gh0strat | f4cc9e1e3dd233cd9fc38f14524787fa9cb15630a68351f33de9c9087eebb44d

General

Target

JaffaCakes118_4d27d809fa2ee20883e49e8bdc9d2150.dll
Size

912KB
MD5

4d27d809fa2ee20883e49e8bdc9d2150
SHA1

64d216af04a3043fb817f848fbc97be62fe15958
SHA256

f4cc9e1e3dd233cd9fc38f14524787fa9cb15630a68351f33de9c9087eebb44d
SHA512

d19e405214f8bc2a7eecb80bc46061b8cb7fd0e362667745f44285babd1452e427130accd6921cacef920656762160602cd8fdb7c1634db67d50fd14a00fd51e
SSDEEP

24576:wEJ17LwBnlm+jSyMhLvhoqQ5gJFCcEwIxSOlgfo:hJ1IQQSFhLezqFGwIxRg

Score

10^/10

gh0strat defense_evasion discovery persistence rat

Malware Config

Signatures

Gh0st RAT payload 3 IoCs

resource	yara_rule
behavioral2/memory/4988-13-0x0000000000400000-0x00000000005F0000-memory.dmp	family_gh0strat
behavioral2/files/0x000400000001da5b-20.dat	family_gh0strat
behavioral2/memory/3400-21-0x0000000000400000-0x00000000005F0000-memory.dmp	family_gh0strat

Gh0strat
Gh0st RAT is a remote access tool (RAT) with its source code public and it has been used by multiple Chinese groups.
rat gh0strat
Gh0strat family
gh0strat

Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 2 IoCs

defense_evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	hrlB3FE.tmp
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	inyjbrycn.exe

Boot or Logon Autostart Execution: Active Setup 2 TTPs 2 IoCs

Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

persistence

Active Setup

T1547.014

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{9DEA97FC-D002-41f8-9B05-E1E31B635460}	hrlB3FE.tmp
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{9DEA97FC-D002-41f8-9B05-E1E31B635460}\stubpath = "C:\\Windows\\system32\\inyjbrycn.exe"	hrlB3FE.tmp

Executes dropped EXE 2 IoCs

pid	Process
4988	hrlB3FE.tmp
3400	inyjbrycn.exe

Identifies Wine through registry keys 2 TTPs 2 IoCs

Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.

defense_evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-1161330783-2912525651-1278508834-1000\Software\Wine	hrlB3FE.tmp
Key opened	\REGISTRY\USER\S-1-5-21-1161330783-2912525651-1278508834-1000\Software\Wine	inyjbrycn.exe

Loads dropped DLL 1 IoCs

pid	Process
4048	userinit.exe

Drops file in System32 directory 2 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\inyjbrycn.exe	hrlB3FE.tmp
File opened for modification	C:\Windows\SysWOW64\inyjbrycn.exe_lang.ini	hrlB3FE.tmp

Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs

pid	Process
4988	hrlB3FE.tmp
3400	inyjbrycn.exe

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	userinit.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	rundll32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	hrlB3FE.tmp
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	inyjbrycn.exe

Suspicious behavior: EnumeratesProcesses 8 IoCs

pid	Process
4988	hrlB3FE.tmp
4988	hrlB3FE.tmp
4988	hrlB3FE.tmp
4988	hrlB3FE.tmp
3400	inyjbrycn.exe
3400	inyjbrycn.exe
3400	inyjbrycn.exe
3400	inyjbrycn.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	4988	hrlB3FE.tmp
Token: SeDebugPrivilege	3400	inyjbrycn.exe

Suspicious use of WriteProcessMemory 13 IoCs

description	pid	Process	procid_target
PID 4252 wrote to memory of 3968	4252	rundll32.exe	84
PID 4252 wrote to memory of 3968	4252	rundll32.exe	84
PID 4252 wrote to memory of 3968	4252	rundll32.exe	84
PID 3968 wrote to memory of 4988	3968	rundll32.exe	85
PID 3968 wrote to memory of 4988	3968	rundll32.exe	85
PID 3968 wrote to memory of 4988	3968	rundll32.exe	85
PID 4988 wrote to memory of 3400	4988	hrlB3FE.tmp	89
PID 4988 wrote to memory of 3400	4988	hrlB3FE.tmp	89
PID 4988 wrote to memory of 3400	4988	hrlB3FE.tmp	89
PID 3400 wrote to memory of 4048	3400	inyjbrycn.exe	90
PID 3400 wrote to memory of 4048	3400	inyjbrycn.exe	90
PID 3400 wrote to memory of 4048	3400	inyjbrycn.exe	90
PID 3400 wrote to memory of 4048	3400	inyjbrycn.exe	90

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_4d27d809fa2ee20883e49e8bdc9d2150.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:4252
- C:\Windows\SysWOW64\rundll32.exe
  rundll32.exe C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_4d27d809fa2ee20883e49e8bdc9d2150.dll,#1
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:3968
- - C:\Users\Admin\AppData\Local\Temp\hrlB3FE.tmp
    C:\Users\Admin\AppData\Local\Temp\hrlB3FE.tmp
    3⤵
    - Identifies VirtualBox via ACPI registry values (likely anti-VM)
    - Boot or Logon Autostart Execution: Active Setup
    - Executes dropped EXE
    - Identifies Wine through registry keys
    - Drops file in System32 directory
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:4988
  - - C:\Windows\SysWOW64\inyjbrycn.exe
      C:\Windows\system32\inyjbrycn.exe
      4⤵
      Identifies VirtualBox via ACPI registry values (likely anti-VM)
      Executes dropped EXE
      Identifies Wine through registry keys
      Suspicious use of NtSetInformationThreadHideFromDebugger
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:3400
    - - C:\Windows\SysWOW64\userinit.exe
        
        userinit.exe
        5⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:4048

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Active Setup

1

T1547.014

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Active Setup

1

T1547.014

Defense Evasion

Modify Registry

1

T1112

Virtualization/Sandbox Evasion

2

T1497

Credential Access

Discovery

Query Registry

2

T1012

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Virtualization/Sandbox Evasion

2

T1497

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\240630468_lang.dll

Filesize
122KB

MD5
c39be57414086fdc5011ec0f54b50ec5

SHA1
06889ce0323435969b99ea6548ae4a9607433e50

SHA256
991f16b1e3007db235bda09227b253a62ee4923c854da5056d301a49d9603b1f

SHA512
91c347be4b7dab5ccd5f5d3e962cd160f7ebc584dd78732aac2b307262ff1b61093050c00e5a1bf2dd6d14d4ca31994f2ae7380f8164f5df110be5acbf2facc8

Download Submit
C:\Users\Admin\AppData\Local\Temp\hrlB3FE.tmp

Filesize
902KB

MD5
4356e7758188f0cad761016f0ac96d92

SHA1
efeee9d485e2584141499f35d770a43fba35ab59

SHA256
deae3fff3c99801bc66eed7b2a0da62b75f056ebbb781134c4cb8431ca48fcf8

SHA512
af4e151d37d78b6aacd166e784fd432a65fbedc0d697ee7bb7e0d9f98f29bef79ff6e354faa943d424a97162a019a9067a9ad818018e68423c804483441d97a9

Download Submit
C:\Windows\SysWOW64\inyjbrycn.exe

Filesize
902KB

MD5
227fd9c687c8df44431b78874f282e7e

SHA1
d2e2fa028dc1affd39da64c7cd9ba0fa45451f35

SHA256
28d116164da1f7a93d327df7ba2139bbd1f89158d3ae8ff20ab06b355f63ba8d

SHA512
7c60f82d7a245446facf969bf08462921bfcd07d4d9d66e30bac412affd13b5ec1a5c2690269a69c886eb0b15956b81c87f41541f15e13aa119d96f48abfae9c

Download Submit
memory/3400-14-0x0000000000400000-0x00000000005F0000-memory.dmp

Filesize
1.9MB

Download
memory/3400-15-0x00007FFD79250000-0x00007FFD79445000-memory.dmp

Filesize
2.0MB

Download
memory/3400-21-0x0000000000400000-0x00000000005F0000-memory.dmp

Filesize
1.9MB

Download
memory/4988-4-0x0000000000400000-0x00000000005F0000-memory.dmp

Filesize
1.9MB

Download
memory/4988-5-0x00007FFD79250000-0x00007FFD79445000-memory.dmp

Filesize
2.0MB

Download
memory/4988-13-0x0000000000400000-0x00000000005F0000-memory.dmp

Filesize
1.9MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads