gh0strat | 9d157629cbc5b7e985eca8101da2d3671792d3b8ef84e9b95ee6a6ac77450c20

Analysis

max time kernel
34s
max time network
35s
platform
windows10-2004_x64
resource
win10v2004-20250217-en
resource tags

arch:x64arch:x86image:win10v2004-20250217-enlocale:en-usos:windows10-2004-x64system
submitted
10/03/2025, 16:01

Sharing

Copy URL

Twitter E-mail

Reason

Machine shutdown

Report Analysis Logs

General

Target

JaffaCakes118_601376077d95cde5b2d4eeb57b661567.exe
Size

94KB
MD5

601376077d95cde5b2d4eeb57b661567
SHA1

528615a7878a01efb9f6338d2fa8ce869ea2d47c
SHA256

9d157629cbc5b7e985eca8101da2d3671792d3b8ef84e9b95ee6a6ac77450c20
SHA512

8afe335fda5ee62b8a540e52ebc6c40534f30ad265cc403e0cabde1f5b3471535dd3b890ba169505312ec2e877e747b111f631e4fddf9e0c419b690b853a0adc
SSDEEP

1536:xEFusSx9qYMhdFHS8qdydo3nTzhYxJA+CwNUtBZVY9v8pr8GODKL175DMtQBR:x2S4jHS8q/3nTzePCwNUh4E9xhIq

Score

10^/10

gh0strat discovery rat

Malware Config

Signatures

Gh0st RAT payload 5 IoCs

resource	yara_rule
behavioral2/files/0x0004000000022a03-14.dat	family_gh0strat
behavioral2/memory/1908-16-0x0000000000400000-0x000000000044E200-memory.dmp	family_gh0strat
behavioral2/memory/1132-19-0x0000000020000000-0x0000000020027000-memory.dmp	family_gh0strat
behavioral2/memory/4220-24-0x0000000020000000-0x0000000020027000-memory.dmp	family_gh0strat
behavioral2/memory/3028-29-0x0000000020000000-0x0000000020027000-memory.dmp	family_gh0strat

Gh0strat
Gh0st RAT is a remote access tool (RAT) with its source code public and it has been used by multiple Chinese groups.
rat gh0strat
Gh0strat family
gh0strat

Deletes itself 1 IoCs

pid	Process
1908	gpvwitbbue

Executes dropped EXE 1 IoCs

pid	Process
1908	gpvwitbbue

Loads dropped DLL 3 IoCs

pid	Process
1132	svchost.exe
4220	svchost.exe
3028	svchost.exe

Drops file in System32 directory 6 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\svchost.exe.txt	svchost.exe
File created	C:\Windows\SysWOW64\varitudnmq	svchost.exe
File opened for modification	C:\Windows\SysWOW64\svchost.exe.txt	svchost.exe
File created	C:\Windows\SysWOW64\vifbcxfkyl	svchost.exe
File opened for modification	C:\Windows\SysWOW64\svchost.exe.txt	svchost.exe
File created	C:\Windows\SysWOW64\vifbcxfkyl	svchost.exe

Program crash 3 IoCs

pid	pid_target	Process	procid_target
4944	1132	WerFault.exe	98
552	4220	WerFault.exe	103
1628	3028	WerFault.exe	106

System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_601376077d95cde5b2d4eeb57b661567.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	gpvwitbbue
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
1908	gpvwitbbue
1908	gpvwitbbue

Suspicious use of AdjustPrivilegeToken 46 IoCs

description	pid	Process
Token: SeRestorePrivilege	1908	gpvwitbbue
Token: SeBackupPrivilege	1908	gpvwitbbue
Token: SeBackupPrivilege	1908	gpvwitbbue
Token: SeRestorePrivilege	1908	gpvwitbbue
Token: SeBackupPrivilege	1132	svchost.exe
Token: SeRestorePrivilege	1132	svchost.exe
Token: SeBackupPrivilege	1132	svchost.exe
Token: SeBackupPrivilege	1132	svchost.exe
Token: SeSecurityPrivilege	1132	svchost.exe
Token: SeSecurityPrivilege	1132	svchost.exe
Token: SeBackupPrivilege	1132	svchost.exe
Token: SeBackupPrivilege	1132	svchost.exe
Token: SeSecurityPrivilege	1132	svchost.exe
Token: SeBackupPrivilege	1132	svchost.exe
Token: SeBackupPrivilege	1132	svchost.exe
Token: SeSecurityPrivilege	1132	svchost.exe
Token: SeBackupPrivilege	1132	svchost.exe
Token: SeRestorePrivilege	1132	svchost.exe
Token: SeBackupPrivilege	4220	svchost.exe
Token: SeRestorePrivilege	4220	svchost.exe
Token: SeBackupPrivilege	4220	svchost.exe
Token: SeBackupPrivilege	4220	svchost.exe
Token: SeSecurityPrivilege	4220	svchost.exe
Token: SeSecurityPrivilege	4220	svchost.exe
Token: SeBackupPrivilege	4220	svchost.exe
Token: SeBackupPrivilege	4220	svchost.exe
Token: SeSecurityPrivilege	4220	svchost.exe
Token: SeBackupPrivilege	4220	svchost.exe
Token: SeBackupPrivilege	4220	svchost.exe
Token: SeSecurityPrivilege	4220	svchost.exe
Token: SeBackupPrivilege	4220	svchost.exe
Token: SeRestorePrivilege	4220	svchost.exe
Token: SeBackupPrivilege	3028	svchost.exe
Token: SeRestorePrivilege	3028	svchost.exe
Token: SeBackupPrivilege	3028	svchost.exe
Token: SeBackupPrivilege	3028	svchost.exe
Token: SeSecurityPrivilege	3028	svchost.exe
Token: SeSecurityPrivilege	3028	svchost.exe
Token: SeBackupPrivilege	3028	svchost.exe
Token: SeBackupPrivilege	3028	svchost.exe
Token: SeSecurityPrivilege	3028	svchost.exe
Token: SeBackupPrivilege	3028	svchost.exe
Token: SeBackupPrivilege	3028	svchost.exe
Token: SeSecurityPrivilege	3028	svchost.exe
Token: SeBackupPrivilege	3028	svchost.exe
Token: SeRestorePrivilege	3028	svchost.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 4312 wrote to memory of 1908	4312	JaffaCakes118_601376077d95cde5b2d4eeb57b661567.exe	93
PID 4312 wrote to memory of 1908	4312	JaffaCakes118_601376077d95cde5b2d4eeb57b661567.exe	93
PID 4312 wrote to memory of 1908	4312	JaffaCakes118_601376077d95cde5b2d4eeb57b661567.exe	93

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_601376077d95cde5b2d4eeb57b661567.exe
"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_601376077d95cde5b2d4eeb57b661567.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4312
- \??\c:\users\admin\appdata\local\gpvwitbbue
  "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_601376077d95cde5b2d4eeb57b661567.exe" a -sc:\users\admin\appdata\local\temp\jaffacakes118_601376077d95cde5b2d4eeb57b661567.exe
  2⤵
  - Deletes itself
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1908

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k netsvcs -s fastuserswitchingcompatibility
1⤵
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
PID:1132
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 1132 -s 856
  2⤵
  - Program crash
  PID:4944

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 1132 -ip 1132
1⤵
PID:4616

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k netsvcs -s fastuserswitchingcompatibility
1⤵
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
PID:4220
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 4220 -s 856
  2⤵
  - Program crash
  PID:552

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 524 -p 4220 -ip 4220
1⤵
PID:4360

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k netsvcs -s fastuserswitchingcompatibility
1⤵
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
PID:3028
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 3028 -s 1080
  2⤵
  - Program crash
  PID:1628

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 540 -p 3028 -ip 3028
1⤵
PID:1056

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\gpvwitbbue

Filesize
23.0MB

MD5
0f1034dfe1e990b18fef0b9cf17ae80b

SHA1
400a6a6cf62794bc6986b0b4aca2467d6601d1c2

SHA256
cc472d3c80b0fa87156faf98c67043ca489d8fe93e7c24fceda4589de1e8434b

SHA512
861e3d0bf2456d6eb14fed8f247a5480e04cef3609ab5d54de127d1a1bd76a52fb490e8f552f4a858f9ff176ce89eb826be0e51712cf33f083a9a594ae42127f

Download Submit
C:\Windows\SysWOW64\svchost.exe.txt

Filesize
200B

MD5
357c30175cc8531c4572555eefc90c62

SHA1
a24497a2f19e6544fac75b9553cee02d109133be

SHA256
00d552d37585a30da9c2b0b68011a01968a2b521aab18f6870a849d33ee7769a

SHA512
7dfd6e4910df616562595e6c68b17d88bb783ab8fb809d9b986fcde3983d3fa64e1717809cff1dfab2481b116fd2ab179fd1d685c502eaefebbadca816950b37

Download Submit
C:\Windows\SysWOW64\svchost.exe.txt

Filesize
258B

MD5
73b0f89e1234e42c38523b1cbbf9e4bf

SHA1
ebd0f816e15903f56258222a68463d60b6e8d206

SHA256
0f665f1082eb6bcbe8f9ee713b3482b869f169ebea31beea35213f70adb6a0be

SHA512
cc8d785eed49e2af2288f9830c323d2a7dd76539732cad16c3518903ce5215c61e472176d5a9a3b2fdb69f67bbbe11b0d8b62a22bc80f7df4dfbce80a38a76d5

Download Submit
\??\c:\programdata\application data\storm\update\%sessionname%\knulq.cc3

Filesize
22.0MB

MD5
66ea24436c29c57e336af53115ab1afd

SHA1
2a5824d09d50fecb0c1735cb9134a83922a923cc

SHA256
d22f535b2c1b9a40506a126e99f13a713d18ffe252515ba0156a41ad78c2af76

SHA512
823fc566ec431bf2db79382785da3758556769f4833d18af7957f852641b6d5f429ec72916001c724b70c1caa9ffcdb50ab802bbd13959c4bf5652f6396347e4

Download Submit
memory/1132-19-0x0000000020000000-0x0000000020027000-memory.dmp

Filesize
156KB

Download
memory/1132-17-0x0000000001DF0000-0x0000000001DF1000-memory.dmp

Filesize
4KB

Download
memory/1908-11-0x00000000001D0000-0x00000000001D1000-memory.dmp

Filesize
4KB

Download
memory/1908-16-0x0000000000400000-0x000000000044E200-memory.dmp

Filesize
312KB

Download
memory/1908-8-0x0000000000400000-0x000000000044E200-memory.dmp

Filesize
312KB

Download
memory/3028-26-0x00000000022A0000-0x00000000022A1000-memory.dmp

Filesize
4KB

Download
memory/3028-29-0x0000000020000000-0x0000000020027000-memory.dmp

Filesize
156KB

Download
memory/4220-21-0x00000000017E0000-0x00000000017E1000-memory.dmp

Filesize
4KB

Download
memory/4220-24-0x0000000020000000-0x0000000020027000-memory.dmp

Filesize
156KB

Download
memory/4312-0-0x0000000000400000-0x000000000044E200-memory.dmp

Filesize
312KB

Download
memory/4312-7-0x0000000000400000-0x000000000044E200-memory.dmp

Filesize
312KB

Download
memory/4312-2-0x00000000001D0000-0x00000000001D1000-memory.dmp

Filesize
4KB

Download