gh0strat | 1003dda5565e2bd0b83354a1bca151d2371e1de434449d89f946575bbc69716b

Analysis

max time kernel
102s
max time network
143s
platform
windows10-2004_x64
resource
win10v2004-20250314-en
resource tags

arch:x64arch:x86image:win10v2004-20250314-enlocale:en-usos:windows10-2004-x64system
submitted
28/03/2025, 15:04

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

JaffaCakes118_8aca47bd42a7f2b83a5c6c7163b77c44.exe
Size

96KB
MD5

8aca47bd42a7f2b83a5c6c7163b77c44
SHA1

6bf3e949bda7e24671888b685b0060a73e0123df
SHA256

1003dda5565e2bd0b83354a1bca151d2371e1de434449d89f946575bbc69716b
SHA512

a121ff07633d2a8f94a8bba9f6507c4e3509da8ecd87044998e528d22a1b9a34fc93e227cdd45ffea4fbb38f380e32d288516b2a2f645e749d999d6d6453e9db
SSDEEP

1536:h6FusSx9qYMhdFHS8qdydo3nTzhYxJA+CwNUtBZVY9v8pri+yyjY17G:hgS4jHS8q/3nTzePCwNUh4E9L67G

Score

10^/10

gh0strat discovery rat

Malware Config

Signatures

Gh0st RAT payload 5 IoCs

resource	yara_rule
behavioral2/files/0x00080000000240a9-15.dat	family_gh0strat
behavioral2/memory/636-17-0x0000000000400000-0x000000000044E2B8-memory.dmp	family_gh0strat
behavioral2/memory/2924-20-0x0000000020000000-0x0000000020027000-memory.dmp	family_gh0strat
behavioral2/memory/3164-25-0x0000000020000000-0x0000000020027000-memory.dmp	family_gh0strat
behavioral2/memory/2576-30-0x0000000020000000-0x0000000020027000-memory.dmp	family_gh0strat

Gh0strat
Gh0st RAT is a remote access tool (RAT) with its source code public and it has been used by multiple Chinese groups.
rat gh0strat
Gh0strat family
gh0strat

Deletes itself 1 IoCs

pid	Process
636	clpuiyinew

Executes dropped EXE 1 IoCs

pid	Process
636	clpuiyinew

Loads dropped DLL 3 IoCs

pid	Process
2924	svchost.exe
3164	svchost.exe
2576	svchost.exe

Drops file in System32 directory 6 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\svchost.exe.txt	svchost.exe
File created	C:\Windows\SysWOW64\mqeloqkofr	svchost.exe
File opened for modification	C:\Windows\SysWOW64\svchost.exe.txt	svchost.exe
File created	C:\Windows\SysWOW64\myrfwtmlsn	svchost.exe
File opened for modification	C:\Windows\SysWOW64\svchost.exe.txt	svchost.exe
File created	C:\Windows\SysWOW64\mhpsgnhqsw	svchost.exe

Program crash 3 IoCs

pid	pid_target	Process	procid_target
1504	2924	WerFault.exe	97
64	3164	WerFault.exe	103
1908	2576	WerFault.exe	106

System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_8aca47bd42a7f2b83a5c6c7163b77c44.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	clpuiyinew
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
636	clpuiyinew
636	clpuiyinew

Suspicious use of AdjustPrivilegeToken 46 IoCs

description	pid	Process
Token: SeRestorePrivilege	636	clpuiyinew
Token: SeBackupPrivilege	636	clpuiyinew
Token: SeBackupPrivilege	636	clpuiyinew
Token: SeRestorePrivilege	636	clpuiyinew
Token: SeBackupPrivilege	2924	svchost.exe
Token: SeRestorePrivilege	2924	svchost.exe
Token: SeBackupPrivilege	2924	svchost.exe
Token: SeBackupPrivilege	2924	svchost.exe
Token: SeSecurityPrivilege	2924	svchost.exe
Token: SeSecurityPrivilege	2924	svchost.exe
Token: SeBackupPrivilege	2924	svchost.exe
Token: SeBackupPrivilege	2924	svchost.exe
Token: SeSecurityPrivilege	2924	svchost.exe
Token: SeBackupPrivilege	2924	svchost.exe
Token: SeBackupPrivilege	2924	svchost.exe
Token: SeSecurityPrivilege	2924	svchost.exe
Token: SeBackupPrivilege	2924	svchost.exe
Token: SeRestorePrivilege	2924	svchost.exe
Token: SeBackupPrivilege	3164	svchost.exe
Token: SeRestorePrivilege	3164	svchost.exe
Token: SeBackupPrivilege	3164	svchost.exe
Token: SeBackupPrivilege	3164	svchost.exe
Token: SeSecurityPrivilege	3164	svchost.exe
Token: SeSecurityPrivilege	3164	svchost.exe
Token: SeBackupPrivilege	3164	svchost.exe
Token: SeBackupPrivilege	3164	svchost.exe
Token: SeSecurityPrivilege	3164	svchost.exe
Token: SeBackupPrivilege	3164	svchost.exe
Token: SeBackupPrivilege	3164	svchost.exe
Token: SeSecurityPrivilege	3164	svchost.exe
Token: SeBackupPrivilege	3164	svchost.exe
Token: SeRestorePrivilege	3164	svchost.exe
Token: SeBackupPrivilege	2576	svchost.exe
Token: SeRestorePrivilege	2576	svchost.exe
Token: SeBackupPrivilege	2576	svchost.exe
Token: SeBackupPrivilege	2576	svchost.exe
Token: SeSecurityPrivilege	2576	svchost.exe
Token: SeSecurityPrivilege	2576	svchost.exe
Token: SeBackupPrivilege	2576	svchost.exe
Token: SeBackupPrivilege	2576	svchost.exe
Token: SeSecurityPrivilege	2576	svchost.exe
Token: SeBackupPrivilege	2576	svchost.exe
Token: SeBackupPrivilege	2576	svchost.exe
Token: SeSecurityPrivilege	2576	svchost.exe
Token: SeBackupPrivilege	2576	svchost.exe
Token: SeRestorePrivilege	2576	svchost.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 3192 wrote to memory of 636	3192	JaffaCakes118_8aca47bd42a7f2b83a5c6c7163b77c44.exe	91
PID 3192 wrote to memory of 636	3192	JaffaCakes118_8aca47bd42a7f2b83a5c6c7163b77c44.exe	91
PID 3192 wrote to memory of 636	3192	JaffaCakes118_8aca47bd42a7f2b83a5c6c7163b77c44.exe	91

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_8aca47bd42a7f2b83a5c6c7163b77c44.exe
"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_8aca47bd42a7f2b83a5c6c7163b77c44.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3192
- \??\c:\users\admin\appdata\local\clpuiyinew
  "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_8aca47bd42a7f2b83a5c6c7163b77c44.exe" a -sc:\users\admin\appdata\local\temp\jaffacakes118_8aca47bd42a7f2b83a5c6c7163b77c44.exe
  2⤵
  - Deletes itself
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:636

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k netsvcs -s fastuserswitchingcompatibility
1⤵
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
PID:2924
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 2924 -s 1096
  2⤵
  - Program crash
  PID:1504

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 2924 -ip 2924
1⤵
PID:2944

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k netsvcs -s fastuserswitchingcompatibility
1⤵
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
PID:3164
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 3164 -s 884
  2⤵
  - Program crash
  PID:64

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 436 -p 3164 -ip 3164
1⤵
PID:4132

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k netsvcs -s fastuserswitchingcompatibility
1⤵
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
PID:2576
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 2576 -s 1116
  2⤵
  - Program crash
  PID:1908

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 520 -p 2576 -ip 2576
1⤵
PID:4556

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\clpuiyinew

Filesize
20.7MB

MD5
ee28d2608c84f7032830d73cc6098d6f

SHA1
c9fde6cc1d177f0cde97cc31f25c5f0defb5f30c

SHA256
38f60e4bcd310715d2b6c52b6c303b2572a9a8bf22e9f30ce47606e91375460a

SHA512
c17dcb87c7f5cac0a60f8854b25df8dafa2faaad1d803ea33d41383341a31fcd76b9b520ec5b359c249717c2251156b6049893372300ab04f6042eddf633e8a3

Download Submit
C:\Windows\SysWOW64\svchost.exe.txt

Filesize
201B

MD5
f5b0d5c84c63e2c7c76bde51021a0d9e

SHA1
48ce2fb11291d9c28702ea0dd040b2507229917f

SHA256
01babcfd803ec9e25f8c578033a060bfc9c0cb0e2ed0c7f062794281a9685f70

SHA512
86238d9701f38364f03687d83dda34bba12ce1f5c54636edd46f34b08185e5d366cb5735c1b0343ca9c14fc231bafebd090d932f7b1728667a16705537db60bb

Download Submit
C:\Windows\SysWOW64\svchost.exe.txt

Filesize
302B

MD5
0505aec16060680d92001ce6366e8c25

SHA1
80c779dffbbb1d8d421aeeb21a98708d2d918dd1

SHA256
4c8662366fbc51efb8601c32ab5ca5a184b54e2e1793cc9877583649a739363a

SHA512
c01e11992adc0c316082d357a2257ee99d9e0fd6e3999b76f841ba856feeeaa72e7cac719eb581c7f1bfe5e727bbed09ecbf013ad74367c5b2321e5920a5d60a

Download Submit
\??\c:\programdata\application data\storm\update\%sessionname%\fvdis.cc3

Filesize
19.1MB

MD5
5fbbf425d14775ae37117ee9e2ec377d

SHA1
739ef03947f84431a3a165f074d2eaf9b43400c2

SHA256
50c23cd0767f5cbb73549e255cdc3d2d7ccf949a1ca3a413ebda9cc321934535

SHA512
0b89d0592f670adc500ec2689150f62e9c5341f9c9a99d2f6d7a1fed1750f203fba8a9050032afe0dcf1152cfb2e76d3d367efca9637bee9020ce4e23bb16e57

Download Submit
memory/636-9-0x0000000000400000-0x000000000044E2B8-memory.dmp

Filesize
312KB

Download
memory/636-12-0x00000000001D0000-0x00000000001D1000-memory.dmp

Filesize
4KB

Download
memory/636-17-0x0000000000400000-0x000000000044E2B8-memory.dmp

Filesize
312KB

Download
memory/2576-30-0x0000000020000000-0x0000000020027000-memory.dmp

Filesize
156KB

Download
memory/2576-27-0x0000000000DE0000-0x0000000000DE1000-memory.dmp

Filesize
4KB

Download
memory/2924-18-0x00000000011F0000-0x00000000011F1000-memory.dmp

Filesize
4KB

Download
memory/2924-20-0x0000000020000000-0x0000000020027000-memory.dmp

Filesize
156KB

Download
memory/3164-25-0x0000000020000000-0x0000000020027000-memory.dmp

Filesize
156KB

Download
memory/3164-22-0x0000000001600000-0x0000000001601000-memory.dmp

Filesize
4KB

Download
memory/3192-0-0x0000000000400000-0x000000000044E2B8-memory.dmp

Filesize
312KB

Download
memory/3192-8-0x0000000000400000-0x000000000044E2B8-memory.dmp

Filesize
312KB

Download
memory/3192-2-0x00000000001D0000-0x00000000001D1000-memory.dmp

Filesize
4KB

Download