gh0strat | 3401ae8d0596c1bdb3a4d648b19f4f7ba09a5b2f1c257462fc5d39eeca8204f7

Analysis

max time kernel
96s
max time network
138s
platform
windows10-2004_x64
resource
win10v2004-20250217-en
resource tags

arch:x64arch:x86image:win10v2004-20250217-enlocale:en-usos:windows10-2004-x64system
submitted
11/03/2025, 03:12

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

JaffaCakes118_62df764b94ae043ad69629d432da1c48.exe
Size

200KB
MD5

62df764b94ae043ad69629d432da1c48
SHA1

d0d481dac98531afafc8dac916fba8dd54d4ae1f
SHA256

3401ae8d0596c1bdb3a4d648b19f4f7ba09a5b2f1c257462fc5d39eeca8204f7
SHA512

39d031e4708f461998fb7bf188c88c0a3743d8332bf3d088bcb81220a2b5ae2b7893891fb180bff4015c0629abb1a2b809c45d68010bd5bb0761cdad23072eda
SSDEEP

6144:UsYy5nW8Q0BGyPWbyFYPbzcTBlhHrqndntyd:BrW8HebEYPbzcT3n

Score

10^/10

gh0strat discovery rat

Malware Config

Signatures

Gh0st RAT payload 9 IoCs

resource	yara_rule
behavioral2/memory/3612-0-0x0000000000400000-0x0000000000432800-memory.dmp	family_gh0strat
behavioral2/files/0x000200000001e70f-4.dat	family_gh0strat
behavioral2/memory/2776-5-0x0000000000400000-0x0000000000432800-memory.dmp	family_gh0strat
behavioral2/memory/3612-7-0x0000000000400000-0x0000000000432800-memory.dmp	family_gh0strat
behavioral2/files/0x00060000000229d4-10.dat	family_gh0strat
behavioral2/memory/2776-12-0x0000000000400000-0x0000000000432800-memory.dmp	family_gh0strat
behavioral2/memory/3116-15-0x0000000020000000-0x0000000020027000-memory.dmp	family_gh0strat
behavioral2/memory/3488-20-0x0000000020000000-0x0000000020027000-memory.dmp	family_gh0strat
behavioral2/memory/1056-25-0x0000000020000000-0x0000000020027000-memory.dmp	family_gh0strat

Gh0strat
Gh0st RAT is a remote access tool (RAT) with its source code public and it has been used by multiple Chinese groups.
rat gh0strat
Gh0strat family
gh0strat

Deletes itself 1 IoCs

pid	Process
2776	hxvbruslhp

Executes dropped EXE 1 IoCs

pid	Process
2776	hxvbruslhp

Loads dropped DLL 3 IoCs

pid	Process
3116	svchost.exe
3488	svchost.exe
1056	svchost.exe

Drops file in System32 directory 6 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\vcqyibtecq	svchost.exe
File opened for modification	C:\Windows\SysWOW64\svchost.exe.txt	svchost.exe
File created	C:\Windows\SysWOW64\vlfsqewcpl	svchost.exe
File opened for modification	C:\Windows\SysWOW64\svchost.exe.txt	svchost.exe
File created	C:\Windows\SysWOW64\vtslyhyach	svchost.exe
File opened for modification	C:\Windows\SysWOW64\svchost.exe.txt	svchost.exe

Program crash 3 IoCs

pid	pid_target	Process	procid_target
4212	3116	WerFault.exe	93
1788	3488	WerFault.exe	98
3500	1056	WerFault.exe	101

System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_62df764b94ae043ad69629d432da1c48.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	hxvbruslhp
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
2776	hxvbruslhp
2776	hxvbruslhp

Suspicious use of AdjustPrivilegeToken 46 IoCs

description	pid	Process
Token: SeRestorePrivilege	2776	hxvbruslhp
Token: SeBackupPrivilege	2776	hxvbruslhp
Token: SeBackupPrivilege	2776	hxvbruslhp
Token: SeRestorePrivilege	2776	hxvbruslhp
Token: SeBackupPrivilege	3116	svchost.exe
Token: SeRestorePrivilege	3116	svchost.exe
Token: SeBackupPrivilege	3116	svchost.exe
Token: SeBackupPrivilege	3116	svchost.exe
Token: SeSecurityPrivilege	3116	svchost.exe
Token: SeSecurityPrivilege	3116	svchost.exe
Token: SeBackupPrivilege	3116	svchost.exe
Token: SeBackupPrivilege	3116	svchost.exe
Token: SeSecurityPrivilege	3116	svchost.exe
Token: SeBackupPrivilege	3116	svchost.exe
Token: SeBackupPrivilege	3116	svchost.exe
Token: SeSecurityPrivilege	3116	svchost.exe
Token: SeBackupPrivilege	3116	svchost.exe
Token: SeRestorePrivilege	3116	svchost.exe
Token: SeBackupPrivilege	3488	svchost.exe
Token: SeRestorePrivilege	3488	svchost.exe
Token: SeBackupPrivilege	3488	svchost.exe
Token: SeBackupPrivilege	3488	svchost.exe
Token: SeSecurityPrivilege	3488	svchost.exe
Token: SeSecurityPrivilege	3488	svchost.exe
Token: SeBackupPrivilege	3488	svchost.exe
Token: SeBackupPrivilege	3488	svchost.exe
Token: SeSecurityPrivilege	3488	svchost.exe
Token: SeBackupPrivilege	3488	svchost.exe
Token: SeBackupPrivilege	3488	svchost.exe
Token: SeSecurityPrivilege	3488	svchost.exe
Token: SeBackupPrivilege	3488	svchost.exe
Token: SeRestorePrivilege	3488	svchost.exe
Token: SeBackupPrivilege	1056	svchost.exe
Token: SeRestorePrivilege	1056	svchost.exe
Token: SeBackupPrivilege	1056	svchost.exe
Token: SeBackupPrivilege	1056	svchost.exe
Token: SeSecurityPrivilege	1056	svchost.exe
Token: SeSecurityPrivilege	1056	svchost.exe
Token: SeBackupPrivilege	1056	svchost.exe
Token: SeBackupPrivilege	1056	svchost.exe
Token: SeSecurityPrivilege	1056	svchost.exe
Token: SeBackupPrivilege	1056	svchost.exe
Token: SeBackupPrivilege	1056	svchost.exe
Token: SeSecurityPrivilege	1056	svchost.exe
Token: SeBackupPrivilege	1056	svchost.exe
Token: SeRestorePrivilege	1056	svchost.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 3612 wrote to memory of 2776	3612	JaffaCakes118_62df764b94ae043ad69629d432da1c48.exe	88
PID 3612 wrote to memory of 2776	3612	JaffaCakes118_62df764b94ae043ad69629d432da1c48.exe	88
PID 3612 wrote to memory of 2776	3612	JaffaCakes118_62df764b94ae043ad69629d432da1c48.exe	88

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_62df764b94ae043ad69629d432da1c48.exe
"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_62df764b94ae043ad69629d432da1c48.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3612
- \??\c:\users\admin\appdata\local\hxvbruslhp
  "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_62df764b94ae043ad69629d432da1c48.exe" a -sc:\users\admin\appdata\local\temp\jaffacakes118_62df764b94ae043ad69629d432da1c48.exe
  2⤵
  - Deletes itself
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2776

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k netsvcs -s fastuserswitchingcompatibility
1⤵
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
PID:3116
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 3116 -s 1096
  2⤵
  - Program crash
  PID:4212

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 452 -p 3116 -ip 3116
1⤵
PID:972

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k netsvcs -s fastuserswitchingcompatibility
1⤵
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
PID:3488
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 3488 -s 928
  2⤵
  - Program crash
  PID:1788

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 404 -p 3488 -ip 3488
1⤵
PID:4692

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k netsvcs -s fastuserswitchingcompatibility
1⤵
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
PID:1056
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 1056 -s 1060
  2⤵
  - Program crash
  PID:3500

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 524 -p 1056 -ip 1056
1⤵
PID:336

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\hxvbruslhp

Filesize
23.0MB

MD5
5c6e1c5bd954ac1930d88f62d1ec80d5

SHA1
b4f7112efb4105f43ef2c88fbcd39273bd68b631

SHA256
a2ab4fcf11b87085e7377dd9371e56403e9c55fc7e27bceda4ef2ff5b4817828

SHA512
4b66f174d25476244feb95325359a229f4f6316d5d526f9af24ce096f219607fee61843a83efe3972494592d3cd513853663c14c6adf152a7b7ed4bf3bba4c72

Download Submit
C:\Windows\SysWOW64\svchost.exe.txt

Filesize
202B

MD5
97e4fd9592e990f08129216c28b47ac9

SHA1
d96eda1ddc5b2acb09fde561a78b9f4380e2bf6d

SHA256
22eb90115a1b9d5204b8a9ec4cc4fccf067dff05c479a55302d40a4eec3a3d73

SHA512
5ee60053012016eb15b078f647084cb94575d6eacfcf8055459ac1451f8f30174ec5624e42c3726868fa24d07b12d007e3ff3750a6d9e9fa5dbef31d70fc7a97

Download Submit
C:\Windows\SysWOW64\svchost.exe.txt

Filesize
303B

MD5
23d07988defadf9bd8e27c0d283f1a97

SHA1
b3559e1973bcd0593f6c3cf5eeadc52762c06d58

SHA256
9f17e203687894cc0dbd7c7f0a54c36cc93f1cabe5bc3939e19a03d16ae4d145

SHA512
f5eb61097c714a769c41829e0a28607622af525ec293c24c0f1dc7fc14f35e4cf1f3bc7b4b1b6424e3d6124d96f5354291ed4b2283a1ad33b436604d785b643f

Download Submit
\??\c:\programdata\drm\%sessionname%\qrtxn.mp3

Filesize
19.0MB

MD5
c0a10399e0c027042d542ce54b856bd4

SHA1
269c0c30f918d7a3708df8643d118608f97bd18c

SHA256
5a029dec11dd4d9887f3e02cb56302cad31417e8c81206ffc2deca65a5789ccb

SHA512
8bc9f6c387b81452a66723c80330b7702374fa438bd32ed49f9ebc68bb888fe4bc9430fb2cdc4b50bb07ab38b1e075bd2dca5a0610bb01c1f95b3f1e93042f5b

Download Submit
memory/1056-25-0x0000000020000000-0x0000000020027000-memory.dmp

Filesize
156KB

Download
memory/1056-22-0x0000000002080000-0x0000000002081000-memory.dmp

Filesize
4KB

Download
memory/2776-5-0x0000000000400000-0x0000000000432800-memory.dmp

Filesize
202KB

Download
memory/2776-12-0x0000000000400000-0x0000000000432800-memory.dmp

Filesize
202KB

Download
memory/3116-13-0x0000000000FF0000-0x0000000000FF1000-memory.dmp

Filesize
4KB

Download
memory/3116-15-0x0000000020000000-0x0000000020027000-memory.dmp

Filesize
156KB

Download
memory/3488-17-0x0000000001F90000-0x0000000001F91000-memory.dmp

Filesize
4KB

Download
memory/3488-20-0x0000000020000000-0x0000000020027000-memory.dmp

Filesize
156KB

Download
memory/3612-0-0x0000000000400000-0x0000000000432800-memory.dmp

Filesize
202KB

Download
memory/3612-7-0x0000000000400000-0x0000000000432800-memory.dmp

Filesize
202KB

Download