gh0strat | 2b9df8202473d6392e0d0f0528aa2decfe8f71213127f813145c483f0e53fe06

Analysis

max time kernel
122s
max time network
123s
platform
windows7_x64
resource
win7-20241023-en
resource tags

arch:x64arch:x86image:win7-20241023-enlocale:en-usos:windows7-x64system
submitted
03/03/2025, 02:12

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

JaffaCakes118_4407a8cae98fe538af4f335f687254a2.exe
Size

188KB
MD5

4407a8cae98fe538af4f335f687254a2
SHA1

37aba75d216bafc4b9a5d1aa17eed4cea93ff3ba
SHA256

2b9df8202473d6392e0d0f0528aa2decfe8f71213127f813145c483f0e53fe06
SHA512

78fae8e69e57c9825b79292aa3bf5e57a34ac4b78c5c4c6f0dc3abbc1fa778a2c56e38f0103f1185d965bb96a04218811c305bde7330633f54f6c9786ea4ce39
SSDEEP

3072:3l1xEDv8CsDTB0Oslzs+Jh7sPl/OJ8CTzPg5ilQcM+dM7Y:LxEDvQy/j0l/O2CPxlZM+dI

Score

10^/10

gh0strat bootkit discovery persistence rat

Malware Config

Signatures

Gh0st RAT payload 1 IoCs

resource	yara_rule
behavioral1/files/0x0009000000015d41-2.dat	family_gh0strat

Gh0strat
Gh0st RAT is a remote access tool (RAT) with its source code public and it has been used by multiple Chinese groups.
rat gh0strat
Gh0strat family
gh0strat

Deletes itself 1 IoCs

pid	Process
2912	svchost.exe

Loads dropped DLL 1 IoCs

pid	Process
2912	svchost.exe

Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs

Bootkits write to the MBR to gain persistence at a level below the operating system.

bootkit persistence

Bootkit

T1542.003

description	ioc	Process
File opened for modification	\??\PhysicalDrive0	svchost.exe

Drops file in System32 directory 1 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\phasbljhhi	svchost.exe

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_4407a8cae98fe538af4f335f687254a2.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	svchost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	svchost.exe

Modifies data under HKEY_USERS 6 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\Software	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\ActiveMovie	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\ActiveMovie\devenum	svchost.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\ActiveMovie\devenum\Version = "7"	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum	svchost.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
2912	svchost.exe
2912	svchost.exe
2912	svchost.exe
2912	svchost.exe

Suspicious use of AdjustPrivilegeToken 14 IoCs

description	pid	Process
Token: SeBackupPrivilege	2908	JaffaCakes118_4407a8cae98fe538af4f335f687254a2.exe
Token: SeRestorePrivilege	2908	JaffaCakes118_4407a8cae98fe538af4f335f687254a2.exe
Token: SeBackupPrivilege	2912	svchost.exe
Token: SeRestorePrivilege	2912	svchost.exe
Token: SeBackupPrivilege	2912	svchost.exe
Token: SeBackupPrivilege	2912	svchost.exe
Token: SeSecurityPrivilege	2912	svchost.exe
Token: SeSecurityPrivilege	2912	svchost.exe
Token: SeBackupPrivilege	2912	svchost.exe
Token: SeBackupPrivilege	2912	svchost.exe
Token: SeSecurityPrivilege	2912	svchost.exe
Token: SeBackupPrivilege	2912	svchost.exe
Token: SeBackupPrivilege	2912	svchost.exe
Token: SeSecurityPrivilege	2912	svchost.exe

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_4407a8cae98fe538af4f335f687254a2.exe
"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_4407a8cae98fe538af4f335f687254a2.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
PID:2908

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k netsvcs
1⤵
- Deletes itself
- Loads dropped DLL
- Writes to the Master Boot Record (MBR)
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Checks processor information in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2912

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Pre-OS Boot

T1542

Bootkit

T1542.003

Privilege Escalation

Defense Evasion

Pre-OS Boot

T1542

Bootkit

T1542.003

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\??\c:\users\admin\applic~1\cjqyy\cjqyy.lib

Filesize
148KB

MD5
c95bdd65bd8fb795424f47ee86e3e676

SHA1
41a8b0a722e1099c31941876cc035259b53414d7

SHA256
ba68cc7c788edad052e3915e6dd31259eae78ff8804e8eae728f26be0d7844f4

SHA512
de748a36ab75467af9069496397c7bfcc5baf98b7be228fd3375825013c3cc1a00be5fd9835aeea256b1275e6863c7e179d2a1eca5911046b6aa5f7c5b5bcd67

Download Submit