gh0strat | 1c1d4c1d2d2dd7440ee5ada0500d70e1d9573b7c5f3f0497555d656681d58499

Analysis

max time kernel
141s
max time network
140s
platform
windows10-2004_x64
resource
win10v2004-20250217-en
resource tags

arch:x64arch:x86image:win10v2004-20250217-enlocale:en-usos:windows10-2004-x64system
submitted
03/03/2025, 05:31

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

JaffaCakes118_450f676ed6ccd0d01de97923bc917a2a.exe
Size

95KB
MD5

450f676ed6ccd0d01de97923bc917a2a
SHA1

651b6cf038f8a46f80c95413b9695acfa17634d7
SHA256

1c1d4c1d2d2dd7440ee5ada0500d70e1d9573b7c5f3f0497555d656681d58499
SHA512

10dd11e8a54677fc424b230d36b0bca82f82157a5cdd6a99062ffdeae8448cd68daab87523e992bf9a3b41cbef6da3bf328e963f886e30d54393fc7506b8d142
SSDEEP

1536:b+YnODFusSx9qYMhdFHS8qdydo3nTzhYxJA+CwNUtBZVY9v8prC1rmZ44Cqrz:bs9S4jHS8q/3nTzePCwNUh4E9crMgqX

Score

10^/10

gh0strat discovery rat

Malware Config

Signatures

Gh0st RAT payload 5 IoCs

resource	yara_rule
behavioral2/files/0x000d000000023c22-15.dat	family_gh0strat
behavioral2/memory/1236-17-0x0000000000400000-0x000000000044C615-memory.dmp	family_gh0strat
behavioral2/memory/2872-20-0x0000000020000000-0x0000000020027000-memory.dmp	family_gh0strat
behavioral2/memory/4372-25-0x0000000020000000-0x0000000020027000-memory.dmp	family_gh0strat
behavioral2/memory/1916-30-0x0000000020000000-0x0000000020027000-memory.dmp	family_gh0strat

Gh0strat
Gh0st RAT is a remote access tool (RAT) with its source code public and it has been used by multiple Chinese groups.
rat gh0strat
Gh0strat family
gh0strat

Deletes itself 1 IoCs

pid	Process
1236	mquthjmroc

Executes dropped EXE 1 IoCs

pid	Process
1236	mquthjmroc

Loads dropped DLL 3 IoCs

pid	Process
2872	svchost.exe
4372	svchost.exe
1916	svchost.exe

Drops file in System32 directory 6 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\udhlvbhutm	svchost.exe
File opened for modification	C:\Windows\SysWOW64\svchost.exe.txt	svchost.exe
File created	C:\Windows\SysWOW64\ulufeekshh	svchost.exe
File opened for modification	C:\Windows\SysWOW64\svchost.exe.txt	svchost.exe
File created	C:\Windows\SysWOW64\udhlvbhutm	svchost.exe
File opened for modification	C:\Windows\SysWOW64\svchost.exe.txt	svchost.exe

Program crash 3 IoCs

pid	pid_target	Process	procid_target
5080	2872	WerFault.exe	92
4992	4372	WerFault.exe	97
4756	1916	WerFault.exe	100

System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_450f676ed6ccd0d01de97923bc917a2a.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mquthjmroc
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
1236	mquthjmroc
1236	mquthjmroc

Suspicious use of AdjustPrivilegeToken 46 IoCs

description	pid	Process
Token: SeRestorePrivilege	1236	mquthjmroc
Token: SeBackupPrivilege	1236	mquthjmroc
Token: SeBackupPrivilege	1236	mquthjmroc
Token: SeRestorePrivilege	1236	mquthjmroc
Token: SeBackupPrivilege	2872	svchost.exe
Token: SeRestorePrivilege	2872	svchost.exe
Token: SeBackupPrivilege	2872	svchost.exe
Token: SeBackupPrivilege	2872	svchost.exe
Token: SeSecurityPrivilege	2872	svchost.exe
Token: SeSecurityPrivilege	2872	svchost.exe
Token: SeBackupPrivilege	2872	svchost.exe
Token: SeBackupPrivilege	2872	svchost.exe
Token: SeSecurityPrivilege	2872	svchost.exe
Token: SeBackupPrivilege	2872	svchost.exe
Token: SeBackupPrivilege	2872	svchost.exe
Token: SeSecurityPrivilege	2872	svchost.exe
Token: SeBackupPrivilege	2872	svchost.exe
Token: SeRestorePrivilege	2872	svchost.exe
Token: SeBackupPrivilege	4372	svchost.exe
Token: SeRestorePrivilege	4372	svchost.exe
Token: SeBackupPrivilege	4372	svchost.exe
Token: SeBackupPrivilege	4372	svchost.exe
Token: SeSecurityPrivilege	4372	svchost.exe
Token: SeSecurityPrivilege	4372	svchost.exe
Token: SeBackupPrivilege	4372	svchost.exe
Token: SeBackupPrivilege	4372	svchost.exe
Token: SeSecurityPrivilege	4372	svchost.exe
Token: SeBackupPrivilege	4372	svchost.exe
Token: SeBackupPrivilege	4372	svchost.exe
Token: SeSecurityPrivilege	4372	svchost.exe
Token: SeBackupPrivilege	4372	svchost.exe
Token: SeRestorePrivilege	4372	svchost.exe
Token: SeBackupPrivilege	1916	svchost.exe
Token: SeRestorePrivilege	1916	svchost.exe
Token: SeBackupPrivilege	1916	svchost.exe
Token: SeBackupPrivilege	1916	svchost.exe
Token: SeSecurityPrivilege	1916	svchost.exe
Token: SeSecurityPrivilege	1916	svchost.exe
Token: SeBackupPrivilege	1916	svchost.exe
Token: SeBackupPrivilege	1916	svchost.exe
Token: SeSecurityPrivilege	1916	svchost.exe
Token: SeBackupPrivilege	1916	svchost.exe
Token: SeBackupPrivilege	1916	svchost.exe
Token: SeSecurityPrivilege	1916	svchost.exe
Token: SeBackupPrivilege	1916	svchost.exe
Token: SeRestorePrivilege	1916	svchost.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 1132 wrote to memory of 1236	1132	JaffaCakes118_450f676ed6ccd0d01de97923bc917a2a.exe	87
PID 1132 wrote to memory of 1236	1132	JaffaCakes118_450f676ed6ccd0d01de97923bc917a2a.exe	87
PID 1132 wrote to memory of 1236	1132	JaffaCakes118_450f676ed6ccd0d01de97923bc917a2a.exe	87

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_450f676ed6ccd0d01de97923bc917a2a.exe
"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_450f676ed6ccd0d01de97923bc917a2a.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1132
- \??\c:\users\admin\appdata\local\mquthjmroc
  "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_450f676ed6ccd0d01de97923bc917a2a.exe" a -sc:\users\admin\appdata\local\temp\jaffacakes118_450f676ed6ccd0d01de97923bc917a2a.exe
  2⤵
  - Deletes itself
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1236

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k netsvcs -s fastuserswitchingcompatibility
1⤵
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
PID:2872
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 2872 -s 1112
  2⤵
  - Program crash
  PID:5080

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 452 -p 2872 -ip 2872
1⤵
PID:3440

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k netsvcs -s fastuserswitchingcompatibility
1⤵
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
PID:4372
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 4372 -s 744
  2⤵
  - Program crash
  PID:4992

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 4372 -ip 4372
1⤵
PID:3576

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k netsvcs -s fastuserswitchingcompatibility
1⤵
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
PID:1916
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 1916 -s 940
  2⤵
  - Program crash
  PID:4756

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 536 -p 1916 -ip 1916
1⤵
PID:2268

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\svchost.exe.txt

Filesize
200B

MD5
eecfddf304d7be92ffe6ca76030040f8

SHA1
3c2ca16e0f109ea685de1c4a72ec6da1d1b4a9a0

SHA256
300c56c731410f745a082e1ff9e455277ea5bac4395eb5436fe02eed94a38fc2

SHA512
51b92a10524014a0378ac660bd44310ce737f762896d72bdaead8b92e11ebe88dd22a9d06bed9d36e85f7551b25defe39445642078d759edb5b86d42910cee25

Download Submit
C:\Windows\SysWOW64\svchost.exe.txt

Filesize
300B

MD5
241e077354bd4fecebcb9eea3717fdeb

SHA1
91ab1a2243a528040cca05f9a80e53644abfed48

SHA256
c4469da48db078c7ceda71e6404ecd8f9a93e8cdfd1f97c606ac1e0c2ef4b0fb

SHA512
727b857f4a101761764387adc082efaab64758bf1e6df74a50f19021ce180e29391a3bc52b97349ea27512e4ec68f49f3599f59c11ffbd6208f7dd96780ea790

Download Submit
\??\c:\programdata\application data\storm\update\%sessionname%\xwtko.cc3

Filesize
24.1MB

MD5
88415bad754beaa76d75b605709391c2

SHA1
b66393e7516b8b78892217756ffd6b7e7c5ae05b

SHA256
e37ea8d8398dbc7ddebea9698d99694c9c2072aaf6d7c421f8b4b6512c4318ae

SHA512
c9a305ff3f072fca994f2eb92df50cc64139c3af04c705be8d5e60ed423e5c6c10a507ca6259dcb64c6d5bece714ba0261a8b2093d14b6025bb4cd4ab2cff88c

Download Submit
\??\c:\users\admin\appdata\local\mquthjmroc

Filesize
22.6MB

MD5
644b98dda96415ed48454e51aa0021e8

SHA1
ba3e22f4dabcb7f9473ece8c29710c79ac0f9d68

SHA256
dd61190a4a0c5386f311b60a3d887b170b734c689294439bbd2abc505a58c062

SHA512
a25d025c86374fb34a664483f29cdc61d828762ee592c1393aa95a9ebcf1bbfabefda22894b60f923ee77ed443d4d6d9c406902b9c563f1651b6724d2ecea658

Download Submit
memory/1132-2-0x00000000001D0000-0x00000000001D1000-memory.dmp

Filesize
4KB

Download
memory/1132-11-0x0000000000400000-0x000000000044C615-memory.dmp

Filesize
305KB

Download
memory/1132-0-0x0000000000400000-0x000000000044C615-memory.dmp

Filesize
305KB

Download
memory/1236-8-0x0000000000400000-0x000000000044C615-memory.dmp

Filesize
305KB

Download
memory/1236-12-0x00000000001D0000-0x00000000001D1000-memory.dmp

Filesize
4KB

Download
memory/1236-17-0x0000000000400000-0x000000000044C615-memory.dmp

Filesize
305KB

Download
memory/1916-27-0x00000000011C0000-0x00000000011C1000-memory.dmp

Filesize
4KB

Download
memory/1916-30-0x0000000020000000-0x0000000020027000-memory.dmp

Filesize
156KB

Download
memory/2872-18-0x0000000001AC0000-0x0000000001AC1000-memory.dmp

Filesize
4KB

Download
memory/2872-20-0x0000000020000000-0x0000000020027000-memory.dmp

Filesize
156KB

Download
memory/4372-25-0x0000000020000000-0x0000000020027000-memory.dmp

Filesize
156KB

Download
memory/4372-22-0x00000000015D0000-0x00000000015D1000-memory.dmp

Filesize
4KB

Download