gh0strat | 2aef53ef1584c24cb8a0c69b3560e9b59d0b45c0ed765dbd6636d0e2406bda76

General

Target

JaffaCakes118_40c28709e9f5e5a25099fb90627264c2.exe
Size

10.2MB
MD5

40c28709e9f5e5a25099fb90627264c2
SHA1

c86a3acb2a0549bef69230ffec447ed63ead98b0
SHA256

2aef53ef1584c24cb8a0c69b3560e9b59d0b45c0ed765dbd6636d0e2406bda76
SHA512

3157d73d0f1e83ac5e90a4a3f71185cb00d48607265229af9593bfa9234b2d8f3e0f663f32551f7165beb40275d6cd992fe981ce842662c43a55c3e41edf6e6d
SSDEEP

3072:5IXO6taGloVFwz8BD0cjRTyVwdUEoAZnC79NJ09sTpwj:5YlQwz8BDpWwO7A1C7rTuj

Score

10^/10

Malware Config

Signatures

Gh0st RAT payload 1 IoCs

resource	yara_rule
behavioral1/files/0x000700000001211a-2.dat	family_gh0strat

Gh0strat
Gh0st RAT is a remote access tool (RAT) with its source code public and it has been used by multiple Chinese groups.
rat gh0strat
Gh0strat family
gh0strat

Deletes itself 1 IoCs

pid	Process
2676	cmd.exe

Loads dropped DLL 1 IoCs

pid	Process
1224	RUNDLL32.exe

Drops file in Program Files directory 3 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\temp0\QQ.exe	JaffaCakes118_40c28709e9f5e5a25099fb90627264c2.exe
File created	\??\c:\Program Files\WINDOWSS.INI	JaffaCakes118_40c28709e9f5e5a25099fb90627264c2.exe
File created	C:\Program Files\temp0\QQ.exe	JaffaCakes118_40c28709e9f5e5a25099fb90627264c2.exe

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RUNDLL32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_40c28709e9f5e5a25099fb90627264c2.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe

Kills process with taskkill 1 IoCs

defense_evasion

pid	Process
3028	taskkill.exe

Suspicious behavior: EnumeratesProcesses 3 IoCs

pid	Process
2916	JaffaCakes118_40c28709e9f5e5a25099fb90627264c2.exe
2916	JaffaCakes118_40c28709e9f5e5a25099fb90627264c2.exe
2916	JaffaCakes118_40c28709e9f5e5a25099fb90627264c2.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	3028	taskkill.exe

Suspicious use of WriteProcessMemory 15 IoCs

description	pid	Process	procid_target
PID 2916 wrote to memory of 3028	2916	JaffaCakes118_40c28709e9f5e5a25099fb90627264c2.exe	28
PID 2916 wrote to memory of 3028	2916	JaffaCakes118_40c28709e9f5e5a25099fb90627264c2.exe	28
PID 2916 wrote to memory of 3028	2916	JaffaCakes118_40c28709e9f5e5a25099fb90627264c2.exe	28
PID 2916 wrote to memory of 3028	2916	JaffaCakes118_40c28709e9f5e5a25099fb90627264c2.exe	28
PID 2916 wrote to memory of 1224	2916	JaffaCakes118_40c28709e9f5e5a25099fb90627264c2.exe	30
PID 2916 wrote to memory of 1224	2916	JaffaCakes118_40c28709e9f5e5a25099fb90627264c2.exe	30
PID 2916 wrote to memory of 1224	2916	JaffaCakes118_40c28709e9f5e5a25099fb90627264c2.exe	30
PID 2916 wrote to memory of 1224	2916	JaffaCakes118_40c28709e9f5e5a25099fb90627264c2.exe	30
PID 2916 wrote to memory of 1224	2916	JaffaCakes118_40c28709e9f5e5a25099fb90627264c2.exe	30
PID 2916 wrote to memory of 1224	2916	JaffaCakes118_40c28709e9f5e5a25099fb90627264c2.exe	30
PID 2916 wrote to memory of 1224	2916	JaffaCakes118_40c28709e9f5e5a25099fb90627264c2.exe	30
PID 2916 wrote to memory of 2676	2916	JaffaCakes118_40c28709e9f5e5a25099fb90627264c2.exe	34
PID 2916 wrote to memory of 2676	2916	JaffaCakes118_40c28709e9f5e5a25099fb90627264c2.exe	34
PID 2916 wrote to memory of 2676	2916	JaffaCakes118_40c28709e9f5e5a25099fb90627264c2.exe	34
PID 2916 wrote to memory of 2676	2916	JaffaCakes118_40c28709e9f5e5a25099fb90627264c2.exe	34

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_40c28709e9f5e5a25099fb90627264c2.exe
"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_40c28709e9f5e5a25099fb90627264c2.exe"
1⤵
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2916
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /f /t /im KSafeTray.exe
  2⤵
  - System Location Discovery: System Language Discovery
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:3028
- C:\Windows\SysWOW64\RUNDLL32.exe
  RUNDLL32 "c:\Program Files\WINDOWSS.INI" main
  2⤵
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  PID:1224
- C:\Windows\SysWOW64\cmd.exe
  cmd /c afc9fe2f418b00a0.bat
  2⤵
  - Deletes itself
  - System Location Discovery: System Language Discovery
  PID:2676

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\afc9fe2f418b00a0.bat

Filesize
2KB

MD5
3918137a64d271fda4e2edb822191f00

SHA1
beb459099a5c88e2e320f536e9e7bcad75b6a978

SHA256
3e45e21d2bf39e475e811ba18dab5e88471dae954090b9da4d7b04bd6207561f

SHA512
0e13547be91fd4987d594160a7c8624bb6327cac29545d666e8a83251ffb84af34fa5e97ec28990565f53708ba3eaedf51cb460861ecda4a1394186d8f9a0f3f

Download Submit
\??\c:\Program Files\WINDOWSS.INI

Filesize
10.3MB

MD5
520ee88f7687c66ed2c251267537cbfc

SHA1
da6ffc8595cca94886a95b9286d544ae8d29f1c4

SHA256
09f917e05fa292273ade5d248c2344f75a2f8ea6a421cb6307e870d975399e76

SHA512
a0dd71d5a5a8b4a4e9ad2cfb5aa1f71475e88796af9f7401bc50dbe5109ec885d15bac03f27efc03682c48b14bd621d0ce8f49a1549f0dc241380596d9db9a38

Download Submit

Analysis

Sharing