gh0strat | 0efcc71442aa5d7f2ccbf8a51bdea06c5cb18cf935f6b96b4eefde6a53358eb2

Analysis

max time kernel
150s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20250217-en
resource tags

arch:x64arch:x86image:win10v2004-20250217-enlocale:en-usos:windows10-2004-x64system
submitted
10/03/2025, 10:00

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

JaffaCakes118_5e783049dbd6739cab598a8e4f5789b0.dll
Size

131KB
MD5

5e783049dbd6739cab598a8e4f5789b0
SHA1

dc9c7f5222270186d9963397b4fedd506da58ac9
SHA256

0efcc71442aa5d7f2ccbf8a51bdea06c5cb18cf935f6b96b4eefde6a53358eb2
SHA512

16481682aba157fbb9200f9a1dc3be4981b5e40b5c753d4bce175f9b33cd61693d05d36ffcf562aca2a71acfd019a37d171177148bfb88593f8abfc5963685d8
SSDEEP

3072:PWLeYPiFfs8qr+Nw7h+Feu4g8qbACPAKJrV3MIdo47:Bs8qVTohAM1laISc

Score

10^/10

gh0strat discovery rat

Malware Config

Signatures

Gh0st RAT payload 1 IoCs

resource	yara_rule
behavioral2/files/0x0011000000023bce-3.dat	family_gh0strat

Gh0strat
Gh0st RAT is a remote access tool (RAT) with its source code public and it has been used by multiple Chinese groups.
rat gh0strat
Gh0strat family
gh0strat

Loads dropped DLL 1 IoCs

pid	Process
5796	svchost.exe

Drops file in Program Files directory 2 IoCs

description	ioc	Process
File opened for modification	C:\Program Files (x86)\Xtuv\Dtuvwxyab.jpg	rundll32.exe
File created	C:\Program Files (x86)\Xtuv\Dtuvwxyab.jpg	rundll32.exe

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	rundll32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
5796	svchost.exe
5796	svchost.exe
5796	svchost.exe
5796	svchost.exe
5796	svchost.exe
5796	svchost.exe
5796	svchost.exe
5796	svchost.exe
5796	svchost.exe
5796	svchost.exe
5796	svchost.exe
5796	svchost.exe
5796	svchost.exe
5796	svchost.exe
5796	svchost.exe
5796	svchost.exe
5796	svchost.exe
5796	svchost.exe
5796	svchost.exe
5796	svchost.exe
5796	svchost.exe
5796	svchost.exe
5796	svchost.exe
5796	svchost.exe
5796	svchost.exe
5796	svchost.exe
5796	svchost.exe
5796	svchost.exe
5796	svchost.exe
5796	svchost.exe
5796	svchost.exe
5796	svchost.exe
5796	svchost.exe
5796	svchost.exe
5796	svchost.exe
5796	svchost.exe
5796	svchost.exe
5796	svchost.exe
5796	svchost.exe
5796	svchost.exe
5796	svchost.exe
5796	svchost.exe
5796	svchost.exe
5796	svchost.exe
5796	svchost.exe
5796	svchost.exe
5796	svchost.exe
5796	svchost.exe
5796	svchost.exe
5796	svchost.exe
5796	svchost.exe
5796	svchost.exe
5796	svchost.exe
5796	svchost.exe
5796	svchost.exe
5796	svchost.exe
5796	svchost.exe
5796	svchost.exe
5796	svchost.exe
5796	svchost.exe
5796	svchost.exe
5796	svchost.exe
5796	svchost.exe
5796	svchost.exe

Suspicious use of AdjustPrivilegeToken 8 IoCs

description	pid	Process
Token: SeBackupPrivilege	4712	rundll32.exe
Token: SeRestorePrivilege	4712	rundll32.exe
Token: SeBackupPrivilege	4712	rundll32.exe
Token: SeRestorePrivilege	4712	rundll32.exe
Token: SeBackupPrivilege	4712	rundll32.exe
Token: SeRestorePrivilege	4712	rundll32.exe
Token: SeBackupPrivilege	4712	rundll32.exe
Token: SeRestorePrivilege	4712	rundll32.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 4264 wrote to memory of 4712	4264	rundll32.exe	85
PID 4264 wrote to memory of 4712	4264	rundll32.exe	85
PID 4264 wrote to memory of 4712	4264	rundll32.exe	85

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_5e783049dbd6739cab598a8e4f5789b0.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:4264
- C:\Windows\SysWOW64\rundll32.exe
  rundll32.exe C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_5e783049dbd6739cab598a8e4f5789b0.dll,#1
  2⤵
  - Drops file in Program Files directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  PID:4712

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k imgsvc
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
PID:5796

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\??\c:\program files (x86)\xtuv\dtuvwxyab.jpg

Filesize
14.0MB

MD5
08bbb867ac6705a91778a34a33a6291e

SHA1
b1a862a31784ca0cc9e679ee0ce2f5f1d41318b3

SHA256
f7419adeb1464199c6cc0f8664befb3c7a23de9ed03e832365501b74358091a5

SHA512
71d0ddea12ff0c4d2e3564656cbf5145477e279d2c02c192d3a31fc324229afb90e8d980710727ff832b1bef8999f5531cae661f9d4aab82d1cfb605a750d40b

Download Submit