gh0strat | 243d5dac34cc985729c8623cfce9e95b667d2642d7f6f930469c04a1e6386242

Analysis

max time kernel
120s
max time network
120s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
05/03/2025, 20:49

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

JaffaCakes118_5392cfa1d3ebf19311baedc1e5d9bd36.exe
Size

163KB
MD5

5392cfa1d3ebf19311baedc1e5d9bd36
SHA1

871b8c8172c95b64bfe80a2aa459459eaa3c2ab1
SHA256

243d5dac34cc985729c8623cfce9e95b667d2642d7f6f930469c04a1e6386242
SHA512

e376eb83ffb283cec17b1f70dabcb3ecff1bddab11d8e4b5da0b8377f8cb01193c366ce2b2584eb6605dd9e081cd6357ade97ce0902d9bd57e1b81d941b9387c
SSDEEP

3072:dxhXDNHBbWKRpvv70d/pPHWH43NjCa3Aal4b8ceHyhosXln5I3iv:dx9DHbWK3vv7opfWHgUaQfb8n85IG

Score

10^/10

gh0strat discovery persistence rat

Malware Config

Signatures

Gh0st RAT payload 5 IoCs

resource	yara_rule
behavioral1/memory/1620-0-0x0000000000400000-0x000000000042B000-memory.dmp	family_gh0strat
behavioral1/files/0x000800000001707c-4.dat	family_gh0strat
behavioral1/memory/1620-3-0x0000000000400000-0x000000000042B000-memory.dmp	family_gh0strat
behavioral1/memory/2692-6-0x0000000010000000-0x0000000010021000-memory.dmp	family_gh0strat
behavioral1/memory/2692-7-0x0000000010000000-0x0000000010021000-memory.dmp	family_gh0strat

Gh0strat
Gh0st RAT is a remote access tool (RAT) with its source code public and it has been used by multiple Chinese groups.
rat gh0strat
Gh0strat family
gh0strat

Server Software Component: Terminal Services DLL 1 TTPs 1 IoCs

persistence

Terminal Services DLL

T1505.005

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\winrenms0x0\Parameters\ServiceDll = "C:\\Documents and Settings\\Local\\ntuser.dll"	JaffaCakes118_5392cfa1d3ebf19311baedc1e5d9bd36.exe

Loads dropped DLL 1 IoCs

pid	Process
2692	svchost.exe

System Location Discovery: System Language Discovery 1 TTPs 8 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_5392cfa1d3ebf19311baedc1e5d9bd36.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	rundll32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe

Kills process with taskkill 5 IoCs

defense_evasion

pid	Process
2480	taskkill.exe
2324	taskkill.exe
2128	taskkill.exe
2320	taskkill.exe
2684	taskkill.exe

Suspicious behavior: EnumeratesProcesses 6 IoCs

pid	Process
1620	JaffaCakes118_5392cfa1d3ebf19311baedc1e5d9bd36.exe
1620	JaffaCakes118_5392cfa1d3ebf19311baedc1e5d9bd36.exe
1620	JaffaCakes118_5392cfa1d3ebf19311baedc1e5d9bd36.exe
1620	JaffaCakes118_5392cfa1d3ebf19311baedc1e5d9bd36.exe
1620	JaffaCakes118_5392cfa1d3ebf19311baedc1e5d9bd36.exe
1620	JaffaCakes118_5392cfa1d3ebf19311baedc1e5d9bd36.exe

Suspicious use of AdjustPrivilegeToken 6 IoCs

description	pid	Process
Token: SeDebugPrivilege	2480	taskkill.exe
Token: SeDebugPrivilege	2684	taskkill.exe
Token: SeDebugPrivilege	2320	taskkill.exe
Token: SeDebugPrivilege	2324	taskkill.exe
Token: SeDebugPrivilege	2128	taskkill.exe
Token: SeDebugPrivilege	2692	svchost.exe

Suspicious use of WriteProcessMemory 27 IoCs

description	pid	Process	procid_target
PID 1620 wrote to memory of 2320	1620	JaffaCakes118_5392cfa1d3ebf19311baedc1e5d9bd36.exe	31
PID 1620 wrote to memory of 2320	1620	JaffaCakes118_5392cfa1d3ebf19311baedc1e5d9bd36.exe	31
PID 1620 wrote to memory of 2320	1620	JaffaCakes118_5392cfa1d3ebf19311baedc1e5d9bd36.exe	31
PID 1620 wrote to memory of 2320	1620	JaffaCakes118_5392cfa1d3ebf19311baedc1e5d9bd36.exe	31
PID 1620 wrote to memory of 2684	1620	JaffaCakes118_5392cfa1d3ebf19311baedc1e5d9bd36.exe	32
PID 1620 wrote to memory of 2684	1620	JaffaCakes118_5392cfa1d3ebf19311baedc1e5d9bd36.exe	32
PID 1620 wrote to memory of 2684	1620	JaffaCakes118_5392cfa1d3ebf19311baedc1e5d9bd36.exe	32
PID 1620 wrote to memory of 2684	1620	JaffaCakes118_5392cfa1d3ebf19311baedc1e5d9bd36.exe	32
PID 1620 wrote to memory of 2480	1620	JaffaCakes118_5392cfa1d3ebf19311baedc1e5d9bd36.exe	33
PID 1620 wrote to memory of 2480	1620	JaffaCakes118_5392cfa1d3ebf19311baedc1e5d9bd36.exe	33
PID 1620 wrote to memory of 2480	1620	JaffaCakes118_5392cfa1d3ebf19311baedc1e5d9bd36.exe	33
PID 1620 wrote to memory of 2480	1620	JaffaCakes118_5392cfa1d3ebf19311baedc1e5d9bd36.exe	33
PID 1620 wrote to memory of 2324	1620	JaffaCakes118_5392cfa1d3ebf19311baedc1e5d9bd36.exe	34
PID 1620 wrote to memory of 2324	1620	JaffaCakes118_5392cfa1d3ebf19311baedc1e5d9bd36.exe	34
PID 1620 wrote to memory of 2324	1620	JaffaCakes118_5392cfa1d3ebf19311baedc1e5d9bd36.exe	34
PID 1620 wrote to memory of 2324	1620	JaffaCakes118_5392cfa1d3ebf19311baedc1e5d9bd36.exe	34
PID 1620 wrote to memory of 2128	1620	JaffaCakes118_5392cfa1d3ebf19311baedc1e5d9bd36.exe	35
PID 1620 wrote to memory of 2128	1620	JaffaCakes118_5392cfa1d3ebf19311baedc1e5d9bd36.exe	35
PID 1620 wrote to memory of 2128	1620	JaffaCakes118_5392cfa1d3ebf19311baedc1e5d9bd36.exe	35
PID 1620 wrote to memory of 2128	1620	JaffaCakes118_5392cfa1d3ebf19311baedc1e5d9bd36.exe	35
PID 2692 wrote to memory of 960	2692	svchost.exe	43
PID 2692 wrote to memory of 960	2692	svchost.exe	43
PID 2692 wrote to memory of 960	2692	svchost.exe	43
PID 2692 wrote to memory of 960	2692	svchost.exe	43
PID 2692 wrote to memory of 960	2692	svchost.exe	43
PID 2692 wrote to memory of 960	2692	svchost.exe	43
PID 2692 wrote to memory of 960	2692	svchost.exe	43

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_5392cfa1d3ebf19311baedc1e5d9bd36.exe
"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_5392cfa1d3ebf19311baedc1e5d9bd36.exe"
1⤵
- Server Software Component: Terminal Services DLL
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1620
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /im KSafeTray.exe
  2⤵
  - System Location Discovery: System Language Discovery
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:2320
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /im KSafeTray.exe
  2⤵
  - System Location Discovery: System Language Discovery
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:2684
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /im KSafeTray.exe
  2⤵
  - System Location Discovery: System Language Discovery
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:2480
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /im KSafeTray.exe
  2⤵
  - System Location Discovery: System Language Discovery
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:2324
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /im kswebshield.exe
  2⤵
  - System Location Discovery: System Language Discovery
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:2128

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k netsvcs
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2692
- C:\Windows\SysWOW64\rundll32.exe
  rundll32.exe C:\Windows\SysWOW64\svchost.exe,main
  2⤵
  - System Location Discovery: System Language Discovery
  PID:960

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Server Software Component

T1505

Terminal Services DLL

T1505.005

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\??\c:\documents and settings\local\ntuser.dll

Filesize
10.1MB

MD5
6e2ac653458e7f09f1820c9e1d9ac444

SHA1
5285fd97c74789f3d70e5401a3fc143f5f23918e

SHA256
cfcb1120a3def2182caf0bac92b2b94cf9df9c7628e56a020fe08d0882caef6c

SHA512
194e312cec9f597e9b02339635ec9c616e18c9332b73ac08f221d9d73983c50f14b9d5a48ca1bfc38b885f743c99e431c8e73401fb5ce24dcc268cd986128c7c

Download Submit
memory/1620-0-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/1620-3-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/2692-6-0x0000000010000000-0x0000000010021000-memory.dmp

Filesize
132KB

Download
memory/2692-7-0x0000000010000000-0x0000000010021000-memory.dmp

Filesize
132KB

Download