gh0strat | 9b5f61c1e79d525b2ac6c9c286927b7b6c2ff7fd492561fa9be5193b8a1693a5

Analysis

max time kernel
148s
max time network
156s
platform
windows10-2004_x64
resource
win10v2004-20250217-en
resource tags

arch:x64arch:x86image:win10v2004-20250217-enlocale:en-usos:windows10-2004-x64system
submitted
10/03/2025, 23:09

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

JaffaCakes118_61e1638fbe2c097bc3904c37c7fbda73.exe
Size

192KB
MD5

61e1638fbe2c097bc3904c37c7fbda73
SHA1

fe6a487cdef92c1dedc5324f710efc3bcb423ef8
SHA256

9b5f61c1e79d525b2ac6c9c286927b7b6c2ff7fd492561fa9be5193b8a1693a5
SHA512

29b3e1ce47f3427a09f2c28678b78f733f7e8ad8a740adf09e3198d84b9db3126103f18c06c97bb403ed6644759d5176730a5800882edb33da0ff07353a90e0b
SSDEEP

3072:3krAnW9c1myF/O7qBBwer9xdqzdgdD5rlNnQETx7cB5I7X2m6mel:UrAnW9cb62w+WQnhlcB5I7mm

Score

10^/10

gh0strat discovery rat

Malware Config

Signatures

Gh0st RAT payload 4 IoCs

resource	yara_rule
behavioral2/files/0x0012000000023ac6-12.dat	family_gh0strat
behavioral2/memory/3176-13-0x0000000020000000-0x0000000020027000-memory.dmp	family_gh0strat
behavioral2/memory/4672-16-0x0000000020000000-0x0000000020027000-memory.dmp	family_gh0strat
behavioral2/memory/4656-19-0x0000000020000000-0x0000000020027000-memory.dmp	family_gh0strat

Gh0strat
Gh0st RAT is a remote access tool (RAT) with its source code public and it has been used by multiple Chinese groups.
rat gh0strat
Gh0strat family
gh0strat

Deletes itself 1 IoCs

pid	Process
3296	eudhbv

Executes dropped EXE 1 IoCs

pid	Process
3296	eudhbv

Loads dropped DLL 3 IoCs

pid	Process
3176	svchost.exe
4672	svchost.exe
4656	svchost.exe

Drops file in System32 directory 6 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\svchost.exe.txt	svchost.exe
File created	C:\Windows\SysWOW64\kuiqsfodly	svchost.exe
File opened for modification	C:\Windows\SysWOW64\svchost.exe.txt	svchost.exe
File created	C:\Windows\SysWOW64\kevkaiqbxt	svchost.exe
File opened for modification	C:\Windows\SysWOW64\svchost.exe.txt	svchost.exe
File created	C:\Windows\SysWOW64\kmkdiltylo	svchost.exe

Program crash 3 IoCs

pid	pid_target	Process	procid_target
2404	3176	WerFault.exe	96
924	4672	WerFault.exe	100
3836	4656	WerFault.exe	105

System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_61e1638fbe2c097bc3904c37c7fbda73.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	eudhbv
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
1672	JaffaCakes118_61e1638fbe2c097bc3904c37c7fbda73.exe

Suspicious use of AdjustPrivilegeToken 50 IoCs

description	pid	Process
Token: SeBackupPrivilege	3296	eudhbv
Token: SeRestorePrivilege	3296	eudhbv
Token: SeBackupPrivilege	3296	eudhbv
Token: SeRestorePrivilege	3296	eudhbv
Token: SeBackupPrivilege	3296	eudhbv
Token: SeRestorePrivilege	3296	eudhbv
Token: SeBackupPrivilege	3296	eudhbv
Token: SeRestorePrivilege	3296	eudhbv
Token: SeBackupPrivilege	3176	svchost.exe
Token: SeRestorePrivilege	3176	svchost.exe
Token: SeBackupPrivilege	3176	svchost.exe
Token: SeBackupPrivilege	3176	svchost.exe
Token: SeSecurityPrivilege	3176	svchost.exe
Token: SeSecurityPrivilege	3176	svchost.exe
Token: SeBackupPrivilege	3176	svchost.exe
Token: SeBackupPrivilege	3176	svchost.exe
Token: SeSecurityPrivilege	3176	svchost.exe
Token: SeBackupPrivilege	3176	svchost.exe
Token: SeBackupPrivilege	3176	svchost.exe
Token: SeSecurityPrivilege	3176	svchost.exe
Token: SeBackupPrivilege	3176	svchost.exe
Token: SeRestorePrivilege	3176	svchost.exe
Token: SeBackupPrivilege	4672	svchost.exe
Token: SeRestorePrivilege	4672	svchost.exe
Token: SeBackupPrivilege	4672	svchost.exe
Token: SeBackupPrivilege	4672	svchost.exe
Token: SeSecurityPrivilege	4672	svchost.exe
Token: SeSecurityPrivilege	4672	svchost.exe
Token: SeBackupPrivilege	4672	svchost.exe
Token: SeBackupPrivilege	4672	svchost.exe
Token: SeSecurityPrivilege	4672	svchost.exe
Token: SeBackupPrivilege	4672	svchost.exe
Token: SeBackupPrivilege	4672	svchost.exe
Token: SeSecurityPrivilege	4672	svchost.exe
Token: SeBackupPrivilege	4672	svchost.exe
Token: SeRestorePrivilege	4672	svchost.exe
Token: SeBackupPrivilege	4656	svchost.exe
Token: SeRestorePrivilege	4656	svchost.exe
Token: SeBackupPrivilege	4656	svchost.exe
Token: SeBackupPrivilege	4656	svchost.exe
Token: SeSecurityPrivilege	4656	svchost.exe
Token: SeSecurityPrivilege	4656	svchost.exe
Token: SeBackupPrivilege	4656	svchost.exe
Token: SeBackupPrivilege	4656	svchost.exe
Token: SeSecurityPrivilege	4656	svchost.exe
Token: SeBackupPrivilege	4656	svchost.exe
Token: SeBackupPrivilege	4656	svchost.exe
Token: SeSecurityPrivilege	4656	svchost.exe
Token: SeBackupPrivilege	4656	svchost.exe
Token: SeRestorePrivilege	4656	svchost.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 1672 wrote to memory of 3296	1672	JaffaCakes118_61e1638fbe2c097bc3904c37c7fbda73.exe	90
PID 1672 wrote to memory of 3296	1672	JaffaCakes118_61e1638fbe2c097bc3904c37c7fbda73.exe	90
PID 1672 wrote to memory of 3296	1672	JaffaCakes118_61e1638fbe2c097bc3904c37c7fbda73.exe	90

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_61e1638fbe2c097bc3904c37c7fbda73.exe
"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_61e1638fbe2c097bc3904c37c7fbda73.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious behavior: RenamesItself
- Suspicious use of WriteProcessMemory
PID:1672
- \??\c:\users\admin\appdata\local\temp\eudhbv
  "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_61e1638fbe2c097bc3904c37c7fbda73.exe"a -s
  2⤵
  - Deletes itself
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  PID:3296

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k netsvcs -s fastuserswitchingcompatibility
1⤵
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
PID:3176
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 3176 -s 1060
  2⤵
  - Program crash
  PID:2404

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 448 -p 3176 -ip 3176
1⤵
PID:5052

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k netsvcs -s fastuserswitchingcompatibility
1⤵
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
PID:4672
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 4672 -s 868
  2⤵
  - Program crash
  PID:924

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 532 -p 4672 -ip 4672
1⤵
PID:4416

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k netsvcs -s fastuserswitchingcompatibility
1⤵
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
PID:4656
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 4656 -s 860
  2⤵
  - Program crash
  PID:3836

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 484 -p 4656 -ip 4656
1⤵
PID:60

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\eudhbv

Filesize
192KB

MD5
32937f7a25243179fdc1c0ce89d1b2e6

SHA1
e2c88464b3dec9dff588dbe1705fbe75b2df469c

SHA256
7c4002ec5b3e8b284625fb2e41d4a1d48a909477c79f30b40fc677370c42d66e

SHA512
367f2035a92bab864cd031f69fd297e6cefddce01d87c257d0c3ae5adbc5e5549906b3380cffe162c241c1f4ddd93875e8cd37df28fc2986ece98706a6acc8e8

Download Submit
C:\Users\Admin\AppData\Roaming\%SESSIONNAME%\hnfrk.ccd

Filesize
213KB

MD5
180abfc0bccd106405f15deb12766b3d

SHA1
05f71ff292612e80414212fdd54b0049d812f290

SHA256
5c7455ca6806ee539804afd7bdf66d87c3f09a129a3f684841868263d6afcaaa

SHA512
97a86672188ed7619c5744aba62372c7f8886f8b36cd5a0d2f6aff3c2e93d73844c0864133dfc7449728b807dadb150e12bc4313a15fefa0059c1bb82cfa99cb

Download Submit
C:\Windows\SysWOW64\svchost.exe.txt

Filesize
202B

MD5
a3ad8ccbe44dacd99b85d13f68639c66

SHA1
b0a766b2e8bfeda6d55dd856916b501f7a77dd23

SHA256
7fd30b07a9f4cfa527cdd21ab60deef17082b6d7e8c8142c8b074b3797a95b95

SHA512
ea9146d306793aa84a755b3da4d44aa181bbd4ed98fff59b0170e40362c22b5c5a96449dfdd875af3f9cfa97528c9e87b3534b1cb11dbf0fbf28003d0cbb2864

Download Submit
C:\Windows\SysWOW64\svchost.exe.txt

Filesize
303B

MD5
c9e33a842e8da809643428fee168c18c

SHA1
7a343179bf734a62775ee0175d761e98282b98c7

SHA256
213ace588ae4578dbbb132858e83d49a8f56ab82e786fe2621003b2b78e1c60d

SHA512
8260f441a878d1aa41d14dfd366f97dcb1da4ca8f29fdf8bd273f47e711836cf55d17fc5d28eb379991e041654ccbff799454d93e42e69b46292f1d7eacfd43c

Download Submit
memory/1672-4-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/3176-13-0x0000000020000000-0x0000000020027000-memory.dmp

Filesize
156KB

Download
memory/4656-19-0x0000000020000000-0x0000000020027000-memory.dmp

Filesize
156KB

Download
memory/4672-16-0x0000000020000000-0x0000000020027000-memory.dmp

Filesize
156KB

Download