gh0strat | 820bfdeb6de172662d9d34b85e90f7913edea5595eeb3dc9358df757c02db5be

Analysis

max time kernel
95s
max time network
139s
platform
windows10-2004_x64
resource
win10v2004-20250217-en
resource tags

arch:x64arch:x86image:win10v2004-20250217-enlocale:en-usos:windows10-2004-x64system
submitted
11/03/2025, 17:15

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

JaffaCakes118_666acf75e9e8f9f26af284b6063ea4bc.exe
Size

95KB
MD5

666acf75e9e8f9f26af284b6063ea4bc
SHA1

f5a56c49e480023553b32e3206a3603777bf965a
SHA256

820bfdeb6de172662d9d34b85e90f7913edea5595eeb3dc9358df757c02db5be
SHA512

cd9b6007ea44abb449344352a8a08dc30ab5ab371fd4c290cc957f88d54901bae86fb991dcfee63137ed42c57edfae2258aa51151838528ab5f00d0db7c8d33f
SSDEEP

1536:3a9zFusSx9qYMhdFHS8qdydo3nTzhYxJA+CwNUtBZVY9v8pr8eEwN:3KNS4jHS8q/3nTzePCwNUh4E9VEwN

Score

10^/10

gh0strat discovery rat

Malware Config

Signatures

Gh0st RAT payload 5 IoCs

resource	yara_rule
behavioral2/files/0x000500000001e96c-15.dat	family_gh0strat
behavioral2/memory/3188-17-0x0000000000400000-0x000000000044C605-memory.dmp	family_gh0strat
behavioral2/memory/1704-20-0x0000000020000000-0x0000000020027000-memory.dmp	family_gh0strat
behavioral2/memory/4708-25-0x0000000020000000-0x0000000020027000-memory.dmp	family_gh0strat
behavioral2/memory/4832-30-0x0000000020000000-0x0000000020027000-memory.dmp	family_gh0strat

Gh0strat
Gh0st RAT is a remote access tool (RAT) with its source code public and it has been used by multiple Chinese groups.
rat gh0strat
Gh0strat family
gh0strat

Deletes itself 1 IoCs

pid	Process
3188	hcykupibrd

Executes dropped EXE 1 IoCs

pid	Process
3188	hcykupibrd

Loads dropped DLL 3 IoCs

pid	Process
1704	svchost.exe
4708	svchost.exe
4832	svchost.exe

Drops file in System32 directory 6 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\xwhlxhcxfs	svchost.exe
File opened for modification	C:\Windows\SysWOW64\svchost.exe.txt	svchost.exe
File created	C:\Windows\SysWOW64\xgfyhbwdfd	svchost.exe
File opened for modification	C:\Windows\SysWOW64\svchost.exe.txt	svchost.exe
File created	C:\Windows\SysWOW64\xotspeyarx	svchost.exe
File opened for modification	C:\Windows\SysWOW64\svchost.exe.txt	svchost.exe

Program crash 3 IoCs

pid	pid_target	Process	procid_target
4424	1704	WerFault.exe	93
2692	4708	WerFault.exe	99
4980	4832	WerFault.exe	102

System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_666acf75e9e8f9f26af284b6063ea4bc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	hcykupibrd
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
3188	hcykupibrd
3188	hcykupibrd

Suspicious use of AdjustPrivilegeToken 46 IoCs

description	pid	Process
Token: SeRestorePrivilege	3188	hcykupibrd
Token: SeBackupPrivilege	3188	hcykupibrd
Token: SeBackupPrivilege	3188	hcykupibrd
Token: SeRestorePrivilege	3188	hcykupibrd
Token: SeBackupPrivilege	1704	svchost.exe
Token: SeRestorePrivilege	1704	svchost.exe
Token: SeBackupPrivilege	1704	svchost.exe
Token: SeBackupPrivilege	1704	svchost.exe
Token: SeSecurityPrivilege	1704	svchost.exe
Token: SeSecurityPrivilege	1704	svchost.exe
Token: SeBackupPrivilege	1704	svchost.exe
Token: SeBackupPrivilege	1704	svchost.exe
Token: SeSecurityPrivilege	1704	svchost.exe
Token: SeBackupPrivilege	1704	svchost.exe
Token: SeBackupPrivilege	1704	svchost.exe
Token: SeSecurityPrivilege	1704	svchost.exe
Token: SeBackupPrivilege	1704	svchost.exe
Token: SeRestorePrivilege	1704	svchost.exe
Token: SeBackupPrivilege	4708	svchost.exe
Token: SeRestorePrivilege	4708	svchost.exe
Token: SeBackupPrivilege	4708	svchost.exe
Token: SeBackupPrivilege	4708	svchost.exe
Token: SeSecurityPrivilege	4708	svchost.exe
Token: SeSecurityPrivilege	4708	svchost.exe
Token: SeBackupPrivilege	4708	svchost.exe
Token: SeBackupPrivilege	4708	svchost.exe
Token: SeSecurityPrivilege	4708	svchost.exe
Token: SeBackupPrivilege	4708	svchost.exe
Token: SeBackupPrivilege	4708	svchost.exe
Token: SeSecurityPrivilege	4708	svchost.exe
Token: SeBackupPrivilege	4708	svchost.exe
Token: SeRestorePrivilege	4708	svchost.exe
Token: SeBackupPrivilege	4832	svchost.exe
Token: SeRestorePrivilege	4832	svchost.exe
Token: SeBackupPrivilege	4832	svchost.exe
Token: SeBackupPrivilege	4832	svchost.exe
Token: SeSecurityPrivilege	4832	svchost.exe
Token: SeSecurityPrivilege	4832	svchost.exe
Token: SeBackupPrivilege	4832	svchost.exe
Token: SeBackupPrivilege	4832	svchost.exe
Token: SeSecurityPrivilege	4832	svchost.exe
Token: SeBackupPrivilege	4832	svchost.exe
Token: SeBackupPrivilege	4832	svchost.exe
Token: SeSecurityPrivilege	4832	svchost.exe
Token: SeBackupPrivilege	4832	svchost.exe
Token: SeRestorePrivilege	4832	svchost.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 1628 wrote to memory of 3188	1628	JaffaCakes118_666acf75e9e8f9f26af284b6063ea4bc.exe	87
PID 1628 wrote to memory of 3188	1628	JaffaCakes118_666acf75e9e8f9f26af284b6063ea4bc.exe	87
PID 1628 wrote to memory of 3188	1628	JaffaCakes118_666acf75e9e8f9f26af284b6063ea4bc.exe	87

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_666acf75e9e8f9f26af284b6063ea4bc.exe
"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_666acf75e9e8f9f26af284b6063ea4bc.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1628
- \??\c:\users\admin\appdata\local\hcykupibrd
  "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_666acf75e9e8f9f26af284b6063ea4bc.exe" a -sc:\users\admin\appdata\local\temp\jaffacakes118_666acf75e9e8f9f26af284b6063ea4bc.exe
  2⤵
  - Deletes itself
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:3188

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k netsvcs -s fastuserswitchingcompatibility
1⤵
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
PID:1704
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 1704 -s 1104
  2⤵
  - Program crash
  PID:4424

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 456 -p 1704 -ip 1704
1⤵
PID:3940

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k netsvcs -s fastuserswitchingcompatibility
1⤵
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
PID:4708
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 4708 -s 1028
  2⤵
  - Program crash
  PID:2692

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 476 -p 4708 -ip 4708
1⤵
PID:1380

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k netsvcs -s fastuserswitchingcompatibility
1⤵
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
PID:4832
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 4832 -s 1104
  2⤵
  - Program crash
  PID:4980

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 184 -p 4832 -ip 4832
1⤵
PID:2008

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\hcykupibrd

Filesize
23.2MB

MD5
e3f65e5bd10f40d9cf5b95f28a7db924

SHA1
6da77a40dbd24f0884a984808c269ace5484cc19

SHA256
cb45046e03e4b4eaebc8732b6776ecfbc663f6348e823985d734f65057446c4b

SHA512
1dbe9fd8f2e795d7a59a510ac1a475a5cdde0f65d7ce10669cc0d848b99b392b767792ef08aea5ee1746c6f2cfaf1a5d55cc7dfbd1b1036f7f91e2775922b367

Download Submit
C:\Windows\SysWOW64\svchost.exe.txt

Filesize
204B

MD5
711f1d218a10b513bc8dda5a27f3de37

SHA1
eebde90ab62e0c6ca496a0acfc3bc81a004cef18

SHA256
73f2f455bdb65f2c82397b7d6a8fc2c86a27277a4cc20f8166b68e60447a3618

SHA512
1d826039ecc9b0815127230c3fcf65a8944b0a879757231f18b07019b593b2e74e5ea3e32bb2a57824ea39f839f9a0b4b1e20d4f1573b9399868f9a6724fd70d

Download Submit
C:\Windows\SysWOW64\svchost.exe.txt

Filesize
306B

MD5
8b1eb9551268f511a8569a8cca516cc1

SHA1
68fdf52abe35c9bb72e84ca9d590d0e6f8ce7511

SHA256
a1f07097801d370ed5c8591c6fe86a922d475a45b2f864539589fa0583b3e4dd

SHA512
c2797b6598780222117b38cd5d090396a0348ab4409707bb30b3cdf9b475a679f6b3c9efd20f6ba745af894cd1d5d0b345d9853d8f5d074692bd59135cc9535a

Download Submit
\??\c:\programdata\application data\storm\update\%sessionname%\lolbr.cc3

Filesize
21.1MB

MD5
90e1afadaeb450afd49fff0e9f96bf58

SHA1
49d5a4908cb32a8c5badd5433e4271e8d2aa8a71

SHA256
ca4dd708bd5214b61b192751e911c85204b68345537ba8f98b7aaab2079b6509

SHA512
8edfcfdcf385de50c92696ecc506f9425465f863a43aea149a2474b5aa9fbab2f3c6f8e4124bd07b7d48953fda6438c592d20ef31f38ad32aae737b8bb32b225

Download Submit
memory/1628-2-0x00000000001D0000-0x00000000001D1000-memory.dmp

Filesize
4KB

Download
memory/1628-0-0x0000000000400000-0x000000000044C605-memory.dmp

Filesize
305KB

Download
memory/1628-9-0x0000000000400000-0x000000000044C605-memory.dmp

Filesize
305KB

Download
memory/1704-20-0x0000000020000000-0x0000000020027000-memory.dmp

Filesize
156KB

Download
memory/1704-18-0x0000000000FC0000-0x0000000000FC1000-memory.dmp

Filesize
4KB

Download
memory/3188-12-0x00000000001D0000-0x00000000001D1000-memory.dmp

Filesize
4KB

Download
memory/3188-17-0x0000000000400000-0x000000000044C605-memory.dmp

Filesize
305KB

Download
memory/3188-7-0x0000000000400000-0x000000000044C605-memory.dmp

Filesize
305KB

Download
memory/4708-22-0x0000000000FF0000-0x0000000000FF1000-memory.dmp

Filesize
4KB

Download
memory/4708-25-0x0000000020000000-0x0000000020027000-memory.dmp

Filesize
156KB

Download
memory/4832-27-0x00000000017F0000-0x00000000017F1000-memory.dmp

Filesize
4KB

Download
memory/4832-30-0x0000000020000000-0x0000000020027000-memory.dmp

Filesize
156KB

Download