gh0strat | 103b0be89b5cfa24aab33b83361f6bde7c30a2e9fa19625e502ed37da88626a5

Analysis

max time kernel
96s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
28-01-2025 02:53

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

JaffaCakes118_46280eefbefd76a067ecbd4b84e63660.exe
Size

96KB
MD5

46280eefbefd76a067ecbd4b84e63660
SHA1

fb7f2410d3d9d7904b0cdbeff1449872c9ccf6ea
SHA256

103b0be89b5cfa24aab33b83361f6bde7c30a2e9fa19625e502ed37da88626a5
SHA512

314cd25356152166fb013c31174d5e853529789e1343cbc7b67fd4a6f62d174354ba5315bfc20ab89cb9876973a2d47b0e635e06b6bae0d20074af0158fc6697
SSDEEP

1536:oKFusSx9qYMhdFHS8qdydo3nTzhYxJA+CwNUtBZVY9v8pryTNH9VtWrZe:oQS4jHS8q/3nTzePCwNUh4E9yxdoZe

Score

10^/10

gh0strat discovery rat

Malware Config

Signatures

Gh0st RAT payload 5 IoCs

resource	yara_rule
behavioral2/files/0x000b000000023b7c-15.dat	family_gh0strat
behavioral2/memory/4032-17-0x0000000000400000-0x000000000044E21C-memory.dmp	family_gh0strat
behavioral2/memory/4088-20-0x0000000020000000-0x0000000020027000-memory.dmp	family_gh0strat
behavioral2/memory/2884-25-0x0000000020000000-0x0000000020027000-memory.dmp	family_gh0strat
behavioral2/memory/4236-30-0x0000000020000000-0x0000000020027000-memory.dmp	family_gh0strat

Gh0strat
Gh0st RAT is a remote access tool (RAT) with its source code public and it has been used by multiple Chinese groups.
rat gh0strat
Gh0strat family
gh0strat

Deletes itself 1 IoCs

pid	Process
4032	jyoksiirxb

Executes dropped EXE 1 IoCs

pid	Process
4032	jyoksiirxb

Loads dropped DLL 3 IoCs

pid	Process
4088	svchost.exe
2884	svchost.exe
4236	svchost.exe

Drops file in System32 directory 6 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\cokkadmski	svchost.exe
File opened for modification	C:\Windows\SysWOW64\svchost.exe.txt	svchost.exe
File created	C:\Windows\SysWOW64\cwyeigpqxd	svchost.exe
File opened for modification	C:\Windows\SysWOW64\svchost.exe.txt	svchost.exe
File created	C:\Windows\SysWOW64\cfnwqjrnlx	svchost.exe
File opened for modification	C:\Windows\SysWOW64\svchost.exe.txt	svchost.exe

Program crash 3 IoCs

pid	pid_target	Process	procid_target
5108	4088	WerFault.exe	83
2840	2884	WerFault.exe	90
3956	4236	WerFault.exe	94

System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_46280eefbefd76a067ecbd4b84e63660.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	jyoksiirxb
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
4032	jyoksiirxb
4032	jyoksiirxb

Suspicious use of AdjustPrivilegeToken 46 IoCs

description	pid	Process
Token: SeRestorePrivilege	4032	jyoksiirxb
Token: SeBackupPrivilege	4032	jyoksiirxb
Token: SeBackupPrivilege	4032	jyoksiirxb
Token: SeRestorePrivilege	4032	jyoksiirxb
Token: SeBackupPrivilege	4088	svchost.exe
Token: SeRestorePrivilege	4088	svchost.exe
Token: SeBackupPrivilege	4088	svchost.exe
Token: SeBackupPrivilege	4088	svchost.exe
Token: SeSecurityPrivilege	4088	svchost.exe
Token: SeSecurityPrivilege	4088	svchost.exe
Token: SeBackupPrivilege	4088	svchost.exe
Token: SeBackupPrivilege	4088	svchost.exe
Token: SeSecurityPrivilege	4088	svchost.exe
Token: SeBackupPrivilege	4088	svchost.exe
Token: SeBackupPrivilege	4088	svchost.exe
Token: SeSecurityPrivilege	4088	svchost.exe
Token: SeBackupPrivilege	4088	svchost.exe
Token: SeRestorePrivilege	4088	svchost.exe
Token: SeBackupPrivilege	2884	svchost.exe
Token: SeRestorePrivilege	2884	svchost.exe
Token: SeBackupPrivilege	2884	svchost.exe
Token: SeBackupPrivilege	2884	svchost.exe
Token: SeSecurityPrivilege	2884	svchost.exe
Token: SeSecurityPrivilege	2884	svchost.exe
Token: SeBackupPrivilege	2884	svchost.exe
Token: SeBackupPrivilege	2884	svchost.exe
Token: SeSecurityPrivilege	2884	svchost.exe
Token: SeBackupPrivilege	2884	svchost.exe
Token: SeBackupPrivilege	2884	svchost.exe
Token: SeSecurityPrivilege	2884	svchost.exe
Token: SeBackupPrivilege	2884	svchost.exe
Token: SeRestorePrivilege	2884	svchost.exe
Token: SeBackupPrivilege	4236	svchost.exe
Token: SeRestorePrivilege	4236	svchost.exe
Token: SeBackupPrivilege	4236	svchost.exe
Token: SeBackupPrivilege	4236	svchost.exe
Token: SeSecurityPrivilege	4236	svchost.exe
Token: SeSecurityPrivilege	4236	svchost.exe
Token: SeBackupPrivilege	4236	svchost.exe
Token: SeBackupPrivilege	4236	svchost.exe
Token: SeSecurityPrivilege	4236	svchost.exe
Token: SeBackupPrivilege	4236	svchost.exe
Token: SeBackupPrivilege	4236	svchost.exe
Token: SeSecurityPrivilege	4236	svchost.exe
Token: SeBackupPrivilege	4236	svchost.exe
Token: SeRestorePrivilege	4236	svchost.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 2060 wrote to memory of 4032	2060	JaffaCakes118_46280eefbefd76a067ecbd4b84e63660.exe	82
PID 2060 wrote to memory of 4032	2060	JaffaCakes118_46280eefbefd76a067ecbd4b84e63660.exe	82
PID 2060 wrote to memory of 4032	2060	JaffaCakes118_46280eefbefd76a067ecbd4b84e63660.exe	82

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_46280eefbefd76a067ecbd4b84e63660.exe
"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_46280eefbefd76a067ecbd4b84e63660.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2060
- \??\c:\users\admin\appdata\local\jyoksiirxb
  "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_46280eefbefd76a067ecbd4b84e63660.exe" a -sc:\users\admin\appdata\local\temp\jaffacakes118_46280eefbefd76a067ecbd4b84e63660.exe
  2⤵
  - Deletes itself
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:4032

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k netsvcs -s fastuserswitchingcompatibility
1⤵
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
PID:4088
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 4088 -s 792
  2⤵
  - Program crash
  PID:5108

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 4088 -ip 4088
1⤵
PID:372

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k netsvcs -s fastuserswitchingcompatibility
1⤵
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
PID:2884
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 2884 -s 1104
  2⤵
  - Program crash
  PID:2840

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 2884 -ip 2884
1⤵
PID:3376

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k netsvcs -s fastuserswitchingcompatibility
1⤵
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
PID:4236
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 4236 -s 1100
  2⤵
  - Program crash
  PID:3956

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 432 -p 4236 -ip 4236
1⤵
PID:2296

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\jyoksiirxb

Filesize
22.3MB

MD5
f59c8502c166a2eb91d87ed2c4906033

SHA1
a9719cfa4060ee5df19e59d1bf6e21c196ba77db

SHA256
0e94c9445d298d159c312b72f8068fc4220809899a73ea1001a9a6e3d8b2ddb5

SHA512
9be49bda8a86a0e9fc11854abe1e938a8a3b26e7c0819faf7a217fcb7905af31bdb59cb2d0e46a6a001142f3fc76787def951a502ff8dd0dc45a8caa7a236cce

Download Submit
C:\Windows\SysWOW64\svchost.exe.txt

Filesize
204B

MD5
16b9190edb90e4e3cae8c55b3fb7e0db

SHA1
85c9d16c5e8977dbf2a30aed98b674a01256b056

SHA256
afc5a248f912d203d1b162a3277cd9212de4127e3b4ddf58051eabd679357048

SHA512
08b1e4ccbacc60347dcd9fefeb7bfb0ebddb4144b91d6d9f180a348c2d4a149b31ad75ebd1110ef13f9ec36b190570c3f2dd38554f89493b6dd28855fbbd62b8

Download Submit
C:\Windows\SysWOW64\svchost.exe.txt

Filesize
306B

MD5
fc169a41b0548583c2288ff2ca0cd749

SHA1
3d7de08bc0d1a8f4c113344b1bf69d93d288da0d

SHA256
d9e0838f1dff2a138fef9cbe7d5dbc28405a99624010b3c54c6afef71c2f8ce0

SHA512
e23df11084a2e09e6e4e4fe0b94db58d220b5c10dff97d398c7a2c6e39afd53ae0ad5503fa443ca822ae04227fe0a0d8a0dc6303fceca807b09427228c85e593

Download Submit
\??\c:\programdata\application data\storm\update\%sessionname%\qsmhb.cc3

Filesize
23.1MB

MD5
cca6c2a9e82ca9a12e3e03cdc513c809

SHA1
bc71ca52e958cbf7483acf4c0e5b9086ab64dd8d

SHA256
8ad8b81b29edc0e7995af77291541242eb3b2b3737f0831258cfb23fbbd5cec3

SHA512
1e499ea45de3ed477a79aa6dec444193907a9d397eaf02dc58536d284471bb22980f2ce281e24ed128ab2c4d475d430ebb618d7185fe6afcb980160e870d13bf

Download Submit
memory/2060-2-0x00000000001D0000-0x00000000001D1000-memory.dmp

Filesize
4KB

Download
memory/2060-9-0x0000000000400000-0x000000000044E21C-memory.dmp

Filesize
312KB

Download
memory/2060-0-0x0000000000400000-0x000000000044E21C-memory.dmp

Filesize
312KB

Download
memory/2884-25-0x0000000020000000-0x0000000020027000-memory.dmp

Filesize
156KB

Download
memory/2884-22-0x0000000001CA0000-0x0000000001CA1000-memory.dmp

Filesize
4KB

Download
memory/4032-17-0x0000000000400000-0x000000000044E21C-memory.dmp

Filesize
312KB

Download
memory/4032-12-0x00000000001D0000-0x00000000001D1000-memory.dmp

Filesize
4KB

Download
memory/4032-8-0x0000000000400000-0x000000000044E21C-memory.dmp

Filesize
312KB

Download
memory/4088-18-0x00000000013E0000-0x00000000013E1000-memory.dmp

Filesize
4KB

Download
memory/4088-20-0x0000000020000000-0x0000000020027000-memory.dmp

Filesize
156KB

Download
memory/4236-27-0x00000000013A0000-0x00000000013A1000-memory.dmp

Filesize
4KB

Download
memory/4236-30-0x0000000020000000-0x0000000020027000-memory.dmp

Filesize
156KB

Download