gh0strat | 9f587ce911e0af79e44c483392ea3eeea4c0367c0af133fe984a30d0caee1627

Analysis

max time kernel
150s
max time network
120s
platform
windows7_x64
resource
win7-20241010-en
resource tags

arch:x64arch:x86image:win7-20241010-enlocale:en-usos:windows7-x64system
submitted
11/03/2025, 02:44

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

JaffaCakes118_62c284e413906e5db4d7c4e5291c8c59.exe
Size

320KB
MD5

62c284e413906e5db4d7c4e5291c8c59
SHA1

8ed758d0abf36b57c5ab6e7485eface4180e3730
SHA256

9f587ce911e0af79e44c483392ea3eeea4c0367c0af133fe984a30d0caee1627
SHA512

1e3ed9fb3c443cb1e16925a19b5bf9b285843315e5e667be0dfc1f4615f30af3499a68378ee1458565ca8c7ae2222937f3d368e41087c72286820936745f1964
SSDEEP

6144:IvM/Haymfu4nDWgRAkPD2GQn8xID0DMF3kBydfSN5ndyaizYuyLn5:p6DR3PD2GLxe0Dvya5n3ize

Score

10^/10

gh0strat discovery persistence rat

Malware Config

Signatures

Gh0st RAT payload 5 IoCs

resource	yara_rule
behavioral1/memory/2576-7-0x0000000000400000-0x0000000000477000-memory.dmp	family_gh0strat
behavioral1/memory/2576-15-0x0000000000400000-0x0000000000477000-memory.dmp	family_gh0strat
behavioral1/memory/2600-17-0x0000000010000000-0x000000001001E000-memory.dmp	family_gh0strat
behavioral1/files/0x00080000000120fc-16.dat	family_gh0strat
behavioral1/memory/2600-18-0x0000000010000000-0x000000001001E000-memory.dmp	family_gh0strat

Gh0strat
Gh0st RAT is a remote access tool (RAT) with its source code public and it has been used by multiple Chinese groups.
rat gh0strat
Gh0strat family
gh0strat

Server Software Component: Terminal Services DLL 1 TTPs 1 IoCs

persistence

Terminal Services DLL

T1505.005

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\rsnet_\Parameters\ServiceDll = "C:\\Program Files\\Common Files\\Microsoft Shared\\MSInfo\\rsnet.dll"	JaffaCakes118_62c284e413906e5db4d7c4e5291c8c59.exe

Deletes itself 1 IoCs

pid	Process
2600	svchost.exe

Loads dropped DLL 1 IoCs

pid	Process
2600	svchost.exe

Drops file in Program Files directory 2 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\MSInfo	JaffaCakes118_62c284e413906e5db4d7c4e5291c8c59.exe
File created	C:\Program Files\Common Files\Microsoft Shared\MSInfo\rsnet.dll	JaffaCakes118_62c284e413906e5db4d7c4e5291c8c59.exe

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_62c284e413906e5db4d7c4e5291c8c59.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_62c284e413906e5db4d7c4e5291c8c59.exe
"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_62c284e413906e5db4d7c4e5291c8c59.exe"
1⤵
- Server Software Component: Terminal Services DLL
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
PID:2576

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k netsvcs
1⤵
- Deletes itself
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:2600

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Server Software Component

T1505

Terminal Services DLL

T1505.005

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\Program Files\Common Files\Microsoft Shared\MSInfo\rsnet.dll

Filesize
105KB

MD5
536d7ab4530edf0135ba0b5414c5b23c

SHA1
fde91f6d0e515d2c51aadc79ed0953f7d5f130ec

SHA256
c0ffb3e773eedb7a58733c27ebe5e01cc4e34a827acdddbfc243be4da4f7ca43

SHA512
1718951141575640e6c2b9406534160d0904e6442a8608ac6bca52b8ff573c3b2473e8392e66c1beb99ce0df2d3790b007edc3e67713dbe822e8631c230a0ce8

Download Submit
memory/2576-3-0x0000000000220000-0x0000000000260000-memory.dmp

Filesize
256KB

Download
memory/2576-14-0x0000000000220000-0x0000000000260000-memory.dmp

Filesize
256KB

Download
memory/2576-7-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/2576-5-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/2576-4-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/2576-1-0x0000000000220000-0x0000000000260000-memory.dmp

Filesize
256KB

Download
memory/2576-6-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/2576-2-0x0000000000260000-0x0000000000261000-memory.dmp

Filesize
4KB

Download
memory/2576-15-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/2576-8-0x0000000001D90000-0x0000000001EA0000-memory.dmp

Filesize
1.1MB

Download
memory/2576-0-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/2576-9-0x0000000000401000-0x0000000000407000-memory.dmp

Filesize
24KB

Download
memory/2600-17-0x0000000010000000-0x000000001001E000-memory.dmp

Filesize
120KB

Download
memory/2600-18-0x0000000010000000-0x000000001001E000-memory.dmp

Filesize
120KB

Download