gh0strat | 0feeff3ab680deabf6e3583c553cb83647113182e0f0cd64860955e2e510ed62

Analysis

max time kernel
107s
max time network
135s
platform
windows10-2004_x64
resource
win10v2004-20250217-en
resource tags

arch:x64arch:x86image:win10v2004-20250217-enlocale:en-usos:windows10-2004-x64system
submitted
28/02/2025, 05:40

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

JaffaCakes118_31f4ee37705aa6d03627013abf5c3300.exe
Size

96KB
MD5

31f4ee37705aa6d03627013abf5c3300
SHA1

c53d67f906a9a742f6930aaadc3661d0cfc02b92
SHA256

0feeff3ab680deabf6e3583c553cb83647113182e0f0cd64860955e2e510ed62
SHA512

efde74b2e2045c1d5bb10f27b870d85e11e5c74811245feec7a8549f3f2a776c6cb21b6737b7131bc2b9bb4a5de6f6f42617702caf2e20ecd8075d5cebb399fc
SSDEEP

1536:7QFusSx9qYMhdFHS8qdydo3nTzhYxJA+CwNUtBZVY9v8proyLClEoPHEY42CpLj:7iS4jHS8q/3nTzePCwNUh4E9o+0PHEBj

Score

10^/10

gh0strat discovery rat

Malware Config

Signatures

Gh0st RAT payload 5 IoCs

resource	yara_rule
behavioral2/files/0x000300000001e941-14.dat	family_gh0strat
behavioral2/memory/5048-17-0x0000000000400000-0x000000000044E31C-memory.dmp	family_gh0strat
behavioral2/memory/1164-20-0x0000000020000000-0x0000000020027000-memory.dmp	family_gh0strat
behavioral2/memory/3432-25-0x0000000020000000-0x0000000020027000-memory.dmp	family_gh0strat
behavioral2/memory/2520-30-0x0000000020000000-0x0000000020027000-memory.dmp	family_gh0strat

Gh0strat
Gh0st RAT is a remote access tool (RAT) with its source code public and it has been used by multiple Chinese groups.
rat gh0strat
Gh0strat family
gh0strat

Deletes itself 1 IoCs

pid	Process
5048	erhwlcyjog

Executes dropped EXE 1 IoCs

pid	Process
5048	erhwlcyjog

Loads dropped DLL 3 IoCs

pid	Process
1164	svchost.exe
3432	svchost.exe
2520	svchost.exe

Drops file in System32 directory 6 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\biacnhcidk	svchost.exe
File opened for modification	C:\Windows\SysWOW64\svchost.exe.txt	svchost.exe
File created	C:\Windows\SysWOW64\bqovvkegqf	svchost.exe
File opened for modification	C:\Windows\SysWOW64\svchost.exe.txt	svchost.exe
File created	C:\Windows\SysWOW64\baljfeakqp	svchost.exe
File opened for modification	C:\Windows\SysWOW64\svchost.exe.txt	svchost.exe

Program crash 3 IoCs

pid	pid_target	Process	procid_target
448	1164	WerFault.exe	95
116	3432	WerFault.exe	100
1340	2520	WerFault.exe	103

System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_31f4ee37705aa6d03627013abf5c3300.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	erhwlcyjog
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
5048	erhwlcyjog
5048	erhwlcyjog

Suspicious use of AdjustPrivilegeToken 46 IoCs

description	pid	Process
Token: SeRestorePrivilege	5048	erhwlcyjog
Token: SeBackupPrivilege	5048	erhwlcyjog
Token: SeBackupPrivilege	5048	erhwlcyjog
Token: SeRestorePrivilege	5048	erhwlcyjog
Token: SeBackupPrivilege	1164	svchost.exe
Token: SeRestorePrivilege	1164	svchost.exe
Token: SeBackupPrivilege	1164	svchost.exe
Token: SeBackupPrivilege	1164	svchost.exe
Token: SeSecurityPrivilege	1164	svchost.exe
Token: SeSecurityPrivilege	1164	svchost.exe
Token: SeBackupPrivilege	1164	svchost.exe
Token: SeBackupPrivilege	1164	svchost.exe
Token: SeSecurityPrivilege	1164	svchost.exe
Token: SeBackupPrivilege	1164	svchost.exe
Token: SeBackupPrivilege	1164	svchost.exe
Token: SeSecurityPrivilege	1164	svchost.exe
Token: SeBackupPrivilege	1164	svchost.exe
Token: SeRestorePrivilege	1164	svchost.exe
Token: SeBackupPrivilege	3432	svchost.exe
Token: SeRestorePrivilege	3432	svchost.exe
Token: SeBackupPrivilege	3432	svchost.exe
Token: SeBackupPrivilege	3432	svchost.exe
Token: SeSecurityPrivilege	3432	svchost.exe
Token: SeSecurityPrivilege	3432	svchost.exe
Token: SeBackupPrivilege	3432	svchost.exe
Token: SeBackupPrivilege	3432	svchost.exe
Token: SeSecurityPrivilege	3432	svchost.exe
Token: SeBackupPrivilege	3432	svchost.exe
Token: SeBackupPrivilege	3432	svchost.exe
Token: SeSecurityPrivilege	3432	svchost.exe
Token: SeBackupPrivilege	3432	svchost.exe
Token: SeRestorePrivilege	3432	svchost.exe
Token: SeBackupPrivilege	2520	svchost.exe
Token: SeRestorePrivilege	2520	svchost.exe
Token: SeBackupPrivilege	2520	svchost.exe
Token: SeBackupPrivilege	2520	svchost.exe
Token: SeSecurityPrivilege	2520	svchost.exe
Token: SeSecurityPrivilege	2520	svchost.exe
Token: SeBackupPrivilege	2520	svchost.exe
Token: SeBackupPrivilege	2520	svchost.exe
Token: SeSecurityPrivilege	2520	svchost.exe
Token: SeBackupPrivilege	2520	svchost.exe
Token: SeBackupPrivilege	2520	svchost.exe
Token: SeSecurityPrivilege	2520	svchost.exe
Token: SeBackupPrivilege	2520	svchost.exe
Token: SeRestorePrivilege	2520	svchost.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 716 wrote to memory of 5048	716	JaffaCakes118_31f4ee37705aa6d03627013abf5c3300.exe	90
PID 716 wrote to memory of 5048	716	JaffaCakes118_31f4ee37705aa6d03627013abf5c3300.exe	90
PID 716 wrote to memory of 5048	716	JaffaCakes118_31f4ee37705aa6d03627013abf5c3300.exe	90

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_31f4ee37705aa6d03627013abf5c3300.exe
"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_31f4ee37705aa6d03627013abf5c3300.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:716
- \??\c:\users\admin\appdata\local\erhwlcyjog
  "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_31f4ee37705aa6d03627013abf5c3300.exe" a -sc:\users\admin\appdata\local\temp\jaffacakes118_31f4ee37705aa6d03627013abf5c3300.exe
  2⤵
  - Deletes itself
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:5048

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k netsvcs -s fastuserswitchingcompatibility
1⤵
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
PID:1164
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 1164 -s 1020
  2⤵
  - Program crash
  PID:448

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 452 -p 1164 -ip 1164
1⤵
PID:1736

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k netsvcs -s fastuserswitchingcompatibility
1⤵
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
PID:3432
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 3432 -s 872
  2⤵
  - Program crash
  PID:116

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 508 -p 3432 -ip 3432
1⤵
PID:1760

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k netsvcs -s fastuserswitchingcompatibility
1⤵
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
PID:2520
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 2520 -s 1052
  2⤵
  - Program crash
  PID:1340

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 536 -p 2520 -ip 2520
1⤵
PID:644

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\svchost.exe.txt

Filesize
202B

MD5
d5e4020d048f3c41d97a308bff8142a2

SHA1
6c28631d14282243360e3725bc1d52c4c3393da4

SHA256
1e45ac36a8f1382885fee9c8c5561b74f6d0dd1ea065f4441fef7bc267580da0

SHA512
c02a4c7a30163ecb38acf32bd82ef0f59299eb38db8dfca00680848f357c3527c17b342813de340bceffff99b7e0d3cd8e5e65ba76c3c34cb7a46df625c1ab8f

Download Submit
C:\Windows\SysWOW64\svchost.exe.txt

Filesize
303B

MD5
0f19fefcd62ec2718f70c10bc1968662

SHA1
1dee0a88f147081bb6584e1226b20c7b210c308e

SHA256
14476c046339a48306eabfd1822262e3c43ae8401448f3693867ece0b945672f

SHA512
6583971e881008a6c0f5b3daa3d495211108110fccf63522799052e68e5245f48d7daf0aa8150c5682ed3b73a2d9a7fe35380c9a9ec295567f9eaf89bf18cda9

Download Submit
\??\c:\programdata\application data\storm\update\%sessionname%\oossf.cc3

Filesize
24.1MB

MD5
414c01ddb9032f260bc0383d0050ca19

SHA1
bd24636a6ed3ba40fddf83a759c17aab924f803d

SHA256
1abe6ad826eb8edd5b160266bd4917d9bba996b733449550b6a612529fb3391d

SHA512
b0f3c8536e8ea6ebd1e50d08a6a06ac8f8d5f954f99a9353b30c5a3fbf6f4a359710fc09419f1e5bc8de3717f7df4339a0835c7f9186cbeecbbb5438e486e6c1

Download Submit
\??\c:\users\admin\appdata\local\erhwlcyjog

Filesize
23.9MB

MD5
62b4655091fe7b1bcdf991a7dc42dd99

SHA1
9c769bffc55fcf4cfc9a4f7c0db66496bd6d2611

SHA256
10afac8b66214393af6f43fb09eedf718f3933ffece835499a69b75cd37fa886

SHA512
9af676c97c3582e96bc9f774e1a5f43fbaacfa1b6cfc2f170b4ca4dfbec17dfedb9782958824811f33f8c1f16082d850850b7efdcb62ed95f1ede785e3c2a5bb

Download Submit
memory/716-2-0x00000000001D0000-0x00000000001D1000-memory.dmp

Filesize
4KB

Download
memory/716-7-0x0000000000400000-0x000000000044E31C-memory.dmp

Filesize
312KB

Download
memory/716-0-0x0000000000400000-0x000000000044E31C-memory.dmp

Filesize
312KB

Download
memory/1164-18-0x0000000000EF0000-0x0000000000EF1000-memory.dmp

Filesize
4KB

Download
memory/1164-20-0x0000000020000000-0x0000000020027000-memory.dmp

Filesize
156KB

Download
memory/2520-30-0x0000000020000000-0x0000000020027000-memory.dmp

Filesize
156KB

Download
memory/2520-27-0x00000000019E0000-0x00000000019E1000-memory.dmp

Filesize
4KB

Download
memory/3432-25-0x0000000020000000-0x0000000020027000-memory.dmp

Filesize
156KB

Download
memory/3432-22-0x0000000000F00000-0x0000000000F01000-memory.dmp

Filesize
4KB

Download
memory/5048-17-0x0000000000400000-0x000000000044E31C-memory.dmp

Filesize
312KB

Download
memory/5048-8-0x0000000000400000-0x000000000044E31C-memory.dmp

Filesize
312KB

Download
memory/5048-11-0x00000000001D0000-0x00000000001D1000-memory.dmp

Filesize
4KB

Download