gh0strat | 2eb17d1b539434f14964e8712967a316b60139342c03f1ab41cce26d525b6674

Analysis

max time kernel
150s
max time network
143s
platform
windows10-2004_x64
resource
win10v2004-20250217-en
resource tags

arch:x64arch:x86image:win10v2004-20250217-enlocale:en-usos:windows10-2004-x64system
submitted
05/03/2025, 09:57

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

JaffaCakes118_51971a2dfa78e538e44b44f04b0cd4d6.exe
Size

159KB
MD5

51971a2dfa78e538e44b44f04b0cd4d6
SHA1

fa02179f997e8ef3ce3515dc5056ed788b54e742
SHA256

2eb17d1b539434f14964e8712967a316b60139342c03f1ab41cce26d525b6674
SHA512

8c927c9a49629a8ffa93af19aefdd5e93e2711aa9fa7ec3e4335a5559b23d52068af5a5d65ed60732e8c6834f9b4a78af922a071e7df945af31c7028615a5a1c
SSDEEP

3072:RBymKRr0U5vw0TdLov8MDX8F9jywLatx2LbE4Uo7Nj:RBybjwyovIFtZLatw/E4U4

Score

10^/10

gh0strat discovery persistence rat

Malware Config

Signatures

Gh0st RAT payload 1 IoCs

resource	yara_rule
behavioral2/files/0x0006000000022b2f-25.dat	family_gh0strat

Gh0strat
Gh0st RAT is a remote access tool (RAT) with its source code public and it has been used by multiple Chinese groups.
rat gh0strat
Gh0strat family
gh0strat

Server Software Component: Terminal Services DLL 1 TTPs 1 IoCs

persistence

Terminal Services DLL

T1505.005

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Excel1tvp\Parameters\ServiceDll	JaffaCakes118_51971a2dfa78e538e44b44f04b0cd4d6.exe

Loads dropped DLL 3 IoCs

pid	Process
3428	JaffaCakes118_51971a2dfa78e538e44b44f04b0cd4d6.exe
1524	svchost.exe
2268	rundll32.exe

Drops file in Program Files directory 2 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\wi240654062nd.temp	JaffaCakes118_51971a2dfa78e538e44b44f04b0cd4d6.exe
File created	C:\Program Files (x86)\wi240654093nd.temp	JaffaCakes118_51971a2dfa78e538e44b44f04b0cd4d6.exe

Drops file in Windows directory 3 IoCs

description	ioc	Process
File opened for modification	C:\Windows\MySomeInfo.ini	JaffaCakes118_51971a2dfa78e538e44b44f04b0cd4d6.exe
File created	C:\Windows\HowArMe.txt	JaffaCakes118_51971a2dfa78e538e44b44f04b0cd4d6.exe
File created	C:\Windows\HowArMe.reg	JaffaCakes118_51971a2dfa78e538e44b44f04b0cd4d6.exe

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	rundll32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_51971a2dfa78e538e44b44f04b0cd4d6.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
3428	JaffaCakes118_51971a2dfa78e538e44b44f04b0cd4d6.exe
3428	JaffaCakes118_51971a2dfa78e538e44b44f04b0cd4d6.exe
3428	JaffaCakes118_51971a2dfa78e538e44b44f04b0cd4d6.exe
3428	JaffaCakes118_51971a2dfa78e538e44b44f04b0cd4d6.exe
3428	JaffaCakes118_51971a2dfa78e538e44b44f04b0cd4d6.exe
3428	JaffaCakes118_51971a2dfa78e538e44b44f04b0cd4d6.exe
3428	JaffaCakes118_51971a2dfa78e538e44b44f04b0cd4d6.exe
3428	JaffaCakes118_51971a2dfa78e538e44b44f04b0cd4d6.exe
2268	rundll32.exe
2268	rundll32.exe
2268	rundll32.exe
2268	rundll32.exe
2268	rundll32.exe
2268	rundll32.exe
2268	rundll32.exe
2268	rundll32.exe
2268	rundll32.exe
2268	rundll32.exe
2268	rundll32.exe
2268	rundll32.exe
2268	rundll32.exe
2268	rundll32.exe
2268	rundll32.exe
2268	rundll32.exe
2268	rundll32.exe
2268	rundll32.exe
2268	rundll32.exe
2268	rundll32.exe
2268	rundll32.exe
2268	rundll32.exe
2268	rundll32.exe
2268	rundll32.exe
2268	rundll32.exe
2268	rundll32.exe
2268	rundll32.exe
2268	rundll32.exe
2268	rundll32.exe
2268	rundll32.exe
2268	rundll32.exe
2268	rundll32.exe
2268	rundll32.exe
2268	rundll32.exe
2268	rundll32.exe
2268	rundll32.exe
2268	rundll32.exe
2268	rundll32.exe
2268	rundll32.exe
2268	rundll32.exe
2268	rundll32.exe
2268	rundll32.exe
2268	rundll32.exe
2268	rundll32.exe
2268	rundll32.exe
2268	rundll32.exe
2268	rundll32.exe
2268	rundll32.exe
2268	rundll32.exe
2268	rundll32.exe
2268	rundll32.exe
2268	rundll32.exe
2268	rundll32.exe
2268	rundll32.exe
2268	rundll32.exe
2268	rundll32.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeBackupPrivilege	3428	JaffaCakes118_51971a2dfa78e538e44b44f04b0cd4d6.exe
Token: SeRestorePrivilege	3428	JaffaCakes118_51971a2dfa78e538e44b44f04b0cd4d6.exe
Token: SeDebugPrivilege	1524	svchost.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 1524 wrote to memory of 2268	1524	svchost.exe	90
PID 1524 wrote to memory of 2268	1524	svchost.exe	90
PID 1524 wrote to memory of 2268	1524	svchost.exe	90

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_51971a2dfa78e538e44b44f04b0cd4d6.exe
"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_51971a2dfa78e538e44b44f04b0cd4d6.exe"
1⤵
- Server Software Component: Terminal Services DLL
- Loads dropped DLL
- Drops file in Program Files directory
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3428

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k netsvcs
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1524
- C:\Windows\SysWOW64\rundll32.exe
  rundll32.exe c:\windows\excel1.dll,CodeMain Excel1tvp
  2⤵
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  PID:2268

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Server Software Component

T1505

Terminal Services DLL

T1505.005

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\Common Files\360liveupdate.dll

Filesize
20.0MB

MD5
9b08693fb28fa56241d9a3810dc969b9

SHA1
0acf07fb3548582b5271d9f53e035751e9414c96

SHA256
ace5e4c714a92519d076f7b27b7d842bc2175b966b5741383d7bc259aee5ae32

SHA512
bced4b22d51ecbd084b6f50ee466b875b2be177ee2178ca2a5872ae138d4c70078380e8f2837ae6c25cecb694db53bd2f9580ac31301c76b6d40020343b52beb

Download Submit
C:\Windows\MySomeInfo.ini

Filesize
361B

MD5
dac87dfa78d8079c13dcc149b3db7b7d

SHA1
0dbffc4d2087ac6d096924be64596da9909c2848

SHA256
1dee124e6d5e8ae781222c3e8f81e99ae36dcbf7119b06ea6c145b5df521a2eb

SHA512
008634a1c4eaab56315a70568c72cb13018a4bce654d1486f5199868dc7e65078f394ecd8ab8d682b538229e9bcc6e068bf901ecb35be32183725144063cfd27

Download Submit
\??\c:\windows\excel1.dll

Filesize
20.1MB

MD5
106a55bda04eb252fb493a6a746c57a4

SHA1
6bbe614cd56c2a8f0312d0ccccb3bf394dc1c4fa

SHA256
4ba187919b25e835fa4493ce0dbecd985de6d852269f62b5ebe0fedf7cf6cf6f

SHA512
4bafd015da1ffb5ba737789798a73f66f193de5c19043d3f710061522f6abb4a2967ba73e83989d715cede869922a2147b7309fede68cde4ae1f4dae85cb3dfb

Download Submit