gh0strat | 7392f70b4c927b4411f9ed3e40603bdf7d4ed89ebd283013cff41e968387cab4

Analysis

max time kernel
93s
max time network
135s
platform
windows10-2004_x64
resource
win10v2004-20250217-en
resource tags

arch:x64arch:x86image:win10v2004-20250217-enlocale:en-usos:windows10-2004-x64system
submitted
05/03/2025, 22:57

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

JaffaCakes118_53f11c76f6e05c679e70d2ab9d4ba353.exe
Size

204KB
MD5

53f11c76f6e05c679e70d2ab9d4ba353
SHA1

17c8459738ed13f8997cc8e69a71769e68d1f250
SHA256

7392f70b4c927b4411f9ed3e40603bdf7d4ed89ebd283013cff41e968387cab4
SHA512

6fc00e9b5f015873191a6bb2125e9945f61ff47c391dc31a8a78b2aaedc784837b15be24305f5a4db146bc3475fb66d98f6c3529f97b0aa9714cea27e074d549
SSDEEP

6144:isItKnW8QWBTyPRqyhYPbncTBlhHrtndnkv0oX:vtW8CJq8YPbncT30

Score

10^/10

gh0strat discovery rat

Malware Config

Signatures

Gh0st RAT payload 5 IoCs

resource	yara_rule
behavioral2/files/0x000200000001e934-3.dat	family_gh0strat
behavioral2/files/0x000300000001ea24-7.dat	family_gh0strat
behavioral2/memory/1564-11-0x0000000020000000-0x0000000020027000-memory.dmp	family_gh0strat
behavioral2/memory/2984-16-0x0000000020000000-0x0000000020027000-memory.dmp	family_gh0strat
behavioral2/memory/2216-21-0x0000000020000000-0x0000000020027000-memory.dmp	family_gh0strat

Gh0strat
Gh0st RAT is a remote access tool (RAT) with its source code public and it has been used by multiple Chinese groups.
rat gh0strat
Gh0strat family
gh0strat

Deletes itself 1 IoCs

pid	Process
2448	idwotnomwi

Executes dropped EXE 1 IoCs

pid	Process
2448	idwotnomwi

Loads dropped DLL 3 IoCs

pid	Process
1564	svchost.exe
2984	svchost.exe
2216	svchost.exe

Drops file in System32 directory 6 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\svchost.exe.txt	svchost.exe
File created	C:\Windows\SysWOW64\hgxdrmwfjo	svchost.exe
File opened for modification	C:\Windows\SysWOW64\svchost.exe.txt	svchost.exe
File created	C:\Windows\SysWOW64\hpuqbgrkjx	svchost.exe
File opened for modification	C:\Windows\SysWOW64\svchost.exe.txt	svchost.exe
File created	C:\Windows\SysWOW64\hxjkjjuivs	svchost.exe

Program crash 3 IoCs

pid	pid_target	Process	procid_target
1380	1564	WerFault.exe	101
1476	2984	WerFault.exe	107
4460	2216	WerFault.exe	110

System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_53f11c76f6e05c679e70d2ab9d4ba353.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	idwotnomwi

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
2448	idwotnomwi
2448	idwotnomwi

Suspicious use of AdjustPrivilegeToken 46 IoCs

description	pid	Process
Token: SeRestorePrivilege	2448	idwotnomwi
Token: SeBackupPrivilege	2448	idwotnomwi
Token: SeBackupPrivilege	2448	idwotnomwi
Token: SeRestorePrivilege	2448	idwotnomwi
Token: SeBackupPrivilege	1564	svchost.exe
Token: SeRestorePrivilege	1564	svchost.exe
Token: SeBackupPrivilege	1564	svchost.exe
Token: SeBackupPrivilege	1564	svchost.exe
Token: SeSecurityPrivilege	1564	svchost.exe
Token: SeSecurityPrivilege	1564	svchost.exe
Token: SeBackupPrivilege	1564	svchost.exe
Token: SeBackupPrivilege	1564	svchost.exe
Token: SeSecurityPrivilege	1564	svchost.exe
Token: SeBackupPrivilege	1564	svchost.exe
Token: SeBackupPrivilege	1564	svchost.exe
Token: SeSecurityPrivilege	1564	svchost.exe
Token: SeBackupPrivilege	1564	svchost.exe
Token: SeRestorePrivilege	1564	svchost.exe
Token: SeBackupPrivilege	2984	svchost.exe
Token: SeRestorePrivilege	2984	svchost.exe
Token: SeBackupPrivilege	2984	svchost.exe
Token: SeBackupPrivilege	2984	svchost.exe
Token: SeSecurityPrivilege	2984	svchost.exe
Token: SeSecurityPrivilege	2984	svchost.exe
Token: SeBackupPrivilege	2984	svchost.exe
Token: SeBackupPrivilege	2984	svchost.exe
Token: SeSecurityPrivilege	2984	svchost.exe
Token: SeBackupPrivilege	2984	svchost.exe
Token: SeBackupPrivilege	2984	svchost.exe
Token: SeSecurityPrivilege	2984	svchost.exe
Token: SeBackupPrivilege	2984	svchost.exe
Token: SeRestorePrivilege	2984	svchost.exe
Token: SeBackupPrivilege	2216	svchost.exe
Token: SeRestorePrivilege	2216	svchost.exe
Token: SeBackupPrivilege	2216	svchost.exe
Token: SeBackupPrivilege	2216	svchost.exe
Token: SeSecurityPrivilege	2216	svchost.exe
Token: SeSecurityPrivilege	2216	svchost.exe
Token: SeBackupPrivilege	2216	svchost.exe
Token: SeBackupPrivilege	2216	svchost.exe
Token: SeSecurityPrivilege	2216	svchost.exe
Token: SeBackupPrivilege	2216	svchost.exe
Token: SeBackupPrivilege	2216	svchost.exe
Token: SeSecurityPrivilege	2216	svchost.exe
Token: SeBackupPrivilege	2216	svchost.exe
Token: SeRestorePrivilege	2216	svchost.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 4736 wrote to memory of 2448	4736	JaffaCakes118_53f11c76f6e05c679e70d2ab9d4ba353.exe	93
PID 4736 wrote to memory of 2448	4736	JaffaCakes118_53f11c76f6e05c679e70d2ab9d4ba353.exe	93
PID 4736 wrote to memory of 2448	4736	JaffaCakes118_53f11c76f6e05c679e70d2ab9d4ba353.exe	93

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_53f11c76f6e05c679e70d2ab9d4ba353.exe
"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_53f11c76f6e05c679e70d2ab9d4ba353.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4736
- \??\c:\users\admin\appdata\local\idwotnomwi
  "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_53f11c76f6e05c679e70d2ab9d4ba353.exe" a -sc:\users\admin\appdata\local\temp\jaffacakes118_53f11c76f6e05c679e70d2ab9d4ba353.exe
  2⤵
  - Deletes itself
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2448

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k netsvcs -s fastuserswitchingcompatibility
1⤵
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
PID:1564
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 1564 -s 752
  2⤵
  - Program crash
  PID:1380

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 424 -p 1564 -ip 1564
1⤵
PID:3528

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k netsvcs -s fastuserswitchingcompatibility
1⤵
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
PID:2984
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 2984 -s 892
  2⤵
  - Program crash
  PID:1476

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 552 -p 2984 -ip 2984
1⤵
PID:4332

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k netsvcs -s fastuserswitchingcompatibility
1⤵
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
PID:2216
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 2216 -s 872
  2⤵
  - Program crash
  PID:4460

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 416 -p 2216 -ip 2216
1⤵
PID:1332

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\idwotnomwi

Filesize
24.1MB

MD5
37710cef5bd58a7e6be0c8e66440ce5a

SHA1
5d15f8c90056aa07aaf0d7c10391b08d1b1f7a42

SHA256
1b97ddadf6edfa50a2653181dbd5a4c225c43d92092987d448d7c4cffdaf8425

SHA512
c1a2b8e65590404b4f981aa514b85ce01dbdb15c15172ac4f19b94ee125ab1e3109ebc512bb70ef50a8eaa45bc96cd1fd4c1d95a360e4aaa8b5d92fbf5bafb4d

Download Submit
C:\Windows\SysWOW64\svchost.exe.txt

Filesize
202B

MD5
d2e968909a7b9edf596a7fa8c173d422

SHA1
6f3e51b66fc8e1a51469f29212ddc11c3ccd7bf6

SHA256
90ff1b10d9d013331de3a6acaabc6d322839046385ade5b09aee52dc27a0ca78

SHA512
bbef3d16f2daa5bcc0c1cc725c472cfaa558d9e5fa07ac8642ae95877c4cb70ef9099ff15700d4db604ffd315d859e8f580632cc9ccaaa2f5eef9aa5947678d6

Download Submit
C:\Windows\SysWOW64\svchost.exe.txt

Filesize
303B

MD5
8672267651428bd82667b27d6ab17521

SHA1
9107c243b7c6d4b26d7595b2c816a0f47013fc7e

SHA256
c87ecb34da0fef96068b965f2f863c28359b119af6b13dabe29060805d93d263

SHA512
76c79ac6000329513a2de3bb2caed8db65ac66886142f697084c4f462da61ed9c57b5d0905b52083d4d1cd7e50fcf582d50c27e4c06d1958d6e1d34802aca12d

Download Submit
\??\c:\programdata\drm\%sessionname%\kgwnl.cc3

Filesize
19.0MB

MD5
f755a1e5c0c0c7c4cdaa87d420f1b8e9

SHA1
4cc8ea3094d325cb376945d8af2d959ded97eb31

SHA256
a1640b160d70ba33ef8cf13c064470c725727dfdd352140539ad0a30229984a2

SHA512
5a30972dcdf3d5c2ee3904e0108c95f40832054bd9c3ef433691763573a3c691e06e434009aa3c48d01a5ed884a99e64f14bfea9da2a4a4b79a534a9f3847b84

Download Submit
memory/1564-9-0x0000000000CF0000-0x0000000000CF1000-memory.dmp

Filesize
4KB

Download
memory/1564-11-0x0000000020000000-0x0000000020027000-memory.dmp

Filesize
156KB

Download
memory/2216-18-0x0000000001DB0000-0x0000000001DB1000-memory.dmp

Filesize
4KB

Download
memory/2216-21-0x0000000020000000-0x0000000020027000-memory.dmp

Filesize
156KB

Download
memory/2984-13-0x0000000001DF0000-0x0000000001DF1000-memory.dmp

Filesize
4KB

Download
memory/2984-16-0x0000000020000000-0x0000000020027000-memory.dmp

Filesize
156KB

Download