gh0strat | 120a4e441684050ef1bd2fa4d131b5846e76c35a880e1215012c5328066583f1

Analysis

max time kernel
93s
max time network
94s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
28-01-2025 02:16

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

JaffaCakes118_45d9487af7ac4ba9fcb15de1db73d973.exe
Size

95KB
MD5

45d9487af7ac4ba9fcb15de1db73d973
SHA1

68643d11a7701c1776a7da12caf4f16b87fa6c20
SHA256

120a4e441684050ef1bd2fa4d131b5846e76c35a880e1215012c5328066583f1
SHA512

3610c5a4638472147ccb9844849889e929cd3b8c1fa844e0382cd583fd4606c3d085cb818af9e21da3bb43ebed34f6db3a547cd64631597e880c2807feaadb52
SSDEEP

1536:GNFusSx9qYMhdFHS8qdydo3nTzhYxJA+CwNUtBZVY9v8prgq5AubkI:GzS4jHS8q/3nTzePCwNUh4E9z52I

Score

10^/10

gh0strat discovery rat

Malware Config

Signatures

Gh0st RAT payload 5 IoCs

resource	yara_rule
behavioral2/files/0x0008000000023cc1-14.dat	family_gh0strat
behavioral2/memory/2304-16-0x0000000000400000-0x000000000044E1F0-memory.dmp	family_gh0strat
behavioral2/memory/4532-19-0x0000000020000000-0x0000000020027000-memory.dmp	family_gh0strat
behavioral2/memory/1316-24-0x0000000020000000-0x0000000020027000-memory.dmp	family_gh0strat
behavioral2/memory/2004-29-0x0000000020000000-0x0000000020027000-memory.dmp	family_gh0strat

Gh0strat
Gh0st RAT is a remote access tool (RAT) with its source code public and it has been used by multiple Chinese groups.
rat gh0strat
Gh0strat family
gh0strat

Deletes itself 1 IoCs

pid	Process
2304	fcsgbrouyx

Executes dropped EXE 1 IoCs

pid	Process
2304	fcsgbrouyx

Loads dropped DLL 3 IoCs

pid	Process
4532	svchost.exe
1316	svchost.exe
2004	svchost.exe

Drops file in System32 directory 6 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\nxphqmiibb	svchost.exe
File opened for modification	C:\Windows\SysWOW64\svchost.exe.txt	svchost.exe
File created	C:\Windows\SysWOW64\ngeaypkgnv	svchost.exe
File opened for modification	C:\Windows\SysWOW64\svchost.exe.txt	svchost.exe
File created	C:\Windows\SysWOW64\npcnijfkng	svchost.exe
File opened for modification	C:\Windows\SysWOW64\svchost.exe.txt	svchost.exe

Program crash 3 IoCs

pid	pid_target	Process	procid_target
3664	4532	WerFault.exe	86
628	1316	WerFault.exe	91
4100	2004	WerFault.exe	95

System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	fcsgbrouyx
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_45d9487af7ac4ba9fcb15de1db73d973.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
2304	fcsgbrouyx
2304	fcsgbrouyx

Suspicious use of AdjustPrivilegeToken 46 IoCs

description	pid	Process
Token: SeRestorePrivilege	2304	fcsgbrouyx
Token: SeBackupPrivilege	2304	fcsgbrouyx
Token: SeBackupPrivilege	2304	fcsgbrouyx
Token: SeRestorePrivilege	2304	fcsgbrouyx
Token: SeBackupPrivilege	4532	svchost.exe
Token: SeRestorePrivilege	4532	svchost.exe
Token: SeBackupPrivilege	4532	svchost.exe
Token: SeBackupPrivilege	4532	svchost.exe
Token: SeSecurityPrivilege	4532	svchost.exe
Token: SeSecurityPrivilege	4532	svchost.exe
Token: SeBackupPrivilege	4532	svchost.exe
Token: SeBackupPrivilege	4532	svchost.exe
Token: SeSecurityPrivilege	4532	svchost.exe
Token: SeBackupPrivilege	4532	svchost.exe
Token: SeBackupPrivilege	4532	svchost.exe
Token: SeSecurityPrivilege	4532	svchost.exe
Token: SeBackupPrivilege	4532	svchost.exe
Token: SeRestorePrivilege	4532	svchost.exe
Token: SeBackupPrivilege	1316	svchost.exe
Token: SeRestorePrivilege	1316	svchost.exe
Token: SeBackupPrivilege	1316	svchost.exe
Token: SeBackupPrivilege	1316	svchost.exe
Token: SeSecurityPrivilege	1316	svchost.exe
Token: SeSecurityPrivilege	1316	svchost.exe
Token: SeBackupPrivilege	1316	svchost.exe
Token: SeBackupPrivilege	1316	svchost.exe
Token: SeSecurityPrivilege	1316	svchost.exe
Token: SeBackupPrivilege	1316	svchost.exe
Token: SeBackupPrivilege	1316	svchost.exe
Token: SeSecurityPrivilege	1316	svchost.exe
Token: SeBackupPrivilege	1316	svchost.exe
Token: SeRestorePrivilege	1316	svchost.exe
Token: SeBackupPrivilege	2004	svchost.exe
Token: SeRestorePrivilege	2004	svchost.exe
Token: SeBackupPrivilege	2004	svchost.exe
Token: SeBackupPrivilege	2004	svchost.exe
Token: SeSecurityPrivilege	2004	svchost.exe
Token: SeSecurityPrivilege	2004	svchost.exe
Token: SeBackupPrivilege	2004	svchost.exe
Token: SeBackupPrivilege	2004	svchost.exe
Token: SeSecurityPrivilege	2004	svchost.exe
Token: SeBackupPrivilege	2004	svchost.exe
Token: SeBackupPrivilege	2004	svchost.exe
Token: SeSecurityPrivilege	2004	svchost.exe
Token: SeBackupPrivilege	2004	svchost.exe
Token: SeRestorePrivilege	2004	svchost.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 3492 wrote to memory of 2304	3492	JaffaCakes118_45d9487af7ac4ba9fcb15de1db73d973.exe	84
PID 3492 wrote to memory of 2304	3492	JaffaCakes118_45d9487af7ac4ba9fcb15de1db73d973.exe	84
PID 3492 wrote to memory of 2304	3492	JaffaCakes118_45d9487af7ac4ba9fcb15de1db73d973.exe	84

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_45d9487af7ac4ba9fcb15de1db73d973.exe
"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_45d9487af7ac4ba9fcb15de1db73d973.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3492
- \??\c:\users\admin\appdata\local\fcsgbrouyx
  "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_45d9487af7ac4ba9fcb15de1db73d973.exe" a -sc:\users\admin\appdata\local\temp\jaffacakes118_45d9487af7ac4ba9fcb15de1db73d973.exe
  2⤵
  - Deletes itself
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2304

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k netsvcs -s fastuserswitchingcompatibility
1⤵
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
PID:4532
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 4532 -s 788
  2⤵
  - Program crash
  PID:3664

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 460 -p 4532 -ip 4532
1⤵
PID:4824

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k netsvcs -s fastuserswitchingcompatibility
1⤵
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
PID:1316
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 1316 -s 928
  2⤵
  - Program crash
  PID:628

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 468 -p 1316 -ip 1316
1⤵
PID:208

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k netsvcs -s fastuserswitchingcompatibility
1⤵
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
PID:2004
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 2004 -s 1100
  2⤵
  - Program crash
  PID:4100

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 500 -p 2004 -ip 2004
1⤵
PID:2132

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\fcsgbrouyx

Filesize
22.8MB

MD5
1f3a110c3225934c057ab7848aeca32c

SHA1
3a02d3c1ff0f97b85c4cd52d81472a0ffb0c7b33

SHA256
3b460f947f7dbec3d36a3765cc052b8ac2a320b332a14ec1705242a6f95a11f9

SHA512
9d7d01340be629c09db030394d227ae9ec1e3a7a607310c067965e6327efc7fec67d8cc735dd1bdf1409787a18e3c087b826140c1e19692010aee8a451ff4885

Download Submit
C:\Windows\SysWOW64\svchost.exe.txt

Filesize
198B

MD5
6089ce2e97eb779bbccba4b758939fef

SHA1
ffbb58e4192eec6a838c65de59d02ac9f99c4ac1

SHA256
db70485b06b3757e88616bd051f7dc99b276ddc902e2ee6474d6832849e79506

SHA512
cf33f4f73e7aedcd3e4fa750ac877d554ffb80e216a278d6df614baace938e44b6dc6939c57696851ad344d37d449d645aaa85916f9e1ed86e1e192b7fbf576c

Download Submit
C:\Windows\SysWOW64\svchost.exe.txt

Filesize
297B

MD5
c4c51b29158008dfec37d0256bebd9fe

SHA1
f19b391130ba2794e3fc523c32cfa305db3fe346

SHA256
7e529e19fa5394dbf8d7d7b35d96adffca7c5db1c552fb6f95108b9555f99728

SHA512
fdeb344091877e21e8a8d87c9c3254610044cbb9fcaf01e651d2834f9425f27148046107703d1aa463a2335a5b22a8ab55cc66dc37a20fa91f16e18a603a4b20

Download Submit
\??\c:\programdata\application data\storm\update\%sessionname%\nubou.cc3

Filesize
23.1MB

MD5
fbf84ec066a49d80bfec9fec822e2c76

SHA1
87740857dda064ac2f94dca291cc6db21ef4a359

SHA256
ff357913ad3ddbf1958b6597c2e07227abb50536273cc8b2ee8eb0c53901b2c6

SHA512
522d0aa016598ff75bc9ab026692d61c157e6e193e94a384934e58189442a5233726553949f9edde8c36714397145c71774c4cbd42aac91f96a29e805432724c

Download Submit
memory/1316-21-0x00000000011F0000-0x00000000011F1000-memory.dmp

Filesize
4KB

Download
memory/1316-24-0x0000000020000000-0x0000000020027000-memory.dmp

Filesize
156KB

Download
memory/2004-26-0x0000000001BD0000-0x0000000001BD1000-memory.dmp

Filesize
4KB

Download
memory/2004-29-0x0000000020000000-0x0000000020027000-memory.dmp

Filesize
156KB

Download
memory/2304-9-0x0000000000400000-0x000000000044E1F0-memory.dmp

Filesize
312KB

Download
memory/2304-16-0x0000000000400000-0x000000000044E1F0-memory.dmp

Filesize
312KB

Download
memory/3492-0-0x0000000000400000-0x000000000044E1F0-memory.dmp

Filesize
312KB

Download
memory/3492-7-0x0000000000400000-0x000000000044E1F0-memory.dmp

Filesize
312KB

Download
memory/3492-2-0x00000000001D0000-0x00000000001D1000-memory.dmp

Filesize
4KB

Download
memory/4532-17-0x00000000019E0000-0x00000000019E1000-memory.dmp

Filesize
4KB

Download
memory/4532-19-0x0000000020000000-0x0000000020027000-memory.dmp

Filesize
156KB

Download