gh0strat | 6890408c9b2951a708daf57e5cad76ff405981cb0080c5b3345297fdcadf3247

General

Target

JaffaCakes118_55b98489c397583c041c21f1dce0ec50.exe
Size

68KB
MD5

55b98489c397583c041c21f1dce0ec50
SHA1

b080b820a2ab7d678acfcf8b44529a998398f50b
SHA256

6890408c9b2951a708daf57e5cad76ff405981cb0080c5b3345297fdcadf3247
SHA512

a4dbf418ef8bfdb85d9e54ad5e8a62e6d282238a3cbeea42c3494d4c7c396b5968956f137eec2f04d4a1c7432ac512a3293d535a34cae5280702b8202f233030
SSDEEP

1536:X2NjIKUcbdPm4A/TQBjv9v9SuxtnOCiOYG1Q5:X4cKUOPm4oKjv19SuzOPOY4E

Score

10^/10

Malware Config

Signatures

Gh0st RAT payload 4 IoCs

resource	yara_rule
behavioral1/memory/1992-16-0x0000000010000000-0x0000000010021000-memory.dmp	family_gh0strat
behavioral1/memory/2884-18-0x0000000010000000-0x0000000010021000-memory.dmp	family_gh0strat
behavioral1/memory/2884-19-0x0000000010000000-0x0000000010021000-memory.dmp	family_gh0strat
behavioral1/memory/2884-24-0x0000000010000000-0x0000000010021000-memory.dmp	family_gh0strat

Gh0strat
Gh0st RAT is a remote access tool (RAT) with its source code public and it has been used by multiple Chinese groups.
rat gh0strat
Gh0strat family
gh0strat

Drops file in Drivers directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\Drivers\beep.sys	svchost.exe

Server Software Component: Terminal Services DLL 1 TTPs 1 IoCs

persistence

Terminal Services DLL

T1505.005

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\FastUserSwitchingCompatibility\Parameters\ServiceDll = "C:\\Windows\\system32\\msexFastUserSwitchingCompatibility.dll"	JaffaCakes118_55b98489c397583c041c21f1dce0ec50.exe

ACProtect 1.3x - 1.4x DLL software 2 IoCs

Detects file using ACProtect software.

resource	yara_rule
behavioral1/files/0x0009000000016c58-6.dat	acprotect
behavioral1/files/0x0008000000016cfe-17.dat	acprotect

Deletes itself 1 IoCs

pid	Process
2884	svchost.exe

Loads dropped DLL 2 IoCs

pid	Process
1992	JaffaCakes118_55b98489c397583c041c21f1dce0ec50.exe
2884	svchost.exe

Modifies system executable filetype association 2 TTPs 1 IoCs

persistence

Modify Registry

T1112

Change Default File Association

T1546.001

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\NeverShowExt	JaffaCakes118_55b98489c397583c041c21f1dce0ec50.exe

Drops file in System32 directory 3 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\text.log	JaffaCakes118_55b98489c397583c041c21f1dce0ec50.exe
File opened for modification	C:\Windows\SysWOW64\text.log	JaffaCakes118_55b98489c397583c041c21f1dce0ec50.exe
File opened for modification	C:\Windows\SysWOW64\msexFastUserSwitchingCompatibility.dll	JaffaCakes118_55b98489c397583c041c21f1dce0ec50.exe

UPX packed file 7 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/files/0x0009000000016c58-6.dat	upx
behavioral1/memory/1992-8-0x0000000010000000-0x0000000010021000-memory.dmp	upx
behavioral1/memory/1992-16-0x0000000010000000-0x0000000010021000-memory.dmp	upx
behavioral1/files/0x0008000000016cfe-17.dat	upx
behavioral1/memory/2884-18-0x0000000010000000-0x0000000010021000-memory.dmp	upx
behavioral1/memory/2884-19-0x0000000010000000-0x0000000010021000-memory.dmp	upx
behavioral1/memory/2884-24-0x0000000010000000-0x0000000010021000-memory.dmp	upx

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_55b98489c397583c041c21f1dce0ec50.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe

Modifies registry class 2 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile	JaffaCakes118_55b98489c397583c041c21f1dce0ec50.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\NeverShowExt	JaffaCakes118_55b98489c397583c041c21f1dce0ec50.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
1992	JaffaCakes118_55b98489c397583c041c21f1dce0ec50.exe
1992	JaffaCakes118_55b98489c397583c041c21f1dce0ec50.exe

Suspicious behavior: LoadsDriver 1 IoCs

pid	Process
476	Process not Found

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
2884	svchost.exe

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_55b98489c397583c041c21f1dce0ec50.exe
"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_55b98489c397583c041c21f1dce0ec50.exe"
1⤵
- Server Software Component: Terminal Services DLL
- Loads dropped DLL
- Modifies system executable filetype association
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
PID:1992

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k netsvcs
1⤵
- Drops file in Drivers directory
- Deletes itself
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:2884

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Event Triggered Execution

1

T1546

Change Default File Association

1

T1546.001

Server Software Component

1

T1505

Terminal Services DLL

1

T1505.005

Privilege Escalation

Event Triggered Execution

1

T1546

Change Default File Association

1

T1546.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\Users\Admin\AppData\Local\Temp\259430395_ex.tmp

Filesize
47KB

MD5
72b0a1fdfa152ba760bafb6b8623780d

SHA1
cf9420091ee7414dc43833cd0780e8595493bf6c

SHA256
3329938a048d0347dd2a6007936d873ba766e4b62370e43955b045e7fa17d175

SHA512
42fc75b6b9343c21a1ddcbf7612f732025f8a78f889d77cb9b78e8e15315594ddc3e3bf653eb68d46e582bbd44c100415a5c1f9a118fdbbe1ab47edd3966f6c6

Download Submit
\Windows\SysWOW64\msexFastUserSwitchingCompatibility.dll

Filesize
47KB

MD5
49bc3034b534f0c2ebbf90eb92b88be2

SHA1
c002b0c68c9d7c7b3a1e5b5ce004223ddf548a48

SHA256
65c9d54b4a3b2a2e24cf6743f7e5b2c9063eba406ffd64224c0ff658b1799641

SHA512
b2fb5a8f2c2804722aef32fd099649db53419abb6e922a29f5614943dcbea1d6ef649898718019080462db61aee800175bdb5f0bb3d70846d51d5a68d7d54b7a

Download Submit
memory/1992-0-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/1992-1-0x00000000003A0000-0x00000000003A1000-memory.dmp

Filesize
4KB

Download
memory/1992-8-0x0000000010000000-0x0000000010021000-memory.dmp

Filesize
132KB

Download
memory/1992-15-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/1992-16-0x0000000010000000-0x0000000010021000-memory.dmp

Filesize
132KB

Download
memory/2884-18-0x0000000010000000-0x0000000010021000-memory.dmp

Filesize
132KB

Download
memory/2884-19-0x0000000010000000-0x0000000010021000-memory.dmp

Filesize
132KB

Download
memory/2884-24-0x0000000010000000-0x0000000010021000-memory.dmp

Filesize
132KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads