gh0strat | 0c71ddd274298e2a05b48acaa278704fdc842b3dcdc941891668161e8cdff50e

Analysis

max time kernel
120s
max time network
141s
platform
windows10-2004_x64
resource
win10v2004-20250217-en
resource tags

arch:x64arch:x86image:win10v2004-20250217-enlocale:en-usos:windows10-2004-x64system
submitted
06/03/2025, 10:27

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

JaffaCakes118_55fe2a4b9a75eeed31c19f9ef7c19e55.exe
Size

95KB
MD5

55fe2a4b9a75eeed31c19f9ef7c19e55
SHA1

d448cf6db82246e23efe2718c40e4b9ae23d7b22
SHA256

0c71ddd274298e2a05b48acaa278704fdc842b3dcdc941891668161e8cdff50e
SHA512

5abbaa1fbaa3a00f1b6e589392acaff2a3e6738d0b9a396df6a558dc20ab8d25f6ac072970aa2fc2f0570c4c696cb89afe0ee2a28d103fb81881b85058e1dfa1
SSDEEP

1536:qKFusSx9qYMhdFHS8qdydo3nTzhYxJA+CwNUtBZVY9v8prTPLyrBdACLmDx7kEOR:qQS4jHS8q/3nTzePCwNUh4E9TPerBdAc

Score

10^/10

gh0strat discovery rat

Malware Config

Signatures

Gh0st RAT payload 5 IoCs

resource	yara_rule
behavioral2/files/0x000300000001e725-15.dat	family_gh0strat
behavioral2/memory/212-16-0x0000000000400000-0x000000000044E348-memory.dmp	family_gh0strat
behavioral2/memory/4036-19-0x0000000020000000-0x0000000020027000-memory.dmp	family_gh0strat
behavioral2/memory/432-24-0x0000000020000000-0x0000000020027000-memory.dmp	family_gh0strat
behavioral2/memory/2596-29-0x0000000020000000-0x0000000020027000-memory.dmp	family_gh0strat

Gh0strat
Gh0st RAT is a remote access tool (RAT) with its source code public and it has been used by multiple Chinese groups.
rat gh0strat
Gh0strat family
gh0strat

Deletes itself 1 IoCs

pid	Process
212	jpehxxxkmn

Executes dropped EXE 1 IoCs

pid	Process
212	jpehxxxkmn

Loads dropped DLL 3 IoCs

pid	Process
4036	svchost.exe
432	svchost.exe
2596	svchost.exe

Drops file in System32 directory 6 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\kbhuhiuhpu	svchost.exe
File opened for modification	C:\Windows\SysWOW64\svchost.exe.txt	svchost.exe
File created	C:\Windows\SysWOW64\kjunplxfcp	svchost.exe
File opened for modification	C:\Windows\SysWOW64\svchost.exe.txt	svchost.exe
File created	C:\Windows\SysWOW64\kjunplxfcp	svchost.exe
File opened for modification	C:\Windows\SysWOW64\svchost.exe.txt	svchost.exe

Program crash 3 IoCs

pid	pid_target	Process	procid_target
712	4036	WerFault.exe	91
3936	432	WerFault.exe	97
412	2596	WerFault.exe	100

System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_55fe2a4b9a75eeed31c19f9ef7c19e55.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	jpehxxxkmn
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
212	jpehxxxkmn
212	jpehxxxkmn

Suspicious use of AdjustPrivilegeToken 46 IoCs

description	pid	Process
Token: SeRestorePrivilege	212	jpehxxxkmn
Token: SeBackupPrivilege	212	jpehxxxkmn
Token: SeBackupPrivilege	212	jpehxxxkmn
Token: SeRestorePrivilege	212	jpehxxxkmn
Token: SeBackupPrivilege	4036	svchost.exe
Token: SeRestorePrivilege	4036	svchost.exe
Token: SeBackupPrivilege	4036	svchost.exe
Token: SeBackupPrivilege	4036	svchost.exe
Token: SeSecurityPrivilege	4036	svchost.exe
Token: SeSecurityPrivilege	4036	svchost.exe
Token: SeBackupPrivilege	4036	svchost.exe
Token: SeBackupPrivilege	4036	svchost.exe
Token: SeSecurityPrivilege	4036	svchost.exe
Token: SeBackupPrivilege	4036	svchost.exe
Token: SeBackupPrivilege	4036	svchost.exe
Token: SeSecurityPrivilege	4036	svchost.exe
Token: SeBackupPrivilege	4036	svchost.exe
Token: SeRestorePrivilege	4036	svchost.exe
Token: SeBackupPrivilege	432	svchost.exe
Token: SeRestorePrivilege	432	svchost.exe
Token: SeBackupPrivilege	432	svchost.exe
Token: SeBackupPrivilege	432	svchost.exe
Token: SeSecurityPrivilege	432	svchost.exe
Token: SeSecurityPrivilege	432	svchost.exe
Token: SeBackupPrivilege	432	svchost.exe
Token: SeBackupPrivilege	432	svchost.exe
Token: SeSecurityPrivilege	432	svchost.exe
Token: SeBackupPrivilege	432	svchost.exe
Token: SeBackupPrivilege	432	svchost.exe
Token: SeSecurityPrivilege	432	svchost.exe
Token: SeBackupPrivilege	432	svchost.exe
Token: SeRestorePrivilege	432	svchost.exe
Token: SeBackupPrivilege	2596	svchost.exe
Token: SeRestorePrivilege	2596	svchost.exe
Token: SeBackupPrivilege	2596	svchost.exe
Token: SeBackupPrivilege	2596	svchost.exe
Token: SeSecurityPrivilege	2596	svchost.exe
Token: SeSecurityPrivilege	2596	svchost.exe
Token: SeBackupPrivilege	2596	svchost.exe
Token: SeBackupPrivilege	2596	svchost.exe
Token: SeSecurityPrivilege	2596	svchost.exe
Token: SeBackupPrivilege	2596	svchost.exe
Token: SeBackupPrivilege	2596	svchost.exe
Token: SeSecurityPrivilege	2596	svchost.exe
Token: SeBackupPrivilege	2596	svchost.exe
Token: SeRestorePrivilege	2596	svchost.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 4900 wrote to memory of 212	4900	JaffaCakes118_55fe2a4b9a75eeed31c19f9ef7c19e55.exe	88
PID 4900 wrote to memory of 212	4900	JaffaCakes118_55fe2a4b9a75eeed31c19f9ef7c19e55.exe	88
PID 4900 wrote to memory of 212	4900	JaffaCakes118_55fe2a4b9a75eeed31c19f9ef7c19e55.exe	88

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_55fe2a4b9a75eeed31c19f9ef7c19e55.exe
"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_55fe2a4b9a75eeed31c19f9ef7c19e55.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4900
- \??\c:\users\admin\appdata\local\jpehxxxkmn
  "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_55fe2a4b9a75eeed31c19f9ef7c19e55.exe" a -sc:\users\admin\appdata\local\temp\jaffacakes118_55fe2a4b9a75eeed31c19f9ef7c19e55.exe
  2⤵
  - Deletes itself
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:212

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k netsvcs -s fastuserswitchingcompatibility
1⤵
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
PID:4036
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 4036 -s 768
  2⤵
  - Program crash
  PID:712

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 440 -p 4036 -ip 4036
1⤵
PID:1652

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k netsvcs -s fastuserswitchingcompatibility
1⤵
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
PID:432
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 432 -s 956
  2⤵
  - Program crash
  PID:3936

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 532 -p 432 -ip 432
1⤵
PID:4100

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k netsvcs -s fastuserswitchingcompatibility
1⤵
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
PID:2596
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 2596 -s 868
  2⤵
  - Program crash
  PID:412

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 368 -p 2596 -ip 2596
1⤵
PID:2476

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Storm\update\%SESSIONNAME%\evjjy.cc3

Filesize
23.1MB

MD5
4711523c9d8f64c978993aadcddd8349

SHA1
54a5737cfa0ca823d1b88d9ed9f6c290dfeff288

SHA256
f638bce760d84f31634a53ef2a5444eda557257220d9b1b14de2913cf5c09257

SHA512
987bcf9f68ec0cf06890e38241acedad57622f27128ff02d7ab63ae8ea7c50a9831f30033369a9e1416caeb89694d751b165d5cb05b86db7fb40036a82f46133

Download Submit
C:\Windows\SysWOW64\svchost.exe.txt

Filesize
202B

MD5
e8a7fad0df24c30d96f4b86cf014363f

SHA1
61f904b69ca3b301be6d5a8ae81c017c7ae3eabb

SHA256
38affcc82ec58d8c4dd0636646d70556287afaa020165923e9ecda74985dcbad

SHA512
2f12c78d5c1d538e4a2e467fb4eb2c4a9f3e35eeb2df853ba772507417d0d594715fa94292f57b7ec7f08cb01b273a8f4fddb775b27b3a55dfb830aaf97eeaa7

Download Submit
C:\Windows\SysWOW64\svchost.exe.txt

Filesize
303B

MD5
885e53859d3757ab526dcc1785171004

SHA1
f7bbb6179eb51a23ffc4c1a788e4377b9b928939

SHA256
6367dfc514cb156633f228aad718c3040457fd3f614426de2b8252beae2ec681

SHA512
d83ae6dfd5388903b54ae9febc090df71ca158cd4339a1f6d4bd580e36f380939791ca8228cbf16a52dc96dba5391f746f83093d213c5a91a02c99bac7631eb7

Download Submit
\??\c:\users\admin\appdata\local\jpehxxxkmn

Filesize
23.5MB

MD5
07e25d1fc9913a43c731f8adccbea8c6

SHA1
cccb555b22f7cc522342d7a64b4f0ccb18c9a50a

SHA256
1e6578086efc6c3797cb399d9b60fba34f86f2ff5be7d25110ede6d28f0a8e4b

SHA512
537f21cf435f145b4eb1956f4eb7220a7fa5141ebdae4079063acc997293da6e726e05363c8e8eef0850c89ac343562dec0937e9ca436aee08ccfec652d3d3b1

Download Submit
memory/212-16-0x0000000000400000-0x000000000044E348-memory.dmp

Filesize
312KB

Download
memory/212-7-0x0000000000400000-0x000000000044E348-memory.dmp

Filesize
312KB

Download
memory/212-11-0x00000000001C0000-0x00000000001C1000-memory.dmp

Filesize
4KB

Download
memory/432-21-0x0000000001F00000-0x0000000001F01000-memory.dmp

Filesize
4KB

Download
memory/432-24-0x0000000020000000-0x0000000020027000-memory.dmp

Filesize
156KB

Download
memory/2596-26-0x00000000015C0000-0x00000000015C1000-memory.dmp

Filesize
4KB

Download
memory/2596-29-0x0000000020000000-0x0000000020027000-memory.dmp

Filesize
156KB

Download
memory/4036-17-0x0000000002240000-0x0000000002241000-memory.dmp

Filesize
4KB

Download
memory/4036-19-0x0000000020000000-0x0000000020027000-memory.dmp

Filesize
156KB

Download
memory/4900-9-0x0000000000400000-0x000000000044E348-memory.dmp

Filesize
312KB

Download
memory/4900-0-0x0000000000400000-0x000000000044E348-memory.dmp

Filesize
312KB

Download
memory/4900-2-0x00000000001D0000-0x00000000001D1000-memory.dmp

Filesize
4KB

Download