gh0strat | 14a1742d30b0ff7d14b1737b5831ad035921c534c998b79551b97f026f2e1d25

Analysis

max time kernel
94s
max time network
145s
platform
windows10-2004_x64
resource
win10v2004-20250217-en
resource tags

arch:x64arch:x86image:win10v2004-20250217-enlocale:en-usos:windows10-2004-x64system
submitted
07/03/2025, 14:20

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

JaffaCakes118_58c8332d7af8479d16c54d98a7fa5cd5.exe
Size

95KB
MD5

58c8332d7af8479d16c54d98a7fa5cd5
SHA1

89b5c951bfa623bf7ce76a790a4de2e764d7419e
SHA256

14a1742d30b0ff7d14b1737b5831ad035921c534c998b79551b97f026f2e1d25
SHA512

726a3e16e4fdda73dc45bc856257e984795e5d638881b75fe326f1d583934536fc6f41bb7b717234f4f53fd8af38569262777f3c97bead1151a865eb0c1afcfa
SSDEEP

1536:boJFusSx9qYMhdFHS8qdydo3nTzhYxJA+CwNUtBZVY9v8prV7g8n+iO0:bofS4jHS8q/3nTzePCwNUh4E9hgViO0

Score

10^/10

gh0strat discovery rat

Malware Config

Signatures

Gh0st RAT payload 5 IoCs

resource	yara_rule
behavioral2/files/0x000300000001e934-14.dat	family_gh0strat
behavioral2/memory/964-16-0x0000000000400000-0x000000000044C60F-memory.dmp	family_gh0strat
behavioral2/memory/1232-19-0x0000000020000000-0x0000000020027000-memory.dmp	family_gh0strat
behavioral2/memory/3472-24-0x0000000020000000-0x0000000020027000-memory.dmp	family_gh0strat
behavioral2/memory/3660-29-0x0000000020000000-0x0000000020027000-memory.dmp	family_gh0strat

Gh0strat
Gh0st RAT is a remote access tool (RAT) with its source code public and it has been used by multiple Chinese groups.
rat gh0strat
Gh0strat family
gh0strat

Deletes itself 1 IoCs

pid	Process
964	eeugoytynb

Executes dropped EXE 1 IoCs

pid	Process
964	eeugoytynb

Loads dropped DLL 3 IoCs

pid	Process
1232	svchost.exe
3472	svchost.exe
3660	svchost.exe

Drops file in System32 directory 6 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\kkcffjpyor	svchost.exe
File opened for modification	C:\Windows\SysWOW64\svchost.exe.txt	svchost.exe
File created	C:\Windows\SysWOW64\ksqynmrwcn	svchost.exe
File opened for modification	C:\Windows\SysWOW64\svchost.exe.txt	svchost.exe
File created	C:\Windows\SysWOW64\kbfrvptupi	svchost.exe
File opened for modification	C:\Windows\SysWOW64\svchost.exe.txt	svchost.exe

Program crash 3 IoCs

pid	pid_target	Process	procid_target
2072	1232	WerFault.exe	93
4848	3472	WerFault.exe	98
1636	3660	WerFault.exe	101

System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_58c8332d7af8479d16c54d98a7fa5cd5.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	eeugoytynb
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
964	eeugoytynb
964	eeugoytynb

Suspicious use of AdjustPrivilegeToken 46 IoCs

description	pid	Process
Token: SeRestorePrivilege	964	eeugoytynb
Token: SeBackupPrivilege	964	eeugoytynb
Token: SeBackupPrivilege	964	eeugoytynb
Token: SeRestorePrivilege	964	eeugoytynb
Token: SeBackupPrivilege	1232	svchost.exe
Token: SeRestorePrivilege	1232	svchost.exe
Token: SeBackupPrivilege	1232	svchost.exe
Token: SeBackupPrivilege	1232	svchost.exe
Token: SeSecurityPrivilege	1232	svchost.exe
Token: SeSecurityPrivilege	1232	svchost.exe
Token: SeBackupPrivilege	1232	svchost.exe
Token: SeBackupPrivilege	1232	svchost.exe
Token: SeSecurityPrivilege	1232	svchost.exe
Token: SeBackupPrivilege	1232	svchost.exe
Token: SeBackupPrivilege	1232	svchost.exe
Token: SeSecurityPrivilege	1232	svchost.exe
Token: SeBackupPrivilege	1232	svchost.exe
Token: SeRestorePrivilege	1232	svchost.exe
Token: SeBackupPrivilege	3472	svchost.exe
Token: SeRestorePrivilege	3472	svchost.exe
Token: SeBackupPrivilege	3472	svchost.exe
Token: SeBackupPrivilege	3472	svchost.exe
Token: SeSecurityPrivilege	3472	svchost.exe
Token: SeSecurityPrivilege	3472	svchost.exe
Token: SeBackupPrivilege	3472	svchost.exe
Token: SeBackupPrivilege	3472	svchost.exe
Token: SeSecurityPrivilege	3472	svchost.exe
Token: SeBackupPrivilege	3472	svchost.exe
Token: SeBackupPrivilege	3472	svchost.exe
Token: SeSecurityPrivilege	3472	svchost.exe
Token: SeBackupPrivilege	3472	svchost.exe
Token: SeRestorePrivilege	3472	svchost.exe
Token: SeBackupPrivilege	3660	svchost.exe
Token: SeRestorePrivilege	3660	svchost.exe
Token: SeBackupPrivilege	3660	svchost.exe
Token: SeBackupPrivilege	3660	svchost.exe
Token: SeSecurityPrivilege	3660	svchost.exe
Token: SeSecurityPrivilege	3660	svchost.exe
Token: SeBackupPrivilege	3660	svchost.exe
Token: SeBackupPrivilege	3660	svchost.exe
Token: SeSecurityPrivilege	3660	svchost.exe
Token: SeBackupPrivilege	3660	svchost.exe
Token: SeBackupPrivilege	3660	svchost.exe
Token: SeSecurityPrivilege	3660	svchost.exe
Token: SeBackupPrivilege	3660	svchost.exe
Token: SeRestorePrivilege	3660	svchost.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 3576 wrote to memory of 964	3576	JaffaCakes118_58c8332d7af8479d16c54d98a7fa5cd5.exe	88
PID 3576 wrote to memory of 964	3576	JaffaCakes118_58c8332d7af8479d16c54d98a7fa5cd5.exe	88
PID 3576 wrote to memory of 964	3576	JaffaCakes118_58c8332d7af8479d16c54d98a7fa5cd5.exe	88

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_58c8332d7af8479d16c54d98a7fa5cd5.exe
"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_58c8332d7af8479d16c54d98a7fa5cd5.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3576
- \??\c:\users\admin\appdata\local\eeugoytynb
  "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_58c8332d7af8479d16c54d98a7fa5cd5.exe" a -sc:\users\admin\appdata\local\temp\jaffacakes118_58c8332d7af8479d16c54d98a7fa5cd5.exe
  2⤵
  - Deletes itself
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:964

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k netsvcs -s fastuserswitchingcompatibility
1⤵
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
PID:1232
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 1232 -s 1056
  2⤵
  - Program crash
  PID:2072

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 1232 -ip 1232
1⤵
PID:3604

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k netsvcs -s fastuserswitchingcompatibility
1⤵
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
PID:3472
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 3472 -s 948
  2⤵
  - Program crash
  PID:4848

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 520 -p 3472 -ip 3472
1⤵
PID:4888

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k netsvcs -s fastuserswitchingcompatibility
1⤵
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
PID:3660
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 3660 -s 860
  2⤵
  - Program crash
  PID:1636

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 3660 -ip 3660
1⤵
PID:1684

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\eeugoytynb

Filesize
23.0MB

MD5
c8241aee3b09a019922071de3042c1b8

SHA1
30ec721119db74f4db8e1d5aa1d2d3ccd1b9eb58

SHA256
dc7218beac9d29495f4377b2d4c94eef7635bb26c5d9eec7b68b27e3aa2ce2a0

SHA512
93787dc7c845a77d89edf497350d41088b282048a80615bf745f5c17addd91cd820c7606bae9733a44bb1031e635163fbfa0145700bf256df13f55c29ce9f84b

Download Submit
C:\Windows\SysWOW64\svchost.exe.txt

Filesize
202B

MD5
a584d76ccc780b37edf6202c7f70141b

SHA1
7e21ffb86808683cb07b0b69bde01d8e85e051c2

SHA256
436d3615e3e17766c70b065e220762930000ca91ec2aabe80385373112280374

SHA512
7d4207aa39930a7d44f50382e31c936beb8c193b8b802490db3f3437d3b7323e54e37ed2743f1eb27eb0e563f0e84d5345eadb4ec97de9ab5267e2990e61bbc6

Download Submit
C:\Windows\SysWOW64\svchost.exe.txt

Filesize
303B

MD5
021bbe714dbbe40fd13053d259703daa

SHA1
fb46b89f8ebd77ffc4834a62598ffd52ee933de6

SHA256
c47d3d1ff1d6b827c82786f094b951f18226284904895069779886e0fa2d997b

SHA512
4e18621b0d23555ad967ca26973ee9b7585e683222d76fd8cb07eb4747160a2a4e79077d2869ff1b5a64ec0c6e355f904f84d4470f77287cb86a7ce6400f3e85

Download Submit
\??\c:\programdata\application data\storm\update\%sessionname%\nusxe.cc3

Filesize
19.0MB

MD5
b978af92ad07e7b55ea267621ba6db36

SHA1
cef9f5aede653c96221939205111c3c9df224cdd

SHA256
89cb4fc5768b135472b9ead90e366e592eaed3bee71a6e3eca86426de351e967

SHA512
4144ac0449b00b338ad2e7e3809ea033a0b4de79b4d29fcbbd63a8ef82843f926ed5031cda9d9ebe147559d97d12fef17d9e646b0da7f587b137550ae3602772

Download Submit
memory/964-16-0x0000000000400000-0x000000000044C60F-memory.dmp

Filesize
305KB

Download
memory/964-7-0x0000000000400000-0x000000000044C60F-memory.dmp

Filesize
305KB

Download
memory/1232-17-0x0000000001480000-0x0000000001481000-memory.dmp

Filesize
4KB

Download
memory/1232-19-0x0000000020000000-0x0000000020027000-memory.dmp

Filesize
156KB

Download
memory/3472-21-0x00000000016E0000-0x00000000016E1000-memory.dmp

Filesize
4KB

Download
memory/3472-24-0x0000000020000000-0x0000000020027000-memory.dmp

Filesize
156KB

Download
memory/3576-10-0x0000000000400000-0x000000000044C60F-memory.dmp

Filesize
305KB

Download
memory/3576-0-0x0000000000400000-0x000000000044C60F-memory.dmp

Filesize
305KB

Download
memory/3576-2-0x00000000001D0000-0x00000000001D1000-memory.dmp

Filesize
4KB

Download
memory/3660-26-0x0000000001B80000-0x0000000001B81000-memory.dmp

Filesize
4KB

Download
memory/3660-29-0x0000000020000000-0x0000000020027000-memory.dmp

Filesize
156KB

Download