Analysis Overview
This report details the lifecycle of a 32-bit Trojan (Gh0stRat variant). The analysis covers initial triage of the 92.2MB executable, identifying its architectural fingerprints, and dissecting its multi-stage execution flow.
Forensic Artifacts
- SHA256: 003734348d05ac8...
- Compile Time: June 14, 2012
- Evasion: %TEMP% Replication
- Encryption: XOR (Key 0x7)
- Persistence: Heartbeat Loop
Static & Dynamic Analysis
Dissecting the Core
Using Ghidra and x32dbg, I identified the malware's initialization sequence. The sample begins by fetching its module filename and replicating itself into a hidden directory (_ir_sf_temp) to evade standard system cleanups.
- XOR Decoding: Manual reversal of the 128KB setup buffer.
- API Hooking: Monitoring
Advapi32.dllfor SID capture. - Killswitch: Discovery of the
0x200server command.
Data Exfiltration Logic
The malware targets specific system information, including Machine SIDs, Idle Times, and Connection Speeds. It formats this data into custom strings such as __IRSID and __IRAOFF before transmitting them to the C2 server via a heartbeat connection.
The Debug Flag (/~DBG)
A unique finding during the analysis was the presence of a /~DBG flag. This command-line argument acts as a developer safety net, allowing the author to test the malware's functionality without triggering the automatic self-deletion routines that occur upon failure.
Detection & Yara Implementation
To conclude the report, I developed a custom Yara rule to detect this specific Gh0stRat variant across an enterprise environment. By targeting unique strings like the temporary path and exfiltration formatting, the rule provides a high-fidelity detection method for SOC teams.