gh0strat | 3cfba09cb18312624a33d7ccfec0ae8a8bfcca8f309302acb78243dd748896c1

Analysis

max time kernel
133s
max time network
124s
platform
windows10-2004_x64
resource
win10v2004-20240611-en
resource tags

arch:x64arch:x86image:win10v2004-20240611-enlocale:en-usos:windows10-2004-x64system
submitted
01-07-2024 10:15

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

1ae7a739ce28d965a88dc7d29d348d2d_JaffaCakes118.exe
Size

96KB
MD5

1ae7a739ce28d965a88dc7d29d348d2d
SHA1

4819a9508ab05de1180b6ae110d350937b383dd3
SHA256

3cfba09cb18312624a33d7ccfec0ae8a8bfcca8f309302acb78243dd748896c1
SHA512

3c12ded99f0ac053d4e5901512f26d43af8dc4d9ac35d64b1aa5686180460ad8330f97e00054ba154d4550c3c2d7016034a0ee164f601ef378e8ecc3f6743a82
SSDEEP

1536:uJFusSx9qYMhdFHS8qdydo3nTzhYxJA+CwNUtBZVY9v8pr65dBM+9:ufS4jHS8q/3nTzePCwNUh4E90dBM+9

Score

10^/10

gh0strat rat

Malware Config

Signatures

Gh0st RAT payload 5 IoCs

Processes:

resource	yara_rule
\??\c:\programdata\application data\storm\update\%sessionname%\vccvk.cc3	family_gh0strat
behavioral2/memory/4184-17-0x0000000000400000-0x000000000044E2AC-memory.dmp	family_gh0strat
behavioral2/memory/4644-20-0x0000000020000000-0x0000000020027000-memory.dmp	family_gh0strat
behavioral2/memory/1896-25-0x0000000020000000-0x0000000020027000-memory.dmp	family_gh0strat
behavioral2/memory/2836-30-0x0000000020000000-0x0000000020027000-memory.dmp	family_gh0strat

Gh0strat
Gh0st RAT is a remote access tool (RAT) with its source code public and it has been used by multiple Chinese groups.
rat gh0strat
Deletes itself 1 IoCs

Processes:

koeghxqxrl

pid process

4184 koeghxqxrl
Executes dropped EXE 1 IoCs

Processes:

koeghxqxrl

pid process

4184 koeghxqxrl
Loads dropped DLL 3 IoCs

Processes:

svchost.exesvchost.exesvchost.exe

pid process

4644 svchost.exe
1896 svchost.exe
2836 svchost.exe

pid	process
4184	koeghxqxrl

pid	process
4184	koeghxqxrl

pid	process
4644	svchost.exe
1896	svchost.exe
2836	svchost.exe

Drops file in System32 directory 6 IoCs

Processes:

svchost.exesvchost.exesvchost.exe

description	ioc	process
File created	C:\Windows\SysWOW64\ykdmolsmfv	svchost.exe
File opened for modification	C:\Windows\SysWOW64\svchost.exe.txt	svchost.exe
File created	C:\Windows\SysWOW64\ysqfwovksr	svchost.exe
File opened for modification	C:\Windows\SysWOW64\svchost.exe.txt	svchost.exe
File created	C:\Windows\SysWOW64\ycotgiqpsb	svchost.exe
File opened for modification	C:\Windows\SysWOW64\svchost.exe.txt	svchost.exe

Program crash 3 IoCs

Processes:

WerFault.exeWerFault.exeWerFault.exe

pid pid_target process target process

3464 4644 WerFault.exe svchost.exe
1804 1896 WerFault.exe svchost.exe
1056 2836 WerFault.exe svchost.exe
Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

koeghxqxrl

pid process

4184 koeghxqxrl
4184 koeghxqxrl

pid	pid_target	process	target process
3464	4644	WerFault.exe	svchost.exe
1804	1896	WerFault.exe	svchost.exe
1056	2836	WerFault.exe	svchost.exe

pid	process
4184	koeghxqxrl
4184	koeghxqxrl

Suspicious use of AdjustPrivilegeToken 46 IoCs

Processes:

koeghxqxrlsvchost.exesvchost.exesvchost.exe

description	pid	process
Token: SeRestorePrivilege	4184	koeghxqxrl
Token: SeBackupPrivilege	4184	koeghxqxrl
Token: SeBackupPrivilege	4184	koeghxqxrl
Token: SeRestorePrivilege	4184	koeghxqxrl
Token: SeBackupPrivilege	4644	svchost.exe
Token: SeRestorePrivilege	4644	svchost.exe
Token: SeBackupPrivilege	4644	svchost.exe
Token: SeBackupPrivilege	4644	svchost.exe
Token: SeSecurityPrivilege	4644	svchost.exe
Token: SeSecurityPrivilege	4644	svchost.exe
Token: SeBackupPrivilege	4644	svchost.exe
Token: SeBackupPrivilege	4644	svchost.exe
Token: SeSecurityPrivilege	4644	svchost.exe
Token: SeBackupPrivilege	4644	svchost.exe
Token: SeBackupPrivilege	4644	svchost.exe
Token: SeSecurityPrivilege	4644	svchost.exe
Token: SeBackupPrivilege	4644	svchost.exe
Token: SeRestorePrivilege	4644	svchost.exe
Token: SeBackupPrivilege	1896	svchost.exe
Token: SeRestorePrivilege	1896	svchost.exe
Token: SeBackupPrivilege	1896	svchost.exe
Token: SeBackupPrivilege	1896	svchost.exe
Token: SeSecurityPrivilege	1896	svchost.exe
Token: SeSecurityPrivilege	1896	svchost.exe
Token: SeBackupPrivilege	1896	svchost.exe
Token: SeBackupPrivilege	1896	svchost.exe
Token: SeSecurityPrivilege	1896	svchost.exe
Token: SeBackupPrivilege	1896	svchost.exe
Token: SeBackupPrivilege	1896	svchost.exe
Token: SeSecurityPrivilege	1896	svchost.exe
Token: SeBackupPrivilege	1896	svchost.exe
Token: SeRestorePrivilege	1896	svchost.exe
Token: SeBackupPrivilege	2836	svchost.exe
Token: SeRestorePrivilege	2836	svchost.exe
Token: SeBackupPrivilege	2836	svchost.exe
Token: SeBackupPrivilege	2836	svchost.exe
Token: SeSecurityPrivilege	2836	svchost.exe
Token: SeSecurityPrivilege	2836	svchost.exe
Token: SeBackupPrivilege	2836	svchost.exe
Token: SeBackupPrivilege	2836	svchost.exe
Token: SeSecurityPrivilege	2836	svchost.exe
Token: SeBackupPrivilege	2836	svchost.exe
Token: SeBackupPrivilege	2836	svchost.exe
Token: SeSecurityPrivilege	2836	svchost.exe
Token: SeBackupPrivilege	2836	svchost.exe
Token: SeRestorePrivilege	2836	svchost.exe

Suspicious use of WriteProcessMemory 3 IoCs

Processes:

1ae7a739ce28d965a88dc7d29d348d2d_JaffaCakes118.exe

description	pid	process	target process
PID 988 wrote to memory of 4184	988	1ae7a739ce28d965a88dc7d29d348d2d_JaffaCakes118.exe	koeghxqxrl
PID 988 wrote to memory of 4184	988	1ae7a739ce28d965a88dc7d29d348d2d_JaffaCakes118.exe	koeghxqxrl
PID 988 wrote to memory of 4184	988	1ae7a739ce28d965a88dc7d29d348d2d_JaffaCakes118.exe	koeghxqxrl

C:\Users\Admin\AppData\Local\Temp\1ae7a739ce28d965a88dc7d29d348d2d_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\1ae7a739ce28d965a88dc7d29d348d2d_JaffaCakes118.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:988

\??\c:\users\admin\appdata\local\koeghxqxrl
"C:\Users\Admin\AppData\Local\Temp\1ae7a739ce28d965a88dc7d29d348d2d_JaffaCakes118.exe" a -sc:\users\admin\appdata\local\temp\1ae7a739ce28d965a88dc7d29d348d2d_jaffacakes118.exe
2⤵
- Deletes itself
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4184

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k netsvcs -s fastuserswitchingcompatibility
1⤵
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
PID:4644

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4644 -s 1076
2⤵
- Program crash
PID:3464

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 424 -p 4644 -ip 4644
1⤵
PID:3208

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k netsvcs -s fastuserswitchingcompatibility
1⤵
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
PID:1896

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1896 -s 924
2⤵
- Program crash
PID:1804

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 516 -p 1896 -ip 1896
1⤵
PID:868

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k netsvcs -s fastuserswitchingcompatibility
1⤵
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
PID:2836

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2836 -s 860
2⤵
- Program crash
PID:1056

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 448 -p 2836 -ip 2836
1⤵
PID:4336

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\koeghxqxrl
Filesize
21.5MB

MD5
296901a59ebfcba87d7933b20da0c2cc

SHA1
8a4ffcc6930e14414ddb172fcd34c78c3958d945

SHA256
8a4474d8dded5ae35d30c26f49d96cfd701441face9c10b9a9f29615033924be

SHA512
351ac6018a7224fe3bea46be95f4d66a8ae9bbf38582d701512e16563f75fb8528e30c2c8e1e4772974df7a4ac9c9e169a932ac17e664f6f64776723a2256da7

Download Submit
C:\Windows\SysWOW64\svchost.exe.txt
Filesize
202B

MD5
df5800ccf82bb72cc21cd0be09ed6559

SHA1
6f380a4ee6473906135b12f0c28b2ea19cd3a6de

SHA256
8f46ea7f238cc3f36b9ddf6285780857745a88660d3f191012a6ea833718f61c

SHA512
105de6b567155e8d254325972c09b283b2c2a4fdc111a6bbc027272bc78cde676dd1cc0e5eeb0aade3af5806ae1579d26ad39f11193b82ac8b873fa60fb100bd

Download Submit
C:\Windows\SysWOW64\svchost.exe.txt
Filesize
303B

MD5
8073044a4805d5480e3851662c86a8a5

SHA1
9d73a8df22374b9de56eff9af40b57370b8d14b9

SHA256
688976bd2dc8e7af76bcb28016118a01b19004c7b377f19cfb4c1c0c7e458049

SHA512
fb4754c3ca16e50f67662398bd0fa2a7bb948e73817e67448cb612ce511a2dd070f0687475aab1ef79aa7b8751147989ef5d59637defa4f104884ef7e10f571b

Download Submit
\??\c:\programdata\application data\storm\update\%sessionname%\vccvk.cc3
Filesize
19.1MB

MD5
89d91afda5b42d36779a56b3299aad5b

SHA1
550504a6cd17165659755b2cc874a3cd7d06e3ef

SHA256
75eca93ab9abec8c53803cdeff7d10d3c44116869a551ab5cfbd37f6cdbb7dcf

SHA512
0457cfb72a0bb7d1a74dd0073876eb72b3b8616af4be65dc8f57b3a0112c10c30479799df23cb2b183f177fbc050908c03910cc3b48ac3b957c88da15d780b32

Download Submit
memory/988-1-0x0000000000400000-0x000000000044E2AC-memory.dmp

Filesize
312KB

Download
memory/988-10-0x0000000000400000-0x000000000044E2AC-memory.dmp

Filesize
312KB

Download
memory/988-2-0x00000000001D0000-0x00000000001D1000-memory.dmp

Filesize
4KB

Download
memory/1896-25-0x0000000020000000-0x0000000020027000-memory.dmp

Filesize
156KB

Download
memory/1896-22-0x00000000015D0000-0x00000000015D1000-memory.dmp

Filesize
4KB

Download
memory/2836-30-0x0000000020000000-0x0000000020027000-memory.dmp

Filesize
156KB

Download
memory/2836-27-0x00000000015F0000-0x00000000015F1000-memory.dmp

Filesize
4KB

Download
memory/4184-12-0x0000000000400000-0x000000000044E2AC-memory.dmp

Filesize
312KB

Download
memory/4184-17-0x0000000000400000-0x000000000044E2AC-memory.dmp

Filesize
312KB

Download
memory/4184-11-0x00000000001D0000-0x00000000001D1000-memory.dmp

Filesize
4KB

Download
memory/4644-20-0x0000000020000000-0x0000000020027000-memory.dmp

Filesize
156KB

Download
memory/4644-18-0x0000000001BE0000-0x0000000001BE1000-memory.dmp

Filesize
4KB

Download