Analysis
max time kernel: 67s
max time network: 16s
platform: windows7_x64
resource: win7-20240729-en
resource tags: arch:x64, arch:x86, image:win7-20240729-en, locale:en-us, os:windows7-x64, system
submitted: 09/03/2025, 20:25
Static task: static1
Behavioral task: behavioral1
  Sample: JaffaCakes118_5b19ef1cc8a6810ae136959210929ae7.exe
  Resource: win7-20240729-en
Behavioral task: behavioral2
  Sample: JaffaCakes118_5b19ef1cc8a6810ae136959210929ae7.exe
  Resource: win10v2004-20250217-en
General
Target: JaffaCakes118_5b19ef1cc8a6810ae136959210929ae7.exe
Size: 184KB
MD5: 5b19ef1cc8a6810ae136959210929ae7
SHA1: 1ffb7e92ebe4f40ef2a64fdf50550729596ee464
SHA256: 2a6310c272ff9cff0141e57e98fbeb2c23bb71cbe4a80928621e3595a62303e0
SHA512: 49eae0a63b7d9f0377f195a9582892119a30709ead826a3b247298ad93b6169d3aa1af97d638ebabe3908c8ef9dd622fcbeca6b31932c1763f51b7284fb4291e
SSDEEP: 3072:NfJBs6WoDQq8qB4FXRhXrQwxulz0MjV8jQ703WbaziBhHFLUb+:NJBs6Wo38qWFXRdEaIz38pW2zclLUb
Malware Config
Signatures
-
Gh0st RAT payload (1 IoC)
  resource: behavioral1/files/0x00080000000120fd-2.dat
  yara_rule: family_gh0strat
Gh0strat family
-
Server Software Component: Terminal Services DLL (1 TTP, 14 IoCs)
All 14 writes are "Set value (str)" on \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\<service>\Parameters\ServiceDll, and all are performed by JaffaCakes118_5b19ef1cc8a6810ae136959210929ae7.exe (the values are shown as the sandbox renders them, with escaped backslashes):
  nwcworkstation → "C:\\Windows\\system32\\ntnwcworkstation.dll"
  srservice → "C:\\Windows\\system32\\ntsrservice.dll"
  wmi → "C:\\Windows\\system32\\ntwmi.dll"
  wmdmpmsp → "C:\\Windows\\system32\\ntwmdmpmsp.dll"
  logonhours → "C:\\Windows\\system32\\ntlogonhours.dll"
  helpsvc → "C:\\Windows\\system32\\nthelpsvc.dll"
  fastuserswitchingcompatibility → "C:\\Windows\\system32\\ntfastuserswitchingcompatibility.dll"
  irmon → "C:\\Windows\\system32\\ntirmon.dll"
  nla → "C:\\Windows\\system32\\ntnla.dll"
  ntmssvc → "C:\\Windows\\system32\\ntntmssvc.dll"
  pcaudit → "C:\\Windows\\system32\\ntpcaudit.dll"
  uploadmgr → "C:\\Windows\\system32\\ntuploadmgr.dll"
  nvkuov → "C:\\Windows\\system32\\ntuploadmgr.dll"
  ias → "C:\\Windows\\system32\\ntias.dll"
Note that the DLL name is always "nt" + the service name, except for nvkuov, which points at the same ntuploadmgr.dll as uploadmgr; that is why 14 ServiceDll values correspond to only 13 dropped DLLs below.
Loads dropped DLL (13 IoCs)
  PIDs (all svchost.exe): 1100, 2732, 2904, 2932, 1360, 2716, 1552, 2492, 2968, 2532, 2956, 912, 1992
Drops file in System32 directory (26 IoCs)
All 26 events are "File opened for modification" by JaffaCakes118_5b19ef1cc8a6810ae136959210929ae7.exe. The files land in C:\Windows\SysWOW64 even though the ServiceDll values above say system32: the sample is a 32-bit process, so WOW64 file-system redirection maps its writes to system32 onto SysWOW64, and the 32-bit svchost.exe instances that later load the DLLs resolve the path the same way.
  13 service DLLs:
    C:\Windows\SysWOW64\ntias.dll
    C:\Windows\SysWOW64\ntpcaudit.dll
    C:\Windows\SysWOW64\ntuploadmgr.dll
    C:\Windows\SysWOW64\ntnla.dll
    C:\Windows\SysWOW64\ntwmdmpmsp.dll
    C:\Windows\SysWOW64\nthelpsvc.dll
    C:\Windows\SysWOW64\ntfastuserswitchingcompatibility.dll
    C:\Windows\SysWOW64\ntntmssvc.dll
    C:\Windows\SysWOW64\ntnwcworkstation.dll
    C:\Windows\SysWOW64\ntlogonhours.dll
    C:\Windows\SysWOW64\ntirmon.dll
    C:\Windows\SysWOW64\ntsrservice.dll
    C:\Windows\SysWOW64\ntwmi.dll
  13 files with a .del extension:
    C:\Windows\SysWOW64\81771310.del
    C:\Windows\SysWOW64\35172304.del
    C:\Windows\SysWOW64\a4363793.del
    C:\Windows\SysWOW64\b198415e.del
    C:\Windows\SysWOW64\4ac26bd1.del
    C:\Windows\SysWOW64\d2f5ca0e.del
    C:\Windows\SysWOW64\dad53dd.del
    C:\Windows\SysWOW64\a8c20fb6.del
    C:\Windows\SysWOW64\729d73e9.del
    C:\Windows\SysWOW64\9b56e972.del
    C:\Windows\SysWOW64\4ef54a5d.del
    C:\Windows\SysWOW64\bda338ff.del
    C:\Windows\SysWOW64\ab5e7ac5.del
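The ServiceDll registry writes and the SysWOW64 file drops are easiest to triage together. The script below is an added example written for this report, not part of the sandbox or its tooling: it parses event lines in the report's own "Set value (str) ..." and "File opened for modification ..." format (REGISTRY_EVENTS and FILE_EVENTS are a constructed subset of the entries listed above), collapses the escaped backslashes, maps each system32 ServiceDll path to its SysWOW64 location the way WOW64 redirection does for a 32-bit writer, and flags every service whose DLL was registered by a non-installer process, dropped by that same process in the same run, or shared with another service. The EXPECTED_WRITERS allowlist and the reason strings are my assumptions, not anything the report states.

```python
"""Correlate ServiceDll registry writes with dropped files from a sandbox report.

Added triage example written for this report; it is not the sandbox's own
tooling. REGISTRY_EVENTS and FILE_EVENTS are constructed from the report's IoC
tables (a subset, so the script runs offline). EXPECTED_WRITERS is an assumed
minimal allowlist, not a list the report provides.
"""
import re
from collections import defaultdict

# Constructed subset of the "Terminal Services DLL" table, in the sandbox's
# rendering (values carry escaped backslashes).
REGISTRY_EVENTS = [
    r'Set value (str) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\nwcworkstation\Parameters\ServiceDll = "C:\\Windows\\system32\\ntnwcworkstation.dll" JaffaCakes118_5b19ef1cc8a6810ae136959210929ae7.exe',
    r'Set value (str) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\uploadmgr\Parameters\ServiceDll = "C:\\Windows\\system32\\ntuploadmgr.dll" JaffaCakes118_5b19ef1cc8a6810ae136959210929ae7.exe',
    r'Set value (str) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\nvkuov\Parameters\ServiceDll = "C:\\Windows\\system32\\ntuploadmgr.dll" JaffaCakes118_5b19ef1cc8a6810ae136959210929ae7.exe',
    r'Set value (str) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\wmi\Parameters\ServiceDll = "C:\\Windows\\system32\\ntwmi.dll" JaffaCakes118_5b19ef1cc8a6810ae136959210929ae7.exe',
]

# Constructed subset of the "Drops file in System32 directory" table. ntwmi.dll
# is deliberately left out of this subset so one finding lacks the "dropped" reason.
FILE_EVENTS = [
    r'File opened for modification C:\Windows\SysWOW64\ntnwcworkstation.dll JaffaCakes118_5b19ef1cc8a6810ae136959210929ae7.exe',
    r'File opened for modification C:\Windows\SysWOW64\ntuploadmgr.dll JaffaCakes118_5b19ef1cc8a6810ae136959210929ae7.exe',
    r'File opened for modification C:\Windows\SysWOW64\81771310.del JaffaCakes118_5b19ef1cc8a6810ae136959210929ae7.exe',
]

# Assumption: the only processes expected to set ServiceDll on a managed host.
EXPECTED_WRITERS = {"services.exe", "msiexec.exe", "trustedinstaller.exe", "svchost.exe"}

SERVICEDLL_RE = re.compile(
    r'Set value \(str\) \\REGISTRY\\MACHINE\\SYSTEM\\(?:ControlSet\d+|CurrentControlSet)'
    r'\\services\\(?P<svc>[^\\]+)\\Parameters\\ServiceDll = "(?P<dll>[^"]+)" (?P<proc>\S+)$',
    re.IGNORECASE,
)
FILE_RE = re.compile(r'File opened for modification (?P<path>\S+) (?P<proc>\S+)$')


def normalize(path):
    """Collapse the report's escaped backslashes and lower-case the path."""
    return path.replace("\\\\", "\\").lower()


def wow64_aliases(path):
    """Paths a 32-bit writer's system32 target can really land on: WOW64 redirects it to SysWOW64."""
    p = normalize(path)
    aliases = {p}
    if "\\system32\\" in p:
        aliases.add(p.replace("\\system32\\", "\\syswow64\\"))
    return aliases


def parse(registry_lines, file_lines):
    """Return ({service: (dll, writer)}, {dropped_path: {writers}})."""
    services = {}
    for line in registry_lines:
        m = SERVICEDLL_RE.match(line)
        if m:
            services[m["svc"].lower()] = (normalize(m["dll"]), m["proc"].lower())
    drops = defaultdict(set)
    for line in file_lines:
        m = FILE_RE.match(line)
        if m:
            drops[normalize(m["path"])].add(m["proc"].lower())
    return services, drops


def analyze(registry_lines, file_lines):
    """Return {service: [reasons]} for every ServiceDll write that looks like persistence."""
    services, drops = parse(registry_lines, file_lines)
    shared = defaultdict(list)  # dll -> services whose ServiceDll points at it
    for svc, (dll, _) in services.items():
        shared[dll].append(svc)

    findings = {}
    for svc, (dll, writer) in sorted(services.items()):
        reasons = []
        if writer not in EXPECTED_WRITERS:
            reasons.append(f"ServiceDll written by non-installer process {writer}")
        if len(shared[dll]) > 1:
            others = ", ".join(sorted(s for s in shared[dll] if s != svc))
            reasons.append(f"DLL also registered for service(s): {others}")
        for alias in wow64_aliases(dll):
            if writer in drops.get(alias, set()):
                reasons.append(f"DLL dropped by the same process at {alias}")
                break
        if reasons:
            findings[svc] = reasons
    return findings


if __name__ == "__main__":
    for svc, reasons in analyze(REGISTRY_EVENTS, FILE_EVENTS).items():
        print(svc)
        for reason in reasons:
            print("   -", reason)
```

On a real incident the same correlation is run against Sysmon event IDs 13 (registry value set) and 11 (file create) instead of sandbox tables; the WOW64 alias step matters there too, because the ServiceDll value and the file-create path will disagree for any 32-bit dropper on a 64-bit host.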
System Location Discovery: System Language Discovery (1 TTP, 14 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
  Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language
  by JaffaCakes118_5b19ef1cc8a6810ae136959210929ae7.exe (1 event) and svchost.exe (13 events, one per instance that loads a dropped DLL)
Suspicious behavior: EnumeratesProcesses (1 IoC)
  PID 2380 JaffaCakes118_5b19ef1cc8a6810ae136959210929ae7.exe
Processes
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_5b19ef1cc8a6810ae136959210929ae7.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_5b19ef1cc8a6810ae136959210929ae7.exe"
  Tree depth: 1
  PID: 2380
  - Server Software Component: Terminal Services DLL
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses

C:\Windows\SysWOW64\svchost.exe (13 instances, all at tree depth 1, i.e. not shown as children of the sample)
  Command line: C:\Windows\SysWOW64\svchost.exe -k netsvcs
  PIDs: 1100, 2732, 2904, 2932, 1360, 2716, 1552, 2492, 2968, 2532, 2956, 912, 1992
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
Network
MITRE ATT&CK Enterprise v15
Downloads
Filesize: 148KB
MD5: 2be99cee3fbef675a6be6b9421bdff7c
SHA1: ee495c9c75659702d7a1c3dc2ba946d6483d8672
SHA256: ef5e19309254715f7764a8042427f0a83c3c7b9babb500fefcfd3e6e50d3a053
SHA512: ee8b16583e1379f17735867996949daa11ab3c8b000df590df302b7bc52f03d58540e6bd4f3b11d07ef06266d23a25d92df1c28dc9c5bc5f72a8b013d7fe3f71