gh0strat | 432bcc1338c4f448fe61779dad178f2c4489708a46a5bb06a7971eaa243f9b74

Analysis

max time kernel
95s
max time network
137s
platform
windows10-2004_x64
resource
win10v2004-20250217-en
resource tags

arch:x64arch:x86image:win10v2004-20250217-enlocale:en-usos:windows10-2004-x64system
submitted
10/03/2025, 14:14

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

JaffaCakes118_5f9bc3f863bc51015db3a83222ff4d2e.exe
Size

188KB
MD5

5f9bc3f863bc51015db3a83222ff4d2e
SHA1

efb5179bc4d034bd3343a1f0573ffe9d6d2d852a
SHA256

432bcc1338c4f448fe61779dad178f2c4489708a46a5bb06a7971eaa243f9b74
SHA512

8ca59654ad9bdd893974a783641c4f83ce183ddeb08413c48cd6eb8254f0f6064ebbd9410b1c5328be4c8f5852af6b4032efbd85162efd2a0bca92574940d108
SSDEEP

3072:z23OhUjSnWqeXbu3Xdp9CzyD688iY+EPH9N2BHwS8DwBmg5kyYjjwTrrrrrrE:632nWqeXbUJCG288i2HAQZCjCerrrrrr

Score

10^/10

gh0strat discovery rat

Malware Config

Signatures

Gh0st RAT payload 3 IoCs

resource	yara_rule
behavioral2/files/0x000400000001da7d-2.dat	family_gh0strat
behavioral2/memory/4996-6-0x0000000000400000-0x0000000000430000-memory.dmp	family_gh0strat
behavioral2/memory/4996-7-0x0000000020000000-0x0000000020027000-memory.dmp	family_gh0strat

Gh0strat
Gh0st RAT is a remote access tool (RAT) with its source code public and it has been used by multiple Chinese groups.
rat gh0strat
Gh0strat family
gh0strat

Loads dropped DLL 1 IoCs

pid	Process
4996	JaffaCakes118_5f9bc3f863bc51015db3a83222ff4d2e.exe

Drops file in Program Files directory 1 IoCs

description	ioc	Process
File opened for modification	C:\PROGRA~2\StormII\fuyhe.dlc	JaffaCakes118_5f9bc3f863bc51015db3a83222ff4d2e.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
4292	4996	WerFault.exe	83

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_5f9bc3f863bc51015db3a83222ff4d2e.exe

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
4996	JaffaCakes118_5f9bc3f863bc51015db3a83222ff4d2e.exe

Suspicious use of AdjustPrivilegeToken 7 IoCs

description	pid	Process
Token: SeBackupPrivilege	4996	JaffaCakes118_5f9bc3f863bc51015db3a83222ff4d2e.exe
Token: SeRestorePrivilege	4996	JaffaCakes118_5f9bc3f863bc51015db3a83222ff4d2e.exe
Token: SeBackupPrivilege	4996	JaffaCakes118_5f9bc3f863bc51015db3a83222ff4d2e.exe
Token: SeRestorePrivilege	4996	JaffaCakes118_5f9bc3f863bc51015db3a83222ff4d2e.exe
Token: SeBackupPrivilege	4996	JaffaCakes118_5f9bc3f863bc51015db3a83222ff4d2e.exe
Token: SeBackupPrivilege	4996	JaffaCakes118_5f9bc3f863bc51015db3a83222ff4d2e.exe
Token: SeSecurityPrivilege	4996	JaffaCakes118_5f9bc3f863bc51015db3a83222ff4d2e.exe

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_5f9bc3f863bc51015db3a83222ff4d2e.exe
"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_5f9bc3f863bc51015db3a83222ff4d2e.exe"
1⤵
- Loads dropped DLL
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: RenamesItself
- Suspicious use of AdjustPrivilegeToken
PID:4996
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 4996 -s 944
  2⤵
  - Program crash
  PID:4292

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 456 -p 4996 -ip 4996
1⤵
PID:984

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\StormII\fuyhe.dlc

Filesize
2.2MB

MD5
2b6ff069697b119b952add0b3af8b76b

SHA1
e6228e396e0fd79fc8e4840a8af7f4ea6c83c15a

SHA256
74d211a6805ed51f0622c13a2d32415faa0ccda95a1189105b2e6ddcd78e81d8

SHA512
73328139d707e4a6f779bc691b366b5f5ea67a41744b2de912d2c9436cd80977ceeddc4475ba0d6d63c6f339c08b2290f73bb40d72441abfb53dbb74070ede79

Download Submit
memory/4996-6-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/4996-7-0x0000000020000000-0x0000000020027000-memory.dmp

Filesize
156KB

Download