gh0strat | 446f4906320e6d5206eb2b63495414748fb16699ed8f46de3d23dcaa699b9a37

Analysis

max time kernel
94s
max time network
136s
platform
windows10-2004_x64
resource
win10v2004-20250217-en
resource tags

arch:x64arch:x86image:win10v2004-20250217-enlocale:en-usos:windows10-2004-x64system
submitted
04/03/2025, 18:38

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

JaffaCakes118_4f02a9bd9cebb8c89787f16101677a59.exe
Size

196KB
MD5

4f02a9bd9cebb8c89787f16101677a59
SHA1

ab363f7df24852914acef3bb256fe727e2333316
SHA256

446f4906320e6d5206eb2b63495414748fb16699ed8f46de3d23dcaa699b9a37
SHA512

f4496bbee42633e064ec11f7467556aecec679eed1bb71caf5a8d8750930a93926bbd313c2a5ec378d4d0ac0f707efec7996dcb7d386269e2ab82b820aa91b2b
SSDEEP

6144:6sIt6nW8QvBTyPRqyhYPbHcTBlhHrandnkv0:39W8xJq8YPbHcT3V

Score

10^/10

gh0strat discovery rat

Malware Config

Signatures

Gh0st RAT payload 5 IoCs

resource	yara_rule
behavioral2/files/0x000700000001da5e-3.dat	family_gh0strat
behavioral2/files/0x000300000001e922-7.dat	family_gh0strat
behavioral2/memory/744-11-0x0000000020000000-0x0000000020027000-memory.dmp	family_gh0strat
behavioral2/memory/4140-16-0x0000000020000000-0x0000000020027000-memory.dmp	family_gh0strat
behavioral2/memory/3328-21-0x0000000020000000-0x0000000020027000-memory.dmp	family_gh0strat

Gh0strat
Gh0st RAT is a remote access tool (RAT) with its source code public and it has been used by multiple Chinese groups.
rat gh0strat
Gh0strat family
gh0strat

Deletes itself 1 IoCs

pid	Process
2320	btgtbtkcee

Executes dropped EXE 1 IoCs

pid	Process
2320	btgtbtkcee

Loads dropped DLL 3 IoCs

pid	Process
744	svchost.exe
4140	svchost.exe
3328	svchost.exe

Drops file in System32 directory 6 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\dpwvmmrlmy	svchost.exe
File opened for modification	C:\Windows\SysWOW64\svchost.exe.txt	svchost.exe
File created	C:\Windows\SysWOW64\dykoupuiat	svchost.exe
File opened for modification	C:\Windows\SysWOW64\svchost.exe.txt	svchost.exe
File created	C:\Windows\SysWOW64\dhyhdswgno	svchost.exe
File opened for modification	C:\Windows\SysWOW64\svchost.exe.txt	svchost.exe

Drops file in Program Files directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Program Files (x86)\%SESSIONNAME%\xodqk.cc3	btgtbtkcee

Program crash 3 IoCs

pid	pid_target	Process	procid_target
1244	744	WerFault.exe	93
4420	4140	WerFault.exe	99
3784	3328	WerFault.exe	102

System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_4f02a9bd9cebb8c89787f16101677a59.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	btgtbtkcee
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
2320	btgtbtkcee
2320	btgtbtkcee

Suspicious use of AdjustPrivilegeToken 46 IoCs

description	pid	Process
Token: SeRestorePrivilege	2320	btgtbtkcee
Token: SeBackupPrivilege	2320	btgtbtkcee
Token: SeBackupPrivilege	2320	btgtbtkcee
Token: SeRestorePrivilege	2320	btgtbtkcee
Token: SeBackupPrivilege	744	svchost.exe
Token: SeRestorePrivilege	744	svchost.exe
Token: SeBackupPrivilege	744	svchost.exe
Token: SeBackupPrivilege	744	svchost.exe
Token: SeSecurityPrivilege	744	svchost.exe
Token: SeSecurityPrivilege	744	svchost.exe
Token: SeBackupPrivilege	744	svchost.exe
Token: SeBackupPrivilege	744	svchost.exe
Token: SeSecurityPrivilege	744	svchost.exe
Token: SeBackupPrivilege	744	svchost.exe
Token: SeBackupPrivilege	744	svchost.exe
Token: SeSecurityPrivilege	744	svchost.exe
Token: SeBackupPrivilege	744	svchost.exe
Token: SeRestorePrivilege	744	svchost.exe
Token: SeBackupPrivilege	4140	svchost.exe
Token: SeRestorePrivilege	4140	svchost.exe
Token: SeBackupPrivilege	4140	svchost.exe
Token: SeBackupPrivilege	4140	svchost.exe
Token: SeSecurityPrivilege	4140	svchost.exe
Token: SeSecurityPrivilege	4140	svchost.exe
Token: SeBackupPrivilege	4140	svchost.exe
Token: SeBackupPrivilege	4140	svchost.exe
Token: SeSecurityPrivilege	4140	svchost.exe
Token: SeBackupPrivilege	4140	svchost.exe
Token: SeBackupPrivilege	4140	svchost.exe
Token: SeSecurityPrivilege	4140	svchost.exe
Token: SeBackupPrivilege	4140	svchost.exe
Token: SeRestorePrivilege	4140	svchost.exe
Token: SeBackupPrivilege	3328	svchost.exe
Token: SeRestorePrivilege	3328	svchost.exe
Token: SeBackupPrivilege	3328	svchost.exe
Token: SeBackupPrivilege	3328	svchost.exe
Token: SeSecurityPrivilege	3328	svchost.exe
Token: SeSecurityPrivilege	3328	svchost.exe
Token: SeBackupPrivilege	3328	svchost.exe
Token: SeBackupPrivilege	3328	svchost.exe
Token: SeSecurityPrivilege	3328	svchost.exe
Token: SeBackupPrivilege	3328	svchost.exe
Token: SeBackupPrivilege	3328	svchost.exe
Token: SeSecurityPrivilege	3328	svchost.exe
Token: SeBackupPrivilege	3328	svchost.exe
Token: SeRestorePrivilege	3328	svchost.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 208 wrote to memory of 2320	208	JaffaCakes118_4f02a9bd9cebb8c89787f16101677a59.exe	87
PID 208 wrote to memory of 2320	208	JaffaCakes118_4f02a9bd9cebb8c89787f16101677a59.exe	87
PID 208 wrote to memory of 2320	208	JaffaCakes118_4f02a9bd9cebb8c89787f16101677a59.exe	87

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_4f02a9bd9cebb8c89787f16101677a59.exe
"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_4f02a9bd9cebb8c89787f16101677a59.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:208
- \??\c:\users\admin\appdata\local\btgtbtkcee
  "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_4f02a9bd9cebb8c89787f16101677a59.exe" a -sc:\users\admin\appdata\local\temp\jaffacakes118_4f02a9bd9cebb8c89787f16101677a59.exe
  2⤵
  - Deletes itself
  - Executes dropped EXE
  - Drops file in Program Files directory
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2320

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k netsvcs -s fastuserswitchingcompatibility
1⤵
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
PID:744
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 744 -s 776
  2⤵
  - Program crash
  PID:1244

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 744 -ip 744
1⤵
PID:3384

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k netsvcs -s fastuserswitchingcompatibility
1⤵
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
PID:4140
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 4140 -s 940
  2⤵
  - Program crash
  PID:4420

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 536 -p 4140 -ip 4140
1⤵
PID:956

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k netsvcs -s fastuserswitchingcompatibility
1⤵
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
PID:3328
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 3328 -s 932
  2⤵
  - Program crash
  PID:3784

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 448 -p 3328 -ip 3328
1⤵
PID:2704

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\btgtbtkcee

Filesize
22.0MB

MD5
c39964b1ffa8ffe613395810e5f8d0d9

SHA1
2504aaed383064942fa8c4f3f484ec04c64cbdc2

SHA256
b83fde9b7049514c553aa03d3cb83078b45b808117eca5634e81b9173cbc9965

SHA512
4e98f0dd06b66ba62b10301e063e1a2cec6d851896fa3f2162144e5753d132b74d2e30bf76bf7c68c8059ab0b97ac2007f4f854fa05b9211fda3409ec0300a61

Download Submit
C:\Windows\SysWOW64\svchost.exe.txt

Filesize
160B

MD5
9a63ff3fcb86d5f3589094c123ceb6e5

SHA1
2f850d2fb57e63c9f3f99d77db767d0a0eec5256

SHA256
218bd9d29d57234260f7fbd4ae2ecff9dc0ea6b8108eb2d070b3537c0e26b605

SHA512
ff0984dc8883e095d1704f3b348789b8ead29db15948e3d3058af795804efb320425d235c56d5b6917e1b59136cfe6afcf667cf4349de795ca7916004d2df5ba

Download Submit
C:\Windows\SysWOW64\svchost.exe.txt

Filesize
303B

MD5
a8d566561833925a56c2c834c78de043

SHA1
beba1a51e2903f91b289b215fe217c20edc28f50

SHA256
55ee7a033a613483d5e6e43bc15c7578218aee4168419ad76a9170763427f2b2

SHA512
65daaed4b24874879069824bc6d5e77c383a9a0e1e4cd8dafc6f4889977dae505bdff94e489d19c102dd1e8768364135607366cc3ca64ae0cd8f4f94bd1e7b48

Download Submit
\??\c:\program files (x86)\%sessionname%\xodqk.cc3

Filesize
22.1MB

MD5
e64447ee5d23b3ea3e4c7a61141d58b3

SHA1
a8c18cf965c08979c36eaf1c0c654c7bd6123d95

SHA256
d5edac8a928390f9af880b502393580171eb503e01ad7ca5089539480f39dff3

SHA512
313b46d316d179913a49ea85281f218271b8f0939b5896c3959c490098bf65fcdf61afc4e831e435d07be7742a79ae9f380275af3f87d9333e893d602bbd55b9

Download Submit
memory/744-9-0x0000000001F90000-0x0000000001F91000-memory.dmp

Filesize
4KB

Download
memory/744-11-0x0000000020000000-0x0000000020027000-memory.dmp

Filesize
156KB

Download
memory/3328-18-0x0000000002040000-0x0000000002041000-memory.dmp

Filesize
4KB

Download
memory/3328-21-0x0000000020000000-0x0000000020027000-memory.dmp

Filesize
156KB

Download
memory/4140-13-0x00000000015A0000-0x00000000015A1000-memory.dmp

Filesize
4KB

Download
memory/4140-16-0x0000000020000000-0x0000000020027000-memory.dmp

Filesize
156KB

Download