gh0strat | 2ae2ad82af3e7dedaab6cff6ef8dfe617dd0bcc72188c76b448b53d25e20b277

Analysis

max time kernel
94s
max time network
135s
platform
windows10-2004_x64
resource
win10v2004-20250217-en
resource tags

arch:x64arch:x86image:win10v2004-20250217-enlocale:en-usos:windows10-2004-x64system
submitted
11/03/2025, 12:15

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

JaffaCakes118_652f53214f4d6cc8d4317824323bbee5.exe
Size

196KB
MD5

652f53214f4d6cc8d4317824323bbee5
SHA1

19168e31a5a61caaae61ecef870c0389a5d0aed2
SHA256

2ae2ad82af3e7dedaab6cff6ef8dfe617dd0bcc72188c76b448b53d25e20b277
SHA512

2c7b7fc9ee6057203dad55626412459f3542aa30b0a1f431001f37d1622437de4f35338efe885e702468a9046b7a7b3ee970ab6761ba80866937070a78216a26
SSDEEP

6144:KsIt6nW8QeBTyPRqyhYPbHcTBlhHr6ndnkv0:n9W8iJq8YPbHcT3l

Score

10^/10

gh0strat discovery rat

Malware Config

Signatures

Gh0st RAT payload 5 IoCs

resource	yara_rule
behavioral2/files/0x000600000001da55-3.dat	family_gh0strat
behavioral2/files/0x000200000001e725-8.dat	family_gh0strat
behavioral2/memory/332-11-0x0000000020000000-0x0000000020027000-memory.dmp	family_gh0strat
behavioral2/memory/5096-16-0x0000000020000000-0x0000000020027000-memory.dmp	family_gh0strat
behavioral2/memory/1448-21-0x0000000020000000-0x0000000020027000-memory.dmp	family_gh0strat

Gh0strat
Gh0st RAT is a remote access tool (RAT) with its source code public and it has been used by multiple Chinese groups.
rat gh0strat
Gh0strat family
gh0strat

Deletes itself 1 IoCs

pid	Process
5052	kutylngubl

Executes dropped EXE 1 IoCs

pid	Process
5052	kutylngubl

Loads dropped DLL 3 IoCs

pid	Process
332	svchost.exe
5096	svchost.exe
1448	svchost.exe

Drops file in System32 directory 6 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\dbikqwlsbs	svchost.exe
File opened for modification	C:\Windows\SysWOW64\svchost.exe.txt	svchost.exe
File created	C:\Windows\SysWOW64\dkvdyaoqnn	svchost.exe
File opened for modification	C:\Windows\SysWOW64\svchost.exe.txt	svchost.exe
File created	C:\Windows\SysWOW64\dskvhdqnbj	svchost.exe
File opened for modification	C:\Windows\SysWOW64\svchost.exe.txt	svchost.exe

Program crash 3 IoCs

pid	pid_target	Process	procid_target
5104	332	WerFault.exe	96
4608	5096	WerFault.exe	100
4416	1448	WerFault.exe	103

System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_652f53214f4d6cc8d4317824323bbee5.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	kutylngubl
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
5052	kutylngubl
5052	kutylngubl

Suspicious use of AdjustPrivilegeToken 46 IoCs

description	pid	Process
Token: SeRestorePrivilege	5052	kutylngubl
Token: SeBackupPrivilege	5052	kutylngubl
Token: SeBackupPrivilege	5052	kutylngubl
Token: SeRestorePrivilege	5052	kutylngubl
Token: SeBackupPrivilege	332	svchost.exe
Token: SeRestorePrivilege	332	svchost.exe
Token: SeBackupPrivilege	332	svchost.exe
Token: SeBackupPrivilege	332	svchost.exe
Token: SeSecurityPrivilege	332	svchost.exe
Token: SeSecurityPrivilege	332	svchost.exe
Token: SeBackupPrivilege	332	svchost.exe
Token: SeBackupPrivilege	332	svchost.exe
Token: SeSecurityPrivilege	332	svchost.exe
Token: SeBackupPrivilege	332	svchost.exe
Token: SeBackupPrivilege	332	svchost.exe
Token: SeSecurityPrivilege	332	svchost.exe
Token: SeBackupPrivilege	332	svchost.exe
Token: SeRestorePrivilege	332	svchost.exe
Token: SeBackupPrivilege	5096	svchost.exe
Token: SeRestorePrivilege	5096	svchost.exe
Token: SeBackupPrivilege	5096	svchost.exe
Token: SeBackupPrivilege	5096	svchost.exe
Token: SeSecurityPrivilege	5096	svchost.exe
Token: SeSecurityPrivilege	5096	svchost.exe
Token: SeBackupPrivilege	5096	svchost.exe
Token: SeBackupPrivilege	5096	svchost.exe
Token: SeSecurityPrivilege	5096	svchost.exe
Token: SeBackupPrivilege	5096	svchost.exe
Token: SeBackupPrivilege	5096	svchost.exe
Token: SeSecurityPrivilege	5096	svchost.exe
Token: SeBackupPrivilege	5096	svchost.exe
Token: SeRestorePrivilege	5096	svchost.exe
Token: SeBackupPrivilege	1448	svchost.exe
Token: SeRestorePrivilege	1448	svchost.exe
Token: SeBackupPrivilege	1448	svchost.exe
Token: SeBackupPrivilege	1448	svchost.exe
Token: SeSecurityPrivilege	1448	svchost.exe
Token: SeSecurityPrivilege	1448	svchost.exe
Token: SeBackupPrivilege	1448	svchost.exe
Token: SeBackupPrivilege	1448	svchost.exe
Token: SeSecurityPrivilege	1448	svchost.exe
Token: SeBackupPrivilege	1448	svchost.exe
Token: SeBackupPrivilege	1448	svchost.exe
Token: SeSecurityPrivilege	1448	svchost.exe
Token: SeBackupPrivilege	1448	svchost.exe
Token: SeRestorePrivilege	1448	svchost.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 3808 wrote to memory of 5052	3808	JaffaCakes118_652f53214f4d6cc8d4317824323bbee5.exe	89
PID 3808 wrote to memory of 5052	3808	JaffaCakes118_652f53214f4d6cc8d4317824323bbee5.exe	89
PID 3808 wrote to memory of 5052	3808	JaffaCakes118_652f53214f4d6cc8d4317824323bbee5.exe	89

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_652f53214f4d6cc8d4317824323bbee5.exe
"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_652f53214f4d6cc8d4317824323bbee5.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3808
- \??\c:\users\admin\appdata\local\kutylngubl
  "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_652f53214f4d6cc8d4317824323bbee5.exe" a -sc:\users\admin\appdata\local\temp\jaffacakes118_652f53214f4d6cc8d4317824323bbee5.exe
  2⤵
  - Deletes itself
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:5052

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k netsvcs -s fastuserswitchingcompatibility
1⤵
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
PID:332
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 332 -s 1088
  2⤵
  - Program crash
  PID:5104

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 456 -p 332 -ip 332
1⤵
PID:2752

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k netsvcs -s fastuserswitchingcompatibility
1⤵
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
PID:5096
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 5096 -s 956
  2⤵
  - Program crash
  PID:4608

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 556 -p 5096 -ip 5096
1⤵
PID:1648

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k netsvcs -s fastuserswitchingcompatibility
1⤵
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
PID:1448
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 1448 -s 1104
  2⤵
  - Program crash
  PID:4416

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 580 -p 1448 -ip 1448
1⤵
PID:3140

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\DRM\%SESSIONNAME%\rlnon.cc3

Filesize
22.0MB

MD5
9f462ce8c8ae4c85e5d0324a7cfaf5ba

SHA1
a15b9d592d061cd6038110434759e1679a26ed71

SHA256
80ec83a40148c102dac0541dcac9c940232bd67eaac16284a74c60ce02c48c06

SHA512
934f994a470f0e47e61c6bdeb52eb10377e8162baa9b67f6171427f6909a61448881849eb2241451e105fe3cce6f4935a723937adbb29da8fa2aef73d279b08d

Download Submit
C:\Users\Admin\AppData\Local\kutylngubl

Filesize
20.7MB

MD5
55ae996ac9d268dc2c614747e08141c2

SHA1
44a641040033c2dd6efdfece8ddbe342cc8cbd6b

SHA256
9751a5163c12d80b63581dc04a7708f1679f5a27c480f90045dd0a97009a5cbd

SHA512
59bb9a694eed4c2e0d1429b51241eb49c40596ee771f83883cc8f7f4b2a1f5316a31256b4049a1f06b5a6b66ae2017860c3aa89b7705dbb989e587484ac8c57d

Download Submit
C:\Windows\SysWOW64\svchost.exe.txt

Filesize
204B

MD5
29d00f4127375cdc42d01e3aab5aff7e

SHA1
d2e93a5f48a6a398e23232555a6ef7bcafe946c1

SHA256
44c027803f0dda3e7afdc21ca745b584c3e0be27eb5c2ea3bd2edfa00e8f7662

SHA512
9290ff851b8fe31742cf733c74c16d5fc6e5c3357d2238b33640ee2c15f4919cfc13df27a0c81c519987a7cf8ab8ecdd752d1bf202b91680f882628c6992a1da

Download Submit
C:\Windows\SysWOW64\svchost.exe.txt

Filesize
306B

MD5
92d3bc25d5673977824f123506aa5953

SHA1
49f6c65185f505de48ecea08c37eb34205a3fb25

SHA256
3b5cffd7a1884c50f348057a4773ac426a561df878bf9c567780ce4d61ca7d92

SHA512
4e13306fe8e3bf720c3f43a74c5e86e37cb84760cfcfe8a5a6cf0bed1f56876208cb10a000e993e473151d092171f5e749d380250279a16f934d8428d7619bb9

Download Submit
memory/332-9-0x00000000019E0000-0x00000000019E1000-memory.dmp

Filesize
4KB

Download
memory/332-11-0x0000000020000000-0x0000000020027000-memory.dmp

Filesize
156KB

Download
memory/1448-21-0x0000000020000000-0x0000000020027000-memory.dmp

Filesize
156KB

Download
memory/5096-13-0x00000000017D0000-0x00000000017D1000-memory.dmp

Filesize
4KB

Download
memory/5096-16-0x0000000020000000-0x0000000020027000-memory.dmp

Filesize
156KB

Download