gh0strat | 56a2a088cf33ab175f32a1de3b3a0d49c2b058fd7210231958f3f3341b1c7113

Analysis

max time kernel
95s
max time network
126s
platform
windows10-2004_x64
resource
win10v2004-20250129-en
resource tags

arch:x64arch:x86image:win10v2004-20250129-enlocale:en-usos:windows10-2004-x64system
submitted
28-01-2025 18:11

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

JaffaCakes118_4dd3698bc5d4fc10234127291e5afa7c.exe
Size

96KB
MD5

4dd3698bc5d4fc10234127291e5afa7c
SHA1

db1ed73bc14463f6a9d55b9bc66dc78827fb72e1
SHA256

56a2a088cf33ab175f32a1de3b3a0d49c2b058fd7210231958f3f3341b1c7113
SHA512

985106aa01c0477cb8ecd6b6356454181c0ed20a0649b81ab35c55d40a1d98d02d7d437bd0a7c11688174426d38105d1f30b88105ddfe9a66cdd81fc5b70422e
SSDEEP

3072:OYS4jHS8q/3nTzePCwNUh4E9SQbrh2B3ifb:OT428q/nTzePCwG7d6S

Score

10^/10

gh0strat discovery rat

Malware Config

Signatures

Gh0st RAT payload 5 IoCs

resource	yara_rule
behavioral2/files/0x000d000000023b5e-15.dat	family_gh0strat
behavioral2/memory/456-17-0x0000000000400000-0x000000000044E2EC-memory.dmp	family_gh0strat
behavioral2/memory/4952-20-0x0000000020000000-0x0000000020027000-memory.dmp	family_gh0strat
behavioral2/memory/3912-25-0x0000000020000000-0x0000000020027000-memory.dmp	family_gh0strat
behavioral2/memory/5024-30-0x0000000020000000-0x0000000020027000-memory.dmp	family_gh0strat

Gh0strat
Gh0st RAT is a remote access tool (RAT) with its source code public and it has been used by multiple Chinese groups.
rat gh0strat
Gh0strat family
gh0strat

Deletes itself 1 IoCs

pid	Process
456	gcngibskmx

Executes dropped EXE 1 IoCs

pid	Process
456	gcngibskmx

Loads dropped DLL 3 IoCs

pid	Process
4952	svchost.exe
3912	svchost.exe
5024	svchost.exe

Drops file in System32 directory 6 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\ubnxupoaiy	svchost.exe
File opened for modification	C:\Windows\SysWOW64\svchost.exe.txt	svchost.exe
File created	C:\Windows\SysWOW64\ubnxupoaiy	svchost.exe
File opened for modification	C:\Windows\SysWOW64\svchost.exe.txt	svchost.exe
File created	C:\Windows\SysWOW64\usyfmmmcud	svchost.exe
File opened for modification	C:\Windows\SysWOW64\svchost.exe.txt	svchost.exe

Program crash 3 IoCs

pid	pid_target	Process	procid_target
836	4952	WerFault.exe	85
1100	3912	WerFault.exe	89
3520	5024	WerFault.exe	92

System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_4dd3698bc5d4fc10234127291e5afa7c.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	gcngibskmx
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
456	gcngibskmx
456	gcngibskmx

Suspicious use of AdjustPrivilegeToken 46 IoCs

description	pid	Process
Token: SeRestorePrivilege	456	gcngibskmx
Token: SeBackupPrivilege	456	gcngibskmx
Token: SeBackupPrivilege	456	gcngibskmx
Token: SeRestorePrivilege	456	gcngibskmx
Token: SeBackupPrivilege	4952	svchost.exe
Token: SeRestorePrivilege	4952	svchost.exe
Token: SeBackupPrivilege	4952	svchost.exe
Token: SeBackupPrivilege	4952	svchost.exe
Token: SeSecurityPrivilege	4952	svchost.exe
Token: SeSecurityPrivilege	4952	svchost.exe
Token: SeBackupPrivilege	4952	svchost.exe
Token: SeBackupPrivilege	4952	svchost.exe
Token: SeSecurityPrivilege	4952	svchost.exe
Token: SeBackupPrivilege	4952	svchost.exe
Token: SeBackupPrivilege	4952	svchost.exe
Token: SeSecurityPrivilege	4952	svchost.exe
Token: SeBackupPrivilege	4952	svchost.exe
Token: SeRestorePrivilege	4952	svchost.exe
Token: SeBackupPrivilege	3912	svchost.exe
Token: SeRestorePrivilege	3912	svchost.exe
Token: SeBackupPrivilege	3912	svchost.exe
Token: SeBackupPrivilege	3912	svchost.exe
Token: SeSecurityPrivilege	3912	svchost.exe
Token: SeSecurityPrivilege	3912	svchost.exe
Token: SeBackupPrivilege	3912	svchost.exe
Token: SeBackupPrivilege	3912	svchost.exe
Token: SeSecurityPrivilege	3912	svchost.exe
Token: SeBackupPrivilege	3912	svchost.exe
Token: SeBackupPrivilege	3912	svchost.exe
Token: SeSecurityPrivilege	3912	svchost.exe
Token: SeBackupPrivilege	3912	svchost.exe
Token: SeRestorePrivilege	3912	svchost.exe
Token: SeBackupPrivilege	5024	svchost.exe
Token: SeRestorePrivilege	5024	svchost.exe
Token: SeBackupPrivilege	5024	svchost.exe
Token: SeBackupPrivilege	5024	svchost.exe
Token: SeSecurityPrivilege	5024	svchost.exe
Token: SeSecurityPrivilege	5024	svchost.exe
Token: SeBackupPrivilege	5024	svchost.exe
Token: SeBackupPrivilege	5024	svchost.exe
Token: SeSecurityPrivilege	5024	svchost.exe
Token: SeBackupPrivilege	5024	svchost.exe
Token: SeBackupPrivilege	5024	svchost.exe
Token: SeSecurityPrivilege	5024	svchost.exe
Token: SeBackupPrivilege	5024	svchost.exe
Token: SeRestorePrivilege	5024	svchost.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 3368 wrote to memory of 456	3368	JaffaCakes118_4dd3698bc5d4fc10234127291e5afa7c.exe	84
PID 3368 wrote to memory of 456	3368	JaffaCakes118_4dd3698bc5d4fc10234127291e5afa7c.exe	84
PID 3368 wrote to memory of 456	3368	JaffaCakes118_4dd3698bc5d4fc10234127291e5afa7c.exe	84

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_4dd3698bc5d4fc10234127291e5afa7c.exe
"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_4dd3698bc5d4fc10234127291e5afa7c.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3368
- \??\c:\users\admin\appdata\local\gcngibskmx
  "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_4dd3698bc5d4fc10234127291e5afa7c.exe" a -sc:\users\admin\appdata\local\temp\jaffacakes118_4dd3698bc5d4fc10234127291e5afa7c.exe
  2⤵
  - Deletes itself
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:456

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k netsvcs -s fastuserswitchingcompatibility
1⤵
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
PID:4952
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 4952 -s 812
  2⤵
  - Program crash
  PID:836

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 456 -p 4952 -ip 4952
1⤵
PID:2092

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k netsvcs -s fastuserswitchingcompatibility
1⤵
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
PID:3912
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 3912 -s 1112
  2⤵
  - Program crash
  PID:1100

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 516 -p 3912 -ip 3912
1⤵
PID:1576

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k netsvcs -s fastuserswitchingcompatibility
1⤵
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
PID:5024
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 5024 -s 1020
  2⤵
  - Program crash
  PID:3520

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 436 -p 5024 -ip 5024
1⤵
PID:3384

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\gcngibskmx

Filesize
20.3MB

MD5
07caae0028d66eeb9051baa35b3701d2

SHA1
8a2a1754af325b9ec8d28464a3bb1829f3633096

SHA256
9ea7c8d6ceb7409c4241828104407866b152afcf468839d2eee51f8b627a13f5

SHA512
9f52a4c4a757832acc9d8a910b620883b7d0df5468889583bacb2225f169a87149e616969c1b258ee6ef0f16ab2a93fdb1c180fb663c226986ae9f94f77e8030

Download Submit
C:\Windows\SysWOW64\svchost.exe.txt

Filesize
202B

MD5
f66f5da81d2a888bb9d6634a6c7c8f5e

SHA1
65bd574ea7498984067610e93cec6d0e4dd1d226

SHA256
304b4494d84931742459343eaa47d4f15953f5fe0435531d1f43a27a2fd2f75a

SHA512
0fd2a3b68c2b6f78269730a61e6013e56debb17e23cf49920469274aeccc6200971bf591d1f4c5e9bb1e3d48e167e5596cfc8a408b7a617783161f50da4bb231

Download Submit
C:\Windows\SysWOW64\svchost.exe.txt

Filesize
303B

MD5
0c608b1a313bc8b2ad8b05c166dc4441

SHA1
c2a0b7bd698c5f77535944ec7503f9052ec2983c

SHA256
1530ea75d8f525113805e3127a333aa7dd45312d591aa94ae4ef62a7a50c24a9

SHA512
491747402b6de1f03319488957be6f55bd8b31afbd663993ac96a961aa9b551df277d5b1fa09107fd21b58f600a28d15fe9017c2fa1ac01be3089ef3d00a0b0d

Download Submit
\??\c:\programdata\application data\storm\update\%sessionname%\mksmx.cc3

Filesize
20.1MB

MD5
aa5be1e75a52e37aa9df5c2362bb0618

SHA1
796ac9505f2bd9fc206d4c77e2b590d36aaba051

SHA256
5cc90e07faeb19d26644110f79ccff2c22d7ba845d6a323670169ea12ef87f16

SHA512
3d523588263856c59299a5b67f788f1ce1d72547eb72de4f9e24127ad54cdd15ea375f61534a431c4c29ba8c15fcaf1ff4fa5ceb7382bc350bac48bbf22a6b3c

Download Submit
memory/456-9-0x0000000000400000-0x000000000044E2EC-memory.dmp

Filesize
312KB

Download
memory/456-12-0x00000000001D0000-0x00000000001D1000-memory.dmp

Filesize
4KB

Download
memory/456-17-0x0000000000400000-0x000000000044E2EC-memory.dmp

Filesize
312KB

Download
memory/3368-2-0x00000000001D0000-0x00000000001D1000-memory.dmp

Filesize
4KB

Download
memory/3368-8-0x0000000000400000-0x000000000044E2EC-memory.dmp

Filesize
312KB

Download
memory/3368-0-0x0000000000400000-0x000000000044E2EC-memory.dmp

Filesize
312KB

Download
memory/3912-25-0x0000000020000000-0x0000000020027000-memory.dmp

Filesize
156KB

Download
memory/3912-22-0x0000000002090000-0x0000000002091000-memory.dmp

Filesize
4KB

Download
memory/4952-20-0x0000000020000000-0x0000000020027000-memory.dmp

Filesize
156KB

Download
memory/4952-18-0x0000000001740000-0x0000000001741000-memory.dmp

Filesize
4KB

Download
memory/5024-27-0x00000000016E0000-0x00000000016E1000-memory.dmp

Filesize
4KB

Download
memory/5024-30-0x0000000020000000-0x0000000020027000-memory.dmp

Filesize
156KB

Download