gh0strat | ae6576ce40c84c8e8e06763a45e55d54e4552d09165c3329863425caee337a2f

Analysis

max time kernel
122s
max time network
123s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
06/03/2025, 00:39

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

JaffaCakes118_54421a4e48827e509288c5cb97a0ce12.exe
Size

148KB
MD5

54421a4e48827e509288c5cb97a0ce12
SHA1

dc3dfd2362ed9283f1554c4e9610ce4b7bfa244d
SHA256

ae6576ce40c84c8e8e06763a45e55d54e4552d09165c3329863425caee337a2f
SHA512

f7fd4a145d8403e6712ad850d69fad7b3c5a56e2bdf8a8addd7d4fcd253f3be47e85983c220ea8a7624685c75bacd9435c271ee875b2aa80e33b1738658d5225
SSDEEP

3072:9VonPblT9Q/2UT2loXguQPBzGygGucp0Yf/XXIVzG2n7KMnq:9VoPblxQ/PaCQrPBKEu89fvXKzGqO

Score

10^/10

gh0strat discovery rat

Malware Config

Signatures

Gh0st RAT payload 1 IoCs

resource	yara_rule
behavioral1/files/0x00080000000120cd-1.dat	family_gh0strat

Gh0strat
Gh0st RAT is a remote access tool (RAT) with its source code public and it has been used by multiple Chinese groups.
rat gh0strat
Gh0strat family
gh0strat

Loads dropped DLL 1 IoCs

pid	Process
2772	JaffaCakes118_54421a4e48827e509288c5cb97a0ce12.exe

Drops file in System32 directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\rising.ini	JaffaCakes118_54421a4e48827e509288c5cb97a0ce12.exe

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_54421a4e48827e509288c5cb97a0ce12.exe

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_54421a4e48827e509288c5cb97a0ce12.exe
"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_54421a4e48827e509288c5cb97a0ce12.exe"
1⤵
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:2772

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\Users\Admin\AppData\Local\Temp\Server.tmp

Filesize
120KB

MD5
690f96bb11a4b55cfcf164a1fbdbb5ae

SHA1
1f418b96115399418abcfe94773f9c10957e2a44

SHA256
fbdbb6e5bd66fbcad54fd23e5756e35bebce90a06ab33da904d65c2aacb1518e

SHA512
f217df7de69df656410d26f7671f5fde753e605462dc63cc842019b159b521e35013827c79f05dc08fb8862dde0d91899688b5de379ae67a56860f84a34cfe02

Download Submit