gh0strat | 52b931c8114b0190c0789eea3eb6714e3faf86a80f1ee295dd958a70ce7f4da2

Analysis

max time kernel
93s
max time network
141s
platform
windows10-2004_x64
resource
win10v2004-20250217-en
resource tags

arch:x64arch:x86image:win10v2004-20250217-enlocale:en-usos:windows10-2004-x64system
submitted
10/03/2025, 17:55

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

JaffaCakes118_6094f5dcadc9e0131ef88e136857e8b4.exe
Size

94KB
MD5

6094f5dcadc9e0131ef88e136857e8b4
SHA1

b488ceb6bbf0ec3eb9eac179aba1860ed619dfe8
SHA256

52b931c8114b0190c0789eea3eb6714e3faf86a80f1ee295dd958a70ce7f4da2
SHA512

15626b4291490a0e8109ac8fc3457844d8129ff5b8d92afcb6605e612c881b4f5bf1af2c7ca9e6ceb488d3686630f39f440e574df22a2bce1e66e96c3cf7c01c
SSDEEP

1536:pnJFusSx9qYMhdFHS8qdydo3nTzhYxJA+CwNUtBZVY9v8prGwdn+:pnfS4jHS8q/3nTzePCwNUh4E9G8+

Score

10^/10

gh0strat discovery rat

Malware Config

Signatures

Gh0st RAT payload 5 IoCs

resource	yara_rule
behavioral2/files/0x000d000000023c67-15.dat	family_gh0strat
behavioral2/memory/4472-17-0x0000000000400000-0x000000000044C60F-memory.dmp	family_gh0strat
behavioral2/memory/564-20-0x0000000020000000-0x0000000020027000-memory.dmp	family_gh0strat
behavioral2/memory/3984-25-0x0000000020000000-0x0000000020027000-memory.dmp	family_gh0strat
behavioral2/memory/3024-30-0x0000000020000000-0x0000000020027000-memory.dmp	family_gh0strat

Gh0strat
Gh0st RAT is a remote access tool (RAT) with its source code public and it has been used by multiple Chinese groups.
rat gh0strat
Gh0strat family
gh0strat

Deletes itself 1 IoCs

pid	Process
4472	mdgdnxjpsv

Executes dropped EXE 1 IoCs

pid	Process
4472	mdgdnxjpsv

Loads dropped DLL 3 IoCs

pid	Process
564	svchost.exe
3984	svchost.exe
3024	svchost.exe

Drops file in System32 directory 6 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\npxssfjxde	svchost.exe
File opened for modification	C:\Windows\SysWOW64\svchost.exe.txt	svchost.exe
File created	C:\Windows\SysWOW64\nxllbimvqy	svchost.exe
File opened for modification	C:\Windows\SysWOW64\svchost.exe.txt	svchost.exe
File created	C:\Windows\SysWOW64\ngaejlotdu	svchost.exe
File opened for modification	C:\Windows\SysWOW64\svchost.exe.txt	svchost.exe

Program crash 3 IoCs

pid	pid_target	Process	procid_target
1460	564	WerFault.exe	94
2996	3984	WerFault.exe	100
1388	3024	WerFault.exe	103

System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_6094f5dcadc9e0131ef88e136857e8b4.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mdgdnxjpsv
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
4472	mdgdnxjpsv
4472	mdgdnxjpsv

Suspicious use of AdjustPrivilegeToken 46 IoCs

description	pid	Process
Token: SeRestorePrivilege	4472	mdgdnxjpsv
Token: SeBackupPrivilege	4472	mdgdnxjpsv
Token: SeBackupPrivilege	4472	mdgdnxjpsv
Token: SeRestorePrivilege	4472	mdgdnxjpsv
Token: SeBackupPrivilege	564	svchost.exe
Token: SeRestorePrivilege	564	svchost.exe
Token: SeBackupPrivilege	564	svchost.exe
Token: SeBackupPrivilege	564	svchost.exe
Token: SeSecurityPrivilege	564	svchost.exe
Token: SeSecurityPrivilege	564	svchost.exe
Token: SeBackupPrivilege	564	svchost.exe
Token: SeBackupPrivilege	564	svchost.exe
Token: SeSecurityPrivilege	564	svchost.exe
Token: SeBackupPrivilege	564	svchost.exe
Token: SeBackupPrivilege	564	svchost.exe
Token: SeSecurityPrivilege	564	svchost.exe
Token: SeBackupPrivilege	564	svchost.exe
Token: SeRestorePrivilege	564	svchost.exe
Token: SeBackupPrivilege	3984	svchost.exe
Token: SeRestorePrivilege	3984	svchost.exe
Token: SeBackupPrivilege	3984	svchost.exe
Token: SeBackupPrivilege	3984	svchost.exe
Token: SeSecurityPrivilege	3984	svchost.exe
Token: SeSecurityPrivilege	3984	svchost.exe
Token: SeBackupPrivilege	3984	svchost.exe
Token: SeBackupPrivilege	3984	svchost.exe
Token: SeSecurityPrivilege	3984	svchost.exe
Token: SeBackupPrivilege	3984	svchost.exe
Token: SeBackupPrivilege	3984	svchost.exe
Token: SeSecurityPrivilege	3984	svchost.exe
Token: SeBackupPrivilege	3984	svchost.exe
Token: SeRestorePrivilege	3984	svchost.exe
Token: SeBackupPrivilege	3024	svchost.exe
Token: SeRestorePrivilege	3024	svchost.exe
Token: SeBackupPrivilege	3024	svchost.exe
Token: SeBackupPrivilege	3024	svchost.exe
Token: SeSecurityPrivilege	3024	svchost.exe
Token: SeSecurityPrivilege	3024	svchost.exe
Token: SeBackupPrivilege	3024	svchost.exe
Token: SeBackupPrivilege	3024	svchost.exe
Token: SeSecurityPrivilege	3024	svchost.exe
Token: SeBackupPrivilege	3024	svchost.exe
Token: SeBackupPrivilege	3024	svchost.exe
Token: SeSecurityPrivilege	3024	svchost.exe
Token: SeBackupPrivilege	3024	svchost.exe
Token: SeRestorePrivilege	3024	svchost.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 116 wrote to memory of 4472	116	JaffaCakes118_6094f5dcadc9e0131ef88e136857e8b4.exe	88
PID 116 wrote to memory of 4472	116	JaffaCakes118_6094f5dcadc9e0131ef88e136857e8b4.exe	88
PID 116 wrote to memory of 4472	116	JaffaCakes118_6094f5dcadc9e0131ef88e136857e8b4.exe	88

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_6094f5dcadc9e0131ef88e136857e8b4.exe
"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_6094f5dcadc9e0131ef88e136857e8b4.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:116
- \??\c:\users\admin\appdata\local\mdgdnxjpsv
  "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_6094f5dcadc9e0131ef88e136857e8b4.exe" a -sc:\users\admin\appdata\local\temp\jaffacakes118_6094f5dcadc9e0131ef88e136857e8b4.exe
  2⤵
  - Deletes itself
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:4472

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k netsvcs -s fastuserswitchingcompatibility
1⤵
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
PID:564
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 564 -s 848
  2⤵
  - Program crash
  PID:1460

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 456 -p 564 -ip 564
1⤵
PID:2764

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k netsvcs -s fastuserswitchingcompatibility
1⤵
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
PID:3984
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 3984 -s 812
  2⤵
  - Program crash
  PID:2996

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 448 -p 3984 -ip 3984
1⤵
PID:4032

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k netsvcs -s fastuserswitchingcompatibility
1⤵
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
PID:3024
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 3024 -s 888
  2⤵
  - Program crash
  PID:1388

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 3024 -ip 3024
1⤵
PID:3928

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\mdgdnxjpsv

Filesize
23.5MB

MD5
c3d84770a63f5921d7fdddf0f8f51233

SHA1
459636260a8a64398a96ce3dcaa7e676b8149382

SHA256
b1dcc7cf0815e3dbaf0f867072870f824d71fcb4be537684b749e283399f96dc

SHA512
cc36238a74647dabfd9f5e6288c8aabde1222f3022ece0f04a8db64945339cb3f69f04377329583ac82f7b44fc31590079e647c62d0679b3169b248ca9f1c7a2

Download Submit
C:\Windows\SysWOW64\svchost.exe.txt

Filesize
204B

MD5
063795426e475450dd233a2badac7927

SHA1
de6a4c0d13eb756be8309b5de2bb982d2ef49924

SHA256
8d485a335c0e7bfe45a33c49d1e4beda1f0a44aa41427e56d85b3a281a5b3851

SHA512
8179c675ad65761eeace8cd77cbfa62a0d645ef7dd83feed3873f5f204e75fc479e98b6aa132c373b6aab8a055685629905c55769508e197496546defb1f30e1

Download Submit
C:\Windows\SysWOW64\svchost.exe.txt

Filesize
306B

MD5
0d4e88cb44eb550e48e416f437fb6d15

SHA1
6bc39a308fc45fb23b212abec4a27145d287de13

SHA256
94b3be3acc3f5d5da0cc5304aa472e39c1822946f898c4c5f84185b17b81f96e

SHA512
42a99e8a1bde45a36865560faedb15951436adb80c1d8f10d8e8aef8f627cf7d3b15e910231c9f68543a487623f28564bc961afc794cd10d4662bf78a529dadb

Download Submit
\??\c:\programdata\application data\storm\update\%sessionname%\srjrh.cc3

Filesize
20.0MB

MD5
1a713396b7ec524cd2d001ed674b1d82

SHA1
8f1ed61538ad2c620eca4cd29ad8a7473707e2b5

SHA256
2e58fa0e56ac11566bb9fff0a3c58f4b4d2285971e81c992176951b07e87e949

SHA512
41d5ae6db5af4371ed6ba4fc5558f8f960d426473faa7803e1a361a6e7ae6a9f64215f810486adc22a89779b9396d33805b0ff258115051913145956359ea64d

Download Submit
memory/116-2-0x00000000001D0000-0x00000000001D1000-memory.dmp

Filesize
4KB

Download
memory/116-12-0x0000000000400000-0x000000000044C60F-memory.dmp

Filesize
305KB

Download
memory/116-0-0x0000000000400000-0x000000000044C60F-memory.dmp

Filesize
305KB

Download
memory/564-18-0x0000000001DD0000-0x0000000001DD1000-memory.dmp

Filesize
4KB

Download
memory/564-20-0x0000000020000000-0x0000000020027000-memory.dmp

Filesize
156KB

Download
memory/3024-30-0x0000000020000000-0x0000000020027000-memory.dmp

Filesize
156KB

Download
memory/3024-27-0x0000000001A80000-0x0000000001A81000-memory.dmp

Filesize
4KB

Download
memory/3984-25-0x0000000020000000-0x0000000020027000-memory.dmp

Filesize
156KB

Download
memory/3984-22-0x0000000001DF0000-0x0000000001DF1000-memory.dmp

Filesize
4KB

Download
memory/4472-17-0x0000000000400000-0x000000000044C60F-memory.dmp

Filesize
305KB

Download
memory/4472-8-0x0000000000400000-0x000000000044C60F-memory.dmp

Filesize
305KB

Download
memory/4472-10-0x00000000001D0000-0x00000000001D1000-memory.dmp

Filesize
4KB

Download