gh0strat | 95e8bf28c169dc191d2b22176371a827d25c07e07ee502e2cf2a96a184741945

Analysis

max time kernel
93s
max time network
142s
platform
windows10-2004_x64
resource
win10v2004-20250217-en
resource tags

arch:x64arch:x86image:win10v2004-20250217-enlocale:en-usos:windows10-2004-x64system
submitted
10/03/2025, 07:57

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

JaffaCakes118_5debc03392bc9a095da1fb539453218c.exe
Size

1.7MB
MD5

5debc03392bc9a095da1fb539453218c
SHA1

29315e8e970e2b89ee69cd07047784cfe359c9a6
SHA256

95e8bf28c169dc191d2b22176371a827d25c07e07ee502e2cf2a96a184741945
SHA512

a2b8ace6e2222f6d18c8c1165a60eb15b48f075d3cb4b13555621645b19c0833b662f2eb178052baad34c0e36571f043c1ab5a1720ea80e1b8be4824f99e2fe0
SSDEEP

49152:1r8B2Gwk2iv6JVLGonQkiMA04xF0AKGPT8Oq:1QB2GwkQqonQ72S0VGPT8O

Score

10^/10

gh0strat discovery rat vmprotect

Malware Config

Signatures

Gh0st RAT payload 1 IoCs

resource	yara_rule
behavioral2/files/0x000c000000023c19-3.dat	family_gh0strat

Gh0strat
Gh0st RAT is a remote access tool (RAT) with its source code public and it has been used by multiple Chinese groups.
rat gh0strat
Gh0strat family
gh0strat

Executes dropped EXE 1 IoCs

pid	Process
3028	AVA²»Ðà¼Ò×å¸¨Öú.exe

Loads dropped DLL 4 IoCs

pid	Process
3028	AVA²»Ðà¼Ò×å¸¨Öú.exe
3028	AVA²»Ðà¼Ò×å¸¨Öú.exe
3028	AVA²»Ðà¼Ò×å¸¨Öú.exe
3028	AVA²»Ðà¼Ò×å¸¨Öú.exe

VMProtect packed file 4 IoCs

Detects executables packed with VMProtect commercial packer.

vmprotect

resource	yara_rule
behavioral2/files/0x000c000000023c19-3.dat	vmprotect
behavioral2/memory/3028-6-0x0000000000400000-0x0000000000757000-memory.dmp	vmprotect
behavioral2/memory/3028-7-0x0000000000400000-0x0000000000757000-memory.dmp	vmprotect
behavioral2/memory/3028-48-0x0000000000400000-0x0000000000757000-memory.dmp	vmprotect

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	AVA²»Ðà¼Ò×å¸¨Öú.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_5debc03392bc9a095da1fb539453218c.exe

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{248DD896-BB45-11CF-9ABC-0080C7E7B78D}\ProgID\ = "MSWinsock.Winsock.1"	AVA²»Ðà¼Ò×å¸¨Öú.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{48E59290-9880-11CF-9754-00AA00C00908}\1.0\0\win32	AVA²»Ðà¼Ò×å¸¨Öú.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{48E59291-9880-11CF-9754-00AA00C00908}\ProxyStubClsid32	AVA²»Ðà¼Ò×å¸¨Öú.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\MSWinsock.Winsock.1\CLSID\ = "{248DD896-BB45-11CF-9ABC-0080C7E7B78D}"	AVA²»Ðà¼Ò×å¸¨Öú.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{248DD892-BB45-11CF-9ABC-0080C7E7B78D}\TypeLib\Version = "1.0"	AVA²»Ðà¼Ò×å¸¨Öú.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{248DD893-BB45-11CF-9ABC-0080C7E7B78D}\ProxyStubClsid32	AVA²»Ðà¼Ò×å¸¨Öú.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{48E59293-9880-11CF-9754-00AA00C00908}	AVA²»Ðà¼Ò×å¸¨Öú.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{48E59293-9880-11CF-9754-00AA00C00908}\ = "Microsoft Internet Transfer Control, version 6.0"	AVA²»Ðà¼Ò×å¸¨Öú.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\InetCtls.Inet.1\CLSID	AVA²»Ðà¼Ò×å¸¨Öú.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{48E59293-9880-11CF-9754-00AA00C00908}\VersionIndependentProgID\ = "InetCtls.Inet"	AVA²»Ðà¼Ò×å¸¨Öú.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{48E59293-9880-11CF-9754-00AA00C00908}\Implemented Categories\{0DE86A57-2BAA-11CF-A229-00AA003D7352}	AVA²»Ðà¼Ò×å¸¨Öú.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{48E59294-9880-11CF-9754-00AA00C00908}\ = "Internet Control General Property Page Object"	AVA²»Ðà¼Ò×å¸¨Öú.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{48E59290-9880-11CF-9754-00AA00C00908}	AVA²»Ðà¼Ò×å¸¨Öú.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{248DD896-BB45-11CF-9ABC-0080C7E7B78D}\Implemented Categories\{0DE86A52-2BAA-11CF-A229-00AA003D7352}	AVA²»Ðà¼Ò×å¸¨Öú.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{48E59293-9880-11CF-9754-00AA00C00908}\ProgID	AVA²»Ðà¼Ò×å¸¨Öú.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{48E59295-9880-11CF-9754-00AA00C00908}	AVA²»Ðà¼Ò×å¸¨Öú.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\InetCtls.Inet\ = "Microsoft Internet Transfer Control, version 6.0"	AVA²»Ðà¼Ò×å¸¨Öú.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\InetCtls.Inet.1\CLSID\ = "{48E59293-9880-11CF-9754-00AA00C00908}"	AVA²»Ðà¼Ò×å¸¨Öú.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\MSWinsock.Winsock.1\CLSID	AVA²»Ðà¼Ò×å¸¨Öú.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{248DD896-BB45-11CF-9ABC-0080C7E7B78D}\Version\ = "1.0"	AVA²»Ðà¼Ò×å¸¨Öú.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{248DD890-BB45-11CF-9ABC-0080C7E7B78D}\1.0\0\win32	AVA²»Ðà¼Ò×å¸¨Öú.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{248DD892-BB45-11CF-9ABC-0080C7E7B78D}	AVA²»Ðà¼Ò×å¸¨Öú.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{248DD892-BB45-11CF-9ABC-0080C7E7B78D}\TypeLib\Version = "1.0"	AVA²»Ðà¼Ò×å¸¨Öú.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{48E59293-9880-11CF-9754-00AA00C00908}\Implemented Categories	AVA²»Ðà¼Ò×å¸¨Öú.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{48E59293-9880-11CF-9754-00AA00C00908}\MiscStatus	AVA²»Ðà¼Ò×å¸¨Öú.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{48E59293-9880-11CF-9754-00AA00C00908}\Implemented Categories\{40FC6ED4-2438-11CF-A3DB-080036F12502}	AVA²»Ðà¼Ò×å¸¨Öú.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{248DD893-BB45-11CF-9ABC-0080C7E7B78D}\TypeLib\ = "{248DD890-BB45-11CF-9ABC-0080C7E7B78D}"	AVA²»Ðà¼Ò×å¸¨Öú.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{48E59293-9880-11CF-9754-00AA00C00908}\VersionIndependentProgID	AVA²»Ðà¼Ò×å¸¨Öú.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{48E59292-9880-11CF-9754-00AA00C00908}\ = "DInetEvents"	AVA²»Ðà¼Ò×å¸¨Öú.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{248DD896-BB45-11CF-9ABC-0080C7E7B78D}\TypeLib\ = "{248DD890-BB45-11CF-9ABC-0080C7E7B78D}"	AVA²»Ðà¼Ò×å¸¨Öú.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{248DD896-BB45-11CF-9ABC-0080C7E7B78D}\ToolboxBitmap32\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MSWINSCK.OCX, 1"	AVA²»Ðà¼Ò×å¸¨Öú.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{248DD892-BB45-11CF-9ABC-0080C7E7B78D}\ = "IMSWinsockControl"	AVA²»Ðà¼Ò×å¸¨Öú.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{48E59293-9880-11CF-9754-00AA00C00908}\ToolboxBitmap32\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MSINET.OCX, 1"	AVA²»Ðà¼Ò×å¸¨Öú.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{48E59294-9880-11CF-9754-00AA00C00908}	AVA²»Ðà¼Ò×å¸¨Öú.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{248DD896-BB45-11CF-9ABC-0080C7E7B78D}\Control	AVA²»Ðà¼Ò×å¸¨Öú.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{248DD896-BB45-11CF-9ABC-0080C7E7B78D}\MiscStatus	AVA²»Ðà¼Ò×å¸¨Öú.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{48E59290-9880-11CF-9754-00AA00C00908}\1.0	AVA²»Ðà¼Ò×å¸¨Öú.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{48E59292-9880-11CF-9754-00AA00C00908}\TypeLib	AVA²»Ðà¼Ò×å¸¨Öú.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{248DD896-BB45-11CF-9ABC-0080C7E7B78D}\ProgID	AVA²»Ðà¼Ò×å¸¨Öú.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{248DD896-BB45-11CF-9ABC-0080C7E7B78D}\TypeLib	AVA²»Ðà¼Ò×å¸¨Öú.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{248DD896-BB45-11CF-9ABC-0080C7E7B78D}\MiscStatus\ = "0"	AVA²»Ðà¼Ò×å¸¨Öú.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{248DD897-BB45-11CF-9ABC-0080C7E7B78D}\InprocServer32	AVA²»Ðà¼Ò×å¸¨Öú.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{248DD893-BB45-11CF-9ABC-0080C7E7B78D}	AVA²»Ðà¼Ò×å¸¨Öú.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{248DD893-BB45-11CF-9ABC-0080C7E7B78D}\TypeLib\Version = "1.0"	AVA²»Ðà¼Ò×å¸¨Öú.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{48E59295-9880-11CF-9754-00AA00C00908}\InprocServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MSINET.OCX"	AVA²»Ðà¼Ò×å¸¨Öú.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{48E59292-9880-11CF-9754-00AA00C00908}	AVA²»Ðà¼Ò×å¸¨Öú.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{248DD896-BB45-11CF-9ABC-0080C7E7B78D}	AVA²»Ðà¼Ò×å¸¨Öú.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{248DD897-BB45-11CF-9ABC-0080C7E7B78D}	AVA²»Ðà¼Ò×å¸¨Öú.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{248DD893-BB45-11CF-9ABC-0080C7E7B78D}\TypeLib	AVA²»Ðà¼Ò×å¸¨Öú.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{48E59292-9880-11CF-9754-00AA00C00908}\ProxyStubClsid32	AVA²»Ðà¼Ò×å¸¨Öú.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{248DD896-BB45-11CF-9ABC-0080C7E7B78D}\InprocServer32	AVA²»Ðà¼Ò×å¸¨Öú.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{248DD896-BB45-11CF-9ABC-0080C7E7B78D}\Implemented Categories\{40FC6ED5-2438-11CF-A3DB-080036F12502}	AVA²»Ðà¼Ò×å¸¨Öú.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{248DD890-BB45-11CF-9ABC-0080C7E7B78D}\1.0\FLAGS\ = "2"	AVA²»Ðà¼Ò×å¸¨Öú.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{248DD890-BB45-11CF-9ABC-0080C7E7B78D}\1.0\HELPDIR\	AVA²»Ðà¼Ò×å¸¨Öú.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{248DD892-BB45-11CF-9ABC-0080C7E7B78D}\ProxyStubClsid32	AVA²»Ðà¼Ò×å¸¨Öú.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{248DD892-BB45-11CF-9ABC-0080C7E7B78D}\TypeLib	AVA²»Ðà¼Ò×å¸¨Öú.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{248DD893-BB45-11CF-9ABC-0080C7E7B78D}	AVA²»Ðà¼Ò×å¸¨Öú.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{48E59293-9880-11CF-9754-00AA00C00908}\TypeLib	AVA²»Ðà¼Ò×å¸¨Öú.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{48E59293-9880-11CF-9754-00AA00C00908}\ToolboxBitmap32	AVA²»Ðà¼Ò×å¸¨Öú.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{48E59291-9880-11CF-9754-00AA00C00908}\ProxyStubClsid32	AVA²»Ðà¼Ò×å¸¨Öú.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{48E59292-9880-11CF-9754-00AA00C00908}\ = "DInetEvents"	AVA²»Ðà¼Ò×å¸¨Öú.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{248DD896-BB45-11CF-9ABC-0080C7E7B78D}\InprocServer32\ThreadingModel = "Apartment"	AVA²»Ðà¼Ò×å¸¨Öú.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{248DD892-BB45-11CF-9ABC-0080C7E7B78D}\ProxyStubClsid32	AVA²»Ðà¼Ò×å¸¨Öú.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{248DD893-BB45-11CF-9ABC-0080C7E7B78D}\TypeLib\ = "{248DD890-BB45-11CF-9ABC-0080C7E7B78D}"	AVA²»Ðà¼Ò×å¸¨Öú.exe

Suspicious use of SetWindowsHookEx 4 IoCs

pid	Process
3416	JaffaCakes118_5debc03392bc9a095da1fb539453218c.exe
3028	AVA²»Ðà¼Ò×å¸¨Öú.exe
3028	AVA²»Ðà¼Ò×å¸¨Öú.exe
3028	AVA²»Ðà¼Ò×å¸¨Öú.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 3416 wrote to memory of 3028	3416	JaffaCakes118_5debc03392bc9a095da1fb539453218c.exe	85
PID 3416 wrote to memory of 3028	3416	JaffaCakes118_5debc03392bc9a095da1fb539453218c.exe	85
PID 3416 wrote to memory of 3028	3416	JaffaCakes118_5debc03392bc9a095da1fb539453218c.exe	85

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_5debc03392bc9a095da1fb539453218c.exe
"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_5debc03392bc9a095da1fb539453218c.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3416
- C:\Users\Admin\AppData\Local\Temp\AVA²»Ðà¼Ò×å¸¨Öú.exe
  "C:\Users\Admin\AppData\Local\Temp\AVA²»Ðà¼Ò×å¸¨Öú.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious use of SetWindowsHookEx
  PID:3028

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\AVA²»Ðà¼Ò×å¸¨Öú.exe

Filesize
1.3MB

MD5
e3f5e9926295125c52d170412a5a8d11

SHA1
6de39f938835adc2ddacd2ba58879b64543fe454

SHA256
b4aa25f21a0349b7e24b45d8c4d85b6e09fd9027990f14f1317a5e735df46d58

SHA512
a1549ca9d297275d6e17de92f8fe23d662f56621e1b1116bcca8e9f24a5627172b1ebeda29ae2c038b7b473ccdf1b328f51715bd5f916d37e37148a5917be541

Download Submit
C:\Users\Admin\AppData\Local\Temp\MSINET.OCX

Filesize
112KB

MD5
7bec181a21753498b6bd001c42a42722

SHA1
3249f233657dc66632c0539c47895bfcee5770cc

SHA256
73da54b69911bdd08ea8bbbd508f815ef7cfa59c4684d75c1c602252ec88ee31

SHA512
d671e25ae5e02a55f444d253f0e4a42af6a5362d9759fb243ad6d2c333976ab3e98669621ec0850ad915ee06acbe8e70d77b084128fc275462223f4f5ab401bc

Download Submit
C:\Users\Admin\AppData\Local\Temp\MSWINSCK.OCX

Filesize
105KB

MD5
9484c04258830aa3c2f2a70eb041414c

SHA1
b242a4fb0e9dcf14cb51dc36027baff9a79cb823

SHA256
bf7e47c16d7e1c0e88534f4ef95e09d0fd821ed1a06b0d95a389b35364b63ff5

SHA512
9d0e9f0d88594746ba41ea4a61a53498619eda596e12d8ec37d01cfe8ceb08be13e3727c83d630a6d9e6d03066f62444bb94ea5a0d2ed9d21a270e612db532a0

Download Submit
memory/3028-6-0x0000000000400000-0x0000000000757000-memory.dmp

Filesize
3.3MB

Download
memory/3028-7-0x0000000000400000-0x0000000000757000-memory.dmp

Filesize
3.3MB

Download
memory/3028-48-0x0000000000400000-0x0000000000757000-memory.dmp

Filesize
3.3MB

Download