gh0strat | 325a55118b9c12f2323b6f952d2d5b7af46c1df5dc61f0f51ba763b00a42f279

Analysis

max time kernel
105s
max time network
139s
platform
windows10-2004_x64
resource
win10v2004-20250217-en
resource tags

arch:x64arch:x86image:win10v2004-20250217-enlocale:en-usos:windows10-2004-x64system
submitted
05/03/2025, 11:08

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

JaffaCakes118_51ce81276e302293b40ea85fde308cda.exe
Size

184KB
MD5

51ce81276e302293b40ea85fde308cda
SHA1

f3239817372cb9e64296f7b994bea72611039110
SHA256

325a55118b9c12f2323b6f952d2d5b7af46c1df5dc61f0f51ba763b00a42f279
SHA512

3684d7fa864d0488b09a3eac0f1ecdc4e88c7d21307cc9d19493247f9e8e3e1c6ed67e4c15321fadb05adb90aaf4853f4e9559ca0d0aa1cbff735a45d79b0124
SSDEEP

3072:oR282m9KOPIj+eL9RDQFFrXsbs1e2KKxuR+4/K/xr8tYs5oGff7GVqUpCs:/vm5B7nru04/oYtYxGff7yO

Score

10^/10

gh0strat bootkit discovery persistence rat

Malware Config

Signatures

Gh0st RAT payload 1 IoCs

resource	yara_rule
behavioral2/files/0x000a000000023ca7-2.dat	family_gh0strat

Gh0strat
Gh0st RAT is a remote access tool (RAT) with its source code public and it has been used by multiple Chinese groups.
rat gh0strat
Gh0strat family
gh0strat

Deletes itself 1 IoCs

pid	Process
5316	svchost.exe

Loads dropped DLL 1 IoCs

pid	Process
5316	svchost.exe

Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs

Bootkits write to the MBR to gain persistence at a level below the operating system.

bootkit persistence

Bootkit

T1542.003

description	ioc	Process
File opened for modification	\??\PhysicalDrive0	svchost.exe

Drops file in System32 directory 1 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\bmrmejysfq	svchost.exe

Drops file in Program Files directory 1 IoCs

description	ioc	Process
File opened for modification	C:\PROGRA~2\NETMEE~1\mgn.dll	JaffaCakes118_51ce81276e302293b40ea85fde308cda.exe

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_51ce81276e302293b40ea85fde308cda.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	svchost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	svchost.exe

Modifies data under HKEY_USERS 5 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie	svchost.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum\Version = "7"	svchost.exe

Suspicious behavior: EnumeratesProcesses 6 IoCs

pid	Process
5316	svchost.exe
5316	svchost.exe
5316	svchost.exe
5316	svchost.exe
5316	svchost.exe
5316	svchost.exe

Suspicious use of AdjustPrivilegeToken 14 IoCs

description	pid	Process
Token: SeBackupPrivilege	3036	JaffaCakes118_51ce81276e302293b40ea85fde308cda.exe
Token: SeRestorePrivilege	3036	JaffaCakes118_51ce81276e302293b40ea85fde308cda.exe
Token: SeBackupPrivilege	5316	svchost.exe
Token: SeRestorePrivilege	5316	svchost.exe
Token: SeBackupPrivilege	5316	svchost.exe
Token: SeBackupPrivilege	5316	svchost.exe
Token: SeSecurityPrivilege	5316	svchost.exe
Token: SeSecurityPrivilege	5316	svchost.exe
Token: SeBackupPrivilege	5316	svchost.exe
Token: SeBackupPrivilege	5316	svchost.exe
Token: SeSecurityPrivilege	5316	svchost.exe
Token: SeBackupPrivilege	5316	svchost.exe
Token: SeBackupPrivilege	5316	svchost.exe
Token: SeSecurityPrivilege	5316	svchost.exe

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_51ce81276e302293b40ea85fde308cda.exe
"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_51ce81276e302293b40ea85fde308cda.exe"
1⤵
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
PID:3036

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k netsvcs -s fastuserswitchingcompatibility
1⤵
- Deletes itself
- Loads dropped DLL
- Writes to the Master Boot Record (MBR)
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Checks processor information in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:5316

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Pre-OS Boot

T1542

Bootkit

T1542.003

Privilege Escalation

Defense Evasion

Pre-OS Boot

T1542

Bootkit

T1542.003

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\??\c:\progra~2\netmee~1\mgn.dll

Filesize
148KB

MD5
3886a0a7d1abd4d4df4dbd97b83c569e

SHA1
7aa387433c990df01d1f7a50083b0f384faf64d2

SHA256
2eff0980704543c34375b4956054168d505b92721f0ad61924810ea8d109d92d

SHA512
c23423f7d4e5e326a07f648d9e3cb71880832b8ee1d6addba7dc008f487bcffcefa2795073fbfd79c1acf09ccd4211290d7640c396bf66641fd0dcd5b0a2963b

Download Submit