gh0strat | 804aabdeeb3a2b3b43d4783f47c89a6eb31f10eb2e024fa8885502618f1a2a77

Analysis

max time kernel
76s
max time network
146s
platform
windows10-2004_x64
resource
win10v2004-20250217-en
resource tags

arch:x64arch:x86image:win10v2004-20250217-enlocale:en-usos:windows10-2004-x64system
submitted
11/03/2025, 06:46

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

JaffaCakes118_63cccd30d58fd1635198ebedd10d5463.exe
Size

95KB
MD5

63cccd30d58fd1635198ebedd10d5463
SHA1

6f3ae60d19bf3764e80affcfe3d2257c1108b95e
SHA256

804aabdeeb3a2b3b43d4783f47c89a6eb31f10eb2e024fa8885502618f1a2a77
SHA512

ae68110d48c3d3ae037a9aec5cd22c06f6cfa724907b7b9b95d40279c99acb85071f22c4fac8825cf4986392a86dffa6d6ff84cf6b812783a9d66ea55aee9508
SSDEEP

1536:hG0qFusSx9qYMhdFHS8qdydo3nTzhYxJA+CwNUtBZVY9v8prDX6qlRBlF:hPwS4jHS8q/3nTzePCwNUh4E9DX1zF

Score

10^/10

gh0strat discovery rat

Malware Config

Signatures

Gh0st RAT payload 5 IoCs

resource	yara_rule
behavioral2/files/0x000200000001e72b-15.dat	family_gh0strat
behavioral2/memory/384-17-0x0000000000400000-0x000000000044C610-memory.dmp	family_gh0strat
behavioral2/memory/2676-20-0x0000000020000000-0x0000000020027000-memory.dmp	family_gh0strat
behavioral2/memory/1876-25-0x0000000020000000-0x0000000020027000-memory.dmp	family_gh0strat
behavioral2/memory/1408-30-0x0000000020000000-0x0000000020027000-memory.dmp	family_gh0strat

Gh0strat
Gh0st RAT is a remote access tool (RAT) with its source code public and it has been used by multiple Chinese groups.
rat gh0strat
Gh0strat family
gh0strat

Deletes itself 1 IoCs

pid	Process
384	mhrqcxvojp

Executes dropped EXE 1 IoCs

pid	Process
384	mhrqcxvojp

Loads dropped DLL 3 IoCs

pid	Process
2676	svchost.exe
1876	svchost.exe
1408	svchost.exe

Drops file in System32 directory 6 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\eyugrdwusp	svchost.exe
File opened for modification	C:\Windows\SysWOW64\svchost.exe.txt	svchost.exe
File created	C:\Windows\SysWOW64\eyugrdwusp	svchost.exe
File opened for modification	C:\Windows\SysWOW64\svchost.exe.txt	svchost.exe
File created	C:\Windows\SysWOW64\ehjaagysgl	svchost.exe
File opened for modification	C:\Windows\SysWOW64\svchost.exe.txt	svchost.exe

Program crash 3 IoCs

pid	pid_target	Process	procid_target
4636	2676	WerFault.exe	95
1756	1876	WerFault.exe	99
2744	1408	WerFault.exe	102

System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_63cccd30d58fd1635198ebedd10d5463.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mhrqcxvojp
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
384	mhrqcxvojp
384	mhrqcxvojp

Suspicious use of AdjustPrivilegeToken 46 IoCs

description	pid	Process
Token: SeRestorePrivilege	384	mhrqcxvojp
Token: SeBackupPrivilege	384	mhrqcxvojp
Token: SeBackupPrivilege	384	mhrqcxvojp
Token: SeRestorePrivilege	384	mhrqcxvojp
Token: SeBackupPrivilege	2676	svchost.exe
Token: SeRestorePrivilege	2676	svchost.exe
Token: SeBackupPrivilege	2676	svchost.exe
Token: SeBackupPrivilege	2676	svchost.exe
Token: SeSecurityPrivilege	2676	svchost.exe
Token: SeSecurityPrivilege	2676	svchost.exe
Token: SeBackupPrivilege	2676	svchost.exe
Token: SeBackupPrivilege	2676	svchost.exe
Token: SeSecurityPrivilege	2676	svchost.exe
Token: SeBackupPrivilege	2676	svchost.exe
Token: SeBackupPrivilege	2676	svchost.exe
Token: SeSecurityPrivilege	2676	svchost.exe
Token: SeBackupPrivilege	2676	svchost.exe
Token: SeRestorePrivilege	2676	svchost.exe
Token: SeBackupPrivilege	1876	svchost.exe
Token: SeRestorePrivilege	1876	svchost.exe
Token: SeBackupPrivilege	1876	svchost.exe
Token: SeBackupPrivilege	1876	svchost.exe
Token: SeSecurityPrivilege	1876	svchost.exe
Token: SeSecurityPrivilege	1876	svchost.exe
Token: SeBackupPrivilege	1876	svchost.exe
Token: SeBackupPrivilege	1876	svchost.exe
Token: SeSecurityPrivilege	1876	svchost.exe
Token: SeBackupPrivilege	1876	svchost.exe
Token: SeBackupPrivilege	1876	svchost.exe
Token: SeSecurityPrivilege	1876	svchost.exe
Token: SeBackupPrivilege	1876	svchost.exe
Token: SeRestorePrivilege	1876	svchost.exe
Token: SeBackupPrivilege	1408	svchost.exe
Token: SeRestorePrivilege	1408	svchost.exe
Token: SeBackupPrivilege	1408	svchost.exe
Token: SeBackupPrivilege	1408	svchost.exe
Token: SeSecurityPrivilege	1408	svchost.exe
Token: SeSecurityPrivilege	1408	svchost.exe
Token: SeBackupPrivilege	1408	svchost.exe
Token: SeBackupPrivilege	1408	svchost.exe
Token: SeSecurityPrivilege	1408	svchost.exe
Token: SeBackupPrivilege	1408	svchost.exe
Token: SeBackupPrivilege	1408	svchost.exe
Token: SeSecurityPrivilege	1408	svchost.exe
Token: SeBackupPrivilege	1408	svchost.exe
Token: SeRestorePrivilege	1408	svchost.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 4468 wrote to memory of 384	4468	JaffaCakes118_63cccd30d58fd1635198ebedd10d5463.exe	91
PID 4468 wrote to memory of 384	4468	JaffaCakes118_63cccd30d58fd1635198ebedd10d5463.exe	91
PID 4468 wrote to memory of 384	4468	JaffaCakes118_63cccd30d58fd1635198ebedd10d5463.exe	91

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_63cccd30d58fd1635198ebedd10d5463.exe
"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_63cccd30d58fd1635198ebedd10d5463.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4468
- \??\c:\users\admin\appdata\local\mhrqcxvojp
  "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_63cccd30d58fd1635198ebedd10d5463.exe" a -sc:\users\admin\appdata\local\temp\jaffacakes118_63cccd30d58fd1635198ebedd10d5463.exe
  2⤵
  - Deletes itself
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:384

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k netsvcs -s fastuserswitchingcompatibility
1⤵
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
PID:2676
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 2676 -s 860
  2⤵
  - Program crash
  PID:4636

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 456 -p 2676 -ip 2676
1⤵
PID:396

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k netsvcs -s fastuserswitchingcompatibility
1⤵
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
PID:1876
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 1876 -s 948
  2⤵
  - Program crash
  PID:1756

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 552 -p 1876 -ip 1876
1⤵
PID:1220

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k netsvcs -s fastuserswitchingcompatibility
1⤵
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
PID:1408
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 1408 -s 1100
  2⤵
  - Program crash
  PID:2744

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 544 -p 1408 -ip 1408
1⤵
PID:4612

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\mhrqcxvojp

Filesize
24.5MB

MD5
1e0c9ec1123d41021202d2a353d29bf7

SHA1
798e52c211e0f0e23ac42d385d64fe1d27749576

SHA256
ad4b595dc330f25d93d9fc56b974fa9684288a29980826688035697968fee283

SHA512
8742e101001de424ef06c6a3ecbb5e86bdfc613528866b1494490014e6586b75e48db5e1ee47bd5b1f15e300ab5c6ed00f3e22be8fbf5e4b5fd39eae88b73348

Download Submit
C:\Windows\SysWOW64\svchost.exe.txt

Filesize
200B

MD5
ef010bffc1dbd52ccc94f7b1d77a703f

SHA1
a0ccb48c44947728cbd81fca58f36d1026145f33

SHA256
d3facaa93caac31cd87a4c19647678f1e051a8381c2ca79330012553ecb20d66

SHA512
a0cc6b6d80a20c685d514fcd4ec39391efeede957f323b8a3675fdaeca3f2951ebc4c8bffe28302bb423054030a73c4630748938ef7e8f4a3cee533cc015d395

Download Submit
C:\Windows\SysWOW64\svchost.exe.txt

Filesize
300B

MD5
688418d79075657753c70a9ed846233c

SHA1
151a310b4f30cd926d3703f597063d28582703e0

SHA256
9e97d20e32d659013e63e5c780a6140d87b208d2bb11e91da1d95e0f58b4a2a3

SHA512
043caa26fee24048c0d07ea1adbed5533ca7287cd6b7ab6624601c67b27b306c03a0fd6841d755d09c275b1755202a00e684d2ebdf75bb259a72a01b7c600b8e

Download Submit
\??\c:\programdata\application data\storm\update\%sessionname%\hdsyk.cc3

Filesize
21.1MB

MD5
43fa738b5d5c82653501847e192d97e0

SHA1
df140acc69737accd938da44091b785f8cd5880d

SHA256
eadfe3924a05301acf2525da22685d528883ca343b6b1c7977b61ac87015354e

SHA512
c00bc202aa408b05be05fc87774770950f5e356d8c8337534cd71be5e993e3fd4e8a8e57aed21a206fe05a6bb27925df5dfce34bf9a38a29b0a96c354b302057

Download Submit
memory/384-12-0x00000000001D0000-0x00000000001D1000-memory.dmp

Filesize
4KB

Download
memory/384-9-0x0000000000400000-0x000000000044C610-memory.dmp

Filesize
305KB

Download
memory/384-17-0x0000000000400000-0x000000000044C610-memory.dmp

Filesize
305KB

Download
memory/1408-30-0x0000000020000000-0x0000000020027000-memory.dmp

Filesize
156KB

Download
memory/1408-27-0x00000000017F0000-0x00000000017F1000-memory.dmp

Filesize
4KB

Download
memory/1876-25-0x0000000020000000-0x0000000020027000-memory.dmp

Filesize
156KB

Download
memory/1876-22-0x0000000001B80000-0x0000000001B81000-memory.dmp

Filesize
4KB

Download
memory/2676-20-0x0000000020000000-0x0000000020027000-memory.dmp

Filesize
156KB

Download
memory/2676-18-0x0000000001680000-0x0000000001681000-memory.dmp

Filesize
4KB

Download
memory/4468-0-0x0000000000400000-0x000000000044C610-memory.dmp

Filesize
305KB

Download
memory/4468-8-0x0000000000400000-0x000000000044C610-memory.dmp

Filesize
305KB

Download
memory/4468-2-0x00000000001D0000-0x00000000001D1000-memory.dmp

Filesize
4KB

Download