gh0strat | a35881e98b0df8d24eea1b78852ec6921ebcf0cf16bfeafd5da3453bdc4fc308

General

Target

JaffaCakes118_47bc7aa23e046580e54a596f2301f73a.exe
Size

951KB
MD5

47bc7aa23e046580e54a596f2301f73a
SHA1

19f375d03b5a2d1fc8c05f18ebc2bb17304f54f0
SHA256

a35881e98b0df8d24eea1b78852ec6921ebcf0cf16bfeafd5da3453bdc4fc308
SHA512

46733f43604a26e0eed422b2fb6187e694edeb0311ccf4fc2ac939d80544a172bd3c69112553c234a0d02ce63ac906244e09db7777af0ad7d2031fd44c272509
SSDEEP

24576:hdufRX5CR3lXuOV2VfBEC1pGBWrvXABdswIo5Ao:hdUI3NNC1pHvwt

Score

10^/10

gh0strat defense_evasion discovery persistence rat

Malware Config

Signatures

Gh0st RAT payload 11 IoCs

resource	yara_rule
behavioral2/memory/2552-8-0x0000000000400000-0x000000000060C000-memory.dmp	family_gh0strat
behavioral2/memory/2552-9-0x0000000000400000-0x000000000060C000-memory.dmp	family_gh0strat
behavioral2/memory/2552-10-0x0000000000400000-0x000000000060C000-memory.dmp	family_gh0strat
behavioral2/memory/2552-14-0x0000000000400000-0x000000000060C000-memory.dmp	family_gh0strat
behavioral2/memory/3616-21-0x0000000000400000-0x000000000060C000-memory.dmp	family_gh0strat
behavioral2/memory/3616-20-0x0000000000400000-0x000000000060C000-memory.dmp	family_gh0strat
behavioral2/memory/3616-23-0x0000000000400000-0x000000000060C000-memory.dmp	family_gh0strat
behavioral2/memory/3616-24-0x0000000000400000-0x000000000060C000-memory.dmp	family_gh0strat
behavioral2/memory/3616-22-0x0000000000400000-0x000000000060C000-memory.dmp	family_gh0strat
behavioral2/files/0x0008000000023bc3-29.dat	family_gh0strat
behavioral2/memory/3616-27-0x0000000000400000-0x000000000060C000-memory.dmp	family_gh0strat

Gh0strat
Gh0st RAT is a remote access tool (RAT) with its source code public and it has been used by multiple Chinese groups.
rat gh0strat
Gh0strat family
gh0strat

Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 2 IoCs

defense_evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	JaffaCakes118_47bc7aa23e046580e54a596f2301f73a.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	inldtepix.exe

Boot or Logon Autostart Execution: Active Setup 2 TTPs 2 IoCs

Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

persistence

Active Setup

T1547.014

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{C9867BCD-B791-403d-B70A-E8956A09C1EE}	JaffaCakes118_47bc7aa23e046580e54a596f2301f73a.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{C9867BCD-B791-403d-B70A-E8956A09C1EE}\stubpath = "C:\\Windows\\system32\\inldtepix.exe"	JaffaCakes118_47bc7aa23e046580e54a596f2301f73a.exe

Executes dropped EXE 1 IoCs

pid	Process
3616	inldtepix.exe

Identifies Wine through registry keys 2 TTPs 2 IoCs

Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.

defense_evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Software\Wine	JaffaCakes118_47bc7aa23e046580e54a596f2301f73a.exe
Key opened	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Software\Wine	inldtepix.exe

Loads dropped DLL 1 IoCs

pid	Process
3916	userinit.exe

Drops file in System32 directory 2 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\inldtepix.exe	JaffaCakes118_47bc7aa23e046580e54a596f2301f73a.exe
File opened for modification	C:\Windows\SysWOW64\inldtepix.exe_lang.ini	JaffaCakes118_47bc7aa23e046580e54a596f2301f73a.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs

pid	Process
2552	JaffaCakes118_47bc7aa23e046580e54a596f2301f73a.exe
3616	inldtepix.exe

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_47bc7aa23e046580e54a596f2301f73a.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	inldtepix.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	userinit.exe

Suspicious behavior: EnumeratesProcesses 8 IoCs

pid	Process
2552	JaffaCakes118_47bc7aa23e046580e54a596f2301f73a.exe
2552	JaffaCakes118_47bc7aa23e046580e54a596f2301f73a.exe
2552	JaffaCakes118_47bc7aa23e046580e54a596f2301f73a.exe
2552	JaffaCakes118_47bc7aa23e046580e54a596f2301f73a.exe
3616	inldtepix.exe
3616	inldtepix.exe
3616	inldtepix.exe
3616	inldtepix.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	2552	JaffaCakes118_47bc7aa23e046580e54a596f2301f73a.exe
Token: SeDebugPrivilege	3616	inldtepix.exe

Suspicious use of WriteProcessMemory 7 IoCs

description	pid	Process	procid_target
PID 2552 wrote to memory of 3616	2552	JaffaCakes118_47bc7aa23e046580e54a596f2301f73a.exe	82
PID 2552 wrote to memory of 3616	2552	JaffaCakes118_47bc7aa23e046580e54a596f2301f73a.exe	82
PID 2552 wrote to memory of 3616	2552	JaffaCakes118_47bc7aa23e046580e54a596f2301f73a.exe	82
PID 3616 wrote to memory of 3916	3616	inldtepix.exe	83
PID 3616 wrote to memory of 3916	3616	inldtepix.exe	83
PID 3616 wrote to memory of 3916	3616	inldtepix.exe	83
PID 3616 wrote to memory of 3916	3616	inldtepix.exe	83

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_47bc7aa23e046580e54a596f2301f73a.exe
"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_47bc7aa23e046580e54a596f2301f73a.exe"
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Boot or Logon Autostart Execution: Active Setup
- Identifies Wine through registry keys
- Drops file in System32 directory
- Suspicious use of NtSetInformationThreadHideFromDebugger
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2552
- C:\Windows\SysWOW64\inldtepix.exe
  C:\Windows\system32\inldtepix.exe
  2⤵
  - Identifies VirtualBox via ACPI registry values (likely anti-VM)
  - Executes dropped EXE
  - Identifies Wine through registry keys
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:3616
- - C:\Windows\SysWOW64\userinit.exe
    userinit.exe
    3⤵
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    PID:3916

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Active Setup

1

T1547.014

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Active Setup

1

T1547.014

Defense Evasion

Modify Registry

1

T1112

Virtualization/Sandbox Evasion

2

T1497

Credential Access

Discovery

Query Registry

2

T1012

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Virtualization/Sandbox Evasion

2

T1497

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\240622078_lang.dll

Filesize
122KB

MD5
438a0ef8a82ada2a12b88a5ced2210a9

SHA1
835ad257a40bd09008a4e4f3a7fb29ed72fa3ad9

SHA256
dd72a35f8bde47093b96db75ada55f1ca91400ca0dabebdedcf82501c742ed24

SHA512
09501ff5cb94518f2dc08746e302810326b8a734a7f6acdd315f80acf44dafe860c50a9d891d2fe4df4fa845848e633a3b9fdddecb065bfaeb98bcf5dc739f74

Download Submit
C:\Windows\SysWOW64\inldtepix.exe

Filesize
951KB

MD5
05e3454f3a5527b8cbd500c1c46107a8

SHA1
83e2f6761de0ba62d27f1e766e5ada9b17bda8de

SHA256
c7c54260a4f5f938053dcea746cdacea0a48504116369d7b0cedffa5a7f37a41

SHA512
117031b33bc6c21728dcb74dcadedbf60d77c79087a94cb38c6ef5a23a9534650659d6930920006d4abb3acee23ccc2ef03ce71120d8de209d002dc5cf458d32

Download Submit
memory/2552-10-0x0000000000400000-0x000000000060C000-memory.dmp

Filesize
2.0MB

Download
memory/2552-14-0x0000000000400000-0x000000000060C000-memory.dmp

Filesize
2.0MB

Download
memory/2552-5-0x00000000027A0000-0x00000000027A1000-memory.dmp

Filesize
4KB

Download
memory/2552-4-0x00000000027C0000-0x00000000027C1000-memory.dmp

Filesize
4KB

Download
memory/2552-3-0x0000000002780000-0x0000000002781000-memory.dmp

Filesize
4KB

Download
memory/2552-2-0x00000000027B0000-0x00000000027B1000-memory.dmp

Filesize
4KB

Download
memory/2552-8-0x0000000000400000-0x000000000060C000-memory.dmp

Filesize
2.0MB

Download
memory/2552-9-0x0000000000400000-0x000000000060C000-memory.dmp

Filesize
2.0MB

Download
memory/2552-0-0x0000000000400000-0x000000000060C000-memory.dmp

Filesize
2.0MB

Download
memory/2552-6-0x0000000002790000-0x0000000002791000-memory.dmp

Filesize
4KB

Download
memory/2552-7-0x0000000000401000-0x0000000000405000-memory.dmp

Filesize
16KB

Download
memory/2552-1-0x0000000077D74000-0x0000000077D76000-memory.dmp

Filesize
8KB

Download
memory/3616-21-0x0000000000400000-0x000000000060C000-memory.dmp

Filesize
2.0MB

Download
memory/3616-20-0x0000000000400000-0x000000000060C000-memory.dmp

Filesize
2.0MB

Download
memory/3616-23-0x0000000000400000-0x000000000060C000-memory.dmp

Filesize
2.0MB

Download
memory/3616-24-0x0000000000400000-0x000000000060C000-memory.dmp

Filesize
2.0MB

Download
memory/3616-22-0x0000000000400000-0x000000000060C000-memory.dmp

Filesize
2.0MB

Download
memory/3616-19-0x0000000000400000-0x000000000060C000-memory.dmp

Filesize
2.0MB

Download
memory/3616-27-0x0000000000400000-0x000000000060C000-memory.dmp

Filesize
2.0MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads