gh0strat | 84c62b26f3aecbd61e19e7c21d9db9785c51f9eceeb86daaec2feb81687cfe58

Analysis

max time kernel
94s
max time network
141s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
28-01-2025 11:15

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

JaffaCakes118_4a44b5836d25a8d3807904c70f72e1cd.exe
Size

95KB
MD5

4a44b5836d25a8d3807904c70f72e1cd
SHA1

710c47f410c9ff8bb19c8ccf6e60f2ab457a5c74
SHA256

84c62b26f3aecbd61e19e7c21d9db9785c51f9eceeb86daaec2feb81687cfe58
SHA512

a679f669fb877f30abc5a7b3f1b74e9074b4ad769ba1f53a858015c70146ca806999c96e4936bcc337483cf8ad3e5ca03d200319808fcb5b9670e217932f830f
SSDEEP

1536:5KFusSx9qYMhdFHS8qdydo3nTzhYxJA+CwNUtBZVY9v8prg26Bx5HYU:5QS4jHS8q/3nTzePCwNUh4E9gHv5HYU

Score

10^/10

gh0strat discovery rat

Malware Config

Signatures

Gh0st RAT payload 5 IoCs

resource	yara_rule
behavioral2/files/0x0008000000023ca1-14.dat	family_gh0strat
behavioral2/memory/2456-17-0x0000000000400000-0x000000000044E328-memory.dmp	family_gh0strat
behavioral2/memory/2436-20-0x0000000020000000-0x0000000020027000-memory.dmp	family_gh0strat
behavioral2/memory/1924-25-0x0000000020000000-0x0000000020027000-memory.dmp	family_gh0strat
behavioral2/memory/4544-30-0x0000000020000000-0x0000000020027000-memory.dmp	family_gh0strat

Gh0strat
Gh0st RAT is a remote access tool (RAT) with its source code public and it has been used by multiple Chinese groups.
rat gh0strat
Gh0strat family
gh0strat

Deletes itself 1 IoCs

pid	Process
2456	gvbqtyglwe

Executes dropped EXE 1 IoCs

pid	Process
2456	gvbqtyglwe

Loads dropped DLL 3 IoCs

pid	Process
2436	svchost.exe
1924	svchost.exe
4544	svchost.exe

Drops file in System32 directory 6 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\dyaedlfqhw	svchost.exe
File opened for modification	C:\Windows\SysWOW64\svchost.exe.txt	svchost.exe
File created	C:\Windows\SysWOW64\dyaedlfqhw	svchost.exe
File opened for modification	C:\Windows\SysWOW64\svchost.exe.txt	svchost.exe
File created	C:\Windows\SysWOW64\diowkoious	svchost.exe
File opened for modification	C:\Windows\SysWOW64\svchost.exe.txt	svchost.exe

Program crash 3 IoCs

pid	pid_target	Process	procid_target
4552	2436	WerFault.exe	83
312	1924	WerFault.exe	90
1136	4544	WerFault.exe	94

System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_4a44b5836d25a8d3807904c70f72e1cd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	gvbqtyglwe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
2456	gvbqtyglwe
2456	gvbqtyglwe

Suspicious use of AdjustPrivilegeToken 46 IoCs

description	pid	Process
Token: SeRestorePrivilege	2456	gvbqtyglwe
Token: SeBackupPrivilege	2456	gvbqtyglwe
Token: SeBackupPrivilege	2456	gvbqtyglwe
Token: SeRestorePrivilege	2456	gvbqtyglwe
Token: SeBackupPrivilege	2436	svchost.exe
Token: SeRestorePrivilege	2436	svchost.exe
Token: SeBackupPrivilege	2436	svchost.exe
Token: SeBackupPrivilege	2436	svchost.exe
Token: SeSecurityPrivilege	2436	svchost.exe
Token: SeSecurityPrivilege	2436	svchost.exe
Token: SeBackupPrivilege	2436	svchost.exe
Token: SeBackupPrivilege	2436	svchost.exe
Token: SeSecurityPrivilege	2436	svchost.exe
Token: SeBackupPrivilege	2436	svchost.exe
Token: SeBackupPrivilege	2436	svchost.exe
Token: SeSecurityPrivilege	2436	svchost.exe
Token: SeBackupPrivilege	2436	svchost.exe
Token: SeRestorePrivilege	2436	svchost.exe
Token: SeBackupPrivilege	1924	svchost.exe
Token: SeRestorePrivilege	1924	svchost.exe
Token: SeBackupPrivilege	1924	svchost.exe
Token: SeBackupPrivilege	1924	svchost.exe
Token: SeSecurityPrivilege	1924	svchost.exe
Token: SeSecurityPrivilege	1924	svchost.exe
Token: SeBackupPrivilege	1924	svchost.exe
Token: SeBackupPrivilege	1924	svchost.exe
Token: SeSecurityPrivilege	1924	svchost.exe
Token: SeBackupPrivilege	1924	svchost.exe
Token: SeBackupPrivilege	1924	svchost.exe
Token: SeSecurityPrivilege	1924	svchost.exe
Token: SeBackupPrivilege	1924	svchost.exe
Token: SeRestorePrivilege	1924	svchost.exe
Token: SeBackupPrivilege	4544	svchost.exe
Token: SeRestorePrivilege	4544	svchost.exe
Token: SeBackupPrivilege	4544	svchost.exe
Token: SeBackupPrivilege	4544	svchost.exe
Token: SeSecurityPrivilege	4544	svchost.exe
Token: SeSecurityPrivilege	4544	svchost.exe
Token: SeBackupPrivilege	4544	svchost.exe
Token: SeBackupPrivilege	4544	svchost.exe
Token: SeSecurityPrivilege	4544	svchost.exe
Token: SeBackupPrivilege	4544	svchost.exe
Token: SeBackupPrivilege	4544	svchost.exe
Token: SeSecurityPrivilege	4544	svchost.exe
Token: SeBackupPrivilege	4544	svchost.exe
Token: SeRestorePrivilege	4544	svchost.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 2768 wrote to memory of 2456	2768	JaffaCakes118_4a44b5836d25a8d3807904c70f72e1cd.exe	82
PID 2768 wrote to memory of 2456	2768	JaffaCakes118_4a44b5836d25a8d3807904c70f72e1cd.exe	82
PID 2768 wrote to memory of 2456	2768	JaffaCakes118_4a44b5836d25a8d3807904c70f72e1cd.exe	82

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_4a44b5836d25a8d3807904c70f72e1cd.exe
"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_4a44b5836d25a8d3807904c70f72e1cd.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2768
- \??\c:\users\admin\appdata\local\gvbqtyglwe
  "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_4a44b5836d25a8d3807904c70f72e1cd.exe" a -sc:\users\admin\appdata\local\temp\jaffacakes118_4a44b5836d25a8d3807904c70f72e1cd.exe
  2⤵
  - Deletes itself
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2456

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k netsvcs -s fastuserswitchingcompatibility
1⤵
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
PID:2436
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 2436 -s 844
  2⤵
  - Program crash
  PID:4552

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 424 -p 2436 -ip 2436
1⤵
PID:1604

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k netsvcs -s fastuserswitchingcompatibility
1⤵
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
PID:1924
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 1924 -s 1108
  2⤵
  - Program crash
  PID:312

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 1924 -ip 1924
1⤵
PID:3592

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k netsvcs -s fastuserswitchingcompatibility
1⤵
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
PID:4544
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 4544 -s 1104
  2⤵
  - Program crash
  PID:1136

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 4544 -ip 4544
1⤵
PID:3268

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\gvbqtyglwe

Filesize
19.4MB

MD5
da63dc3f04926c25e8ba57b5e527bc82

SHA1
4fac362403b6f64831c2917a3ca782d5c35af1c3

SHA256
054301f0596f2b6c60686c9d1571d8ea34bee30761f5ca9aad365438c61f61d6

SHA512
8e515c03b62717fa75cc33803dfb2cc7b6a0e455c2c76bf4807e63fd99f094f97cad0bc566979daf41253d1df323b4196dd210dba53d651e78bfdfa0f37fdfe8

Download Submit
C:\Windows\SysWOW64\svchost.exe.txt

Filesize
204B

MD5
372fff92a7465959f9423b0a0c060365

SHA1
07def3c9958c601ea98745228a04ba66fc5de183

SHA256
b3ee8e926d10767874f47e8ec0cc846e2532bdf58115843c11c4254860a725f1

SHA512
0eb14d616deb95097c3499c986fe998fed9cc493b5100d98f760497cea2a04172e76459615050022de3ff54c701fac25bc43a4b2ebf0b9501567e3ad1b69b808

Download Submit
C:\Windows\SysWOW64\svchost.exe.txt

Filesize
306B

MD5
79bd4ec0c36e2df4817f253ee919887d

SHA1
8c8333a95da6e74a479b3f2df5715402e5dc958c

SHA256
29309ce18313c45ee92a7df1865f7e863ee1a7c9c70bbe86e3f37163153b1d8e

SHA512
5257aed60d5f0be22cd5e5519c79341dce53a4f5ca88d520b0b9b8edf1445ee77f0f7ab542b3dd0beb19401f6993f1e1eba83fc5048e80f07f8b0732c0090fe8

Download Submit
\??\c:\programdata\application data\storm\update\%sessionname%\sbyll.cc3

Filesize
21.0MB

MD5
feea9a0df1abd771dc3dcf048664ba96

SHA1
72f0f4326b49eda1c65bad9bad82e9e2be45b4d8

SHA256
f647a031c7cb24a5b5f89a82ccc9301775329867b81d741b7be6206ce70daac5

SHA512
d72ea8f4461fdd6fca408edfee1135cc2548af887f2c39a7fbcf194716d017c2cdfa581fc6ff8240d9546a177c3a50ccedc00179233f7be38bc2bbad6d0cb4bc

Download Submit
memory/1924-25-0x0000000020000000-0x0000000020027000-memory.dmp

Filesize
156KB

Download
memory/1924-22-0x00000000003F0000-0x00000000003F1000-memory.dmp

Filesize
4KB

Download
memory/2436-20-0x0000000020000000-0x0000000020027000-memory.dmp

Filesize
156KB

Download
memory/2436-18-0x00000000011D0000-0x00000000011D1000-memory.dmp

Filesize
4KB

Download
memory/2456-17-0x0000000000400000-0x000000000044E328-memory.dmp

Filesize
312KB

Download
memory/2456-7-0x0000000000400000-0x000000000044E328-memory.dmp

Filesize
312KB

Download
memory/2768-0-0x0000000000400000-0x000000000044E328-memory.dmp

Filesize
312KB

Download
memory/2768-10-0x0000000000400000-0x000000000044E328-memory.dmp

Filesize
312KB

Download
memory/2768-2-0x00000000001D0000-0x00000000001D1000-memory.dmp

Filesize
4KB

Download
memory/4544-27-0x0000000001BE0000-0x0000000001BE1000-memory.dmp

Filesize
4KB

Download
memory/4544-30-0x0000000020000000-0x0000000020027000-memory.dmp

Filesize
156KB

Download