gh0strat | 5f3008ad95031759401227c1dac17f54a0ed38fce21270afc1d2287e8f1058e7

Analysis

max time kernel
149s
max time network
155s
platform
windows10-2004_x64
resource
win10v2004-20250217-en
resource tags

arch:x64arch:x86image:win10v2004-20250217-enlocale:en-usos:windows10-2004-x64system
submitted
11/03/2025, 14:35

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

JaffaCakes118_65c8c246caa9b09a2b1e87f9d68af654.exe
Size

369KB
MD5

65c8c246caa9b09a2b1e87f9d68af654
SHA1

b4ad1936cb51aec53c943ff05f9ae6daf6445f7f
SHA256

5f3008ad95031759401227c1dac17f54a0ed38fce21270afc1d2287e8f1058e7
SHA512

b15f8429bf5bc9931f2d36209f1d82c5e502c419cdc55653f875fbde6c1878c6de3140ab99b0be6140774a00acd57ac2eb0995cca58b8587100492f51069d67e
SSDEEP

6144:pw0avOvtYSiod4uYzqAvZd/2469vmRcU4kRRourBQOWxdOLQzzDFNyBSVdLM:+vGvViG4HOKZde6RcoXfopM

Score

10^/10

gh0strat discovery rat

Malware Config

Signatures

Gh0st RAT payload 5 IoCs

resource	yara_rule
behavioral2/files/0x00030000000227b4-26.dat	family_gh0strat
behavioral2/memory/1596-30-0x0000000000400000-0x0000000000432800-memory.dmp	family_gh0strat
behavioral2/memory/1776-33-0x0000000020000000-0x0000000020027000-memory.dmp	family_gh0strat
behavioral2/memory/4080-38-0x0000000020000000-0x0000000020027000-memory.dmp	family_gh0strat
behavioral2/memory/2908-43-0x0000000020000000-0x0000000020027000-memory.dmp	family_gh0strat

Gh0strat
Gh0st RAT is a remote access tool (RAT) with its source code public and it has been used by multiple Chinese groups.
rat gh0strat
Gh0strat family
gh0strat

ACProtect 1.3x - 1.4x DLL software 1 IoCs

Detects file using ACProtect software.

resource	yara_rule
behavioral2/files/0x000b000000023c4f-2.dat	acprotect

Deletes itself 1 IoCs

pid	Process
1596	mrjyjghmhi

Executes dropped EXE 1 IoCs

pid	Process
1596	mrjyjghmhi

Loads dropped DLL 7 IoCs

pid	Process
2900	JaffaCakes118_65c8c246caa9b09a2b1e87f9d68af654.exe
2900	JaffaCakes118_65c8c246caa9b09a2b1e87f9d68af654.exe
1596	mrjyjghmhi
1596	mrjyjghmhi
1776	svchost.exe
4080	svchost.exe
2908	svchost.exe

Drops file in System32 directory 6 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\yyaldnxuim	svchost.exe
File opened for modification	C:\Windows\SysWOW64\svchost.exe.txt	svchost.exe
File created	C:\Windows\SysWOW64\yhoelqbsui	svchost.exe
File opened for modification	C:\Windows\SysWOW64\svchost.exe.txt	svchost.exe
File created	C:\Windows\SysWOW64\yqmsukvwur	svchost.exe
File opened for modification	C:\Windows\SysWOW64\svchost.exe.txt	svchost.exe

Program crash 3 IoCs

pid	pid_target	Process	procid_target
4776	1776	WerFault.exe	94
1744	4080	WerFault.exe	100
4656	2908	WerFault.exe	103

System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_65c8c246caa9b09a2b1e87f9d68af654.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mrjyjghmhi

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
1596	mrjyjghmhi
1596	mrjyjghmhi

Suspicious use of AdjustPrivilegeToken 46 IoCs

description	pid	Process
Token: SeRestorePrivilege	1596	mrjyjghmhi
Token: SeBackupPrivilege	1596	mrjyjghmhi
Token: SeBackupPrivilege	1596	mrjyjghmhi
Token: SeRestorePrivilege	1596	mrjyjghmhi
Token: SeBackupPrivilege	1776	svchost.exe
Token: SeRestorePrivilege	1776	svchost.exe
Token: SeBackupPrivilege	1776	svchost.exe
Token: SeBackupPrivilege	1776	svchost.exe
Token: SeSecurityPrivilege	1776	svchost.exe
Token: SeSecurityPrivilege	1776	svchost.exe
Token: SeBackupPrivilege	1776	svchost.exe
Token: SeBackupPrivilege	1776	svchost.exe
Token: SeSecurityPrivilege	1776	svchost.exe
Token: SeBackupPrivilege	1776	svchost.exe
Token: SeBackupPrivilege	1776	svchost.exe
Token: SeSecurityPrivilege	1776	svchost.exe
Token: SeBackupPrivilege	1776	svchost.exe
Token: SeRestorePrivilege	1776	svchost.exe
Token: SeBackupPrivilege	4080	svchost.exe
Token: SeRestorePrivilege	4080	svchost.exe
Token: SeBackupPrivilege	4080	svchost.exe
Token: SeBackupPrivilege	4080	svchost.exe
Token: SeSecurityPrivilege	4080	svchost.exe
Token: SeSecurityPrivilege	4080	svchost.exe
Token: SeBackupPrivilege	4080	svchost.exe
Token: SeBackupPrivilege	4080	svchost.exe
Token: SeSecurityPrivilege	4080	svchost.exe
Token: SeBackupPrivilege	4080	svchost.exe
Token: SeBackupPrivilege	4080	svchost.exe
Token: SeSecurityPrivilege	4080	svchost.exe
Token: SeBackupPrivilege	4080	svchost.exe
Token: SeRestorePrivilege	4080	svchost.exe
Token: SeBackupPrivilege	2908	svchost.exe
Token: SeRestorePrivilege	2908	svchost.exe
Token: SeBackupPrivilege	2908	svchost.exe
Token: SeBackupPrivilege	2908	svchost.exe
Token: SeSecurityPrivilege	2908	svchost.exe
Token: SeSecurityPrivilege	2908	svchost.exe
Token: SeBackupPrivilege	2908	svchost.exe
Token: SeBackupPrivilege	2908	svchost.exe
Token: SeSecurityPrivilege	2908	svchost.exe
Token: SeBackupPrivilege	2908	svchost.exe
Token: SeBackupPrivilege	2908	svchost.exe
Token: SeSecurityPrivilege	2908	svchost.exe
Token: SeBackupPrivilege	2908	svchost.exe
Token: SeRestorePrivilege	2908	svchost.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
2900	JaffaCakes118_65c8c246caa9b09a2b1e87f9d68af654.exe
1596	mrjyjghmhi

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 2900 wrote to memory of 1596	2900	JaffaCakes118_65c8c246caa9b09a2b1e87f9d68af654.exe	91
PID 2900 wrote to memory of 1596	2900	JaffaCakes118_65c8c246caa9b09a2b1e87f9d68af654.exe	91
PID 2900 wrote to memory of 1596	2900	JaffaCakes118_65c8c246caa9b09a2b1e87f9d68af654.exe	91

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_65c8c246caa9b09a2b1e87f9d68af654.exe
"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_65c8c246caa9b09a2b1e87f9d68af654.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2900
- \??\c:\users\admin\appdata\local\mrjyjghmhi
  "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_65c8c246caa9b09a2b1e87f9d68af654.exe" a -sc:\users\admin\appdata\local\temp\jaffacakes118_65c8c246caa9b09a2b1e87f9d68af654.exe
  2⤵
  - Deletes itself
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  PID:1596

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k netsvcs -s fastuserswitchingcompatibility
1⤵
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
PID:1776
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 1776 -s 804
  2⤵
  - Program crash
  PID:4776

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 1776 -ip 1776
1⤵
PID:2936

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k netsvcs -s fastuserswitchingcompatibility
1⤵
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
PID:4080
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 4080 -s 956
  2⤵
  - Program crash
  PID:1744

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 564 -p 4080 -ip 4080
1⤵
PID:3816

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k netsvcs -s fastuserswitchingcompatibility
1⤵
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
PID:2908
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 2908 -s 932
  2⤵
  - Program crash
  PID:4656

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 576 -p 2908 -ip 2908
1⤵
PID:468

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\uli73C8.tmp

Filesize
172KB

MD5
685f1cbd4af30a1d0c25f252d399a666

SHA1
6a1b978f5e6150b88c8634146f1406ed97d2f134

SHA256
0e478c95a7a07570a69e6061e7c1da9001bccad9cc454f2ed4da58824a13e0f4

SHA512
6555ad6b4f4f26105ca8aad64501d74519a3e091f559b4b563d6ffb20a2ddfcde65e4fe94971a9bc65e86db577f2548ca00f9920d341c8ea808b04c0947d61d9

Download Submit
C:\Users\Admin\AppData\Local\mrjyjghmhi

Filesize
19.8MB

MD5
0b96b69c355d81a9e58a6ecb680218c7

SHA1
5e71b9880b668b3c6bd069bcdcbc529177001aad

SHA256
5919adf2edcb1a63ed4b8b40490a2edac13fa6c11c79db9c225ec0226be44bf2

SHA512
1d59d4ff0dc25fcfd0e0b49dedcd13465e21dac0b4b1cd56e8b4ba3fc3e6e1c4a332898697fcb8577a353702da1200cf2570e45c018f3b21b864af0579daa8e1

Download Submit
C:\Windows\SysWOW64\svchost.exe.txt

Filesize
203B

MD5
4211bc53e7f82938af6dd9ea3a9ca4f6

SHA1
4107181fd0b5a4eed3e11a0bb7b6671256af0e7d

SHA256
87e2dc97265aa63fc35fe079b99fb34bb46c4d72ade787ed9e34812a645c3dfa

SHA512
9011d3e9b0b3a1f11c76502608b75e456d9a35f8dea4bdcab64d9dd53dde5514ce196e7434f9e18ed43d47fafb74308e98399b580787de71b8b463e70f0def33

Download Submit
C:\Windows\SysWOW64\svchost.exe.txt

Filesize
305B

MD5
a26ba5acea22d33d7d8a48c39619dfd0

SHA1
6909b719a9e461dd7e5563704fcb4de6f8d191b0

SHA256
1903e884bec8608fd30ad7e56818b8822bd40c9b267cca0ec8a0fa1e3a5aa8ef

SHA512
51b7ae04c93c181778635fdb306a2c3ee31745681909ff87e184cd559c370eaafa039b5c254ac93033e344d0711df912945038d92281092ea39f7a3c8b3e3ff3

Download Submit
\??\c:\programdata\application data\storm\update\%sessionname%\lkorp.cc3

Filesize
20.0MB

MD5
d6c097fd649cb3768331b3ce903dacb3

SHA1
00ad67a19bc37bbad8e8e7fac7f9f327371c4cef

SHA256
3dc94ff917e155b74af05603d86a1c97b0fc4cae0e60ed27e6d293c12f68cbca

SHA512
f4c663849b5dc26c5173ea7d7cc03b19e77828e4610d030f9ff7e6f6cc844cc40fc42a25d0a35ff6fa67b541d9e8f30b4b0dc86af8448214a994e1f2e14e5133

Download Submit
memory/1596-12-0x0000000000400000-0x0000000000432800-memory.dmp

Filesize
202KB

Download
memory/1596-29-0x0000000002050000-0x00000000020C3000-memory.dmp

Filesize
460KB

Download
memory/1596-23-0x0000000002050000-0x00000000020C3000-memory.dmp

Filesize
460KB

Download
memory/1596-30-0x0000000000400000-0x0000000000432800-memory.dmp

Filesize
202KB

Download
memory/1776-33-0x0000000020000000-0x0000000020027000-memory.dmp

Filesize
156KB

Download
memory/1776-31-0x00000000011F0000-0x00000000011F1000-memory.dmp

Filesize
4KB

Download
memory/2900-16-0x0000000000890000-0x0000000000903000-memory.dmp

Filesize
460KB

Download
memory/2900-14-0x0000000000400000-0x0000000000432800-memory.dmp

Filesize
202KB

Download
memory/2900-0-0x0000000000400000-0x0000000000432800-memory.dmp

Filesize
202KB

Download
memory/2900-5-0x0000000000890000-0x0000000000903000-memory.dmp

Filesize
460KB

Download
memory/2908-40-0x0000000001BF0000-0x0000000001BF1000-memory.dmp

Filesize
4KB

Download
memory/2908-43-0x0000000020000000-0x0000000020027000-memory.dmp

Filesize
156KB

Download
memory/4080-35-0x00000000017B0000-0x00000000017B1000-memory.dmp

Filesize
4KB

Download
memory/4080-38-0x0000000020000000-0x0000000020027000-memory.dmp

Filesize
156KB

Download