gh0strat | a35881e98b0df8d24eea1b78852ec6921ebcf0cf16bfeafd5da3453bdc4fc308

General

Target

JaffaCakes118_47bc7aa23e046580e54a596f2301f73a.exe
Size

951KB
MD5

47bc7aa23e046580e54a596f2301f73a
SHA1

19f375d03b5a2d1fc8c05f18ebc2bb17304f54f0
SHA256

a35881e98b0df8d24eea1b78852ec6921ebcf0cf16bfeafd5da3453bdc4fc308
SHA512

46733f43604a26e0eed422b2fb6187e694edeb0311ccf4fc2ac939d80544a172bd3c69112553c234a0d02ce63ac906244e09db7777af0ad7d2031fd44c272509
SSDEEP

24576:hdufRX5CR3lXuOV2VfBEC1pGBWrvXABdswIo5Ao:hdUI3NNC1pHvwt

Score

10^/10

gh0strat defense_evasion discovery persistence rat trojan

Malware Config

Signatures

Gh0st RAT payload 7 IoCs

resource	yara_rule
behavioral1/memory/1960-4-0x0000000000400000-0x000000000060C000-memory.dmp	family_gh0strat
behavioral1/memory/1960-8-0x0000000000400000-0x000000000060C000-memory.dmp	family_gh0strat
behavioral1/memory/1708-21-0x0000000000400000-0x000000000060C000-memory.dmp	family_gh0strat
behavioral1/memory/1708-22-0x0000000000400000-0x000000000060C000-memory.dmp	family_gh0strat
behavioral1/memory/1708-23-0x0000000000400000-0x000000000060C000-memory.dmp	family_gh0strat
behavioral1/memory/1708-27-0x0000000000400000-0x000000000060C000-memory.dmp	family_gh0strat
behavioral1/files/0x0007000000016cab-28.dat	family_gh0strat

Gh0strat
Gh0st RAT is a remote access tool (RAT) with its source code public and it has been used by multiple Chinese groups.
rat gh0strat
Gh0strat family
gh0strat

Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 2 IoCs

defense_evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	JaffaCakes118_47bc7aa23e046580e54a596f2301f73a.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	inetlfmxc.exe

Boot or Logon Autostart Execution: Active Setup 2 TTPs 2 IoCs

Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

persistence

Active Setup

T1547.014

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{BBA4B659-BD96-47c4-9C74-4AAD668A9E45}	JaffaCakes118_47bc7aa23e046580e54a596f2301f73a.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{BBA4B659-BD96-47c4-9C74-4AAD668A9E45}\stubpath = "C:\\Windows\\system32\\inetlfmxc.exe"	JaffaCakes118_47bc7aa23e046580e54a596f2301f73a.exe

Executes dropped EXE 1 IoCs

pid	Process
1708	inetlfmxc.exe

Identifies Wine through registry keys 2 TTPs 2 IoCs

Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.

defense_evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Wine	JaffaCakes118_47bc7aa23e046580e54a596f2301f73a.exe
Key opened	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Wine	inetlfmxc.exe

Loads dropped DLL 5 IoCs

pid	Process
1960	JaffaCakes118_47bc7aa23e046580e54a596f2301f73a.exe
1708	inetlfmxc.exe
1708	inetlfmxc.exe
1708	inetlfmxc.exe
2724	userinit.exe

Checks whether UAC is enabled 1 TTPs 2 IoCs

defense_evasion trojan

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	JaffaCakes118_47bc7aa23e046580e54a596f2301f73a.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	inetlfmxc.exe

Drops file in System32 directory 2 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\inetlfmxc.exe_lang.ini	JaffaCakes118_47bc7aa23e046580e54a596f2301f73a.exe
File created	C:\Windows\SysWOW64\inetlfmxc.exe	JaffaCakes118_47bc7aa23e046580e54a596f2301f73a.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs

pid	Process
1960	JaffaCakes118_47bc7aa23e046580e54a596f2301f73a.exe
1708	inetlfmxc.exe

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_47bc7aa23e046580e54a596f2301f73a.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	inetlfmxc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	userinit.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
1960	JaffaCakes118_47bc7aa23e046580e54a596f2301f73a.exe
1960	JaffaCakes118_47bc7aa23e046580e54a596f2301f73a.exe
1708	inetlfmxc.exe
1708	inetlfmxc.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	1960	JaffaCakes118_47bc7aa23e046580e54a596f2301f73a.exe
Token: SeDebugPrivilege	1708	inetlfmxc.exe

Suspicious use of WriteProcessMemory 15 IoCs

description	pid	Process	procid_target
PID 1960 wrote to memory of 1708	1960	JaffaCakes118_47bc7aa23e046580e54a596f2301f73a.exe	31
PID 1960 wrote to memory of 1708	1960	JaffaCakes118_47bc7aa23e046580e54a596f2301f73a.exe	31
PID 1960 wrote to memory of 1708	1960	JaffaCakes118_47bc7aa23e046580e54a596f2301f73a.exe	31
PID 1960 wrote to memory of 1708	1960	JaffaCakes118_47bc7aa23e046580e54a596f2301f73a.exe	31
PID 1960 wrote to memory of 1708	1960	JaffaCakes118_47bc7aa23e046580e54a596f2301f73a.exe	31
PID 1960 wrote to memory of 1708	1960	JaffaCakes118_47bc7aa23e046580e54a596f2301f73a.exe	31
PID 1960 wrote to memory of 1708	1960	JaffaCakes118_47bc7aa23e046580e54a596f2301f73a.exe	31
PID 1708 wrote to memory of 2724	1708	inetlfmxc.exe	32
PID 1708 wrote to memory of 2724	1708	inetlfmxc.exe	32
PID 1708 wrote to memory of 2724	1708	inetlfmxc.exe	32
PID 1708 wrote to memory of 2724	1708	inetlfmxc.exe	32
PID 1708 wrote to memory of 2724	1708	inetlfmxc.exe	32
PID 1708 wrote to memory of 2724	1708	inetlfmxc.exe	32
PID 1708 wrote to memory of 2724	1708	inetlfmxc.exe	32
PID 1708 wrote to memory of 2724	1708	inetlfmxc.exe	32

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_47bc7aa23e046580e54a596f2301f73a.exe
"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_47bc7aa23e046580e54a596f2301f73a.exe"
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Boot or Logon Autostart Execution: Active Setup
- Identifies Wine through registry keys
- Loads dropped DLL
- Checks whether UAC is enabled
- Drops file in System32 directory
- Suspicious use of NtSetInformationThreadHideFromDebugger
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1960
- C:\Windows\SysWOW64\inetlfmxc.exe
  C:\Windows\system32\inetlfmxc.exe
  2⤵
  - Identifies VirtualBox via ACPI registry values (likely anti-VM)
  - Executes dropped EXE
  - Identifies Wine through registry keys
  - Loads dropped DLL
  - Checks whether UAC is enabled
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1708
- - C:\Windows\SysWOW64\userinit.exe
    userinit.exe
    3⤵
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    PID:2724

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Active Setup

1

T1547.014

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Active Setup

1

T1547.014

Defense Evasion

Modify Registry

1

T1112

Virtualization/Sandbox Evasion

2

T1497

Credential Access

Discovery

Query Registry

2

T1012

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Virtualization/Sandbox Evasion

2

T1497

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\259457602_lang.dll

Filesize
122KB

MD5
24fabeaf14c70ae499ef7e6178608bf4

SHA1
b39099cc183a6abfe6509c0e8cfa6d5a3c5c89be

SHA256
e9572ee499f36393f56d4730b8c4c381005552a40a8564a38f75adfd02b7c4e3

SHA512
4b14141c65eb8bd2c16e0a999a6fcae9977b95e93c8198f03df47f9cbf3c27e420216260c980dd995071c37f295d0c3e0c8953a874a23ea4be54e575e0594573

Download Submit
\Windows\SysWOW64\inetlfmxc.exe

Filesize
951KB

MD5
c13f44ec7ee7ec5a903c64648ab343d5

SHA1
f8bd211e5001e0b94e8b390c230e5bed53fdbcc4

SHA256
5d097f292954ce8a2df7c4b9fce1458b32f5b512efb449c9473e9e42c838ca2b

SHA512
f96c4bc18971f0c57daf365442d9029bfd0b760453851c5e961e1819fdb11e40d28a341d31877ed9a633d5d1b48217ecb2333b2545bfec5264180af4ae85eae8

Download Submit
memory/1708-23-0x0000000000400000-0x000000000060C000-memory.dmp

Filesize
2.0MB

Download
memory/1708-19-0x0000000000AF0000-0x0000000000CFC000-memory.dmp

Filesize
2.0MB

Download
memory/1708-27-0x0000000000400000-0x000000000060C000-memory.dmp

Filesize
2.0MB

Download
memory/1708-22-0x0000000000400000-0x000000000060C000-memory.dmp

Filesize
2.0MB

Download
memory/1708-21-0x0000000000400000-0x000000000060C000-memory.dmp

Filesize
2.0MB

Download
memory/1708-20-0x0000000000AF0000-0x0000000000CFC000-memory.dmp

Filesize
2.0MB

Download
memory/1960-3-0x0000000000401000-0x0000000000405000-memory.dmp

Filesize
16KB

Download
memory/1960-13-0x0000000002F60000-0x000000000316C000-memory.dmp

Filesize
2.0MB

Download
memory/1960-2-0x0000000000660000-0x0000000000662000-memory.dmp

Filesize
8KB

Download
memory/1960-8-0x0000000000400000-0x000000000060C000-memory.dmp

Filesize
2.0MB

Download
memory/1960-0-0x0000000000400000-0x000000000060C000-memory.dmp

Filesize
2.0MB

Download
memory/1960-4-0x0000000000400000-0x000000000060C000-memory.dmp

Filesize
2.0MB

Download
memory/1960-1-0x0000000000BE0000-0x0000000000DEC000-memory.dmp

Filesize
2.0MB

Download
memory/2724-26-0x00000000000D0000-0x00000000000D1000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads