gh0strat | 36f8162d8d41854a20bf62d22a931ca4e6932d933a97c9909b07c17f62869129

Analysis

max time kernel
149s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
28-01-2025 03:54

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

JaffaCakes118_469a623cf95b01ba60220da7dccfbb1a.exe
Size

93KB
MD5

469a623cf95b01ba60220da7dccfbb1a
SHA1

997e8c83e8d5ffdf81f3729470811ce9ba79ecd4
SHA256

36f8162d8d41854a20bf62d22a931ca4e6932d933a97c9909b07c17f62869129
SHA512

260ea6a1ec3e6b8e7a2a87a6a7985f823145d205791f1f03c68a511f2dcf7b314fc91b1045f1da2e7886139590ab36284a32d94d7d33bc7f2ed7121e4e5a6aba
SSDEEP

1536:fpFusSx9qYMhdFHS8qdydo3nTzhYxJA+CwNUtBZVY9v8prCSQxr:f/S4jHS8q/3nTzePCwNUh4E90xr

Score

10^/10

gh0strat discovery rat

Malware Config

Signatures

Gh0st RAT payload 5 IoCs

resource	yara_rule
behavioral2/files/0x000b000000023b88-15.dat	family_gh0strat
behavioral2/memory/368-17-0x0000000000400000-0x000000000044F000-memory.dmp	family_gh0strat
behavioral2/memory/1728-20-0x0000000020000000-0x0000000020027000-memory.dmp	family_gh0strat
behavioral2/memory/4524-25-0x0000000020000000-0x0000000020027000-memory.dmp	family_gh0strat
behavioral2/memory/1944-30-0x0000000020000000-0x0000000020027000-memory.dmp	family_gh0strat

Gh0strat
Gh0st RAT is a remote access tool (RAT) with its source code public and it has been used by multiple Chinese groups.
rat gh0strat
Gh0strat family
gh0strat

Deletes itself 1 IoCs

pid	Process
368	mcyduhmfgu

Executes dropped EXE 1 IoCs

pid	Process
368	mcyduhmfgu

Loads dropped DLL 3 IoCs

pid	Process
1728	svchost.exe
4524	svchost.exe
1944	svchost.exe

Drops file in System32 directory 7 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\svchost.exe.txt	svchost.exe
File created	C:\Windows\SysWOW64\mctcriwksm	svchost.exe
File opened for modification	C:\Windows\SysWOW64\svchost.exe.txt	svchost.exe
File created	C:\Windows\SysWOW64\mkiualyhfi	svchost.exe
File created	C:\Windows\SysWOW64\mkiualyhfi	svchost.exe
File opened for modification	C:\Windows\SysWOW64\svchost.exe.txt	svchost.exe
File created	C:\Windows\SysWOW64\mtwniocfsd	svchost.exe

Program crash 3 IoCs

pid	pid_target	Process	procid_target
3420	1728	WerFault.exe	88
5116	4524	WerFault.exe	93
4684	1944	WerFault.exe	96

System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_469a623cf95b01ba60220da7dccfbb1a.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mcyduhmfgu
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
368	mcyduhmfgu
368	mcyduhmfgu

Suspicious use of AdjustPrivilegeToken 46 IoCs

description	pid	Process
Token: SeRestorePrivilege	368	mcyduhmfgu
Token: SeBackupPrivilege	368	mcyduhmfgu
Token: SeBackupPrivilege	368	mcyduhmfgu
Token: SeRestorePrivilege	368	mcyduhmfgu
Token: SeBackupPrivilege	1728	svchost.exe
Token: SeRestorePrivilege	1728	svchost.exe
Token: SeBackupPrivilege	1728	svchost.exe
Token: SeBackupPrivilege	1728	svchost.exe
Token: SeSecurityPrivilege	1728	svchost.exe
Token: SeSecurityPrivilege	1728	svchost.exe
Token: SeBackupPrivilege	1728	svchost.exe
Token: SeBackupPrivilege	1728	svchost.exe
Token: SeSecurityPrivilege	1728	svchost.exe
Token: SeBackupPrivilege	1728	svchost.exe
Token: SeBackupPrivilege	1728	svchost.exe
Token: SeSecurityPrivilege	1728	svchost.exe
Token: SeBackupPrivilege	1728	svchost.exe
Token: SeRestorePrivilege	1728	svchost.exe
Token: SeBackupPrivilege	4524	svchost.exe
Token: SeRestorePrivilege	4524	svchost.exe
Token: SeBackupPrivilege	4524	svchost.exe
Token: SeBackupPrivilege	4524	svchost.exe
Token: SeSecurityPrivilege	4524	svchost.exe
Token: SeSecurityPrivilege	4524	svchost.exe
Token: SeBackupPrivilege	4524	svchost.exe
Token: SeBackupPrivilege	4524	svchost.exe
Token: SeSecurityPrivilege	4524	svchost.exe
Token: SeBackupPrivilege	4524	svchost.exe
Token: SeBackupPrivilege	4524	svchost.exe
Token: SeSecurityPrivilege	4524	svchost.exe
Token: SeBackupPrivilege	4524	svchost.exe
Token: SeRestorePrivilege	4524	svchost.exe
Token: SeBackupPrivilege	1944	svchost.exe
Token: SeRestorePrivilege	1944	svchost.exe
Token: SeBackupPrivilege	1944	svchost.exe
Token: SeBackupPrivilege	1944	svchost.exe
Token: SeSecurityPrivilege	1944	svchost.exe
Token: SeSecurityPrivilege	1944	svchost.exe
Token: SeBackupPrivilege	1944	svchost.exe
Token: SeBackupPrivilege	1944	svchost.exe
Token: SeSecurityPrivilege	1944	svchost.exe
Token: SeBackupPrivilege	1944	svchost.exe
Token: SeBackupPrivilege	1944	svchost.exe
Token: SeSecurityPrivilege	1944	svchost.exe
Token: SeBackupPrivilege	1944	svchost.exe
Token: SeRestorePrivilege	1944	svchost.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 4488 wrote to memory of 368	4488	JaffaCakes118_469a623cf95b01ba60220da7dccfbb1a.exe	83
PID 4488 wrote to memory of 368	4488	JaffaCakes118_469a623cf95b01ba60220da7dccfbb1a.exe	83
PID 4488 wrote to memory of 368	4488	JaffaCakes118_469a623cf95b01ba60220da7dccfbb1a.exe	83

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_469a623cf95b01ba60220da7dccfbb1a.exe
"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_469a623cf95b01ba60220da7dccfbb1a.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4488
- \??\c:\users\admin\appdata\local\mcyduhmfgu
  "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_469a623cf95b01ba60220da7dccfbb1a.exe" a -sc:\users\admin\appdata\local\temp\jaffacakes118_469a623cf95b01ba60220da7dccfbb1a.exe
  2⤵
  - Deletes itself
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:368

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k netsvcs -s fastuserswitchingcompatibility
1⤵
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
PID:1728
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 1728 -s 1104
  2⤵
  - Program crash
  PID:3420

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 436 -p 1728 -ip 1728
1⤵
PID:4072

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k netsvcs -s fastuserswitchingcompatibility
1⤵
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
PID:4524
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 4524 -s 944
  2⤵
  - Program crash
  PID:5116

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 536 -p 4524 -ip 4524
1⤵
PID:800

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k netsvcs -s fastuserswitchingcompatibility
1⤵
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
PID:1944
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 1944 -s 888
  2⤵
  - Program crash
  PID:4684

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 544 -p 1944 -ip 1944
1⤵
PID:736

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\mcyduhmfgu

Filesize
21.1MB

MD5
66dac2ed1e254a72c34950b3837382a5

SHA1
dbe629a0087058bb72fb685d0b0c9aedfc17cc15

SHA256
5046685d61b9946b55354deac1d5b37f2131be04b9527fdfcbb0629f2df4719c

SHA512
103489f22a50b8037ccb863b25d7c4000e4c2e6502d928ca685bc8578a8a2b56de09edfd4f52e5cf4c44304f420aff28f64ef216b870666cb17ef1c5ccf2d51c

Download Submit
C:\Windows\SysWOW64\svchost.exe.txt

Filesize
202B

MD5
48770e8f87be83f88f5ded53a893186a

SHA1
8db6c5f1d846b821bfb2d996575e34bb0c0ce1ad

SHA256
2a11d01b4e10794d4acac603af7325445f3d79a89a9fdde8072deaf1712ee5a5

SHA512
43c5773aef83cda12a70a6eb81417008108c47c7838337f0a8e088273d36c82b33ac0e1aa4e37de727f0c3feba9d797a8c8a992ff6d95e9c43a389c16038d1e4

Download Submit
C:\Windows\SysWOW64\svchost.exe.txt

Filesize
303B

MD5
16740fe5b1070905abc54cacb029a77e

SHA1
d537015121e594c0db07af2fd0ca88747eccb5a1

SHA256
353c193688bcffba0fb41120395600d06e706f655744c9b594bbbdf2bee66187

SHA512
3ec364598fa77b03d46f46accd1dfd5dd4d5cafc4d8a0c32f64f8a094fa3c8d605189d2365a72f2a6c18710edf5e70436677b226c9c45bc15caa927004199fe4

Download Submit
\??\c:\programdata\application data\storm\update\%sessionname%\wylpn.cc3

Filesize
22.1MB

MD5
55a75bf6d571e069d21d258e4653cd3b

SHA1
d42c63e4146e3ecb321d34f4d90b816d7efaa01f

SHA256
ae3a2111706f541c8a08b411718714a8806f49bf72862212f3556bf43e5d81f6

SHA512
10f4f27d1f80287a7d29da6a57f48a1f9094ccf3c553d39590b59dbe3ff805da202e7a26312f6712aa544047f30844fca70c504e0e717797aad80ac41e63a197

Download Submit
memory/368-10-0x00000000001D0000-0x00000000001D1000-memory.dmp

Filesize
4KB

Download
memory/368-7-0x0000000000400000-0x000000000044F000-memory.dmp

Filesize
316KB

Download
memory/368-17-0x0000000000400000-0x000000000044F000-memory.dmp

Filesize
316KB

Download
memory/1728-18-0x0000000001EE0000-0x0000000001EE1000-memory.dmp

Filesize
4KB

Download
memory/1728-20-0x0000000020000000-0x0000000020027000-memory.dmp

Filesize
156KB

Download
memory/1944-30-0x0000000020000000-0x0000000020027000-memory.dmp

Filesize
156KB

Download
memory/1944-27-0x00000000017F0000-0x00000000017F1000-memory.dmp

Filesize
4KB

Download
memory/4488-12-0x0000000000400000-0x000000000044F000-memory.dmp

Filesize
316KB

Download
memory/4488-0-0x0000000000400000-0x000000000044F000-memory.dmp

Filesize
316KB

Download
memory/4488-2-0x00000000001D0000-0x00000000001D1000-memory.dmp

Filesize
4KB

Download
memory/4524-25-0x0000000020000000-0x0000000020027000-memory.dmp

Filesize
156KB

Download
memory/4524-22-0x0000000000A80000-0x0000000000A81000-memory.dmp

Filesize
4KB

Download