gh0strat | 81cafb0fcc0e8bae3d5255f48c5083b1f0914a34a2ddad6e588e15ec8bdd3f68

Analysis

max time kernel
146s
max time network
139s
platform
windows7_x64
resource
win7-20241010-en
resource tags

arch:x64arch:x86image:win7-20241010-enlocale:en-usos:windows7-x64system
submitted
01/03/2025, 17:21

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

JaffaCakes118_3a688e5259d4ccd6a68204961dbe340e.exe
Size

265KB
MD5

3a688e5259d4ccd6a68204961dbe340e
SHA1

0ed852bedfc074da675672cb499c728a6300f979
SHA256

81cafb0fcc0e8bae3d5255f48c5083b1f0914a34a2ddad6e588e15ec8bdd3f68
SHA512

f1aab2473b304053e137080b96a7d068bdecf36d4615636c9cf845a64f312ad6733217d1c11838dd578f5118a934432f37b91614f9be6c0edc4e33057df32baf
SSDEEP

6144:xHAge/rGpjZL02vIM4IHaQlJLsHaKMsHleE8wUVLEdqdBTLG:xHAge/SZOA9DrDQHZHCwauqd1G

Score

10^/10

gh0strat bootkit defense_evasion discovery persistence rat

Malware Config

Signatures

Gh0st RAT payload 5 IoCs

resource	yara_rule
behavioral1/memory/1664-13-0x0000000000400000-0x000000000047B000-memory.dmp	family_gh0strat
behavioral1/files/0x0009000000016d0c-25.dat	family_gh0strat
behavioral1/memory/2752-28-0x0000000020000000-0x0000000020027000-memory.dmp	family_gh0strat
behavioral1/memory/1664-48-0x0000000000400000-0x000000000047B000-memory.dmp	family_gh0strat
behavioral1/memory/2752-55-0x0000000020000000-0x0000000020027000-memory.dmp	family_gh0strat

Gh0strat
Gh0st RAT is a remote access tool (RAT) with its source code public and it has been used by multiple Chinese groups.
rat gh0strat
Gh0strat family
gh0strat

Deletes itself 1 IoCs

pid	Process
1056	cmd.exe

Executes dropped EXE 2 IoCs

pid	Process
2752	ehnxhgqtmjxwusvl.exe
2732	hnxhgqtmjxwusvlf.exe

Loads dropped DLL 8 IoCs

pid	Process
1664	JaffaCakes118_3a688e5259d4ccd6a68204961dbe340e.exe
1664	JaffaCakes118_3a688e5259d4ccd6a68204961dbe340e.exe
2752	ehnxhgqtmjxwusvl.exe
2752	ehnxhgqtmjxwusvl.exe
2752	ehnxhgqtmjxwusvl.exe
2752	ehnxhgqtmjxwusvl.exe
1664	JaffaCakes118_3a688e5259d4ccd6a68204961dbe340e.exe
1664	JaffaCakes118_3a688e5259d4ccd6a68204961dbe340e.exe

Indicator Removal: File Deletion 1 TTPs
Adversaries may delete files left behind by the actions of their intrusion activity.
defense_evasion

File Deletion
T1070.004

Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs

Bootkits write to the MBR to gain persistence at a level below the operating system.

bootkit persistence

Bootkit

T1542.003

description	ioc	Process
File opened for modification	\??\PhysicalDrive0	ehnxhgqtmjxwusvl.exe

Drops file in Program Files directory 6 IoCs

description	ioc	Process
File created	C:\Program Files\Common Files\loveuu.bat	JaffaCakes118_3a688e5259d4ccd6a68204961dbe340e.exe
File created	C:\Program Files\cn\ehnxhgqtmjxwusvl.dll	JaffaCakes118_3a688e5259d4ccd6a68204961dbe340e.exe
File opened for modification	C:\Program Files\Common Files\qiuqiu.cpp	JaffaCakes118_3a688e5259d4ccd6a68204961dbe340e.exe
File created	C:\Program Files\Common Files\qiuqiu.cpp	JaffaCakes118_3a688e5259d4ccd6a68204961dbe340e.exe
File created	C:\Program Files\cn\hnxhgqtmjxwusvlf.exe	JaffaCakes118_3a688e5259d4ccd6a68204961dbe340e.exe
File created	C:\Program Files\cn\ehnxhgqtmjxwusvl.exe	JaffaCakes118_3a688e5259d4ccd6a68204961dbe340e.exe

Launches sc.exe 2 IoCs

Sc.exe is a Windows utlilty to control services on the system.

pid	Process
2808	sc.exe
2616	sc.exe

System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	sc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_3a688e5259d4ccd6a68204961dbe340e.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ehnxhgqtmjxwusvl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	sc.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	ehnxhgqtmjxwusvl.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	ehnxhgqtmjxwusvl.exe

Suspicious behavior: EnumeratesProcesses 3 IoCs

pid	Process
2752	ehnxhgqtmjxwusvl.exe
2752	ehnxhgqtmjxwusvl.exe
2752	ehnxhgqtmjxwusvl.exe

Suspicious use of WriteProcessMemory 35 IoCs

description	pid	Process	procid_target
PID 1664 wrote to memory of 2752	1664	JaffaCakes118_3a688e5259d4ccd6a68204961dbe340e.exe	30
PID 1664 wrote to memory of 2752	1664	JaffaCakes118_3a688e5259d4ccd6a68204961dbe340e.exe	30
PID 1664 wrote to memory of 2752	1664	JaffaCakes118_3a688e5259d4ccd6a68204961dbe340e.exe	30
PID 1664 wrote to memory of 2752	1664	JaffaCakes118_3a688e5259d4ccd6a68204961dbe340e.exe	30
PID 1664 wrote to memory of 2752	1664	JaffaCakes118_3a688e5259d4ccd6a68204961dbe340e.exe	30
PID 1664 wrote to memory of 2752	1664	JaffaCakes118_3a688e5259d4ccd6a68204961dbe340e.exe	30
PID 1664 wrote to memory of 2752	1664	JaffaCakes118_3a688e5259d4ccd6a68204961dbe340e.exe	30
PID 1664 wrote to memory of 2808	1664	JaffaCakes118_3a688e5259d4ccd6a68204961dbe340e.exe	31
PID 1664 wrote to memory of 2808	1664	JaffaCakes118_3a688e5259d4ccd6a68204961dbe340e.exe	31
PID 1664 wrote to memory of 2808	1664	JaffaCakes118_3a688e5259d4ccd6a68204961dbe340e.exe	31
PID 1664 wrote to memory of 2808	1664	JaffaCakes118_3a688e5259d4ccd6a68204961dbe340e.exe	31
PID 1664 wrote to memory of 2808	1664	JaffaCakes118_3a688e5259d4ccd6a68204961dbe340e.exe	31
PID 1664 wrote to memory of 2808	1664	JaffaCakes118_3a688e5259d4ccd6a68204961dbe340e.exe	31
PID 1664 wrote to memory of 2808	1664	JaffaCakes118_3a688e5259d4ccd6a68204961dbe340e.exe	31
PID 1664 wrote to memory of 2616	1664	JaffaCakes118_3a688e5259d4ccd6a68204961dbe340e.exe	32
PID 1664 wrote to memory of 2616	1664	JaffaCakes118_3a688e5259d4ccd6a68204961dbe340e.exe	32
PID 1664 wrote to memory of 2616	1664	JaffaCakes118_3a688e5259d4ccd6a68204961dbe340e.exe	32
PID 1664 wrote to memory of 2616	1664	JaffaCakes118_3a688e5259d4ccd6a68204961dbe340e.exe	32
PID 1664 wrote to memory of 2616	1664	JaffaCakes118_3a688e5259d4ccd6a68204961dbe340e.exe	32
PID 1664 wrote to memory of 2616	1664	JaffaCakes118_3a688e5259d4ccd6a68204961dbe340e.exe	32
PID 1664 wrote to memory of 2616	1664	JaffaCakes118_3a688e5259d4ccd6a68204961dbe340e.exe	32
PID 1664 wrote to memory of 2732	1664	JaffaCakes118_3a688e5259d4ccd6a68204961dbe340e.exe	35
PID 1664 wrote to memory of 2732	1664	JaffaCakes118_3a688e5259d4ccd6a68204961dbe340e.exe	35
PID 1664 wrote to memory of 2732	1664	JaffaCakes118_3a688e5259d4ccd6a68204961dbe340e.exe	35
PID 1664 wrote to memory of 2732	1664	JaffaCakes118_3a688e5259d4ccd6a68204961dbe340e.exe	35
PID 1664 wrote to memory of 2732	1664	JaffaCakes118_3a688e5259d4ccd6a68204961dbe340e.exe	35
PID 1664 wrote to memory of 2732	1664	JaffaCakes118_3a688e5259d4ccd6a68204961dbe340e.exe	35
PID 1664 wrote to memory of 2732	1664	JaffaCakes118_3a688e5259d4ccd6a68204961dbe340e.exe	35
PID 1664 wrote to memory of 1056	1664	JaffaCakes118_3a688e5259d4ccd6a68204961dbe340e.exe	36
PID 1664 wrote to memory of 1056	1664	JaffaCakes118_3a688e5259d4ccd6a68204961dbe340e.exe	36
PID 1664 wrote to memory of 1056	1664	JaffaCakes118_3a688e5259d4ccd6a68204961dbe340e.exe	36
PID 1664 wrote to memory of 1056	1664	JaffaCakes118_3a688e5259d4ccd6a68204961dbe340e.exe	36
PID 1664 wrote to memory of 1056	1664	JaffaCakes118_3a688e5259d4ccd6a68204961dbe340e.exe	36
PID 1664 wrote to memory of 1056	1664	JaffaCakes118_3a688e5259d4ccd6a68204961dbe340e.exe	36
PID 1664 wrote to memory of 1056	1664	JaffaCakes118_3a688e5259d4ccd6a68204961dbe340e.exe	36

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_3a688e5259d4ccd6a68204961dbe340e.exe
"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_3a688e5259d4ccd6a68204961dbe340e.exe"
1⤵
- Loads dropped DLL
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1664
- C:\Program Files\cn\ehnxhgqtmjxwusvl.exe
  "C:\Program Files\cn\ehnxhgqtmjxwusvl.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Writes to the Master Boot Record (MBR)
  - System Location Discovery: System Language Discovery
  - Checks processor information in registry
  - Suspicious behavior: EnumeratesProcesses
  PID:2752
- C:\Windows\SysWOW64\sc.exe
  sc config RasAuto start= auto
  2⤵
  - Launches sc.exe
  - System Location Discovery: System Language Discovery
  PID:2808
- C:\Windows\SysWOW64\sc.exe
  sc config RasAuto start= auto
  2⤵
  - Launches sc.exe
  - System Location Discovery: System Language Discovery
  PID:2616
- C:\Program Files\cn\hnxhgqtmjxwusvlf.exe
  "C:\Program Files\cn\hnxhgqtmjxwusvlf.exe"
  2⤵
  - Executes dropped EXE
  PID:2732
- C:\Windows\SysWOW64\cmd.exe
  cmd /c del C:\Users\Admin\AppData\Local\Temp\JAFFAC~1.EXE
  2⤵
  - Deletes itself
  - System Location Discovery: System Language Discovery
  PID:1056

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Pre-OS Boot

T1542

Bootkit

T1542.003

Privilege Escalation

Defense Evasion

Indicator Removal

T1070

File Deletion

T1070.004

Pre-OS Boot

T1542

Bootkit

T1542.003

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\cn\ehnxhgqtmjxwusvl.dll

Filesize
25.9MB

MD5
2e75bc5ed6478be79b26142e50b36b8a

SHA1
c87a856941beadd10a02811c76f05e073e249b3a

SHA256
c24d06e6811f1b62eedffb0e78c43b0e1aca7ce1e1a8ee568ed6b550e844b945

SHA512
c24c7ccdd1ec26b65d7c487abc71d8a673df4b07ac85ee600ba8e5bde951508837bb65008b4fb373c9b991330a9e676bd75c48af31a534243effa37757db8a55

Download Submit
\Program Files\cn\ehnxhgqtmjxwusvl.exe

Filesize
8.9MB

MD5
1c60a70f59f60fee7a5be4b081c359d4

SHA1
2c0e9f1edf5d239b69114d6c2d684dd0ad35125a

SHA256
50776c1c8be13d28d8a418ecf8f1473e96ad1df225d53198584a5f5c3c462462

SHA512
734f32e230a7d3b757775e09729bc9b071a02a94584dd39d8589b797968b5837e41ab68a835c204c5f68112a5bc8bbc33bc4e582cb8a73b8fe34b16c91bc1bec

Download Submit
\Program Files\cn\hnxhgqtmjxwusvlf.exe

Filesize
8.9MB

MD5
2f44ee8ce990ce4c596111af774a04ad

SHA1
82e670b9b242be3f60f9f594eabf58b5e7873b79

SHA256
61edd07d928cd5f8e2f8a711414dea0e876fa486887d7c66550cea4eb8455540

SHA512
b769e29492488ac811b23e7b4d7953064a42e9c91eec5fa44bd34a71dd139451ae82dc1b97245b45555532d78f62a2ffda079df25979e7d868dffb3188a1273e

Download Submit
memory/1664-5-0x0000000000290000-0x0000000000291000-memory.dmp

Filesize
4KB

Download
memory/1664-43-0x0000000000320000-0x0000000000324000-memory.dmp

Filesize
16KB

Download
memory/1664-0-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/1664-4-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/1664-3-0x0000000000250000-0x000000000028E000-memory.dmp

Filesize
248KB

Download
memory/1664-13-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/1664-6-0x00000000002A0000-0x00000000002A2000-memory.dmp

Filesize
8KB

Download
memory/1664-2-0x0000000000250000-0x000000000028E000-memory.dmp

Filesize
248KB

Download
memory/1664-26-0x0000000000250000-0x000000000028E000-memory.dmp

Filesize
248KB

Download
memory/1664-48-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/1664-49-0x0000000000240000-0x000000000024D000-memory.dmp

Filesize
52KB

Download
memory/1664-1-0x0000000000240000-0x00000000002BB000-memory.dmp

Filesize
492KB

Download
memory/1664-46-0x0000000000250000-0x000000000028E000-memory.dmp

Filesize
248KB

Download
memory/1664-7-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/1664-36-0x0000000000320000-0x0000000000324000-memory.dmp

Filesize
16KB

Download
memory/2732-45-0x0000000000400000-0x00000000004030CC-memory.dmp

Filesize
12KB

Download
memory/2732-44-0x0000000000400000-0x00000000004030CC-memory.dmp

Filesize
12KB

Download
memory/2752-30-0x0000000000400000-0x000000000040B000-memory.dmp

Filesize
44KB

Download
memory/2752-28-0x0000000020000000-0x0000000020027000-memory.dmp

Filesize
156KB

Download
memory/2752-55-0x0000000020000000-0x0000000020027000-memory.dmp

Filesize
156KB

Download