gh0strat | 2edb9a68bd575c2f1d9f2d56d9a81b46e6c262be81520a8510e2fbc14281f298

Analysis

max time kernel
122s
max time network
123s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
02/03/2025, 17:55

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

JaffaCakes118_41b55e6a13f3393eb84fcb255b512cb9.exe
Size

188KB
MD5

41b55e6a13f3393eb84fcb255b512cb9
SHA1

907b5f824350fffac516f47fa1c43c8a98190642
SHA256

2edb9a68bd575c2f1d9f2d56d9a81b46e6c262be81520a8510e2fbc14281f298
SHA512

1fe7b5d5a26aa0a968c506bbe09367499773177e5b7f773df775b3ba4740f65bea30794164cc35bac0e452c776da19cdb0c4f5460f3c47f21e46fafd574b68ed
SSDEEP

3072:BuynWZJKMIdsJMN/uHsYqmzT86aCpdKzemN2ZNZaBaKY:5nWZJKM+9mHh66aCpdKzemNQjyu

Score

10^/10

gh0strat bootkit discovery persistence rat

Malware Config

Signatures

Gh0st RAT payload 1 IoCs

resource	yara_rule
behavioral1/files/0x0009000000015d7f-2.dat	family_gh0strat

Gh0strat
Gh0st RAT is a remote access tool (RAT) with its source code public and it has been used by multiple Chinese groups.
rat gh0strat
Gh0strat family
gh0strat

Deletes itself 1 IoCs

pid	Process
2936	svchost.exe

Loads dropped DLL 1 IoCs

pid	Process
2936	svchost.exe

Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs

Bootkits write to the MBR to gain persistence at a level below the operating system.

bootkit persistence

Bootkit

T1542.003

description	ioc	Process
File opened for modification	\??\PhysicalDrive0	svchost.exe

Drops file in System32 directory 1 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\qefgrmivfn	svchost.exe

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_41b55e6a13f3393eb84fcb255b512cb9.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	svchost.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	svchost.exe

Modifies data under HKEY_USERS 6 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\ActiveMovie	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\ActiveMovie\devenum	svchost.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\ActiveMovie\devenum\Version = "7"	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	svchost.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
2936	svchost.exe
2936	svchost.exe
2936	svchost.exe
2936	svchost.exe

Suspicious use of AdjustPrivilegeToken 14 IoCs

description	pid	Process
Token: SeBackupPrivilege	2696	JaffaCakes118_41b55e6a13f3393eb84fcb255b512cb9.exe
Token: SeRestorePrivilege	2696	JaffaCakes118_41b55e6a13f3393eb84fcb255b512cb9.exe
Token: SeBackupPrivilege	2936	svchost.exe
Token: SeRestorePrivilege	2936	svchost.exe
Token: SeBackupPrivilege	2936	svchost.exe
Token: SeBackupPrivilege	2936	svchost.exe
Token: SeSecurityPrivilege	2936	svchost.exe
Token: SeSecurityPrivilege	2936	svchost.exe
Token: SeBackupPrivilege	2936	svchost.exe
Token: SeBackupPrivilege	2936	svchost.exe
Token: SeSecurityPrivilege	2936	svchost.exe
Token: SeBackupPrivilege	2936	svchost.exe
Token: SeBackupPrivilege	2936	svchost.exe
Token: SeSecurityPrivilege	2936	svchost.exe

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_41b55e6a13f3393eb84fcb255b512cb9.exe
"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_41b55e6a13f3393eb84fcb255b512cb9.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
PID:2696

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k netsvcs
1⤵
- Deletes itself
- Loads dropped DLL
- Writes to the Master Boot Record (MBR)
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Checks processor information in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2936

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Pre-OS Boot

T1542

Bootkit

T1542.003

Privilege Escalation

Defense Evasion

Pre-OS Boot

T1542

Bootkit

T1542.003

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\??\c:\users\admin\application data\acd systems\acdsee\imageuu.ddf

Filesize
152KB

MD5
cb018f59691bc3f1c63686f233655b7b

SHA1
b655c28c7a08413c0436202a6dd331badffe1ab0

SHA256
29e2043b30c088fe4f47ed62f4878b3e5568045c2a265ee96a7a807938e285bb

SHA512
6cc03e6bdcacf9c618c56658c8a1592b1287972514b31d1c309464c08209455a3df527fbf6be0ef34023fc01ed9dc7acd88c25cbcea58c0c0ad7841a7b328473

Download Submit