gh0strat | 62d0df06a3d3bde1494f312ea7b13894b6cbc809ac57e54cc8bec19973e2812e | Triage

Submit
Reports

Overview

overview

Static

static

3

JaffaCakes...77.exe

windows7-x64

JaffaCakes...77.exe

windows10-2004-x64

Sharing

General

Target

JaffaCakes118_5ae975e2cabf893cb93eb59265636077
Size

192KB
Sample

250309-ydntvayrt4
MD5

5ae975e2cabf893cb93eb59265636077
SHA1

1f32f75bb3a88e8af88087b0949f8e13b7f21cd2
SHA256

62d0df06a3d3bde1494f312ea7b13894b6cbc809ac57e54cc8bec19973e2812e
SHA512

f90ea988f6fbfd9ecba1ac49fcbef847829002db38726251fd0848d10f00baa579d440aa53f4d824bbc3aef31570c010e8b70b2970b58fa234f3e6ae350250c7
SSDEEP

3072:4UvjUaIc/Jm9br3SIABZz1oXS1xTOy0tMhAW7YD1sQvvbVckFgzua4:4UYaIcs9iIxXE1Oy0+hAWUD1ssTVcsta

Score

10^/10

gh0strat bootkit discovery persistence rat

Static task

static1

1 signatures

Behavioral task

behavioral1

Sample

JaffaCakes118_5ae975e2cabf893cb93eb59265636077.exe

Resource

win7-20240903-en

gh0strat bootkit discovery persistence rat

windows7-x64

15 signatures

150 seconds

Behavioral task

behavioral2

Sample

JaffaCakes118_5ae975e2cabf893cb93eb59265636077.exe

Resource

win10v2004-20250217-en

gh0strat bootkit discovery persistence rat

windows10-2004-x64

15 signatures

150 seconds

Malware Config

Targets

- Target
  
  JaffaCakes118_5ae975e2cabf893cb93eb59265636077
- Size
  
  192KB
- MD5
  
  5ae975e2cabf893cb93eb59265636077
- SHA1
  
  1f32f75bb3a88e8af88087b0949f8e13b7f21cd2
- SHA256
  
  62d0df06a3d3bde1494f312ea7b13894b6cbc809ac57e54cc8bec19973e2812e
- SHA512
  
  f90ea988f6fbfd9ecba1ac49fcbef847829002db38726251fd0848d10f00baa579d440aa53f4d824bbc3aef31570c010e8b70b2970b58fa234f3e6ae350250c7
- SSDEEP
  
  3072:4UvjUaIc/Jm9br3SIABZz1oXS1xTOy0tMhAW7YD1sQvvbVckFgzua4:4UYaIcs9iIxXE1Oy0+hAWUD1ssTVcsta
Score

10^/10

gh0strat bootkit discovery persistence rat
- Gh0st RAT payload
- Gh0strat
  Gh0st RAT is a remote access tool (RAT) with its source code public and it has been used by multiple Chinese groups.
  rat gh0strat
- Gh0strat family
  gh0strat
- Server Software Component: Terminal Services DLL
  persistence
- Sets service image path in registry
  persistence
- Deletes itself
- Loads dropped DLL
- Writes to the Master Boot Record (MBR)
  Bootkits write to the MBR to gain persistence at a level below the operating system.
  bootkit persistence
- Drops file in System32 directory
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Pre-OS Boot

Bootkit

Server Software Component

Terminal Services DLL

Privilege Escalation

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Defense Evasion

Modify Registry

Pre-OS Boot

Bootkit

Credential Access

Discovery

Query Registry

System Information Discovery

System Location Discovery

System Language Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

gh0stratbootkitdiscoverypersistencerat

behavioral2

gh0stratbootkitdiscoverypersistencerat

© 2018-2025

Terms | Privacy