gh0strat | 22a665b7bea6af53fd4f849dba1d6afe7b6b9bfcd6a372ee60462e0fd5535a1c

Analysis

max time kernel
150s
max time network
149s
platform
windows10-2004_x64
resource
win10v2004-20250217-en
resource tags

arch:x64arch:x86image:win10v2004-20250217-enlocale:en-usos:windows10-2004-x64system
submitted
28/02/2025, 06:02

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

JaffaCakes118_320eeb1cb6519551b0a853f4a6042683.exe
Size

222KB
MD5

320eeb1cb6519551b0a853f4a6042683
SHA1

83557ff3574aa8e9c6e0e7fe2fa19a45e4555042
SHA256

22a665b7bea6af53fd4f849dba1d6afe7b6b9bfcd6a372ee60462e0fd5535a1c
SHA512

2895567964819ee86a5064e8bcbc69bbb43474a98541275ff3627532f6e5b1fc454db08ab07d6f35c73d87125f17ecbbd446e0832027f0b6a72cf5ee459481a4
SSDEEP

6144:kltelNNb4uXw3uSnbQ0ANQa2S2VFKLVjVf:CO4XeSnE0+2S8Kzf

Score

10^/10

gh0strat discovery persistence rat

Malware Config

Signatures

Gh0st RAT payload 1 IoCs

resource	yara_rule
behavioral2/files/0x0009000000023c57-4.dat	family_gh0strat

Gh0strat
Gh0st RAT is a remote access tool (RAT) with its source code public and it has been used by multiple Chinese groups.
rat gh0strat
Gh0strat family
gh0strat

Server Software Component: Terminal Services DLL 1 TTPs 1 IoCs

persistence

Terminal Services DLL

T1505.005

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\3cKfhSGe\Parameters\ServiceDll = "C:\\Windows\\system32\\a1ki66.pic"	JaffaCakes118_320eeb1cb6519551b0a853f4a6042683.exe

Deletes itself 1 IoCs

pid	Process
2240	rundll32.exe

Loads dropped DLL 4 IoCs

pid	Process
1528	svchost.exe
2240	rundll32.exe
1688	svchost.exe
3972	rundll32.exe

Drops file in System32 directory 1 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\a1ki66.pic	JaffaCakes118_320eeb1cb6519551b0a853f4a6042683.exe

Program crash 2 IoCs

pid	pid_target	Process	procid_target
436	1528	WerFault.exe	89
2548	1688	WerFault.exe	101

System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_320eeb1cb6519551b0a853f4a6042683.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	rundll32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	rundll32.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1220	JaffaCakes118_320eeb1cb6519551b0a853f4a6042683.exe
1220	JaffaCakes118_320eeb1cb6519551b0a853f4a6042683.exe
1220	JaffaCakes118_320eeb1cb6519551b0a853f4a6042683.exe
1220	JaffaCakes118_320eeb1cb6519551b0a853f4a6042683.exe
1220	JaffaCakes118_320eeb1cb6519551b0a853f4a6042683.exe
1220	JaffaCakes118_320eeb1cb6519551b0a853f4a6042683.exe
1220	JaffaCakes118_320eeb1cb6519551b0a853f4a6042683.exe
1220	JaffaCakes118_320eeb1cb6519551b0a853f4a6042683.exe
1220	JaffaCakes118_320eeb1cb6519551b0a853f4a6042683.exe
1220	JaffaCakes118_320eeb1cb6519551b0a853f4a6042683.exe
2240	rundll32.exe
2240	rundll32.exe
2240	rundll32.exe
2240	rundll32.exe
2240	rundll32.exe
2240	rundll32.exe
2240	rundll32.exe
2240	rundll32.exe
2240	rundll32.exe
2240	rundll32.exe
2240	rundll32.exe
2240	rundll32.exe
2240	rundll32.exe
2240	rundll32.exe
2240	rundll32.exe
2240	rundll32.exe
2240	rundll32.exe
2240	rundll32.exe
2240	rundll32.exe
2240	rundll32.exe
2240	rundll32.exe
2240	rundll32.exe
2240	rundll32.exe
2240	rundll32.exe
2240	rundll32.exe
2240	rundll32.exe
2240	rundll32.exe
2240	rundll32.exe
2240	rundll32.exe
2240	rundll32.exe
2240	rundll32.exe
2240	rundll32.exe
2240	rundll32.exe
2240	rundll32.exe
2240	rundll32.exe
2240	rundll32.exe
2240	rundll32.exe
2240	rundll32.exe
2240	rundll32.exe
2240	rundll32.exe
2240	rundll32.exe
2240	rundll32.exe
2240	rundll32.exe
2240	rundll32.exe
2240	rundll32.exe
2240	rundll32.exe
2240	rundll32.exe
2240	rundll32.exe
2240	rundll32.exe
2240	rundll32.exe
2240	rundll32.exe
2240	rundll32.exe
2240	rundll32.exe
2240	rundll32.exe

Suspicious use of AdjustPrivilegeToken 10 IoCs

description	pid	Process
Token: 33	1220	JaffaCakes118_320eeb1cb6519551b0a853f4a6042683.exe
Token: SeIncBasePriorityPrivilege	1220	JaffaCakes118_320eeb1cb6519551b0a853f4a6042683.exe
Token: SeBackupPrivilege	1220	JaffaCakes118_320eeb1cb6519551b0a853f4a6042683.exe
Token: SeRestorePrivilege	1220	JaffaCakes118_320eeb1cb6519551b0a853f4a6042683.exe
Token: SeDebugPrivilege	1528	svchost.exe
Token: SeBackupPrivilege	2240	rundll32.exe
Token: SeSecurityPrivilege	2240	rundll32.exe
Token: SeDebugPrivilege	1688	svchost.exe
Token: SeBackupPrivilege	3972	rundll32.exe
Token: SeSecurityPrivilege	3972	rundll32.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 1528 wrote to memory of 2240	1528	svchost.exe	91
PID 1528 wrote to memory of 2240	1528	svchost.exe	91
PID 1528 wrote to memory of 2240	1528	svchost.exe	91
PID 1688 wrote to memory of 3972	1688	svchost.exe	102
PID 1688 wrote to memory of 3972	1688	svchost.exe	102
PID 1688 wrote to memory of 3972	1688	svchost.exe	102

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_320eeb1cb6519551b0a853f4a6042683.exe
"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_320eeb1cb6519551b0a853f4a6042683.exe"
1⤵
- Server Software Component: Terminal Services DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1220

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k 3cKfhSGe
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1528
- C:\Windows\SysWOW64\rundll32.exe
  rundll32.exe c:\windows\system32\a1ki66.pic,main 3cKfhSGe
  2⤵
  - Deletes itself
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2240
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 1528 -s 468
  2⤵
  - Program crash
  PID:436

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 1528 -ip 1528
1⤵
PID:3476

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k 3cKfhSGe
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1688
- C:\Windows\SysWOW64\rundll32.exe
  rundll32.exe c:\windows\system32\a1ki66.pic,main 3cKfhSGe
  2⤵
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  PID:3972
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 1688 -s 436
  2⤵
  - Program crash
  PID:2548

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 536 -p 1688 -ip 1688
1⤵
PID:3856

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Server Software Component

T1505

Terminal Services DLL

T1505.005

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\a1ki66.pic

Filesize
28.1MB

MD5
c85838c3973496cd57612f1c47e5200c

SHA1
04cc727b16e2795bf7faf284b23e1a026b128db9

SHA256
f7588cf901b9b435442794c76ee792682dcc02a26749a43acb2806aa90a048d9

SHA512
c45c8b5dab58c6d0c411f846f821fde4615302f1416990bb944c2a47507027431b1a5491e9d27d5ca193ea3a9bd3f076194a8d33918f244aa2b97e3b250c232f

Download Submit