gh0strat | c4a0bb6d9044522198049699b416f78168fa5ac7adcf577de5471a245cfc4af0

Analysis

max time kernel
150s
max time network
139s
platform
windows7_x64
resource
win7-20250207-en
resource tags

arch:x64arch:x86image:win7-20250207-enlocale:en-usos:windows7-x64system
submitted
01/03/2025, 22:05

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

JaffaCakes118_3be35fb0f28a5f841cd6765827785c5e.exe
Size

321KB
MD5

3be35fb0f28a5f841cd6765827785c5e
SHA1

eaddef60d78bc8fcfd426541453b0504748f78c9
SHA256

c4a0bb6d9044522198049699b416f78168fa5ac7adcf577de5471a245cfc4af0
SHA512

bf88d6f6f69968b84b8fa24630f9fcb044019e4b409a38f8c6801696d68713d2cd7de94b35affaaa4f742d78e17d33bfdd2eb041f6bc7ded4e2ee117c50d7c4b
SSDEEP

6144:p7j1MoraeUuq4H4nDWgRAkPUHtGQn8xID0DMF3GqpKHeLu1keWcw1Weqo:p/1/We+1R3PGGLxe0DbdUBceH

Score

10^/10

gh0strat discovery rat

Malware Config

Signatures

Gh0st RAT payload 6 IoCs

resource	yara_rule
behavioral1/memory/3028-6-0x0000000000400000-0x0000000000478000-memory.dmp	family_gh0strat
behavioral1/files/0x0008000000004ed7-14.dat	family_gh0strat
behavioral1/memory/3028-20-0x0000000010000000-0x000000001001C000-memory.dmp	family_gh0strat
behavioral1/memory/3028-21-0x0000000000400000-0x0000000000478000-memory.dmp	family_gh0strat
behavioral1/files/0x000e000000012341-23.dat	family_gh0strat
behavioral1/memory/2912-24-0x0000000010000000-0x000000001001C000-memory.dmp	family_gh0strat

Gh0strat
Gh0st RAT is a remote access tool (RAT) with its source code public and it has been used by multiple Chinese groups.
rat gh0strat
Gh0strat family
gh0strat

Deletes itself 1 IoCs

pid	Process
2912	svchost.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File created	C:\Windows\FileName.jpg	JaffaCakes118_3be35fb0f28a5f841cd6765827785c5e.exe
File opened for modification	C:\Windows\FileName.jpg	JaffaCakes118_3be35fb0f28a5f841cd6765827785c5e.exe

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_3be35fb0f28a5f841cd6765827785c5e.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2912	svchost.exe
2912	svchost.exe
2912	svchost.exe
2912	svchost.exe
2912	svchost.exe
2912	svchost.exe
2912	svchost.exe
2912	svchost.exe
2912	svchost.exe
2912	svchost.exe
2912	svchost.exe
2912	svchost.exe
2912	svchost.exe
2912	svchost.exe
2912	svchost.exe
2912	svchost.exe
2912	svchost.exe
2912	svchost.exe
2912	svchost.exe
2912	svchost.exe
2912	svchost.exe
2912	svchost.exe
2912	svchost.exe
2912	svchost.exe
2912	svchost.exe
2912	svchost.exe
2912	svchost.exe
2912	svchost.exe
2912	svchost.exe
2912	svchost.exe
2912	svchost.exe
2912	svchost.exe
2912	svchost.exe
2912	svchost.exe
2912	svchost.exe
2912	svchost.exe
2912	svchost.exe
2912	svchost.exe
2912	svchost.exe
2912	svchost.exe
2912	svchost.exe
2912	svchost.exe
2912	svchost.exe
2912	svchost.exe
2912	svchost.exe
2912	svchost.exe
2912	svchost.exe
2912	svchost.exe
2912	svchost.exe
2912	svchost.exe
2912	svchost.exe
2912	svchost.exe
2912	svchost.exe
2912	svchost.exe
2912	svchost.exe
2912	svchost.exe
2912	svchost.exe
2912	svchost.exe
2912	svchost.exe
2912	svchost.exe
2912	svchost.exe
2912	svchost.exe
2912	svchost.exe
2912	svchost.exe

Suspicious use of AdjustPrivilegeToken 8 IoCs

description	pid	Process
Token: SeBackupPrivilege	3028	JaffaCakes118_3be35fb0f28a5f841cd6765827785c5e.exe
Token: SeRestorePrivilege	3028	JaffaCakes118_3be35fb0f28a5f841cd6765827785c5e.exe
Token: SeBackupPrivilege	3028	JaffaCakes118_3be35fb0f28a5f841cd6765827785c5e.exe
Token: SeRestorePrivilege	3028	JaffaCakes118_3be35fb0f28a5f841cd6765827785c5e.exe
Token: SeBackupPrivilege	3028	JaffaCakes118_3be35fb0f28a5f841cd6765827785c5e.exe
Token: SeRestorePrivilege	3028	JaffaCakes118_3be35fb0f28a5f841cd6765827785c5e.exe
Token: SeBackupPrivilege	3028	JaffaCakes118_3be35fb0f28a5f841cd6765827785c5e.exe
Token: SeRestorePrivilege	3028	JaffaCakes118_3be35fb0f28a5f841cd6765827785c5e.exe

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_3be35fb0f28a5f841cd6765827785c5e.exe
"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_3be35fb0f28a5f841cd6765827785c5e.exe"
1⤵
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
PID:3028

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k imgsvc
1⤵
- Deletes itself
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
PID:2912

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\706000.dll

Filesize
101KB

MD5
0c442fcf389301e632c2c5ce2804553e

SHA1
117b7727484b3e8d1c3f2505d7093b3876a8ef1b

SHA256
c7d1349fe706f0d8d9600b43ff60b7cbcd6246013cf38810e3c201454315faa4

SHA512
328135fb8c859137f53c5e5235c551f1c7cefa93be6f84dad6df69113de9dd6370dbcef9f9007fdeb1fe3ff25808fdc460e5691c2628619f2e96910dbc31ae14

Download Submit
C:\Windows\FileName.jpg

Filesize
14.9MB

MD5
2738aef4af136f7cf372b40a69502fea

SHA1
f1cb03c83c87ec72adc70cb31d8ed33baee99e22

SHA256
6b0b0dede19c143a410db859aa75338b4009c3fbda6289e0adfd50382e504b86

SHA512
39ff5f10d2a65f8aa251213ac9b7478e86bda0942d2564c2d1037c5fc3d95afcf0d631e702d4c675543270b85a28e9f00ce87407b1e4ff5cbcaf8226691c4bdc

Download Submit
\??\c:\NT_Path.jpg

Filesize
98B

MD5
19913b605b5d408518d9aaba7a332342

SHA1
4c7183701e56014bf7e8ddc2017b7be830007101

SHA256
860fe47d926010906873a576121706d4572e1a0ed19d95d37c1f27ba1b824f36

SHA512
b6ada5dd91e859a72cd2705268162b657baf3647d8691782811c5f73a2e1e1b81711b628b7773cc0586b3fd24d3001d3e03805b914a48145387b4122c475124a

Download Submit
memory/2912-24-0x0000000010000000-0x000000001001C000-memory.dmp

Filesize
112KB

Download
memory/3028-10-0x0000000002440000-0x00000000025C0000-memory.dmp

Filesize
1.5MB

Download
memory/3028-4-0x0000000000260000-0x00000000002A0000-memory.dmp

Filesize
256KB

Download
memory/3028-3-0x0000000000260000-0x00000000002A0000-memory.dmp

Filesize
256KB

Download
memory/3028-2-0x00000000002A0000-0x00000000002A1000-memory.dmp

Filesize
4KB

Download
memory/3028-0-0x0000000000400000-0x0000000000478000-memory.dmp

Filesize
480KB

Download
memory/3028-5-0x0000000000400000-0x0000000000478000-memory.dmp

Filesize
480KB

Download
memory/3028-20-0x0000000010000000-0x000000001001C000-memory.dmp

Filesize
112KB

Download
memory/3028-21-0x0000000000400000-0x0000000000478000-memory.dmp

Filesize
480KB

Download
memory/3028-18-0x0000000000260000-0x00000000002A0000-memory.dmp

Filesize
256KB

Download
memory/3028-6-0x0000000000400000-0x0000000000478000-memory.dmp

Filesize
480KB

Download
memory/3028-9-0x00000000025C0000-0x00000000026D0000-memory.dmp

Filesize
1.1MB

Download
memory/3028-1-0x0000000000240000-0x00000000002B8000-memory.dmp

Filesize
480KB

Download