gh0strat | 7a5376903fe26fa792a55b3d4f995d34541fab173297fb7b70e22871ae866149

Analysis

max time kernel
150s
max time network
152s
platform
windows10-2004_x64
resource
win10v2004-20250217-en
resource tags

arch:x64arch:x86image:win10v2004-20250217-enlocale:en-usos:windows10-2004-x64system
submitted
11/03/2025, 03:17

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

JaffaCakes118_62e4ba7533320089f9b6710d20e29282.exe
Size

614KB
MD5

62e4ba7533320089f9b6710d20e29282
SHA1

f62947d65701d05f2c2236d842c4293da1279478
SHA256

7a5376903fe26fa792a55b3d4f995d34541fab173297fb7b70e22871ae866149
SHA512

a05a8a3367c146a6545c32ce6c3efb8a51c54e1c6b980384d2ea04c6ab471656be5045725aa90b0e29bd3538e8bc39d33ea81f9efe1354165e4892ff3f8237fc
SSDEEP

12288:6esLDOu68IwmMvMFpKIhMBlnOTB6zf8PDATGNBpRGQ7MZ862:hsEimM0bPsOTIoPDATkMJ2

Score

10^/10

gh0strat discovery persistence rat upx

Malware Config

Signatures

Gh0st RAT payload 3 IoCs

resource	yara_rule
behavioral2/memory/3084-67-0x0000000010000000-0x0000000010032000-memory.dmp	family_gh0strat
behavioral2/memory/3084-68-0x0000000010000000-0x0000000010032000-memory.dmp	family_gh0strat
behavioral2/memory/3084-72-0x0000000010000000-0x0000000010032000-memory.dmp	family_gh0strat

Gh0strat
Gh0st RAT is a remote access tool (RAT) with its source code public and it has been used by multiple Chinese groups.
rat gh0strat
Gh0strat family
gh0strat

Server Software Component: Terminal Services DLL 1 TTPs 1 IoCs

persistence

Terminal Services DLL

T1505.005

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet003\Services\BITS\Parameters\ServiceDll = "C:\\Windows\\system32\\bits.dll"	server.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-250031470-1197856012-2659781506-1000\Control Panel\International\Geo\Nation	JaffaCakes118_62e4ba7533320089f9b6710d20e29282.exe

Executes dropped EXE 1 IoCs

pid	Process
3084	server.exe

Loads dropped DLL 1 IoCs

pid	Process
3084	server.exe

Drops file in System32 directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\bits.dll	server.exe

UPX packed file 4 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/files/0x00020000000227b0-66.dat	upx
behavioral2/memory/3084-67-0x0000000010000000-0x0000000010032000-memory.dmp	upx
behavioral2/memory/3084-68-0x0000000010000000-0x0000000010032000-memory.dmp	upx
behavioral2/memory/3084-72-0x0000000010000000-0x0000000010032000-memory.dmp	upx

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	server.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_62e4ba7533320089f9b6710d20e29282.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
3084	server.exe
3084	server.exe
3084	server.exe
3084	server.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 3240 wrote to memory of 1572	3240	JaffaCakes118_62e4ba7533320089f9b6710d20e29282.exe	85
PID 3240 wrote to memory of 1572	3240	JaffaCakes118_62e4ba7533320089f9b6710d20e29282.exe	85
PID 3240 wrote to memory of 1572	3240	JaffaCakes118_62e4ba7533320089f9b6710d20e29282.exe	85
PID 3240 wrote to memory of 2120	3240	JaffaCakes118_62e4ba7533320089f9b6710d20e29282.exe	87
PID 3240 wrote to memory of 2120	3240	JaffaCakes118_62e4ba7533320089f9b6710d20e29282.exe	87
PID 3240 wrote to memory of 2120	3240	JaffaCakes118_62e4ba7533320089f9b6710d20e29282.exe	87
PID 2120 wrote to memory of 3084	2120	cmd.exe	89
PID 2120 wrote to memory of 3084	2120	cmd.exe	89
PID 2120 wrote to memory of 3084	2120	cmd.exe	89

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_62e4ba7533320089f9b6710d20e29282.exe
"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_62e4ba7533320089f9b6710d20e29282.exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3240
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ÌìÌì¸üÐÂ.exe.bat" "
  2⤵
  - System Location Discovery: System Language Discovery
  PID:1572
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\server.exe.bat" "
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2120
- - C:\Users\Admin\AppData\Local\Temp\server.exe
    "C:\Users\Admin\AppData\Local\Temp\server.exe"
    3⤵
    - Server Software Component: Terminal Services DLL
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    PID:3084

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Server Software Component

T1505

Terminal Services DLL

T1505.005

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\server.exe

Filesize
119KB

MD5
fc1b42d3ba4cf9289ffddab093f69b71

SHA1
9cc68096e94a0088f30cc420c3c3bfb78080ab86

SHA256
a282a5dca7ebff6402c6f7c51f2c6df41e3010a82dc916f9796bb67db315c9fd

SHA512
e25b50d7de17e08cc89fdd31d8c7cccdfa59bb3f5de63f7368b6c95f45a2063c57954f5c908d80ffcd21175229dd19e4b32f78e159289b9b430dcd8b28b94ed7

Download Submit
C:\Users\Admin\AppData\Local\Temp\server.exe.bat

Filesize
154B

MD5
72329485b67191d6d47d5dd4cc9b63e9

SHA1
58a997b8caa0ddac6fba5f2e0ba613a20011826b

SHA256
7d81d958a98c30821fc0448462b3f867dc2eb048ba30a56432abe3e18c780e5b

SHA512
6a222de5cd6d18fcf2bfad4134f17c207cf756e0da958b0702ffd3446abe8b0111d68133d15f7be3c12da2b5ce710c14b89fbbba8e294029663aca268df02bef

Download Submit
C:\Users\Admin\AppData\Local\Temp\ÌìÌì¸üÐÂ.exe.bat

Filesize
160B

MD5
39d63e0183a257628dcabff58857289b

SHA1
c13cc6957c6b07e5884084d8aad26e1f83b35968

SHA256
5d669407c287cbf3136c2049e1f8873bd3146a676d177b802dcd21cd488a201a

SHA512
ee73a63166ba66dfea6e00949f9b3b1f22722923b1cdf7207c0e4456dc52d8bd07e1da31cf1e81f86e488ff6d954c4b304ee81f2419ef504f1c3c96a83895c93

Download Submit
C:\Windows\SysWOW64\bits.dll

Filesize
103KB

MD5
aa56e054dea2042de7f8f4a5e1cb0194

SHA1
797ed5d7660c7b9f375406968ae0648f04655003

SHA256
6bd3b681aff9a76c8171c285cdd7ea30155e1dfcb85939450f3db5843a437764

SHA512
24ff874fab08c5c1e9a009849f6a6564dc91762eb0d0c120b522e7d1960bf155209fa9ed3d3c11604d04e5482cc85eb069b0c21d08599b833c1ac6cb8be791bd

Download Submit
memory/3084-57-0x0000000000520000-0x0000000000541000-memory.dmp

Filesize
132KB

Download
memory/3084-71-0x0000000000520000-0x0000000000541000-memory.dmp

Filesize
132KB

Download
memory/3084-72-0x0000000010000000-0x0000000010032000-memory.dmp

Filesize
200KB

Download
memory/3084-68-0x0000000010000000-0x0000000010032000-memory.dmp

Filesize
200KB

Download
memory/3084-67-0x0000000010000000-0x0000000010032000-memory.dmp

Filesize
200KB

Download
memory/3240-4-0x00000000023E0000-0x00000000023E1000-memory.dmp

Filesize
4KB

Download
memory/3240-42-0x00000000021A0000-0x00000000021A1000-memory.dmp

Filesize
4KB

Download
memory/3240-20-0x00000000034F0000-0x00000000034F1000-memory.dmp

Filesize
4KB

Download
memory/3240-19-0x00000000034F0000-0x00000000034F1000-memory.dmp

Filesize
4KB

Download
memory/3240-18-0x00000000034F0000-0x00000000034F1000-memory.dmp

Filesize
4KB

Download
memory/3240-17-0x00000000034F0000-0x00000000034F1000-memory.dmp

Filesize
4KB

Download
memory/3240-16-0x00000000034F0000-0x00000000034F1000-memory.dmp

Filesize
4KB

Download
memory/3240-15-0x00000000034F0000-0x00000000034F1000-memory.dmp

Filesize
4KB

Download
memory/3240-14-0x00000000034F0000-0x00000000034F1000-memory.dmp

Filesize
4KB

Download
memory/3240-13-0x0000000003470000-0x0000000003475000-memory.dmp

Filesize
20KB

Download
memory/3240-12-0x0000000003490000-0x0000000003491000-memory.dmp

Filesize
4KB

Download
memory/3240-11-0x0000000003480000-0x0000000003481000-memory.dmp

Filesize
4KB

Download
memory/3240-10-0x0000000002400000-0x0000000002401000-memory.dmp

Filesize
4KB

Download
memory/3240-8-0x0000000002410000-0x0000000002411000-memory.dmp

Filesize
4KB

Download
memory/3240-7-0x0000000002430000-0x0000000002431000-memory.dmp

Filesize
4KB

Download
memory/3240-6-0x0000000002460000-0x0000000002461000-memory.dmp

Filesize
4KB

Download
memory/3240-5-0x0000000002470000-0x0000000002471000-memory.dmp

Filesize
4KB

Download
memory/3240-9-0x0000000002420000-0x0000000002421000-memory.dmp

Filesize
4KB

Download
memory/3240-32-0x00000000034F0000-0x00000000035F0000-memory.dmp

Filesize
1024KB

Download
memory/3240-45-0x00000000034B0000-0x00000000034B1000-memory.dmp

Filesize
4KB

Download
memory/3240-46-0x00000000034A0000-0x00000000034A1000-memory.dmp

Filesize
4KB

Download
memory/3240-44-0x00000000034C0000-0x00000000034C1000-memory.dmp

Filesize
4KB

Download
memory/3240-43-0x00000000021B0000-0x00000000021B1000-memory.dmp

Filesize
4KB

Download
memory/3240-25-0x00000000034F0000-0x00000000035F0000-memory.dmp

Filesize
1024KB

Download
memory/3240-41-0x00000000034E0000-0x00000000034E1000-memory.dmp

Filesize
4KB

Download
memory/3240-40-0x00000000034D0000-0x00000000034D1000-memory.dmp

Filesize
4KB

Download
memory/3240-39-0x00000000034F0000-0x00000000035F0000-memory.dmp

Filesize
1024KB

Download
memory/3240-38-0x00000000034F0000-0x00000000035F0000-memory.dmp

Filesize
1024KB

Download
memory/3240-37-0x00000000034F0000-0x00000000035F0000-memory.dmp

Filesize
1024KB

Download
memory/3240-36-0x00000000034F0000-0x00000000035F0000-memory.dmp

Filesize
1024KB

Download
memory/3240-35-0x00000000034F0000-0x00000000035F0000-memory.dmp

Filesize
1024KB

Download
memory/3240-34-0x00000000034F0000-0x00000000035F0000-memory.dmp

Filesize
1024KB

Download
memory/3240-33-0x00000000034F0000-0x00000000035F0000-memory.dmp

Filesize
1024KB

Download
memory/3240-31-0x00000000034F0000-0x00000000035F0000-memory.dmp

Filesize
1024KB

Download
memory/3240-30-0x00000000034F0000-0x00000000035F0000-memory.dmp

Filesize
1024KB

Download
memory/3240-29-0x00000000034F0000-0x00000000035F0000-memory.dmp

Filesize
1024KB

Download
memory/3240-2-0x0000000002450000-0x0000000002451000-memory.dmp

Filesize
4KB

Download
memory/3240-3-0x0000000002440000-0x0000000002441000-memory.dmp

Filesize
4KB

Download
memory/3240-1-0x0000000002200000-0x0000000002252000-memory.dmp

Filesize
328KB

Download
memory/3240-0-0x0000000000400000-0x000000000046E000-memory.dmp

Filesize
440KB

Download
memory/3240-28-0x00000000034F0000-0x00000000035F0000-memory.dmp

Filesize
1024KB

Download
memory/3240-27-0x00000000034F0000-0x00000000035F0000-memory.dmp

Filesize
1024KB

Download
memory/3240-26-0x00000000034F0000-0x00000000035F0000-memory.dmp

Filesize
1024KB

Download
memory/3240-52-0x0000000002200000-0x0000000002252000-memory.dmp

Filesize
328KB

Download
memory/3240-51-0x0000000000400000-0x000000000046E000-memory.dmp

Filesize
440KB

Download