gh0strat | 6be071163d6340ff98a0b9fe175f14144dbc751874b5dc5eeef8a83d91010889

Analysis

max time kernel
150s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20250217-en
resource tags

arch:x64arch:x86image:win10v2004-20250217-enlocale:en-usos:windows10-2004-x64system
submitted
02/03/2025, 17:07

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

JaffaCakes118_417811564bbe489d3117fd04b338ac9b.exe
Size

156KB
MD5

417811564bbe489d3117fd04b338ac9b
SHA1

2ea1cb7e18666b7a52b1b099d2e151c7b4a35abf
SHA256

6be071163d6340ff98a0b9fe175f14144dbc751874b5dc5eeef8a83d91010889
SHA512

f0b0189ce9ef3d1259eb18c897dddbb9fae67fbe5e6c30671c01ad055924a851c94f8458c936a9219249c9b0210a01d739f0c21f4d41cf9bcf568936bf39db43
SSDEEP

3072:3hDj44zniIHhEF+AdDSpxXepxwiQEhiM8BKj:yqii2TIp9kxwiQEd8BA

Score

10^/10

gh0strat discovery persistence rat

Malware Config

Signatures

Gh0st RAT payload 1 IoCs

resource	yara_rule
behavioral2/files/0x000b000000023c6f-11.dat	family_gh0strat

Gh0strat
Gh0st RAT is a remote access tool (RAT) with its source code public and it has been used by multiple Chinese groups.
rat gh0strat
Gh0strat family
gh0strat

Executes dropped EXE 1 IoCs

pid	Process
1976	maqnct.td

Loads dropped DLL 1 IoCs

pid	Process
2676	rundll32.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\GrpConv = "grpconv -o"	rundll32.exe

Drops file in System32 directory 5 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\dewtjgos.td	JaffaCakes118_417811564bbe489d3117fd04b338ac9b.exe
File created	C:\Windows\SysWOW64\maqnct.td	JaffaCakes118_417811564bbe489d3117fd04b338ac9b.exe
File created	C:\Windows\SysWOW64\applelogs.key	rundll32.exe
File created	C:\Windows\SysWOW64\systeminf.inf	JaffaCakes118_417811564bbe489d3117fd04b338ac9b.exe
File opened for modification	C:\Windows\SysWOW64\systeminf.inf	JaffaCakes118_417811564bbe489d3117fd04b338ac9b.exe

System Location Discovery: System Language Discovery 1 TTPs 8 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_417811564bbe489d3117fd04b338ac9b.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	rundll32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	rundll32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	runonce.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	grpconv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	maqnct.td
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	runonce.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	runonce.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
3372	JaffaCakes118_417811564bbe489d3117fd04b338ac9b.exe
3372	JaffaCakes118_417811564bbe489d3117fd04b338ac9b.exe
3372	JaffaCakes118_417811564bbe489d3117fd04b338ac9b.exe
3372	JaffaCakes118_417811564bbe489d3117fd04b338ac9b.exe
1976	maqnct.td
1976	maqnct.td
2676	rundll32.exe
2676	rundll32.exe
2676	rundll32.exe
2676	rundll32.exe
2676	rundll32.exe
2676	rundll32.exe
2676	rundll32.exe
2676	rundll32.exe
2676	rundll32.exe
2676	rundll32.exe
2676	rundll32.exe
2676	rundll32.exe
2676	rundll32.exe
2676	rundll32.exe
2676	rundll32.exe
2676	rundll32.exe
2676	rundll32.exe
2676	rundll32.exe
2676	rundll32.exe
2676	rundll32.exe
2676	rundll32.exe
2676	rundll32.exe
2676	rundll32.exe
2676	rundll32.exe
2676	rundll32.exe
2676	rundll32.exe
2676	rundll32.exe
2676	rundll32.exe
2676	rundll32.exe
2676	rundll32.exe
2676	rundll32.exe
2676	rundll32.exe
2676	rundll32.exe
2676	rundll32.exe
2676	rundll32.exe
2676	rundll32.exe
2676	rundll32.exe
2676	rundll32.exe
2676	rundll32.exe
2676	rundll32.exe
2676	rundll32.exe
2676	rundll32.exe
2676	rundll32.exe
2676	rundll32.exe
2676	rundll32.exe
2676	rundll32.exe
2676	rundll32.exe
2676	rundll32.exe
2676	rundll32.exe
2676	rundll32.exe
2676	rundll32.exe
2676	rundll32.exe
2676	rundll32.exe
2676	rundll32.exe
2676	rundll32.exe
2676	rundll32.exe
2676	rundll32.exe
2676	rundll32.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	1976	maqnct.td

Suspicious use of WriteProcessMemory 18 IoCs

description	pid	Process	procid_target
PID 3372 wrote to memory of 4636	3372	JaffaCakes118_417811564bbe489d3117fd04b338ac9b.exe	85
PID 3372 wrote to memory of 4636	3372	JaffaCakes118_417811564bbe489d3117fd04b338ac9b.exe	85
PID 3372 wrote to memory of 4636	3372	JaffaCakes118_417811564bbe489d3117fd04b338ac9b.exe	85
PID 4636 wrote to memory of 4612	4636	cmd.exe	87
PID 4636 wrote to memory of 4612	4636	cmd.exe	87
PID 4636 wrote to memory of 4612	4636	cmd.exe	87
PID 4612 wrote to memory of 4220	4612	rundll32.exe	88
PID 4612 wrote to memory of 4220	4612	rundll32.exe	88
PID 4612 wrote to memory of 4220	4612	rundll32.exe	88
PID 4220 wrote to memory of 3340	4220	runonce.exe	91
PID 4220 wrote to memory of 3340	4220	runonce.exe	91
PID 4220 wrote to memory of 3340	4220	runonce.exe	91
PID 1976 wrote to memory of 2676	1976	maqnct.td	95
PID 1976 wrote to memory of 2676	1976	maqnct.td	95
PID 1976 wrote to memory of 2676	1976	maqnct.td	95
PID 3372 wrote to memory of 860	3372	JaffaCakes118_417811564bbe489d3117fd04b338ac9b.exe	96
PID 3372 wrote to memory of 860	3372	JaffaCakes118_417811564bbe489d3117fd04b338ac9b.exe	96
PID 3372 wrote to memory of 860	3372	JaffaCakes118_417811564bbe489d3117fd04b338ac9b.exe	96

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_417811564bbe489d3117fd04b338ac9b.exe
"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_417811564bbe489d3117fd04b338ac9b.exe"
1⤵
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:3372
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Documents AND Settings\apple.bat""
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:4636
- - C:\Windows\SysWOW64\rundll32.exe
    rundll32.exe setupapi,InstallHinfSection DefaultInstall 128 C:\Windows\system32\systeminf.inf
    3⤵
    - Adds Run key to start application
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:4612
  - - C:\Windows\SysWOW64\runonce.exe
      "C:\Windows\system32\runonce.exe" -r
      4⤵
      System Location Discovery: System Language Discovery
      Checks processor information in registry
      Suspicious use of WriteProcessMemory
      PID:4220
    - - C:\Windows\SysWOW64\grpconv.exe
        
        "C:\Windows\System32\grpconv.exe" -o
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:3340
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c apple.bat
  2⤵
  - System Location Discovery: System Language Discovery
  PID:860

C:\Windows\SysWOW64\maqnct.td
C:\Windows\SysWOW64\maqnct.td
1⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1976
- C:\Windows\SysWOW64\rundll32.exe
  rundll32.exe C:\Windows\system32\dewtjgos.td,hi
  2⤵
  - Loads dropped DLL
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  PID:2676

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Documents AND Settings\apple.bat

Filesize
94B

MD5
e39e318e5b231fdf5f147640c71c2096

SHA1
5fe5815abf87c414d29babcbe914e70c062a705c

SHA256
3dfb3bbbd87f29fe338b97fef70b525ed754c6b980698c426bc32156c93914e2

SHA512
398b78921d487e135429672488303d7a641907c2124310a55c22cefd061f358f1c15375b7fe1a8919f0fc7423136c4241d714f312d675506bc69dea35b1dbfc4

Download Submit
C:\Users\Admin\AppData\Local\Temp\apple.bat

Filesize
2KB

MD5
6054523340f99a6da8dfc1480255ca1a

SHA1
354be1f2ed6abe678592e6c0a9d24423fada5830

SHA256
4532c92713df61d216fe26ef754fb2f7572efb689aa85be79c2693bbe6be9805

SHA512
5d9dbc8c1f04343145cd893199aa1e97489563580ebd3b5d455997805ff7026c6da2ee08d0e200666e61c8cb8df86d115e59ee8989cf0c4149295fd4636d4afa

Download Submit
C:\Users\Admin\AppData\Local\Temp\applezscc.aqq

Filesize
110B

MD5
5ff1aa4f2339f3e14f86ff63dc15532d

SHA1
6cf1dd5f7cfa2b443fc4e6af689979452c2af6cf

SHA256
1c5c90926560f0eb64473bddf0c86c1f22b8a445f75114ca78acb4437c50c2e3

SHA512
b1f3b1f056f3e936daad82569eae07cc3dcae52f7ae9f2f54fa551884a01eb164f6ee02a3fefe0d7af4f5385f8c3c466b1611edf645897ffa75810964618102c

Download Submit
C:\Windows\SysWOW64\dewtjgos.td

Filesize
25.1MB

MD5
9334d9474ae8ae6927b72948ea1546ec

SHA1
59e871b71ee1602911d055153f19bd52ea014b44

SHA256
f878cd1c61068b4e287d422991600e2b7c3731117fe474cfe0c36743976b509f

SHA512
b3602a472d10ab005a402539962fba9b7b85b98d2a7e64b85aca1c52484e7487c2ecf1c3f3117f3e1981f3c1bac91404a7a51143002c56417daf2d9995470e34

Download Submit
C:\Windows\SysWOW64\maqnct.td

Filesize
25.0MB

MD5
0070bb88cd1368dc79595e72cc4c8188

SHA1
2a4c44af12dc22abc6513befcb75550f8c4fd8be

SHA256
d1f05c1528ed588579fbd116a122a039fc98bb506d47399efcc533501cf5d419

SHA512
d6b13bb6c8dd2a84c1b3e6f83453cc79b89ec4d1c1c78489b2f419e3ea02778ba476f8f23f7971a0e904ef1448b7e920d31b41555715f288197240a979c8add8

Download Submit
C:\Windows\SysWOW64\systeminf.inf

Filesize
360B

MD5
2010ba802653db2566c24eb144f17bde

SHA1
f42cad4e58e085e6911350697b919c6b7d49f7cb

SHA256
ed886b39a083a8b53b2b06355c737295cb9bb2fca67f21263d2a4bb6b46f73aa

SHA512
f5604154514b4edca617f1132c7d55404bfd7606a096f3025f1f9b55649f139765eb2050d7933f3d358c436aee451ed475e848892a5bd80cadf257eb78909200

Download Submit