gh0strat | 36ac25c2091b56bbd5407e2fc11666e02da1db030bfe391f07607bf5e1f95ddb

General

Target

JaffaCakes118_319457f48e0c52165f9bdd0fb53837da.exe
Size

137KB
MD5

319457f48e0c52165f9bdd0fb53837da
SHA1

0573839f46a1d83c2f1e6b1dc976e1008006c1d8
SHA256

36ac25c2091b56bbd5407e2fc11666e02da1db030bfe391f07607bf5e1f95ddb
SHA512

55572b9b17ab0a014ab04919347b84d5265144ebe31f152d4ff4c6adc25e318bb6d593e00d80817c85e9ba18191840af3cc3f69204ce4090434b2e9d47cea3b0
SSDEEP

3072:c6JR+uNAEaC3KtYlG4tOLjzqch+ChaCraZE6UVhn/06zl/Xey:cgZNATdYlG4AzqE+CxruE6Ufn/V

Score

10^/10

Malware Config

Signatures

Gh0st RAT payload 5 IoCs

resource	yara_rule
behavioral1/memory/1624-5-0x0000000000440000-0x000000000045E000-memory.dmp	family_gh0strat
behavioral1/files/0x0008000000016621-3.dat	family_gh0strat
behavioral1/memory/1032-13-0x0000000000400000-0x000000000041E000-memory.dmp	family_gh0strat
behavioral1/memory/1032-20-0x0000000000400000-0x000000000041E000-memory.dmp	family_gh0strat
behavioral1/files/0x0007000000016c3a-19.dat	family_gh0strat

Gh0strat
Gh0st RAT is a remote access tool (RAT) with its source code public and it has been used by multiple Chinese groups.
rat gh0strat
Gh0strat family
gh0strat

Drops file in Drivers directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\Drivers\beep.sys	svchost.exe

Server Software Component: Terminal Services DLL 1 TTPs 1 IoCs

persistence

Terminal Services DLL

T1505.005

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\FastUserSwitchingCompatibility\Parameters\ServiceDll = "C:\\Windows\\system32\\FastUserSwitchingCompatibilityex.dll"	server.exe

Executes dropped EXE 1 IoCs

pid	Process
1032	server.exe

Loads dropped DLL 3 IoCs

pid	Process
1624	JaffaCakes118_319457f48e0c52165f9bdd0fb53837da.exe
1624	JaffaCakes118_319457f48e0c52165f9bdd0fb53837da.exe
3020	svchost.exe

Drops file in System32 directory 2 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\FastUserSwitchingCompatibilityex.dll	server.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat	svchost.exe

Drops file in Windows directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Debug\WIA\wiatrace.log	WINWORD.EXE

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_319457f48e0c52165f9bdd0fb53837da.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WINWORD.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	server.exe

Office loads VBA resources, possible macro or embedded object present

Modifies data under HKEY_USERS 24 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad	svchost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{A759F3AE-18C2-4115-96EB-B25D1DC6AE01}\WpadNetworkName = "Network 3"	svchost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\5e-14-0a-16-b9-9d\WpadDecisionTime = 401325419989db01	svchost.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\5e-14-0a-16-b9-9d\WpadDecision = "0"	svchost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content\CachePrefix	svchost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History\CachePrefix = "Visited:"	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	svchost.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{A759F3AE-18C2-4115-96EB-B25D1DC6AE01}\WpadDecisionReason = "1"	svchost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{A759F3AE-18C2-4115-96EB-B25D1DC6AE01}\WpadDecisionTime = 401325419989db01	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{A759F3AE-18C2-4115-96EB-B25D1DC6AE01}\5e-14-0a-16-b9-9d	svchost.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "1"	svchost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 4600000002000000090000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings	svchost.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyEnable = "0"	svchost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 4600000003000000090000000000000000000000000000000400000000000000000000000000000000000000000000000000000001000000020000000a7f0169000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\5e-14-0a-16-b9-9d	svchost.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\5e-14-0a-16-b9-9d\WpadDecisionReason = "1"	svchost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies\CachePrefix = "Cookie:"	svchost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\SavedLegacySettings = 4600000002000000090000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{A759F3AE-18C2-4115-96EB-B25D1DC6AE01}	svchost.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{A759F3AE-18C2-4115-96EB-B25D1DC6AE01}\WpadDecision = "0"	svchost.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "0"	svchost.exe

Suspicious behavior: AddClipboardFormatListener 1 IoCs

pid	Process
2596	WINWORD.EXE

Suspicious behavior: LoadsDriver 1 IoCs

pid	Process
476	Process not Found

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
2596	WINWORD.EXE
2596	WINWORD.EXE

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 1624 wrote to memory of 2596	1624	JaffaCakes118_319457f48e0c52165f9bdd0fb53837da.exe	30
PID 1624 wrote to memory of 2596	1624	JaffaCakes118_319457f48e0c52165f9bdd0fb53837da.exe	30
PID 1624 wrote to memory of 2596	1624	JaffaCakes118_319457f48e0c52165f9bdd0fb53837da.exe	30
PID 1624 wrote to memory of 2596	1624	JaffaCakes118_319457f48e0c52165f9bdd0fb53837da.exe	30
PID 1624 wrote to memory of 1032	1624	JaffaCakes118_319457f48e0c52165f9bdd0fb53837da.exe	31
PID 1624 wrote to memory of 1032	1624	JaffaCakes118_319457f48e0c52165f9bdd0fb53837da.exe	31
PID 1624 wrote to memory of 1032	1624	JaffaCakes118_319457f48e0c52165f9bdd0fb53837da.exe	31
PID 1624 wrote to memory of 1032	1624	JaffaCakes118_319457f48e0c52165f9bdd0fb53837da.exe	31
PID 2596 wrote to memory of 2720	2596	WINWORD.EXE	35
PID 2596 wrote to memory of 2720	2596	WINWORD.EXE	35
PID 2596 wrote to memory of 2720	2596	WINWORD.EXE	35
PID 2596 wrote to memory of 2720	2596	WINWORD.EXE	35

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_319457f48e0c52165f9bdd0fb53837da.exe
"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_319457f48e0c52165f9bdd0fb53837da.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1624
- C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
  "C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\爱情、经不起时间或距离的考验.doc"
  2⤵
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: AddClipboardFormatListener
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2596
- - C:\Windows\splwow64.exe
    C:\Windows\splwow64.exe 12288
    3⤵
    PID:2720
- C:\Users\Admin\AppData\Local\Temp\server.exe
  "C:\Users\Admin\AppData\Local\Temp\server.exe"
  2⤵
  - Server Software Component: Terminal Services DLL
  - Executes dropped EXE
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  PID:1032

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k netsvcs
1⤵
- Drops file in Drivers directory
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies data under HKEY_USERS
PID:3020

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Server Software Component

1

T1505

Terminal Services DLL

1

T1505.005

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\爱情、经不起时间或距离的考验.doc

Filesize
39KB

MD5
ac9aeb5e3cc8392ac924397c812c96ae

SHA1
39c4c1ff0c939ce3e4ea9a30781f72110bda01e2

SHA256
6420c2c2176a1308573275dd6fe21ac1f1c11d1c046c3fce2b74381233262049

SHA512
53df2938f0731721202cb81ffa4aeab4432ba2aa7ff2d9a585729e2e271c0ef472eccc284590088024fdb1ed75598168462b18baf584459056902d60dd6f5d18

Download Submit
\??\c:\windows\SysWOW64\fastuserswitchingcompatibilityex.dll

Filesize
99KB

MD5
7fd4b6c2d3d37e4d6478eb0a0c6a8661

SHA1
723eedb5cc3f7a05ae08d82e4d4fb25855e13301

SHA256
fa0a6f47ab8d501e3620dd673ebfe97fce17e611fc29cea111185f4e0ba7f34a

SHA512
c49adeb4e0d8733aa9bc4209ec95f558c90aae9e5ccfc0a51d59b465b352b4e2ab83a78de5fee42a89b277f59f07da73c15c5c341cc48dede7c697e6dd3623a8

Download Submit
\Users\Admin\AppData\Local\Temp\server.exe

Filesize
111KB

MD5
adcde10f51f6bd5bf78adf6fcee9d536

SHA1
449a4df49d11dd81408cbde26fbf9f7ec05aba12

SHA256
91e6cf834dbaf6e3e74c300b2d5963bb638c2503c4678551a7f73c40294e99b3

SHA512
9105c71ed42b5bb7a83ba25fa3fc062412d6c983f6aaae145ec51a19f3ba054b6175ac33603f9194bb9882d8a6468512db4997cbed36ec88fa57f92785ef7e4a

Download Submit
memory/1032-13-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/1032-20-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/1624-5-0x0000000000440000-0x000000000045E000-memory.dmp

Filesize
120KB

Download
memory/1624-12-0x0000000000440000-0x000000000045E000-memory.dmp

Filesize
120KB

Download
memory/2596-6-0x000000002F111000-0x000000002F112000-memory.dmp

Filesize
4KB

Download
memory/2596-18-0x000000005FFF0000-0x0000000060000000-memory.dmp

Filesize
64KB

Download
memory/2596-22-0x00000000715CD000-0x00000000715D8000-memory.dmp

Filesize
44KB

Download
memory/2596-30-0x00000000715CD000-0x00000000715D8000-memory.dmp

Filesize
44KB

Download

Analysis

Sharing