gh0strat | 32392984f2b574a0c62e743e7b80d97bc41b0b5889d86c728037fc0940675805

Analysis

max time kernel
150s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20250217-en
resource tags

arch:x64arch:x86image:win10v2004-20250217-enlocale:en-usos:windows10-2004-x64system
submitted
05/03/2025, 09:44

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

JaffaCakes118_518d7eaf92eb9c295ad8bd0a443fafe3.exe
Size

96KB
MD5

518d7eaf92eb9c295ad8bd0a443fafe3
SHA1

ff605b5c4261a6a5e49060edaf5f70e8719b6032
SHA256

32392984f2b574a0c62e743e7b80d97bc41b0b5889d86c728037fc0940675805
SHA512

a4e6c967a97de41a00b22145fe457ba42f81cf3ac61217cdafb580007678247ec25a0f50a043b2cd15c3eb82138cde74812af57c3e8d1c76c596121684761b6c
SSDEEP

1536:2RFusSx9qYMhdFHS8qdydo3nTzhYxJA+CwNUtBZVY9v8prxIZtCb:2HS4jHS8q/3nTzePCwNUh4E9uZtCb

Score

10^/10

gh0strat discovery rat

Malware Config

Signatures

Gh0st RAT payload 5 IoCs

resource	yara_rule
behavioral2/files/0x000300000001e730-15.dat	family_gh0strat
behavioral2/memory/2096-17-0x0000000000400000-0x000000000044E29C-memory.dmp	family_gh0strat
behavioral2/memory/3380-20-0x0000000020000000-0x0000000020027000-memory.dmp	family_gh0strat
behavioral2/memory/3728-25-0x0000000020000000-0x0000000020027000-memory.dmp	family_gh0strat
behavioral2/memory/4708-30-0x0000000020000000-0x0000000020027000-memory.dmp	family_gh0strat

Gh0strat
Gh0st RAT is a remote access tool (RAT) with its source code public and it has been used by multiple Chinese groups.
rat gh0strat
Gh0strat family
gh0strat

Deletes itself 1 IoCs

pid	Process
2096	hcdkrxgsld

Executes dropped EXE 1 IoCs

pid	Process
2096	hcdkrxgsld

Loads dropped DLL 3 IoCs

pid	Process
3380	svchost.exe
3728	svchost.exe
4708	svchost.exe

Drops file in System32 directory 6 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\ngxyomcedo	svchost.exe
File opened for modification	C:\Windows\SysWOW64\svchost.exe.txt	svchost.exe
File created	C:\Windows\SysWOW64\nomrvpfcqk	svchost.exe
File opened for modification	C:\Windows\SysWOW64\svchost.exe.txt	svchost.exe
File created	C:\Windows\SysWOW64\nxbleshydf	svchost.exe
File opened for modification	C:\Windows\SysWOW64\svchost.exe.txt	svchost.exe

Program crash 3 IoCs

pid	pid_target	Process	procid_target
2292	3380	WerFault.exe	90
640	3728	WerFault.exe	96
4860	4708	WerFault.exe	101

System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_518d7eaf92eb9c295ad8bd0a443fafe3.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	hcdkrxgsld
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
2096	hcdkrxgsld
2096	hcdkrxgsld

Suspicious use of AdjustPrivilegeToken 46 IoCs

description	pid	Process
Token: SeRestorePrivilege	2096	hcdkrxgsld
Token: SeBackupPrivilege	2096	hcdkrxgsld
Token: SeBackupPrivilege	2096	hcdkrxgsld
Token: SeRestorePrivilege	2096	hcdkrxgsld
Token: SeBackupPrivilege	3380	svchost.exe
Token: SeRestorePrivilege	3380	svchost.exe
Token: SeBackupPrivilege	3380	svchost.exe
Token: SeBackupPrivilege	3380	svchost.exe
Token: SeSecurityPrivilege	3380	svchost.exe
Token: SeSecurityPrivilege	3380	svchost.exe
Token: SeBackupPrivilege	3380	svchost.exe
Token: SeBackupPrivilege	3380	svchost.exe
Token: SeSecurityPrivilege	3380	svchost.exe
Token: SeBackupPrivilege	3380	svchost.exe
Token: SeBackupPrivilege	3380	svchost.exe
Token: SeSecurityPrivilege	3380	svchost.exe
Token: SeBackupPrivilege	3380	svchost.exe
Token: SeRestorePrivilege	3380	svchost.exe
Token: SeBackupPrivilege	3728	svchost.exe
Token: SeRestorePrivilege	3728	svchost.exe
Token: SeBackupPrivilege	3728	svchost.exe
Token: SeBackupPrivilege	3728	svchost.exe
Token: SeSecurityPrivilege	3728	svchost.exe
Token: SeSecurityPrivilege	3728	svchost.exe
Token: SeBackupPrivilege	3728	svchost.exe
Token: SeBackupPrivilege	3728	svchost.exe
Token: SeSecurityPrivilege	3728	svchost.exe
Token: SeBackupPrivilege	3728	svchost.exe
Token: SeBackupPrivilege	3728	svchost.exe
Token: SeSecurityPrivilege	3728	svchost.exe
Token: SeBackupPrivilege	3728	svchost.exe
Token: SeRestorePrivilege	3728	svchost.exe
Token: SeBackupPrivilege	4708	svchost.exe
Token: SeRestorePrivilege	4708	svchost.exe
Token: SeBackupPrivilege	4708	svchost.exe
Token: SeBackupPrivilege	4708	svchost.exe
Token: SeSecurityPrivilege	4708	svchost.exe
Token: SeSecurityPrivilege	4708	svchost.exe
Token: SeBackupPrivilege	4708	svchost.exe
Token: SeBackupPrivilege	4708	svchost.exe
Token: SeSecurityPrivilege	4708	svchost.exe
Token: SeBackupPrivilege	4708	svchost.exe
Token: SeBackupPrivilege	4708	svchost.exe
Token: SeSecurityPrivilege	4708	svchost.exe
Token: SeBackupPrivilege	4708	svchost.exe
Token: SeRestorePrivilege	4708	svchost.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 1344 wrote to memory of 2096	1344	JaffaCakes118_518d7eaf92eb9c295ad8bd0a443fafe3.exe	89
PID 1344 wrote to memory of 2096	1344	JaffaCakes118_518d7eaf92eb9c295ad8bd0a443fafe3.exe	89
PID 1344 wrote to memory of 2096	1344	JaffaCakes118_518d7eaf92eb9c295ad8bd0a443fafe3.exe	89

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_518d7eaf92eb9c295ad8bd0a443fafe3.exe
"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_518d7eaf92eb9c295ad8bd0a443fafe3.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1344
- \??\c:\users\admin\appdata\local\hcdkrxgsld
  "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_518d7eaf92eb9c295ad8bd0a443fafe3.exe" a -sc:\users\admin\appdata\local\temp\jaffacakes118_518d7eaf92eb9c295ad8bd0a443fafe3.exe
  2⤵
  - Deletes itself
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2096

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k netsvcs -s fastuserswitchingcompatibility
1⤵
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
PID:3380
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 3380 -s 792
  2⤵
  - Program crash
  PID:2292

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 3380 -ip 3380
1⤵
PID:4852

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k netsvcs -s fastuserswitchingcompatibility
1⤵
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
PID:3728
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 3728 -s 944
  2⤵
  - Program crash
  PID:640

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 436 -p 3728 -ip 3728
1⤵
PID:3948

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k netsvcs -s fastuserswitchingcompatibility
1⤵
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
PID:4708
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 4708 -s 748
  2⤵
  - Program crash
  PID:4860

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 456 -p 4708 -ip 4708
1⤵
PID:4488

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\hcdkrxgsld

Filesize
21.5MB

MD5
d919f19888177dc74883ad10aa1fe997

SHA1
2531b80faef2c8594d87facffb5554cd9a7a4d4a

SHA256
d5e646cd423cdcfb76db80748494f48bf8d1c18864b14f99c2ad695a52c7659e

SHA512
8ed9fdfb79bb6d48dcec58f0c9f320ed171179a7c3a84f1f03ad937636b47428d5a7bfe9810fa7596806b07bfcc5a610b36d6c285d9c6a80392d3f680ad6745e

Download Submit
C:\Windows\SysWOW64\svchost.exe.txt

Filesize
200B

MD5
002022dc97e6d1f6a657a8f96c4d86a5

SHA1
d737771fa563a2e47052770c44fe54c52f824ca6

SHA256
0f8c188aeeae3b4a6386a54fd34885c471374de3dc3f4436146d6987d726c6bf

SHA512
548ad6c6e6b536a2f5fed7de898a56fbf961702b0c8b0ec4af857acac0bb7f1ed41fabdf060a00a10407e5994f0e8a375974e7e76cc53c869479f1253346d7cf

Download Submit
C:\Windows\SysWOW64\svchost.exe.txt

Filesize
300B

MD5
15d312f158e7aacef20971397780ae35

SHA1
05443e658fc35f5306c922a89ba69d3b37d80011

SHA256
84742779c25021e2ef705aa304e05fc8c5aa7b2a36def7a4e497729c7b710a24

SHA512
cd9521f8d1b0b45ffd48174997093ee179381faf7f20482cdcee9d0c530375dcb91ce3b57cb4606a0b7ffb65f8acf3073c4c8778136d8b4e5b1dc8533df76c22

Download Submit
\??\c:\programdata\application data\storm\update\%sessionname%\tdokl.cc3

Filesize
21.0MB

MD5
f177fc0d572811edf5ba64b789a34fc6

SHA1
da4cb3f9717d278cada177357f8a48c461f61e65

SHA256
e1b7d57f0f15779dd5a514c6244ba12eaa97b19f5d68f7892cb0ef8e66594b7a

SHA512
8e1f70b986ae5245fe93a99f8a7bbc0fc2b346ce4775ba5b2453dc5e81d826e07147ab05735e7db7bcfccbbe00a64a880e0849cf2d59da0fe23b80ed6a77e0d7

Download Submit
memory/1344-2-0x00000000001D0000-0x00000000001D1000-memory.dmp

Filesize
4KB

Download
memory/1344-12-0x0000000000400000-0x000000000044E29C-memory.dmp

Filesize
312KB

Download
memory/1344-0-0x0000000000400000-0x000000000044E29C-memory.dmp

Filesize
312KB

Download
memory/2096-10-0x00000000001D0000-0x00000000001D1000-memory.dmp

Filesize
4KB

Download
memory/2096-9-0x0000000000400000-0x000000000044E29C-memory.dmp

Filesize
312KB

Download
memory/2096-17-0x0000000000400000-0x000000000044E29C-memory.dmp

Filesize
312KB

Download
memory/3380-18-0x00000000009A0000-0x00000000009A1000-memory.dmp

Filesize
4KB

Download
memory/3380-20-0x0000000020000000-0x0000000020027000-memory.dmp

Filesize
156KB

Download
memory/3728-22-0x00000000011D0000-0x00000000011D1000-memory.dmp

Filesize
4KB

Download
memory/3728-25-0x0000000020000000-0x0000000020027000-memory.dmp

Filesize
156KB

Download
memory/4708-27-0x0000000001BE0000-0x0000000001BE1000-memory.dmp

Filesize
4KB

Download
memory/4708-30-0x0000000020000000-0x0000000020027000-memory.dmp

Filesize
156KB

Download