gh0strat | 7bca5730a67fd45ddcf33dc1254f5c1b430afe180f75c5a9d54bdc0da400affc

General

Target

JaffaCakes118_5754fbee092911fed25371552db7f581.exe
Size

96KB
MD5

5754fbee092911fed25371552db7f581
SHA1

0ed3c994e7bcf3539882489379f0e2c65ee76896
SHA256

7bca5730a67fd45ddcf33dc1254f5c1b430afe180f75c5a9d54bdc0da400affc
SHA512

634f5a085042e78cae7d775aa33e1adc6a62011fc98e9323534d0de23f1928712542b7a345ba316c60d0389433fcbd5388323a23a593dc47d8beb6d2493b75d3
SSDEEP

1536:FwFusSx9qYMhdFHS8qdydo3nTzhYxJA+CwNUtBZVY9v8prKWveWa:FCS4jHS8q/3nTzePCwNUh4E9KWGWa

Score

10^/10

gh0strat bootkit discovery persistence rat

Malware Config

Signatures

Gh0st RAT payload 4 IoCs

resource	yara_rule
behavioral1/files/0x00080000000186ca-19.dat	family_gh0strat
behavioral1/memory/2320-21-0x0000000000400000-0x000000000044E2F4-memory.dmp	family_gh0strat
behavioral1/memory/2804-25-0x0000000020000000-0x0000000020027000-memory.dmp	family_gh0strat
behavioral1/memory/2804-27-0x0000000020000000-0x0000000020027000-memory.dmp	family_gh0strat

Gh0strat
Gh0st RAT is a remote access tool (RAT) with its source code public and it has been used by multiple Chinese groups.
rat gh0strat
Gh0strat family
gh0strat

Deletes itself 1 IoCs

pid	Process
2320	fphsxvnrvx

Executes dropped EXE 1 IoCs

pid	Process
2320	fphsxvnrvx

Loads dropped DLL 3 IoCs

pid	Process
1732	JaffaCakes118_5754fbee092911fed25371552db7f581.exe
1732	JaffaCakes118_5754fbee092911fed25371552db7f581.exe
2804	svchost.exe

Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs

Bootkits write to the MBR to gain persistence at a level below the operating system.

bootkit persistence

Bootkit

T1542.003

description	ioc	Process
File opened for modification	\??\PhysicalDrive0	svchost.exe

Drops file in System32 directory 1 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\kxdxfisuvg	svchost.exe

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_5754fbee092911fed25371552db7f581.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	fphsxvnrvx

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	svchost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	svchost.exe

Modifies data under HKEY_USERS 6 IoCs

description	ioc	Process
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\ActiveMovie\devenum\Version = "7"	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\ActiveMovie	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\ActiveMovie\devenum	svchost.exe

Suspicious behavior: EnumeratesProcesses 3 IoCs

pid	Process
2320	fphsxvnrvx
2804	svchost.exe
2804	svchost.exe

Suspicious use of AdjustPrivilegeToken 17 IoCs

description	pid	Process
Token: SeRestorePrivilege	2320	fphsxvnrvx
Token: SeBackupPrivilege	2320	fphsxvnrvx
Token: SeBackupPrivilege	2320	fphsxvnrvx
Token: SeRestorePrivilege	2320	fphsxvnrvx
Token: SeBackupPrivilege	2804	svchost.exe
Token: SeBackupPrivilege	2804	svchost.exe
Token: SeRestorePrivilege	2804	svchost.exe
Token: SeSecurityPrivilege	2804	svchost.exe
Token: SeSecurityPrivilege	2804	svchost.exe
Token: SeBackupPrivilege	2804	svchost.exe
Token: SeBackupPrivilege	2804	svchost.exe
Token: SeSecurityPrivilege	2804	svchost.exe
Token: SeBackupPrivilege	2804	svchost.exe
Token: SeBackupPrivilege	2804	svchost.exe
Token: SeSecurityPrivilege	2804	svchost.exe
Token: SeBackupPrivilege	2804	svchost.exe
Token: SeRestorePrivilege	2804	svchost.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 1732 wrote to memory of 2320	1732	JaffaCakes118_5754fbee092911fed25371552db7f581.exe	30
PID 1732 wrote to memory of 2320	1732	JaffaCakes118_5754fbee092911fed25371552db7f581.exe	30
PID 1732 wrote to memory of 2320	1732	JaffaCakes118_5754fbee092911fed25371552db7f581.exe	30
PID 1732 wrote to memory of 2320	1732	JaffaCakes118_5754fbee092911fed25371552db7f581.exe	30

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_5754fbee092911fed25371552db7f581.exe
"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_5754fbee092911fed25371552db7f581.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1732
- \??\c:\users\admin\appdata\local\fphsxvnrvx
  "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_5754fbee092911fed25371552db7f581.exe" a -sc:\users\admin\appdata\local\temp\jaffacakes118_5754fbee092911fed25371552db7f581.exe
  2⤵
  - Deletes itself
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2320

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k netsvcs
1⤵
- Loads dropped DLL
- Writes to the Master Boot Record (MBR)
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Checks processor information in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2804

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Pre-OS Boot

1

T1542

Bootkit

1

T1542.003

Privilege Escalation

Defense Evasion

Pre-OS Boot

1

T1542

Bootkit

1

T1542.003

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\??\c:\programdata\application data\storm\update\%sessionname%\qjceg.cc3

Filesize
21.1MB

MD5
f9352860e4cc4b77d98160738dfc3129

SHA1
8fd364ee78b1ba22a2178d066fdae5b157b2edde

SHA256
72fed2df61c9c18761ddbe781e9a7a370591a67b60fb774baf6ea9db6602789d

SHA512
1a3159cf192fb6e9ffc2f8a8753fee16a8baac043c6ca20b76b635b1af9ea85f690001a49f712698c9888ee46863ed5defb8ae18e96cf6755387b2c4d8d3e2d8

Download Submit
\Users\Admin\AppData\Local\fphsxvnrvx

Filesize
21.9MB

MD5
bd3c7b77518d331168024f08fb85aed7

SHA1
494f8ef63b0561ff24a70d74b0c896f1b21a1759

SHA256
280a2aa991bec7e1ca05f5325168f5c1e1054869da20cbf3601e56a5006be140

SHA512
663f5d06ec6dc18caef18b5347e7797e1a7d1a650752f448b5a68b06015b34dcf1c786612c8ae77a475fdd0f3be2cc5225b3b16df2aaa18822fe2c11aaca4cd7

Download Submit
memory/1732-2-0x0000000000030000-0x0000000000031000-memory.dmp

Filesize
4KB

Download
memory/1732-1-0x0000000000400000-0x000000000044E2F4-memory.dmp

Filesize
312KB

Download
memory/1732-13-0x0000000000280000-0x00000000002CF000-memory.dmp

Filesize
316KB

Download
memory/1732-12-0x0000000000400000-0x000000000044E2F4-memory.dmp

Filesize
312KB

Download
memory/1732-24-0x0000000000280000-0x00000000002CF000-memory.dmp

Filesize
316KB

Download
memory/2320-16-0x0000000000400000-0x000000000044E2F4-memory.dmp

Filesize
312KB

Download
memory/2320-21-0x0000000000400000-0x000000000044E2F4-memory.dmp

Filesize
312KB

Download
memory/2804-22-0x0000000000130000-0x0000000000131000-memory.dmp

Filesize
4KB

Download
memory/2804-25-0x0000000020000000-0x0000000020027000-memory.dmp

Filesize
156KB

Download
memory/2804-27-0x0000000020000000-0x0000000020027000-memory.dmp

Filesize
156KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads