gh0strat | 71543c8e405705e9bbebc3f7f0d6bb954c0f4da8e00ead618ff263ed3ba144be

General

Target

JaffaCakes118_497730398d40b55e7e969e8784b68a95.exe
Size

220KB
MD5

497730398d40b55e7e969e8784b68a95
SHA1

f0a84bc368acead6be937eae9192a7e24f878e46
SHA256

71543c8e405705e9bbebc3f7f0d6bb954c0f4da8e00ead618ff263ed3ba144be
SHA512

f1a72f2335daec7faa3e2a97abe0ce05a4f6946dd27fd2e635b4179ad240c05d3c5d77da0bd37f0c4d9e2834b74a9deea823aa8ab4fa99d52618df8babe04ecc
SSDEEP

6144:eOPj2DfX0VSn3mZJRH3pyv9i0MTUC4+OpSLWg4:r2fk42H3pkE0MTj4LSa1

Score

10^/10

gh0strat bootkit discovery persistence rat

Malware Config

Signatures

Gh0st RAT payload 4 IoCs

resource	yara_rule
behavioral1/memory/2968-25-0x0000000000400000-0x0000000001955000-memory.dmp	family_gh0strat
behavioral1/memory/2188-30-0x0000000000400000-0x0000000001955000-memory.dmp	family_gh0strat
behavioral1/files/0x00080000000173f1-33.dat	family_gh0strat
behavioral1/memory/2188-35-0x0000000000400000-0x0000000001955000-memory.dmp	family_gh0strat

Gh0strat
Gh0st RAT is a remote access tool (RAT) with its source code public and it has been used by multiple Chinese groups.
rat gh0strat
Gh0strat family
gh0strat

Executes dropped EXE 2 IoCs

pid	Process
2968	A-Easy.exe
2188	igrxkijwcu

Loads dropped DLL 8 IoCs

pid	Process
2084	JaffaCakes118_497730398d40b55e7e969e8784b68a95.exe
2084	JaffaCakes118_497730398d40b55e7e969e8784b68a95.exe
2968	A-Easy.exe
2968	A-Easy.exe
2968	A-Easy.exe
2968	A-Easy.exe
2968	A-Easy.exe
2796	svchost.exe

Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs

Bootkits write to the MBR to gain persistence at a level below the operating system.

bootkit persistence

Bootkit

T1542.003

description	ioc	Process
File opened for modification	\??\PhysicalDrive0	svchost.exe

Drops file in System32 directory 2 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\onxcjiogwi	svchost.exe
File created	C:\Windows\SysWOW64\ovmurlqekd	svchost.exe

Drops file in Program Files directory 5 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Common Files\%SESSIONNAME%\A-Easy.exe	JaffaCakes118_497730398d40b55e7e969e8784b68a95.exe
File created	\??\c:\program files (x86)\common files\igrxkijwcu	A-Easy.exe
File opened for modification	\??\c:\program files (x86)\common files\igrxkijwcu	A-Easy.exe
File opened for modification	C:\Program Files (x86)\NetMeeting\%SESSIONNAME%\fnjyo.cc3	igrxkijwcu
File created	C:\Program Files (x86)\Common Files\%SESSIONNAME%\coqebmlmco	igrxkijwcu

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_497730398d40b55e7e969e8784b68a95.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	A-Easy.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	igrxkijwcu
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	svchost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	svchost.exe

Modifies data under HKEY_USERS 6 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\Software	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\ActiveMovie	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\ActiveMovie\devenum	svchost.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\ActiveMovie\devenum\Version = "7"	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum	svchost.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
2188	igrxkijwcu
2796	svchost.exe
2796	svchost.exe
2796	svchost.exe

Suspicious use of AdjustPrivilegeToken 18 IoCs

description	pid	Process
Token: SeRestorePrivilege	2188	igrxkijwcu
Token: SeBackupPrivilege	2188	igrxkijwcu
Token: SeBackupPrivilege	2188	igrxkijwcu
Token: SeRestorePrivilege	2188	igrxkijwcu
Token: SeBackupPrivilege	2796	svchost.exe
Token: SeRestorePrivilege	2796	svchost.exe
Token: SeBackupPrivilege	2796	svchost.exe
Token: SeBackupPrivilege	2796	svchost.exe
Token: SeSecurityPrivilege	2796	svchost.exe
Token: SeSecurityPrivilege	2796	svchost.exe
Token: SeBackupPrivilege	2796	svchost.exe
Token: SeBackupPrivilege	2796	svchost.exe
Token: SeSecurityPrivilege	2796	svchost.exe
Token: SeBackupPrivilege	2796	svchost.exe
Token: SeBackupPrivilege	2796	svchost.exe
Token: SeSecurityPrivilege	2796	svchost.exe
Token: SeBackupPrivilege	2796	svchost.exe
Token: SeRestorePrivilege	2796	svchost.exe

Suspicious use of WriteProcessMemory 14 IoCs

description	pid	Process	procid_target
PID 2084 wrote to memory of 2968	2084	JaffaCakes118_497730398d40b55e7e969e8784b68a95.exe	31
PID 2084 wrote to memory of 2968	2084	JaffaCakes118_497730398d40b55e7e969e8784b68a95.exe	31
PID 2084 wrote to memory of 2968	2084	JaffaCakes118_497730398d40b55e7e969e8784b68a95.exe	31
PID 2084 wrote to memory of 2968	2084	JaffaCakes118_497730398d40b55e7e969e8784b68a95.exe	31
PID 2084 wrote to memory of 2968	2084	JaffaCakes118_497730398d40b55e7e969e8784b68a95.exe	31
PID 2084 wrote to memory of 2968	2084	JaffaCakes118_497730398d40b55e7e969e8784b68a95.exe	31
PID 2084 wrote to memory of 2968	2084	JaffaCakes118_497730398d40b55e7e969e8784b68a95.exe	31
PID 2968 wrote to memory of 2188	2968	A-Easy.exe	32
PID 2968 wrote to memory of 2188	2968	A-Easy.exe	32
PID 2968 wrote to memory of 2188	2968	A-Easy.exe	32
PID 2968 wrote to memory of 2188	2968	A-Easy.exe	32
PID 2968 wrote to memory of 2188	2968	A-Easy.exe	32
PID 2968 wrote to memory of 2188	2968	A-Easy.exe	32
PID 2968 wrote to memory of 2188	2968	A-Easy.exe	32

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_497730398d40b55e7e969e8784b68a95.exe
"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_497730398d40b55e7e969e8784b68a95.exe"
1⤵
- Loads dropped DLL
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2084
- C:\Program Files (x86)\Common Files\%SESSIONNAME%\A-Easy.exe
  "C:\Program Files (x86)\Common Files\%SESSIONNAME%\A-Easy.exe" /S
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Program Files directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2968
- - \??\c:\program files (x86)\common files\igrxkijwcu
    "C:\Program Files (x86)\Common Files\%SESSIONNAME%\A-Easy.exe" /S a -sc:\program files (x86)\common files\%sessionname%\a-easy.exe
    3⤵
    - Executes dropped EXE
    - Drops file in Program Files directory
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2188

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k netsvcs
1⤵
- Loads dropped DLL
- Writes to the Master Boot Record (MBR)
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Checks processor information in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2796

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Pre-OS Boot

1

T1542

Bootkit

1

T1542.003

Privilege Escalation

Defense Evasion

Pre-OS Boot

1

T1542

Bootkit

1

T1542.003

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Common Files\igrxkijwcu

Filesize
24.6MB

MD5
496f6b35e848dd29109b7d926f4b48ef

SHA1
40367cddb29fe31feeec1c42fd04d6daeed401b2

SHA256
a78fe9bfdeb9686c7f9770b1db38a151743d2ac628f8d3a4fdbf5a6220bd7a3e

SHA512
3ffa0821bfc3b79c5ed2342720d14a259f2e8b041f784aa64b135d9921761005b11509f68df1c18bb44c1cedae06904bf90d19df644ab296b64c55238f0c91b6

Download Submit
\??\c:\program files (x86)\netmeeting\%sessionname%\fnjyo.cc3

Filesize
24.0MB

MD5
4e3ad63243d82b06060fb2945c63b220

SHA1
c929e42d188459ebd61bbfd804883c5b0eea6126

SHA256
c86094ab7c64c6cc90e6211cb843f352e26fd9656911d07bc4dbd78f5ee624bf

SHA512
d7b22c8b19c74c702b3497e0cb691e6bbc242ba32fd0ff78ef09c10a6fe5c5332523b9779503ca68cbce1b36bb709b4630a337fc0959cf8e58f5152194f5a640

Download Submit
\Program Files (x86)\Common Files\%SESSIONNAME%\A-Easy.exe

Filesize
21.2MB

MD5
a006d9dc4a5974858f3509db67ee01c0

SHA1
756d7cd8f9c6f107cac1caee19ae69ffc733ab18

SHA256
eadbd396b7a7921fcf1c315325a91baf81a16f83712b71c53491f8eca40cad1f

SHA512
b1c293a21348825ddc25f9ffc2891a958e4c1c95f414401c83e2487fb16aab65593c26f7e3645012ecf07592956bc4b2382f4e63d018c28856e094268354962a

Download Submit
memory/2084-14-0x0000000004D40000-0x0000000006295000-memory.dmp

Filesize
21.3MB

Download
memory/2188-27-0x0000000000400000-0x0000000001955000-memory.dmp

Filesize
21.3MB

Download
memory/2188-30-0x0000000000400000-0x0000000001955000-memory.dmp

Filesize
21.3MB

Download
memory/2188-35-0x0000000000400000-0x0000000001955000-memory.dmp

Filesize
21.3MB

Download
memory/2796-36-0x0000000000180000-0x0000000000181000-memory.dmp

Filesize
4KB

Download
memory/2968-13-0x0000000000400000-0x0000000001955000-memory.dmp

Filesize
21.3MB

Download
memory/2968-28-0x0000000002180000-0x00000000036D5000-memory.dmp

Filesize
21.3MB

Download
memory/2968-25-0x0000000000400000-0x0000000001955000-memory.dmp

Filesize
21.3MB

Download
memory/2968-29-0x0000000002180000-0x00000000036D5000-memory.dmp

Filesize
21.3MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads