gh0strat | 2eaffee2df904fe4f9e8275adba88b6b9c79833cd1c56f2efd730e49994ea3c1

General

Target

JaffaCakes118_569950bac39e02139f59232e4342bd72.exe
Size

338KB
MD5

569950bac39e02139f59232e4342bd72
SHA1

5fe8348ba8e33832c1d32c440ce6bcd5ca2d81a3
SHA256

2eaffee2df904fe4f9e8275adba88b6b9c79833cd1c56f2efd730e49994ea3c1
SHA512

2ab32d6807279921fd2c3f73d3dd7ed92fd1bdb1823c89e8065c7934b224e613daf7f82f39f457708c7f7ce7dd905f0166c16dfb61ca7d5d009ad857af3a0483
SSDEEP

6144:kDOKu03Vjuy4nDWgRAkPf2GQn8xID0DMFChkYkYZeTx1xirVOK/Apf8bZ9oWOQ:8ju0FKvR3Pf2GLxe0Dv7jZw1ucEN9oZQ

Score

10^/10

Malware Config

Signatures

Gh0st RAT payload 6 IoCs

resource	yara_rule
behavioral1/memory/2036-28-0x0000000000400000-0x0000000000486000-memory.dmp	family_gh0strat
behavioral1/memory/2036-27-0x0000000000230000-0x00000000002B6000-memory.dmp	family_gh0strat
behavioral1/memory/1060-19-0x0000000000400000-0x0000000000486000-memory.dmp	family_gh0strat
behavioral1/memory/1060-5-0x0000000000400000-0x0000000000486000-memory.dmp	family_gh0strat
behavioral1/memory/2036-34-0x0000000000400000-0x0000000000486000-memory.dmp	family_gh0strat
behavioral1/files/0x0008000000015cd1-35.dat	family_gh0strat

Gh0strat
Gh0st RAT is a remote access tool (RAT) with its source code public and it has been used by multiple Chinese groups.
rat gh0strat
Gh0strat family
gh0strat

Boot or Logon Autostart Execution: Active Setup 2 TTPs 2 IoCs

Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

persistence

Active Setup

T1547.014

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{23597736-71BC-450c-B237-5EC58EA855D5}	JaffaCakes118_569950bac39e02139f59232e4342bd72.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{23597736-71BC-450c-B237-5EC58EA855D5}\stubpath = "C:\\Windows\\system32\\inzvgovkd.exe"	JaffaCakes118_569950bac39e02139f59232e4342bd72.exe

Executes dropped EXE 1 IoCs

pid	Process
2036	inzvgovkd.exe

Loads dropped DLL 5 IoCs

pid	Process
1060	JaffaCakes118_569950bac39e02139f59232e4342bd72.exe
2036	inzvgovkd.exe
2036	inzvgovkd.exe
2036	inzvgovkd.exe
2704	userinit.exe

Drops file in System32 directory 2 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\inzvgovkd.exe	JaffaCakes118_569950bac39e02139f59232e4342bd72.exe
File opened for modification	C:\Windows\SysWOW64\inzvgovkd.exe_lang.ini	JaffaCakes118_569950bac39e02139f59232e4342bd72.exe

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_569950bac39e02139f59232e4342bd72.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	inzvgovkd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	userinit.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
1060	JaffaCakes118_569950bac39e02139f59232e4342bd72.exe
2036	inzvgovkd.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	1060	JaffaCakes118_569950bac39e02139f59232e4342bd72.exe
Token: SeDebugPrivilege	2036	inzvgovkd.exe

Suspicious use of WriteProcessMemory 15 IoCs

description	pid	Process	procid_target
PID 1060 wrote to memory of 2036	1060	JaffaCakes118_569950bac39e02139f59232e4342bd72.exe	30
PID 1060 wrote to memory of 2036	1060	JaffaCakes118_569950bac39e02139f59232e4342bd72.exe	30
PID 1060 wrote to memory of 2036	1060	JaffaCakes118_569950bac39e02139f59232e4342bd72.exe	30
PID 1060 wrote to memory of 2036	1060	JaffaCakes118_569950bac39e02139f59232e4342bd72.exe	30
PID 1060 wrote to memory of 2036	1060	JaffaCakes118_569950bac39e02139f59232e4342bd72.exe	30
PID 1060 wrote to memory of 2036	1060	JaffaCakes118_569950bac39e02139f59232e4342bd72.exe	30
PID 1060 wrote to memory of 2036	1060	JaffaCakes118_569950bac39e02139f59232e4342bd72.exe	30
PID 2036 wrote to memory of 2704	2036	inzvgovkd.exe	31
PID 2036 wrote to memory of 2704	2036	inzvgovkd.exe	31
PID 2036 wrote to memory of 2704	2036	inzvgovkd.exe	31
PID 2036 wrote to memory of 2704	2036	inzvgovkd.exe	31
PID 2036 wrote to memory of 2704	2036	inzvgovkd.exe	31
PID 2036 wrote to memory of 2704	2036	inzvgovkd.exe	31
PID 2036 wrote to memory of 2704	2036	inzvgovkd.exe	31
PID 2036 wrote to memory of 2704	2036	inzvgovkd.exe	31

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_569950bac39e02139f59232e4342bd72.exe
"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_569950bac39e02139f59232e4342bd72.exe"
1⤵
- Boot or Logon Autostart Execution: Active Setup
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1060
- C:\Windows\SysWOW64\inzvgovkd.exe
  C:\Windows\system32\inzvgovkd.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2036
- - C:\Windows\SysWOW64\userinit.exe
    userinit.exe
    3⤵
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    PID:2704

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Active Setup

1

T1547.014

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Active Setup

1

T1547.014

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\259437322_lang.dll

Filesize
122KB

MD5
8179dc23f21d577fd55c5ffe1b7c590e

SHA1
582298fb6622463b4340852eb881c14bdc255eef

SHA256
4181cbf7d0ac2138b4798bd5600b94ac569682138484602f2d9d370f0a17af51

SHA512
52505a86b4300a0b988323b453327ad385d672878ad30aba0689d77ca1c001197e0174532b5240f9ab8c381b161cf2f0f7e30f36fb2cef4d6463be9199199b77

Download Submit
\Windows\SysWOW64\inzvgovkd.exe

Filesize
338KB

MD5
83105ee99c189407de9c15ac0bdffa64

SHA1
99cef492654c87882475a765f4b591ee9eca553b

SHA256
46973b1f86f9bb29d231fe614651a61aab2acf744d6ffe398e0aee21ce102604

SHA512
d5229caa9386cffb0218977ae6a8e4302397643b4cdbb895027dc318d0b7d2acc0387ca0d9c571614120133c5492f4e2e2b4050f5b0143baff8f39c32aeccf00

Download Submit
memory/1060-20-0x0000000000401000-0x0000000000408000-memory.dmp

Filesize
28KB

Download
memory/1060-3-0x0000000000400000-0x0000000000486000-memory.dmp

Filesize
536KB

Download
memory/1060-8-0x00000000002A0000-0x00000000002A1000-memory.dmp

Filesize
4KB

Download
memory/1060-9-0x0000000000401000-0x0000000000408000-memory.dmp

Filesize
28KB

Download
memory/1060-1-0x00000000001E0000-0x0000000000220000-memory.dmp

Filesize
256KB

Download
memory/1060-2-0x0000000000400000-0x0000000000486000-memory.dmp

Filesize
536KB

Download
memory/1060-4-0x0000000000400000-0x0000000000486000-memory.dmp

Filesize
536KB

Download
memory/1060-21-0x00000000001E0000-0x0000000000220000-memory.dmp

Filesize
256KB

Download
memory/1060-0-0x0000000000400000-0x0000000000486000-memory.dmp

Filesize
536KB

Download
memory/1060-19-0x0000000000400000-0x0000000000486000-memory.dmp

Filesize
536KB

Download
memory/1060-7-0x00000000001E0000-0x0000000000220000-memory.dmp

Filesize
256KB

Download
memory/1060-6-0x00000000008F0000-0x0000000000976000-memory.dmp

Filesize
536KB

Download
memory/1060-5-0x0000000000400000-0x0000000000486000-memory.dmp

Filesize
536KB

Download
memory/2036-26-0x0000000000250000-0x0000000000290000-memory.dmp

Filesize
256KB

Download
memory/2036-27-0x0000000000230000-0x00000000002B6000-memory.dmp

Filesize
536KB

Download
memory/2036-34-0x0000000000400000-0x0000000000486000-memory.dmp

Filesize
536KB

Download
memory/2036-32-0x0000000000250000-0x0000000000290000-memory.dmp

Filesize
256KB

Download
memory/2036-28-0x0000000000400000-0x0000000000486000-memory.dmp

Filesize
536KB

Download
memory/2704-31-0x0000000000090000-0x0000000000091000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads