29405c9c20115
SHA256

63c6e42f1be316c70d5e1b0887adb5ee2c9bffc3f48487ed21f8a170b20b1874
SHA512

de1a4b73af1e1befac7e9e0647660dd4b8495c4cd7350c63e187d8db3f47e688e6ffc83cd8e09f19b85094008444513de73ea5cd498314035ddc7e81f6dbeea2
SSDEEP

1536:TbFusSx9qYMhdFHS8qdydo3nTzhYxJA+CwNUtBZVY9v8prliXc20YA:TVS4jHS8q/3nTzePCwNUh4E9lMc2fA

Score

10^/10

gh0strat discovery rat

Malware Config

Signatures

Gh0st RAT payload 5 IoCs

resource	yara_rule
behavioral2/files/0x0009000000023bd9-15.dat	family_gh0strat
behavioral2/memory/3700-17-0x0000000000400000-0x000000000044E3EC-memory.dmp	family_gh0strat
behavioral2/memory/4868-20-0x0000000020000000-0x0000000020027000-memory.dmp	family_gh0strat
behavioral2/memory/4296-25-0x0000000020000000-0x0000000020027000-memory.dmp	family_gh0strat
behavioral2/memory/3744-30-0x0000000020000000-0x0000000020027000-memory.dmp	family_gh0strat

Gh0strat
Gh0st RAT is a remote access tool (RAT) with its source code public and it has been used by multiple Chinese groups.
rat gh0strat
Gh0strat family
gh0strat

Deletes itself 1 IoCs

pid	Process
3700	frddnqidbl

Executes dropped EXE 1 IoCs

pid	Process
3700	frddnqidbl

Loads dropped DLL 3 IoCs

pid	Process
4868	svchost.exe
4296	svchost.exe
3744	svchost.exe

Drops file in System32 directory 6 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\ayyryfrctm	svchost.exe
File opened for modification	C:\Windows\SysWOW64\svchost.exe.txt	svchost.exe
File created	C:\Windows\SysWOW64\ahnlhiuahh	svchost.exe
File opened for modification	C:\Windows\SysWOW64\svchost.exe.txt	svchost.exe
File created	C:\Windows\SysWOW64\aqlyqcpegq	svchost.exe
File opened for modification	C:\Windows\SysWOW64\svchost.exe.txt	svchost.exe

Program crash 3 IoCs

pid	pid_target	Process	procid_target
1188	4868	WerFault.exe	83
4108	4296	WerFault.exe	87
220	3744	WerFault.exe	90

System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_45fd681eaf9789b7a074a014a1a48b01.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	frddnqidbl
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
3700	frddnqidbl
3700	frddnqidbl

Suspicious use of AdjustPrivilegeToken 46 IoCs

description	pid	Process
Token: SeRestorePrivilege	3700	frddnqidbl
Token: SeBackupPrivilege	3700	frddnqidbl
Token: SeBackupPrivilege	3700	frddnqidbl
Token: SeRestorePrivilege	3700	frddnqidbl
Token: SeBackupPrivilege	4868	svchost.exe
Token: SeRestorePrivilege	4868	svchost.exe
Token: SeBackupPrivilege	4868	svchost.exe
Token: SeBackupPrivilege	4868	svchost.exe
Token: SeSecurityPrivilege	4868	svchost.exe
Token: SeSecurityPrivilege	4868	svchost.exe
Token: SeBackupPrivilege	4868	svchost.exe
Token: SeBackupPrivilege	4868	svchost.exe
Token: SeSecurityPrivilege	4868	svchost.exe
Token: SeBackupPrivilege	4868	svchost.exe
Token: SeBackupPrivilege	4868	svchost.exe
Token: SeSecurityPrivilege	4868	svchost.exe
Token: SeBackupPrivilege	4868	svchost.exe
Token: SeRestorePrivilege	4868	svchost.exe
Token: SeBackupPrivilege	4296	svchost.exe
Token: SeRestorePrivilege	4296	svchost.exe
Token: SeBackupPrivilege	4296	svchost.exe
Token: SeBackupPrivilege	4296	svchost.exe
Token: SeSecurityPrivilege	4296	svchost.exe
Token: SeSecurityPrivilege	4296	svchost.exe
Token: SeBackupPrivilege	4296	svchost.exe
Token: SeBackupPrivilege	4296	svchost.exe
Token: SeSecurityPrivilege	4296	svchost.exe
Token: SeBackupPrivilege	4296	svchost.exe
Token: SeBackupPrivilege	4296	svchost.exe
Token: SeSecurityPrivilege	4296	svchost.exe
Token: SeBackupPrivilege	4296	svchost.exe
Token: SeRestorePrivilege	4296	svchost.exe
Token: SeBackupPrivilege	3744	svchost.exe
Token: SeRestorePrivilege	3744	svchost.exe
Token: SeBackupPrivilege	3744	svchost.exe
Token: SeBackupPrivilege	3744	svchost.exe
Token: SeSecurityPrivilege	3744	svchost.exe
Token: SeSecurityPrivilege	3744	svchost.exe
Token: SeBackupPrivilege	3744	svchost.exe
Token: SeBackupPrivilege	3744	svchost.exe
Token: SeSecurityPrivilege	3744	svchost.exe
Token: SeBackupPrivilege	3744	svchost.exe
Token: SeBackupPrivilege	3744	svchost.exe
Token: SeSecurityPrivilege	3744	svchost.exe
Token: SeBackupPrivilege	3744	svchost.exe
Token: SeRestorePrivilege	3744	svchost.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 4376 wrote to memory of 3700	4376	JaffaCakes118_45fd681eaf9789b7a074a014a1a48b01.exe	82
PID 4376 wrote to memory of 3700	4376	JaffaCakes118_45fd681eaf9789b7a074a014a1a48b01.exe	82
PID 4376 wrote to memory of 3700	4376	JaffaCakes118_45fd681eaf9789b7a074a014a1a48b01.exe	82

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_45fd681eaf9789b7a074a014a1a48b01.exe
"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_45fd681eaf9789b7a074a014a1a48b01.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4376
- \??\c:\users\admin\appdata\local\frddnqidbl
  "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_45fd681eaf9789b7a074a014a1a48b01.exe" a -sc:\users\admin\appdata\local\temp\jaffacakes118_45fd681eaf9789b7a074a014a1a48b01.exe
  2⤵
  - Deletes itself
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:3700

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k netsvcs -s fastuserswitchingcompatibility
1⤵
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
PID:4868
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 4868 -s 1088
  2⤵
  - Program crash
  PID:1188

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 4868 -ip 4868
1⤵
PID:2188

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k netsvcs -s fastuserswitchingcompatibility
1⤵
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
PID:4296
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 4296 -s 1028
  2⤵
  - Program crash
  PID:4108

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 468 -p 4296 -ip 4296
1⤵
PID:816

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k netsvcs -s fastuserswitchingcompatibility
1⤵
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
PID:3744
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 3744 -s 944
  2⤵
  - Program crash
  PID:220

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 536 -p 3744 -ip 3744
1⤵
PID:5020

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\frddnqidbl

Filesize
21.5MB

MD5
cd34863d69e27fd53d9d51cf8e1ad7e4

SHA1
6853d022e8ad01e4a992ebd2fb49a1802e2b618f

SHA256
8f43191dc8906a27bcacbd5302d90df161fba03ce798e982e13e6387f1c31c0b

SHA512
6588324d7517c56d8bff62080b10a56cb731563b8469089526797043ec2a7364b6f78688b29a0e0661039556d5e5907e677da4aa54c982d67191443e3b4a2000

Download Submit
C:\Windows\SysWOW64\svchost.exe.txt

Filesize
200B

MD5
d306ab46979cd5815dbd6b80aa7ff303

SHA1
4f2e3d019c8f93023b18bc09cbb71fff3f0c488d

SHA256
87043ec2039909058a23a7acd55e9ddd430e91ec3babc9c25fad9b1ea4c37b11

SHA512
cedb06a3e7ae82e27af755678d7c7b219a6390b3feff696c00bab60ff48c333d7dc7dc1dcb136136c6a34897cd7594e024d57c6cde1a63e0f53e36a24976dd32

Download Submit
C:\Windows\SysWOW64\svchost.exe.txt

Filesize
300B

MD5
4f9608c9e887a168d1bbba53ee6d4b4e

SHA1
0cc747cf3da26be09ae8197230c6c696f4b779c3

SHA256
e55a9188ef952b75b88c1f5902f4ceb7c6ba21b351d2b0936f7ac9f1522731af

SHA512
3123460f7d552a79a568c5b3d8b465354b69919d749f5c0e4b2627cf1abfe1c46447d6462d3ee87998a6861c27cdb0cc6f5a5d6a46632f4d2bbdc2c3ee6bc21b

Download Submit
\??\c:\programdata\application data\storm\update\%sessionname%\ikdte.cc3

Filesize
22.1MB

MD5
23899985d06d73eef415f96a175b6dc7

SHA1
5cd71c0b587c2d9b0bd87636590003754bffd982

SHA256
b5b0cae90832229b18974c8e74e3d6ac02dad47fe3f05dda0e8ecd4c99a9f7f8

SHA512
7628a49880edc7135c53d36978c6b80c752a43943725beb83d77c4d6e8fbb871902f8957e44aba02568964ffd929938fed56f5fbe22e7654f0b19b4e0d7d1f95

Download Submit
memory/3700-8-0x0000000000400000-0x000000000044E3EC-memory.dmp

Filesize
312KB

Download
memory/3700-12-0x00000000001D0000-0x00000000001D1000-memory.dmp

Filesize
4KB

Download
memory/3700-17-0x0000000000400000-0x000000000044E3EC-memory.dmp

Filesize
312KB

Download
memory/3744-30-0x0000000020000000-0x0000000020027000-memory.dmp

Filesize
156KB

Download
memory/3744-27-0x0000000000FE0000-0x0000000000FE1000-memory.dmp

Filesize
4KB

Download
memory/4296-25-0x0000000020000000-0x0000000020027000-memory.dmp

Filesize
156KB

Download
memory/4296-22-0x0000000001BC0000-0x0000000001BC1000-memory.dmp

Filesize
4KB

Download
memory/4376-0-0x0000000000400000-0x000000000044E3EC-memory.dmp

Filesize
312KB

Download
memory/4376-9-0x0000000000400000-0x000000000044E3EC-memory.dmp

Filesize
312KB

Download
memory/4376-2-0x00000000001D0000-0x00000000001D1000-memory.dmp

Filesize
4KB

Download
memory/4868-20-0x0000000020000000-0x0000000020027000-memory.dmp

Filesize
156KB

Download
memory/4868-18-0x00000000019F0000-0x00000000019F1000-memory.dmp

Filesize
4KB

Download