gh0strat | 8f9bf1ea83892e542a0f49c3a7f570416e215b6b0ba76335f33d03acaab0cc63

Analysis

max time kernel
149s
max time network
154s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
28-01-2025 04:08

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

JaffaCakes118_46b8c6e121b543f1f32ddf3e03e6e23c.exe
Size

96KB
MD5

46b8c6e121b543f1f32ddf3e03e6e23c
SHA1

776d5915dcaaf8960ef8c1b197b022c9a34f512f
SHA256

8f9bf1ea83892e542a0f49c3a7f570416e215b6b0ba76335f33d03acaab0cc63
SHA512

68a9b5acc2a29f271e1ac573a4d731ca701b8b2aebc18dfdc745991674e6d15a4f5d52a9884436b58357f8f26c20af42fac812b85a3b2cf13243d6a452e5508c
SSDEEP

1536:4IFusSx9qYMhdFHS8qdydo3nTzhYxJA+CwNUtBZVY9v8prRBJIl0Hq3Ys:4aS4jHS8q/3nTzePCwNUh4E9RQ0K3Ys

Score

10^/10

gh0strat discovery rat

Malware Config

Signatures

Gh0st RAT payload 5 IoCs

resource	yara_rule
behavioral2/files/0x000a000000023b91-15.dat	family_gh0strat
behavioral2/memory/2872-17-0x0000000000400000-0x000000000044E31C-memory.dmp	family_gh0strat
behavioral2/memory/4920-20-0x0000000020000000-0x0000000020027000-memory.dmp	family_gh0strat
behavioral2/memory/4792-25-0x0000000020000000-0x0000000020027000-memory.dmp	family_gh0strat
behavioral2/memory/5052-30-0x0000000020000000-0x0000000020027000-memory.dmp	family_gh0strat

Gh0strat
Gh0st RAT is a remote access tool (RAT) with its source code public and it has been used by multiple Chinese groups.
rat gh0strat
Gh0strat family
gh0strat

Deletes itself 1 IoCs

pid	Process
2872	mxfsgmrtcj

Executes dropped EXE 1 IoCs

pid	Process
2872	mxfsgmrtcj

Loads dropped DLL 3 IoCs

pid	Process
4920	svchost.exe
4792	svchost.exe
5052	svchost.exe

Drops file in System32 directory 6 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\osempdtnqv	svchost.exe
File opened for modification	C:\Windows\SysWOW64\svchost.exe.txt	svchost.exe
File created	C:\Windows\SysWOW64\obsgxgvkeq	svchost.exe
File opened for modification	C:\Windows\SysWOW64\svchost.exe.txt	svchost.exe
File created	C:\Windows\SysWOW64\ojgygjyiql	svchost.exe
File opened for modification	C:\Windows\SysWOW64\svchost.exe.txt	svchost.exe

Program crash 3 IoCs

pid	pid_target	Process	procid_target
4796	4920	WerFault.exe	83
2368	4792	WerFault.exe	91
3884	5052	WerFault.exe	94

System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mxfsgmrtcj
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_46b8c6e121b543f1f32ddf3e03e6e23c.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
2872	mxfsgmrtcj
2872	mxfsgmrtcj

Suspicious use of AdjustPrivilegeToken 46 IoCs

description	pid	Process
Token: SeRestorePrivilege	2872	mxfsgmrtcj
Token: SeBackupPrivilege	2872	mxfsgmrtcj
Token: SeBackupPrivilege	2872	mxfsgmrtcj
Token: SeRestorePrivilege	2872	mxfsgmrtcj
Token: SeBackupPrivilege	4920	svchost.exe
Token: SeRestorePrivilege	4920	svchost.exe
Token: SeBackupPrivilege	4920	svchost.exe
Token: SeBackupPrivilege	4920	svchost.exe
Token: SeSecurityPrivilege	4920	svchost.exe
Token: SeSecurityPrivilege	4920	svchost.exe
Token: SeBackupPrivilege	4920	svchost.exe
Token: SeBackupPrivilege	4920	svchost.exe
Token: SeSecurityPrivilege	4920	svchost.exe
Token: SeBackupPrivilege	4920	svchost.exe
Token: SeBackupPrivilege	4920	svchost.exe
Token: SeSecurityPrivilege	4920	svchost.exe
Token: SeBackupPrivilege	4920	svchost.exe
Token: SeRestorePrivilege	4920	svchost.exe
Token: SeBackupPrivilege	4792	svchost.exe
Token: SeRestorePrivilege	4792	svchost.exe
Token: SeBackupPrivilege	4792	svchost.exe
Token: SeBackupPrivilege	4792	svchost.exe
Token: SeSecurityPrivilege	4792	svchost.exe
Token: SeSecurityPrivilege	4792	svchost.exe
Token: SeBackupPrivilege	4792	svchost.exe
Token: SeBackupPrivilege	4792	svchost.exe
Token: SeSecurityPrivilege	4792	svchost.exe
Token: SeBackupPrivilege	4792	svchost.exe
Token: SeBackupPrivilege	4792	svchost.exe
Token: SeSecurityPrivilege	4792	svchost.exe
Token: SeBackupPrivilege	4792	svchost.exe
Token: SeRestorePrivilege	4792	svchost.exe
Token: SeBackupPrivilege	5052	svchost.exe
Token: SeRestorePrivilege	5052	svchost.exe
Token: SeBackupPrivilege	5052	svchost.exe
Token: SeBackupPrivilege	5052	svchost.exe
Token: SeSecurityPrivilege	5052	svchost.exe
Token: SeSecurityPrivilege	5052	svchost.exe
Token: SeBackupPrivilege	5052	svchost.exe
Token: SeBackupPrivilege	5052	svchost.exe
Token: SeSecurityPrivilege	5052	svchost.exe
Token: SeBackupPrivilege	5052	svchost.exe
Token: SeBackupPrivilege	5052	svchost.exe
Token: SeSecurityPrivilege	5052	svchost.exe
Token: SeBackupPrivilege	5052	svchost.exe
Token: SeRestorePrivilege	5052	svchost.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 1044 wrote to memory of 2872	1044	JaffaCakes118_46b8c6e121b543f1f32ddf3e03e6e23c.exe	82
PID 1044 wrote to memory of 2872	1044	JaffaCakes118_46b8c6e121b543f1f32ddf3e03e6e23c.exe	82
PID 1044 wrote to memory of 2872	1044	JaffaCakes118_46b8c6e121b543f1f32ddf3e03e6e23c.exe	82

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_46b8c6e121b543f1f32ddf3e03e6e23c.exe
"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_46b8c6e121b543f1f32ddf3e03e6e23c.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1044
- \??\c:\users\admin\appdata\local\mxfsgmrtcj
  "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_46b8c6e121b543f1f32ddf3e03e6e23c.exe" a -sc:\users\admin\appdata\local\temp\jaffacakes118_46b8c6e121b543f1f32ddf3e03e6e23c.exe
  2⤵
  - Deletes itself
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2872

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k netsvcs -s fastuserswitchingcompatibility
1⤵
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
PID:4920
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 4920 -s 816
  2⤵
  - Program crash
  PID:4796

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 4920 -ip 4920
1⤵
PID:936

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k netsvcs -s fastuserswitchingcompatibility
1⤵
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
PID:4792
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 4792 -s 916
  2⤵
  - Program crash
  PID:2368

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 472 -p 4792 -ip 4792
1⤵
PID:3960

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k netsvcs -s fastuserswitchingcompatibility
1⤵
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
PID:5052
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 5052 -s 748
  2⤵
  - Program crash
  PID:3884

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 5052 -ip 5052
1⤵
PID:2704

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\mxfsgmrtcj

Filesize
21.4MB

MD5
0652bc3eec6eb677614839247576d865

SHA1
9065b5dfbfdb9dcdecd357fa34ba2c82a0a0cd19

SHA256
a1339b29ae0c9aece2731414db29dc1a1c7b165b9b4bcebefba7c389b229688c

SHA512
ca962f7096a5a4b6083641c12ce8219e41c33c957fb6897de6b6af0ed4e8376caa3e2a7484e4af6131f1716c6ecc538796263fbae67d73e4fcf423d90bd02c63

Download Submit
C:\Windows\SysWOW64\svchost.exe.txt

Filesize
200B

MD5
70efd2651f48cbf5ef35d3672143a65f

SHA1
89c9a5c34240510698a55358a06c89aac3fc22fc

SHA256
4dafc1fb757f22332e55c97c2e4edbd34b43cc15000dde62877cacb93d476562

SHA512
6de317b70eee0c7431ba613e5cbf22bd4d98353d34378c47f301dcae487ad625dc600303a70974be4e20c56cd7f4072097609dfd50030d586f90eff096f7269f

Download Submit
C:\Windows\SysWOW64\svchost.exe.txt

Filesize
300B

MD5
1a0ffb6eaa1b449e36c8977a38e52708

SHA1
0a394b51323bc3b08514c4babdb5b6400e21d300

SHA256
9ee70d9ca8551568bf5134d444a9d001b3480025532e5d907c9fdc330a3c101b

SHA512
ddd42015b67cc06f323f52bbbc966b016854938da0dae998fec7f160d27627f51b394fc1faa697a34e0951ca0ce689c0344e4d9d9acc9dc060681ae06db87696

Download Submit
\??\c:\programdata\application data\storm\update\%sessionname%\noiut.cc3

Filesize
23.1MB

MD5
94df5171ea4948512a9136d4b3b2bf83

SHA1
7dc4d5ac427af136c111cc3a0d13f6b5faff0452

SHA256
0747236e4e5c4d116c499c7554f0d614935f579170fb776d30403d375d223266

SHA512
4eae0c91e5e9024c7015c282f584455e2fe6f1f0939b255991a1f524edec2df617b47731e3dca36f603121c25f54232b22705d1e3a55de0f0fc4817f2c1f2431

Download Submit
memory/1044-2-0x00000000001D0000-0x00000000001D1000-memory.dmp

Filesize
4KB

Download
memory/1044-8-0x0000000000400000-0x000000000044E31C-memory.dmp

Filesize
312KB

Download
memory/1044-0-0x0000000000400000-0x000000000044E31C-memory.dmp

Filesize
312KB

Download
memory/2872-12-0x0000000000400000-0x000000000044E31C-memory.dmp

Filesize
312KB

Download
memory/2872-11-0x00000000001D0000-0x00000000001D1000-memory.dmp

Filesize
4KB

Download
memory/2872-17-0x0000000000400000-0x000000000044E31C-memory.dmp

Filesize
312KB

Download
memory/4792-25-0x0000000020000000-0x0000000020027000-memory.dmp

Filesize
156KB

Download
memory/4792-22-0x00000000017C0000-0x00000000017C1000-memory.dmp

Filesize
4KB

Download
memory/4920-20-0x0000000020000000-0x0000000020027000-memory.dmp

Filesize
156KB

Download
memory/4920-18-0x0000000000FF0000-0x0000000000FF1000-memory.dmp

Filesize
4KB

Download
memory/5052-27-0x0000000001BE0000-0x0000000001BE1000-memory.dmp

Filesize
4KB

Download
memory/5052-30-0x0000000020000000-0x0000000020027000-memory.dmp

Filesize
156KB

Download