gh0strat | 32ab40a2a278d102e9f4334a411529e35207a51902a54c2ce44d7566c31a0ca0

Analysis

max time kernel
120s
max time network
140s
platform
windows10-2004_x64
resource
win10v2004-20250217-en
resource tags

arch:x64arch:x86image:win10v2004-20250217-enlocale:en-usos:windows10-2004-x64system
submitted
05/03/2025, 10:27

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

JaffaCakes118_51acce6c0ffe9c5eaac2f99a5547e538.exe
Size

96KB
MD5

51acce6c0ffe9c5eaac2f99a5547e538
SHA1

054f5fdef50e290f9dc6bb3fd01c04609eb4a2be
SHA256

32ab40a2a278d102e9f4334a411529e35207a51902a54c2ce44d7566c31a0ca0
SHA512

eec44e81d134573eb6b6c59b9adbcd2102d7e7db07e36de756f7cf9d675141e4e0fe905dcda0345cc0355e1dd417527b1c60551a53096c2169caa897c16780cd
SSDEEP

1536:WAFusSx9qYMhdFHS8qdydo3nTzhYxJA+CwNUtBZVY9v8prYAFz2q3:WyS4jHS8q/3nTzePCwNUh4E9bJ2q3

Score

10^/10

gh0strat discovery rat

Malware Config

Signatures

Gh0st RAT payload 5 IoCs

resource	yara_rule
behavioral2/files/0x000e000000023abc-15.dat	family_gh0strat
behavioral2/memory/3924-17-0x0000000000400000-0x000000000044E2D4-memory.dmp	family_gh0strat
behavioral2/memory/1064-20-0x0000000020000000-0x0000000020027000-memory.dmp	family_gh0strat
behavioral2/memory/1508-25-0x0000000020000000-0x0000000020027000-memory.dmp	family_gh0strat
behavioral2/memory/1120-30-0x0000000020000000-0x0000000020027000-memory.dmp	family_gh0strat

Gh0strat
Gh0st RAT is a remote access tool (RAT) with its source code public and it has been used by multiple Chinese groups.
rat gh0strat
Gh0strat family
gh0strat

Deletes itself 1 IoCs

pid	Process
3924	gmcnsygpqq

Executes dropped EXE 1 IoCs

pid	Process
3924	gmcnsygpqq

Loads dropped DLL 3 IoCs

pid	Process
1064	svchost.exe
1508	svchost.exe
1120	svchost.exe

Drops file in System32 directory 6 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\umtaojsefk	svchost.exe
File opened for modification	C:\Windows\SysWOW64\svchost.exe.txt	svchost.exe
File created	C:\Windows\SysWOW64\uvhswmubrf	svchost.exe
File opened for modification	C:\Windows\SysWOW64\svchost.exe.txt	svchost.exe
File created	C:\Windows\SysWOW64\uvhswmubrf	svchost.exe
File opened for modification	C:\Windows\SysWOW64\svchost.exe.txt	svchost.exe

Program crash 3 IoCs

pid	pid_target	Process	procid_target
404	1064	WerFault.exe	94
4512	1508	WerFault.exe	99
4456	1120	WerFault.exe	102

System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_51acce6c0ffe9c5eaac2f99a5547e538.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	gmcnsygpqq
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
3924	gmcnsygpqq
3924	gmcnsygpqq

Suspicious use of AdjustPrivilegeToken 46 IoCs

description	pid	Process
Token: SeRestorePrivilege	3924	gmcnsygpqq
Token: SeBackupPrivilege	3924	gmcnsygpqq
Token: SeBackupPrivilege	3924	gmcnsygpqq
Token: SeRestorePrivilege	3924	gmcnsygpqq
Token: SeBackupPrivilege	1064	svchost.exe
Token: SeRestorePrivilege	1064	svchost.exe
Token: SeBackupPrivilege	1064	svchost.exe
Token: SeBackupPrivilege	1064	svchost.exe
Token: SeSecurityPrivilege	1064	svchost.exe
Token: SeSecurityPrivilege	1064	svchost.exe
Token: SeBackupPrivilege	1064	svchost.exe
Token: SeBackupPrivilege	1064	svchost.exe
Token: SeSecurityPrivilege	1064	svchost.exe
Token: SeBackupPrivilege	1064	svchost.exe
Token: SeBackupPrivilege	1064	svchost.exe
Token: SeSecurityPrivilege	1064	svchost.exe
Token: SeBackupPrivilege	1064	svchost.exe
Token: SeRestorePrivilege	1064	svchost.exe
Token: SeBackupPrivilege	1508	svchost.exe
Token: SeRestorePrivilege	1508	svchost.exe
Token: SeBackupPrivilege	1508	svchost.exe
Token: SeBackupPrivilege	1508	svchost.exe
Token: SeSecurityPrivilege	1508	svchost.exe
Token: SeSecurityPrivilege	1508	svchost.exe
Token: SeBackupPrivilege	1508	svchost.exe
Token: SeBackupPrivilege	1508	svchost.exe
Token: SeSecurityPrivilege	1508	svchost.exe
Token: SeBackupPrivilege	1508	svchost.exe
Token: SeBackupPrivilege	1508	svchost.exe
Token: SeSecurityPrivilege	1508	svchost.exe
Token: SeBackupPrivilege	1508	svchost.exe
Token: SeRestorePrivilege	1508	svchost.exe
Token: SeBackupPrivilege	1120	svchost.exe
Token: SeRestorePrivilege	1120	svchost.exe
Token: SeBackupPrivilege	1120	svchost.exe
Token: SeBackupPrivilege	1120	svchost.exe
Token: SeSecurityPrivilege	1120	svchost.exe
Token: SeSecurityPrivilege	1120	svchost.exe
Token: SeBackupPrivilege	1120	svchost.exe
Token: SeBackupPrivilege	1120	svchost.exe
Token: SeSecurityPrivilege	1120	svchost.exe
Token: SeBackupPrivilege	1120	svchost.exe
Token: SeBackupPrivilege	1120	svchost.exe
Token: SeSecurityPrivilege	1120	svchost.exe
Token: SeBackupPrivilege	1120	svchost.exe
Token: SeRestorePrivilege	1120	svchost.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 4988 wrote to memory of 3924	4988	JaffaCakes118_51acce6c0ffe9c5eaac2f99a5547e538.exe	89
PID 4988 wrote to memory of 3924	4988	JaffaCakes118_51acce6c0ffe9c5eaac2f99a5547e538.exe	89
PID 4988 wrote to memory of 3924	4988	JaffaCakes118_51acce6c0ffe9c5eaac2f99a5547e538.exe	89

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_51acce6c0ffe9c5eaac2f99a5547e538.exe
"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_51acce6c0ffe9c5eaac2f99a5547e538.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4988
- \??\c:\users\admin\appdata\local\gmcnsygpqq
  "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_51acce6c0ffe9c5eaac2f99a5547e538.exe" a -sc:\users\admin\appdata\local\temp\jaffacakes118_51acce6c0ffe9c5eaac2f99a5547e538.exe
  2⤵
  - Deletes itself
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:3924

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k netsvcs -s fastuserswitchingcompatibility
1⤵
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
PID:1064
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 1064 -s 1040
  2⤵
  - Program crash
  PID:404

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 464 -p 1064 -ip 1064
1⤵
PID:3396

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k netsvcs -s fastuserswitchingcompatibility
1⤵
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
PID:1508
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 1508 -s 944
  2⤵
  - Program crash
  PID:4512

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 548 -p 1508 -ip 1508
1⤵
PID:4300

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k netsvcs -s fastuserswitchingcompatibility
1⤵
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
PID:1120
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 1120 -s 872
  2⤵
  - Program crash
  PID:4456

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 368 -p 1120 -ip 1120
1⤵
PID:3932

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\gmcnsygpqq

Filesize
23.4MB

MD5
4078f37377499b61cebf2be3c290069d

SHA1
e59577fa6e9a25b86e1fef8f47b45fa55ea07168

SHA256
3d20712518958145b430dbac677e2b4f46cf463fed49274470734874966c2d3a

SHA512
62a5ca3f206d2c10b5d71c504adc8b8c11cdf806d0e1f3467921ec20ad96d467cdd1d6788ea4d486c4b710b5e0036ea1dd723315bc9458bcd9b69a5a7c803aff

Download Submit
C:\Windows\SysWOW64\svchost.exe.txt

Filesize
202B

MD5
1f1b104aa952abbc7f14f6219112e417

SHA1
dd436dffcb5b5e34788143543f69dcd49e0fe339

SHA256
04fb92a69095a3e35e0bfaf160cbd212c49f1e101fa76912106114a9b61270e4

SHA512
1b88fb306d878e0a3cbf97f1b84807a7f7f8df1a621133ae0448e7c950900b66e98bbba6f5c548bc18ff2b0bfb84b28b951104acdad21482f1cf88aa68daad73

Download Submit
C:\Windows\SysWOW64\svchost.exe.txt

Filesize
303B

MD5
3f32dc349085671c3673e272f390e6ff

SHA1
09498ee17eb9c22824a52d9e17109654b58b866d

SHA256
0693eed239fe242d638dedc4a5a9a116a8bdd1285ac6c99f96cfc21d02f49232

SHA512
8a9db97c0f18953edd0ba9bf9e1ad8180a54befbc3b176485beec14e594b3e0878cbd3dceb7574f8eabae498a10f920ae90b50a5b95b43a156600c2283e53bd1

Download Submit
\??\c:\programdata\application data\storm\update\%sessionname%\rrhtg.cc3

Filesize
19.0MB

MD5
8b51d8f9573cdd9f74b1683beafa402c

SHA1
648afffae4cb09e2e4fe6f310b662c41da425648

SHA256
feac2ec0947e947a29ff315ad69d9291422ff229c27c88cebfeefb80668bc724

SHA512
79c71a3408744a0bf131c116a1f97a81ab679335da751311ff82115ce9b1114eebd5d5c0ae83d3f6e4b9579964f2ce5167aa6525a41379b27470c2b68ef82cfa

Download Submit
memory/1064-18-0x0000000001580000-0x0000000001581000-memory.dmp

Filesize
4KB

Download
memory/1064-20-0x0000000020000000-0x0000000020027000-memory.dmp

Filesize
156KB

Download
memory/1120-30-0x0000000020000000-0x0000000020027000-memory.dmp

Filesize
156KB

Download
memory/1120-27-0x0000000001EC0000-0x0000000001EC1000-memory.dmp

Filesize
4KB

Download
memory/1508-25-0x0000000020000000-0x0000000020027000-memory.dmp

Filesize
156KB

Download
memory/1508-22-0x00000000011F0000-0x00000000011F1000-memory.dmp

Filesize
4KB

Download
memory/3924-17-0x0000000000400000-0x000000000044E2D4-memory.dmp

Filesize
312KB

Download
memory/3924-12-0x00000000001D0000-0x00000000001D1000-memory.dmp

Filesize
4KB

Download
memory/3924-9-0x0000000000400000-0x000000000044E2D4-memory.dmp

Filesize
312KB

Download
memory/4988-0-0x0000000000400000-0x000000000044E2D4-memory.dmp

Filesize
312KB

Download
memory/4988-8-0x0000000000400000-0x000000000044E2D4-memory.dmp

Filesize
312KB

Download
memory/4988-2-0x00000000001D0000-0x00000000001D1000-memory.dmp

Filesize
4KB

Download