gh0strat | 3a11eb449ae8e2880a403251f7270ede453a7d424e5297e44810cc43c6dbccc8

General

Target

JaffaCakes118_558140ea2c04f37d95c72a43073c1027.exe
Size

1.4MB
MD5

558140ea2c04f37d95c72a43073c1027
SHA1

9fc3bf1496f519ede537e8820de522ebf2c041d8
SHA256

3a11eb449ae8e2880a403251f7270ede453a7d424e5297e44810cc43c6dbccc8
SHA512

9f248722a3fdedf627fe568b1a26212dcd9922fd8ba947d074fde031fb32c5fd42dbdbd9b7416ab46fb4b60103cd7bccd256937c1a3576c97879e595bd63c3cc
SSDEEP

24576:vyq+e/hqP14vf6Xj3u2EJiqMdJWQb7EmXqYdchgaZL+gy35T5n7KMLDn58:6qM4vcj+2EwaQb7HFdc/ZrypTRKMHn58

Score

10^/10

gh0strat defense_evasion discovery persistence rat themida

Malware Config

Signatures

Gh0st RAT payload 3 IoCs

resource	yara_rule
behavioral1/files/0x000800000001686c-27.dat	family_gh0strat
behavioral1/files/0x0009000000016644-35.dat	family_gh0strat
behavioral1/files/0x0007000000016ce7-44.dat	family_gh0strat

Gh0strat
Gh0st RAT is a remote access tool (RAT) with its source code public and it has been used by multiple Chinese groups.
rat gh0strat
Gh0strat family
gh0strat

Boot or Logon Autostart Execution: Active Setup 2 TTPs 2 IoCs

Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

persistence

Active Setup

T1547.014

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{94B96E6C-69C4-4f2e-B568-FDFE36D9508F}\stubpath = "c:\\windows\\inxiaqxbm.exe"	server.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{94B96E6C-69C4-4f2e-B568-FDFE36D9508F}	server.exe

Executes dropped EXE 3 IoCs

pid	Process
2812	~__UNINST.EXE
2656	server.exe
2616	inxiaqxbm.exe

Identifies Wine through registry keys 2 TTPs 2 IoCs

Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.

defense_evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Wine	JaffaCakes118_558140ea2c04f37d95c72a43073c1027.exe
Key opened	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Wine	~__UNINST.EXE

Loads dropped DLL 11 IoCs

pid	Process
2196	JaffaCakes118_558140ea2c04f37d95c72a43073c1027.exe
2812	~__UNINST.EXE
2812	~__UNINST.EXE
2812	~__UNINST.EXE
2812	~__UNINST.EXE
2812	~__UNINST.EXE
2656	server.exe
2656	server.exe
2656	server.exe
2616	inxiaqxbm.exe
2812	~__UNINST.EXE

Themida packer 7 IoCs

Detects Themida, an advanced Windows software protection system.

themida

resource	yara_rule
behavioral1/memory/2196-0-0x0000000000400000-0x000000000057F000-memory.dmp	themida
behavioral1/memory/2196-4-0x0000000000400000-0x000000000057F000-memory.dmp	themida
behavioral1/files/0x00080000000120f9-7.dat	themida
behavioral1/memory/2812-13-0x0000000000400000-0x000000000057F000-memory.dmp	themida
behavioral1/memory/2812-23-0x0000000000400000-0x000000000057F000-memory.dmp	themida
behavioral1/memory/2812-49-0x0000000000400000-0x000000000057F000-memory.dmp	themida
behavioral1/memory/2812-52-0x0000000000400000-0x000000000057F000-memory.dmp	themida

Drops file in System32 directory 1 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\syslog.dat	server.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs

pid	Process
2196	JaffaCakes118_558140ea2c04f37d95c72a43073c1027.exe
2812	~__UNINST.EXE

Drops file in Windows directory 2 IoCs

description	ioc	Process
File created	\??\c:\windows\inxiaqxbm.exe	server.exe
File opened for modification	\??\c:\windows\inxiaqxbm.exe_lang.ini	server.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	server.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	inxiaqxbm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_558140ea2c04f37d95c72a43073c1027.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	~__UNINST.EXE

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
2196	JaffaCakes118_558140ea2c04f37d95c72a43073c1027.exe
2812	~__UNINST.EXE
2656	server.exe
2616	inxiaqxbm.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	2656	server.exe
Token: SeDebugPrivilege	2616	inxiaqxbm.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
2616	inxiaqxbm.exe

Suspicious use of WriteProcessMemory 21 IoCs

description	pid	Process	procid_target
PID 2196 wrote to memory of 2812	2196	JaffaCakes118_558140ea2c04f37d95c72a43073c1027.exe	30
PID 2196 wrote to memory of 2812	2196	JaffaCakes118_558140ea2c04f37d95c72a43073c1027.exe	30
PID 2196 wrote to memory of 2812	2196	JaffaCakes118_558140ea2c04f37d95c72a43073c1027.exe	30
PID 2196 wrote to memory of 2812	2196	JaffaCakes118_558140ea2c04f37d95c72a43073c1027.exe	30
PID 2196 wrote to memory of 2812	2196	JaffaCakes118_558140ea2c04f37d95c72a43073c1027.exe	30
PID 2196 wrote to memory of 2812	2196	JaffaCakes118_558140ea2c04f37d95c72a43073c1027.exe	30
PID 2196 wrote to memory of 2812	2196	JaffaCakes118_558140ea2c04f37d95c72a43073c1027.exe	30
PID 2812 wrote to memory of 2656	2812	~__UNINST.EXE	32
PID 2812 wrote to memory of 2656	2812	~__UNINST.EXE	32
PID 2812 wrote to memory of 2656	2812	~__UNINST.EXE	32
PID 2812 wrote to memory of 2656	2812	~__UNINST.EXE	32
PID 2812 wrote to memory of 2656	2812	~__UNINST.EXE	32
PID 2812 wrote to memory of 2656	2812	~__UNINST.EXE	32
PID 2812 wrote to memory of 2656	2812	~__UNINST.EXE	32
PID 2656 wrote to memory of 2616	2656	server.exe	33
PID 2656 wrote to memory of 2616	2656	server.exe	33
PID 2656 wrote to memory of 2616	2656	server.exe	33
PID 2656 wrote to memory of 2616	2656	server.exe	33
PID 2656 wrote to memory of 2616	2656	server.exe	33
PID 2656 wrote to memory of 2616	2656	server.exe	33
PID 2656 wrote to memory of 2616	2656	server.exe	33

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_558140ea2c04f37d95c72a43073c1027.exe
"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_558140ea2c04f37d95c72a43073c1027.exe"
1⤵
- Identifies Wine through registry keys
- Loads dropped DLL
- Suspicious use of NtSetInformationThreadHideFromDebugger
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2196
- C:\Users\Admin\AppData\Local\Temp\~__UNINST.EXE
  "C:\Users\Admin\AppData\Local\Temp\~__UNINST.EXE" C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_558140ea2c04f37d95c72a43073c1027.exe
  2⤵
  - Executes dropped EXE
  - Identifies Wine through registry keys
  - Loads dropped DLL
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:2812
- - C:\Users\Admin\AppData\Local\Temp\server.exe
    "C:\Users\Admin\AppData\Local\Temp\server.exe"
    3⤵
    - Boot or Logon Autostart Execution: Active Setup
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in System32 directory
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2656
  - - \??\c:\windows\inxiaqxbm.exe
      c:\windows\inxiaqxbm.exe ZhuDong
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of SetWindowsHookEx
      PID:2616

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Active Setup

1

T1547.014

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Active Setup

1

T1547.014

Defense Evasion

Modify Registry

1

T1112

Virtualization/Sandbox Evasion

1

T1497

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Virtualization/Sandbox Evasion

1

T1497

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\inxiaqxbm.exe

Filesize
174KB

MD5
caa40c4aace16fabc8de29fd314e5556

SHA1
534631a708cc6b5ec6fdb5bc782689be3cfdebf2

SHA256
c23b9cc14ec72ded30488f639c00903f40ca77b02bfc1ef0ad50346947f71737

SHA512
cf4808868458998b89e2ae35039b30364f794efd24604853b00d18d1240960bc525ecb5b608fe1c43ef8c6eda1244fd4884599ae38267bf1e905579059bb7d70

Download Submit
\Users\Admin\AppData\Local\Temp\259443390_lang.dll

Filesize
122KB

MD5
435b9900b0fe008e75b5a1ecc6857f6c

SHA1
e317ba910f4aaae0bfdd3db8f43ef219b147a8cd

SHA256
acee9ca5c930890ec2c3b8d0aaf46bd8a60957749d13eeb57825a0db8b55add6

SHA512
111e59f0d8aa3f11bc2747250b4b91b061f65146cee37efa6bc73abd5d6eab43b4947a9f7cb8fbae08507889fd51c5b494d4af911e90fd3d40cc57d2cc35df43

Download Submit
\Users\Admin\AppData\Local\Temp\server.exe

Filesize
174KB

MD5
121cfce381d14f5bb1ba149d44f11aab

SHA1
5524078d6d24b842426c6aa30ff523d222afeed5

SHA256
5d6f562b164697ddf19690a4a17369b10eb07818551aa2d3a4d4c607f69bc973

SHA512
ea3cb4bc1a3fff19a1e5a9a686d68b080786d19cc0db43e2b85440d105e23d038f32b46244ce35f935ef338a93907163847bcfda12e5678d62575bc3803cbfe5

Download Submit
\Users\Admin\AppData\Local\Temp\~__UNINST.EXE

Filesize
1.4MB

MD5
558140ea2c04f37d95c72a43073c1027

SHA1
9fc3bf1496f519ede537e8820de522ebf2c041d8

SHA256
3a11eb449ae8e2880a403251f7270ede453a7d424e5297e44810cc43c6dbccc8

SHA512
9f248722a3fdedf627fe568b1a26212dcd9922fd8ba947d074fde031fb32c5fd42dbdbd9b7416ab46fb4b60103cd7bccd256937c1a3576c97879e595bd63c3cc

Download Submit
memory/2196-6-0x00000000042C0000-0x00000000042D0000-memory.dmp

Filesize
64KB

Download
memory/2196-0-0x0000000000400000-0x000000000057F000-memory.dmp

Filesize
1.5MB

Download
memory/2196-4-0x0000000000400000-0x000000000057F000-memory.dmp

Filesize
1.5MB

Download
memory/2196-2-0x0000000000401000-0x0000000000402000-memory.dmp

Filesize
4KB

Download
memory/2196-1-0x0000000004160000-0x0000000004162000-memory.dmp

Filesize
8KB

Download
memory/2812-13-0x0000000000400000-0x000000000057F000-memory.dmp

Filesize
1.5MB

Download
memory/2812-17-0x0000000000C90000-0x0000000000E0F000-memory.dmp

Filesize
1.5MB

Download
memory/2812-18-0x0000000000C90000-0x0000000000E0F000-memory.dmp

Filesize
1.5MB

Download
memory/2812-23-0x0000000000400000-0x000000000057F000-memory.dmp

Filesize
1.5MB

Download
memory/2812-26-0x0000000004BF0000-0x0000000004C00000-memory.dmp

Filesize
64KB

Download
memory/2812-49-0x0000000000400000-0x000000000057F000-memory.dmp

Filesize
1.5MB

Download
memory/2812-50-0x0000000000C90000-0x0000000000E0F000-memory.dmp

Filesize
1.5MB

Download
memory/2812-52-0x0000000000400000-0x000000000057F000-memory.dmp

Filesize
1.5MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads