gh0strat | 13d60c5a7f887b4f396e8f09d3996269df31bcbb5a3a55b6676300c201dd13e1

Analysis

max time kernel
14s
max time network
18s
platform
windows7_x64
resource
win7-20241010-en
resource tags

arch:x64arch:x86image:win7-20241010-enlocale:en-usos:windows7-x64system
submitted
02/03/2025, 16:18

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

JaffaCakes118_413262439cdfce370229e220fe20c5f1.exe
Size

132KB
MD5

413262439cdfce370229e220fe20c5f1
SHA1

a5914f7d0ea5028d5a6397e3fc7f74dfc3f8c05a
SHA256

13d60c5a7f887b4f396e8f09d3996269df31bcbb5a3a55b6676300c201dd13e1
SHA512

43c8cf7560e34ee89413c90b459dff4602fc31402098d46f86e0a92e24c4d6f1924c7e660094b7df47243d94b9f58a70803ce20e9f52b51591a98d8536b03184
SSDEEP

3072:bQKLIfYGormc//////bv8tOZ7xJL3bxywDPSjv7AOZeJot42Hcf0:bQ+MZoCc//////bv8tOZ7xVtywDqjzAT

Score

10^/10

gh0strat defense_evasion discovery rat

Malware Config

Signatures

Gh0st RAT payload 4 IoCs

resource	yara_rule
behavioral1/files/0x000c000000012262-1.dat	family_gh0strat
behavioral1/memory/576-2-0x0000000000260000-0x000000000027E000-memory.dmp	family_gh0strat
behavioral1/memory/1016-12-0x0000000000400000-0x000000000041D700-memory.dmp	family_gh0strat
behavioral1/memory/1016-11-0x0000000000405000-0x000000000041E000-memory.dmp	family_gh0strat

Gh0strat
Gh0st RAT is a remote access tool (RAT) with its source code public and it has been used by multiple Chinese groups.
rat gh0strat
Gh0strat family
gh0strat

Deletes itself 1 IoCs

pid	Process
3052	cmd.exe

Executes dropped EXE 1 IoCs

pid	Process
1016	wmnet.exe

Loads dropped DLL 6 IoCs

pid	Process
576	JaffaCakes118_413262439cdfce370229e220fe20c5f1.exe
576	JaffaCakes118_413262439cdfce370229e220fe20c5f1.exe
2928	WerFault.exe
2928	WerFault.exe
2928	WerFault.exe
2928	WerFault.exe

Indicator Removal: File Deletion 1 TTPs
Adversaries may delete files left behind by the actions of their intrusion activity.
defense_evasion

File Deletion
T1070.004

Drops file in Program Files directory 1 IoCs

description	ioc	Process
File created	C:\Progra~1\Realtek\ADPPath\RTHDCPL.exe	JaffaCakes118_413262439cdfce370229e220fe20c5f1.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
2928	1016	WerFault.exe	48

System Location Discovery: System Language Discovery 1 TTPs 15 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_413262439cdfce370229e220fe20c5f1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wmnet.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net1.exe

Runs net.exe

Suspicious behavior: EnumeratesProcesses 11 IoCs

pid	Process
576	JaffaCakes118_413262439cdfce370229e220fe20c5f1.exe
576	JaffaCakes118_413262439cdfce370229e220fe20c5f1.exe
576	JaffaCakes118_413262439cdfce370229e220fe20c5f1.exe
576	JaffaCakes118_413262439cdfce370229e220fe20c5f1.exe
576	JaffaCakes118_413262439cdfce370229e220fe20c5f1.exe
576	JaffaCakes118_413262439cdfce370229e220fe20c5f1.exe
576	JaffaCakes118_413262439cdfce370229e220fe20c5f1.exe
576	JaffaCakes118_413262439cdfce370229e220fe20c5f1.exe
576	JaffaCakes118_413262439cdfce370229e220fe20c5f1.exe
576	JaffaCakes118_413262439cdfce370229e220fe20c5f1.exe
576	JaffaCakes118_413262439cdfce370229e220fe20c5f1.exe

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
576	JaffaCakes118_413262439cdfce370229e220fe20c5f1.exe

Suspicious use of AdjustPrivilegeToken 9 IoCs

description	pid	Process
Token: SeDebugPrivilege	576	JaffaCakes118_413262439cdfce370229e220fe20c5f1.exe
Token: SeDebugPrivilege	576	JaffaCakes118_413262439cdfce370229e220fe20c5f1.exe
Token: SeDebugPrivilege	576	JaffaCakes118_413262439cdfce370229e220fe20c5f1.exe
Token: SeDebugPrivilege	576	JaffaCakes118_413262439cdfce370229e220fe20c5f1.exe
Token: SeDebugPrivilege	576	JaffaCakes118_413262439cdfce370229e220fe20c5f1.exe
Token: SeDebugPrivilege	576	JaffaCakes118_413262439cdfce370229e220fe20c5f1.exe
Token: SeDebugPrivilege	576	JaffaCakes118_413262439cdfce370229e220fe20c5f1.exe
Token: SeDebugPrivilege	576	JaffaCakes118_413262439cdfce370229e220fe20c5f1.exe
Token: SeDebugPrivilege	576	JaffaCakes118_413262439cdfce370229e220fe20c5f1.exe

Suspicious use of WriteProcessMemory 60 IoCs

description	pid	Process	procid_target
PID 576 wrote to memory of 1684	576	JaffaCakes118_413262439cdfce370229e220fe20c5f1.exe	30
PID 576 wrote to memory of 1684	576	JaffaCakes118_413262439cdfce370229e220fe20c5f1.exe	30
PID 576 wrote to memory of 1684	576	JaffaCakes118_413262439cdfce370229e220fe20c5f1.exe	30
PID 576 wrote to memory of 1684	576	JaffaCakes118_413262439cdfce370229e220fe20c5f1.exe	30
PID 576 wrote to memory of 2988	576	JaffaCakes118_413262439cdfce370229e220fe20c5f1.exe	31
PID 576 wrote to memory of 2988	576	JaffaCakes118_413262439cdfce370229e220fe20c5f1.exe	31
PID 576 wrote to memory of 2988	576	JaffaCakes118_413262439cdfce370229e220fe20c5f1.exe	31
PID 576 wrote to memory of 2988	576	JaffaCakes118_413262439cdfce370229e220fe20c5f1.exe	31
PID 576 wrote to memory of 2348	576	JaffaCakes118_413262439cdfce370229e220fe20c5f1.exe	32
PID 576 wrote to memory of 2348	576	JaffaCakes118_413262439cdfce370229e220fe20c5f1.exe	32
PID 576 wrote to memory of 2348	576	JaffaCakes118_413262439cdfce370229e220fe20c5f1.exe	32
PID 576 wrote to memory of 2348	576	JaffaCakes118_413262439cdfce370229e220fe20c5f1.exe	32
PID 576 wrote to memory of 2460	576	JaffaCakes118_413262439cdfce370229e220fe20c5f1.exe	36
PID 576 wrote to memory of 2460	576	JaffaCakes118_413262439cdfce370229e220fe20c5f1.exe	36
PID 576 wrote to memory of 2460	576	JaffaCakes118_413262439cdfce370229e220fe20c5f1.exe	36
PID 576 wrote to memory of 2460	576	JaffaCakes118_413262439cdfce370229e220fe20c5f1.exe	36
PID 576 wrote to memory of 2276	576	JaffaCakes118_413262439cdfce370229e220fe20c5f1.exe	37
PID 576 wrote to memory of 2276	576	JaffaCakes118_413262439cdfce370229e220fe20c5f1.exe	37
PID 576 wrote to memory of 2276	576	JaffaCakes118_413262439cdfce370229e220fe20c5f1.exe	37
PID 576 wrote to memory of 2276	576	JaffaCakes118_413262439cdfce370229e220fe20c5f1.exe	37
PID 576 wrote to memory of 2868	576	JaffaCakes118_413262439cdfce370229e220fe20c5f1.exe	38
PID 576 wrote to memory of 2868	576	JaffaCakes118_413262439cdfce370229e220fe20c5f1.exe	38
PID 576 wrote to memory of 2868	576	JaffaCakes118_413262439cdfce370229e220fe20c5f1.exe	38
PID 576 wrote to memory of 2868	576	JaffaCakes118_413262439cdfce370229e220fe20c5f1.exe	38
PID 2460 wrote to memory of 2940	2460	net.exe	43
PID 2460 wrote to memory of 2940	2460	net.exe	43
PID 2460 wrote to memory of 2940	2460	net.exe	43
PID 2460 wrote to memory of 2940	2460	net.exe	43
PID 2988 wrote to memory of 2160	2988	net.exe	45
PID 2988 wrote to memory of 2160	2988	net.exe	45
PID 2988 wrote to memory of 2160	2988	net.exe	45
PID 2988 wrote to memory of 2160	2988	net.exe	45
PID 1684 wrote to memory of 2872	1684	net.exe	44
PID 1684 wrote to memory of 2872	1684	net.exe	44
PID 1684 wrote to memory of 2872	1684	net.exe	44
PID 1684 wrote to memory of 2872	1684	net.exe	44
PID 2348 wrote to memory of 2328	2348	net.exe	42
PID 2348 wrote to memory of 2328	2348	net.exe	42
PID 2348 wrote to memory of 2328	2348	net.exe	42
PID 2348 wrote to memory of 2328	2348	net.exe	42
PID 2276 wrote to memory of 1468	2276	net.exe	46
PID 2276 wrote to memory of 1468	2276	net.exe	46
PID 2276 wrote to memory of 1468	2276	net.exe	46
PID 2276 wrote to memory of 1468	2276	net.exe	46
PID 2868 wrote to memory of 2944	2868	net.exe	47
PID 2868 wrote to memory of 2944	2868	net.exe	47
PID 2868 wrote to memory of 2944	2868	net.exe	47
PID 2868 wrote to memory of 2944	2868	net.exe	47
PID 576 wrote to memory of 1016	576	JaffaCakes118_413262439cdfce370229e220fe20c5f1.exe	48
PID 576 wrote to memory of 1016	576	JaffaCakes118_413262439cdfce370229e220fe20c5f1.exe	48
PID 576 wrote to memory of 1016	576	JaffaCakes118_413262439cdfce370229e220fe20c5f1.exe	48
PID 576 wrote to memory of 1016	576	JaffaCakes118_413262439cdfce370229e220fe20c5f1.exe	48
PID 1016 wrote to memory of 2928	1016	wmnet.exe	49
PID 1016 wrote to memory of 2928	1016	wmnet.exe	49
PID 1016 wrote to memory of 2928	1016	wmnet.exe	49
PID 1016 wrote to memory of 2928	1016	wmnet.exe	49
PID 576 wrote to memory of 3052	576	JaffaCakes118_413262439cdfce370229e220fe20c5f1.exe	50
PID 576 wrote to memory of 3052	576	JaffaCakes118_413262439cdfce370229e220fe20c5f1.exe	50
PID 576 wrote to memory of 3052	576	JaffaCakes118_413262439cdfce370229e220fe20c5f1.exe	50
PID 576 wrote to memory of 3052	576	JaffaCakes118_413262439cdfce370229e220fe20c5f1.exe	50

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_413262439cdfce370229e220fe20c5f1.exe
"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_413262439cdfce370229e220fe20c5f1.exe"
1⤵
- Loads dropped DLL
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: RenamesItself
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:576
- C:\Windows\SysWOW64\net.exe
  net stop "Security Center"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:1684
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "Security Center"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2872
- C:\Windows\SysWOW64\net.exe
  net stop "Windows Firewall/Internet Connection Sharing (ICS)"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2988
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "Windows Firewall/Internet Connection Sharing (ICS)"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2160
- C:\Windows\SysWOW64\net.exe
  net stop System Restore Service
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2348
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop System Restore Service
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2328
- C:\Windows\SysWOW64\net.exe
  net stop "Security Center"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2460
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "Security Center"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2940
- C:\Windows\SysWOW64\net.exe
  net stop "Windows Firewall/Internet Connection Sharing (ICS)"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2276
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "Windows Firewall/Internet Connection Sharing (ICS)"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1468
- C:\Windows\SysWOW64\net.exe
  net stop System Restore Service
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2868
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop System Restore Service
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2944
- C:\Users\Admin\AppData\Local\Temp\wmnet.exe
  C:\Users\Admin\AppData\Local\Temp\wmnet.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:1016
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 1016 -s 36
    3⤵
    - Loads dropped DLL
    - Program crash
    PID:2928
- C:\Windows\SysWOW64\cmd.exe
  cmd /c del C:\avp.exe
  2⤵
  - Deletes itself
  - System Location Discovery: System Language Discovery
  PID:3052

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Indicator Removal

T1070

File Deletion

T1070.004

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\Users\Admin\AppData\Local\Temp\wmnet.exe

Filesize
118KB

MD5
5e5835fce2d4b3b7416e14676ca9b935

SHA1
4c5f73f2224ce3b5c0b911b8b44b5ea5c0d56c4a

SHA256
41ad987bf41fcc9b6376f48ea77496e6f176a14b952974e018447ea00c00ec0d

SHA512
633d857ce647c2160c680b276bac6ad522270de654aded893510402d0c25fba97aa9cc702aff68fb6bd3554ed3e8e70c94cfa4474030c0004aa744d1db0c4e14

Download Submit
memory/576-2-0x0000000000260000-0x000000000027E000-memory.dmp

Filesize
120KB

Download
memory/576-8-0x0000000000260000-0x000000000027E000-memory.dmp

Filesize
120KB

Download
memory/576-17-0x0000000000260000-0x000000000027E000-memory.dmp

Filesize
120KB

Download
memory/576-18-0x000000000F000000-0x000000000F029000-memory.dmp

Filesize
164KB

Download
memory/576-19-0x000000000F000000-0x000000000F029000-memory.dmp

Filesize
164KB

Download
memory/1016-12-0x0000000000400000-0x000000000041D700-memory.dmp

Filesize
117KB

Download
memory/1016-11-0x0000000000405000-0x000000000041E000-memory.dmp

Filesize
100KB

Download