gh0strat | 42d4754659ec0ae58db727fe7982f1aced43b717cad7abc9486bce6662137255

Analysis

max time kernel
118s
max time network
122s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
05/03/2025, 03:55

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

JaffaCakes118_50625b71eb47fa32b861051865a8f21b.exe
Size

1.1MB
MD5

50625b71eb47fa32b861051865a8f21b
SHA1

4c95436709a662e0ea21ead0d4281d6c7d062276
SHA256

42d4754659ec0ae58db727fe7982f1aced43b717cad7abc9486bce6662137255
SHA512

b5d01ea77a82cf27768f7ffbb94d5beca5894fc6e6adbdba4da45239f5ea4684da5850ca5568124849b6541184e04a438251fc504fda2f92cd045e37a0fb31d2
SSDEEP

24576:MYayM9ZUUYfTlavxTdOd/8hkDGhmkmf6eR/9eK5J/fTJiw9m6CoWAcuT:MyrlIedUhE+mkmf6eR4K5J/fTJiw9mYr

Score

10^/10

gh0strat discovery rat

Malware Config

Signatures

Gh0st RAT payload 1 IoCs

resource	yara_rule
behavioral1/memory/3068-5427-0x0000000000400000-0x0000000000533000-memory.dmp	family_gh0strat

Gh0strat
Gh0st RAT is a remote access tool (RAT) with its source code public and it has been used by multiple Chinese groups.
rat gh0strat
Gh0strat family
gh0strat

Checks BIOS information in registry 2 TTPs 1 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	JaffaCakes118_50625b71eb47fa32b861051865a8f21b.exe

Loads dropped DLL 1 IoCs

pid	Process
3068	JaffaCakes118_50625b71eb47fa32b861051865a8f21b.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs

pid	Process
3068	JaffaCakes118_50625b71eb47fa32b861051865a8f21b.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
4736	3068	WerFault.exe	29

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_50625b71eb47fa32b861051865a8f21b.exe

Suspicious use of WriteProcessMemory 7 IoCs

description	pid	Process	procid_target
PID 3068 wrote to memory of 4736	3068	JaffaCakes118_50625b71eb47fa32b861051865a8f21b.exe	30
PID 3068 wrote to memory of 4736	3068	JaffaCakes118_50625b71eb47fa32b861051865a8f21b.exe	30
PID 3068 wrote to memory of 4736	3068	JaffaCakes118_50625b71eb47fa32b861051865a8f21b.exe	30
PID 3068 wrote to memory of 4736	3068	JaffaCakes118_50625b71eb47fa32b861051865a8f21b.exe	30
PID 3068 wrote to memory of 4736	3068	JaffaCakes118_50625b71eb47fa32b861051865a8f21b.exe	30
PID 3068 wrote to memory of 4736	3068	JaffaCakes118_50625b71eb47fa32b861051865a8f21b.exe	30
PID 3068 wrote to memory of 4736	3068	JaffaCakes118_50625b71eb47fa32b861051865a8f21b.exe	30

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_50625b71eb47fa32b861051865a8f21b.exe
"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_50625b71eb47fa32b861051865a8f21b.exe"
1⤵
- Checks BIOS information in registry
- Loads dropped DLL
- Suspicious use of NtSetInformationThreadHideFromDebugger
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3068
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 3068 -s 316
  2⤵
  - Program crash
  PID:4736

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\Users\Admin\AppData\Local\Temp\SE27DB.tmp

Filesize
1024B

MD5
12871388b682b159ddd85545302a289d

SHA1
76b47377da188fcfddeefa0f940287f1cce9885d

SHA256
cc033f00e96cae1829e3a5c15150fe68a62f65440f1b158d9257370fbc488a9b

SHA512
d60953b62d08e52fa2860db257e2bdbaa97e7eff7007617857f7b30a76f7c7ba81f8444d313a6ad496adbbaede5af1661e72522046789bb9aee1340f7ac12c7d

Download Submit
memory/3068-0-0x0000000000400000-0x0000000000533000-memory.dmp

Filesize
1.2MB

Download
memory/3068-1-0x00000000009A0000-0x0000000000AD3000-memory.dmp

Filesize
1.2MB

Download
memory/3068-2-0x0000000075F60000-0x0000000075FA7000-memory.dmp

Filesize
284KB

Download
memory/3068-408-0x0000000002700000-0x0000000002811000-memory.dmp

Filesize
1.1MB

Download
memory/3068-411-0x0000000002700000-0x0000000002811000-memory.dmp

Filesize
1.1MB

Download
memory/3068-413-0x0000000002700000-0x0000000002811000-memory.dmp

Filesize
1.1MB

Download
memory/3068-415-0x0000000002700000-0x0000000002811000-memory.dmp

Filesize
1.1MB

Download
memory/3068-416-0x0000000002700000-0x0000000002811000-memory.dmp

Filesize
1.1MB

Download
memory/3068-418-0x0000000002700000-0x0000000002811000-memory.dmp

Filesize
1.1MB

Download
memory/3068-420-0x0000000002700000-0x0000000002811000-memory.dmp

Filesize
1.1MB

Download
memory/3068-422-0x0000000002700000-0x0000000002811000-memory.dmp

Filesize
1.1MB

Download
memory/3068-421-0x0000000002700000-0x0000000002811000-memory.dmp

Filesize
1.1MB

Download
memory/3068-423-0x0000000002700000-0x0000000002811000-memory.dmp

Filesize
1.1MB

Download
memory/3068-425-0x0000000002700000-0x0000000002811000-memory.dmp

Filesize
1.1MB

Download
memory/3068-426-0x0000000002700000-0x0000000002811000-memory.dmp

Filesize
1.1MB

Download
memory/3068-429-0x0000000002700000-0x0000000002811000-memory.dmp

Filesize
1.1MB

Download
memory/3068-430-0x0000000002700000-0x0000000002811000-memory.dmp

Filesize
1.1MB

Download
memory/3068-431-0x0000000002700000-0x0000000002811000-memory.dmp

Filesize
1.1MB

Download
memory/3068-433-0x0000000002700000-0x0000000002811000-memory.dmp

Filesize
1.1MB

Download
memory/3068-434-0x0000000002700000-0x0000000002811000-memory.dmp

Filesize
1.1MB

Download
memory/3068-435-0x0000000002700000-0x0000000002811000-memory.dmp

Filesize
1.1MB

Download
memory/3068-436-0x0000000002700000-0x0000000002811000-memory.dmp

Filesize
1.1MB

Download
memory/3068-437-0x0000000002700000-0x0000000002811000-memory.dmp

Filesize
1.1MB

Download
memory/3068-440-0x0000000002700000-0x0000000002811000-memory.dmp

Filesize
1.1MB

Download
memory/3068-441-0x0000000002700000-0x0000000002811000-memory.dmp

Filesize
1.1MB

Download
memory/3068-442-0x0000000002700000-0x0000000002811000-memory.dmp

Filesize
1.1MB

Download
memory/3068-444-0x0000000002700000-0x0000000002811000-memory.dmp

Filesize
1.1MB

Download
memory/3068-445-0x0000000002700000-0x0000000002811000-memory.dmp

Filesize
1.1MB

Download
memory/3068-446-0x0000000002700000-0x0000000002811000-memory.dmp

Filesize
1.1MB

Download
memory/3068-449-0x0000000002700000-0x0000000002811000-memory.dmp

Filesize
1.1MB

Download
memory/3068-448-0x0000000002700000-0x0000000002811000-memory.dmp

Filesize
1.1MB

Download
memory/3068-447-0x0000000002700000-0x0000000002811000-memory.dmp

Filesize
1.1MB

Download
memory/3068-443-0x0000000002700000-0x0000000002811000-memory.dmp

Filesize
1.1MB

Download
memory/3068-439-0x0000000002700000-0x0000000002811000-memory.dmp

Filesize
1.1MB

Download
memory/3068-438-0x0000000002700000-0x0000000002811000-memory.dmp

Filesize
1.1MB

Download
memory/3068-432-0x0000000002700000-0x0000000002811000-memory.dmp

Filesize
1.1MB

Download
memory/3068-428-0x0000000002700000-0x0000000002811000-memory.dmp

Filesize
1.1MB

Download
memory/3068-427-0x0000000002700000-0x0000000002811000-memory.dmp

Filesize
1.1MB

Download
memory/3068-424-0x0000000002700000-0x0000000002811000-memory.dmp

Filesize
1.1MB

Download
memory/3068-419-0x0000000002700000-0x0000000002811000-memory.dmp

Filesize
1.1MB

Download
memory/3068-417-0x0000000002700000-0x0000000002811000-memory.dmp

Filesize
1.1MB

Download
memory/3068-414-0x0000000002700000-0x0000000002811000-memory.dmp

Filesize
1.1MB

Download
memory/3068-412-0x0000000002700000-0x0000000002811000-memory.dmp

Filesize
1.1MB

Download
memory/3068-410-0x0000000002700000-0x0000000002811000-memory.dmp

Filesize
1.1MB

Download
memory/3068-409-0x0000000002700000-0x0000000002811000-memory.dmp

Filesize
1.1MB

Download
memory/3068-450-0x0000000002700000-0x0000000002811000-memory.dmp

Filesize
1.1MB

Download
memory/3068-451-0x0000000002700000-0x0000000002811000-memory.dmp

Filesize
1.1MB

Download
memory/3068-452-0x0000000002700000-0x0000000002811000-memory.dmp

Filesize
1.1MB

Download
memory/3068-453-0x0000000002700000-0x0000000002811000-memory.dmp

Filesize
1.1MB

Download
memory/3068-454-0x0000000002700000-0x0000000002811000-memory.dmp

Filesize
1.1MB

Download
memory/3068-455-0x0000000002700000-0x0000000002811000-memory.dmp

Filesize
1.1MB

Download
memory/3068-456-0x0000000002700000-0x0000000002811000-memory.dmp

Filesize
1.1MB

Download
memory/3068-457-0x0000000002700000-0x0000000002811000-memory.dmp

Filesize
1.1MB

Download
memory/3068-458-0x0000000002700000-0x0000000002811000-memory.dmp

Filesize
1.1MB

Download
memory/3068-459-0x0000000002700000-0x0000000002811000-memory.dmp

Filesize
1.1MB

Download
memory/3068-460-0x0000000002700000-0x0000000002811000-memory.dmp

Filesize
1.1MB

Download
memory/3068-461-0x0000000002700000-0x0000000002811000-memory.dmp

Filesize
1.1MB

Download
memory/3068-462-0x0000000002700000-0x0000000002811000-memory.dmp

Filesize
1.1MB

Download
memory/3068-470-0x0000000002700000-0x0000000002811000-memory.dmp

Filesize
1.1MB

Download
memory/3068-463-0x0000000002700000-0x0000000002811000-memory.dmp

Filesize
1.1MB

Download
memory/3068-469-0x0000000002700000-0x0000000002811000-memory.dmp

Filesize
1.1MB

Download
memory/3068-468-0x0000000002700000-0x0000000002811000-memory.dmp

Filesize
1.1MB

Download
memory/3068-467-0x0000000002700000-0x0000000002811000-memory.dmp

Filesize
1.1MB

Download
memory/3068-466-0x0000000002700000-0x0000000002811000-memory.dmp

Filesize
1.1MB

Download
memory/3068-465-0x0000000002700000-0x0000000002811000-memory.dmp

Filesize
1.1MB

Download
memory/3068-464-0x0000000002700000-0x0000000002811000-memory.dmp

Filesize
1.1MB

Download
memory/3068-5420-0x0000000000640000-0x0000000000680000-memory.dmp

Filesize
256KB

Download
memory/3068-5421-0x0000000002930000-0x00000000029D1000-memory.dmp

Filesize
644KB

Download
memory/3068-5425-0x0000000000640000-0x0000000000680000-memory.dmp

Filesize
256KB

Download
memory/3068-5427-0x0000000000400000-0x0000000000533000-memory.dmp

Filesize
1.2MB

Download