gh0strat | 34ee1fc5ba2591e0b922681c4db53c2e8053e017286ec84ec804ca8b6678e67a

General

Target

JaffaCakes118_3e40b5cc39a894dfa26dd093832d6ba1.exe
Size

148KB
MD5

3e40b5cc39a894dfa26dd093832d6ba1
SHA1

f5a646111337daa205b666167c4a45d1a0bf4c7d
SHA256

34ee1fc5ba2591e0b922681c4db53c2e8053e017286ec84ec804ca8b6678e67a
SHA512

1b2c2216dc43301a25d4815f1b09da1a0a1d317b1c5174dc09c907a1a460d2de2e49ac66cbd2d2f6fab0165a028b4143d6101bdff2260ce7e40998f1620bf26f
SSDEEP

3072:Y+mZTnv7VcsHTZUCieA/HG3/sw+H/lyII0lkvv:tYTnp9U3eim3j+4II0ls

Score

10^/10

Malware Config

Signatures

Gh0st RAT payload 1 IoCs

resource	yara_rule
behavioral1/memory/2068-0-0x0000000000400000-0x0000000000426000-memory.dmp	family_gh0strat

Gh0strat
Gh0st RAT is a remote access tool (RAT) with its source code public and it has been used by multiple Chinese groups.
rat gh0strat
Gh0strat family
gh0strat

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\:\Program Files\Common Files\svchost.exe 20253254551.exe = "C:\\Program Files\\Common Files\\svchost.exe 20253254551.exe"	JaffaCakes118_3e40b5cc39a894dfa26dd093832d6ba1.exe

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe 20253254551.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_3e40b5cc39a894dfa26dd093832d6ba1.exe

Kills process with taskkill 2 IoCs

defense_evasion

pid	Process
2340	taskkill.exe
2972	taskkill.exe

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
2068	JaffaCakes118_3e40b5cc39a894dfa26dd093832d6ba1.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	2340	taskkill.exe
Token: SeDebugPrivilege	2972	taskkill.exe

Suspicious use of WriteProcessMemory 21 IoCs

description	pid	Process	procid_target
PID 2068 wrote to memory of 2340	2068	JaffaCakes118_3e40b5cc39a894dfa26dd093832d6ba1.exe	31
PID 2068 wrote to memory of 2340	2068	JaffaCakes118_3e40b5cc39a894dfa26dd093832d6ba1.exe	31
PID 2068 wrote to memory of 2340	2068	JaffaCakes118_3e40b5cc39a894dfa26dd093832d6ba1.exe	31
PID 2068 wrote to memory of 2340	2068	JaffaCakes118_3e40b5cc39a894dfa26dd093832d6ba1.exe	31
PID 2068 wrote to memory of 2340	2068	JaffaCakes118_3e40b5cc39a894dfa26dd093832d6ba1.exe	31
PID 2068 wrote to memory of 2340	2068	JaffaCakes118_3e40b5cc39a894dfa26dd093832d6ba1.exe	31
PID 2068 wrote to memory of 2340	2068	JaffaCakes118_3e40b5cc39a894dfa26dd093832d6ba1.exe	31
PID 2068 wrote to memory of 2512	2068	JaffaCakes118_3e40b5cc39a894dfa26dd093832d6ba1.exe	32
PID 2068 wrote to memory of 2512	2068	JaffaCakes118_3e40b5cc39a894dfa26dd093832d6ba1.exe	32
PID 2068 wrote to memory of 2512	2068	JaffaCakes118_3e40b5cc39a894dfa26dd093832d6ba1.exe	32
PID 2068 wrote to memory of 2512	2068	JaffaCakes118_3e40b5cc39a894dfa26dd093832d6ba1.exe	32
PID 2068 wrote to memory of 2512	2068	JaffaCakes118_3e40b5cc39a894dfa26dd093832d6ba1.exe	32
PID 2068 wrote to memory of 2512	2068	JaffaCakes118_3e40b5cc39a894dfa26dd093832d6ba1.exe	32
PID 2068 wrote to memory of 2512	2068	JaffaCakes118_3e40b5cc39a894dfa26dd093832d6ba1.exe	32
PID 2512 wrote to memory of 2972	2512	svchost.exe 20253254551.exe	34
PID 2512 wrote to memory of 2972	2512	svchost.exe 20253254551.exe	34
PID 2512 wrote to memory of 2972	2512	svchost.exe 20253254551.exe	34
PID 2512 wrote to memory of 2972	2512	svchost.exe 20253254551.exe	34
PID 2512 wrote to memory of 2972	2512	svchost.exe 20253254551.exe	34
PID 2512 wrote to memory of 2972	2512	svchost.exe 20253254551.exe	34
PID 2512 wrote to memory of 2972	2512	svchost.exe 20253254551.exe	34

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_3e40b5cc39a894dfa26dd093832d6ba1.exe
"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_3e40b5cc39a894dfa26dd093832d6ba1.exe"
1⤵
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious behavior: RenamesItself
- Suspicious use of WriteProcessMemory
PID:2068
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /f /im Ksafetray.exe
  2⤵
  - System Location Discovery: System Language Discovery
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:2340
- C:\Program Files\Common Files\svchost.exe 20253254551.exe
  "C:\Program Files\Common Files\svchost.exe 20253254551.exe"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2512
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im Ksafetray.exe
    3⤵
    - System Location Discovery: System Language Discovery
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:2972