gh0strat | 13d60c5a7f887b4f396e8f09d3996269df31bcbb5a3a55b6676300c201dd13e1

Analysis

max time kernel
119s
max time network
141s
platform
windows10-2004_x64
resource
win10v2004-20250217-en
resource tags

arch:x64arch:x86image:win10v2004-20250217-enlocale:en-usos:windows10-2004-x64system
submitted
02/03/2025, 16:18

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

JaffaCakes118_413262439cdfce370229e220fe20c5f1.exe
Size

132KB
MD5

413262439cdfce370229e220fe20c5f1
SHA1

a5914f7d0ea5028d5a6397e3fc7f74dfc3f8c05a
SHA256

13d60c5a7f887b4f396e8f09d3996269df31bcbb5a3a55b6676300c201dd13e1
SHA512

43c8cf7560e34ee89413c90b459dff4602fc31402098d46f86e0a92e24c4d6f1924c7e660094b7df47243d94b9f58a70803ce20e9f52b51591a98d8536b03184
SSDEEP

3072:bQKLIfYGormc//////bv8tOZ7xJL3bxywDPSjv7AOZeJot42Hcf0:bQ+MZoCc//////bv8tOZ7xVtywDqjzAT

Score

10^/10

gh0strat defense_evasion discovery persistence rat

Malware Config

Signatures

Gh0st RAT payload 3 IoCs

resource	yara_rule
behavioral2/files/0x000c000000023b87-2.dat	family_gh0strat
behavioral2/memory/208-3-0x0000000000400000-0x000000000041D700-memory.dmp	family_gh0strat
behavioral2/memory/208-10-0x0000000000400000-0x000000000041D700-memory.dmp	family_gh0strat

Gh0strat
Gh0st RAT is a remote access tool (RAT) with its source code public and it has been used by multiple Chinese groups.
rat gh0strat
Gh0strat family
gh0strat

Server Software Component: Terminal Services DLL 1 TTPs 1 IoCs

persistence

Terminal Services DLL

T1505.005

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet003\Services\BITS\Parameters\ServiceDll = "C:\\Windows\\system32\\update.dll"	wmnet.exe

Executes dropped EXE 1 IoCs

pid	Process
208	wmnet.exe

Indicator Removal: File Deletion 1 TTPs
Adversaries may delete files left behind by the actions of their intrusion activity.
defense_evasion

File Deletion
T1070.004

Drops file in System32 directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\update.dll	wmnet.exe

Drops file in Program Files directory 1 IoCs

description	ioc	Process
File created	C:\Progra~1\Realtek\ADPPath\RTHDCPL.exe	JaffaCakes118_413262439cdfce370229e220fe20c5f1.exe

System Location Discovery: System Language Discovery 1 TTPs 15 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wmnet.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_413262439cdfce370229e220fe20c5f1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net.exe

Runs net.exe

Suspicious behavior: EnumeratesProcesses 22 IoCs

pid	Process
3580	JaffaCakes118_413262439cdfce370229e220fe20c5f1.exe
3580	JaffaCakes118_413262439cdfce370229e220fe20c5f1.exe
3580	JaffaCakes118_413262439cdfce370229e220fe20c5f1.exe
3580	JaffaCakes118_413262439cdfce370229e220fe20c5f1.exe
3580	JaffaCakes118_413262439cdfce370229e220fe20c5f1.exe
3580	JaffaCakes118_413262439cdfce370229e220fe20c5f1.exe
3580	JaffaCakes118_413262439cdfce370229e220fe20c5f1.exe
3580	JaffaCakes118_413262439cdfce370229e220fe20c5f1.exe
3580	JaffaCakes118_413262439cdfce370229e220fe20c5f1.exe
3580	JaffaCakes118_413262439cdfce370229e220fe20c5f1.exe
3580	JaffaCakes118_413262439cdfce370229e220fe20c5f1.exe
3580	JaffaCakes118_413262439cdfce370229e220fe20c5f1.exe
3580	JaffaCakes118_413262439cdfce370229e220fe20c5f1.exe
3580	JaffaCakes118_413262439cdfce370229e220fe20c5f1.exe
3580	JaffaCakes118_413262439cdfce370229e220fe20c5f1.exe
3580	JaffaCakes118_413262439cdfce370229e220fe20c5f1.exe
3580	JaffaCakes118_413262439cdfce370229e220fe20c5f1.exe
3580	JaffaCakes118_413262439cdfce370229e220fe20c5f1.exe
3580	JaffaCakes118_413262439cdfce370229e220fe20c5f1.exe
3580	JaffaCakes118_413262439cdfce370229e220fe20c5f1.exe
3580	JaffaCakes118_413262439cdfce370229e220fe20c5f1.exe
3580	JaffaCakes118_413262439cdfce370229e220fe20c5f1.exe

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
3580	JaffaCakes118_413262439cdfce370229e220fe20c5f1.exe

Suspicious use of AdjustPrivilegeToken 9 IoCs

description	pid	Process
Token: SeDebugPrivilege	3580	JaffaCakes118_413262439cdfce370229e220fe20c5f1.exe
Token: SeDebugPrivilege	3580	JaffaCakes118_413262439cdfce370229e220fe20c5f1.exe
Token: SeDebugPrivilege	3580	JaffaCakes118_413262439cdfce370229e220fe20c5f1.exe
Token: SeDebugPrivilege	3580	JaffaCakes118_413262439cdfce370229e220fe20c5f1.exe
Token: SeDebugPrivilege	3580	JaffaCakes118_413262439cdfce370229e220fe20c5f1.exe
Token: SeDebugPrivilege	3580	JaffaCakes118_413262439cdfce370229e220fe20c5f1.exe
Token: SeDebugPrivilege	3580	JaffaCakes118_413262439cdfce370229e220fe20c5f1.exe
Token: SeDebugPrivilege	3580	JaffaCakes118_413262439cdfce370229e220fe20c5f1.exe
Token: SeDebugPrivilege	3580	JaffaCakes118_413262439cdfce370229e220fe20c5f1.exe

Suspicious use of WriteProcessMemory 42 IoCs

description	pid	Process	procid_target
PID 3580 wrote to memory of 1624	3580	JaffaCakes118_413262439cdfce370229e220fe20c5f1.exe	87
PID 3580 wrote to memory of 1624	3580	JaffaCakes118_413262439cdfce370229e220fe20c5f1.exe	87
PID 3580 wrote to memory of 1624	3580	JaffaCakes118_413262439cdfce370229e220fe20c5f1.exe	87
PID 3580 wrote to memory of 696	3580	JaffaCakes118_413262439cdfce370229e220fe20c5f1.exe	88
PID 3580 wrote to memory of 696	3580	JaffaCakes118_413262439cdfce370229e220fe20c5f1.exe	88
PID 3580 wrote to memory of 696	3580	JaffaCakes118_413262439cdfce370229e220fe20c5f1.exe	88
PID 3580 wrote to memory of 2900	3580	JaffaCakes118_413262439cdfce370229e220fe20c5f1.exe	89
PID 3580 wrote to memory of 2900	3580	JaffaCakes118_413262439cdfce370229e220fe20c5f1.exe	89
PID 3580 wrote to memory of 2900	3580	JaffaCakes118_413262439cdfce370229e220fe20c5f1.exe	89
PID 3580 wrote to memory of 1828	3580	JaffaCakes118_413262439cdfce370229e220fe20c5f1.exe	93
PID 3580 wrote to memory of 1828	3580	JaffaCakes118_413262439cdfce370229e220fe20c5f1.exe	93
PID 3580 wrote to memory of 1828	3580	JaffaCakes118_413262439cdfce370229e220fe20c5f1.exe	93
PID 3580 wrote to memory of 5048	3580	JaffaCakes118_413262439cdfce370229e220fe20c5f1.exe	94
PID 3580 wrote to memory of 5048	3580	JaffaCakes118_413262439cdfce370229e220fe20c5f1.exe	94
PID 3580 wrote to memory of 5048	3580	JaffaCakes118_413262439cdfce370229e220fe20c5f1.exe	94
PID 3580 wrote to memory of 2092	3580	JaffaCakes118_413262439cdfce370229e220fe20c5f1.exe	95
PID 3580 wrote to memory of 2092	3580	JaffaCakes118_413262439cdfce370229e220fe20c5f1.exe	95
PID 3580 wrote to memory of 2092	3580	JaffaCakes118_413262439cdfce370229e220fe20c5f1.exe	95
PID 696 wrote to memory of 2508	696	net.exe	99
PID 696 wrote to memory of 2508	696	net.exe	99
PID 696 wrote to memory of 2508	696	net.exe	99
PID 1624 wrote to memory of 592	1624	net.exe	100
PID 1624 wrote to memory of 592	1624	net.exe	100
PID 1624 wrote to memory of 592	1624	net.exe	100
PID 2900 wrote to memory of 2024	2900	net.exe	101
PID 2900 wrote to memory of 2024	2900	net.exe	101
PID 2900 wrote to memory of 2024	2900	net.exe	101
PID 5048 wrote to memory of 528	5048	net.exe	102
PID 5048 wrote to memory of 528	5048	net.exe	102
PID 5048 wrote to memory of 528	5048	net.exe	102
PID 3580 wrote to memory of 208	3580	JaffaCakes118_413262439cdfce370229e220fe20c5f1.exe	103
PID 3580 wrote to memory of 208	3580	JaffaCakes118_413262439cdfce370229e220fe20c5f1.exe	103
PID 3580 wrote to memory of 208	3580	JaffaCakes118_413262439cdfce370229e220fe20c5f1.exe	103
PID 1828 wrote to memory of 1212	1828	net.exe	104
PID 1828 wrote to memory of 1212	1828	net.exe	104
PID 1828 wrote to memory of 1212	1828	net.exe	104
PID 2092 wrote to memory of 1592	2092	net.exe	105
PID 2092 wrote to memory of 1592	2092	net.exe	105
PID 2092 wrote to memory of 1592	2092	net.exe	105
PID 3580 wrote to memory of 4448	3580	JaffaCakes118_413262439cdfce370229e220fe20c5f1.exe	111
PID 3580 wrote to memory of 4448	3580	JaffaCakes118_413262439cdfce370229e220fe20c5f1.exe	111
PID 3580 wrote to memory of 4448	3580	JaffaCakes118_413262439cdfce370229e220fe20c5f1.exe	111

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_413262439cdfce370229e220fe20c5f1.exe
"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_413262439cdfce370229e220fe20c5f1.exe"
1⤵
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: RenamesItself
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3580
- C:\Windows\SysWOW64\net.exe
  net stop "Security Center"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:1624
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "Security Center"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:592
- C:\Windows\SysWOW64\net.exe
  net stop "Windows Firewall/Internet Connection Sharing (ICS)"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:696
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "Windows Firewall/Internet Connection Sharing (ICS)"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2508
- C:\Windows\SysWOW64\net.exe
  net stop System Restore Service
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2900
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop System Restore Service
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2024
- C:\Windows\SysWOW64\net.exe
  net stop "Security Center"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:1828
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "Security Center"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1212
- C:\Windows\SysWOW64\net.exe
  net stop "Windows Firewall/Internet Connection Sharing (ICS)"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:5048
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "Windows Firewall/Internet Connection Sharing (ICS)"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:528
- C:\Windows\SysWOW64\net.exe
  net stop System Restore Service
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2092
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop System Restore Service
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1592
- C:\Users\Admin\AppData\Local\Temp\wmnet.exe
  C:\Users\Admin\AppData\Local\Temp\wmnet.exe
  2⤵
  - Server Software Component: Terminal Services DLL
  - Executes dropped EXE
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  PID:208
- C:\Windows\SysWOW64\cmd.exe
  cmd /c del C:\avp.exe
  2⤵
  - System Location Discovery: System Language Discovery
  PID:4448

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Server Software Component

T1505

Terminal Services DLL

T1505.005

Privilege Escalation

Defense Evasion

Indicator Removal

T1070

File Deletion

T1070.004

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\wmnet.exe

Filesize
118KB

MD5
5e5835fce2d4b3b7416e14676ca9b935

SHA1
4c5f73f2224ce3b5c0b911b8b44b5ea5c0d56c4a

SHA256
41ad987bf41fcc9b6376f48ea77496e6f176a14b952974e018447ea00c00ec0d

SHA512
633d857ce647c2160c680b276bac6ad522270de654aded893510402d0c25fba97aa9cc702aff68fb6bd3554ed3e8e70c94cfa4474030c0004aa744d1db0c4e14

Download Submit
memory/208-3-0x0000000000400000-0x000000000041D700-memory.dmp

Filesize
117KB

Download
memory/208-10-0x0000000000400000-0x000000000041D700-memory.dmp

Filesize
117KB

Download
memory/3580-11-0x000000000F000000-0x000000000F029000-memory.dmp

Filesize
164KB

Download