gh0strat | d56657da73d09a07b6d3fc322ce2a5d992434a8868f941faf3a045c81a1f03fa

Analysis

max time kernel
93s
max time network
147s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
28-01-2025 18:19

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

JaffaCakes118_4de5c903df031794efbab0a6e83d51ec.exe
Size

95KB
MD5

4de5c903df031794efbab0a6e83d51ec
SHA1

25c1d1513c212717cd83890ed1f0ed65d7f6152a
SHA256

d56657da73d09a07b6d3fc322ce2a5d992434a8868f941faf3a045c81a1f03fa
SHA512

f38d6f8195dab485f0503ec0993907c13cfac61bf5797b59e9314e12ca751de4dfeb3ec620b1079cf6517f26f555b905ed3b5dd9abfab7aee91e9dc8b5878ebc
SSDEEP

1536:/HFusSx9qYMhdFHS8qdydo3nTzhYxJA+CwNUtBZVY9v8pr9Saxym:/xS4jHS8q/3nTzePCwNUh4E99Qm

Score

10^/10

gh0strat discovery rat

Malware Config

Signatures

Gh0st RAT payload 5 IoCs

resource	yara_rule
behavioral2/files/0x0008000000023c99-15.dat	family_gh0strat
behavioral2/memory/1020-17-0x0000000000400000-0x000000000044E2D0-memory.dmp	family_gh0strat
behavioral2/memory/1288-20-0x0000000020000000-0x0000000020027000-memory.dmp	family_gh0strat
behavioral2/memory/2980-25-0x0000000020000000-0x0000000020027000-memory.dmp	family_gh0strat
behavioral2/memory/3008-30-0x0000000020000000-0x0000000020027000-memory.dmp	family_gh0strat

Gh0strat
Gh0st RAT is a remote access tool (RAT) with its source code public and it has been used by multiple Chinese groups.
rat gh0strat
Gh0strat family
gh0strat

Deletes itself 1 IoCs

pid	Process
1020	mbqwlcoubp

Executes dropped EXE 1 IoCs

pid	Process
1020	mbqwlcoubp

Loads dropped DLL 3 IoCs

pid	Process
1288	svchost.exe
2980	svchost.exe
3008	svchost.exe

Drops file in System32 directory 6 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\cytslppyfy	svchost.exe
File opened for modification	C:\Windows\SysWOW64\svchost.exe.txt	svchost.exe
File created	C:\Windows\SysWOW64\chilssswst	svchost.exe
File opened for modification	C:\Windows\SysWOW64\svchost.exe.txt	svchost.exe
File created	C:\Windows\SysWOW64\chilssswst	svchost.exe
File opened for modification	C:\Windows\SysWOW64\svchost.exe.txt	svchost.exe

Program crash 3 IoCs

pid	pid_target	Process	procid_target
4000	1288	WerFault.exe	83
1908	2980	WerFault.exe	87
5076	3008	WerFault.exe	90

System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_4de5c903df031794efbab0a6e83d51ec.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mbqwlcoubp
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
1020	mbqwlcoubp
1020	mbqwlcoubp

Suspicious use of AdjustPrivilegeToken 46 IoCs

description	pid	Process
Token: SeRestorePrivilege	1020	mbqwlcoubp
Token: SeBackupPrivilege	1020	mbqwlcoubp
Token: SeBackupPrivilege	1020	mbqwlcoubp
Token: SeRestorePrivilege	1020	mbqwlcoubp
Token: SeBackupPrivilege	1288	svchost.exe
Token: SeRestorePrivilege	1288	svchost.exe
Token: SeBackupPrivilege	1288	svchost.exe
Token: SeBackupPrivilege	1288	svchost.exe
Token: SeSecurityPrivilege	1288	svchost.exe
Token: SeSecurityPrivilege	1288	svchost.exe
Token: SeBackupPrivilege	1288	svchost.exe
Token: SeBackupPrivilege	1288	svchost.exe
Token: SeSecurityPrivilege	1288	svchost.exe
Token: SeBackupPrivilege	1288	svchost.exe
Token: SeBackupPrivilege	1288	svchost.exe
Token: SeSecurityPrivilege	1288	svchost.exe
Token: SeBackupPrivilege	1288	svchost.exe
Token: SeRestorePrivilege	1288	svchost.exe
Token: SeBackupPrivilege	2980	svchost.exe
Token: SeRestorePrivilege	2980	svchost.exe
Token: SeBackupPrivilege	2980	svchost.exe
Token: SeBackupPrivilege	2980	svchost.exe
Token: SeSecurityPrivilege	2980	svchost.exe
Token: SeSecurityPrivilege	2980	svchost.exe
Token: SeBackupPrivilege	2980	svchost.exe
Token: SeBackupPrivilege	2980	svchost.exe
Token: SeSecurityPrivilege	2980	svchost.exe
Token: SeBackupPrivilege	2980	svchost.exe
Token: SeBackupPrivilege	2980	svchost.exe
Token: SeSecurityPrivilege	2980	svchost.exe
Token: SeBackupPrivilege	2980	svchost.exe
Token: SeRestorePrivilege	2980	svchost.exe
Token: SeBackupPrivilege	3008	svchost.exe
Token: SeRestorePrivilege	3008	svchost.exe
Token: SeBackupPrivilege	3008	svchost.exe
Token: SeBackupPrivilege	3008	svchost.exe
Token: SeSecurityPrivilege	3008	svchost.exe
Token: SeSecurityPrivilege	3008	svchost.exe
Token: SeBackupPrivilege	3008	svchost.exe
Token: SeBackupPrivilege	3008	svchost.exe
Token: SeSecurityPrivilege	3008	svchost.exe
Token: SeBackupPrivilege	3008	svchost.exe
Token: SeBackupPrivilege	3008	svchost.exe
Token: SeSecurityPrivilege	3008	svchost.exe
Token: SeBackupPrivilege	3008	svchost.exe
Token: SeRestorePrivilege	3008	svchost.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 1752 wrote to memory of 1020	1752	JaffaCakes118_4de5c903df031794efbab0a6e83d51ec.exe	82
PID 1752 wrote to memory of 1020	1752	JaffaCakes118_4de5c903df031794efbab0a6e83d51ec.exe	82
PID 1752 wrote to memory of 1020	1752	JaffaCakes118_4de5c903df031794efbab0a6e83d51ec.exe	82

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_4de5c903df031794efbab0a6e83d51ec.exe
"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_4de5c903df031794efbab0a6e83d51ec.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1752
- \??\c:\users\admin\appdata\local\mbqwlcoubp
  "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_4de5c903df031794efbab0a6e83d51ec.exe" a -sc:\users\admin\appdata\local\temp\jaffacakes118_4de5c903df031794efbab0a6e83d51ec.exe
  2⤵
  - Deletes itself
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1020

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k netsvcs -s fastuserswitchingcompatibility
1⤵
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
PID:1288
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 1288 -s 832
  2⤵
  - Program crash
  PID:4000

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 1288 -ip 1288
1⤵
PID:804

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k netsvcs -s fastuserswitchingcompatibility
1⤵
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
PID:2980
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 2980 -s 1100
  2⤵
  - Program crash
  PID:1908

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 428 -p 2980 -ip 2980
1⤵
PID:2024

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k netsvcs -s fastuserswitchingcompatibility
1⤵
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
PID:3008
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 3008 -s 944
  2⤵
  - Program crash
  PID:5076

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 556 -p 3008 -ip 3008
1⤵
PID:5104

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\svchost.exe.txt

Filesize
202B

MD5
5ea275710fcb1aaa95e3a63970d27ada

SHA1
ce2729e8e1ed2ae59061e646e165d38071231db5

SHA256
4d4011fa24fdf58bfa95ea5cc3e6c46c4da956f9f7a492de9a05f0beb9b8406e

SHA512
0ef34fa600a4ce8e5bd0b4ebe8c70bb4abc42afb7ca0901d674c1fd029cf747c5c36ecdfab775e26c367a1ec184932e2e3f6c57e6dc3f6148252d68e168037de

Download Submit
C:\Windows\SysWOW64\svchost.exe.txt

Filesize
303B

MD5
d0e7910f801d86ce72314d0f42a4e513

SHA1
1fb42f600ae02b5dfcb1485617450ffb294e4263

SHA256
1503d17080fb18d0a7443f41287e42c1e766b0325e43de32f4a89ef70d3bf413

SHA512
09672386a93e0ed1bad6fa065190e6092e5d5f2b0aa5a9bae8f5e2124655472f0ddf70375e9ba3f7a4107d7e523d51c475fdcba69b630f36b306b3dc4ebfc2d2

Download Submit
\??\c:\programdata\application data\storm\update\%sessionname%\dckhv.cc3

Filesize
21.0MB

MD5
e4492d908106273fbbe2a67e4a7b87d8

SHA1
739844684e8611f0d2ce94bcced1aead329b47b8

SHA256
56ed2741547224f08c7cb9ec055f5414a75c0f0c5ed325d724ecd91e2ef27fd7

SHA512
27ffa123ce5d16d92af32d490719dcc558960b34f371d0d0187e3b50e3b9f6a017bc437aa1d4c9451a773dfadca07c5a70a74201ffb042db22b7640d5d0eaf83

Download Submit
\??\c:\users\admin\appdata\local\mbqwlcoubp

Filesize
20.4MB

MD5
de18bb0721ac087f5dae1aa1c464405d

SHA1
3c122a9044049c33297d967c6d8d226605a0272d

SHA256
3923f923a9e93efd0aea29fdae3967231b2a5382240e5e87589bd4dd18ea570e

SHA512
e2ae0baeeaaed438ade691750b53b4e3e8bfd8f20b9e7b8c05a02b8cf39a0d2a42da65066309c28fe47654934e6a10211dea39e473eb5592b54c720599fff0d2

Download Submit
memory/1020-17-0x0000000000400000-0x000000000044E2D0-memory.dmp

Filesize
312KB

Download
memory/1020-12-0x00000000001D0000-0x00000000001D1000-memory.dmp

Filesize
4KB

Download
memory/1020-11-0x0000000000400000-0x000000000044E2D0-memory.dmp

Filesize
312KB

Download
memory/1288-18-0x0000000000FF0000-0x0000000000FF1000-memory.dmp

Filesize
4KB

Download
memory/1288-20-0x0000000020000000-0x0000000020027000-memory.dmp

Filesize
156KB

Download
memory/1752-0-0x0000000000400000-0x000000000044E2D0-memory.dmp

Filesize
312KB

Download
memory/1752-8-0x0000000000400000-0x000000000044E2D0-memory.dmp

Filesize
312KB

Download
memory/1752-2-0x00000000001D0000-0x00000000001D1000-memory.dmp

Filesize
4KB

Download
memory/2980-22-0x00000000019F0000-0x00000000019F1000-memory.dmp

Filesize
4KB

Download
memory/2980-25-0x0000000020000000-0x0000000020027000-memory.dmp

Filesize
156KB

Download
memory/3008-27-0x00000000013E0000-0x00000000013E1000-memory.dmp

Filesize
4KB

Download
memory/3008-30-0x0000000020000000-0x0000000020027000-memory.dmp

Filesize
156KB

Download