gh0strat | 799eca9940d40ba12157d302e46780a0d9d6425ae55ad6908add33256f4d039c

Analysis

max time kernel
150s
max time network
120s
platform
windows7_x64
resource
win7-20250207-en
resource tags

arch:x64arch:x86image:win7-20250207-enlocale:en-usos:windows7-x64system
submitted
03/03/2025, 14:15

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

JaffaCakes118_4776985be04382486b7d621a68250ce9.exe
Size

122KB
MD5

4776985be04382486b7d621a68250ce9
SHA1

2c0731c08123e1f2c949b642b84cd0ce357e0c8a
SHA256

799eca9940d40ba12157d302e46780a0d9d6425ae55ad6908add33256f4d039c
SHA512

cd31489144d461123d6e2b59a4b2f1022877607232ee766c0ceb9ec4ba46eddd98a83f0f7b5e16a36c0cdbaebb0ce4d296c4e217981c8060a19503f17d58f608
SSDEEP

3072:/HV49YZ8DqcLCL7Sw8PpQyULvMpCd/9wtUJ4uHcsF6Hm:/149i8DqkCXSw8KZBdlNJ4FsR

Score

10^/10

gh0strat discovery persistence rat

Malware Config

Signatures

Gh0st RAT payload 5 IoCs

resource	yara_rule
behavioral1/memory/664-0-0x0000000000400000-0x0000000000420000-memory.dmp	family_gh0strat
behavioral1/files/0x0008000000015d8c-2.dat	family_gh0strat
behavioral1/memory/1660-4-0x0000000010000000-0x000000001001D000-memory.dmp	family_gh0strat
behavioral1/memory/664-5-0x0000000000400000-0x0000000000420000-memory.dmp	family_gh0strat
behavioral1/memory/1660-6-0x0000000010000000-0x000000001001D000-memory.dmp	family_gh0strat

Gh0strat
Gh0st RAT is a remote access tool (RAT) with its source code public and it has been used by multiple Chinese groups.
rat gh0strat
Gh0strat family
gh0strat

Server Software Component: Terminal Services DLL 1 TTPs 1 IoCs

persistence

Terminal Services DLL

T1505.005

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\360svc\Parameters\ServiceDll = "C:\\Documents and Settings\\Local User\\ntusery.dll"	JaffaCakes118_4776985be04382486b7d621a68250ce9.exe

Deletes itself 1 IoCs

pid	Process
1660	SVCHOST.EXE

Loads dropped DLL 1 IoCs

pid	Process
1660	SVCHOST.EXE

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_4776985be04382486b7d621a68250ce9.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	SVCHOST.EXE

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
664	JaffaCakes118_4776985be04382486b7d621a68250ce9.exe

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_4776985be04382486b7d621a68250ce9.exe
"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_4776985be04382486b7d621a68250ce9.exe"
1⤵
- Server Software Component: Terminal Services DLL
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
PID:664

C:\Windows\SysWOW64\SVCHOST.EXE
C:\Windows\SysWOW64\SVCHOST.EXE -K NETSVCS
1⤵
- Deletes itself
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:1660

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Server Software Component

T1505

Terminal Services DLL

T1505.005

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\??\c:\documents and settings\local user\ntusery.dll

Filesize
107KB

MD5
93593285c708eb9b2f3abc66c2c488c2

SHA1
f6c7b869b149e40df2d2ff477ff881b17bd27feb

SHA256
0efad438d573ea85d9861b7daf291f2d74f1ab77d491591755cda6b222063234

SHA512
9826783e08d579a7f2b4307ca76ea14d5acfca7bb4a85c91567376c32171219aa479681cf499d35c82efb1c32b92b5cd750a83a15048c2a783bc89d77eacfc07

Download Submit
memory/664-0-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/664-5-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/1660-4-0x0000000010000000-0x000000001001D000-memory.dmp

Filesize
116KB

Download
memory/1660-6-0x0000000010000000-0x000000001001D000-memory.dmp

Filesize
116KB

Download