gh0strat | bea5b55cdef955ac7b8a9fead52ddc7f659fa3470c470fd36e769d1b57c5234e

Analysis

max time kernel
94s
max time network
145s
platform
windows10-2004_x64
resource
win10v2004-20250217-en
resource tags

arch:x64arch:x86image:win10v2004-20250217-enlocale:en-usos:windows10-2004-x64system
submitted
05/03/2025, 20:48

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

JaffaCakes118_5392164e0cb5045847c4ee9cff4813f6.exe
Size

5.0MB
MD5

5392164e0cb5045847c4ee9cff4813f6
SHA1

20f55805079a0c35ce493589335fce990c8e708a
SHA256

bea5b55cdef955ac7b8a9fead52ddc7f659fa3470c470fd36e769d1b57c5234e
SHA512

82f0cf0a85ec7164dbcd442c33e969186e8ddb179707b053fb0ac91f09891bd2196f9e8499cd3ab903a3262f7f334a82916b150b18dab29c84c7d04fd6c4987a
SSDEEP

49152:smv3GY5fa22GFbn0iDenAPpv//e2zzoM/IFnLA5:s0W2SLGFD0i0UPe2N/YLA5

Score

10^/10

gh0strat defense_evasion discovery rat

Malware Config

Signatures

Gh0st RAT payload 6 IoCs

resource	yara_rule
behavioral2/files/0x000300000001e72b-29.dat	family_gh0strat
behavioral2/memory/3624-32-0x0000000000400000-0x000000000097D000-memory.dmp	family_gh0strat
behavioral2/memory/3624-31-0x0000000000400000-0x000000000097D000-memory.dmp	family_gh0strat
behavioral2/memory/4952-36-0x0000000020000000-0x0000000020027000-memory.dmp	family_gh0strat
behavioral2/memory/2944-41-0x0000000020000000-0x0000000020027000-memory.dmp	family_gh0strat
behavioral2/memory/608-46-0x0000000020000000-0x0000000020027000-memory.dmp	family_gh0strat

Gh0strat
Gh0st RAT is a remote access tool (RAT) with its source code public and it has been used by multiple Chinese groups.
rat gh0strat
Gh0strat family
gh0strat

Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 2 IoCs

defense_evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	JaffaCakes118_5392164e0cb5045847c4ee9cff4813f6.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	hvmqnjpved

Deletes itself 1 IoCs

pid	Process
3624	hvmqnjpved

Executes dropped EXE 1 IoCs

pid	Process
3624	hvmqnjpved

Identifies Wine through registry keys 2 TTPs 2 IoCs

Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.

defense_evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-2278412438-3475196406-3686434223-1000\Software\Wine	JaffaCakes118_5392164e0cb5045847c4ee9cff4813f6.exe
Key opened	\REGISTRY\USER\S-1-5-21-2278412438-3475196406-3686434223-1000\Software\Wine	hvmqnjpved

Loads dropped DLL 3 IoCs

pid	Process
4952	svchost.exe
2944	svchost.exe
608	svchost.exe

Drops file in System32 directory 6 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\nxsskutujt	svchost.exe
File opened for modification	C:\Windows\SysWOW64\svchost.exe.txt	svchost.exe
File created	C:\Windows\SysWOW64\ngqgtooyjd	svchost.exe
File opened for modification	C:\Windows\SysWOW64\svchost.exe.txt	svchost.exe
File created	C:\Windows\SysWOW64\nofacrqwvy	svchost.exe
File opened for modification	C:\Windows\SysWOW64\svchost.exe.txt	svchost.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs

pid	Process
3800	JaffaCakes118_5392164e0cb5045847c4ee9cff4813f6.exe
3624	hvmqnjpved

Program crash 3 IoCs

pid	pid_target	Process	procid_target
2492	4952	WerFault.exe	93
4440	2944	WerFault.exe	99
1580	608	WerFault.exe	102

System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_5392164e0cb5045847c4ee9cff4813f6.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	hvmqnjpved
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe

Suspicious behavior: EnumeratesProcesses 6 IoCs

pid	Process
3800	JaffaCakes118_5392164e0cb5045847c4ee9cff4813f6.exe
3800	JaffaCakes118_5392164e0cb5045847c4ee9cff4813f6.exe
3624	hvmqnjpved
3624	hvmqnjpved
3624	hvmqnjpved
3624	hvmqnjpved

Suspicious use of AdjustPrivilegeToken 46 IoCs

description	pid	Process
Token: SeRestorePrivilege	3624	hvmqnjpved
Token: SeBackupPrivilege	3624	hvmqnjpved
Token: SeBackupPrivilege	3624	hvmqnjpved
Token: SeRestorePrivilege	3624	hvmqnjpved
Token: SeBackupPrivilege	4952	svchost.exe
Token: SeRestorePrivilege	4952	svchost.exe
Token: SeBackupPrivilege	4952	svchost.exe
Token: SeBackupPrivilege	4952	svchost.exe
Token: SeSecurityPrivilege	4952	svchost.exe
Token: SeSecurityPrivilege	4952	svchost.exe
Token: SeBackupPrivilege	4952	svchost.exe
Token: SeBackupPrivilege	4952	svchost.exe
Token: SeSecurityPrivilege	4952	svchost.exe
Token: SeBackupPrivilege	4952	svchost.exe
Token: SeBackupPrivilege	4952	svchost.exe
Token: SeSecurityPrivilege	4952	svchost.exe
Token: SeBackupPrivilege	4952	svchost.exe
Token: SeRestorePrivilege	4952	svchost.exe
Token: SeBackupPrivilege	2944	svchost.exe
Token: SeRestorePrivilege	2944	svchost.exe
Token: SeBackupPrivilege	2944	svchost.exe
Token: SeBackupPrivilege	2944	svchost.exe
Token: SeSecurityPrivilege	2944	svchost.exe
Token: SeSecurityPrivilege	2944	svchost.exe
Token: SeBackupPrivilege	2944	svchost.exe
Token: SeBackupPrivilege	2944	svchost.exe
Token: SeSecurityPrivilege	2944	svchost.exe
Token: SeBackupPrivilege	2944	svchost.exe
Token: SeBackupPrivilege	2944	svchost.exe
Token: SeSecurityPrivilege	2944	svchost.exe
Token: SeBackupPrivilege	2944	svchost.exe
Token: SeRestorePrivilege	2944	svchost.exe
Token: SeBackupPrivilege	608	svchost.exe
Token: SeRestorePrivilege	608	svchost.exe
Token: SeBackupPrivilege	608	svchost.exe
Token: SeBackupPrivilege	608	svchost.exe
Token: SeSecurityPrivilege	608	svchost.exe
Token: SeSecurityPrivilege	608	svchost.exe
Token: SeBackupPrivilege	608	svchost.exe
Token: SeBackupPrivilege	608	svchost.exe
Token: SeSecurityPrivilege	608	svchost.exe
Token: SeBackupPrivilege	608	svchost.exe
Token: SeBackupPrivilege	608	svchost.exe
Token: SeSecurityPrivilege	608	svchost.exe
Token: SeBackupPrivilege	608	svchost.exe
Token: SeRestorePrivilege	608	svchost.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 3800 wrote to memory of 3624	3800	JaffaCakes118_5392164e0cb5045847c4ee9cff4813f6.exe	87
PID 3800 wrote to memory of 3624	3800	JaffaCakes118_5392164e0cb5045847c4ee9cff4813f6.exe	87
PID 3800 wrote to memory of 3624	3800	JaffaCakes118_5392164e0cb5045847c4ee9cff4813f6.exe	87

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_5392164e0cb5045847c4ee9cff4813f6.exe
"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_5392164e0cb5045847c4ee9cff4813f6.exe"
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:3800
- \??\c:\users\admin\appdata\local\hvmqnjpved
  "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_5392164e0cb5045847c4ee9cff4813f6.exe" a -sc:\users\admin\appdata\local\temp\jaffacakes118_5392164e0cb5045847c4ee9cff4813f6.exe
  2⤵
  - Identifies VirtualBox via ACPI registry values (likely anti-VM)
  - Deletes itself
  - Executes dropped EXE
  - Identifies Wine through registry keys
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:3624

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k netsvcs -s fastuserswitchingcompatibility
1⤵
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
PID:4952
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 4952 -s 1040
  2⤵
  - Program crash
  PID:2492

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 432 -p 4952 -ip 4952
1⤵
PID:2080

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k netsvcs -s fastuserswitchingcompatibility
1⤵
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
PID:2944
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 2944 -s 1108
  2⤵
  - Program crash
  PID:4440

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 512 -p 2944 -ip 2944
1⤵
PID:2768

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k netsvcs -s fastuserswitchingcompatibility
1⤵
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
PID:608
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 608 -s 940
  2⤵
  - Program crash
  PID:1580

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 480 -p 608 -ip 608
1⤵
PID:1700

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Virtualization/Sandbox Evasion

T1497

Credential Access

Discovery

Query Registry

T1012

System Location Discovery

T1614

System Language Discovery

T1614.001

Virtualization/Sandbox Evasion

T1497

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\hvmqnjpved

Filesize
22.2MB

MD5
f0342f77c8ca8f3e17aadd10045dff9d

SHA1
6c753bb90fdb77e8283ed4e0fb1a147b97482943

SHA256
59c5881cd81999aa6dbf6054fed9a1779a1c61f4558d33e034a981c2e701b48f

SHA512
b3664f268a9f1f820cfaf9e3e2054f3546bd920df20ab720476cb0722fa350763d5b0e8b73682b34a9fe5773317f47b6abbc4de052b15a7e2b75e6490f166b2e

Download Submit
C:\Windows\SysWOW64\svchost.exe.txt

Filesize
202B

MD5
b075d66693df9ded937399c6e83fa23f

SHA1
c4eaf9d7129ea036217a988d80de56905fa720b3

SHA256
e9084b9e9d2951266158b55157bc2ccc1fa6c55822bf22e712e52916b027d516

SHA512
72024fec381a60eee13ba668a3d23fcf71eb830eba43371ad31da1b8cfc6196c1c0d03edd3e18910eb5bd7b6ce6612b58b7e599a14a0e0ce6de290d60ef31140

Download Submit
C:\Windows\SysWOW64\svchost.exe.txt

Filesize
303B

MD5
1fdd5027a41f1e287fae8bca6bbd3168

SHA1
312f014c0d273a6f6d8ba44d69f2362b30f27c50

SHA256
df005033ac746ab38b62e94099a040964f28daa2f1a267045ee72c1bda588e66

SHA512
201ddf1c0a19929ff222581cd1993f2a8a13074ffd749e2aec4e4c35cd192a5686ac465838be287c739e0294765e2fbd5b6d25a8a46021bea4df079b3f9ae498

Download Submit
\??\c:\programdata\application data\storm\update\%sessionname%\qmrrr.cc3

Filesize
24.0MB

MD5
554547394eaf529cad721c7a43e6bb5e

SHA1
2fc9b5651a9c122581e9b8e0e8dc1eda8f2d1a91

SHA256
dc40bc5aa88d4e2a43abecadc208bd46e827c89beff529dac7a9681a0dccb925

SHA512
2d6d8e7ea1c2a8493749ce5083c458ce2753f1ce998075a2bc76ffaace433901efb3f23924ad2b7250955e41ed5120632755116253672eaadde063b252f80212

Download Submit
memory/608-46-0x0000000020000000-0x0000000020027000-memory.dmp

Filesize
156KB

Download
memory/608-43-0x0000000001BE0000-0x0000000001BE1000-memory.dmp

Filesize
4KB

Download
memory/2944-41-0x0000000020000000-0x0000000020027000-memory.dmp

Filesize
156KB

Download
memory/2944-38-0x0000000001B00000-0x0000000001B01000-memory.dmp

Filesize
4KB

Download
memory/3624-31-0x0000000000400000-0x000000000097D000-memory.dmp

Filesize
5.5MB

Download
memory/3624-26-0x0000000000400000-0x000000000097D000-memory.dmp

Filesize
5.5MB

Download
memory/3624-32-0x0000000000400000-0x000000000097D000-memory.dmp

Filesize
5.5MB

Download
memory/3624-25-0x0000000000400000-0x000000000097D000-memory.dmp

Filesize
5.5MB

Download
memory/3624-15-0x0000000000400000-0x000000000097D000-memory.dmp

Filesize
5.5MB

Download
memory/3624-24-0x0000000000400000-0x000000000097D000-memory.dmp

Filesize
5.5MB

Download
memory/3624-19-0x0000000000400000-0x000000000097D000-memory.dmp

Filesize
5.5MB

Download
memory/3624-20-0x0000000000400000-0x000000000097D000-memory.dmp

Filesize
5.5MB

Download
memory/3624-21-0x0000000000400000-0x000000000097D000-memory.dmp

Filesize
5.5MB

Download
memory/3624-22-0x0000000000400000-0x000000000097D000-memory.dmp

Filesize
5.5MB

Download
memory/3624-23-0x0000000000400000-0x000000000097D000-memory.dmp

Filesize
5.5MB

Download
memory/3800-6-0x0000000000401000-0x0000000000419000-memory.dmp

Filesize
96KB

Download
memory/3800-2-0x0000000000E10000-0x0000000000E11000-memory.dmp

Filesize
4KB

Download
memory/3800-9-0x0000000000400000-0x000000000097D000-memory.dmp

Filesize
5.5MB

Download
memory/3800-8-0x0000000000400000-0x000000000097D000-memory.dmp

Filesize
5.5MB

Download
memory/3800-7-0x0000000000400000-0x000000000097D000-memory.dmp

Filesize
5.5MB

Download
memory/3800-0-0x0000000000400000-0x000000000097D000-memory.dmp

Filesize
5.5MB

Download
memory/3800-5-0x0000000000400000-0x000000000097D000-memory.dmp

Filesize
5.5MB

Download
memory/3800-1-0x0000000000DD0000-0x0000000000DD1000-memory.dmp

Filesize
4KB

Download
memory/3800-16-0x0000000000400000-0x000000000097D000-memory.dmp

Filesize
5.5MB

Download
memory/3800-18-0x0000000000401000-0x0000000000419000-memory.dmp

Filesize
96KB

Download
memory/3800-4-0x0000000077E74000-0x0000000077E76000-memory.dmp

Filesize
8KB

Download
memory/3800-3-0x0000000002820000-0x0000000002980000-memory.dmp

Filesize
1.4MB

Download
memory/4952-36-0x0000000020000000-0x0000000020027000-memory.dmp

Filesize
156KB

Download
memory/4952-34-0x0000000000F60000-0x0000000000F61000-memory.dmp

Filesize
4KB

Download