gh0strat | 239b7cd90eb08f94831fa16fc9f657bcc1defc074636c559b2c705d5d0397d91

Analysis

max time kernel
91s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20250217-en
resource tags

arch:x64arch:x86image:win10v2004-20250217-enlocale:en-usos:windows10-2004-x64system
submitted
04/03/2025, 20:10

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

JaffaCakes118_4f622a7641293ba12630f2aee19a0e61.exe
Size

94KB
MD5

4f622a7641293ba12630f2aee19a0e61
SHA1

b18bb1535b8c5229481a665d8072e995ce37ce17
SHA256

239b7cd90eb08f94831fa16fc9f657bcc1defc074636c559b2c705d5d0397d91
SHA512

1d9cd38d8446c3c4691c5ba0f869ef31d1ddf811c8aad1e92a1a94c39a04e628c546c3bef3df01da49bc4cdae3e142c461d046b16d163aa814bba540a2e61624
SSDEEP

1536:4oFusSx9qYMhdFHS8qdydo3nTzhYxJA+CwNUtBZVY9v8prXSEPnbSVO:46S4jHS8q/3nTzePCwNUh4E95POVO

Score

10^/10

gh0strat discovery rat

Malware Config

Signatures

Gh0st RAT payload 5 IoCs

resource	yara_rule
behavioral2/files/0x000400000001e924-15.dat	family_gh0strat
behavioral2/memory/1408-17-0x0000000000400000-0x000000000044C612-memory.dmp	family_gh0strat
behavioral2/memory/1504-20-0x0000000020000000-0x0000000020027000-memory.dmp	family_gh0strat
behavioral2/memory/4804-25-0x0000000020000000-0x0000000020027000-memory.dmp	family_gh0strat
behavioral2/memory/2916-30-0x0000000020000000-0x0000000020027000-memory.dmp	family_gh0strat

Gh0strat
Gh0st RAT is a remote access tool (RAT) with its source code public and it has been used by multiple Chinese groups.
rat gh0strat
Gh0strat family
gh0strat

Deletes itself 1 IoCs

pid	Process
1408	eexgkirshb

Executes dropped EXE 1 IoCs

pid	Process
1408	eexgkirshb

Loads dropped DLL 3 IoCs

pid	Process
1504	svchost.exe
4804	svchost.exe
2916	svchost.exe

Drops file in System32 directory 6 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\rmfpypcjcd	svchost.exe
File opened for modification	C:\Windows\SysWOW64\svchost.exe.txt	svchost.exe
File created	C:\Windows\SysWOW64\rutjhsfgoy	svchost.exe
File opened for modification	C:\Windows\SysWOW64\svchost.exe.txt	svchost.exe
File created	C:\Windows\SysWOW64\rdicpvhect	svchost.exe
File opened for modification	C:\Windows\SysWOW64\svchost.exe.txt	svchost.exe

Program crash 3 IoCs

pid	pid_target	Process	procid_target
1284	1504	WerFault.exe	95
2084	4804	WerFault.exe	100
920	2916	WerFault.exe	103

System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_4f622a7641293ba12630f2aee19a0e61.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	eexgkirshb
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
1408	eexgkirshb
1408	eexgkirshb

Suspicious use of AdjustPrivilegeToken 46 IoCs

description	pid	Process
Token: SeRestorePrivilege	1408	eexgkirshb
Token: SeBackupPrivilege	1408	eexgkirshb
Token: SeBackupPrivilege	1408	eexgkirshb
Token: SeRestorePrivilege	1408	eexgkirshb
Token: SeBackupPrivilege	1504	svchost.exe
Token: SeRestorePrivilege	1504	svchost.exe
Token: SeBackupPrivilege	1504	svchost.exe
Token: SeBackupPrivilege	1504	svchost.exe
Token: SeSecurityPrivilege	1504	svchost.exe
Token: SeSecurityPrivilege	1504	svchost.exe
Token: SeBackupPrivilege	1504	svchost.exe
Token: SeBackupPrivilege	1504	svchost.exe
Token: SeSecurityPrivilege	1504	svchost.exe
Token: SeBackupPrivilege	1504	svchost.exe
Token: SeBackupPrivilege	1504	svchost.exe
Token: SeSecurityPrivilege	1504	svchost.exe
Token: SeBackupPrivilege	1504	svchost.exe
Token: SeRestorePrivilege	1504	svchost.exe
Token: SeBackupPrivilege	4804	svchost.exe
Token: SeRestorePrivilege	4804	svchost.exe
Token: SeBackupPrivilege	4804	svchost.exe
Token: SeBackupPrivilege	4804	svchost.exe
Token: SeSecurityPrivilege	4804	svchost.exe
Token: SeSecurityPrivilege	4804	svchost.exe
Token: SeBackupPrivilege	4804	svchost.exe
Token: SeBackupPrivilege	4804	svchost.exe
Token: SeSecurityPrivilege	4804	svchost.exe
Token: SeBackupPrivilege	4804	svchost.exe
Token: SeBackupPrivilege	4804	svchost.exe
Token: SeSecurityPrivilege	4804	svchost.exe
Token: SeBackupPrivilege	4804	svchost.exe
Token: SeRestorePrivilege	4804	svchost.exe
Token: SeBackupPrivilege	2916	svchost.exe
Token: SeRestorePrivilege	2916	svchost.exe
Token: SeBackupPrivilege	2916	svchost.exe
Token: SeBackupPrivilege	2916	svchost.exe
Token: SeSecurityPrivilege	2916	svchost.exe
Token: SeSecurityPrivilege	2916	svchost.exe
Token: SeBackupPrivilege	2916	svchost.exe
Token: SeBackupPrivilege	2916	svchost.exe
Token: SeSecurityPrivilege	2916	svchost.exe
Token: SeBackupPrivilege	2916	svchost.exe
Token: SeBackupPrivilege	2916	svchost.exe
Token: SeSecurityPrivilege	2916	svchost.exe
Token: SeBackupPrivilege	2916	svchost.exe
Token: SeRestorePrivilege	2916	svchost.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 1200 wrote to memory of 1408	1200	JaffaCakes118_4f622a7641293ba12630f2aee19a0e61.exe	90
PID 1200 wrote to memory of 1408	1200	JaffaCakes118_4f622a7641293ba12630f2aee19a0e61.exe	90
PID 1200 wrote to memory of 1408	1200	JaffaCakes118_4f622a7641293ba12630f2aee19a0e61.exe	90

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_4f622a7641293ba12630f2aee19a0e61.exe
"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_4f622a7641293ba12630f2aee19a0e61.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1200
- \??\c:\users\admin\appdata\local\eexgkirshb
  "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_4f622a7641293ba12630f2aee19a0e61.exe" a -sc:\users\admin\appdata\local\temp\jaffacakes118_4f622a7641293ba12630f2aee19a0e61.exe
  2⤵
  - Deletes itself
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1408

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k netsvcs -s fastuserswitchingcompatibility
1⤵
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
PID:1504
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 1504 -s 768
  2⤵
  - Program crash
  PID:1284

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 1504 -ip 1504
1⤵
PID:752

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k netsvcs -s fastuserswitchingcompatibility
1⤵
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
PID:4804
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 4804 -s 880
  2⤵
  - Program crash
  PID:2084

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 4804 -ip 4804
1⤵
PID:2332

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k netsvcs -s fastuserswitchingcompatibility
1⤵
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
PID:2916
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 2916 -s 940
  2⤵
  - Program crash
  PID:920

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 404 -p 2916 -ip 2916
1⤵
PID:4476

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\eexgkirshb

Filesize
21.3MB

MD5
3af822c61beedcc5f751353287436fea

SHA1
3f19f058a2c3b16acf76f02e2c388b6005b5831c

SHA256
da74fc35f9e0bb38ce08d1c9465e3872a6771a3b3d0d9a3799113f9b1ae8b6a1

SHA512
204bc5557b564db41163a0475580215f3c40cc696b9d72a7f8034979ce1909c9f409c7c6b78ea192fa846c2a51c14bfa3531ef1f0ced0098461789f27c8abdbb

Download Submit
C:\Windows\SysWOW64\svchost.exe.txt

Filesize
202B

MD5
b80838654708bcbcaf56a1acfa4077fe

SHA1
966070f2e03471ed47076231f95fd658c9c8ab44

SHA256
bcdb1054bebfdab57458642ac023a8cb06cd091219d52478e16cf3ca3feabedf

SHA512
51bf19212459df422156317e65f7dcfccc10ef191e38d7b6ba30248aa76fc0d473d93737d73e58ff67bc418e4bf592ee72bbde9938edff344ae08c82480467e9

Download Submit
C:\Windows\SysWOW64\svchost.exe.txt

Filesize
303B

MD5
8534e5df7522a30fe8c23e7ef46845fa

SHA1
eccbb7da7cb4a2f924d7a42e8e1a75f4f68b229f

SHA256
d81d76f5b7b6e4f93acef423f0f0e2cb7a3f94e5f827e04875d9b65ca0f3ad60

SHA512
ae88f5ae7f9b8f01b6e0f504851ec72fd35c20d1e2c863e35ce9303c14dee7f158829292f992d604dd8e70fb311e1e0cfb00681399c61ba57b2d3a87c43a18da

Download Submit
\??\c:\programdata\application data\storm\update\%sessionname%\lfpcn.cc3

Filesize
19.1MB

MD5
7f978f309696add87ff4cc4520a28c74

SHA1
49ffaf94d45b6c9300bee9e62ac46f5d61b27add

SHA256
6b252a52e91cbdcf1bf52f541a7db7af07b2d44357155bfedb5096df32b9c411

SHA512
23b5d1965ec51c4262055035bc1969617dc85cfed5a5e7fe1befa7de2f35c5414e3caf45c027adb3ecfee11f118e07f95922456d019ab91c5c3ce3f588e97003

Download Submit
memory/1200-2-0x00000000001D0000-0x00000000001D1000-memory.dmp

Filesize
4KB

Download
memory/1200-10-0x0000000000400000-0x000000000044C612-memory.dmp

Filesize
305KB

Download
memory/1200-0-0x0000000000400000-0x000000000044C612-memory.dmp

Filesize
305KB

Download
memory/1408-12-0x00000000001D0000-0x00000000001D1000-memory.dmp

Filesize
4KB

Download
memory/1408-11-0x0000000000400000-0x000000000044C612-memory.dmp

Filesize
305KB

Download
memory/1408-17-0x0000000000400000-0x000000000044C612-memory.dmp

Filesize
305KB

Download
memory/1504-18-0x00000000007F0000-0x00000000007F1000-memory.dmp

Filesize
4KB

Download
memory/1504-20-0x0000000020000000-0x0000000020027000-memory.dmp

Filesize
156KB

Download
memory/2916-27-0x0000000001BC0000-0x0000000001BC1000-memory.dmp

Filesize
4KB

Download
memory/2916-30-0x0000000020000000-0x0000000020027000-memory.dmp

Filesize
156KB

Download
memory/4804-22-0x00000000013E0000-0x00000000013E1000-memory.dmp

Filesize
4KB

Download
memory/4804-25-0x0000000020000000-0x0000000020027000-memory.dmp

Filesize
156KB

Download