gh0strat | b458e9a3fdbe16c2608831ea7eba1e5934594e078ecf937cdef54116a37f4525

General

Target

JaffaCakes118_44e9877b2ee59e4597b68b0dfeda2603.exe
Size

129KB
MD5

44e9877b2ee59e4597b68b0dfeda2603
SHA1

90dd5e65358afce1bdb76652b8d394519eca33f7
SHA256

b458e9a3fdbe16c2608831ea7eba1e5934594e078ecf937cdef54116a37f4525
SHA512

ed4aaeb307e100b5a1ba7e61b592fa6bf4c5b74ce3e4927287dd4b9e246cd807b4145ae92d7b4396caebce8c0446df7a7db25b006957e954dbbf9d11605c7c75
SSDEEP

3072:nwft/dzyQH9Eg/RJa+uMHdOy6p1dlqoatv3kk0v42BKwx:wft/hyQdH/i+Vkt1nRatvUk07BL

Score

10^/10

Malware Config

Signatures

Gh0st RAT payload 4 IoCs

resource	yara_rule
behavioral1/memory/3016-0-0x0000000000400000-0x0000000000422000-memory.dmp	family_gh0strat
behavioral1/memory/2564-5-0x0000000000400000-0x0000000000422000-memory.dmp	family_gh0strat
behavioral1/files/0x00080000000120fe-4.dat	family_gh0strat
behavioral1/memory/3016-7-0x0000000000400000-0x0000000000422000-memory.dmp	family_gh0strat

Gh0strat
Gh0st RAT is a remote access tool (RAT) with its source code public and it has been used by multiple Chinese groups.
rat gh0strat
Gh0strat family
gh0strat

Server Software Component: Terminal Services DLL 1 TTPs 1 IoCs

persistence

Terminal Services DLL

T1505.005

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\FastUserSwitchingCompatibility\Parameters\ServiceDll = "C:\\Windows\\System32\\FastUserSwitchingCompatibility.exe"	JaffaCakes118_44e9877b2ee59e4597b68b0dfeda2603.exe

Loads dropped DLL 1 IoCs

pid	Process
2000	svchost.exe

Drops file in System32 directory 2 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\FastUserSwitchingCompatibility.exe	JaffaCakes118_44e9877b2ee59e4597b68b0dfeda2603.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat	svchost.exe

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_44e9877b2ee59e4597b68b0dfeda2603.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_44e9877b2ee59e4597b68b0dfeda2603.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe

Modifies data under HKEY_USERS 24 IoCs

description	ioc	Process
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "1"	svchost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content\CachePrefix	svchost.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{35A98CD5-8BA1-438B-83A6-58D762F74CF2}\WpadDecisionReason = "1"	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\4e-4d-5c-71-d0-9f	svchost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies\CachePrefix = "Cookie:"	svchost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History\CachePrefix = "Visited:"	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad	svchost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{35A98CD5-8BA1-438B-83A6-58D762F74CF2}\WpadNetworkName = "Network 3"	svchost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\4e-4d-5c-71-d0-9f\WpadDecisionTime = 10cf1152f98bdb01	svchost.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "0"	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings	svchost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 4600000002000000090000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	svchost.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyEnable = "0"	svchost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\SavedLegacySettings = 4600000002000000090000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	svchost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{35A98CD5-8BA1-438B-83A6-58D762F74CF2}\WpadDecisionTime = 10cf1152f98bdb01	svchost.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{35A98CD5-8BA1-438B-83A6-58D762F74CF2}\WpadDecision = "0"	svchost.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\4e-4d-5c-71-d0-9f\WpadDecisionReason = "1"	svchost.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\4e-4d-5c-71-d0-9f\WpadDecision = "0"	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings	svchost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 4600000003000000090000000000000000000000000000000400000000000000000000000000000000000000000000000000000001000000020000000a7f012d000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{35A98CD5-8BA1-438B-83A6-58D762F74CF2}	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{35A98CD5-8BA1-438B-83A6-58D762F74CF2}\4e-4d-5c-71-d0-9f	svchost.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 3016 wrote to memory of 2564	3016	JaffaCakes118_44e9877b2ee59e4597b68b0dfeda2603.exe	30
PID 3016 wrote to memory of 2564	3016	JaffaCakes118_44e9877b2ee59e4597b68b0dfeda2603.exe	30
PID 3016 wrote to memory of 2564	3016	JaffaCakes118_44e9877b2ee59e4597b68b0dfeda2603.exe	30
PID 3016 wrote to memory of 2564	3016	JaffaCakes118_44e9877b2ee59e4597b68b0dfeda2603.exe	30

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_44e9877b2ee59e4597b68b0dfeda2603.exe
"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_44e9877b2ee59e4597b68b0dfeda2603.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3016
- C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_44e9877b2ee59e4597b68b0dfeda2603.exe
  C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_44e9877b2ee59e4597b68b0dfeda2603.exe
  2⤵
  - Server Software Component: Terminal Services DLL
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  PID:2564

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k netsvcs
1⤵
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies data under HKEY_USERS
PID:2000

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Server Software Component

1

T1505

Terminal Services DLL

1

T1505.005

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\??\c:\windows\SysWOW64\fastuserswitchingcompatibility.exe

Filesize
98KB

MD5
001be4960fd87b28f3225f4951e4eec3

SHA1
9d52b4519c4b44b6b46b9c4bd3c4880b963ec663

SHA256
536d91e3db54df0360a0636e362d3541049b2fc736933797eeaecb297634c4ad

SHA512
06910f359efa32f646a388ce240aa1d236ea6bf1d85eb71db129eaf7933f8d10992b2f010d1d0acaa29759df924d529093fba41febbdc622ece21772629e4995

Download Submit
memory/2564-5-0x0000000000400000-0x0000000000422000-memory.dmp

Filesize
136KB

Download
memory/3016-0-0x0000000000400000-0x0000000000422000-memory.dmp

Filesize
136KB

Download
memory/3016-7-0x0000000000400000-0x0000000000422000-memory.dmp

Filesize
136KB

Download

Analysis

Sharing