gh0strat | 6047cc605e0dfbee45f75d3aa49fc2f901cf1e3be1c356d02c416e9fa8ed1278

Analysis

max time kernel
95s
max time network
139s
platform
windows10-2004_x64
resource
win10v2004-20250217-en
resource tags

arch:x64arch:x86image:win10v2004-20250217-enlocale:en-usos:windows10-2004-x64system
submitted
04/03/2025, 10:11

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

JaffaCakes118_4cb85dc70ca46ce70499d1a8142f0f20.exe
Size

196KB
MD5

4cb85dc70ca46ce70499d1a8142f0f20
SHA1

79665c3a585de51d9b9853f902b11d0f2a3efa45
SHA256

6047cc605e0dfbee45f75d3aa49fc2f901cf1e3be1c356d02c416e9fa8ed1278
SHA512

7f92d77ad9261e40ac0885f8d0719dbe25b2ce8b51976e126b7695d590d9630403f542176b7eba4c876e7188ebcdbaf10bd89da7ba0119c8030ed8eee30f1619
SSDEEP

3072:Vgmn0avOvtYz4nqSioDXx4uE9w2qbMUeZPgrQ/O/46x4M15m:+w0avOvtYSiod4uYzqAvZd/246Hvm

Score

10^/10

gh0strat discovery rat

Malware Config

Signatures

Gh0st RAT payload 4 IoCs

resource	yara_rule
behavioral2/files/0x000c000000023b6d-7.dat	family_gh0strat
behavioral2/memory/2892-11-0x0000000020000000-0x0000000020027000-memory.dmp	family_gh0strat
behavioral2/memory/4488-16-0x0000000020000000-0x0000000020027000-memory.dmp	family_gh0strat
behavioral2/memory/4460-21-0x0000000020000000-0x0000000020027000-memory.dmp	family_gh0strat

Gh0strat
Gh0st RAT is a remote access tool (RAT) with its source code public and it has been used by multiple Chinese groups.
rat gh0strat
Gh0strat family
gh0strat

Deletes itself 1 IoCs

pid	Process
1176	ellenuoctg

Executes dropped EXE 1 IoCs

pid	Process
1176	ellenuoctg

Loads dropped DLL 3 IoCs

pid	Process
2892	svchost.exe
4488	svchost.exe
4460	svchost.exe

Drops file in System32 directory 7 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\svchost.exe.txt	svchost.exe
File created	C:\Windows\SysWOW64\ciyusxrppr	svchost.exe
File opened for modification	C:\Windows\SysWOW64\svchost.exe.txt	svchost.exe
File created	C:\Windows\SysWOW64\cqmnbbundm	svchost.exe
File opened for modification	C:\Windows\SysWOW64\svchost.exe.txt	svchost.exe
File created	C:\Windows\SysWOW64\cybgjewlph	svchost.exe
File created	C:\Windows\SysWOW64\ciyusxrppr	svchost.exe

Program crash 3 IoCs

pid	pid_target	Process	procid_target
1740	2892	WerFault.exe	95
1648	4488	WerFault.exe	101
3644	4460	WerFault.exe	104

System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ellenuoctg
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_4cb85dc70ca46ce70499d1a8142f0f20.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
1176	ellenuoctg
1176	ellenuoctg

Suspicious use of AdjustPrivilegeToken 46 IoCs

description	pid	Process
Token: SeRestorePrivilege	1176	ellenuoctg
Token: SeBackupPrivilege	1176	ellenuoctg
Token: SeBackupPrivilege	1176	ellenuoctg
Token: SeRestorePrivilege	1176	ellenuoctg
Token: SeBackupPrivilege	2892	svchost.exe
Token: SeRestorePrivilege	2892	svchost.exe
Token: SeBackupPrivilege	2892	svchost.exe
Token: SeBackupPrivilege	2892	svchost.exe
Token: SeSecurityPrivilege	2892	svchost.exe
Token: SeSecurityPrivilege	2892	svchost.exe
Token: SeBackupPrivilege	2892	svchost.exe
Token: SeBackupPrivilege	2892	svchost.exe
Token: SeSecurityPrivilege	2892	svchost.exe
Token: SeBackupPrivilege	2892	svchost.exe
Token: SeBackupPrivilege	2892	svchost.exe
Token: SeSecurityPrivilege	2892	svchost.exe
Token: SeBackupPrivilege	2892	svchost.exe
Token: SeRestorePrivilege	2892	svchost.exe
Token: SeBackupPrivilege	4488	svchost.exe
Token: SeRestorePrivilege	4488	svchost.exe
Token: SeBackupPrivilege	4488	svchost.exe
Token: SeBackupPrivilege	4488	svchost.exe
Token: SeSecurityPrivilege	4488	svchost.exe
Token: SeSecurityPrivilege	4488	svchost.exe
Token: SeBackupPrivilege	4488	svchost.exe
Token: SeBackupPrivilege	4488	svchost.exe
Token: SeSecurityPrivilege	4488	svchost.exe
Token: SeBackupPrivilege	4488	svchost.exe
Token: SeBackupPrivilege	4488	svchost.exe
Token: SeSecurityPrivilege	4488	svchost.exe
Token: SeBackupPrivilege	4488	svchost.exe
Token: SeRestorePrivilege	4488	svchost.exe
Token: SeBackupPrivilege	4460	svchost.exe
Token: SeRestorePrivilege	4460	svchost.exe
Token: SeBackupPrivilege	4460	svchost.exe
Token: SeBackupPrivilege	4460	svchost.exe
Token: SeSecurityPrivilege	4460	svchost.exe
Token: SeSecurityPrivilege	4460	svchost.exe
Token: SeBackupPrivilege	4460	svchost.exe
Token: SeBackupPrivilege	4460	svchost.exe
Token: SeSecurityPrivilege	4460	svchost.exe
Token: SeBackupPrivilege	4460	svchost.exe
Token: SeBackupPrivilege	4460	svchost.exe
Token: SeSecurityPrivilege	4460	svchost.exe
Token: SeBackupPrivilege	4460	svchost.exe
Token: SeRestorePrivilege	4460	svchost.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 3136 wrote to memory of 1176	3136	JaffaCakes118_4cb85dc70ca46ce70499d1a8142f0f20.exe	89
PID 3136 wrote to memory of 1176	3136	JaffaCakes118_4cb85dc70ca46ce70499d1a8142f0f20.exe	89
PID 3136 wrote to memory of 1176	3136	JaffaCakes118_4cb85dc70ca46ce70499d1a8142f0f20.exe	89

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_4cb85dc70ca46ce70499d1a8142f0f20.exe
"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_4cb85dc70ca46ce70499d1a8142f0f20.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3136
- \??\c:\users\admin\appdata\local\ellenuoctg
  "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_4cb85dc70ca46ce70499d1a8142f0f20.exe" a -sc:\users\admin\appdata\local\temp\jaffacakes118_4cb85dc70ca46ce70499d1a8142f0f20.exe
  2⤵
  - Deletes itself
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1176

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k netsvcs -s fastuserswitchingcompatibility
1⤵
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
PID:2892
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 2892 -s 800
  2⤵
  - Program crash
  PID:1740

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 452 -p 2892 -ip 2892
1⤵
PID:1068

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k netsvcs -s fastuserswitchingcompatibility
1⤵
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
PID:4488
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 4488 -s 748
  2⤵
  - Program crash
  PID:1648

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 456 -p 4488 -ip 4488
1⤵
PID:2128

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k netsvcs -s fastuserswitchingcompatibility
1⤵
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
PID:4460
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 4460 -s 884
  2⤵
  - Program crash
  PID:3644

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 448 -p 4460 -ip 4460
1⤵
PID:2088

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\ellenuoctg

Filesize
22.3MB

MD5
4a13ccfc47a7cc1a80b8a244fbf6d9fa

SHA1
21308bfc06d7aea8dfe0b30720e71aa2b34bc208

SHA256
596a6aa9c599db784ec2c83d270f03f2732fe5c3d42995e23124cbef1b1780a0

SHA512
44ea1b60b9959e2aa787f93b5254f6184706d43cd241ba3a7442a6cea65db4a70a7f9690a5243534e63426a551bf3382310b5024a825e88f2746b44778e3637f

Download Submit
C:\Windows\SysWOW64\svchost.exe.txt

Filesize
202B

MD5
8e27b7b28bff3b50cc5f6e059661c03a

SHA1
99fc9f3c41cc4e42daa519bb2b7c5670ce1b6fbf

SHA256
5251fa1e26d0e4c68dd48a9a84f4cba10a3343133c8a5c60f172a3113665c05b

SHA512
a2697fb82a3694543bbc2950c83068a0cd93f5a1cdb6d13262d997f1c4629ce75dcd5804be24954a5a402320b14628186ffcf848c9942a2bc6209d7b2d64d34c

Download Submit
C:\Windows\SysWOW64\svchost.exe.txt

Filesize
303B

MD5
dfc75c936750eed1ec1a1b1efe5f48d7

SHA1
1ce89c3e641f66496afade920c2128fd1ccbff4c

SHA256
e880e5c6088b2b65c257d0fb16b2934922ff5d4ccacb7612c7a745980e26a18a

SHA512
2beb248039d97f0aa703ead085213f1fcd801d7375e98859231a92f995c4ee872d42e0d6bb0ba09ee39fb68dc765c4dad06cae2a9df767f28106d958033a880c

Download Submit
\??\c:\programdata\application data\storm\update\%sessionname%\gyuok.cc3

Filesize
24.1MB

MD5
1e364f4885a8a9313c76edb4d736130f

SHA1
59ec5e516987150040f2ecab80ac884b9c9af83c

SHA256
bbc4798feb35b77ed307a88931f4c6ebd0ec1f85490901bc06edb0d92ec1e318

SHA512
19faee38774f821f4a59d5ebd14dfdcba879ed35a1f48d1ef04c2ea53187e06727be146d30f266b0646b3e15b2f2924176da0adffad1241a859adfa56896c9ba

Download Submit
memory/2892-9-0x00000000013D0000-0x00000000013D1000-memory.dmp

Filesize
4KB

Download
memory/2892-11-0x0000000020000000-0x0000000020027000-memory.dmp

Filesize
156KB

Download
memory/4460-18-0x00000000016D0000-0x00000000016D1000-memory.dmp

Filesize
4KB

Download
memory/4460-21-0x0000000020000000-0x0000000020027000-memory.dmp

Filesize
156KB

Download
memory/4488-13-0x0000000001DD0000-0x0000000001DD1000-memory.dmp

Filesize
4KB

Download
memory/4488-16-0x0000000020000000-0x0000000020027000-memory.dmp

Filesize
156KB

Download