gh0strat | b22c86b73dc32c8a0b08d2329d2c80c7ac57e55671753457c70bb2acbf6d6d32

General

Target

JaffaCakes118_574bdfdff36ef931fbc19f3a53776034.exe
Size

127KB
MD5

574bdfdff36ef931fbc19f3a53776034
SHA1

c10f6bc157f513108e713340b2d8d7923ba9ca50
SHA256

b22c86b73dc32c8a0b08d2329d2c80c7ac57e55671753457c70bb2acbf6d6d32
SHA512

b531092f19a09bc5cc20d5cc6db7e3cfb057cc8036911e3086f436fb30e2cc463ac16731ddf89d0fe1dd6ea9da38b4519d142e39d5c7d6492854ecebe6520bdb
SSDEEP

3072:Z7aVnnvIStWq73hGUmv06+W5/RahJ1jOkVt:Z7aVnnvIStWqz8UmMi5ZAJ1j3

Score

10^/10

Malware Config

Signatures

Gh0st RAT payload 6 IoCs

resource	yara_rule
behavioral2/memory/4472-0-0x0000000000400000-0x000000000041E000-memory.dmp	family_gh0strat
behavioral2/memory/4472-3-0x0000000000400000-0x000000000041E000-memory.dmp	family_gh0strat
behavioral2/files/0x000c000000023b71-2.dat	family_gh0strat
behavioral2/memory/4644-5-0x0000000010000000-0x0000000010019000-memory.dmp	family_gh0strat
behavioral2/memory/4644-7-0x0000000010000000-0x0000000010019000-memory.dmp	family_gh0strat
behavioral2/memory/704-8-0x0000000010000000-0x0000000010019000-memory.dmp	family_gh0strat

Gh0strat
Gh0st RAT is a remote access tool (RAT) with its source code public and it has been used by multiple Chinese groups.
rat gh0strat
Gh0strat family
gh0strat

Blocklisted process makes network request 2 IoCs

flow	pid	Process
8	704	rundll32.exe
21	704	rundll32.exe

Server Software Component: Terminal Services DLL 1 TTPs 1 IoCs

persistence

Terminal Services DLL

T1505.005

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\360svc\Parameters\ServiceDll = "C:\\Windows\\Web\\e57c469kill.dll"	JaffaCakes118_574bdfdff36ef931fbc19f3a53776034.exe

Loads dropped DLL 2 IoCs

pid	Process
4644	svchost.exe
704	rundll32.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Web	JaffaCakes118_574bdfdff36ef931fbc19f3a53776034.exe
File created	C:\Windows\Web\e57c469kill.dll	JaffaCakes118_574bdfdff36ef931fbc19f3a53776034.exe

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_574bdfdff36ef931fbc19f3a53776034.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	rundll32.exe

Modifies data under HKEY_USERS 5 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	rundll32.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1"	rundll32.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1"	rundll32.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1"	rundll32.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0"	rundll32.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeDebugPrivilege	4644	svchost.exe
Token: SeDebugPrivilege	704	rundll32.exe
Token: SeDebugPrivilege	704	rundll32.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 4644 wrote to memory of 704	4644	svchost.exe	84
PID 4644 wrote to memory of 704	4644	svchost.exe	84
PID 4644 wrote to memory of 704	4644	svchost.exe	84

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_574bdfdff36ef931fbc19f3a53776034.exe
"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_574bdfdff36ef931fbc19f3a53776034.exe"
1⤵
- Server Software Component: Terminal Services DLL
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
PID:4472

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k netsvcs
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4644
- C:\Windows\SysWOW64\rundll32.exe
  rundll32.exe c:\windows\web\e57c469kill.dll wintest
  2⤵
  - Blocklisted process makes network request
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Modifies data under HKEY_USERS
  - Suspicious use of AdjustPrivilegeToken
  PID:704

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Server Software Component

1

T1505

Terminal Services DLL

1

T1505.005

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\??\c:\windows\web\e57c469kill.dll

Filesize
97KB

MD5
4f8193b3016b988f1178e6be3d569742

SHA1
41556f3640d50087efca06f04035def99bfb1892

SHA256
2423a996f2c310d3e48f5241c3810d563277eda161ba4df6e8ae57d456bcb64c

SHA512
bd290d383e668193a0c541ab20738e0767ec2ac02541054e5a253e3e52c8bc070e4e99ae38be52cbadf2ac196e19d492842d40b69d7fcf2928a713850cd4fe74

Download Submit
memory/704-8-0x0000000010000000-0x0000000010019000-memory.dmp

Filesize
100KB

Download
memory/4472-0-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/4472-3-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/4644-5-0x0000000010000000-0x0000000010019000-memory.dmp

Filesize
100KB

Download
memory/4644-7-0x0000000010000000-0x0000000010019000-memory.dmp

Filesize
100KB

Download

Analysis

Sharing