gh0strat | cc36b7ea338099ef2829f72e5c435a4554a1c06e1eef30fc9e59982022cf7d86 | Triage

Submit
Reports

Overview

overview

Static

static

7

JaffaCakes...bb.exe

windows7-x64

JaffaCakes...bb.exe

windows10-2004-x64

7

Sharing

General

Target

JaffaCakes118_4eeca5401a0b3f222374edd11bc3fbbb
Size

1.4MB
Sample

250304-wx71qaxny3
MD5

4eeca5401a0b3f222374edd11bc3fbbb
SHA1

c4d2be8c18b799756e4a15267c2071d4a6ad6c1b
SHA256

cc36b7ea338099ef2829f72e5c435a4554a1c06e1eef30fc9e59982022cf7d86
SHA512

46915011543a8a0a139e9d99987612fe8e5e8dd0953b056bfdbfc980f422147d7a5747d1a71d5e44d22e751c58ee4cef80ecadcc6efbf5eb21d6cce7b1a03d03
SSDEEP

24576:z977daDkp58ZQ1dGlDUx1gjC6qFwMM7m33xkYRG6MozaB3nqKMEMYsBjM:p74DY8ZDDUxaC9wM3B46Mo2dqZEuBjM

Score

10^/10

gh0strat defense_evasion discovery persistence rat themida

Static task

static1

2 signatures

Behavioral task

behavioral1

Sample

JaffaCakes118_4eeca5401a0b3f222374edd11bc3fbbb.exe

Resource

win7-20240903-en

gh0strat defense_evasion discovery persistence rat themida

windows7-x64

16 signatures

150 seconds

Behavioral task

behavioral2

Sample

JaffaCakes118_4eeca5401a0b3f222374edd11bc3fbbb.exe

Resource

win10v2004-20250217-en

defense_evasion discovery themida

windows10-2004-x64

3 signatures

150 seconds

Malware Config

Targets

- Target
  
  JaffaCakes118_4eeca5401a0b3f222374edd11bc3fbbb
- Size
  
  1.4MB
- MD5
  
  4eeca5401a0b3f222374edd11bc3fbbb
- SHA1
  
  c4d2be8c18b799756e4a15267c2071d4a6ad6c1b
- SHA256
  
  cc36b7ea338099ef2829f72e5c435a4554a1c06e1eef30fc9e59982022cf7d86
- SHA512
  
  46915011543a8a0a139e9d99987612fe8e5e8dd0953b056bfdbfc980f422147d7a5747d1a71d5e44d22e751c58ee4cef80ecadcc6efbf5eb21d6cce7b1a03d03
- SSDEEP
  
  24576:z977daDkp58ZQ1dGlDUx1gjC6qFwMM7m33xkYRG6MozaB3nqKMEMYsBjM:p74DY8ZDDUxaC9wM3B46Mo2dqZEuBjM
Score

10^/10

gh0strat defense_evasion discovery persistence rat themida
- Gh0st RAT payload
- Gh0strat
  Gh0st RAT is a remote access tool (RAT) with its source code public and it has been used by multiple Chinese groups.
  rat gh0strat
- Gh0strat family
  gh0strat
- Boot or Logon Autostart Execution: Active Setup
  Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.
  persistence
- Executes dropped EXE
- Identifies Wine through registry keys
  Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.
  defense_evasion
- Loads dropped DLL
- Themida packer
  Detects Themida, an advanced Windows software protection system.
  themida
- Drops file in System32 directory
- Suspicious use of NtSetInformationThreadHideFromDebugger
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

Active Setup

Privilege Escalation

Boot or Logon Autostart Execution

Active Setup

Defense Evasion

Modify Registry

Virtualization/Sandbox Evasion

Credential Access

Discovery

Query Registry

System Information Discovery

System Location Discovery

System Language Discovery

Virtualization/Sandbox Evasion

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

gh0stratdefense_evasiondiscoverypersistenceratthemida

behavioral2

defense_evasiondiscoverythemida

© 2018-2025

Terms | Privacy