gh0strat | f5210556bbc173d4d4c7bb2972ce61d84e3e17b0fba96f404807591974a7bd1d

Analysis

max time kernel
109s
max time network
145s
platform
windows10-2004_x64
resource
win10v2004-20250217-en
resource tags

arch:x64arch:x86image:win10v2004-20250217-enlocale:en-usos:windows10-2004-x64system
submitted
01/03/2025, 04:15

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

JaffaCakes118_36ab72202d4aea4e5501e69687cb07a0.exe
Size

96KB
MD5

36ab72202d4aea4e5501e69687cb07a0
SHA1

e5704342f9a2fc41da60b631bc8a11c4cec2871c
SHA256

f5210556bbc173d4d4c7bb2972ce61d84e3e17b0fba96f404807591974a7bd1d
SHA512

34517f3f8253318860800c0bd0261c044c1babf6b4a0f0c18776bcb3de5a8352b24289b9123e4feb5baf336d78b65a0ab1595a3dcd35553623df8f74e76d5dc4
SSDEEP

1536:sDFusSx9qYMhdFHS8qdydo3nTzhYxJA+CwNUtBZVY9v8prFNxIK+li:s9S4jHS8q/3nTzePCwNUh4E9FV+li

Score

10^/10

gh0strat discovery rat

Malware Config

Signatures

Gh0st RAT payload 5 IoCs

resource	yara_rule
behavioral2/files/0x000b00000001e4d1-15.dat	family_gh0strat
behavioral2/memory/1112-17-0x0000000000400000-0x000000000044E32C-memory.dmp	family_gh0strat
behavioral2/memory/4972-20-0x0000000020000000-0x0000000020027000-memory.dmp	family_gh0strat
behavioral2/memory/5040-25-0x0000000020000000-0x0000000020027000-memory.dmp	family_gh0strat
behavioral2/memory/3672-30-0x0000000020000000-0x0000000020027000-memory.dmp	family_gh0strat

Gh0strat
Gh0st RAT is a remote access tool (RAT) with its source code public and it has been used by multiple Chinese groups.
rat gh0strat
Gh0strat family
gh0strat

Deletes itself 1 IoCs

pid	Process
1112	eufhwfsmms

Executes dropped EXE 1 IoCs

pid	Process
1112	eufhwfsmms

Loads dropped DLL 3 IoCs

pid	Process
4972	svchost.exe
5040	svchost.exe
3672	svchost.exe

Drops file in System32 directory 6 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\dauwvlbufd	svchost.exe
File opened for modification	C:\Windows\SysWOW64\svchost.exe.txt	svchost.exe
File created	C:\Windows\SysWOW64\diipeodrrx	svchost.exe
File opened for modification	C:\Windows\SysWOW64\svchost.exe.txt	svchost.exe
File created	C:\Windows\SysWOW64\dqwjmrgpft	svchost.exe
File opened for modification	C:\Windows\SysWOW64\svchost.exe.txt	svchost.exe

Program crash 3 IoCs

pid	pid_target	Process	procid_target
2788	4972	WerFault.exe	95
1572	5040	WerFault.exe	100
4756	3672	WerFault.exe	103

System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	eufhwfsmms
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_36ab72202d4aea4e5501e69687cb07a0.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
1112	eufhwfsmms
1112	eufhwfsmms

Suspicious use of AdjustPrivilegeToken 46 IoCs

description	pid	Process
Token: SeRestorePrivilege	1112	eufhwfsmms
Token: SeBackupPrivilege	1112	eufhwfsmms
Token: SeBackupPrivilege	1112	eufhwfsmms
Token: SeRestorePrivilege	1112	eufhwfsmms
Token: SeBackupPrivilege	4972	svchost.exe
Token: SeRestorePrivilege	4972	svchost.exe
Token: SeBackupPrivilege	4972	svchost.exe
Token: SeBackupPrivilege	4972	svchost.exe
Token: SeSecurityPrivilege	4972	svchost.exe
Token: SeSecurityPrivilege	4972	svchost.exe
Token: SeBackupPrivilege	4972	svchost.exe
Token: SeBackupPrivilege	4972	svchost.exe
Token: SeSecurityPrivilege	4972	svchost.exe
Token: SeBackupPrivilege	4972	svchost.exe
Token: SeBackupPrivilege	4972	svchost.exe
Token: SeSecurityPrivilege	4972	svchost.exe
Token: SeBackupPrivilege	4972	svchost.exe
Token: SeRestorePrivilege	4972	svchost.exe
Token: SeBackupPrivilege	5040	svchost.exe
Token: SeRestorePrivilege	5040	svchost.exe
Token: SeBackupPrivilege	5040	svchost.exe
Token: SeBackupPrivilege	5040	svchost.exe
Token: SeSecurityPrivilege	5040	svchost.exe
Token: SeSecurityPrivilege	5040	svchost.exe
Token: SeBackupPrivilege	5040	svchost.exe
Token: SeBackupPrivilege	5040	svchost.exe
Token: SeSecurityPrivilege	5040	svchost.exe
Token: SeBackupPrivilege	5040	svchost.exe
Token: SeBackupPrivilege	5040	svchost.exe
Token: SeSecurityPrivilege	5040	svchost.exe
Token: SeBackupPrivilege	5040	svchost.exe
Token: SeRestorePrivilege	5040	svchost.exe
Token: SeBackupPrivilege	3672	svchost.exe
Token: SeRestorePrivilege	3672	svchost.exe
Token: SeBackupPrivilege	3672	svchost.exe
Token: SeBackupPrivilege	3672	svchost.exe
Token: SeSecurityPrivilege	3672	svchost.exe
Token: SeSecurityPrivilege	3672	svchost.exe
Token: SeBackupPrivilege	3672	svchost.exe
Token: SeBackupPrivilege	3672	svchost.exe
Token: SeSecurityPrivilege	3672	svchost.exe
Token: SeBackupPrivilege	3672	svchost.exe
Token: SeBackupPrivilege	3672	svchost.exe
Token: SeSecurityPrivilege	3672	svchost.exe
Token: SeBackupPrivilege	3672	svchost.exe
Token: SeRestorePrivilege	3672	svchost.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 756 wrote to memory of 1112	756	JaffaCakes118_36ab72202d4aea4e5501e69687cb07a0.exe	90
PID 756 wrote to memory of 1112	756	JaffaCakes118_36ab72202d4aea4e5501e69687cb07a0.exe	90
PID 756 wrote to memory of 1112	756	JaffaCakes118_36ab72202d4aea4e5501e69687cb07a0.exe	90

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_36ab72202d4aea4e5501e69687cb07a0.exe
"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_36ab72202d4aea4e5501e69687cb07a0.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:756
- \??\c:\users\admin\appdata\local\eufhwfsmms
  "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_36ab72202d4aea4e5501e69687cb07a0.exe" a -sc:\users\admin\appdata\local\temp\jaffacakes118_36ab72202d4aea4e5501e69687cb07a0.exe
  2⤵
  - Deletes itself
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1112

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k netsvcs -s fastuserswitchingcompatibility
1⤵
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
PID:4972
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 4972 -s 1076
  2⤵
  - Program crash
  PID:2788

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 4972 -ip 4972
1⤵
PID:4396

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k netsvcs -s fastuserswitchingcompatibility
1⤵
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
PID:5040
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 5040 -s 1100
  2⤵
  - Program crash
  PID:1572

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 440 -p 5040 -ip 5040
1⤵
PID:4824

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k netsvcs -s fastuserswitchingcompatibility
1⤵
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
PID:3672
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 3672 -s 1088
  2⤵
  - Program crash
  PID:4756

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 440 -p 3672 -ip 3672
1⤵
PID:2308

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\eufhwfsmms

Filesize
21.8MB

MD5
0a5697e51b506855463506b619b50230

SHA1
d4047578d859830134e978a29412b33d648d3918

SHA256
abd3ab736a8fde3ae3d923414bac25fe768b3177bf0ac3b8ddbdba1747ac28ee

SHA512
1b1bb299e82b7a975312f39ca16675dd02773968f1db01c06eeea8c91cab818ecf90ff004fe42f8688bca678dc8fbeab3601dba916b7ae5e0c880ab7d1750e7f

Download Submit
C:\Windows\SysWOW64\svchost.exe.txt

Filesize
200B

MD5
d09b59cd3416125b50e3a3df6a02c19f

SHA1
862e2790461bfb0053825acace86c11d2c3fd629

SHA256
774aa24496d9794eebcf4a1413c05d6a8888a75065356bf436a9e13ee3c045ae

SHA512
ea462f6fa33b924ecff624af9f4cee293ba53c476c1bf715c6900b15db9fe0104486ddb2f18b551804704bf375e1880a495c0192d0a2e1e3856916047f5e9691

Download Submit
C:\Windows\SysWOW64\svchost.exe.txt

Filesize
300B

MD5
9ec5ec0073e70afba60090616051f1e1

SHA1
e026164e8fab47b5b22bb25291e641eb487fce69

SHA256
2d58b6b0470b00de540509edcfa71769180616fb41e4d46025ccd80a6985da19

SHA512
e18efbc3e46200491a9e3c1cdf200ee63621f3b77f9cda1e8c3696dc366e8e93513f81f454f6dad1c337cef91b0fabd98ea907d0ad10b853a6ce529a93142e0c

Download Submit
\??\c:\programdata\application data\storm\update\%sessionname%\stnvl.cc3

Filesize
23.0MB

MD5
2cbde5a31697af321d0e2ff4d28dfdb8

SHA1
f988368e20c98460b242f65733af75d3585935e8

SHA256
f5d99522fd88c38a7311bd1b288d19cece5bd1f44bfaa41999465a764611c678

SHA512
9cb87078869bd0481794e05bc604f2605b1a104f0e2b288faf9f5d162eb32d1359bb532e98ebc9e26ba044e4efe99923b2ce50737a370193ebecf07992a11af6

Download Submit
memory/756-2-0x00000000001D0000-0x00000000001D1000-memory.dmp

Filesize
4KB

Download
memory/756-12-0x0000000000400000-0x000000000044E32C-memory.dmp

Filesize
312KB

Download
memory/756-0-0x0000000000400000-0x000000000044E32C-memory.dmp

Filesize
312KB

Download
memory/1112-10-0x00000000001D0000-0x00000000001D1000-memory.dmp

Filesize
4KB

Download
memory/1112-9-0x0000000000400000-0x000000000044E32C-memory.dmp

Filesize
312KB

Download
memory/1112-17-0x0000000000400000-0x000000000044E32C-memory.dmp

Filesize
312KB

Download
memory/3672-27-0x00000000013D0000-0x00000000013D1000-memory.dmp

Filesize
4KB

Download
memory/3672-30-0x0000000020000000-0x0000000020027000-memory.dmp

Filesize
156KB

Download
memory/4972-18-0x00000000017E0000-0x00000000017E1000-memory.dmp

Filesize
4KB

Download
memory/4972-20-0x0000000020000000-0x0000000020027000-memory.dmp

Filesize
156KB

Download
memory/5040-25-0x0000000020000000-0x0000000020027000-memory.dmp

Filesize
156KB

Download
memory/5040-22-0x0000000001680000-0x0000000001681000-memory.dmp

Filesize
4KB

Download