gh0strat | 2f72312f9437fa468caecdabdc5c955f1c9267ad843179b305f9ba98172242f5

Analysis

max time kernel
141s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20250217-en
resource tags

arch:x64arch:x86image:win10v2004-20250217-enlocale:en-usos:windows10-2004-x64system
submitted
02/03/2025, 17:26

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

JaffaCakes118_4190197ccdfc3d482ebccf4cfbe1596e.exe
Size

96KB
MD5

4190197ccdfc3d482ebccf4cfbe1596e
SHA1

6c6d08fad585d71a6a28b983f030a6c40bba5410
SHA256

2f72312f9437fa468caecdabdc5c955f1c9267ad843179b305f9ba98172242f5
SHA512

5112c69e829d70cbfea133515f96c6b38576475af813ec567058e46a1cd1dde0e405a3887fef501d3f8a9334216f1157de2f9f95e14cd63fba3ef537690c1395
SSDEEP

1536:/AFusSx9qYMhdFHS8qdydo3nTzhYxJA+CwNUtBZVY9v8prqQZeUZw6u:/yS4jHS8q/3nTzePCwNUh4E9qSxZw6u

Score

10^/10

gh0strat discovery rat

Malware Config

Signatures

Gh0st RAT payload 5 IoCs

resource	yara_rule
behavioral2/files/0x000e000000023bb6-13.dat	family_gh0strat
behavioral2/memory/3828-16-0x0000000000400000-0x000000000044E2C0-memory.dmp	family_gh0strat
behavioral2/memory/2536-19-0x0000000020000000-0x0000000020027000-memory.dmp	family_gh0strat
behavioral2/memory/4684-24-0x0000000020000000-0x0000000020027000-memory.dmp	family_gh0strat
behavioral2/memory/3704-29-0x0000000020000000-0x0000000020027000-memory.dmp	family_gh0strat

Gh0strat
Gh0st RAT is a remote access tool (RAT) with its source code public and it has been used by multiple Chinese groups.
rat gh0strat
Gh0strat family
gh0strat

Deletes itself 1 IoCs

pid	Process
3828	heoowmctkj

Executes dropped EXE 1 IoCs

pid	Process
3828	heoowmctkj

Loads dropped DLL 3 IoCs

pid	Process
2536	svchost.exe
4684	svchost.exe
3704	svchost.exe

Drops file in System32 directory 7 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\mjdhtkefmt	svchost.exe
File opened for modification	C:\Windows\SysWOW64\svchost.exe.txt	svchost.exe
File created	C:\Windows\SysWOW64\mjdhtkefmt	svchost.exe
File opened for modification	C:\Windows\SysWOW64\svchost.exe.txt	svchost.exe
File created	C:\Windows\SysWOW64\msbudeajld	svchost.exe
File opened for modification	C:\Windows\SysWOW64\svchost.exe.txt	svchost.exe
File created	C:\Windows\SysWOW64\mbpnlhchyx	svchost.exe

Program crash 3 IoCs

pid	pid_target	Process	procid_target
4928	2536	WerFault.exe	93
616	4684	WerFault.exe	98
3188	3704	WerFault.exe	101

System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_4190197ccdfc3d482ebccf4cfbe1596e.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	heoowmctkj
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
3828	heoowmctkj
3828	heoowmctkj

Suspicious use of AdjustPrivilegeToken 46 IoCs

description	pid	Process
Token: SeRestorePrivilege	3828	heoowmctkj
Token: SeBackupPrivilege	3828	heoowmctkj
Token: SeBackupPrivilege	3828	heoowmctkj
Token: SeRestorePrivilege	3828	heoowmctkj
Token: SeBackupPrivilege	2536	svchost.exe
Token: SeRestorePrivilege	2536	svchost.exe
Token: SeBackupPrivilege	2536	svchost.exe
Token: SeBackupPrivilege	2536	svchost.exe
Token: SeSecurityPrivilege	2536	svchost.exe
Token: SeSecurityPrivilege	2536	svchost.exe
Token: SeBackupPrivilege	2536	svchost.exe
Token: SeBackupPrivilege	2536	svchost.exe
Token: SeSecurityPrivilege	2536	svchost.exe
Token: SeBackupPrivilege	2536	svchost.exe
Token: SeBackupPrivilege	2536	svchost.exe
Token: SeSecurityPrivilege	2536	svchost.exe
Token: SeBackupPrivilege	2536	svchost.exe
Token: SeRestorePrivilege	2536	svchost.exe
Token: SeBackupPrivilege	4684	svchost.exe
Token: SeRestorePrivilege	4684	svchost.exe
Token: SeBackupPrivilege	4684	svchost.exe
Token: SeBackupPrivilege	4684	svchost.exe
Token: SeSecurityPrivilege	4684	svchost.exe
Token: SeSecurityPrivilege	4684	svchost.exe
Token: SeBackupPrivilege	4684	svchost.exe
Token: SeBackupPrivilege	4684	svchost.exe
Token: SeSecurityPrivilege	4684	svchost.exe
Token: SeBackupPrivilege	4684	svchost.exe
Token: SeBackupPrivilege	4684	svchost.exe
Token: SeSecurityPrivilege	4684	svchost.exe
Token: SeBackupPrivilege	4684	svchost.exe
Token: SeRestorePrivilege	4684	svchost.exe
Token: SeBackupPrivilege	3704	svchost.exe
Token: SeRestorePrivilege	3704	svchost.exe
Token: SeBackupPrivilege	3704	svchost.exe
Token: SeBackupPrivilege	3704	svchost.exe
Token: SeSecurityPrivilege	3704	svchost.exe
Token: SeSecurityPrivilege	3704	svchost.exe
Token: SeBackupPrivilege	3704	svchost.exe
Token: SeBackupPrivilege	3704	svchost.exe
Token: SeSecurityPrivilege	3704	svchost.exe
Token: SeBackupPrivilege	3704	svchost.exe
Token: SeBackupPrivilege	3704	svchost.exe
Token: SeSecurityPrivilege	3704	svchost.exe
Token: SeBackupPrivilege	3704	svchost.exe
Token: SeRestorePrivilege	3704	svchost.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 5056 wrote to memory of 3828	5056	JaffaCakes118_4190197ccdfc3d482ebccf4cfbe1596e.exe	88
PID 5056 wrote to memory of 3828	5056	JaffaCakes118_4190197ccdfc3d482ebccf4cfbe1596e.exe	88
PID 5056 wrote to memory of 3828	5056	JaffaCakes118_4190197ccdfc3d482ebccf4cfbe1596e.exe	88

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_4190197ccdfc3d482ebccf4cfbe1596e.exe
"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_4190197ccdfc3d482ebccf4cfbe1596e.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:5056
- \??\c:\users\admin\appdata\local\heoowmctkj
  "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_4190197ccdfc3d482ebccf4cfbe1596e.exe" a -sc:\users\admin\appdata\local\temp\jaffacakes118_4190197ccdfc3d482ebccf4cfbe1596e.exe
  2⤵
  - Deletes itself
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:3828

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k netsvcs -s fastuserswitchingcompatibility
1⤵
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
PID:2536
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 2536 -s 1088
  2⤵
  - Program crash
  PID:4928

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 456 -p 2536 -ip 2536
1⤵
PID:4636

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k netsvcs -s fastuserswitchingcompatibility
1⤵
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
PID:4684
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 4684 -s 1100
  2⤵
  - Program crash
  PID:616

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 432 -p 4684 -ip 4684
1⤵
PID:2000

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k netsvcs -s fastuserswitchingcompatibility
1⤵
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
PID:3704
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 3704 -s 1112
  2⤵
  - Program crash
  PID:3188

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 468 -p 3704 -ip 3704
1⤵
PID:3664

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\heoowmctkj

Filesize
20.4MB

MD5
c3d9a6c3967501d4e6a58e6f85dbdce1

SHA1
e7eb9f7eb4e6c06f37ccd275b77f371fda7683d9

SHA256
ec8d4d92005958d967d2e467c00cefeb9a6c670e64be105cc4b9dea3fc8d1f5d

SHA512
adc3f40dd605420bea9295c0ed9894126c8c4b757ed6693b5a80ecb0771242a25630c55d7607891b78783178304410c8ff001207245e6a02d15dcc13f7504241

Download Submit
C:\Windows\SysWOW64\svchost.exe.txt

Filesize
200B

MD5
175bc26928a12c5d188e30bce94a3cbe

SHA1
71bd7b571ce8b68d745dcd3e315bca096314b335

SHA256
d1252bd8b4af2bb35bca5c245b5b3a2e6eb02925899fa0b11f0f7bc999910b60

SHA512
a6f17e52e1ff2522f1147db3af52685963f80eda330bd556122bf46988d40d857b38cea08a084925a36b112d41a1d094315b3697db7cbc5d5b6f496d409c147c

Download Submit
C:\Windows\SysWOW64\svchost.exe.txt

Filesize
300B

MD5
ed77e9b310f9d57e6ba3932fab83a8b1

SHA1
f15daf41c36d4079fd5502235cde6ade6f052ddc

SHA256
aec17b174f47e9027e028e162bb53332031a8bdb109f4602ac556fe2c1b73945

SHA512
1e0ee92fdcc7b62bbfb797157eed1490154b0ffd0a9b66b126057f7cc2015409c8bb6cec3264da05b53d5081e4016b8b1777986e1b40c55ec22189d84bf0ca52

Download Submit
\??\c:\programdata\application data\storm\update\%sessionname%\hqvux.cc3

Filesize
19.0MB

MD5
bfbd50ceb8923ffde0c0d96fe42d2507

SHA1
d4b6fdbeec9b96687cb816e71782961356080a99

SHA256
9ea72ffbb56f5ed4ea94e28c18d9488676d24b4e6430136431753fa6b3342f64

SHA512
6ab357cce53b187a979004c701f6cf043d0173a967db3f9202fedc6108473060e13c89ecba6d110c9ad1ad4c45a4a55a1d8ed477bf24acae6655b936ed0cdda4

Download Submit
memory/2536-17-0x00000000019B0000-0x00000000019B1000-memory.dmp

Filesize
4KB

Download
memory/2536-19-0x0000000020000000-0x0000000020027000-memory.dmp

Filesize
156KB

Download
memory/3704-29-0x0000000020000000-0x0000000020027000-memory.dmp

Filesize
156KB

Download
memory/3704-26-0x00000000019F0000-0x00000000019F1000-memory.dmp

Filesize
4KB

Download
memory/3828-7-0x0000000000400000-0x000000000044E2C0-memory.dmp

Filesize
312KB

Download
memory/3828-16-0x0000000000400000-0x000000000044E2C0-memory.dmp

Filesize
312KB

Download
memory/4684-21-0x0000000001DC0000-0x0000000001DC1000-memory.dmp

Filesize
4KB

Download
memory/4684-24-0x0000000020000000-0x0000000020027000-memory.dmp

Filesize
156KB

Download
memory/5056-0-0x0000000000400000-0x000000000044E2C0-memory.dmp

Filesize
312KB

Download
memory/5056-8-0x0000000000400000-0x000000000044E2C0-memory.dmp

Filesize
312KB

Download
memory/5056-2-0x00000000001D0000-0x00000000001D1000-memory.dmp

Filesize
4KB

Download