gh0strat | 722bad8d9fdc2fb40273177925a5ce9bde0ae194642134a4097893318bfee51b | Triage

Submit
Reports

Overview

overview

Static

static

3

JaffaCakes...dc.exe

windows7-x64

JaffaCakes...dc.exe

windows10-2004-x64

7

Sharing

General

Target

JaffaCakes118_4c79f3ef767af60499725b3e907eb4dc
Size

150KB
Sample

250304-k85h7axly8
MD5

4c79f3ef767af60499725b3e907eb4dc
SHA1

7d8c14773afe9a457edd728fad01ee377390cd06
SHA256

722bad8d9fdc2fb40273177925a5ce9bde0ae194642134a4097893318bfee51b
SHA512

43d73c0fcaf5705f5c1c65b400d0b293a1e89c62eadf27aa355b17bf6b98c3319533ff75ccf64204f4c7dd19760e7d1f643bf2a6a25ab60ebe5fb15f9b6892ed
SSDEEP

3072:/VhUTNt0TSmLGkhjKXFvIGk6H0ydpZTr5iSTNL9cEVz3CiODcRwZ/:dkt0TSZkhWVvI+UupZTr5iSVrLmcq

Score

10^/10

gh0strat defense_evasion discovery rat

Static task

static1

1 signatures

Behavioral task

behavioral1

Sample

JaffaCakes118_4c79f3ef767af60499725b3e907eb4dc.exe

Resource

win7-20241023-en

gh0strat defense_evasion discovery rat

windows7-x64

15 signatures

150 seconds

Behavioral task

behavioral2

Sample

JaffaCakes118_4c79f3ef767af60499725b3e907eb4dc.exe

Resource

win10v2004-20250217-en

defense_evasion discovery

windows10-2004-x64

11 signatures

150 seconds

Malware Config

Targets

- Target
  
  JaffaCakes118_4c79f3ef767af60499725b3e907eb4dc
- Size
  
  150KB
- MD5
  
  4c79f3ef767af60499725b3e907eb4dc
- SHA1
  
  7d8c14773afe9a457edd728fad01ee377390cd06
- SHA256
  
  722bad8d9fdc2fb40273177925a5ce9bde0ae194642134a4097893318bfee51b
- SHA512
  
  43d73c0fcaf5705f5c1c65b400d0b293a1e89c62eadf27aa355b17bf6b98c3319533ff75ccf64204f4c7dd19760e7d1f643bf2a6a25ab60ebe5fb15f9b6892ed
- SSDEEP
  
  3072:/VhUTNt0TSmLGkhjKXFvIGk6H0ydpZTr5iSTNL9cEVz3CiODcRwZ/:dkt0TSZkhWVvI+UupZTr5iSVrLmcq
Score

10^/10

gh0strat defense_evasion discovery rat
- Gh0st RAT payload
- Gh0strat
  Gh0st RAT is a remote access tool (RAT) with its source code public and it has been used by multiple Chinese groups.
  rat gh0strat
- Gh0strat family
  gh0strat
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Deletes itself
- Executes dropped EXE
- Loads dropped DLL
- Enumerates connected drives
  Attempts to read the root path of hard drives other than the default C: drive.
- Indicator Removal: File Deletion
  Adversaries may delete files left behind by the actions of their intrusion activity.
  defense_evasion
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Indicator Removal

File Deletion

Credential Access

Discovery

Peripheral Device Discovery

Query Registry

System Information Discovery

System Location Discovery

System Language Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

gh0stratdefense_evasiondiscoveryrat

behavioral2

defense_evasiondiscovery

© 2018-2025

Terms | Privacy