gh0strat | b841791e639f01f1714bf635a44f38d0fc0c4e2be08c2b34af655f0440055074

Analysis

max time kernel
150s
max time network
145s
platform
windows10-2004_x64
resource
win10v2004-20250217-en
resource tags

arch:x64arch:x86image:win10v2004-20250217-enlocale:en-usos:windows10-2004-x64system
submitted
01/03/2025, 07:37

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

JaffaCakes118_379fb2f0a94317823dc4b13b2a05cab7.exe
Size

172KB
MD5

379fb2f0a94317823dc4b13b2a05cab7
SHA1

d3e317b61195a08f33677672d7681d6f1cd2fd5b
SHA256

b841791e639f01f1714bf635a44f38d0fc0c4e2be08c2b34af655f0440055074
SHA512

6c69bd3bcc97dad73cab19452f80caddb90158aec5b03817062ff692da7845aa9d08c60125ab04ec44377c5c7330cc1dd137a74616eb47d9046f288e283da7f0
SSDEEP

3072:+fyJtvpLh9cGWKfn308osxp70zSQQZMSYNxMS:+ifcI/0puxQWMSYLB

Score

10^/10

gh0strat discovery rat

Malware Config

Signatures

Gh0st RAT payload 2 IoCs

resource	yara_rule
behavioral2/files/0x000a000000023d22-2.dat	family_gh0strat
behavioral2/files/0x0013000000023c1b-10.dat	family_gh0strat

Gh0strat
Gh0st RAT is a remote access tool (RAT) with its source code public and it has been used by multiple Chinese groups.
rat gh0strat
Gh0strat family
gh0strat

Blocklisted process makes network request 2 IoCs

flow	pid	Process
32	3380	rundll32.exe
66	3380	rundll32.exe

Deletes itself 1 IoCs

pid	Process
4572	svchost.exe

Loads dropped DLL 3 IoCs

pid	Process
4808	JaffaCakes118_379fb2f0a94317823dc4b13b2a05cab7.exe
4572	svchost.exe
3380	rundll32.exe

Drops file in System32 directory 3 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\RqmhtoC.dll	JaffaCakes118_379fb2f0a94317823dc4b13b2a05cab7.exe
File opened for modification	C:\Windows\SysWOW64\Rxmectxe.dll	JaffaCakes118_379fb2f0a94317823dc4b13b2a05cab7.exe
File created	C:\Windows\SysWOW64\Rxmectxe.dll	JaffaCakes118_379fb2f0a94317823dc4b13b2a05cab7.exe

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_379fb2f0a94317823dc4b13b2a05cab7.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	rundll32.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
4572	svchost.exe
4572	svchost.exe
4572	svchost.exe
4572	svchost.exe
4572	svchost.exe
4572	svchost.exe
4572	svchost.exe
4572	svchost.exe
4572	svchost.exe
4572	svchost.exe
4572	svchost.exe
4572	svchost.exe
4572	svchost.exe
4572	svchost.exe
4572	svchost.exe
4572	svchost.exe
4572	svchost.exe
4572	svchost.exe
4572	svchost.exe
4572	svchost.exe
4572	svchost.exe
4572	svchost.exe
4572	svchost.exe
4572	svchost.exe
4572	svchost.exe
4572	svchost.exe
4572	svchost.exe
4572	svchost.exe
4572	svchost.exe
4572	svchost.exe
4572	svchost.exe
4572	svchost.exe
4572	svchost.exe
4572	svchost.exe
4572	svchost.exe
4572	svchost.exe
4572	svchost.exe
4572	svchost.exe
4572	svchost.exe
4572	svchost.exe
4572	svchost.exe
4572	svchost.exe
4572	svchost.exe
4572	svchost.exe
4572	svchost.exe
4572	svchost.exe
4572	svchost.exe
4572	svchost.exe
4572	svchost.exe
4572	svchost.exe
4572	svchost.exe
4572	svchost.exe
4572	svchost.exe
4572	svchost.exe
4572	svchost.exe
4572	svchost.exe
4572	svchost.exe
4572	svchost.exe
4572	svchost.exe
4572	svchost.exe
4572	svchost.exe
4572	svchost.exe
4572	svchost.exe
4572	svchost.exe

Suspicious use of AdjustPrivilegeToken 13 IoCs

description	pid	Process
Token: SeBackupPrivilege	4808	JaffaCakes118_379fb2f0a94317823dc4b13b2a05cab7.exe
Token: SeRestorePrivilege	4808	JaffaCakes118_379fb2f0a94317823dc4b13b2a05cab7.exe
Token: SeBackupPrivilege	4808	JaffaCakes118_379fb2f0a94317823dc4b13b2a05cab7.exe
Token: SeRestorePrivilege	4808	JaffaCakes118_379fb2f0a94317823dc4b13b2a05cab7.exe
Token: SeBackupPrivilege	4808	JaffaCakes118_379fb2f0a94317823dc4b13b2a05cab7.exe
Token: SeRestorePrivilege	4808	JaffaCakes118_379fb2f0a94317823dc4b13b2a05cab7.exe
Token: SeBackupPrivilege	4808	JaffaCakes118_379fb2f0a94317823dc4b13b2a05cab7.exe
Token: SeRestorePrivilege	4808	JaffaCakes118_379fb2f0a94317823dc4b13b2a05cab7.exe
Token: SeDebugPrivilege	4572	svchost.exe
Token: SeDebugPrivilege	3380	rundll32.exe
Token: SeDebugPrivilege	3380	rundll32.exe
Token: SeDebugPrivilege	3380	rundll32.exe
Token: SeDebugPrivilege	3380	rundll32.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 4572 wrote to memory of 3380	4572	svchost.exe	98
PID 4572 wrote to memory of 3380	4572	svchost.exe	98
PID 4572 wrote to memory of 3380	4572	svchost.exe	98

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_379fb2f0a94317823dc4b13b2a05cab7.exe
"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_379fb2f0a94317823dc4b13b2a05cab7.exe"
1⤵
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
PID:4808

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k imgsvc
1⤵
- Deletes itself
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4572
- C:\Windows\SysWOW64\rundll32.exe
  rundll32.exe c:\windows\system32\rxmectxe.dll wintest
  2⤵
  - Blocklisted process makes network request
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  PID:3380

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\RqmhtoC.dll

Filesize
132KB

MD5
889545e0219f5d63e4d89a5d57975a75

SHA1
0145ccde4bace8e324275cfa03912ec37eaa3d2c

SHA256
f3f0e28eb5b25d2c3030517e61c0ae483c7fdc80b36c8cddc50330d9a18f1694

SHA512
d30143a30dbcd65315c1f78a85bd869d3b738d31b0cd35819c85ebfb6881d872bcbd8516cc0c652405380da4f7638339ca8e97f8a4f3b3f47b86b7075427e476

Download Submit
\??\c:\NT_Path.jpg

Filesize
116B

MD5
7a8481967d87d07c030135b305235c25

SHA1
2fdd90ad37cda02111517a1494121531592ef5d6

SHA256
948c764be00bd6d161eddbfff7b7b507032b345fd08b1e71e37a47dfe75cf128

SHA512
fee35fadee15b10c85ce09d8c68a8ded6b0d65338361a6473a6d7b7b79de44ae6c01e5a6553e25065a53db48f659f7be8df29b08a616c76555debc2fbba15e2f

Download Submit
\??\c:\windows\SysWOW64\rxmectxe.dll

Filesize
19.0MB

MD5
b9086271d9e07d578348011a4001b748

SHA1
ec6d9be0c97cc78f5487d4cf8959e98710ef3555

SHA256
16e75507f2a09165eff473783ff05edfb619b646dcd10e0dfb6ddae9aa8ece96

SHA512
fdd422a4a008889e1dbf51cde262650073c0fec896761fd6c621301a9f39d3a4c36e6ef13e9a276c623c14bc1e87161315de71042187beabb47c8a494f894160

Download Submit