gh0strat | 1003dda5565e2bd0b83354a1bca151d2371e1de434449d89f946575bbc69716b | Triage

Submit
Reports

Overview

overview

Static

static

3

JaffaCakes...44.exe

windows7-x64

JaffaCakes...44.exe

windows10-2004-x64

Sharing

General

Target

JaffaCakes118_8aca47bd42a7f2b83a5c6c7163b77c44
Size

96KB
Sample

250328-sf3g5azjz3
MD5

8aca47bd42a7f2b83a5c6c7163b77c44
SHA1

6bf3e949bda7e24671888b685b0060a73e0123df
SHA256

1003dda5565e2bd0b83354a1bca151d2371e1de434449d89f946575bbc69716b
SHA512

a121ff07633d2a8f94a8bba9f6507c4e3509da8ecd87044998e528d22a1b9a34fc93e227cdd45ffea4fbb38f380e32d288516b2a2f645e749d999d6d6453e9db
SSDEEP

1536:h6FusSx9qYMhdFHS8qdydo3nTzhYxJA+CwNUtBZVY9v8pri+yyjY17G:hgS4jHS8q/3nTzePCwNUh4E9L67G

Score

10^/10

gh0strat bootkit discovery persistence rat

Static task

static1

1 signatures

Behavioral task

behavioral1

Sample

JaffaCakes118_8aca47bd42a7f2b83a5c6c7163b77c44.exe

Resource

win7-20240903-en

gh0strat bootkit discovery persistence rat

windows7-x64

14 signatures

150 seconds

Behavioral task

behavioral2

Sample

JaffaCakes118_8aca47bd42a7f2b83a5c6c7163b77c44.exe

Resource

win10v2004-20250314-en

gh0strat discovery rat

windows10-2004-x64

12 signatures

150 seconds

Malware Config

Targets

- Target
  
  JaffaCakes118_8aca47bd42a7f2b83a5c6c7163b77c44
- Size
  
  96KB
- MD5
  
  8aca47bd42a7f2b83a5c6c7163b77c44
- SHA1
  
  6bf3e949bda7e24671888b685b0060a73e0123df
- SHA256
  
  1003dda5565e2bd0b83354a1bca151d2371e1de434449d89f946575bbc69716b
- SHA512
  
  a121ff07633d2a8f94a8bba9f6507c4e3509da8ecd87044998e528d22a1b9a34fc93e227cdd45ffea4fbb38f380e32d288516b2a2f645e749d999d6d6453e9db
- SSDEEP
  
  1536:h6FusSx9qYMhdFHS8qdydo3nTzhYxJA+CwNUtBZVY9v8pri+yyjY17G:hgS4jHS8q/3nTzePCwNUh4E9L67G
Score

10^/10

gh0strat bootkit discovery persistence rat
- Gh0st RAT payload
- Gh0strat
  Gh0st RAT is a remote access tool (RAT) with its source code public and it has been used by multiple Chinese groups.
  rat gh0strat
- Gh0strat family
  gh0strat
- Deletes itself
- Executes dropped EXE
- Loads dropped DLL
- Writes to the Master Boot Record (MBR)
  Bootkits write to the MBR to gain persistence at a level below the operating system.
  bootkit persistence
- Drops file in System32 directory
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Pre-OS Boot

Bootkit

Privilege Escalation

Defense Evasion

Pre-OS Boot

Bootkit

Credential Access

Discovery

Query Registry

System Information Discovery

System Location Discovery

System Language Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

gh0stratbootkitdiscoverypersistencerat

behavioral2

gh0stratdiscoveryrat

© 2018-2025

Terms | Privacy

We care about your privacy.

This website stores cookies on your computer. These cookies are used to improve your website experience and provide more personalized services to you, both on this website and through other media. To find out more about the cookies we use, see our Privacy Policy.