gh0strat | 5da4a3e61bf7cf4a2d4240bc3b1de93a61e57fc3519e13caf2474f7d12030d3f

Analysis

max time kernel
140s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20250217-en
resource tags

arch:x64arch:x86image:win10v2004-20250217-enlocale:en-usos:windows10-2004-x64system
submitted
06/03/2025, 13:25

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

JaffaCakes118_56862ecfc66c6941e12357f602424b25.exe
Size

476KB
MD5

56862ecfc66c6941e12357f602424b25
SHA1

c0ad1a78286d3f6e11492d0fbcf305f02f73a28f
SHA256

5da4a3e61bf7cf4a2d4240bc3b1de93a61e57fc3519e13caf2474f7d12030d3f
SHA512

3eda14f758cc3e7a3df5a88e9da817729b93b8955a34b6c0cd26a67b7eb750a7ba487e2305974e457b5258b4c79c1d21d863e7ca05c67718e2fdf1164cd67369
SSDEEP

6144:9qOVverctVjgK6GuQq9+vAG+wLhLL/Z0axth2uL29E2xlVqc:9q2veAtaK6GuQq9lG5hLL/guLT

Score

10^/10

gh0strat discovery rat

Malware Config

Signatures

Gh0st RAT payload 4 IoCs

resource	yara_rule
behavioral2/memory/220-10-0x0000000000400000-0x0000000000417000-memory.dmp	family_gh0strat
behavioral2/memory/220-13-0x0000000000400000-0x0000000000417000-memory.dmp	family_gh0strat
behavioral2/memory/220-15-0x0000000000400000-0x0000000000417000-memory.dmp	family_gh0strat
behavioral2/memory/220-16-0x0000000000400000-0x0000000000417000-memory.dmp	family_gh0strat

Gh0strat
Gh0st RAT is a remote access tool (RAT) with its source code public and it has been used by multiple Chinese groups.
rat gh0strat
Gh0strat family
gh0strat

Process spawned unexpected child process 1 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1748	4732	At.exe	94

Executes dropped EXE 2 IoCs

pid	Process
2288	SysClock.exe
220	SysClock.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 2288 set thread context of 220	2288	SysClock.exe	88

Launches sc.exe 2 IoCs

Sc.exe is a Windows utlilty to control services on the system.

pid	Process
2668	sc.exe
4624	sc.exe

System Location Discovery: System Language Discovery 1 TTPs 9 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	sc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wmic.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	SysClock.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	sc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	SysClock.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_56862ecfc66c6941e12357f602424b25.exe

Kills process with taskkill 2 IoCs

defense_evasion

pid	Process
4568	taskkill.exe
4940	taskkill.exe

Suspicious use of AdjustPrivilegeToken 44 IoCs

description	pid	Process
Token: SeIncreaseQuotaPrivilege	536	wmic.exe
Token: SeSecurityPrivilege	536	wmic.exe
Token: SeTakeOwnershipPrivilege	536	wmic.exe
Token: SeLoadDriverPrivilege	536	wmic.exe
Token: SeSystemProfilePrivilege	536	wmic.exe
Token: SeSystemtimePrivilege	536	wmic.exe
Token: SeProfSingleProcessPrivilege	536	wmic.exe
Token: SeIncBasePriorityPrivilege	536	wmic.exe
Token: SeCreatePagefilePrivilege	536	wmic.exe
Token: SeBackupPrivilege	536	wmic.exe
Token: SeRestorePrivilege	536	wmic.exe
Token: SeShutdownPrivilege	536	wmic.exe
Token: SeDebugPrivilege	536	wmic.exe
Token: SeSystemEnvironmentPrivilege	536	wmic.exe
Token: SeRemoteShutdownPrivilege	536	wmic.exe
Token: SeUndockPrivilege	536	wmic.exe
Token: SeManageVolumePrivilege	536	wmic.exe
Token: 33	536	wmic.exe
Token: 34	536	wmic.exe
Token: 35	536	wmic.exe
Token: 36	536	wmic.exe
Token: SeIncreaseQuotaPrivilege	536	wmic.exe
Token: SeSecurityPrivilege	536	wmic.exe
Token: SeTakeOwnershipPrivilege	536	wmic.exe
Token: SeLoadDriverPrivilege	536	wmic.exe
Token: SeSystemProfilePrivilege	536	wmic.exe
Token: SeSystemtimePrivilege	536	wmic.exe
Token: SeProfSingleProcessPrivilege	536	wmic.exe
Token: SeIncBasePriorityPrivilege	536	wmic.exe
Token: SeCreatePagefilePrivilege	536	wmic.exe
Token: SeBackupPrivilege	536	wmic.exe
Token: SeRestorePrivilege	536	wmic.exe
Token: SeShutdownPrivilege	536	wmic.exe
Token: SeDebugPrivilege	536	wmic.exe
Token: SeSystemEnvironmentPrivilege	536	wmic.exe
Token: SeRemoteShutdownPrivilege	536	wmic.exe
Token: SeUndockPrivilege	536	wmic.exe
Token: SeManageVolumePrivilege	536	wmic.exe
Token: 33	536	wmic.exe
Token: 34	536	wmic.exe
Token: 35	536	wmic.exe
Token: 36	536	wmic.exe
Token: SeDebugPrivilege	4568	taskkill.exe
Token: SeDebugPrivilege	4940	taskkill.exe

Suspicious use of WriteProcessMemory 26 IoCs

description	pid	Process	procid_target
PID 3596 wrote to memory of 2288	3596	JaffaCakes118_56862ecfc66c6941e12357f602424b25.exe	86
PID 3596 wrote to memory of 2288	3596	JaffaCakes118_56862ecfc66c6941e12357f602424b25.exe	86
PID 3596 wrote to memory of 2288	3596	JaffaCakes118_56862ecfc66c6941e12357f602424b25.exe	86
PID 3596 wrote to memory of 3632	3596	JaffaCakes118_56862ecfc66c6941e12357f602424b25.exe	87
PID 3596 wrote to memory of 3632	3596	JaffaCakes118_56862ecfc66c6941e12357f602424b25.exe	87
PID 3596 wrote to memory of 3632	3596	JaffaCakes118_56862ecfc66c6941e12357f602424b25.exe	87
PID 2288 wrote to memory of 220	2288	SysClock.exe	88
PID 2288 wrote to memory of 220	2288	SysClock.exe	88
PID 2288 wrote to memory of 220	2288	SysClock.exe	88
PID 2288 wrote to memory of 220	2288	SysClock.exe	88
PID 2288 wrote to memory of 220	2288	SysClock.exe	88
PID 3596 wrote to memory of 536	3596	JaffaCakes118_56862ecfc66c6941e12357f602424b25.exe	89
PID 3596 wrote to memory of 536	3596	JaffaCakes118_56862ecfc66c6941e12357f602424b25.exe	89
PID 3596 wrote to memory of 536	3596	JaffaCakes118_56862ecfc66c6941e12357f602424b25.exe	89
PID 3632 wrote to memory of 2668	3632	cmd.exe	92
PID 3632 wrote to memory of 2668	3632	cmd.exe	92
PID 3632 wrote to memory of 2668	3632	cmd.exe	92
PID 3632 wrote to memory of 4624	3632	cmd.exe	93
PID 3632 wrote to memory of 4624	3632	cmd.exe	93
PID 3632 wrote to memory of 4624	3632	cmd.exe	93
PID 3596 wrote to memory of 4568	3596	JaffaCakes118_56862ecfc66c6941e12357f602424b25.exe	114
PID 3596 wrote to memory of 4568	3596	JaffaCakes118_56862ecfc66c6941e12357f602424b25.exe	114
PID 3596 wrote to memory of 4568	3596	JaffaCakes118_56862ecfc66c6941e12357f602424b25.exe	114
PID 3596 wrote to memory of 4940	3596	JaffaCakes118_56862ecfc66c6941e12357f602424b25.exe	116
PID 3596 wrote to memory of 4940	3596	JaffaCakes118_56862ecfc66c6941e12357f602424b25.exe	116
PID 3596 wrote to memory of 4940	3596	JaffaCakes118_56862ecfc66c6941e12357f602424b25.exe	116

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_56862ecfc66c6941e12357f602424b25.exe
"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_56862ecfc66c6941e12357f602424b25.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3596
- C:\RECYCLER\20251325\SysClock.exe
  C:\RECYCLER\20251325\SysClock.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2288
- - C:\RECYCLER\20251325\SysClock.exe
    C:\RECYCLER\20251325\SysClock.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:220
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\RECYCLER\UPX.BAT
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:3632
- - C:\Windows\SysWOW64\sc.exe
    sc config schedule start= auto
    3⤵
    - Launches sc.exe
    - System Location Discovery: System Language Discovery
    PID:2668
- - C:\Windows\SysWOW64\sc.exe
    sc start schedule
    3⤵
    - Launches sc.exe
    - System Location Discovery: System Language Discovery
    PID:4624
- C:\Windows\SysWOW64\Wbem\wmic.exe
  wmic process call create "At 13:26 C:\RECYCLER\20251325\clock.exe"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  PID:536
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /f /im clock.exe
  2⤵
  - System Location Discovery: System Language Discovery
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:4568
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /f /im clock.exe
  2⤵
  - System Location Discovery: System Language Discovery
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:4940

C:\Windows\system32\At.exe
At 13:26 C:\RECYCLER\20251325\clock.exe
1⤵
- Process spawned unexpected child process
PID:1748

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\RECYCLER\20251325\SysClock.exe

Filesize
476KB

MD5
56862ecfc66c6941e12357f602424b25

SHA1
c0ad1a78286d3f6e11492d0fbcf305f02f73a28f

SHA256
5da4a3e61bf7cf4a2d4240bc3b1de93a61e57fc3519e13caf2474f7d12030d3f

SHA512
3eda14f758cc3e7a3df5a88e9da817729b93b8955a34b6c0cd26a67b7eb750a7ba487e2305974e457b5258b4c79c1d21d863e7ca05c67718e2fdf1164cd67369

Download Submit
C:\RECYCLER\UPX.BAT

Filesize
51B

MD5
496ede5f4af744ec169eeafc494593aa

SHA1
df7137e28043cc3d1fd18b7ede50d49497ddab11

SHA256
a74b48576dd2e5c8d3f14b9afb28f6947ab6c0c8632c0d4b447d64454d9ad2ff

SHA512
44309ae8ed29eb5619fe38dad62445bd741cd0c25271f36da03fc6fa1072b15bf70f5b88e89db8f10b41c4ef8c876c8a8e1d9e051a20de05accd0acf0583d4d0

Download Submit
memory/220-10-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/220-13-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/220-15-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/220-16-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download