gh0strat | 4532f8e5f2100078700b28e0f0c23756fa033f724344aa24bd8b4a9a1b6519d5

General

Target

JaffaCakes118_46bc5c487b42f6ae0602f13bf6f45960.exe
Size

234KB
MD5

46bc5c487b42f6ae0602f13bf6f45960
SHA1

ed6095782b0c18e3afc0d9be372170773fc5ba6c
SHA256

4532f8e5f2100078700b28e0f0c23756fa033f724344aa24bd8b4a9a1b6519d5
SHA512

9b5729916744bd7b21dd7725f7d488e47c6caaaa77970fc4711daa53719baf8b6b473c305c05e36bbdee420fe3b6d8a488f96936ca0c924c0d4c4b958b255ee8
SSDEEP

6144:A32arg/4xJZpZelo9cnEwd5xi9x1eFY/3:S2/0ZcEY5x+1eC3

Score

10^/10

Malware Config

Signatures

Gh0st RAT payload 5 IoCs

resource	yara_rule
behavioral1/memory/2084-4-0x0000000000400000-0x000000000043C000-memory.dmp	family_gh0strat
behavioral1/files/0x0008000000015d6d-5.dat	family_gh0strat
behavioral1/memory/2508-9-0x0000000010000000-0x0000000010020000-memory.dmp	family_gh0strat
behavioral1/memory/2508-11-0x0000000010000000-0x0000000010020000-memory.dmp	family_gh0strat
behavioral1/memory/2508-14-0x0000000010000000-0x0000000010020000-memory.dmp	family_gh0strat

Gh0strat
Gh0st RAT is a remote access tool (RAT) with its source code public and it has been used by multiple Chinese groups.
rat gh0strat
Gh0strat family
gh0strat

Deletes itself 1 IoCs

pid	Process
2508	rundll32.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File created	C:\Windows\linkinfo.dll	JaffaCakes118_46bc5c487b42f6ae0602f13bf6f45960.exe
File opened for modification	C:\Windows\linkinfo.dll	JaffaCakes118_46bc5c487b42f6ae0602f13bf6f45960.exe

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	rundll32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_46bc5c487b42f6ae0602f13bf6f45960.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_46bc5c487b42f6ae0602f13bf6f45960.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
2084	JaffaCakes118_46bc5c487b42f6ae0602f13bf6f45960.exe
2084	JaffaCakes118_46bc5c487b42f6ae0602f13bf6f45960.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
2508	rundll32.exe

Suspicious use of WriteProcessMemory 15 IoCs

description	pid	Process	procid_target
PID 808 wrote to memory of 2084	808	JaffaCakes118_46bc5c487b42f6ae0602f13bf6f45960.exe	30
PID 808 wrote to memory of 2084	808	JaffaCakes118_46bc5c487b42f6ae0602f13bf6f45960.exe	30
PID 808 wrote to memory of 2084	808	JaffaCakes118_46bc5c487b42f6ae0602f13bf6f45960.exe	30
PID 808 wrote to memory of 2084	808	JaffaCakes118_46bc5c487b42f6ae0602f13bf6f45960.exe	30
PID 2084 wrote to memory of 1332	2084	JaffaCakes118_46bc5c487b42f6ae0602f13bf6f45960.exe	31
PID 2084 wrote to memory of 1332	2084	JaffaCakes118_46bc5c487b42f6ae0602f13bf6f45960.exe	31
PID 2084 wrote to memory of 1332	2084	JaffaCakes118_46bc5c487b42f6ae0602f13bf6f45960.exe	31
PID 2084 wrote to memory of 1332	2084	JaffaCakes118_46bc5c487b42f6ae0602f13bf6f45960.exe	31
PID 1332 wrote to memory of 2508	1332	cmd.exe	33
PID 1332 wrote to memory of 2508	1332	cmd.exe	33
PID 1332 wrote to memory of 2508	1332	cmd.exe	33
PID 1332 wrote to memory of 2508	1332	cmd.exe	33
PID 1332 wrote to memory of 2508	1332	cmd.exe	33
PID 1332 wrote to memory of 2508	1332	cmd.exe	33
PID 1332 wrote to memory of 2508	1332	cmd.exe	33

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_46bc5c487b42f6ae0602f13bf6f45960.exe
"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_46bc5c487b42f6ae0602f13bf6f45960.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:808
- C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_46bc5c487b42f6ae0602f13bf6f45960.exe
  C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_46bc5c487b42f6ae0602f13bf6f45960.exe
  2⤵
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:2084
- - C:\Windows\SysWOW64\cmd.exe
    cmd.exe /c rundll32.exe C:\Windows\linkinfo.dll hi
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:1332
  - - C:\Windows\SysWOW64\rundll32.exe
      rundll32.exe C:\Windows\linkinfo.dll hi
      4⤵
      Deletes itself
      System Location Discovery: System Language Discovery
      Suspicious behavior: GetForegroundWindowSpam
      PID:2508

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\linkinfo.dll

Filesize
119KB

MD5
0608d737da70fbb06a1d35be366f775d

SHA1
295459deb78b88bee0ebdbe5776b4327331b905f

SHA256
2401c8a1c86f8acfbc628296b512e7f2a1d4f24f67e5f44632604f04764bf1ee

SHA512
5098c1e36b1d5d98de0ebf2ecfa1967413791fed82c2b9bd74df210bb47072fc64d1be2c24b183955c7ec4d7a023685daba63351792a92997159218a72f29ef6

Download Submit
memory/808-0-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/808-1-0x00000000003A0000-0x00000000003DC000-memory.dmp

Filesize
240KB

Download
memory/808-10-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2084-4-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2508-8-0x0000000010000000-0x0000000010020000-memory.dmp

Filesize
128KB

Download
memory/2508-7-0x0000000010000000-0x0000000010020000-memory.dmp

Filesize
128KB

Download
memory/2508-6-0x0000000010000000-0x0000000010020000-memory.dmp

Filesize
128KB

Download
memory/2508-9-0x0000000010000000-0x0000000010020000-memory.dmp

Filesize
128KB

Download
memory/2508-11-0x0000000010000000-0x0000000010020000-memory.dmp

Filesize
128KB

Download
memory/2508-14-0x0000000010000000-0x0000000010020000-memory.dmp

Filesize
128KB

Download

Analysis

Sharing