gh0strat | 1424e28b0f59490d026088f3f96ba1c0380df75dafb31d15a5526b81c8aea26d

Analysis

max time kernel
82s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20250217-en
resource tags

arch:x64arch:x86image:win10v2004-20250217-enlocale:en-usos:windows10-2004-x64system
submitted
01/03/2025, 16:00

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

JaffaCakes118_39ffd3ffb23d9ea5ba54397a15865fdf.exe
Size

96KB
MD5

39ffd3ffb23d9ea5ba54397a15865fdf
SHA1

0be1916cf3438fac6c36101ce5e1016b647e3961
SHA256

1424e28b0f59490d026088f3f96ba1c0380df75dafb31d15a5526b81c8aea26d
SHA512

b09b61a8d4abd8a24896c1c1c7f9d3f7aeff1df84ab8f46d51cc9e76ef0b01bf31623a2094e1affd2b363868330e84b0d0ecd5a69295817e9afdb2e1d45728bd
SSDEEP

1536:0iFusSx9qYMhdFHS8qdydo3nTzhYxJA+CwNUtBZVY9v8prnKlekv4gdYu:0IS4jHS8q/3nTzePCwNUh4E9n1K4gdD

Score

10^/10

gh0strat discovery rat

Malware Config

Signatures

Gh0st RAT payload 5 IoCs

resource	yara_rule
behavioral2/files/0x000300000001e724-15.dat	family_gh0strat
behavioral2/memory/4188-17-0x0000000000400000-0x000000000044E35C-memory.dmp	family_gh0strat
behavioral2/memory/1536-20-0x0000000020000000-0x0000000020027000-memory.dmp	family_gh0strat
behavioral2/memory/3424-25-0x0000000020000000-0x0000000020027000-memory.dmp	family_gh0strat
behavioral2/memory/2964-30-0x0000000020000000-0x0000000020027000-memory.dmp	family_gh0strat

Gh0strat
Gh0st RAT is a remote access tool (RAT) with its source code public and it has been used by multiple Chinese groups.
rat gh0strat
Gh0strat family
gh0strat

Deletes itself 1 IoCs

pid	Process
4188	nogpflrwvu

Executes dropped EXE 1 IoCs

pid	Process
4188	nogpflrwvu

Loads dropped DLL 3 IoCs

pid	Process
1536	svchost.exe
3424	svchost.exe
2964	svchost.exe

Drops file in System32 directory 6 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\svchost.exe.txt	svchost.exe
File created	C:\Windows\SysWOW64\jvhmbcfmuw	svchost.exe
File opened for modification	C:\Windows\SysWOW64\svchost.exe.txt	svchost.exe
File created	C:\Windows\SysWOW64\jeugjfikhr	svchost.exe
File opened for modification	C:\Windows\SysWOW64\svchost.exe.txt	svchost.exe
File created	C:\Windows\SysWOW64\jnjyrikium	svchost.exe

Program crash 3 IoCs

pid	pid_target	Process	procid_target
2728	1536	WerFault.exe	94
2960	3424	WerFault.exe	99
1972	2964	WerFault.exe	103

System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_39ffd3ffb23d9ea5ba54397a15865fdf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	nogpflrwvu
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
4188	nogpflrwvu
4188	nogpflrwvu

Suspicious use of AdjustPrivilegeToken 46 IoCs

description	pid	Process
Token: SeRestorePrivilege	4188	nogpflrwvu
Token: SeBackupPrivilege	4188	nogpflrwvu
Token: SeBackupPrivilege	4188	nogpflrwvu
Token: SeRestorePrivilege	4188	nogpflrwvu
Token: SeBackupPrivilege	1536	svchost.exe
Token: SeRestorePrivilege	1536	svchost.exe
Token: SeBackupPrivilege	1536	svchost.exe
Token: SeBackupPrivilege	1536	svchost.exe
Token: SeSecurityPrivilege	1536	svchost.exe
Token: SeSecurityPrivilege	1536	svchost.exe
Token: SeBackupPrivilege	1536	svchost.exe
Token: SeBackupPrivilege	1536	svchost.exe
Token: SeSecurityPrivilege	1536	svchost.exe
Token: SeBackupPrivilege	1536	svchost.exe
Token: SeBackupPrivilege	1536	svchost.exe
Token: SeSecurityPrivilege	1536	svchost.exe
Token: SeBackupPrivilege	1536	svchost.exe
Token: SeRestorePrivilege	1536	svchost.exe
Token: SeBackupPrivilege	3424	svchost.exe
Token: SeRestorePrivilege	3424	svchost.exe
Token: SeBackupPrivilege	3424	svchost.exe
Token: SeBackupPrivilege	3424	svchost.exe
Token: SeSecurityPrivilege	3424	svchost.exe
Token: SeSecurityPrivilege	3424	svchost.exe
Token: SeBackupPrivilege	3424	svchost.exe
Token: SeBackupPrivilege	3424	svchost.exe
Token: SeSecurityPrivilege	3424	svchost.exe
Token: SeBackupPrivilege	3424	svchost.exe
Token: SeBackupPrivilege	3424	svchost.exe
Token: SeSecurityPrivilege	3424	svchost.exe
Token: SeBackupPrivilege	3424	svchost.exe
Token: SeRestorePrivilege	3424	svchost.exe
Token: SeBackupPrivilege	2964	svchost.exe
Token: SeRestorePrivilege	2964	svchost.exe
Token: SeBackupPrivilege	2964	svchost.exe
Token: SeBackupPrivilege	2964	svchost.exe
Token: SeSecurityPrivilege	2964	svchost.exe
Token: SeSecurityPrivilege	2964	svchost.exe
Token: SeBackupPrivilege	2964	svchost.exe
Token: SeBackupPrivilege	2964	svchost.exe
Token: SeSecurityPrivilege	2964	svchost.exe
Token: SeBackupPrivilege	2964	svchost.exe
Token: SeBackupPrivilege	2964	svchost.exe
Token: SeSecurityPrivilege	2964	svchost.exe
Token: SeBackupPrivilege	2964	svchost.exe
Token: SeRestorePrivilege	2964	svchost.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 4520 wrote to memory of 4188	4520	JaffaCakes118_39ffd3ffb23d9ea5ba54397a15865fdf.exe	89
PID 4520 wrote to memory of 4188	4520	JaffaCakes118_39ffd3ffb23d9ea5ba54397a15865fdf.exe	89
PID 4520 wrote to memory of 4188	4520	JaffaCakes118_39ffd3ffb23d9ea5ba54397a15865fdf.exe	89

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_39ffd3ffb23d9ea5ba54397a15865fdf.exe
"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_39ffd3ffb23d9ea5ba54397a15865fdf.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4520
- \??\c:\users\admin\appdata\local\nogpflrwvu
  "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_39ffd3ffb23d9ea5ba54397a15865fdf.exe" a -sc:\users\admin\appdata\local\temp\jaffacakes118_39ffd3ffb23d9ea5ba54397a15865fdf.exe
  2⤵
  - Deletes itself
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:4188

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k netsvcs -s fastuserswitchingcompatibility
1⤵
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
PID:1536
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 1536 -s 1092
  2⤵
  - Program crash
  PID:2728

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 440 -p 1536 -ip 1536
1⤵
PID:2688

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k netsvcs -s fastuserswitchingcompatibility
1⤵
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
PID:3424
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 3424 -s 1072
  2⤵
  - Program crash
  PID:2960

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 448 -p 3424 -ip 3424
1⤵
PID:4380

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k netsvcs -s fastuserswitchingcompatibility
1⤵
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
PID:2964
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 2964 -s 892
  2⤵
  - Program crash
  PID:1972

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 2964 -ip 2964
1⤵
PID:4712

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\nogpflrwvu

Filesize
19.5MB

MD5
5f4f5f7f838caba7c7d7f3c756f4e6f8

SHA1
1f64324f850e5e1c47d3c409852abc8cbe413b6f

SHA256
dc34aef2b7e6e03c6ec87e52dd8c7cf6d9a7591efe6b6ec457a955e3f0c97fd0

SHA512
e9f2c3c86beaf7ec4186014506d20a426b14926cddb1c63a0d94de62eeef5d18178ba8b3c8f2831eeeb16a43d8036f31510b7c9cee670fba77b3ebd8618f3455

Download Submit
C:\Windows\SysWOW64\svchost.exe.txt

Filesize
200B

MD5
78166761e2c48cdea9ae4fc217ef004b

SHA1
7f74f16d2f06f70e18f0157e8a87159603fdd3c1

SHA256
2dce3b29c1603c96a4dd438cfefaf37a294100de19fe5d3f45e6a6dce11a3890

SHA512
76219105484404c0c23b25f66bc036b0e42fc8616401a9d404439374f47549715477d21979283766f15986db2bace6627f6b732eb9889004ee7c637a36f05646

Download Submit
C:\Windows\SysWOW64\svchost.exe.txt

Filesize
300B

MD5
27406baf88bf670b342250af0e74bfad

SHA1
3c659a50d338eec540fd9789b2790c06b641cbcf

SHA256
39903fdaad989093171d411c977bf900661cbc02590575e8d836e91c4b656b10

SHA512
ad8dc30e0ec8518535d8a723d8033ae72fe8b40038f36b684df2d5ff81f887f25e71e5bdc03d6bf5b3351069a6541ce74551adeea0e5ad756b1047b5a0660c67

Download Submit
\??\c:\programdata\application data\storm\update\%sessionname%\uijgc.cc3

Filesize
21.1MB

MD5
b8bd4d08996738f64536c28bcd85c820

SHA1
b28addac8526d87301b27515bdd153772415c849

SHA256
545076cea96938f16c003bd72481bfc33b0d7b1e6ca101a34a361bf18a3fe791

SHA512
613cf2987a0f92ecfc173d3fe8cb715b92fee777f124f76e313dca6624860b9e4e31a6bf34c2883c79ad73fa2d69568be37e5b32d9407f963ca7b4091b9fb344

Download Submit
memory/1536-18-0x00000000015E0000-0x00000000015E1000-memory.dmp

Filesize
4KB

Download
memory/1536-20-0x0000000020000000-0x0000000020027000-memory.dmp

Filesize
156KB

Download
memory/2964-30-0x0000000020000000-0x0000000020027000-memory.dmp

Filesize
156KB

Download
memory/2964-27-0x0000000001C90000-0x0000000001C91000-memory.dmp

Filesize
4KB

Download
memory/3424-25-0x0000000020000000-0x0000000020027000-memory.dmp

Filesize
156KB

Download
memory/3424-22-0x0000000000CC0000-0x0000000000CC1000-memory.dmp

Filesize
4KB

Download
memory/4188-17-0x0000000000400000-0x000000000044E35C-memory.dmp

Filesize
312KB

Download
memory/4188-12-0x00000000001D0000-0x00000000001D1000-memory.dmp

Filesize
4KB

Download
memory/4188-11-0x0000000000400000-0x000000000044E35C-memory.dmp

Filesize
312KB

Download
memory/4520-10-0x0000000000400000-0x000000000044E35C-memory.dmp

Filesize
312KB

Download
memory/4520-0-0x0000000000400000-0x000000000044E35C-memory.dmp

Filesize
312KB

Download
memory/4520-2-0x00000000001D0000-0x00000000001D1000-memory.dmp

Filesize
4KB

Download