gh0strat | 2dab9d1dad41a8f0428ee783e98c8ba299e6fd8420e578bd3fbecc5d2ca0fe5a

Analysis

max time kernel
93s
max time network
137s
platform
windows10-2004_x64
resource
win10v2004-20250217-en
resource tags

arch:x64arch:x86image:win10v2004-20250217-enlocale:en-usos:windows10-2004-x64system
submitted
05/03/2025, 01:53

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

JaffaCakes118_4ff60eef0ac253e4c4f2daecfd5980df.exe
Size

22.7MB
MD5

4ff60eef0ac253e4c4f2daecfd5980df
SHA1

a7a6d4f7b33dab45a82cffc6e3f9357a0f79d174
SHA256

2dab9d1dad41a8f0428ee783e98c8ba299e6fd8420e578bd3fbecc5d2ca0fe5a
SHA512

f4a8bfcfee5a27b3b844b5e6c6e938554b7ebf6b403f02e796c5b4a5950afa7473dc33887784ba6a4fa2a3dcbe77ea8880d692c8da768f060cd62e87341b64bb
SSDEEP

3072:BKSqXrJnWqbwOuVQYVlydB7RhXJmyhQtsbGCV9OawNqddkTNAPYT5g7yQgTatp:lUrJnWqbHZRh5HhiIGZaDdkTNAPYm7gw

Score

10^/10

gh0strat discovery rat

Malware Config

Signatures

Gh0st RAT payload 4 IoCs

resource	yara_rule
behavioral2/files/0x000400000001e99b-7.dat	family_gh0strat
behavioral2/memory/4996-11-0x0000000020000000-0x0000000020027000-memory.dmp	family_gh0strat
behavioral2/memory/4064-16-0x0000000020000000-0x0000000020027000-memory.dmp	family_gh0strat
behavioral2/memory/3844-21-0x0000000020000000-0x0000000020027000-memory.dmp	family_gh0strat

Gh0strat
Gh0st RAT is a remote access tool (RAT) with its source code public and it has been used by multiple Chinese groups.
rat gh0strat
Gh0strat family
gh0strat

Deletes itself 1 IoCs

pid	Process
3740	iejtbckovo

Executes dropped EXE 1 IoCs

pid	Process
3740	iejtbckovo

Loads dropped DLL 3 IoCs

pid	Process
4996	svchost.exe
4064	svchost.exe
3844	svchost.exe

Drops file in System32 directory 7 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\sttcygqbqh	svchost.exe
File opened for modification	C:\Windows\SysWOW64\svchost.exe.txt	svchost.exe
File created	C:\Windows\SysWOW64\schuhjsxec	svchost.exe
File created	C:\Windows\SysWOW64\schuhjsxec	svchost.exe
File opened for modification	C:\Windows\SysWOW64\svchost.exe.txt	svchost.exe
File created	C:\Windows\SysWOW64\slvnpmvvrw	svchost.exe
File opened for modification	C:\Windows\SysWOW64\svchost.exe.txt	svchost.exe

Drops file in Program Files directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Program Files (x86)\WinRAR\Formats\Date\Q%SESSIONNAME%\mkevy.cc3	iejtbckovo

Program crash 3 IoCs

pid	pid_target	Process	procid_target
2272	4996	WerFault.exe	99
4392	4064	WerFault.exe	103
5092	3844	WerFault.exe	108

System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_4ff60eef0ac253e4c4f2daecfd5980df.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	iejtbckovo
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
3740	iejtbckovo
3740	iejtbckovo

Suspicious use of AdjustPrivilegeToken 46 IoCs

description	pid	Process
Token: SeRestorePrivilege	3740	iejtbckovo
Token: SeBackupPrivilege	3740	iejtbckovo
Token: SeBackupPrivilege	3740	iejtbckovo
Token: SeRestorePrivilege	3740	iejtbckovo
Token: SeBackupPrivilege	4996	svchost.exe
Token: SeRestorePrivilege	4996	svchost.exe
Token: SeBackupPrivilege	4996	svchost.exe
Token: SeBackupPrivilege	4996	svchost.exe
Token: SeSecurityPrivilege	4996	svchost.exe
Token: SeSecurityPrivilege	4996	svchost.exe
Token: SeBackupPrivilege	4996	svchost.exe
Token: SeBackupPrivilege	4996	svchost.exe
Token: SeSecurityPrivilege	4996	svchost.exe
Token: SeBackupPrivilege	4996	svchost.exe
Token: SeBackupPrivilege	4996	svchost.exe
Token: SeSecurityPrivilege	4996	svchost.exe
Token: SeBackupPrivilege	4996	svchost.exe
Token: SeRestorePrivilege	4996	svchost.exe
Token: SeBackupPrivilege	4064	svchost.exe
Token: SeRestorePrivilege	4064	svchost.exe
Token: SeBackupPrivilege	4064	svchost.exe
Token: SeBackupPrivilege	4064	svchost.exe
Token: SeSecurityPrivilege	4064	svchost.exe
Token: SeSecurityPrivilege	4064	svchost.exe
Token: SeBackupPrivilege	4064	svchost.exe
Token: SeBackupPrivilege	4064	svchost.exe
Token: SeSecurityPrivilege	4064	svchost.exe
Token: SeBackupPrivilege	4064	svchost.exe
Token: SeBackupPrivilege	4064	svchost.exe
Token: SeSecurityPrivilege	4064	svchost.exe
Token: SeBackupPrivilege	4064	svchost.exe
Token: SeRestorePrivilege	4064	svchost.exe
Token: SeBackupPrivilege	3844	svchost.exe
Token: SeRestorePrivilege	3844	svchost.exe
Token: SeBackupPrivilege	3844	svchost.exe
Token: SeBackupPrivilege	3844	svchost.exe
Token: SeSecurityPrivilege	3844	svchost.exe
Token: SeSecurityPrivilege	3844	svchost.exe
Token: SeBackupPrivilege	3844	svchost.exe
Token: SeBackupPrivilege	3844	svchost.exe
Token: SeSecurityPrivilege	3844	svchost.exe
Token: SeBackupPrivilege	3844	svchost.exe
Token: SeBackupPrivilege	3844	svchost.exe
Token: SeSecurityPrivilege	3844	svchost.exe
Token: SeBackupPrivilege	3844	svchost.exe
Token: SeRestorePrivilege	3844	svchost.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 5064 wrote to memory of 3740	5064	JaffaCakes118_4ff60eef0ac253e4c4f2daecfd5980df.exe	91
PID 5064 wrote to memory of 3740	5064	JaffaCakes118_4ff60eef0ac253e4c4f2daecfd5980df.exe	91
PID 5064 wrote to memory of 3740	5064	JaffaCakes118_4ff60eef0ac253e4c4f2daecfd5980df.exe	91

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_4ff60eef0ac253e4c4f2daecfd5980df.exe
"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_4ff60eef0ac253e4c4f2daecfd5980df.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:5064
- \??\c:\users\admin\appdata\local\iejtbckovo
  "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_4ff60eef0ac253e4c4f2daecfd5980df.exe" a -sc:\users\admin\appdata\local\temp\jaffacakes118_4ff60eef0ac253e4c4f2daecfd5980df.exe
  2⤵
  - Deletes itself
  - Executes dropped EXE
  - Drops file in Program Files directory
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:3740

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k netsvcs -s fastuserswitchingcompatibility
1⤵
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
PID:4996
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 4996 -s 820
  2⤵
  - Program crash
  PID:2272

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 4996 -ip 4996
1⤵
PID:4448

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k netsvcs -s fastuserswitchingcompatibility
1⤵
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
PID:4064
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 4064 -s 1088
  2⤵
  - Program crash
  PID:4392

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 524 -p 4064 -ip 4064
1⤵
PID:4284

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k netsvcs -s fastuserswitchingcompatibility
1⤵
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
PID:3844
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 3844 -s 924
  2⤵
  - Program crash
  PID:5092

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 424 -p 3844 -ip 3844
1⤵
PID:432

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\iejtbckovo

Filesize
24.0MB

MD5
9073d5745ee92e9c66bb6ddfd47c41ba

SHA1
c69548620035b4b2333cd28f9ee5e4c7861156f0

SHA256
b2f75cfbc16d407c85979b1a0a65f4f5230cdb9c109f69f862eef16a3b788bbe

SHA512
3c355d9b1562b567acdfec0a5e52b9305865524e41e820e55fe3fbe828a08f5aa22656cd35b842f9522c562475bdade98fb999f76d90d5d0c53ca0515f5689a8

Download Submit
C:\Windows\SysWOW64\svchost.exe.txt

Filesize
200B

MD5
1137c6c78f6d6edef81dff79d947d219

SHA1
e25728512b01b1588c422b5ade04567ba8761227

SHA256
f0c8e5483a2e0c9111cb6eb95a929841f6e95d50ccb196085cacac49dcd75ab9

SHA512
1e67e83ae75ba1de3f56eed081c44aa4221a459edd63236672245931524ecacd82a4ee4b3daf14375f2187d3881f1e47854e9e34ce32235777972561d4b4539c

Download Submit
C:\Windows\SysWOW64\svchost.exe.txt

Filesize
300B

MD5
a2f6ad244a6e439616f25462be990ac6

SHA1
cbfee0996a992839be613809ee7e1c47e45fbf2f

SHA256
962f542083901dcbfef057cfc352ad8aa68c31770600f663104536fa5b974c87

SHA512
6f9ce418809b09a703ce785078f6a0e40068a96ee5d4b8425476caad07cc4a1bbb68ee951b13dd7ad8d9cd17b5709a378f19ef3e3d4466f30203f3a143bf6e50

Download Submit
\??\c:\program files (x86)\winrar\formats\date\q%sessionname%\mkevy.cc3

Filesize
24.1MB

MD5
15423475d1c1330013e52548004375f1

SHA1
21d2971e9849efd8b21a5057a6c596fd0cfb659e

SHA256
7849730ddd2ae75ccbdba398167b84b8a5a8ec42c4ac4a8bf3b4a38acc2c3a7f

SHA512
6f24e4b00ca48972e5522ba80599672f154b53c30c12737153bbeb15427ea11491948e2687ceadc4e385d63faf22ba0a372b31e7db537bd67a933c1c9c6ce9a4

Download Submit
memory/3844-18-0x00000000015F0000-0x00000000015F1000-memory.dmp

Filesize
4KB

Download
memory/3844-21-0x0000000020000000-0x0000000020027000-memory.dmp

Filesize
156KB

Download
memory/4064-13-0x00000000013D0000-0x00000000013D1000-memory.dmp

Filesize
4KB

Download
memory/4064-16-0x0000000020000000-0x0000000020027000-memory.dmp

Filesize
156KB

Download
memory/4996-9-0x00000000021D0000-0x00000000021D1000-memory.dmp

Filesize
4KB

Download
memory/4996-11-0x0000000020000000-0x0000000020027000-memory.dmp

Filesize
156KB

Download