gh0strat | 3cfba09cb18312624a33d7ccfec0ae8a8bfcca8f309302acb78243dd748896c1

Analysis

max time kernel
132s
max time network
133s
platform
windows7_x64
resource
win7-20240508-en
resource tags

arch:x64arch:x86image:win7-20240508-enlocale:en-usos:windows7-x64system
submitted
01-07-2024 10:15

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

1ae7a739ce28d965a88dc7d29d348d2d_JaffaCakes118.exe
Size

96KB
MD5

1ae7a739ce28d965a88dc7d29d348d2d
SHA1

4819a9508ab05de1180b6ae110d350937b383dd3
SHA256

3cfba09cb18312624a33d7ccfec0ae8a8bfcca8f309302acb78243dd748896c1
SHA512

3c12ded99f0ac053d4e5901512f26d43af8dc4d9ac35d64b1aa5686180460ad8330f97e00054ba154d4550c3c2d7016034a0ee164f601ef378e8ecc3f6743a82
SSDEEP

1536:uJFusSx9qYMhdFHS8qdydo3nTzhYxJA+CwNUtBZVY9v8pr65dBM+9:ufS4jHS8q/3nTzePCwNUh4E90dBM+9

Score

10^/10

gh0strat bootkit persistence rat

Malware Config

Signatures

Gh0st RAT payload 2 IoCs

Processes:

resource yara_rule

\ProgramData\Storm\update\%SESSIONNAME%\cvqxm.cc3 family_gh0strat
behavioral1/memory/2556-23-0x0000000000400000-0x000000000044E2AC-memory.dmp family_gh0strat
Gh0strat
Gh0st RAT is a remote access tool (RAT) with its source code public and it has been used by multiple Chinese groups.
rat gh0strat
Deletes itself 1 IoCs

Processes:

hylftrngyv

pid process

2556 hylftrngyv
Executes dropped EXE 1 IoCs

Processes:

hylftrngyv

pid process

2556 hylftrngyv
Loads dropped DLL 3 IoCs

Processes:

1ae7a739ce28d965a88dc7d29d348d2d_JaffaCakes118.exesvchost.exe

pid process

2296 1ae7a739ce28d965a88dc7d29d348d2d_JaffaCakes118.exe
2296 1ae7a739ce28d965a88dc7d29d348d2d_JaffaCakes118.exe
2616 svchost.exe
Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs
Bootkits write to the MBR to gain persistence at a level below the operating system.
bootkit persistence

Bootkit
T1542.003

Processes:

svchost.exe

description ioc process

File opened for modification \??\PhysicalDrive0 svchost.exe
Drops file in System32 directory 2 IoCs

Processes:

svchost.exe

description ioc process

File created C:\Windows\SysWOW64\ytjuyvgyru svchost.exe
File created C:\Windows\SysWOW64\yksrmuagsh svchost.exe

resource	yara_rule
\ProgramData\Storm\update\%SESSIONNAME%\cvqxm.cc3	family_gh0strat
behavioral1/memory/2556-23-0x0000000000400000-0x000000000044E2AC-memory.dmp	family_gh0strat

pid	process
2556	hylftrngyv

pid	process
2556	hylftrngyv

pid	process
2296	1ae7a739ce28d965a88dc7d29d348d2d_JaffaCakes118.exe
2296	1ae7a739ce28d965a88dc7d29d348d2d_JaffaCakes118.exe
2616	svchost.exe

description	ioc	process
File opened for modification	\??\PhysicalDrive0	svchost.exe

description	ioc	process
File created	C:\Windows\SysWOW64\ytjuyvgyru	svchost.exe
File created	C:\Windows\SysWOW64\yksrmuagsh	svchost.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

svchost.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	svchost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	svchost.exe

Modifies data under HKEY_USERS 6 IoCs

Processes:

svchost.exe

description	ioc	process
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\ActiveMovie	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\ActiveMovie\devenum	svchost.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\ActiveMovie\devenum\Version = "7"	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	svchost.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

Processes:

hylftrngyvsvchost.exe

pid process

2556 hylftrngyv
2616 svchost.exe
2616 svchost.exe
2616 svchost.exe

pid	process
2556	hylftrngyv
2616	svchost.exe
2616	svchost.exe
2616	svchost.exe

Suspicious use of AdjustPrivilegeToken 18 IoCs

Processes:

hylftrngyvsvchost.exe

description	pid	process
Token: SeRestorePrivilege	2556	hylftrngyv
Token: SeBackupPrivilege	2556	hylftrngyv
Token: SeBackupPrivilege	2556	hylftrngyv
Token: SeRestorePrivilege	2556	hylftrngyv
Token: SeBackupPrivilege	2616	svchost.exe
Token: SeRestorePrivilege	2616	svchost.exe
Token: SeBackupPrivilege	2616	svchost.exe
Token: SeBackupPrivilege	2616	svchost.exe
Token: SeSecurityPrivilege	2616	svchost.exe
Token: SeSecurityPrivilege	2616	svchost.exe
Token: SeBackupPrivilege	2616	svchost.exe
Token: SeBackupPrivilege	2616	svchost.exe
Token: SeSecurityPrivilege	2616	svchost.exe
Token: SeBackupPrivilege	2616	svchost.exe
Token: SeBackupPrivilege	2616	svchost.exe
Token: SeSecurityPrivilege	2616	svchost.exe
Token: SeBackupPrivilege	2616	svchost.exe
Token: SeRestorePrivilege	2616	svchost.exe

Suspicious use of WriteProcessMemory 4 IoCs

Processes:

1ae7a739ce28d965a88dc7d29d348d2d_JaffaCakes118.exe

description	pid	process	target process
PID 2296 wrote to memory of 2556	2296	1ae7a739ce28d965a88dc7d29d348d2d_JaffaCakes118.exe	hylftrngyv
PID 2296 wrote to memory of 2556	2296	1ae7a739ce28d965a88dc7d29d348d2d_JaffaCakes118.exe	hylftrngyv
PID 2296 wrote to memory of 2556	2296	1ae7a739ce28d965a88dc7d29d348d2d_JaffaCakes118.exe	hylftrngyv
PID 2296 wrote to memory of 2556	2296	1ae7a739ce28d965a88dc7d29d348d2d_JaffaCakes118.exe	hylftrngyv

C:\Users\Admin\AppData\Local\Temp\1ae7a739ce28d965a88dc7d29d348d2d_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\1ae7a739ce28d965a88dc7d29d348d2d_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2296

\??\c:\users\admin\appdata\local\hylftrngyv
"C:\Users\Admin\AppData\Local\Temp\1ae7a739ce28d965a88dc7d29d348d2d_JaffaCakes118.exe" a -sc:\users\admin\appdata\local\temp\1ae7a739ce28d965a88dc7d29d348d2d_jaffacakes118.exe
2⤵
- Deletes itself
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2556

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k netsvcs
1⤵
- Loads dropped DLL
- Writes to the Master Boot Record (MBR)
- Drops file in System32 directory
- Checks processor information in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2616

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads

\ProgramData\Storm\update\%SESSIONNAME%\cvqxm.cc3
Filesize
19.0MB

MD5
57267006514ad8b0ff7ff214e78f13ff

SHA1
7cba59ebd93e07241fc8e954a7aeb0e8f60fcc16

SHA256
75d7d931e1a665d4830ad0886141c2bb5e4197ba775c34688375ba2d102564a6

SHA512
dbee3c3d366d30029e0ffb7cabee3d17948d3d4caecc9a14ce2621257e18fd220adfc78cae46794ec77286215573afe927c2f7bc8d53fc56408b39857f7a69cb

Download Submit
\Users\Admin\AppData\Local\hylftrngyv
Filesize
20.1MB

MD5
eda26b84c3d37058d279eea978333303

SHA1
0c3319ac50bb1e88e13fc6f3bd2a4d87160b9065

SHA256
f4747bbad5366bcd937af0e673395a0c2051746efb3c99036b7bca521c7f6bc5

SHA512
67c9c6d7b671c5f947b8c227b1e64ad60862bcb26c56ea78e739abffa102b3134e797a4198a063ba81a210cd500ce1f18555aae65c309d06527a1f8ac741248a

Download Submit
memory/2296-2-0x0000000000030000-0x0000000000031000-memory.dmp

Filesize
4KB

Download
memory/2296-1-0x0000000000400000-0x000000000044E2AC-memory.dmp

Filesize
312KB

Download
memory/2296-6-0x0000000000240000-0x000000000028F000-memory.dmp

Filesize
316KB

Download
memory/2296-15-0x0000000000400000-0x000000000044E2AC-memory.dmp

Filesize
312KB

Download
memory/2556-17-0x0000000000400000-0x000000000044E2AC-memory.dmp

Filesize
312KB

Download
memory/2556-16-0x0000000000030000-0x0000000000031000-memory.dmp

Filesize
4KB

Download
memory/2556-23-0x0000000000400000-0x000000000044E2AC-memory.dmp

Filesize
312KB

Download
memory/2616-24-0x00000000005B0000-0x00000000005B1000-memory.dmp

Filesize
4KB

Download