{"id":5170,"date":"2023-06-22T08:26:51","date_gmt":"2023-06-22T08:26:51","guid":{"rendered":"\/cybersecurity-blog\/?p=5170"},"modified":"2025-12-09T10:23:37","modified_gmt":"2025-12-09T10:23:37","slug":"gh0stbins-chinese-rat-malware-analysis","status":"publish","type":"post","link":"https:\/\/any.run\/cybersecurity-blog\/gh0stbins-chinese-rat-malware-analysis\/","title":{"rendered":"Gh0stBins, Chinese RAT: Malware Analysis, Protocol Description, RDP Stream Recovery\u00a0"},"content":{"rendered":"\n<p><\/p>\n\n\n\n<p>It&#8217;s not every day that you come across a DLL so new that even VirusTotal draws a blank. But it&#8217;s even rarer when this sample turns out to be a sophisticated RAT from China.&nbsp;<\/p>\n\n\n\n<p>But this is exactly what happened in our recent case. <strong>We discovered what may be a previously unseen version of the Gh0stBins RAT <\/strong>\u2014 an obscure malware family originating from the Middle Kingdom and sparsely studied in the field. Naturally, we had to analyze it.&nbsp;<\/p>\n\n\n\n<p>The Chinese malware scene has recently undergone something of an industrial revolution, making modern Chinese malware a serious threat. In this article, <strong>we\u2019ll dive deep into this new Gh0stBins variant \u2014 and show you how to<\/strong> <strong>detect it with Suricata and YARA rules as well as recover leaked data using a Python script<\/strong>. &nbsp;<\/p>\n\n\n\n<p>Let\u2019s get started.&nbsp;<\/p>\n\n\n\n<h2 class=\"wp-block-heading\">How we Discovered this Gh0stBins Sample&nbsp;<\/h2>\n\n\n\n<p>At <a href=\"https:\/\/any.run\/?utm_source=anyrunblog&amp;utm_medium=article&amp;utm_campaign=ghost&amp;utm_content=landing\" target=\"_blank\" rel=\"noreferrer noopener\">ANY.RUN<\/a>, our team is always monitoring network activity of public samples, constantly on the lookout for signs of suspicious actions. 
We classify them into three main categories: backdoors, stealers, and loaders.&nbsp;<\/p>\n\n\n\n<p>Today\u2019s case started when we detected loader-type activity. The detection came from two independent signals. First, a rule written specifically for XOR-encrypted PE files (EXE or DLL) crossing the network. Second, statistical features of the encrypted file itself, notably its autocorrelation function: a PE encrypted with a short repeating XOR key keeps a periodic structure that a plain byte-frequency check would miss. We return to this in the section on network rules.&nbsp;<\/p>\n\n\n\n<p>As we continued our analysis, we discovered a significant similarity in the 
structure of packets from the system-installed backdoor to the structure of Gh0stRat packets. You&#8217;ll find these similar packets highlighted with the same color in the attached screenshots, and we&#8217;ll be discussing these similarities in greater detail in the following sections.&nbsp;<\/p>\n\n\n\n<p>Gh0stRAT: <a href=\"https:\/\/app.any.run\/tasks\/f50156b5-c387-40a1-8eca-8f913babca06\/\" target=\"_blank\" rel=\"noreferrer noopener\">https:\/\/app.any.run\/tasks\/f50156b5-c387-40a1-8eca-8f913babca06\/<\/a>&nbsp;<\/p>\n\n\n\n<figure class=\"wp-block-image size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"175\" src=\"\/cybersecurity-blog\/wp-content\/uploads\/2023\/06\/image-3-1024x175.png\" alt=\"\" class=\"wp-image-5171\" srcset=\"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2023\/06\/image-3-1024x175.png 1024w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2023\/06\/image-3-300x51.png 300w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2023\/06\/image-3-768x131.png 768w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2023\/06\/image-3-370x63.png 370w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2023\/06\/image-3-270x46.png 270w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2023\/06\/image-3-740x126.png 740w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2023\/06\/image-3.png 1053w\" sizes=\"(max-width: 1024px) 100vw, 1024px\" \/><\/figure>\n\n\n\n<p>Gh0stBins: <a href=\"https:\/\/app.any.run\/tasks\/3b14ef62-5d21-48bb-a5e4-5b3fed402fb7\/\" target=\"_blank\" rel=\"noreferrer noopener\">https:\/\/app.any.run\/tasks\/3b14ef62-5d21-48bb-a5e4-5b3fed402fb7\/<\/a>&nbsp;<\/p>\n\n\n\n<figure class=\"wp-block-image size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"216\" src=\"\/cybersecurity-blog\/wp-content\/uploads\/2023\/06\/image-6-1024x216.png\" alt=\"\" class=\"wp-image-5174\" 
srcset=\"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2023\/06\/image-6-1024x216.png 1024w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2023\/06\/image-6-300x63.png 300w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2023\/06\/image-6-768x162.png 768w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2023\/06\/image-6-370x78.png 370w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2023\/06\/image-6-270x57.png 270w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2023\/06\/image-6-740x156.png 740w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2023\/06\/image-6.png 1049w\" sizes=\"(max-width: 1024px) 100vw, 1024px\" \/><figcaption class=\"wp-element-caption\">Our sample\u2019s packets are suspiciously similar to Gh0stRat\u2019s&nbsp;<\/figcaption><\/figure>\n\n\n\n<h2 class=\"wp-block-heading\">Stage 1: Loader Analysis&nbsp;<\/h2>\n\n\n\n<p>The initial loader consists of <a href=\"https:\/\/app.any.run\/tasks\/abcd9d2b-cdf1-4d9c-bb65-0fa5294e4109\/?utm_source=anyrunblog&amp;utm_medium=article&amp;utm_campaign=ghost&amp;utm_content=service\" target=\"_blank\" rel=\"noreferrer noopener\">two files<\/a>:&nbsp;<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>the legitimate application \u2018net-service.exe\u2019 (part of VMware Workstation), which has a <em>valid digital signature<\/em> from \u201cVMware, Inc\u201d&nbsp;<\/li>\n\n\n\n<li>the malicious DLL \u2018shfolder.dll\u2019&nbsp;<\/li>\n<\/ul>\n\n\n\n<p><\/p>\n\n\n\n<figure class=\"wp-block-image size-full\"><img loading=\"lazy\" decoding=\"async\" width=\"838\" height=\"320\" src=\"\/cybersecurity-blog\/wp-content\/uploads\/2023\/06\/image-4.png\" alt=\"Process tree of the loader \" class=\"wp-image-5172\" srcset=\"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2023\/06\/image-4.png 838w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2023\/06\/image-4-300x115.png 300w, 
https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2023\/06\/image-4-768x293.png 768w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2023\/06\/image-4-370x141.png 370w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2023\/06\/image-4-270x103.png 270w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2023\/06\/image-4-740x283.png 740w\" sizes=\"(max-width: 838px) 100vw, 838px\" \/><figcaption class=\"wp-element-caption\">Process tree of the loader&nbsp;<\/figcaption><\/figure>\n\n\n\n<p>At the time of writing this article, the malicious DLL has only received <em>3 detections<\/em> on <a href=\"https:\/\/www.virustotal.com\/gui\/file\/2a2f9fcbafc9c7552ff03b36bae05b2d74a8f6fd1531e8ff3bf55adce8ec056a\" target=\"_blank\" rel=\"noreferrer noopener\">VirusTotal<\/a>.&nbsp;<\/p>\n\n\n\n<figure class=\"wp-block-image size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"277\" src=\"\/cybersecurity-blog\/wp-content\/uploads\/2023\/06\/MicrosoftTeams-image-47-1-1024x277.png\" alt=\"3 detections on VirusTotal\" class=\"wp-image-5262\" srcset=\"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2023\/06\/MicrosoftTeams-image-47-1-1024x277.png 1024w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2023\/06\/MicrosoftTeams-image-47-1-300x81.png 300w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2023\/06\/MicrosoftTeams-image-47-1-768x208.png 768w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2023\/06\/MicrosoftTeams-image-47-1-1536x416.png 1536w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2023\/06\/MicrosoftTeams-image-47-1-370x100.png 370w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2023\/06\/MicrosoftTeams-image-47-1-270x73.png 270w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2023\/06\/MicrosoftTeams-image-47-1-740x200.png 740w, 
https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2023\/06\/MicrosoftTeams-image-47-1.png 1544w\" sizes=\"(max-width: 1024px) 100vw, 1024px\" \/><figcaption class=\"wp-element-caption\">3 detections on VirusTotal<\/figcaption><\/figure>\n\n\n\n<p>First, the main process (PID 3508) restarts itself from the same location. Second, it copies itself into the same directory under the name \u201cvmnet.exe\u201d and starts that copy as well.&nbsp;<\/p>\n\n\n\n<p>Additionally, two of the processes made HTTP requests to http:\/\/49[.]235.129.40\/update\/, which suggests that the loader is trying to download or update a payload:&nbsp;<\/p>\n\n\n\n<figure class=\"wp-block-image size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"153\" src=\"\/cybersecurity-blog\/wp-content\/uploads\/2023\/06\/image-5-1024x153.png\" alt=\"Suspicious HTTP requests \" class=\"wp-image-5173\" srcset=\"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2023\/06\/image-5-1024x153.png 1024w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2023\/06\/image-5-300x45.png 300w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2023\/06\/image-5-768x115.png 768w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2023\/06\/image-5-370x55.png 370w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2023\/06\/image-5-270x40.png 270w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2023\/06\/image-5-740x111.png 740w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2023\/06\/image-5.png 1336w\" sizes=\"(max-width: 1024px) 100vw, 1024px\" \/><figcaption class=\"wp-element-caption\">Suspicious HTTP requests&nbsp;<\/figcaption><\/figure>\n\n\n\n<p>The malicious library is loaded into all three processes through DLL search order hijacking (<a href=\"https:\/\/attack.mitre.org\/techniques\/T1574\/001\/\" target=\"_blank\" rel=\"noreferrer noopener nofollow\">T1574.001<\/a>), a weakness in VMware Workstation that was documented years ago as <a href=\"https:\/\/cve.mitre.org\/cgi-bin\/cvename.cgi?name=CVE-2019-5526\" target=\"_blank\" rel=\"noreferrer noopener nofollow\">CVE-2019-5526<\/a>.&nbsp;<\/p>\n\n\n\n<p>\u201cshfolder.dll\u201d also carries a telling artifact: a PDB path containing Chinese characters that translate to \u201cover start\u201d:<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>E:\\MyProjects\\\u8fc7\u542f\u52a8\\FakeDll\\Release\\shfolder.pdb <\/code><\/pre>\n\n\n\n<p>The malicious code starts running in the DLL\u2019s initialization routine, the part that constructs static objects and initializes libraries before the program\u2019s own entry point is reached:&nbsp;<\/p>\n\n\n\n<figure class=\"wp-block-image size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"187\" src=\"\/cybersecurity-blog\/wp-content\/uploads\/2023\/06\/image-7-1024x187.png\" alt=\"Static objects and libraries are initialized before the program executes \" class=\"wp-image-5175\" srcset=\"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2023\/06\/image-7-1024x187.png 1024w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2023\/06\/image-7-300x55.png 300w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2023\/06\/image-7-768x140.png 768w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2023\/06\/image-7-1536x280.png 1536w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2023\/06\/image-7-370x68.png 370w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2023\/06\/image-7-270x49.png 270w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2023\/06\/image-7-740x135.png 740w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2023\/06\/image-7.png 1600w\" sizes=\"(max-width: 1024px) 100vw, 1024px\" \/><figcaption class=\"wp-element-caption\">Static objects and libraries are initialized before the program executes&nbsp;<\/figcaption><\/figure>\n\n\n\n<p>The loader\u2019s initialization routine unpacks two payloads, both encrypted with the XOR key \u201812345678AABBCCDD\u2019:&nbsp;<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>shellcode that maps and runs an executable PE file;&nbsp;<\/li>\n\n\n\n<li>the malicious executable itself (not found on VirusTotal).&nbsp;<\/li>\n<\/ul>\n\n\n\n<p>The following image shows the decrypted PE file in CyberChef:&nbsp;<\/p>\n\n\n\n<figure class=\"wp-block-image size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"373\" src=\"\/cybersecurity-blog\/wp-content\/uploads\/2023\/06\/image-8-1024x373.png\" alt=\"Decrypted PE file in CyberChef \" class=\"wp-image-5176\" srcset=\"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2023\/06\/image-8-1024x373.png 1024w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2023\/06\/image-8-300x109.png 300w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2023\/06\/image-8-768x280.png 768w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2023\/06\/image-8-1536x560.png 1536w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2023\/06\/image-8-370x135.png 370w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2023\/06\/image-8-270x98.png 270w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2023\/06\/image-8-740x270.png 740w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2023\/06\/image-8.png 1600w\" sizes=\"(max-width: 1024px) 100vw, 1024px\" \/><figcaption class=\"wp-element-caption\">Decrypted PE file in CyberChef&nbsp;<\/figcaption><\/figure>\n\n\n\n<p>The shellcode is written over the main module&#8217;s entry point with \u2018WriteProcessMemory\u2019, so that when execution reaches the entry point the shellcode runs instead and maps the decrypted PE file into memory:&nbsp;<\/p>\n\n\n\n<figure class=\"wp-block-image size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"397\" src=\"\/cybersecurity-blog\/wp-content\/uploads\/2023\/06\/image-10-1024x397.png\" alt=\"Decrypted PE file\u00a0\" class=\"wp-image-5178\" srcset=\"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2023\/06\/image-10-1024x397.png 1024w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2023\/06\/image-10-300x116.png 300w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2023\/06\/image-10-768x298.png 768w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2023\/06\/image-10-370x143.png 370w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2023\/06\/image-10-270x105.png 270w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2023\/06\/image-10-740x287.png 740w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2023\/06\/image-10.png 1476w\" sizes=\"(max-width: 1024px) 100vw, 1024px\" \/><figcaption class=\"wp-element-caption\">Decrypted PE file&nbsp;<\/figcaption><\/figure>\n\n\n\n<p>The decrypted PE file creates a mutex whose name appears to be the sample\u2019s build date, \u20182023.01.18.18.45\u2019:&nbsp;<\/p>\n\n\n\n<figure class=\"wp-block-image size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"110\" src=\"\/cybersecurity-blog\/wp-content\/uploads\/2023\/06\/image-9-1024x110.png\" alt=\"A mutex created by the decrypted PE file \" class=\"wp-image-5177\" srcset=\"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2023\/06\/image-9-1024x110.png 1024w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2023\/06\/image-9-300x32.png 300w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2023\/06\/image-9-768x83.png 768w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2023\/06\/image-9-370x40.png 370w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2023\/06\/image-9-270x29.png 270w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2023\/06\/image-9-740x80.png 740w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2023\/06\/image-9.png 1430w\" sizes=\"(max-width: 1024px) 100vw, 1024px\" \/><figcaption class=\"wp-element-caption\">A mutex created by the decrypted PE file&nbsp;<\/figcaption><\/figure>\n\n\n\n<p>It is worth noting that the date is written in the Chinese date format, using the pattern <strong>&#8220;yyyy\u5e74mm\u6708dd\u65e5&#8221;<\/strong>. This could indicate that the attacker is Chinese or connected to China in some way.&nbsp;<\/p>\n\n\n\n<p>The decrypted PE file is small (around 7 KB) and has one job: download a payload from a remote server and execute it. It builds the HTTP GET request by hand and sends it over a socket with the \u2018connect\u2019, \u2018WriteFile\u2019 and \u2018ReadFile\u2019 WinAPI functions. The structure of the request is visible in the picture below:&nbsp;<\/p>\n\n\n\n<figure class=\"wp-block-image size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"397\" src=\"\/cybersecurity-blog\/wp-content\/uploads\/2023\/06\/image-10-1024x397.png\" alt=\"Raw GET request structure  \" class=\"wp-image-5179\" srcset=\"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2023\/06\/image-10-1024x397.png 1024w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2023\/06\/image-10-300x116.png 300w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2023\/06\/image-10-768x298.png 768w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2023\/06\/image-10-370x143.png 370w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2023\/06\/image-10-270x105.png 270w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2023\/06\/image-10-740x287.png 740w, 
https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2023\/06\/image-10.png 1476w\" sizes=\"(max-width: 1024px) 100vw, 1024px\" \/><figcaption class=\"wp-element-caption\">Raw GET request structure&nbsp;<\/figcaption><\/figure>\n\n\n\n<p>At the time of writing, the remote server was still up, but instead of the payload it returned a directory listing. The loader is written to receive a PE executable, so the unexpected response made it crash.&nbsp;<\/p>\n\n\n\n<figure class=\"wp-block-image size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"301\" src=\"\/cybersecurity-blog\/wp-content\/uploads\/2023\/06\/image-11-1024x301.png\" alt=\"The remote server displayed a directory listing at the time of writing, which crashed the loader \" class=\"wp-image-5180\" srcset=\"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2023\/06\/image-11-1024x301.png 1024w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2023\/06\/image-11-300x88.png 300w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2023\/06\/image-11-768x226.png 768w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2023\/06\/image-11-1536x451.png 1536w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2023\/06\/image-11-370x109.png 370w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2023\/06\/image-11-270x79.png 270w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2023\/06\/image-11-740x217.png 740w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2023\/06\/image-11.png 1600w\" sizes=\"(max-width: 1024px) 100vw, 1024px\" \/><figcaption class=\"wp-element-caption\">The remote server displayed a directory listing at the time of writing, which crashed the loader&nbsp;<\/figcaption><\/figure>\n\n\n\n<p>Had the download succeeded, the payload would have been decrypted with the same <strong>XOR key \u201812345678AABBCCDD\u2019<\/strong>.&nbsp;<\/p>\n\n\n\n<figure class=\"wp-block-pullquote\" style=\"border-top-color:#00b0e8;border-bottom-color:#00b0e8\"><blockquote><p><strong>To proceed with our analysis, we manually downloaded the payload and decrypted it. <\/strong>&nbsp;<\/p><\/blockquote><\/figure>\n\n\n\n<p>You can examine the operational payload at <a href=\"https:\/\/app.any.run\/tasks\/3b14ef62-5d21-48bb-a5e4-5b3fed402fb7\/?utm_source=anyrunblog&amp;utm_medium=article&amp;utm_campaign=ghost&amp;utm_content=service\" target=\"_blank\" rel=\"noreferrer noopener\">this link<\/a>.&nbsp;<\/p>\n\n\n\n<p>Now, let us move on to the next stage.&nbsp;<\/p>\n\n\n\n<h2 class=\"wp-block-heading\">Stage 2: RAT Analysis&nbsp;<\/h2>\n\n\n\n<p>The downloaded payload is a DLL with a single exported function, \u2018shellcode_entry\u2019:&nbsp;<\/p>\n\n\n\n<figure class=\"wp-block-image size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"309\" src=\"\/cybersecurity-blog\/wp-content\/uploads\/2023\/06\/image-12-1024x309.png\" alt=\"The downloaded payload is a DLL \" class=\"wp-image-5181\" srcset=\"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2023\/06\/image-12-1024x309.png 1024w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2023\/06\/image-12-300x91.png 300w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2023\/06\/image-12-768x232.png 768w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2023\/06\/image-12-370x112.png 370w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2023\/06\/image-12-270x82.png 270w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2023\/06\/image-12-740x224.png 740w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2023\/06\/image-12.png 1456w\" sizes=\"(max-width: 
1024px) 100vw, 1024px\" \/><figcaption class=\"wp-element-caption\">The downloaded payload is a DLL&nbsp;<\/figcaption><\/figure>\n\n\n\n<p>The DLL is a modular Remote Access Trojan (RAT) written in C++ and, at the time of writing, not present on VirusTotal (VT). This particular DLL is the RAT\u2019s kernel module: the component that all the other modules plug into.&nbsp;<\/p>\n\n\n\n<p><strong>The main execution flow of the RAT can be described roughly as follows:&nbsp;<\/strong><\/p>\n\n\n\n<figure class=\"wp-block-image size-full\"><img loading=\"lazy\" decoding=\"async\" width=\"936\" height=\"407\" src=\"\/cybersecurity-blog\/wp-content\/uploads\/2023\/06\/Gh0stBins-infographic-1.jpg\" alt=\"Main execution flow of the RAT\" class=\"wp-image-5250\" srcset=\"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2023\/06\/Gh0stBins-infographic-1.jpg 936w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2023\/06\/Gh0stBins-infographic-1-300x130.jpg 300w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2023\/06\/Gh0stBins-infographic-1-768x334.jpg 768w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2023\/06\/Gh0stBins-infographic-1-370x161.jpg 370w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2023\/06\/Gh0stBins-infographic-1-270x117.jpg 270w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2023\/06\/Gh0stBins-infographic-1-740x322.jpg 740w\" sizes=\"(max-width: 936px) 100vw, 936px\" \/><\/figure>\n\n\n\n<p>The RAT is an asynchronous, event-driven client built on I\/O completion ports (IOCP), with a complex multithreaded structure. A detailed description of that structure is beyond the scope of this article; instead, we focus on the exchange protocol and highlight a few other aspects of the RAT below.&nbsp;<\/p>\n\n\n\n<p>Interestingly, the RAT still contains leftover debug log strings, which make its logic considerably easier to follow:&nbsp;<\/p>\n\n\n\n<figure class=\"wp-block-image size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"140\" src=\"\/cybersecurity-blog\/wp-content\/uploads\/2023\/06\/image-13-1024x140.png\" alt=\"Forgotten debug logs we found in the RAT \" class=\"wp-image-5182\" srcset=\"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2023\/06\/image-13-1024x140.png 1024w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2023\/06\/image-13-300x41.png 300w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2023\/06\/image-13-768x105.png 768w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2023\/06\/image-13-370x51.png 370w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2023\/06\/image-13-270x37.png 270w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2023\/06\/image-13-740x101.png 740w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2023\/06\/image-13.png 1260w\" sizes=\"(max-width: 1024px) 100vw, 1024px\" \/><figcaption class=\"wp-element-caption\">Forgotten debug logs we found in the RAT&nbsp;<\/figcaption><\/figure>\n\n\n\n<p>Furthermore, the RAT ships with RTTI (Run-Time Type Information) and class descriptions, which tell us that the main class of this module is most likely named &#8216;CKernel&#8217;:&nbsp;<\/p>\n\n\n\n<figure class=\"wp-block-image size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"266\" src=\"\/cybersecurity-blog\/wp-content\/uploads\/2023\/06\/image-14-1024x266.png\" alt=\"RTTI information and class descriptions suggest that the main class of the current module is named \u201cCKernel\u201d \" class=\"wp-image-5183\" srcset=\"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2023\/06\/image-14-1024x266.png 1024w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2023\/06\/image-14-300x78.png 300w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2023\/06\/image-14-768x200.png 768w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2023\/06\/image-14-1536x399.png 1536w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2023\/06\/image-14-370x96.png 370w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2023\/06\/image-14-270x70.png 270w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2023\/06\/image-14-740x192.png 740w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2023\/06\/image-14.png 1600w\" sizes=\"(max-width: 1024px) 100vw, 1024px\" \/><figcaption class=\"wp-element-caption\">RTTI information and class descriptions suggest that the main class of the current module is named \u201cCKernel\u201d&nbsp;<\/figcaption><\/figure>\n\n\n\n<p>Let us now turn to the exchange protocol.&nbsp;<\/p>\n\n\n\n<h2 class=\"wp-block-heading\">Stage 3: Traffic Analysis&nbsp;<\/h2>\n\n\n\n<p>We\u2019re going to analyze traffic based on <a href=\"https:\/\/app.any.run\/tasks\/3b14ef62-5d21-48bb-a5e4-5b3fed402fb7\/\" target=\"_blank\" rel=\"noreferrer noopener\">this task<\/a>. 
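<\/p>\n\n\n\n<p>Before following the stream, it is worth having a worked version of the detection idea from the introduction at hand, because the first thing this sample puts on the wire is the XOR-encrypted payload fetched from the \/update\/ server. The Python below is an added example, not the authors\u2019 code or rules. It runs on a constructed, PE-shaped buffer wrapped in a constructed HTTP response, not on the real payload, and it assumes the key is the 16-byte ASCII string \u201812345678AABBCCDD\u2019 as printed in Stage 1 (if the real key is the hex-decoded form, the same routines apply with a different period). It estimates the key period from the autocorrelation of the ciphertext, recovers the key byte by byte from the fact that 0x00 is the most common byte in a PE, and then verifies that the result has a plausible MZ\/PE header:<\/p>\n\n

```python
"""Repeating-key XOR over a PE: detect the period, recover the key, verify.

Added example for this article; not code from the original post or from the
malware.  The buffer built below is a constructed PE lookalike, not the real
payload, and the key is assumed to be the ASCII string '12345678AABBCCDD'.
"""
from collections import Counter

ASSUMED_KEY = b"12345678AABBCCDD"  # assumption: ASCII bytes, not hex-decoded


def xor_repeating(data: bytes, key: bytes) -> bytes:
    """XOR each byte with key[i % len(key)]; the same call decrypts."""
    n = len(key)
    return bytes(b ^ key[i % n] for i, b in enumerate(data))


def build_sample_pe_like(total: int = 4096) -> bytes:
    """Constructed PE-shaped plaintext: DOS header with e_lfanew = 0x80, the
    usual stub text, a PE signature and zero padding.  Real PEs are also
    zero-heavy, which is the property both recovery steps below rely on."""
    dos = b"MZ" + b"\x90\x00\x03\x00\x00\x00\x04\x00"
    dos += b"\x00" * (0x3C - len(dos)) + b"\x80\x00\x00\x00"  # e_lfanew
    stub = b"\x0e\x1f\xba\x0e\x00\xb4\x09\xcd\x21\xb8\x01\x4c\xcd\x21"
    stub += b"This program cannot be run in DOS mode.\r\r\n$"
    stub += b"\x00" * (0x80 - len(dos) - len(stub))
    nt = b"PE\x00\x00" + b"\x4c\x01\x01\x00" + b"\x00" * 16  # i386, 1 section
    body = b".text\x00\x00\x00" + bytes(range(256)) * 3  # stand-in for code
    pe = dos + stub + nt + body
    return pe + b"\x00" * (total - len(pe))


def autocorrelation(data: bytes, lag: int) -> float:
    """Fraction of offsets i with data[i] == data[i + lag].  Under a key of
    period P, equal plaintext bytes P apart (mostly zeros) stay equal, so the
    score spikes at lag P and its multiples and stays low elsewhere."""
    hits = sum(1 for i in range(len(data) - lag) if data[i] == data[i + lag])
    return hits / (len(data) - lag)


def estimate_key_length(data: bytes, max_lag: int = 64) -> int:
    """Smallest lag scoring within 5% of the best, so P beats 2P, 3P, ..."""
    scores = {lag: autocorrelation(data, lag) for lag in range(1, max_lag + 1)}
    best = max(scores.values())
    return min(lag for lag, s in scores.items() if s >= 0.95 * best)


def recover_key(data: bytes, key_len: int) -> bytes:
    """Column j of the ciphertext is plaintext[j::key_len] ^ key[j].  With
    0x00 the most common plaintext byte, the most common ciphertext byte in
    each column is key[j] itself."""
    return bytes(Counter(data[j::key_len]).most_common(1)[0][0]
                 for j in range(key_len))


def looks_like_pe(data: bytes) -> bool:
    """MZ at offset 0 and the PE signature at e_lfanew (offset 0x3C)."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    e_lfanew = int.from_bytes(data[0x3C:0x40], "little")
    return data[e_lfanew:e_lfanew + 4] == b"PE\x00\x00"


def http_body(response: bytes) -> bytes:
    """Strip the status line and headers from a raw HTTP response."""
    _, sep, body = response.partition(b"\r\n\r\n")
    return body if sep else b""


def analyze_download(response: bytes):
    """Run the whole chain on a captured response from the payload server.
    Returns (key_length, key, body_is_pe_as_is, decrypted_is_pe)."""
    wire = http_body(response)
    key_len = estimate_key_length(wire)
    key = recover_key(wire, key_len)
    plain = xor_repeating(wire, key)
    return key_len, key, looks_like_pe(wire), looks_like_pe(plain)


def demo():
    """Constructed traffic: the loader's GET answered with the XORed payload."""
    payload = xor_repeating(build_sample_pe_like(), ASSUMED_KEY)
    response = (b"HTTP/1.1 200 OK\r\nContent-Type: application/octet-stream\r\n"
                + b"Content-Length: %d\r\n\r\n" % len(payload) + payload)
    return analyze_download(response)


if __name__ == "__main__":
    key_len, key, raw_pe, dec_pe = demo()
    print(f"period={key_len} key={key!r} raw_is_pe={raw_pe} decrypted_is_pe={dec_pe}")
```

\n\n<p>The key-length step is what a network rule can cheaply approximate: an HTTP body that scores high at one small lag and low everywhere else looks like repeating-key XOR, whatever the key is. The 0x00-is-most-common trick is a known-plaintext attack in disguise and fails on packed or already-compressed payloads, so treat a recovered key as a hypothesis to be confirmed by the PE check.<\/p>\n\n\n\n<p>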
To analyze the traffic thoroughly, either download the PCAP file or follow the network stream in the static discovery window on ANY.RUN.&nbsp;<\/p>\n\n\n\n<h3 class=\"wp-block-heading\">Initial Request: Module Registration&nbsp;<\/h3>\n\n\n\n<p>Once the connection is established, the first outgoing packet is always 4 bytes long: a short alias that tells the command-and-control (C2) server which module is connecting. In this case it is the kernel module, \u201cKNEL\u201d:&nbsp;<\/p>\n\n\n\n<figure class=\"wp-block-image size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"101\" src=\"\/cybersecurity-blog\/wp-content\/uploads\/2023\/06\/image-15-1024x101.png\" alt=\"The kernel module identified as \u201cKNEL\u201d \" class=\"wp-image-5184\" srcset=\"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2023\/06\/image-15-1024x101.png 1024w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2023\/06\/image-15-300x30.png 300w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2023\/06\/image-15-768x76.png 768w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2023\/06\/image-15-370x37.png 370w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2023\/06\/image-15-270x27.png 270w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2023\/06\/image-15-740x73.png 740w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2023\/06\/image-15.png 1398w\" sizes=\"(max-width: 1024px) 100vw, 1024px\" \/><figcaption class=\"wp-element-caption\">The kernel module identified as \u201cKNEL\u201d&nbsp;<\/figcaption><\/figure>\n\n\n\n<p>Our hunting team has also found an RDP module that registers with the alias \u2018RDTP\u2019, and reverse engineering the kernel module lets us deduce the existence of further modules. 
We can speculate about their intended purposes based on their names:&nbsp;<\/p>\n\n\n\n<div class=\"wpdt-c row wpDataTableContainerSimpleTable wpDataTables wpDataTablesWrapper\n\"\n    >\n        <table id=\"wpdtSimpleTable-1\"\n           style=\"border-collapse:collapse;\n                   border-spacing:0px;\"\n           class=\"wpdtSimpleTable wpDataTable\"\n           data-column=\"3\"\n           data-rows=\"11\"\n           data-wpID=\"1\"\n           data-responsive=\"0\"\n           data-has-header=\"1\">\n\n                    <thead>        <tr class=\"wpdt-cell-row \" >\n                                <th class=\"wpdt-cell wpdt-bold wpdt-align-left wpdt-valign-top\"\n                                            data-cell-id=\"A1\"\n                    data-col-index=\"0\"\n                    data-row-index=\"0\"\n                    style=\" width:20.947176684882%;                    padding:10px;\n                    \"\n                    >\n                                        Name                    <\/th>\n                                                <th class=\"wpdt-cell wpdt-bold wpdt-align-left wpdt-valign-top\"\n                                            data-cell-id=\"B1\"\n                    data-col-index=\"1\"\n                    data-row-index=\"0\"\n                    style=\" width:18.214936247723%;                    padding:10px;\n                    \"\n                    >\n                                        Alias                    <\/th>\n                                                <th class=\"wpdt-cell wpdt-bold wpdt-align-left wpdt-valign-top\"\n                                            data-cell-id=\"C1\"\n                    data-col-index=\"2\"\n                    data-row-index=\"0\"\n                    style=\" width:60.837887067395%;                    padding:10px;\n                    \"\n                    >\n                                        Module description                     
<\/th>\n                                        <\/tr>\n                    <tbody>        <tr class=\"wpdt-cell-row \" >\n                                <td class=\"wpdt-cell wpdt-align-left wpdt-valign-top\"\n                                            data-cell-id=\"A2\"\n                    data-col-index=\"0\"\n                    data-row-index=\"1\"\n                    style=\"                    padding:10px;\n                    \"\n                    >\n                                        kernel\u00a0                    <\/td>\n                                                <td class=\"wpdt-cell wpdt-align-left wpdt-valign-top\"\n                                            data-cell-id=\"B2\"\n                    data-col-index=\"1\"\n                    data-row-index=\"1\"\n                    style=\"                    padding:10px;\n                    \"\n                    >\n                                        KNEL\u00a0                    <\/td>\n                                                <td class=\"wpdt-cell wpdt-align-left wpdt-valign-top\"\n                                            data-cell-id=\"C2\"\n                    data-col-index=\"2\"\n                    data-row-index=\"1\"\n                    style=\"                    padding:10px;\n                    \"\n                    >\n                                        The heart of the RAT, a connector for all other modules\u00a0                    <\/td>\n                                        <\/tr>\n                            <tr class=\"wpdt-cell-row \" >\n                                <td class=\"wpdt-cell wpdt-align-left wpdt-valign-top\"\n                                            data-cell-id=\"A3\"\n                    data-col-index=\"0\"\n                    data-row-index=\"2\"\n                    style=\"                    padding:10px;\n                    \"\n                    >\n                                        chat\u00a0        
            <\/td>\n                                                <td class=\"wpdt-cell wpdt-align-left wpdt-valign-top\"\n                                            data-cell-id=\"B3\"\n                    data-col-index=\"1\"\n                    data-row-index=\"2\"\n                    style=\"                    padding:10px;\n                    \"\n                    >\n                                        unknown\u00a0                    <\/td>\n                                                <td class=\"wpdt-cell wpdt-align-left wpdt-valign-top\"\n                                            data-cell-id=\"C3\"\n                    data-col-index=\"2\"\n                    data-row-index=\"2\"\n                    style=\"                    padding:10px;\n                    \"\n                    >\n                                        Enables communication and interaction with the RAT operator or other users.\u00a0                    <\/td>\n                                        <\/tr>\n                            <tr class=\"wpdt-cell-row \" >\n                                <td class=\"wpdt-cell wpdt-align-left wpdt-valign-top\"\n                                            data-cell-id=\"A4\"\n                    data-col-index=\"0\"\n                    data-row-index=\"3\"\n                    style=\"                    padding:10px;\n                    \"\n                    >\n                                        filemgr\u00a0                    <\/td>\n                                                <td class=\"wpdt-cell wpdt-align-left wpdt-valign-top\"\n                                            data-cell-id=\"B4\"\n                    data-col-index=\"1\"\n                    data-row-index=\"3\"\n                    style=\"                    padding:10px;\n                    \"\n                    >\n                                        unknown\u00a0                    <\/td>\n                                        
        <td class=\"wpdt-cell wpdt-align-left wpdt-valign-top\"\n                                            data-cell-id=\"C4\"\n                    data-col-index=\"2\"\n                    data-row-index=\"3\"\n                    style=\"                    padding:10px;\n                    \"\n                    >\n                                        Manages files and directories on the compromised system\u00a0                    <\/td>\n                                        <\/tr>\n                            <tr class=\"wpdt-cell-row \" >\n                                <td class=\"wpdt-cell wpdt-align-left wpdt-valign-top\"\n                                            data-cell-id=\"A5\"\n                    data-col-index=\"0\"\n                    data-row-index=\"4\"\n                    style=\"                    padding:10px;\n                    \"\n                    >\n                                        rd\u00a0                    <\/td>\n                                                <td class=\"wpdt-cell wpdt-align-left wpdt-valign-top\"\n                                            data-cell-id=\"B5\"\n                    data-col-index=\"1\"\n                    data-row-index=\"4\"\n                    style=\"                    padding:10px;\n                    \"\n                    >\n                                        RDTP\u00a0                    <\/td>\n                                                <td class=\"wpdt-cell wpdt-align-left wpdt-valign-top\"\n                                            data-cell-id=\"C5\"\n                    data-col-index=\"2\"\n                    data-row-index=\"4\"\n                    style=\"                    padding:10px;\n                    \"\n                    >\n                                        Remote Desktop: Allows remote access and control of the target system's desktop.\u00a0                    <\/td>\n                                        <\/tr>\n       
                     <tr class=\"wpdt-cell-row \" >\n                                <td class=\"wpdt-cell wpdt-align-left wpdt-valign-top\"\n                                            data-cell-id=\"A6\"\n                    data-col-index=\"0\"\n                    data-row-index=\"5\"\n                    style=\"                    padding:10px;\n                    \"\n                    >\n                                        camera\u00a0                    <\/td>\n                                                <td class=\"wpdt-cell wpdt-align-left wpdt-valign-top\"\n                                            data-cell-id=\"B6\"\n                    data-col-index=\"1\"\n                    data-row-index=\"5\"\n                    style=\"                    padding:10px;\n                    \"\n                    >\n                                        unknown\u00a0                    <\/td>\n                                                <td class=\"wpdt-cell wpdt-align-left wpdt-valign-top\"\n                                            data-cell-id=\"C6\"\n                    data-col-index=\"2\"\n                    data-row-index=\"5\"\n                    style=\"                    padding:10px;\n                    \"\n                    >\n                                        Controls and accesses the target system's camera for capturing images or videos.\u00a0                    <\/td>\n                                        <\/tr>\n                            <tr class=\"wpdt-cell-row \" >\n                                <td class=\"wpdt-cell wpdt-align-left wpdt-valign-top\"\n                                            data-cell-id=\"A7\"\n                    data-col-index=\"0\"\n                    data-row-index=\"6\"\n                    style=\"                    padding:10px;\n                    \"\n                    >\n                                        microphone\u00a0                    <\/td>\n                
                                <td class=\"wpdt-cell wpdt-align-left wpdt-valign-top\"\n                                            data-cell-id=\"B7\"\n                    data-col-index=\"1\"\n                    data-row-index=\"6\"\n                    style=\"                    padding:10px;\n                    \"\n                    >\n                                        unknown\u00a0                    <\/td>\n                                                <td class=\"wpdt-cell wpdt-align-left wpdt-valign-top\"\n                                            data-cell-id=\"C7\"\n                    data-col-index=\"2\"\n                    data-row-index=\"6\"\n                    style=\"                    padding:10px;\n                    \"\n                    >\n                                        Controls and accesses the target system's microphone for recording audio.\u00a0                    <\/td>\n                                        <\/tr>\n                            <tr class=\"wpdt-cell-row \" >\n                                <td class=\"wpdt-cell wpdt-align-left wpdt-valign-top\"\n                                            data-cell-id=\"A8\"\n                    data-col-index=\"0\"\n                    data-row-index=\"7\"\n                    style=\"                    padding:10px;\n                    \"\n                    >\n                                        filedownloader\u00a0                    <\/td>\n                                                <td class=\"wpdt-cell wpdt-align-left wpdt-valign-top\"\n                                            data-cell-id=\"B8\"\n                    data-col-index=\"1\"\n                    data-row-index=\"7\"\n                    style=\"                    padding:10px;\n                    \"\n                    >\n                                        unknown\u00a0                    <\/td>\n                                                <td class=\"wpdt-cell 
wpdt-align-left wpdt-valign-top\"\n                                            data-cell-id=\"C8\"\n                    data-col-index=\"2\"\n                    data-row-index=\"7\"\n                    style=\"                    padding:10px;\n                    \"\n                    >\n                                        Downloads files from the internet onto the compromised system\u00a0                    <\/td>\n                                        <\/tr>\n                            <tr class=\"wpdt-cell-row \" >\n                                <td class=\"wpdt-cell wpdt-align-left wpdt-valign-top\"\n                                            data-cell-id=\"A9\"\n                    data-col-index=\"0\"\n                    data-row-index=\"8\"\n                    style=\"                    padding:10px;\n                    \"\n                    >\n                                        kblog\u00a0                    <\/td>\n                                                <td class=\"wpdt-cell wpdt-align-left wpdt-valign-top\"\n                                            data-cell-id=\"B9\"\n                    data-col-index=\"1\"\n                    data-row-index=\"8\"\n                    style=\"                    padding:10px;\n                    \"\n                    >\n                                        unknown\u00a0                    <\/td>\n                                                <td class=\"wpdt-cell wpdt-align-left wpdt-valign-top\"\n                                            data-cell-id=\"C9\"\n                    data-col-index=\"2\"\n                    data-row-index=\"8\"\n                    style=\"                    padding:10px;\n                    \"\n                    >\n                                        Logs and records keystrokes on the target system\u00a0                    <\/td>\n                                        <\/tr>\n                            <tr class=\"wpdt-cell-row \" 
>\n                                <td class=\"wpdt-cell wpdt-align-left wpdt-valign-top\"\n                                            data-cell-id=\"A10\"\n                    data-col-index=\"0\"\n                    data-row-index=\"9\"\n                    style=\"                    padding:10px;\n                    \"\n                    >\n                                        socksproxy\u00a0                    <\/td>\n                                                <td class=\"wpdt-cell wpdt-align-left wpdt-valign-top\"\n                                            data-cell-id=\"B10\"\n                    data-col-index=\"1\"\n                    data-row-index=\"9\"\n                    style=\"                    padding:10px;\n                    \"\n                    >\n                                        unknown\u00a0                    <\/td>\n                                                <td class=\"wpdt-cell wpdt-align-left wpdt-valign-top\"\n                                            data-cell-id=\"C10\"\n                    data-col-index=\"2\"\n                    data-row-index=\"9\"\n                    style=\"                    padding:10px;\n                    \"\n                    >\n                                        Sets up a SOCKS proxy server on the compromised system, allowing network traffic to be routed through it\u00a0                    <\/td>\n                                        <\/tr>\n                            <tr class=\"wpdt-cell-row \" >\n                                <td class=\"wpdt-cell wpdt-align-left wpdt-valign-top\"\n                                            data-cell-id=\"A11\"\n                    data-col-index=\"0\"\n                    data-row-index=\"10\"\n                    style=\"                    padding:10px;\n                    \"\n                    >\n                                        cmd\u00a0                    <\/td>\n                                        
        <td class=\"wpdt-cell wpdt-align-left wpdt-valign-top\"\n                                            data-cell-id=\"B11\"\n                    data-col-index=\"1\"\n                    data-row-index=\"10\"\n                    style=\"                    padding:10px;\n                    \"\n                    >\n                                        unknown\u00a0                    <\/td>\n                                                <td class=\"wpdt-cell wpdt-align-left wpdt-valign-top\"\n                                            data-cell-id=\"C11\"\n                    data-col-index=\"2\"\n                    data-row-index=\"10\"\n                    style=\"                    padding:10px;\n                    \"\n                    >\n                                        Executes\u00a0 commands on the target system, providing remote control and administration capabilities\u00a0                    <\/td>\n                                        <\/tr>\n                    <\/table>\n<\/div><style id='wpdt-custom-style-1'>\ntable#wpdtSimpleTable-1{ table-layout: fixed !important; }\ntable#wpdtSimpleTable-1 td, table.wpdtSimpleTable1 th { white-space: normal !important; }\n<\/style>\n\n\n\n\n<h3 class=\"wp-block-heading\">Initial Response: Registration Confirmed&nbsp;<\/h3>\n\n\n\n<p>The server responds to the received &#8216;module registration&#8217; packet with the following &#8216;registration confirmed&#8217; packet:&nbsp;<\/p>\n\n\n\n<div class=\"wpdt-c row wpDataTableContainerSimpleTable wpDataTables wpDataTablesWrapper\n\"\n    >\n        <table id=\"wpdtSimpleTable-2\"\n           style=\"border-collapse:collapse;\n                   border-spacing:0px;\"\n           class=\"wpdtSimpleTable wpDataTable\"\n           data-column=\"17\"\n           data-rows=\"4\"\n           data-wpID=\"2\"\n           data-responsive=\"0\"\n           data-has-header=\"1\">\n\n                    <thead>        <tr class=\"wpdt-cell-row \" >\n   
<th><\/th><th>0<\/th><th>1<\/th><th>2<\/th><th>3<\/th><th>4<\/th><th>5<\/th><th>6<\/th><th>7<\/th><th>8<\/th><th>9<\/th><th>a<\/th><th>b<\/th><th>c<\/th><th>d<\/th><th>e<\/th><th>f<\/th>\n<\/tr>\n<\/thead>\n<tbody>\n<tr><td rowspan=\"2\">0<\/td><td colspan=\"16\">header<\/td><\/tr>\n<tr><td colspan=\"4\">magic bytes<\/td><td colspan=\"4\">packet size<\/td><td colspan=\"4\">decompressed size<\/td><td colspan=\"4\">packet type<\/td><\/tr>\n<tr><td>1<\/td><td colspan=\"2\">p_type<\/td><td colspan=\"14\">payload<\/td><\/tr>\n<\/tbody>\n<\/table>\n<\/div>\n\n\n\n<p><strong>The packet has the following fields:<\/strong><\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>magic bytes:<\/strong> always contains the value \u201cBINS\u201d, in this and all subsequent packets.<\/li>\n\n\n\n<li><strong>packet size:<\/strong> the size of the packet excluding the header.<\/li>\n\n\n\n<li><strong>decompressed size:<\/strong> used only when the payload is compressed; it holds the size of the decompressed data.<\/li>\n\n\n\n<li><strong>packet type:<\/strong> the type of the packet, which takes one of two values: <strong>0x0<\/strong> denotes a data packet and <strong>0xABCDEF<\/strong> marks a \u201cheartbeat\u201d.<\/li>\n\n\n\n<li><strong>p_type:<\/strong> the first two bytes after the header, which take one of two kinds of values: <strong>0x9C78<\/strong> means the payload is compressed with \u2018zlib\u2019 using fixed Huffman coding; <strong>any other value<\/strong> is a command to process.<\/li>\n\n\n\n<li><strong>payload:<\/strong> compressed or raw data.<\/li>\n<\/ul>\n\n\n\n<p>Below, you can see an example of the \u201cregistration confirmed\u201d packet:<\/p>\n\n\n\n<figure class=\"wp-block-image
size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"103\" src=\"\/cybersecurity-blog\/wp-content\/uploads\/2023\/06\/image-16-1024x103.png\" alt=\"The registration confirmed packet example \" class=\"wp-image-5185\" srcset=\"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2023\/06\/image-16-1024x103.png 1024w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2023\/06\/image-16-300x30.png 300w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2023\/06\/image-16-768x77.png 768w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2023\/06\/image-16-370x37.png 370w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2023\/06\/image-16-270x27.png 270w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2023\/06\/image-16-740x74.png 740w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2023\/06\/image-16.png 1398w\" sizes=\"(max-width: 1024px) 100vw, 1024px\" \/><figcaption class=\"wp-element-caption\">The registration confirmed packet example&nbsp;<\/figcaption><\/figure>\n\n\n\n<p><\/p>\n\n\n\n<p>The decompressed command from the payload in the above picture can be viewed in CyberChef:&nbsp;<\/p>\n\n\n\n<figure class=\"wp-block-image size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"321\" src=\"\/cybersecurity-blog\/wp-content\/uploads\/2023\/06\/image-17-1024x321.png\" alt=\"\" class=\"wp-image-5186\" srcset=\"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2023\/06\/image-17-1024x321.png 1024w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2023\/06\/image-17-300x94.png 300w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2023\/06\/image-17-768x241.png 768w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2023\/06\/image-17-370x116.png 370w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2023\/06\/image-17-270x85.png 270w, 
https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2023\/06\/image-17-740x232.png 740w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2023\/06\/image-17.png 1270w\" sizes=\"(max-width: 1024px) 100vw, 1024px\" \/><figcaption class=\"wp-element-caption\">Decompressed command from the picture above&nbsp;<\/figcaption><\/figure>\n\n\n\n<p><\/p>\n\n\n\n<p>So that the server asks the client to send information about the host.&nbsp;<\/p>\n\n\n\n<h3 class=\"wp-block-heading\">Client Identity&nbsp;<\/h3>\n\n\n\n<p>In response to the command received from the server, the client starts collecting information about the victim. <\/p>\n\n\n\n<p><strong>They do it in the following order:<\/strong><\/p>\n\n\n\n<ol start=\"1\" class=\"wp-block-list\">\n<li>Get IP address using WinAPI \u201cgetsockname\u201d&nbsp;<\/li>\n<\/ol>\n\n\n\n<ol start=\"2\" class=\"wp-block-list\">\n<li>Get computer name&nbsp;<\/li>\n<\/ol>\n\n\n\n<ol start=\"3\" class=\"wp-block-list\">\n<li>Get user name&nbsp;<\/li>\n<\/ol>\n\n\n\n<ol start=\"4\" class=\"wp-block-list\">\n<li>Get the Windows version using the WinAPI function \u201cGetNativeSystemInfo\u201d to obtain bitness and information from the registry key:&nbsp;<\/li>\n<\/ol>\n\n\n\n<p>HKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Product&nbsp;<\/p>\n\n\n\n<ol start=\"5\" class=\"wp-block-list\">\n<li>Create a registry key \u201cHKEY_CURRENT_USER\\SOFTWARE\\HHClient\u201d&nbsp;<br>&nbsp;if it didn\u2019t exist before. 
It also updates the date of the RAT installation by setting a string value \u2018InstallDate\u2019 to the current date:&nbsp;<br>&nbsp;<\/li>\n<\/ol>\n\n\n\n<figure class=\"wp-block-image size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"662\" src=\"\/cybersecurity-blog\/wp-content\/uploads\/2023\/06\/MicrosoftTeams-image-46-1024x662.png\" alt=\"The RAT sets a string value \u2018InstallDate\u2019 to the current date to update the time of its installation \" class=\"wp-image-5257\" srcset=\"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2023\/06\/MicrosoftTeams-image-46-1024x662.png 1024w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2023\/06\/MicrosoftTeams-image-46-300x194.png 300w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2023\/06\/MicrosoftTeams-image-46-768x497.png 768w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2023\/06\/MicrosoftTeams-image-46-370x239.png 370w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2023\/06\/MicrosoftTeams-image-46-270x175.png 270w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2023\/06\/MicrosoftTeams-image-46-740x478.png 740w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2023\/06\/MicrosoftTeams-image-46.png 1160w\" sizes=\"(max-width: 1024px) 100vw, 1024px\" \/><figcaption class=\"wp-element-caption\">The RAT sets a string value \u2018InstallDate\u2019 to the current date to update the time of its installation&nbsp;<\/figcaption><\/figure>\n\n\n\n<ol start=\"6\" class=\"wp-block-list\">\n<li>Get information about the processor from \u2018HKLM\\HARDWARE\\DESCRIPTION\\System\\CentralProcessor\\0\u2019 and using GetSystemInfo API&nbsp;<\/li>\n<\/ol>\n\n\n\n<ol start=\"7\" class=\"wp-block-list\">\n<li>Get information about drives via GetLogicalDrives and GetDiskFreeSpaceExW&nbsp;<\/li>\n<\/ol>\n\n\n\n<ol start=\"8\" class=\"wp-block-list\">\n<li>Get memory size using GlobalMemoryStatusEx 
API&nbsp;<\/li>\n<\/ol>\n\n\n\n<ol start=\"9\" class=\"wp-block-list\">\n<li>Check whether the C2 is reachable by sending an ICMP echo request (ping) to the attacker\u2019s server&nbsp;<\/li>\n<\/ol>\n\n\n\n<ol start=\"10\" class=\"wp-block-list\">\n<li>Check whether the victim has a camera by enumerating the available devices&nbsp;<\/li>\n<\/ol>\n\n\n\n<ol start=\"11\" class=\"wp-block-list\">\n<li>Check whether an operator-assigned comment for the victim exists in the \u201cHHClient\u201d key&nbsp;<\/li>\n<\/ol>\n\n\n\n<p>After collecting all of this information, the RAT prepends the 2-byte prefix &#8216;0xEE01&#8217;, which marks the packet as a client identity response, compresses the result with zlib and sends it to the C2:&nbsp;<\/p>\n\n\n\n<figure class=\"wp-block-image size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"206\" src=\"\/cybersecurity-blog\/wp-content\/uploads\/2023\/06\/image-18-1024x206.png\" alt=\"Exfiltrating data to C2 \" class=\"wp-image-5187\" srcset=\"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2023\/06\/image-18-1024x206.png 1024w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2023\/06\/image-18-300x60.png 300w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2023\/06\/image-18-768x155.png 768w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2023\/06\/image-18-370x75.png 370w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2023\/06\/image-18-270x54.png 270w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2023\/06\/image-18-740x149.png 740w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2023\/06\/image-18.png 1400w\" sizes=\"(max-width: 1024px) 100vw, 1024px\" \/><figcaption class=\"wp-element-caption\">Exfiltrating data to C2&nbsp;<\/figcaption><\/figure>\n\n\n\n<h3 class=\"wp-block-heading\">Heartbeat&nbsp;<\/h3>\n\n\n\n<p>Every 60 seconds the RAT sends a heartbeat packet (packet type 0xABCDEF) to the server to 
ensure the connection is still active. The server must immediately respond with the same packet type and a zero-length payload:&nbsp;<\/p>\n\n\n\n<figure class=\"wp-block-image size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"287\" src=\"\/cybersecurity-blog\/wp-content\/uploads\/2023\/06\/image-19-1024x287.png\" alt=\"The heartbeat packet is sent every 60 seconds \" class=\"wp-image-5188\" srcset=\"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2023\/06\/image-19-1024x287.png 1024w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2023\/06\/image-19-300x84.png 300w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2023\/06\/image-19-768x216.png 768w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2023\/06\/image-19-370x104.png 370w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2023\/06\/image-19-270x76.png 270w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2023\/06\/image-19-740x208.png 740w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2023\/06\/image-19.png 1404w\" sizes=\"(max-width: 1024px) 100vw, 1024px\" \/><figcaption class=\"wp-element-caption\">The heartbeat packet is sent every 60 seconds&nbsp;<\/figcaption><\/figure>\n\n\n\n<h3 class=\"wp-block-heading\">Downloading and Executing Modules&nbsp;<\/h3>\n\n\n\n<p>When the attacker wants to execute a command on the victim host, they send a packet similar to the &#8216;registration confirmed&#8217; packet but with a different command ID. The command ID is always 2 bytes long. 
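<\/p>\n\n\n\n<p>The exchange described above (the server command, the client identity reply prefixed with 0xEE01, and the 60-second heartbeat that the server echoes with a zero-length payload), as an added Python model. This is not code from the original post and not code from the RAT itself. The page does not give the packet framing, so the 4-byte little-endian type and length header, the COMMAND_TYPE value, the big-endian byte order of the 2-byte command ID and the key=value encoding of the victim info are assumptions that must be checked against a real capture; the command and response IDs are the ones from the table that follows.<\/p>\n\n

```python
"""Model of the Gh0stBins client/server exchange described on this page.

The page gives the packet types, the 2-byte command IDs and the zlib
compression; it does NOT give the framing. ASSUMED here (verify against a
capture before relying on it): each message is a 4-byte little-endian packet
type, a 4-byte little-endian length of the zlib stream, then the zlib stream;
the 2-byte command ID sits at the start of the decompressed payload, written
as the bytes EE 01 for 0xEE01. COMMAND_TYPE and the victim-info field
encoding are placeholders, not values from the page.
"""
import zlib

HEARTBEAT_TYPE = 0xABCDEF   # from the page: sent every 60 s, zero-length payload
COMMAND_TYPE = 0x00000001   # ASSUMED placeholder type for compressed command packets
HEADER_LEN = 8

# Request ID sent by the server: (meaning, response ID the client sends back)
COMMANDS = {
    0x4552: ("send victim info", 0xEE01),
    0xDD01: ("prepare for loading 'cmd' module", 0xEA05),
    0xDD02: ("prepare for loading 'chat' module", 0xEA05),
    0xDD03: ("prepare for loading 'file manager' module", 0xEA05),
    0xDD04: ("prepare for loading 'RDP' module", 0xEA05),
    0xDD05: ("prepare for loading 'camera' module", 0xEA05),
    0xDD06: ("prepare for loading 'microphone' module", 0xEA05),
    0xDD07: ("prepare for loading 'file uploader' module", 0xEA05),
    0xDD08: ("exit", None),
    0xDD09: ("prepare for loading 'keyboard log' module", 0xEA05),
    0xDD0A: ("create startup LNK 'VMware NAT Service'", 0xEA08),
    0xDD0B: ("add HKCU Run value 'VMware NAT Service'", 0xEA08),
    0xDD0C: ("prepare for loading 'socks proxy' module", 0xEA05),
    0xDD0D: ("not implemented (OnUtilsOpenWebPage)", None),
    0xEA04: ("restart itself", None),
}
# Response IDs seen in the client-to-server direction, for labelling
RESPONSES = {0xEE01: "client identity", 0xEA05: "module ready", 0xEA08: "persistence done"}


def pack_message(ptype, payload):
    """Frame one message: header + zlib(payload); an empty payload means no body."""
    body = zlib.compress(payload) if payload else b""
    return ptype.to_bytes(4, "little") + len(body).to_bytes(4, "little") + body


def unpack_message(buf):
    """Return (ptype, decompressed payload, unread bytes); ValueError if truncated."""
    if len(buf) < HEADER_LEN:
        raise ValueError("short header")
    ptype = int.from_bytes(buf[:4], "little")
    length = int.from_bytes(buf[4:8], "little")
    if len(buf) - HEADER_LEN < length:
        raise ValueError("truncated payload")
    body = buf[HEADER_LEN:HEADER_LEN + length]
    return ptype, (zlib.decompress(body) if length else b""), buf[HEADER_LEN + length:]


def build_heartbeat():
    """Heartbeat in either direction: type 0xABCDEF, zero-length payload."""
    return pack_message(HEARTBEAT_TYPE, b"")


def build_command(cmd_id, body=b""):
    """2-byte command ID followed by any arguments, then compressed (both directions)."""
    return pack_message(COMMAND_TYPE, cmd_id.to_bytes(2, "big") + body)


def build_identity_response(info):
    """Client side: 0xEE01 prefix + victim info. Field encoding is ASSUMED (key=value, '|')."""
    text = "|".join(f"{k}={v}" for k, v in info.items())
    return build_command(0xEE01, text.encode())


def client_reply(msg, info):
    """What the client sends back for one server message (b'' when nothing is expected)."""
    ptype, payload, _ = unpack_message(msg)
    if ptype == HEARTBEAT_TYPE:
        return b""                       # server echo of our heartbeat; nothing to do
    cmd = int.from_bytes(payload[:2], "big")
    if cmd == 0x4552:
        return build_identity_response(info)
    resp = COMMANDS.get(cmd, (None, None))[1]
    return build_command(resp) if resp else b""


def server_reply(msg):
    """What the server sends back: a heartbeat is echoed with a zero-length payload."""
    ptype, _, _ = unpack_message(msg)
    return build_heartbeat() if ptype == HEARTBEAT_TYPE else b""


def parse_stream(buf):
    """Split a reassembled TCP stream into (label, command ID, body) for triage."""
    out = []
    while buf:
        try:
            ptype, payload, buf = unpack_message(buf)
        except ValueError as exc:        # reassembly gap or cut capture
            out.append((f"truncated: {exc}", None, buf))
            break
        if ptype == HEARTBEAT_TYPE:
            out.append(("heartbeat", None, b""))
            continue
        cid = int.from_bytes(payload[:2], "big")
        label = COMMANDS.get(cid, (RESPONSES.get(cid, "unknown"), None))[0]
        out.append((label, cid, payload[2:]))
    return out


if __name__ == "__main__":
    # Constructed sample exchange, not traffic taken from the page
    victim = {"ip": "10.0.0.5", "host": "WS01", "user": "alice", "os": "Windows 10 x64"}
    stream = build_command(0x4552)
    stream += client_reply(stream, victim)
    stream += build_heartbeat() + server_reply(build_heartbeat())
    for label, cid, body in parse_stream(stream):
        print(label, hex(cid) if cid is not None else "", body[:40])
```

<p>parse_stream is the piece to adapt once the real header layout is confirmed from a capture: it labels each message with the table entry for its command ID and stops cleanly on a truncated stream instead of raising. client_reply and server_reply generate both directions, which is enough to produce test traffic for a detection rule offline.<\/p>\n\n\n\n<p>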
Depending on the packet type, the command ID can either be compressed or located in the position of the &#8216;zlib&#8217; header.&nbsp;<\/p>\n\n\n\n<p>Below is a list of all the available command IDs:&nbsp;<\/p>\n\n\n\n<div class=\"wpdt-c row wpDataTableContainerSimpleTable wpDataTables wpDataTablesWrapper\n\"\n    >\n        <table id=\"wpdtSimpleTable-3\"\n           style=\"border-collapse:collapse;\n                   border-spacing:0px;\"\n           class=\"wpdtSimpleTable wpDataTable\"\n           data-column=\"4\"\n           data-rows=\"21\"\n           data-wpID=\"3\"\n           data-responsive=\"0\"\n           data-has-header=\"1\">\n\n                    <thead>        <tr class=\"wpdt-cell-row \" >\n                                <th class=\"wpdt-cell wpdt-align-left wpdt-valign-top\"\n                                            data-cell-id=\"A1\"\n                    data-col-index=\"0\"\n                    data-row-index=\"0\"\n                    style=\" width:8.6355785837651%;                    padding:10px;\n                    \"\n                    >\n                                        #\u00a0                    <\/th>\n                                                <th class=\"wpdt-cell wpdt-align-left wpdt-valign-top\"\n                                            data-cell-id=\"B1\"\n                    data-col-index=\"1\"\n                    data-row-index=\"0\"\n                    style=\" width:17.27115716753%;                    padding:10px;\n                    \"\n                    >\n                                        Cmd ID req\u00a0                    <\/th>\n                                                <th class=\"wpdt-cell wpdt-align-left wpdt-valign-top\"\n                                            data-cell-id=\"C1\"\n                    data-col-index=\"2\"\n                    data-row-index=\"0\"\n                    style=\" width:17.27115716753%;                    padding:10px;\n                 
   \"\n                    >\n                                        Cmd ID resp\u00a0                    <\/th>\n                                                <th class=\"wpdt-cell wpdt-align-left wpdt-valign-top\"\n                                            data-cell-id=\"D1\"\n                    data-col-index=\"3\"\n                    data-row-index=\"0\"\n                    style=\" width:56.822107081174%;                    padding:10px;\n                    \"\n                    >\n                                        Description\u00a0                    <\/th>\n                                        <\/tr>\n                    <tbody>        <tr class=\"wpdt-cell-row \" >\n                                <td class=\"wpdt-cell wpdt-align-left wpdt-valign-top\"\n                                            data-cell-id=\"A2\"\n                    data-col-index=\"0\"\n                    data-row-index=\"1\"\n                    style=\"                    padding:10px;\n                    \"\n                    >\n                                        1\u00a0                    <\/td>\n                                                <td class=\"wpdt-cell wpdt-align-left wpdt-valign-top\"\n                                            data-cell-id=\"B2\"\n                    data-col-index=\"1\"\n                    data-row-index=\"1\"\n                    style=\"                    padding:10px;\n                    \"\n                    >\n                                        0x4552\u00a0                    <\/td>\n                                                <td class=\"wpdt-cell wpdt-align-left wpdt-valign-top\"\n                                            data-cell-id=\"C2\"\n                    data-col-index=\"2\"\n                    data-row-index=\"1\"\n                    style=\"                    padding:10px;\n                    \"\n                    >\n                                        0xEE01\u00a0              
      <\/td>\n                                                <td class=\"wpdt-cell wpdt-align-left wpdt-valign-top\"\n                                            data-cell-id=\"D2\"\n                    data-col-index=\"3\"\n                    data-row-index=\"1\"\n                    style=\"                    padding:10px;\n                    \"\n                    >\n                                        Send victim info\u00a0                    <\/td>\n                                        <\/tr>\n                            <tr class=\"wpdt-cell-row \" >\n                                <td class=\"wpdt-cell wpdt-align-left wpdt-valign-top\"\n                                            data-cell-id=\"A3\"\n                    data-col-index=\"0\"\n                    data-row-index=\"2\"\n                    style=\"                    padding:10px;\n                    \"\n                    >\n                                        2\u00a0                    <\/td>\n                                                <td class=\"wpdt-cell wpdt-align-left wpdt-valign-top\"\n                                            data-cell-id=\"B3\"\n                    data-col-index=\"1\"\n                    data-row-index=\"2\"\n                    style=\"                    padding:10px;\n                    \"\n                    >\n                                        0xDD01\u00a0                    <\/td>\n                                                <td class=\"wpdt-cell wpdt-align-left wpdt-valign-top\"\n                                            data-cell-id=\"C3\"\n                    data-col-index=\"2\"\n                    data-row-index=\"2\"\n                    style=\"                    padding:10px;\n                    \"\n                    >\n                                        0xEA05\u00a0                    <\/td>\n                                                <td class=\"wpdt-cell wpdt-align-left wpdt-valign-top\"\n        
                                    data-cell-id=\"D3\"\n                    data-col-index=\"3\"\n                    data-row-index=\"2\"\n                    style=\"                    padding:10px;\n                    \"\n                    >\n                                        Prepare for loading \u2018cmd\u2019 module\u00a0                    <\/td>\n                                        <\/tr>\n                            <tr class=\"wpdt-cell-row \" >\n                                <td class=\"wpdt-cell wpdt-align-left wpdt-valign-top\"\n                                            data-cell-id=\"A4\"\n                    data-col-index=\"0\"\n                    data-row-index=\"3\"\n                    style=\"                    padding:10px;\n                    \"\n                    >\n                                        3\u00a0                    <\/td>\n                                                <td class=\"wpdt-cell wpdt-align-left wpdt-valign-top\"\n                                            data-cell-id=\"B4\"\n                    data-col-index=\"1\"\n                    data-row-index=\"3\"\n                    style=\"                    padding:10px;\n                    \"\n                    >\n                                        0xDD02\u00a0                    <\/td>\n                                                <td class=\"wpdt-cell wpdt-align-left wpdt-valign-top\"\n                                            data-cell-id=\"C4\"\n                    data-col-index=\"2\"\n                    data-row-index=\"3\"\n                    style=\"                    padding:10px;\n                    \"\n                    >\n                                        0xEA05\u00a0                    <\/td>\n                                                <td class=\"wpdt-cell wpdt-align-left wpdt-valign-top\"\n                                            data-cell-id=\"D4\"\n                    data-col-index=\"3\"\n  
                  data-row-index=\"3\"\n                    style=\"                    padding:10px;\n                    \"\n                    >\n                                        Prepare for loading \u201cchat\u201d module\u00a0                    <\/td>\n                                        <\/tr>\n                            <tr class=\"wpdt-cell-row \" >\n                                <td class=\"wpdt-cell wpdt-align-left wpdt-valign-top\"\n                                            data-cell-id=\"A5\"\n                    data-col-index=\"0\"\n                    data-row-index=\"4\"\n                    style=\"                    padding:10px;\n                    \"\n                    >\n                                        4\u00a0                    <\/td>\n                                                <td class=\"wpdt-cell wpdt-align-left wpdt-valign-top\"\n                                            data-cell-id=\"B5\"\n                    data-col-index=\"1\"\n                    data-row-index=\"4\"\n                    style=\"                    padding:10px;\n                    \"\n                    >\n                                        0xDD03\u00a0                    <\/td>\n                                                <td class=\"wpdt-cell wpdt-align-left wpdt-valign-top\"\n                                            data-cell-id=\"C5\"\n                    data-col-index=\"2\"\n                    data-row-index=\"4\"\n                    style=\"                    padding:10px;\n                    \"\n                    >\n                                        0xEA05\u00a0                    <\/td>\n                                                <td class=\"wpdt-cell wpdt-align-left wpdt-valign-top\"\n                                            data-cell-id=\"D5\"\n                    data-col-index=\"3\"\n                    data-row-index=\"4\"\n                    style=\"                    
padding:10px;\n                    \"\n                    >\n                                        Prepare for loading \u201cfile manager\u201d module\u00a0                    <\/td>\n                                        <\/tr>\n                            <tr class=\"wpdt-cell-row \" >\n                                <td class=\"wpdt-cell wpdt-align-left wpdt-valign-top\"\n                                            data-cell-id=\"A6\"\n                    data-col-index=\"0\"\n                    data-row-index=\"5\"\n                    style=\"                    padding:10px;\n                    \"\n                    >\n                                        5\u00a0                    <\/td>\n                                                <td class=\"wpdt-cell wpdt-align-left wpdt-valign-top\"\n                                            data-cell-id=\"B6\"\n                    data-col-index=\"1\"\n                    data-row-index=\"5\"\n                    style=\"                    padding:10px;\n                    \"\n                    >\n                                        0xDD04\u00a0                    <\/td>\n                                                <td class=\"wpdt-cell wpdt-align-left wpdt-valign-top\"\n                                            data-cell-id=\"C6\"\n                    data-col-index=\"2\"\n                    data-row-index=\"5\"\n                    style=\"                    padding:10px;\n                    \"\n                    >\n                                        0xEA05\u00a0                    <\/td>\n                                                <td class=\"wpdt-cell wpdt-align-left wpdt-valign-top\"\n                                            data-cell-id=\"D6\"\n                    data-col-index=\"3\"\n                    data-row-index=\"5\"\n                    style=\"                    padding:10px;\n                    \"\n                    >\n                              
          Prepare for loading \u201cRDP\u201d module\u00a0                    <\/td>\n                                        <\/tr>\n                            <tr class=\"wpdt-cell-row \" >\n                                <td class=\"wpdt-cell wpdt-align-left wpdt-valign-top\"\n                                            data-cell-id=\"A7\"\n                    data-col-index=\"0\"\n                    data-row-index=\"6\"\n                    style=\"                    padding:10px;\n                    \"\n                    >\n                                        6\u00a0                    <\/td>\n                                                <td class=\"wpdt-cell wpdt-align-left wpdt-valign-top\"\n                                            data-cell-id=\"B7\"\n                    data-col-index=\"1\"\n                    data-row-index=\"6\"\n                    style=\"                    padding:10px;\n                    \"\n                    >\n                                        0xDD05\u00a0                    <\/td>\n                                                <td class=\"wpdt-cell wpdt-align-left wpdt-valign-top\"\n                                            data-cell-id=\"C7\"\n                    data-col-index=\"2\"\n                    data-row-index=\"6\"\n                    style=\"                    padding:10px;\n                    \"\n                    >\n                                        0xEA05\u00a0                    <\/td>\n                                                <td class=\"wpdt-cell wpdt-align-left wpdt-valign-top\"\n                                            data-cell-id=\"D7\"\n                    data-col-index=\"3\"\n                    data-row-index=\"6\"\n                    style=\"                    padding:10px;\n                    \"\n                    >\n                                        Prepare for loading \u201ccamera\u201d module\u00a0                    <\/td>\n            
                            <\/tr>\n                            <tr class=\"wpdt-cell-row \" >\n                                <td class=\"wpdt-cell wpdt-align-left wpdt-valign-top\"\n                                            data-cell-id=\"A8\"\n                    data-col-index=\"0\"\n                    data-row-index=\"7\"\n                    style=\"                    padding:10px;\n                    \"\n                    >\n                                        7\u00a0                    <\/td>\n                                                <td class=\"wpdt-cell wpdt-align-left wpdt-valign-top\"\n                                            data-cell-id=\"B8\"\n                    data-col-index=\"1\"\n                    data-row-index=\"7\"\n                    style=\"                    padding:10px;\n                    \"\n                    >\n                                        0xDD06\u00a0                    <\/td>\n                                                <td class=\"wpdt-cell wpdt-align-left wpdt-valign-top\"\n                                            data-cell-id=\"C8\"\n                    data-col-index=\"2\"\n                    data-row-index=\"7\"\n                    style=\"                    padding:10px;\n                    \"\n                    >\n                                        0xEA05\u00a0                    <\/td>\n                                                <td class=\"wpdt-cell wpdt-align-left wpdt-valign-top\"\n                                            data-cell-id=\"D8\"\n                    data-col-index=\"3\"\n                    data-row-index=\"7\"\n                    style=\"                    padding:10px;\n                    \"\n                    >\n                                        Prepare for loading \u201cmicrophone\u201d module\u00a0                    <\/td>\n                                        <\/tr>\n                            <tr class=\"wpdt-cell-row \" 
>\n                                <td class=\"wpdt-cell wpdt-align-left wpdt-valign-top\"\n                                            data-cell-id=\"A9\"\n                    data-col-index=\"0\"\n                    data-row-index=\"8\"\n                    style=\"                    padding:10px;\n                    \"\n                    >\n                                        8\u00a0                    <\/td>\n                                                <td class=\"wpdt-cell wpdt-align-left wpdt-valign-top\"\n                                            data-cell-id=\"B9\"\n                    data-col-index=\"1\"\n                    data-row-index=\"8\"\n                    style=\"                    padding:10px;\n                    \"\n                    >\n                                        0xDD07\u00a0                    <\/td>\n                                                <td class=\"wpdt-cell wpdt-align-left wpdt-valign-top\"\n                                            data-cell-id=\"C9\"\n                    data-col-index=\"2\"\n                    data-row-index=\"8\"\n                    style=\"                    padding:10px;\n                    \"\n                    >\n                                        0xEA05\u00a0                    <\/td>\n                                                <td class=\"wpdt-cell wpdt-align-left wpdt-valign-top\"\n                                            data-cell-id=\"D9\"\n                    data-col-index=\"3\"\n                    data-row-index=\"8\"\n                    style=\"                    padding:10px;\n                    \"\n                    >\n                                        Prepare for loading \u201cfile uploader\u201d module\u00a0                    <\/td>\n                                        <\/tr>\n                            <tr class=\"wpdt-cell-row \" >\n                                <td class=\"wpdt-cell wpdt-align-left 
wpdt-valign-top\"\n                                            data-cell-id=\"A10\"\n                    data-col-index=\"0\"\n                    data-row-index=\"9\"\n                    style=\"                    padding:10px;\n                    \"\n                    >\n                                        9\u00a0                    <\/td>\n                                                <td class=\"wpdt-cell wpdt-align-left wpdt-valign-top\"\n                                            data-cell-id=\"B10\"\n                    data-col-index=\"1\"\n                    data-row-index=\"9\"\n                    style=\"                    padding:10px;\n                    \"\n                    >\n                                        0xDD08\u00a0                    <\/td>\n                                                <td class=\"wpdt-cell wpdt-align-left wpdt-valign-top\"\n                                            data-cell-id=\"C10\"\n                    data-col-index=\"2\"\n                    data-row-index=\"9\"\n                    style=\"                    padding:10px;\n                    \"\n                    >\n                                        -\u00a0                    <\/td>\n                                                <td class=\"wpdt-cell wpdt-align-left wpdt-valign-top\"\n                                            data-cell-id=\"D10\"\n                    data-col-index=\"3\"\n                    data-row-index=\"9\"\n                    style=\"                    padding:10px;\n                    \"\n                    >\n                                        Exit\u00a0                    <\/td>\n                                        <\/tr>\n                            <tr class=\"wpdt-cell-row \" >\n                                <td class=\"wpdt-cell wpdt-align-left wpdt-valign-top\"\n                                            data-cell-id=\"A11\"\n                    data-col-index=\"0\"\n             
       data-row-index=\"10\"\n                    style=\"                    padding:10px;\n                    \"\n                    >\n                                        10\u00a0                    <\/td>\n                                                <td class=\"wpdt-cell wpdt-align-left wpdt-valign-top\"\n                                            data-cell-id=\"B11\"\n                    data-col-index=\"1\"\n                    data-row-index=\"10\"\n                    style=\"                    padding:10px;\n                    \"\n                    >\n                                        0xDD09\u00a0                    <\/td>\n                                                <td class=\"wpdt-cell wpdt-align-left wpdt-valign-top\"\n                                            data-cell-id=\"C11\"\n                    data-col-index=\"2\"\n                    data-row-index=\"10\"\n                    style=\"                    padding:10px;\n                    \"\n                    >\n                                        0xEA05\u00a0                    <\/td>\n                                                <td class=\"wpdt-cell wpdt-align-left wpdt-valign-top\"\n                                            data-cell-id=\"D11\"\n                    data-col-index=\"3\"\n                    data-row-index=\"10\"\n                    style=\"                    padding:10px;\n                    \"\n                    >\n                                        Prepare for loading \u2018keyboard log\u2019 module\u00a0                    <\/td>\n                                        <\/tr>\n                            <tr class=\"wpdt-cell-row \" >\n                                <td class=\"wpdt-cell wpdt-align-left wpdt-valign-top\"\n                                            data-cell-id=\"A12\"\n                    data-col-index=\"0\"\n                    data-row-index=\"11\"\n                    style=\"                    
padding:10px;\n                    \"\n                    >\n                                        11\u00a0                    <\/td>\n                                                <td class=\"wpdt-cell wpdt-align-left wpdt-valign-top\"\n                                            data-cell-id=\"B12\"\n                    data-col-index=\"1\"\n                    data-row-index=\"11\"\n                    style=\"                    padding:10px;\n                    \"\n                    >\n                                        0xDD0A\u00a0                    <\/td>\n                                                <td class=\"wpdt-cell wpdt-align-left wpdt-valign-top\"\n                                            data-cell-id=\"C12\"\n                    data-col-index=\"2\"\n                    data-row-index=\"11\"\n                    style=\"                    padding:10px;\n                    \"\n                    >\n                                        0xEA08\u00a0                    <\/td>\n                                                <td class=\"wpdt-cell wpdt-align-left wpdt-valign-top\"\n                                            data-cell-id=\"D12\"\n                    data-col-index=\"3\"\n                    data-row-index=\"11\"\n                    style=\"                    padding:10px;\n                    \"\n                    >\n                                        Create a LNK file in the startup menu with name of \u201cVMware NAT Service\u201d\u00a0                    <\/td>\n                                        <\/tr>\n                            <tr class=\"wpdt-cell-row \" >\n                                <td class=\"wpdt-cell wpdt-align-left wpdt-valign-top\"\n                                            data-cell-id=\"A13\"\n                    data-col-index=\"0\"\n                    data-row-index=\"12\"\n                    style=\"                    padding:10px;\n                    \"\n              
      >\n                                        12\u00a0                    <\/td>\n                                                <td class=\"wpdt-cell wpdt-align-left wpdt-valign-top\"\n                                            data-cell-id=\"B13\"\n                    data-col-index=\"1\"\n                    data-row-index=\"12\"\n                    style=\"                    padding:10px;\n                    \"\n                    >\n                                        0xDD0B\u00a0                    <\/td>\n                                                <td class=\"wpdt-cell wpdt-align-left wpdt-valign-top\"\n                                            data-cell-id=\"C13\"\n                    data-col-index=\"2\"\n                    data-row-index=\"12\"\n                    style=\"                    padding:10px;\n                    \"\n                    >\n                                        0xEA08\u00a0                    <\/td>\n                                                <td class=\"wpdt-cell wpdt-align-left wpdt-valign-top\"\n                                            data-cell-id=\"D13\"\n                    data-col-index=\"3\"\n                    data-row-index=\"12\"\n                    style=\"                    padding:10px;\n                    \"\n                    >\n                                        Add itself to autorun via \u201cHKCU\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run\u201d with name \u201cVMware NAT Service\u201d\u00a0                    <\/td>\n                                        <\/tr>\n                            <tr class=\"wpdt-cell-row \" >\n                                <td class=\"wpdt-cell wpdt-align-left wpdt-valign-top\"\n                                            data-cell-id=\"A14\"\n                    data-col-index=\"0\"\n                    data-row-index=\"13\"\n                    style=\"                    padding:10px;\n                    \"\n              
      >\n                                        13\u00a0                    <\/td>\n                                                <td class=\"wpdt-cell wpdt-align-left wpdt-valign-top\"\n                                            data-cell-id=\"B14\"\n                    data-col-index=\"1\"\n                    data-row-index=\"13\"\n                    style=\"                    padding:10px;\n                    \"\n                    >\n                                        0xDD0C\u00a0                    <\/td>\n                                                <td class=\"wpdt-cell wpdt-align-left wpdt-valign-top\"\n                                            data-cell-id=\"C14\"\n                    data-col-index=\"2\"\n                    data-row-index=\"13\"\n                    style=\"                    padding:10px;\n                    \"\n                    >\n                                        0xEA05\u00a0                    <\/td>\n                                                <td class=\"wpdt-cell wpdt-align-left wpdt-valign-top\"\n                                            data-cell-id=\"D14\"\n                    data-col-index=\"3\"\n                    data-row-index=\"13\"\n                    style=\"                    padding:10px;\n                    \"\n                    >\n                                        Prepare for loading \u2018socks proxy\u2019 module\u00a0                    <\/td>\n                                        <\/tr>\n                            <tr class=\"wpdt-cell-row \" >\n                                <td class=\"wpdt-cell wpdt-align-left wpdt-valign-top\"\n                                            data-cell-id=\"A15\"\n                    data-col-index=\"0\"\n                    data-row-index=\"14\"\n                    style=\"                    padding:10px;\n                    \"\n                    >\n                                        14\u00a0                    
<\/td>\n                                                <td class=\"wpdt-cell wpdt-align-left wpdt-valign-top\"\n                                            data-cell-id=\"B15\"\n                    data-col-index=\"1\"\n                    data-row-index=\"14\"\n                    style=\"                    padding:10px;\n                    \"\n                    >\n                                        0xDD0D\u00a0                    <\/td>\n                                                <td class=\"wpdt-cell wpdt-align-left wpdt-valign-top\"\n                                            data-cell-id=\"C15\"\n                    data-col-index=\"2\"\n                    data-row-index=\"14\"\n                    style=\"                    padding:10px;\n                    \"\n                    >\n                                        -\u00a0                    <\/td>\n                                                <td class=\"wpdt-cell wpdt-align-left wpdt-valign-top\"\n                                            data-cell-id=\"D15\"\n                    data-col-index=\"3\"\n                    data-row-index=\"14\"\n                    style=\"                    padding:10px;\n                    \"\n                    >\n                                        Not implemented; only the comment \u201cOnUtilsOpenWebPage\u201d remains\u00a0                    <\/td>\n                                        <\/tr>\n                            <tr class=\"wpdt-cell-row \" >\n                                <td class=\"wpdt-cell wpdt-align-left wpdt-valign-top\"\n                                            data-cell-id=\"A16\"\n                    data-col-index=\"0\"\n                    data-row-index=\"15\"\n                    style=\"                    padding:10px;\n                    \"\n                    >\n                                        15\u00a0                    <\/td>\n                                                <td 
class=\"wpdt-cell wpdt-align-left wpdt-valign-top\"\n                                            data-cell-id=\"B16\"\n                    data-col-index=\"1\"\n                    data-row-index=\"15\"\n                    style=\"                    padding:10px;\n                    \"\n                    >\n                                        0xEA04\u00a0                    <\/td>\n                                                <td class=\"wpdt-cell wpdt-align-left wpdt-valign-top\"\n                                            data-cell-id=\"C16\"\n                    data-col-index=\"2\"\n                    data-row-index=\"15\"\n                    style=\"                    padding:10px;\n                    \"\n                    >\n                                        -\u00a0                    <\/td>\n                                                <td class=\"wpdt-cell wpdt-align-left wpdt-valign-top\"\n                                            data-cell-id=\"D16\"\n                    data-col-index=\"3\"\n                    data-row-index=\"15\"\n                    style=\"                    padding:10px;\n                    \"\n                    >\n                                        Restart itself\u00a0                    <\/td>\n                                        <\/tr>\n                            <tr class=\"wpdt-cell-row \" >\n                                <td class=\"wpdt-cell wpdt-align-left wpdt-valign-top\"\n                                            data-cell-id=\"A17\"\n                    data-col-index=\"0\"\n                    data-row-index=\"16\"\n                    style=\"                    padding:10px;\n                    \"\n                    >\n                                        16\u00a0                    <\/td>\n                                                <td class=\"wpdt-cell wpdt-align-left wpdt-valign-top\"\n                                            data-cell-id=\"B17\"\n      
              data-col-index=\"1\"\n                    data-row-index=\"16\"\n                    style=\"                    padding:10px;\n                    \"\n                    >\n                                        0xEA07\u00a0                    <\/td>\n                                                <td class=\"wpdt-cell wpdt-align-left wpdt-valign-top\"\n                                            data-cell-id=\"C17\"\n                    data-col-index=\"2\"\n                    data-row-index=\"16\"\n                    style=\"                    padding:10px;\n                    \"\n                    >\n                                        0xFA00\u00a0                    <\/td>\n                                                <td class=\"wpdt-cell wpdt-align-left wpdt-valign-top\"\n                                            data-cell-id=\"D17\"\n                    data-col-index=\"3\"\n                    data-row-index=\"16\"\n                    style=\"                    padding:10px;\n                    \"\n                    >\n                                        Prepare memory for the payload\u00a0                    <\/td>\n                                        <\/tr>\n                            <tr class=\"wpdt-cell-row \" >\n                                <td class=\"wpdt-cell wpdt-align-left wpdt-valign-top\"\n                                            data-cell-id=\"A18\"\n                    data-col-index=\"0\"\n                    data-row-index=\"17\"\n                    style=\"                    padding:10px;\n                    \"\n                    >\n                                        17\u00a0                    <\/td>\n                                                <td class=\"wpdt-cell wpdt-align-left wpdt-valign-top\"\n                                            data-cell-id=\"B18\"\n                    data-col-index=\"1\"\n                    data-row-index=\"17\"\n                    
style=\"                    padding:10px;\n                    \"\n                    >\n                                        0xEE02\u00a0                    <\/td>\n                                                <td class=\"wpdt-cell wpdt-align-left wpdt-valign-top\"\n                                            data-cell-id=\"C18\"\n                    data-col-index=\"2\"\n                    data-row-index=\"17\"\n                    style=\"                    padding:10px;\n                    \"\n                    >\n                                        -\u00a0                    <\/td>\n                                                <td class=\"wpdt-cell wpdt-align-left wpdt-valign-top\"\n                                            data-cell-id=\"D18\"\n                    data-col-index=\"3\"\n                    data-row-index=\"17\"\n                    style=\"                    padding:10px;\n                    \"\n                    >\n                                        Reboot system\u00a0                    <\/td>\n                                        <\/tr>\n                            <tr class=\"wpdt-cell-row \" >\n                                <td class=\"wpdt-cell wpdt-align-left wpdt-valign-top\"\n                                            data-cell-id=\"A19\"\n                    data-col-index=\"0\"\n                    data-row-index=\"18\"\n                    style=\"                    padding:10px;\n                    \"\n                    >\n                                        18\u00a0                    <\/td>\n                                                <td class=\"wpdt-cell wpdt-align-left wpdt-valign-top\"\n                                            data-cell-id=\"B19\"\n                    data-col-index=\"1\"\n                    data-row-index=\"18\"\n                    style=\"                    padding:10px;\n                    \"\n                    >\n                                    
    0xEE03\u00a0                    <\/td>\n                                                <td class=\"wpdt-cell wpdt-align-left wpdt-valign-top\"\n                                            data-cell-id=\"C19\"\n                    data-col-index=\"2\"\n                    data-row-index=\"18\"\n                    style=\"                    padding:10px;\n                    \"\n                    >\n                                        -\u00a0                    <\/td>\n                                                <td class=\"wpdt-cell wpdt-align-left wpdt-valign-top\"\n                                            data-cell-id=\"D19\"\n                    data-col-index=\"3\"\n                    data-row-index=\"18\"\n                    style=\"                    padding:10px;\n                    \"\n                    >\n                                        Force system shutdown\u00a0                    <\/td>\n                                        <\/tr>\n                            <tr class=\"wpdt-cell-row \" >\n                                <td class=\"wpdt-cell wpdt-align-left wpdt-valign-top\"\n                                            data-cell-id=\"A20\"\n                    data-col-index=\"0\"\n                    data-row-index=\"19\"\n                    style=\"                    padding:10px;\n                    \"\n                    >\n                                        19\u00a0                    <\/td>\n                                                <td class=\"wpdt-cell wpdt-align-left wpdt-valign-top\"\n                                            data-cell-id=\"B20\"\n                    data-col-index=\"1\"\n                    data-row-index=\"19\"\n                    style=\"                    padding:10px;\n                    \"\n                    >\n                                        0xEE04\u00a0                    <\/td>\n                                                <td class=\"wpdt-cell 
wpdt-align-left wpdt-valign-top\"\n                                            data-cell-id=\"C20\"\n                    data-col-index=\"2\"\n                    data-row-index=\"19\"\n                    style=\"                    padding:10px;\n                    \"\n                    >\n                                        0xEE05\u00a0                    <\/td>\n                                                <td class=\"wpdt-cell wpdt-align-left wpdt-valign-top\"\n                                            data-cell-id=\"D20\"\n                    data-col-index=\"3\"\n                    data-row-index=\"19\"\n                    style=\"                    padding:10px;\n                    \"\n                    >\n                                        Save comment about the victim host to the registry\u00a0                    <\/td>\n                                        <\/tr>\n                            <tr class=\"wpdt-cell-row \" >\n                                <td class=\"wpdt-cell wpdt-align-left wpdt-valign-top\"\n                                            data-cell-id=\"A21\"\n                    data-col-index=\"0\"\n                    data-row-index=\"20\"\n                    style=\"                    padding:10px;\n                    \"\n                    >\n                                        20\u00a0                    <\/td>\n                                                <td class=\"wpdt-cell wpdt-align-left wpdt-valign-top\"\n                                            data-cell-id=\"B21\"\n                    data-col-index=\"1\"\n                    data-row-index=\"20\"\n                    style=\"                    padding:10px;\n                    \"\n                    >\n                                        0xFA01\u00a0                    <\/td>\n                                                <td class=\"wpdt-cell wpdt-align-left wpdt-valign-top\"\n                                            
data-cell-id=\"C21\"\n                    data-col-index=\"2\"\n                    data-row-index=\"20\"\n                    style=\"                    padding:10px;\n                    \"\n                    >\n                                        \u00a0                    <\/td>\n                                                <td class=\"wpdt-cell wpdt-align-left wpdt-valign-top\"\n                                            data-cell-id=\"D21\"\n                    data-col-index=\"3\"\n                    data-row-index=\"20\"\n                    style=\"                    padding:10px;\n                    \"\n                    >\n                                        A part of the payload is received\u00a0                    <\/td>\n                                        <\/tr>\n                    <\/table>\n<\/div><style id='wpdt-custom-style-3'>\ntable#wpdtSimpleTable-3{ table-layout: fixed !important; }\ntable#wpdtSimpleTable-3 td, table.wpdtSimpleTable3 th { white-space: normal !important; }\n<\/style>\n\n\n\n\n<p>In the <a href=\"https:\/\/app.any.run\/tasks\/3b14ef62-5d21-48bb-a5e4-5b3fed402fb7\/?utm_source=anyrunblog&amp;utm_medium=article&amp;utm_campaign=ghost&amp;utm_content=service\" target=\"_blank\" rel=\"noreferrer noopener\">analyzed task,<\/a> the attacker sends a command 0xDD04 to upload the \u201cRDP\u201d module. 
In response, the client sends a confirmation of readiness to accept the payload with the bytes \u2018rd\u2019 at the end \u2014 the type of module to be loaded:\u00a0<\/p>\n\n\n\n<figure class=\"wp-block-image size-full is-resized\"><img loading=\"lazy\" decoding=\"async\" width=\"1015\" height=\"196\" src=\"\/cybersecurity-blog\/wp-content\/uploads\/2023\/06\/Gh0stBins-screenshot-1.png\" alt=\"The command that uploads the \u201cRDP\u201d module \" class=\"wp-image-5251\" style=\"width:650px;height:125px\" srcset=\"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2023\/06\/Gh0stBins-screenshot-1.png 1015w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2023\/06\/Gh0stBins-screenshot-1-300x58.png 300w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2023\/06\/Gh0stBins-screenshot-1-768x148.png 768w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2023\/06\/Gh0stBins-screenshot-1-370x71.png 370w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2023\/06\/Gh0stBins-screenshot-1-270x52.png 270w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2023\/06\/Gh0stBins-screenshot-1-740x143.png 740w\" sizes=\"(max-width: 1015px) 100vw, 1015px\" \/><figcaption class=\"wp-element-caption\">The command that uploads the \u201cRDP\u201d module&nbsp;<\/figcaption><\/figure>\n\n\n\n<p><\/p>\n\n\n\n<p><strong>The server, in turn, sends basic information about the expected payload:&nbsp;<\/strong><\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>command 0xEA07&nbsp;<\/li>\n\n\n\n<li>total size&nbsp;<\/li>\n\n\n\n<li><em>resulting hash value <\/em>obtained by simply summing up all the bytes included in the payload after the final assembly&nbsp;<\/li>\n\n\n\n<li>\u2018rd\u2019 confirmation&nbsp;<\/li>\n<\/ul>\n\n\n\n<figure class=\"wp-block-image size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"189\" 
src=\"\/cybersecurity-blog\/wp-content\/uploads\/2023\/06\/Gh0stBins-screenshot-2-1024x189.png\" alt=\"Basic information about the payload is sent by the server in return \" class=\"wp-image-5252\" srcset=\"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2023\/06\/Gh0stBins-screenshot-2-1024x189.png 1024w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2023\/06\/Gh0stBins-screenshot-2-300x55.png 300w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2023\/06\/Gh0stBins-screenshot-2-768x142.png 768w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2023\/06\/Gh0stBins-screenshot-2-370x68.png 370w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2023\/06\/Gh0stBins-screenshot-2-270x50.png 270w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2023\/06\/Gh0stBins-screenshot-2-740x137.png 740w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2023\/06\/Gh0stBins-screenshot-2.png 1071w\" sizes=\"(max-width: 1024px) 100vw, 1024px\" \/><figcaption class=\"wp-element-caption\">Basic information about the payload is sent by the server in return&nbsp;<\/figcaption><\/figure>\n\n\n\n<p>The client allocates memory for the payload and confirms that it is ready to receive it by sending the following packet:&nbsp;<\/p>\n\n\n\n<figure class=\"wp-block-image size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"185\" src=\"\/cybersecurity-blog\/wp-content\/uploads\/2023\/06\/Gh0stBins-screenshot-3-1024x185.png\" alt=\"The client responds with this packet to confirm acceptance \" class=\"wp-image-5253\" srcset=\"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2023\/06\/Gh0stBins-screenshot-3-1024x185.png 1024w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2023\/06\/Gh0stBins-screenshot-3-300x54.png 300w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2023\/06\/Gh0stBins-screenshot-3-768x138.png 768w, 
https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2023\/06\/Gh0stBins-screenshot-3-370x67.png 370w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2023\/06\/Gh0stBins-screenshot-3-270x49.png 270w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2023\/06\/Gh0stBins-screenshot-3-740x133.png 740w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2023\/06\/Gh0stBins-screenshot-3.png 1093w\" sizes=\"(max-width: 1024px) 100vw, 1024px\" \/><figcaption class=\"wp-element-caption\">The client responds with this packet to confirm acceptance&nbsp;<\/figcaption><\/figure>\n\n\n\n<p><\/p>\n\n\n\n<p><strong>This packet includes:&nbsp;<\/strong><\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>confirmation command 0xFA00&nbsp;<\/li>\n\n\n\n<li>expected payload size&nbsp;<\/li>\n\n\n\n<li>expected payload hash&nbsp;<\/li>\n\n\n\n<li>the number of the received part&nbsp;<\/li>\n\n\n\n<li>the maximum size of a part the client will accept&nbsp;<\/li>\n\n\n\n<li>\u201crd\u201d confirmation&nbsp;<\/li>\n<\/ul>\n\n\n\n<p>The client sends this same packet back to the server after every part it receives; only the part number changes.&nbsp;<\/p>\n\n\n\n<p>From this point on, the server sends the payload part by part, using the part size agreed with the client. 
Each part arrives in a packet with the following structure:&nbsp;<\/p>\n\n\n\n<figure class=\"wp-block-image size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"210\" src=\"\/cybersecurity-blog\/wp-content\/uploads\/2023\/06\/image-23-1024x210.png\" alt=\"A part of the payload is sent \" class=\"wp-image-5192\" srcset=\"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2023\/06\/image-23-1024x210.png 1024w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2023\/06\/image-23-300x62.png 300w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2023\/06\/image-23-768x157.png 768w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2023\/06\/image-23-1536x315.png 1536w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2023\/06\/image-23-370x76.png 370w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2023\/06\/image-23-270x55.png 270w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2023\/06\/image-23-740x152.png 740w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2023\/06\/image-23.png 1600w\" sizes=\"(max-width: 1024px) 100vw, 1024px\" \/><figcaption class=\"wp-element-caption\">A part of the payload is sent&nbsp;<\/figcaption><\/figure>\n\n\n\n<p><\/p>\n\n\n\n<p><strong>This data packet includes:&nbsp;<\/strong><\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>command 0xFA01&nbsp;<\/li>\n\n\n\n<li>expected payload size&nbsp;<\/li>\n\n\n\n<li>the size of the current part<\/li>\n\n\n\n<li>the part\u2019s payload&nbsp;<\/li>\n\n\n\n<li>a 4-byte hash at the end of the packet, calculated over the current part only, using the same byte-sum algorithm described above&nbsp;<\/li>\n<\/ul>\n\n\n\n<p>When the transfer is complete, the server may send a 0xDD08 command to exit the kernel module, as happened in our task.&nbsp;<\/p>\n\n\n\n<p>At this moment, the downloaded RDP module is mapped into memory and executed, which can be 
observed through the newly created connection:&nbsp;<\/p>\n\n\n\n<figure class=\"wp-block-image size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"40\" src=\"\/cybersecurity-blog\/wp-content\/uploads\/2023\/06\/image-24-1024x40.png\" alt=\"A new connection indicates that the downloaded RDP is executed  \" class=\"wp-image-5193\" srcset=\"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2023\/06\/image-24-1024x40.png 1024w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2023\/06\/image-24-300x12.png 300w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2023\/06\/image-24-768x30.png 768w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2023\/06\/image-24-1536x60.png 1536w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2023\/06\/image-24-370x14.png 370w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2023\/06\/image-24-270x10.png 270w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2023\/06\/image-24-740x29.png 740w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2023\/06\/image-24.png 1600w\" sizes=\"(max-width: 1024px) 100vw, 1024px\" \/><figcaption class=\"wp-element-caption\">A new connection indicates that the downloaded RDP is executed&nbsp;&nbsp;<\/figcaption><\/figure>\n\n\n\n<p><\/p>\n\n\n\n<p>To simplify the task of constructing the resulting payload, we have written a Python script that is already<strong> <\/strong><a href=\"https:\/\/github.com\/anyrun\/blog-scripts\/blob\/main\/Scripts\/Gh0stBins\/restore_rd.py\" target=\"_blank\" rel=\"noreferrer noopener\"><strong>available in our GitHub repository<\/strong><\/a>. You can download the PCAP file and save the raw TCP stream 0 to a separate file. Then, you can apply our script, which will rebuild the payload from the captured traffic dump. 
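<\/p>\n\n\n\n<p>The exchange above, modelled end to end as an added example. This is illustrative code written for this edit, not the <code>restore_rd.py<\/code> script from the repository, and it does not know the real byte layout: the page lists the fields of each packet but not their widths or byte order, so the little-endian 16-bit commands, 32-bit sizes, the 32-bit truncated byte-sum hash and the placement of the <code>rd<\/code> tag are assumptions made for the model, and the sample module is constructed rather than the recovered DLL. What it does show is the logic any reassembler for this protocol needs: parse the 0xEA07 announcement, walk the 0xFA01 parts, verify each per-part checksum, stop at the first foreign command (0xDD08 here) and check the assembled module against the announced size and hash.<\/p>\n\n\n\n
```python
"""
Added example, not the restore_rd.py script from the ANY.RUN repository:
a model of the module-download exchange, with both sides' packets built
and the server-side stream re-assembled and checksum-verified.

The page lists the fields of each packet but not their byte layout, so the
layout below is an ASSUMPTION made for this example:
  * commands are 16-bit, sizes and hashes 32-bit, all little-endian;
  * the "hash" is the plain sum of the bytes, truncated to 32 bits;
  * 0xEA07: cmd | total_size | total_hash | b"rd"
  * 0xFA00: cmd | total_size | total_hash | part_no | part_max | b"rd"
  * 0xFA01: cmd | total_size | part_size | part bytes | part_hash
SAMPLE_MODULE is a constructed stand-in for the recovered DLL.
"""
import struct

CMD_PAYLOAD_INFO = 0xEA07   # server -> client: size and hash of the whole module
CMD_PART_ACK = 0xFA00       # client -> server: ready for / received part N
CMD_PAYLOAD_PART = 0xFA01   # server -> client: one part of the module
CMD_EXIT_KERNEL = 0xDD08    # server -> client: sent after the transfer in the task
MODULE_TAG = b"rd"          # module-type tag that closes the handshake packets

SAMPLE_MODULE = b"MZ" + bytes(range(256)) * 2 + b"ModuleEntry\x00"   # constructed


def byte_sum(data: bytes) -> int:
    """The protocol's 'hash': a plain sum of all bytes (32-bit truncation assumed)."""
    return sum(data) & 0xFFFFFFFF


def build_info_packet(payload: bytes) -> bytes:
    return struct.pack("<HII", CMD_PAYLOAD_INFO, len(payload), byte_sum(payload)) + MODULE_TAG


def build_ack_packet(total_size: int, total_hash: int, part_no: int, part_max: int) -> bytes:
    """Sent once before the transfer and again after every part; only part_no changes."""
    return struct.pack("<HIIII", CMD_PART_ACK, total_size, total_hash, part_no, part_max) + MODULE_TAG


def build_part_packet(total_size: int, part: bytes) -> bytes:
    """Each part carries a 4-byte checksum computed over that part only."""
    header = struct.pack("<HII", CMD_PAYLOAD_PART, total_size, len(part))
    return header + part + struct.pack("<I", byte_sum(part))


def simulate_transfer(payload: bytes, part_max: int):
    """Return (server_to_client, client_to_server) byte streams for one full download."""
    total, total_hash = len(payload), byte_sum(payload)
    server = [build_info_packet(payload)]
    client = [build_ack_packet(total, total_hash, 0, part_max)]
    parts = [payload[i:i + part_max] for i in range(0, total, part_max)]
    for n, part in enumerate(parts, start=1):
        server.append(build_part_packet(total, part))
        client.append(build_ack_packet(total, total_hash, n, part_max))
    server.append(struct.pack("<H", CMD_EXIT_KERNEL))
    return b"".join(server), b"".join(client)


def reassemble(server_stream: bytes) -> bytes:
    """Walk the server->client direction, verify every checksum and return the module.
    Raises ValueError on a corrupted part or a final size/hash mismatch."""
    off, expected_size, expected_hash, parts = 0, None, None, []
    while off + 2 <= len(server_stream):
        (cmd,) = struct.unpack_from("<H", server_stream, off)
        if cmd == CMD_PAYLOAD_INFO:
            _, expected_size, expected_hash = struct.unpack_from("<HII", server_stream, off)
            off += struct.calcsize("<HII") + len(MODULE_TAG)
        elif cmd == CMD_PAYLOAD_PART:
            _, total, part_len = struct.unpack_from("<HII", server_stream, off)
            if expected_size is not None and total != expected_size:
                raise ValueError("part announces a different total size")
            off += struct.calcsize("<HII")
            part = server_stream[off:off + part_len]
            off += part_len
            (part_hash,) = struct.unpack_from("<I", server_stream, off)
            off += 4
            if byte_sum(part) != part_hash:
                raise ValueError(f"part {len(parts) + 1}: checksum mismatch")
            parts.append(part)
        else:
            break   # any other command (0xDD08 here) ends the transfer
    module = b"".join(parts)
    if expected_size is None or len(module) != expected_size or byte_sum(module) != expected_hash:
        raise ValueError("reassembled module does not match the announced size/hash")
    return module


def is_intact(server_stream: bytes) -> bool:
    """Convenience wrapper: True only if every check in reassemble() passes."""
    try:
        reassemble(server_stream)
        return True
    except (ValueError, struct.error):
        return False


if __name__ == "__main__":
    srv, cli = simulate_transfer(SAMPLE_MODULE, part_max=100)
    print(f"server bytes={len(srv)} client bytes={len(cli)} "
          f"module ok={reassemble(srv) == SAMPLE_MODULE}")
```
\n\n\n\n<p>For a real capture, save the server-to-client side of TCP stream 0 and run the repository script on it, since the true field layout may differ from the assumptions above; the checks themselves (per-part sum first, then whole-module size and sum) carry over unchanged.<\/p>\n\n\n\n<p>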
As a result, you will obtain a new DLL containing the malicious RDP module.&nbsp;<\/p>\n\n\n\n<p>Or, you could <a href=\"https:\/\/app.any.run\/tasks\/93c28ffc-08b6-44cc-b0ef-639561cd221f\/?utm_source=anyrunblog&amp;utm_medium=article&amp;utm_campaign=ghost&amp;utm_content=service\" target=\"_blank\" rel=\"noreferrer noopener\">download<\/a> a constructed payload with the simple DLL loader for your own analysis.&nbsp;<\/p>\n\n\n\n<h2 class=\"wp-block-heading\">Stage 4. RDP module: basic description and protocol&nbsp;<\/h2>\n\n\n\n<p>Like the &#8216;kernel&#8217; module, the RDP module is a DLL compiled against static CRT and OpenCL libraries. It includes an exported function called \u201cModuleEntry\u201d, which takes the host and port as input arguments:&nbsp;<\/p>\n\n\n\n<figure class=\"wp-block-image size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"223\" src=\"\/cybersecurity-blog\/wp-content\/uploads\/2023\/06\/image-25-1024x223.png\" alt=\"Exported function named \u201cModuleEntry\u201d \" class=\"wp-image-5194\" srcset=\"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2023\/06\/image-25-1024x223.png 1024w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2023\/06\/image-25-300x65.png 300w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2023\/06\/image-25-768x167.png 768w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2023\/06\/image-25-370x81.png 370w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2023\/06\/image-25-270x59.png 270w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2023\/06\/image-25-740x161.png 740w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2023\/06\/image-25.png 1440w\" sizes=\"(max-width: 1024px) 100vw, 1024px\" \/><figcaption class=\"wp-element-caption\">The exported function named \u201cModuleEntry\u201d&nbsp;<\/figcaption><\/figure>\n\n\n\n<p><\/p>\n\n\n\n<p>The structure of the RDP module is similar 
to the \u201ckernel\u201d module, as it is also based on asynchronous events. It has its own commands and includes forgotten logging functions, which can be observed if we execute the module from the console:&nbsp;<\/p>\n\n\n\n<figure class=\"wp-block-image size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"205\" src=\"\/cybersecurity-blog\/wp-content\/uploads\/2023\/06\/image-26-1024x205.png\" alt=\"A logging function was likely forgotten \" class=\"wp-image-5195\" srcset=\"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2023\/06\/image-26-1024x205.png 1024w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2023\/06\/image-26-300x60.png 300w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2023\/06\/image-26-768x154.png 768w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2023\/06\/image-26-370x74.png 370w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2023\/06\/image-26-270x54.png 270w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2023\/06\/image-26-740x148.png 740w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2023\/06\/image-26.png 1308w\" sizes=\"(max-width: 1024px) 100vw, 1024px\" \/><figcaption class=\"wp-element-caption\">A logging function was likely forgotten&nbsp;<\/figcaption><\/figure>\n\n\n\n<p><\/p>\n\n\n\n<p>It is worth mentioning that the RDP module also possesses a debug filename artifact, displaying the same developer\u2019s directory as the \u201ckernel\u201d module:&nbsp;<\/p>\n\n\n\n<figure class=\"wp-block-image size-full\"><img loading=\"lazy\" decoding=\"async\" width=\"1002\" height=\"206\" src=\"\/cybersecurity-blog\/wp-content\/uploads\/2023\/06\/image-27.png\" alt=\"Debug filename artifact of the RDP module \" class=\"wp-image-5196\" srcset=\"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2023\/06\/image-27.png 1002w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2023\/06\/image-27-300x62.png 
300w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2023\/06\/image-27-768x158.png 768w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2023\/06\/image-27-370x76.png 370w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2023\/06\/image-27-270x56.png 270w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2023\/06\/image-27-740x152.png 740w\" sizes=\"(max-width: 1002px) 100vw, 1002px\" \/><figcaption class=\"wp-element-caption\">Debug filename artifact of the RDP module&nbsp;<\/figcaption><\/figure>\n\n\n\n<p><\/p>\n\n\n\n<p>The traffic structure of the RDP module is like the kernel\u2019s, except for the initial registration packet, which contains the keyword \u201cRDTP\u201d:&nbsp;<\/p>\n\n\n\n<figure class=\"wp-block-image size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"372\" src=\"\/cybersecurity-blog\/wp-content\/uploads\/2023\/06\/image-28-1024x372.png\" alt=\"The traffic structure of the RDP module \" class=\"wp-image-5197\" srcset=\"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2023\/06\/image-28-1024x372.png 1024w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2023\/06\/image-28-300x109.png 300w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2023\/06\/image-28-768x279.png 768w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2023\/06\/image-28-370x134.png 370w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2023\/06\/image-28-270x98.png 270w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2023\/06\/image-28-740x269.png 740w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2023\/06\/image-28.png 1404w\" sizes=\"(max-width: 1024px) 100vw, 1024px\" \/><figcaption class=\"wp-element-caption\">The traffic structure of the RDP module&nbsp;<\/figcaption><\/figure>\n\n\n\n<p><\/p>\n\n\n\n<p>One interesting aspect to note is that the RDP module will not function properly if it is started by an 
external loader, because it never calls the \u201cWSAStartup\u201d routine itself. When the kernel module loads it, the host process has already initialised Winsock; a standalone loader has not, so the module\u2019s socket calls fail and it exits. This could be a deliberate trick against dynamic analysis or simply a programmer\u2019s mistake; either way, a loader of your own has to call WSAStartup before handing control to ModuleEntry.&nbsp;<\/p>\n\n\n\n<p>We won&#8217;t spend our time analyzing the internal workings of the RDP module. Instead, let\u2019s move on to a more interesting task: recovering the video stream.&nbsp;<\/p>\n\n\n\n<h2 class=\"wp-block-heading\">Stage 5. RDP Module \u2013 Recovering a Video Stream and Leaked&nbsp;Data&nbsp;<\/h2>\n\n\n\n<p>During our analysis, we wondered whether it was possible to restore the video stream received by the attacker and so learn what data had leaked. The answer is <strong>yes<\/strong> \u2014 we can do it.&nbsp;<\/p>\n\n\n\n<p>To begin with, we found that the RDP module\u2019s protocol carries a NAL unit (NALU) header describing the upcoming video stream. In particular, it shows that the stream is encoded with the H.264 codec:&nbsp;<\/p>\n\n\n\n<figure class=\"wp-block-image size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"430\" src=\"\/cybersecurity-blog\/wp-content\/uploads\/2023\/06\/image-30-1024x430.png\" alt=\"The video stream is encoded with the H.264 codec  \" class=\"wp-image-5199\" srcset=\"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2023\/06\/image-30-1024x430.png 1024w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2023\/06\/image-30-300x126.png 300w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2023\/06\/image-30-768x322.png 768w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2023\/06\/image-30-370x155.png 370w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2023\/06\/image-30-270x113.png 270w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2023\/06\/image-30-740x311.png 740w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2023\/06\/image-30.png 
1406w\" sizes=\"(max-width: 1024px) 100vw, 1024px\" \/><figcaption class=\"wp-element-caption\">The video stream is encoded with the H.264 codec&nbsp;&nbsp;<\/figcaption><\/figure>\n\n\n\n<p><\/p>\n\n\n\n<p>Secondly, we have developed a Python script, <a href=\"https:\/\/github.com\/anyrun\/blog-scripts\/blob\/main\/Scripts\/Gh0stBins\/build_stream.py\" target=\"_blank\" rel=\"noreferrer noopener\"><strong>available in our GitHub<\/strong><\/a> repository, which extracts the encapsulated video stream from the RAT traffic. The script concatenates the extracted data and saves it as a separate file.&nbsp;<\/p>\n\n\n\n<p>Finally, we used an MPEG decoder to turn the raw H.264 stream into an mp4 file:&nbsp;<\/p>\n\n\n\n<figure class=\"wp-block-image size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"140\" src=\"\/cybersecurity-blog\/wp-content\/uploads\/2023\/06\/image-29-1024x140.png\" alt=\"An MPEG decoder creates an mp4 file \" class=\"wp-image-5198\" srcset=\"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2023\/06\/image-29-1024x140.png 1024w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2023\/06\/image-29-300x41.png 300w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2023\/06\/image-29-768x105.png 768w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2023\/06\/image-29-1536x209.png 1536w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2023\/06\/image-29-370x50.png 370w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2023\/06\/image-29-270x37.png 270w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2023\/06\/image-29-740x101.png 740w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2023\/06\/image-29.png 1600w\" sizes=\"(max-width: 1024px) 100vw, 1024px\" \/><figcaption class=\"wp-element-caption\">An MPEG decoder creates an mp4 file&nbsp;<\/figcaption><\/figure>\n\n\n\n<p><\/p>\n\n\n\n<p>As a result, we have the full video stream captured by the 
attacker, but upside down! Just compare the screen with the <a href=\"https:\/\/app.any.run\/tasks\/3b14ef62-5d21-48bb-a5e4-5b3fed402fb7\/?utm_source=anyrunblog&amp;utm_medium=article&amp;utm_campaign=ghost&amp;utm_content=service\" target=\"_blank\" rel=\"noreferrer noopener\">analyzed task<\/a>:&nbsp;<\/p>\n\n\n\n<figure class=\"wp-block-image size-large is-resized\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"627\" src=\"\/cybersecurity-blog\/wp-content\/uploads\/2023\/06\/image-31-1024x627.png\" alt=\"The recovered video stream is saved upside down\" class=\"wp-image-5200\" style=\"width:650px;height:397px\" srcset=\"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2023\/06\/image-31-1024x627.png 1024w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2023\/06\/image-31-300x184.png 300w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2023\/06\/image-31-768x470.png 768w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2023\/06\/image-31-370x226.png 370w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2023\/06\/image-31-270x165.png 270w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2023\/06\/image-31-740x453.png 740w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2023\/06\/image-31.png 1284w\" sizes=\"(max-width: 1024px) 100vw, 1024px\" \/><figcaption class=\"wp-element-caption\">We did it! But the recovered video stream is saved upside down&nbsp;<\/figcaption><\/figure>\n\n\n\n<p>Two conclusions follow. Because the stream decodes with an off-the-shelf H.264 decoder, whatever the RAT sends over its RDP channel is not encrypted at all; and because the bytes on the wire are predictable, the traffic lends itself to a Suricata signature. If you repeat the exercise, flip the picture vertically in the decoder (ffmpeg\u2019s vflip filter does it) to get the screen the right way up.&nbsp;<\/p>\n\n\n\n<h2 class=\"wp-block-heading\">Stage 6. Fake RAT Server&nbsp;<\/h2>\n\n\n\n<p>To simplify protocol analysis, and strictly for educational purposes, we wrote a simple fake server for the RAT. It does only three things: accepts the client connection, sends a registration packet, and sends a heartbeat. 
This script is available on <a href=\"https:\/\/github.com\/anyrun\/blog-scripts\/blob\/main\/Scripts\/Gh0stBins\/fake-server.py\" target=\"_blank\" rel=\"noreferrer noopener\"><strong>our GitHub page<\/strong><\/a>.&nbsp;<\/p>\n\n\n\n<figure class=\"wp-block-image size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"299\" src=\"\/cybersecurity-blog\/wp-content\/uploads\/2023\/06\/image-32-1024x299.png\" alt=\"We\u2019ve spun up a fake RAT server strictly for educational purposes\" class=\"wp-image-5201\" srcset=\"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2023\/06\/image-32-1024x299.png 1024w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2023\/06\/image-32-300x88.png 300w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2023\/06\/image-32-768x224.png 768w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2023\/06\/image-32-370x108.png 370w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2023\/06\/image-32-270x79.png 270w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2023\/06\/image-32-740x216.png 740w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2023\/06\/image-32.png 1090w\" sizes=\"(max-width: 1024px) 100vw, 1024px\" \/><figcaption class=\"wp-element-caption\">We\u2019ve spun up a fake RAT server strictly for educational purposes&nbsp;<\/figcaption><\/figure>\n\n\n\n<h2 class=\"wp-block-heading\">Stage 7. Suricata Signature&nbsp;<\/h2>\n\n\n\n<p>We&#8217;ve developed four Suricata rules for detecting Gh0stBins in network traffic. 
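Before the rule itself, here is an added example in Python that ties Stage 5 (stream recovery) and Stage 7 (the rule) together. It is not the blog's build_stream.py, fake-server.py or Gh0stBins.rules, and every function in it (matches_rule_8000054, unwrap_frame, split_nal_units, rebuild_stream, sample_capture) is ours. It re-implements the keywords of rule 8000054 broken down in the table that follows (to_client direction, dsize 24, "BINS" at offset 0, the empty zlib stream 78 9c 03 00 00 00 00 01 exactly 12 bytes after the magic) as a function, then uses that same framing to peel the zlib layer off the victim-to-server packets and reassemble the H.264 elementary stream. Everything beyond the rule's keywords is an assumption: the 12 header bytes after the magic are treated as opaque, the bytes from offset 16 onward are assumed to be a zlib stream in the data packets too, and the video is assumed to be Annex B NAL units with 00 00 01 / 00 00 00 01 start codes (the NALU header the blog observed). The packets in sample_capture are constructed, not real Gh0stBins traffic.

```python
"""Added example (not the blog's scripts or rules). Framing inferred from rule 8000054:
  bytes 0..3   magic "BINS"
  bytes 4..15  twelve header bytes the rule does not decode (opaque here)
  bytes 16..   zlib stream; 78 9c 03 00 00 00 00 01 is zlib.compress(b"")
ASSUMPTIONS not stated on the blog: victim-to-server data packets use the same
framing, and the decompressed payload is an Annex B H.264 stream."""
import zlib
from typing import List, Optional, Tuple

MAGIC = b"BINS"
HEADER_LEN = 16
EMPTY_ZLIB = zlib.compress(b"")                        # b"x\x9c\x03\x00\x00\x00\x00\x01"
START4, START3 = b"\x00\x00\x00\x01", b"\x00\x00\x01"  # Annex B start codes
NAL_IDR, NAL_SPS, NAL_PPS = 5, 7, 8                    # nal_unit_type, ITU-T H.264 Table 7-1

Packet = Tuple[str, bytes]  # (flow direction as Suricata sees it, TCP payload)


def matches_rule_8000054(direction: str, payload: bytes) -> bool:
    """Python twin of: flow:established,to_client; dsize:24; content:"BINS"; depth:4;
    content:"|789c 0300 0000 0001|"; distance:12; within:8;"""
    return (direction == "to_client"
            and len(payload) == 24                 # dsize:24
            and payload[:4] == MAGIC               # depth:4 -> magic in the first 4 bytes
            and payload[16:24] == EMPTY_ZLIB)      # distance:12 after the magic, within:8


def unwrap_frame(payload: bytes) -> Optional[bytes]:
    """Decompressed payload of a BINS frame, or None when the packet is not a BINS
    frame or its zlib stream is truncated/corrupt (a bad capture is not guessed at)."""
    if len(payload) < HEADER_LEN or payload[:4] != MAGIC:
        return None
    try:
        return zlib.decompress(payload[HEADER_LEN:])
    except zlib.error:
        return None


def split_nal_units(stream: bytes) -> List[bytes]:
    """Split an Annex B stream on 3- or 4-byte start codes; return NAL units without them.
    Emulation-prevention bytes guarantee 00 00 00/01 never occurs inside a NAL unit, so a
    plain byte scan is safe; trailing zero bytes (trailing_zero_8bits) are dropped."""
    starts = []  # (offset of start code, offset of NAL body)
    i, n = 0, len(stream)
    while i < n - 2:
        if stream[i] == 0 and stream[i + 1] == 0:
            if stream[i + 2] == 1:
                starts.append((i, i + 3))
                i += 3
                continue
            if i < n - 3 and stream[i + 2] == 0 and stream[i + 3] == 1:
                starts.append((i, i + 4))
                i += 4
                continue
        i += 1
    units = []
    for k, (_, body) in enumerate(starts):
        end = starts[k + 1][0] if k + 1 < len(starts) else n
        unit = stream[body:end].rstrip(b"\x00")
        if unit:
            units.append(unit)
    return units


def nal_type(unit: bytes) -> int:
    return unit[0] & 0x1F


def rebuild_stream(packets: List[Packet]):
    """Count rule hits on the server side, concatenate the decompressed victim-to-server
    frames in capture order, and list the NAL unit types. Returns (stream, hits, types)."""
    video, hits = bytearray(), 0
    for direction, payload in packets:
        if matches_rule_8000054(direction, payload):
            hits += 1
            continue
        if direction != "to_server":  # the screen capture flows victim -> attacker
            continue
        data = unwrap_frame(payload)
        if data:
            video += data
    video = bytes(video)
    return video, hits, [nal_type(u) for u in split_nal_units(video)]


def sample_capture() -> List[Packet]:
    """Constructed packets, NOT real Gh0stBins traffic: the 12 header bytes are zero
    because the rule does not decode them, and the NAL unit bodies are dummy bytes."""
    hdr = bytes(12)
    sps = START4 + bytes([0x67, 0x42, 0x00, 0x1E, 0xAB, 0xCD])
    pps = START4 + bytes([0x68, 0xCE, 0x38, 0x80])
    idr = START4 + bytes([0x65, 0x88, 0x84, 0x00, 0x10])
    p_slice = START3 + bytes([0x41, 0x9A, 0x02, 0x04])
    return [
        ("to_client", MAGIC + hdr + EMPTY_ZLIB),                      # 24 bytes from the C2: rule hit
        ("to_server", MAGIC + hdr + zlib.compress(sps + pps + idr)),  # first video frame
        ("to_server", b"GET / HTTP/1.1\r\n\r\n"),                      # unrelated traffic, ignored
        ("to_server", MAGIC + hdr + EMPTY_ZLIB),                      # same bytes, wrong direction: no hit
        ("to_server", MAGIC + hdr + zlib.compress(p_slice)),          # second video frame
        ("to_client", MAGIC + hdr + EMPTY_ZLIB),                      # rule hit
    ]


if __name__ == "__main__":
    stream, hits, types = rebuild_stream(sample_capture())
    with open("recovered.h264", "wb") as f:  # raw elementary stream for an H.264 decoder
        f.write(stream)
    print(f"rule hits: {hits}  NAL types: {types}  stream bytes: {len(stream)}")
```

On the constructed capture this reports two rule hits and the NAL type sequence 7, 8, 5, 1 (SPS, PPS, IDR slice, non-IDR slice); a recovered stream whose first IDR is not preceded by an SPS and a PPS will not decode, which is the first thing to check when the mp4 comes out empty. The written file can be decoded with, for example, `ffmpeg -i recovered.h264 -vf vflip recovered.mp4`, where vflip undoes the upside-down orientation seen in Stage 5.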
You can find them in <a href=\"https:\/\/github.com\/anyrun\/blog-scripts\/blob\/main\/Suricata\/Gh0stBins\/Gh0stBins.rules\" target=\"_blank\" rel=\"noreferrer noopener\"><strong>our GitHub repository<\/strong><\/a><strong>.<\/strong>&nbsp;<\/p>\n\n\n\n<p>As an example, let&#8217;s look at the key points of the Gh0stBins rule (sid: 8000054).&nbsp;<\/p>\n\n\n\n<div class=\"wpdt-c row wpDataTableContainerSimpleTable wpDataTables wpDataTablesWrapper\n\"\n    >\n        <table id=\"wpdtSimpleTable-4\"\n           style=\"border-collapse:collapse;\n                   border-spacing:0px;\"\n           class=\"wpdtSimpleTable wpDataTable\"\n           data-column=\"2\"\n           data-rows=\"5\"\n           data-wpID=\"4\"\n           data-responsive=\"0\"\n           data-has-header=\"1\">\n\n                    <thead>        <tr class=\"wpdt-cell-row \" >\n                                <th class=\"wpdt-cell wpdt-align-left wpdt-valign-top\"\n                                            data-cell-id=\"A1\"\n                    data-col-index=\"0\"\n                    data-row-index=\"0\"\n                    style=\" width:40.281690140845%;                    padding:10px;\n                    \"\n                    >\n                                        Suricata keyword\u00a0                    <\/th>\n                                                <th class=\"wpdt-cell wpdt-align-left wpdt-valign-top\"\n                                            data-cell-id=\"B1\"\n                    data-col-index=\"1\"\n                    data-row-index=\"0\"\n                    style=\" width:59.718309859155%;                    padding:10px;\n                    \"\n                    >\n                                        Description\u00a0                    <\/th>\n                                        <\/tr>\n                    <tbody>        <tr class=\"wpdt-cell-row \" >\n                                <td class=\"wpdt-cell wpdt-align-left 
wpdt-valign-top\"\n                                            data-cell-id=\"A2\"\n                    data-col-index=\"0\"\n                    data-row-index=\"1\"\n                    style=\"                    padding:10px;\n                    \"\n                    >\n                                        flow: established, to_client;\u00a0                    <\/td>\n                                                <td class=\"wpdt-cell wpdt-align-left wpdt-valign-top\"\n                                            data-cell-id=\"B2\"\n                    data-col-index=\"1\"\n                    data-row-index=\"1\"\n                    style=\"                    padding:10px;\n                    \"\n                    >\n                                        Matches only inside an established TCP session and only packets flowing from the server to the client. Suricata assigns the direction by who opened the connection, so here the client is the infected host that connected out and the server is the C2: the rule inspects what the C2 sends back to the victim\u00a0                    <\/td>\n                                        <\/tr>\n                            <tr class=\"wpdt-cell-row \" >\n                                <td class=\"wpdt-cell wpdt-align-left wpdt-valign-top\"\n                                            data-cell-id=\"A3\"\n                    data-col-index=\"0\"\n                    data-row-index=\"2\"\n                    style=\"                    padding:10px;\n                    \"\n                    >\n                                        dsize: 24;\u00a0                    <\/td>\n                                                <td class=\"wpdt-cell wpdt-align-left wpdt-valign-top\"\n                                            data-cell-id=\"B3\"\n                    data-col-index=\"1\"\n                    data-row-index=\"2\"\n                    style=\"                    padding:10px;\n                    \"\n                    >\n                                        The TCP payload is exactly 24 bytes: a 16-byte header (the 4-byte magic plus 12 more bytes) followed by the 8-byte empty zlib stream matched by the last keyword. Pinning the size keeps the two short content matches from firing on unrelated traffic\u00a0                    <\/td>\n                                        <\/tr>\n  
<tr class=\"wpdt-cell-row \" >\n                                <td class=\"wpdt-cell wpdt-align-left wpdt-valign-top\"\n                                            data-cell-id=\"A4\"\n                    data-col-index=\"0\"\n                    data-row-index=\"3\"\n                    style=\"                    padding:10px;\n                    \"\n                    >\n                                        content: \"BINS\"; depth: 4;\u00a0                    <\/td>\n                                                <td class=\"wpdt-cell wpdt-align-left wpdt-valign-top\"\n                                            data-cell-id=\"B4\"\n                    data-col-index=\"1\"\n                    data-row-index=\"3\"\n                    style=\"                    padding:10px;\n                    \"\n                    >\n                                        Magic constant: the four bytes BINS must open the packet (depth: 4 restricts the search to the first four bytes of the payload, so the magic cannot match anywhere else)\u00a0                    <\/td>\n                                        <\/tr>\n                            <tr class=\"wpdt-cell-row \" >\n                                <td class=\"wpdt-cell wpdt-align-left wpdt-valign-top\"\n                                            data-cell-id=\"A5\"\n                    data-col-index=\"0\"\n                    data-row-index=\"4\"\n                    style=\"                    padding:10px;\n                    \"\n                    >\n                                        content: \"|789c 0300 0000 0001|\"; distance: 12; within: 8;\u00a0                    <\/td>\n                                                <td class=\"wpdt-cell wpdt-align-left wpdt-valign-top\"\n                                            data-cell-id=\"B5\"\n                    data-col-index=\"1\"\n                    data-row-index=\"4\"\n                    style=\"                    padding:10px;\n                    \"\n                    >\n                                        
The payload of the Gh0stBins protocol. The 8 bytes starting exactly 12 bytes after the magic (offset 16) must be 78 9c 03 00 00 00 00 01, which is what zlib produces when it compresses an empty input: a zlib header, an empty final deflate block and the Adler-32 checksum of nothing (1). In other words, a 16-byte header carrying an empty compressed payload\u00a0                    <\/td>\n                                        <\/tr>\n                    <\/table>\n<\/div><style id='wpdt-custom-style-4'>\ntable#wpdtSimpleTable-4{ table-layout: fixed !important; }\ntable#wpdtSimpleTable-4 td, table.wpdtSimpleTable4 th { white-space: normal !important; }\n<\/style>\n\n\n\n\n<h2 class=\"wp-block-heading\">Stage 8. YARA Rules&nbsp;<\/h2>\n\n\n\n<p>We\u2019ve developed multiple YARA rules for detecting Gh0stBins in memory and files. You can familiarize yourself with them in detail in <a href=\"https:\/\/github.com\/anyrun\/blog-scripts\/blob\/main\/YARA\/Gh0stBins\/Gh0stBins.yara\" target=\"_blank\" rel=\"noreferrer noopener\">our GitHub repository<\/a>.&nbsp;<\/p>\n\n\n\n<p>These YARA rules are designed to detect:&nbsp;<\/p>\n\n\n\n<ol class=\"wp-block-list\">\n<li>The malicious DLL used for CVE-2019-5526&nbsp;<\/li>\n<li>The core and RDP modules&nbsp;<\/li>\n<li>The decryptor and loader shellcode&nbsp;<\/li>\n<\/ol>\n\n\n\n<h2 class=\"wp-block-heading\">Conclusion&nbsp;<\/h2>\n\n\n\n<p>We hope that you&#8217;ve learned something new from today&#8217;s analysis. Gh0stBins is indeed an unusual sample. Despite its challenges, analyzing it was highly rewarding and may provide insights into the strategies used by adversaries from China.&nbsp;<\/p>\n\n\n\n<p>Don\u2019t forget that we&#8217;ve written a Python script that reconstructs the payload from a captured traffic dump for further analysis. We encourage you to download and try it. The script is <a href=\"https:\/\/github.com\/anyrun\/blog-scripts\/blob\/main\/Scripts\/Gh0stBins\/restore_rd.py\" target=\"_blank\" rel=\"noreferrer noopener\">available on our GitHub<\/a>.&nbsp;<\/p>\n\n\n\n<p>Interested in more malware deep dives? 
Read <a href=\"https:\/\/any.run\/cybersecurity-blog\/deobfuscating-guloader\/\" target=\"_blank\" rel=\"noreferrer noopener\">how we deobfuscated GuLoader<\/a>, or how we examined the <a href=\"https:\/\/any.run\/cybersecurity-blog\/privateloader-analyzing-the-encryption-and-decryption-of-a-modern-loader\/\" target=\"_blank\" rel=\"noreferrer noopener\">encryption and decryption of PrivateLoader<\/a>.&nbsp;<\/p>\n\n\n\n<h2 class=\"wp-block-heading\">Appendix 1: IOCs&nbsp;<\/h2>\n\n\n\n<p>Analyzed files:&nbsp;<\/p>\n\n\n\n<div class=\"wpdt-c row wpDataTableContainerSimpleTable wpDataTables wpDataTablesWrapper\n\"\n    >\n        <table id=\"wpdtSimpleTable-5\"\n           style=\"border-collapse:collapse;\n                   border-spacing:0px;\"\n           class=\"wpdtSimpleTable wpDataTable\"\n           data-column=\"2\"\n           data-rows=\"4\"\n           data-wpID=\"5\"\n           data-responsive=\"0\"\n           data-has-header=\"1\">\n\n                    <thead>        <tr class=\"wpdt-cell-row \" style=\"height:62px;\">\n                                <th class=\"wpdt-cell wpdt-align-left wpdt-valign-top wpdt-wrap-text\"\n                                            data-cell-id=\"A1\"\n                    data-col-index=\"0\"\n                    data-row-index=\"0\"\n                    style=\" width:16.275430359937%;                    padding:10px;\n                    \"\n                    >\n                                        Name\u00a0                    <\/th>\n                                                <th class=\"wpdt-cell wpdt-align-left wpdt-valign-top wpdt-wrap-text\"\n                                            data-cell-id=\"B1\"\n                    data-col-index=\"1\"\n                    data-row-index=\"0\"\n                    style=\" width:83.724569640063%;                    padding:10px;\n                    \"\n                    >\n                                        
payload_decrypted.bin<br \/>net-service.exe<br \/>7f426b327c878f799c74bb4b8a532cb3.exe<br \/>shfolder.dll                    <\/th>\n                                        <\/tr>\n                    <tbody>        <tr class=\"wpdt-cell-row \" style=\"height:53px;\">\n                                <td class=\"wpdt-cell wpdt-align-left wpdt-valign-top wpdt-wrap-text\"\n                                            data-cell-id=\"A2\"\n                    data-col-index=\"0\"\n                    data-row-index=\"1\"\n                    style=\"                    padding:10px;\n                    \"\n                    >\n                                        MD5                    <\/td>\n                                                <td class=\"wpdt-cell wpdt-align-left wpdt-valign-top\"\n                                            data-cell-id=\"B2\"\n                    data-col-index=\"1\"\n                    data-row-index=\"1\"\n                    style=\"                    padding:10px;\n                    \"\n                    >\n                                        4FEB48DDEB3F2BD55B2AF31BD77EAB2E<br \/>D9B422F37FCAF61BD80E12CC03E84816<br \/>7F426B327C878F799C74BB4B8A532CB3<br \/>dfc04d8e76a4ea43e3932bcb2d101ac7                    <\/td>\n                                        <\/tr>\n                            <tr class=\"wpdt-cell-row \" style=\"height:66px;\">\n                                <td class=\"wpdt-cell wpdt-align-left wpdt-valign-top wpdt-wrap-text\"\n                                            data-cell-id=\"A3\"\n                    data-col-index=\"0\"\n                    data-row-index=\"2\"\n                    style=\"                    padding:10px;\n                    \"\n                    >\n                                        SHA1                    <\/td>\n                                                <td class=\"wpdt-cell wpdt-align-left wpdt-valign-top\"\n                                            data-cell-id=\"B3\"\n                    data-col-index=\"1\"\n                    data-row-index=\"2\"\n                    style=\"                    padding:10px;\n                    \"\n                    >\n                                        20B5B6C2F24C2FDB9778BDFF5BC5976997C7E2AD<br \/>1D9D212620F342AE0D5440A067F4DE3AE12877F9<br \/>0315CC83C6D781DB16E7E34D7EFC5E2FB4DB4829<br \/>74a6691a539488bbf5374e4ec2f04bace8619ce0                    <\/td>\n                                        <\/tr>\n                            <tr class=\"wpdt-cell-row \" style=\"height:71px;\">\n                                <td class=\"wpdt-cell wpdt-align-left wpdt-valign-top wpdt-wrap-text\"\n                                            data-cell-id=\"A4\"\n                    data-col-index=\"0\"\n                    data-row-index=\"3\"\n                    style=\"                    padding:10px;\n                    \"\n                    >\n                                        SHA256                    <\/td>\n                                                <td class=\"wpdt-cell wpdt-align-left wpdt-valign-top\"\n                                            data-cell-id=\"B4\"\n                    data-col-index=\"1\"\n                    data-row-index=\"3\"\n                    style=\"                    padding:10px;\n                    \"\n                    >\n                                        16F3191FF882670F1288E1836CF4683C7A74863AD0BFFE153FE4A668995A714B<br \/>4395003E0D81C685BE47C80DFF9DACCC2F0A3DF9B8B0F1BC557A93CF7C792CCB<br \/>71B24F92A597F6EAAB7A64FD53008A8B29EAB8C48E32D45CAEBCC56BAF15FCDC<br \/>2a2f9fcbafc9c7552ff03b36bae05b2d74a8f6fd1531e8ff3bf55adce8ec056a                    <\/td>\n                                        <\/tr>\n                    <\/table>\n<\/div><style id='wpdt-custom-style-5'>\ntable#wpdtSimpleTable-5{ table-layout: fixed !important; }\ntable#wpdtSimpleTable-5 td, table.wpdtSimpleTable5 
th { white-space: normal !important; }\n<\/style>\n\n\n\n\n<p><\/p>\n\n\n\n<p>Connections (IP)&nbsp;<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>\u201c118[.]107.7.166\u201d &nbsp;<\/li>\n\n\n\n<li>\u201c193[.]134.208.217\u201d&nbsp;<\/li>\n\n\n\n<li>\u201c49[.]235.129.40\u201d&nbsp;<\/li>\n<\/ul>\n\n\n\n<p>HTTP Request&nbsp;<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>http:\/\/118[.]107[.]7[.]166\/foxx\/64.bin&nbsp;<\/li>\n\n\n\n<li>http:\/\/49[.]235.129.40\/update\/<\/li>\n<\/ul>\n\n\n\n<h2 class=\"wp-block-heading\">Appendix 2: MITRE MATRIX&nbsp;<\/h2>\n\n\n\n<div class=\"wpdt-c row wpDataTableContainerSimpleTable wpDataTables wpDataTablesWrapper\n\"\n    >\n        <table id=\"wpdtSimpleTable-6\"\n           style=\"border-collapse:collapse;\n                   border-spacing:0px;\"\n           class=\"wpdtSimpleTable wpDataTable\"\n           data-column=\"3\"\n           data-rows=\"8\"\n           data-wpID=\"6\"\n           data-responsive=\"0\"\n           data-has-header=\"1\">\n\n                    <thead>        <tr class=\"wpdt-cell-row \" >\n                                <th class=\"wpdt-cell wpdt-wrap-text wpdt-align-center\"\n                                            data-cell-id=\"A1\"\n                    data-col-index=\"0\"\n                    data-row-index=\"0\"\n                    style=\" width:33.333333333333%;                    padding:10px;\n                    \"\n                    >\n                                        Tactics\u00a0\u00a0                    <\/th>\n                                                <th class=\"wpdt-cell wpdt-wrap-text wpdt-align-center\"\n                                            data-cell-id=\"B1\"\n                    data-col-index=\"1\"\n                    data-row-index=\"0\"\n                    style=\" width:33.333333333333%;                    padding:10px;\n                    \"\n                    >\n                                        Techniques\u00a0\u00a0             
<\/th>\n                                                <th class=\"wpdt-cell wpdt-wrap-text wpdt-align-center\"\n                                            data-cell-id=\"C1\"\n                    data-col-index=\"2\"\n                    data-row-index=\"0\"\n                    style=\" width:33.333333333333%;                    padding:10px;\n                    \"\n                    >\n                                        Description\u00a0                    <\/th>\n                                        <\/tr>\n                    <tbody>        <tr class=\"wpdt-cell-row \" >\n                                <td class=\"wpdt-cell wpdt-wrap-text wpdt-align-left\"\n                                            data-cell-id=\"A2\"\n                    data-col-index=\"0\"\n                    data-row-index=\"1\"\n                    style=\"                    padding:10px;\n                    \"\n                    >\n                                        TA0007: Discovery\u00a0                    <\/td>\n                                                <td class=\"wpdt-cell wpdt-wrap-text wpdt-align-left\"\n                                            data-cell-id=\"B2\"\n                    data-col-index=\"1\"\n                    data-row-index=\"1\"\n                    style=\"                    padding:10px;\n                    \"\n                    >\n                                        T1082: System Information Discovery\u00a0                    <\/td>\n                                                <td class=\"wpdt-cell wpdt-wrap-text wpdt-align-left\"\n                                            data-cell-id=\"C2\"\n                    data-col-index=\"2\"\n                    data-row-index=\"1\"\n                    style=\"                    padding:10px;\n                    \"\n                    >\n                                        Collects system 
data\u00a0\u00a0                    <\/td>\n                                        <\/tr>\n                            <tr class=\"wpdt-cell-row \" >\n                                <td class=\"wpdt-cell wpdt-wrap-text wpdt-align-left\"\n                                            data-cell-id=\"A3\"\n                    data-col-index=\"0\"\n                    data-row-index=\"2\"\n                    style=\"                    padding:10px;\n                    \"\n                    >\n                                        TA0011:\u00a0\u00a0Command and Control\u00a0\u00a0                    <\/td>\n                                                <td class=\"wpdt-cell wpdt-wrap-text wpdt-align-left\"\n                                            data-cell-id=\"B3\"\n                    data-col-index=\"1\"\n                    data-row-index=\"2\"\n                    style=\"                    padding:10px;\n                    \"\n                    >\n                                        T1071.001:\u00a0\u00a0Application Layer \u00a0\u00a0Protocol\u00a0\u00a0                    <\/td>\n                                                <td class=\"wpdt-cell wpdt-wrap-text wpdt-align-left\"\n                                            data-cell-id=\"C3\"\n                    data-col-index=\"2\"\n                    data-row-index=\"2\"\n                    style=\"                    padding:10px;\n                    \"\n                    >\n                                        Sending collected data \u00a0\u00a0to the control server\u00a0\u00a0                    <\/td>\n                                        <\/tr>\n                            <tr class=\"wpdt-cell-row \" >\n                                <td class=\"wpdt-cell wpdt-wrap-text wpdt-align-left\"\n                                            data-cell-id=\"A4\"\n                    data-col-index=\"0\"\n                    data-row-index=\"3\"\n                    style=\"        
            padding:10px;\n                    \"\n                    >\n                                        \u00a0\u00a0                    <\/td>\n                                                <td class=\"wpdt-cell wpdt-wrap-text wpdt-align-left\"\n                                            data-cell-id=\"B4\"\n                    data-col-index=\"1\"\n                    data-row-index=\"3\"\n                    style=\"                    padding:10px;\n                    \"\n                    >\n                                        T1105 Ingress Tool Transfer\u00a0\u00a0                    <\/td>\n                                                <td class=\"wpdt-cell wpdt-wrap-text wpdt-align-left\"\n                                            data-cell-id=\"C4\"\n                    data-col-index=\"2\"\n                    data-row-index=\"3\"\n                    style=\"                    padding:10px;\n                    \"\n                    >\n                                        Requests binary from the Internet\u00a0\u00a0                    <\/td>\n                                        <\/tr>\n                            <tr class=\"wpdt-cell-row \" >\n                                <td class=\"wpdt-cell wpdt-wrap-text wpdt-align-left\"\n                                            data-cell-id=\"A5\"\n                    data-col-index=\"0\"\n                    data-row-index=\"4\"\n                    style=\"                    padding:10px;\n                    \"\n                    >\n                                        \u00a0                    <\/td>\n                                                <td class=\"wpdt-cell wpdt-wrap-text wpdt-align-left\"\n                                            data-cell-id=\"B5\"\n                    data-col-index=\"1\"\n                    data-row-index=\"4\"\n                    style=\"                    padding:10px;\n                    \"\n                    >\n        
T1572 \u2013 Protocol Tunneling\u00a0                    <\/td>\n                                                <td class=\"wpdt-cell wpdt-wrap-text wpdt-align-left\"\n                                            data-cell-id=\"C5\"\n                    data-col-index=\"2\"\n                    data-row-index=\"4\"\n                    style=\"                    padding:10px;\n                    \"\n                    >\n                                        The Gh0stBins protocol tunnels the RDP module\u2019s remote-desktop traffic over the C2 connection\u00a0                    <\/td>\n                                        <\/tr>\n                            <tr class=\"wpdt-cell-row \" >\n                                <td class=\"wpdt-cell wpdt-wrap-text wpdt-align-left\"\n                                            data-cell-id=\"A6\"\n                    data-col-index=\"0\"\n                    data-row-index=\"5\"\n                    style=\"                    padding:10px;\n                    \"\n                    >\n                                        TA0005: Defense Evasion\u00a0                    <\/td>\n                                                <td class=\"wpdt-cell wpdt-wrap-text wpdt-align-left\"\n                                            data-cell-id=\"B6\"\n                    data-col-index=\"1\"\n                    data-row-index=\"5\"\n                    style=\"                    padding:10px;\n                    \"\n                    >\n                                        T1027 \u2013 Obfuscated Files or Information\u00a0                    <\/td>\n                                                <td class=\"wpdt-cell wpdt-wrap-text wpdt-align-left\"\n                                            data-cell-id=\"C6\"\n                    data-col-index=\"2\"\n                    data-row-index=\"5\"\n                    style=\"                    padding:10px;\n                    \"\n                    >\n                          
The executable is XOR-encrypted to make it harder to discover and analyze\u00a0                    <\/td>\n                                        <\/tr>\n                            <tr class=\"wpdt-cell-row \" >\n                                <td class=\"wpdt-cell wpdt-wrap-text wpdt-align-left\"\n                                            data-cell-id=\"A7\"\n                    data-col-index=\"0\"\n                    data-row-index=\"6\"\n                    style=\"                    padding:10px;\n                    \"\n                    >\n                                        \u00a0                    <\/td>\n                                                <td class=\"wpdt-cell wpdt-wrap-text wpdt-align-left\"\n                                            data-cell-id=\"B7\"\n                    data-col-index=\"1\"\n                    data-row-index=\"6\"\n                    style=\"                    padding:10px;\n                    \"\n                    >\n                                        T1140 \u2013 Deobfuscate\/Decode Files or Information\u00a0                    <\/td>\n                                                <td class=\"wpdt-cell wpdt-wrap-text wpdt-align-left\"\n                                            data-cell-id=\"C7\"\n                    data-col-index=\"2\"\n                    data-row-index=\"6\"\n                    style=\"                    padding:10px;\n                    \"\n                    >\n                                        Decrypts the packed file with an XOR key\u00a0                    <\/td>\n                                        <\/tr>\n                            <tr class=\"wpdt-cell-row \" >\n                                <td class=\"wpdt-cell wpdt-wrap-text wpdt-align-left\"\n                                            data-cell-id=\"A8\"\n                    data-col-index=\"0\"\n                    data-row-index=\"7\"\n                    
style=\"                    padding:10px;\n                    \"\n                    >\n                                        TA0005: Defense Evasion\u00a0                    <\/td>\n                                                <td class=\"wpdt-cell wpdt-wrap-text wpdt-align-left\"\n                                            data-cell-id=\"B8\"\n                    data-col-index=\"1\"\n                    data-row-index=\"7\"\n                    style=\"                    padding:10px;\n                    \"\n                    >\n                                        T1574.001 \u2013 Hijack Execution Flow: DLL Search Order Hijacking\u00a0                    <\/td>\n                                                <td class=\"wpdt-cell wpdt-wrap-text wpdt-align-left\"\n                                            data-cell-id=\"C8\"\n                    data-col-index=\"2\"\n                    data-row-index=\"7\"\n                    style=\"                    padding:10px;\n                    \"\n                    >\n                                        CVE-2019-5526\u00a0                    <\/td>\n                                        <\/tr>\n                    <\/table>\n<\/div><style id='wpdt-custom-style-6'>\ntable#wpdtSimpleTable-6{ table-layout: fixed !important; }\ntable#wpdtSimpleTable-6 td, table.wpdtSimpleTable6 th { white-space: normal !important; }\n<\/style>\n\n","protected":false},"excerpt":{"rendered":"<p>It&#8217;s not every day that you come across a DLL so new that even VirusTotal draws a blank. But it&#8217;s even rarer when this sample turns out to be a sophisticated RAT from China.&nbsp; But this is exactly what happened in our recent case. 
We discovered what may be a previously unseen version of the [&hellip;]<\/p>\n","protected":false},"author":2,"featured_media":5241,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[8],"tags":[15,34,40],"class_list":["post-5170","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-malware-analysis","tag-malware","tag-malware-analysis","tag-malware-behavior"],"acf":[],"yoast_head":"<!-- This site is optimized with the Yoast SEO plugin v20.10 - https:\/\/yoast.com\/wordpress\/plugins\/seo\/ -->\n<title>Gh0stBins Chinese RAT Malware Analysis<\/title>\n<meta name=\"description\" content=\"Learn about Gh0stBins RAT from China, its communication protocol, and RDP stream recovery. Python scripts, YARA, and Suricata rules included.\" \/>\n<meta name=\"robots\" content=\"index, follow, max-snippet:-1, max-image-preview:large, max-video-preview:-1\" \/>\n<link rel=\"canonical\" href=\"https:\/\/any.run\/cybersecurity-blog\/gh0stbins-chinese-rat-malware-analysis\/\" \/>\n<meta name=\"twitter:label1\" content=\"Written by\" \/>\n\t<meta name=\"twitter:data1\" content=\"Electron, Jane and kinoshi\" \/>\n\t<meta name=\"twitter:label2\" content=\"Est. 
reading time\" \/>\n\t<meta name=\"twitter:data2\" content=\"20 minutes\" \/>\n<script type=\"application\/ld+json\" class=\"yoast-schema-graph\">{\"@context\":\"https:\/\/schema.org\",\"@graph\":[{\"@type\":\"Article\",\"@id\":\"https:\/\/any.run\/cybersecurity-blog\/gh0stbins-chinese-rat-malware-analysis\/#article\",\"isPartOf\":{\"@id\":\"https:\/\/any.run\/cybersecurity-blog\/gh0stbins-chinese-rat-malware-analysis\/\"},\"author\":{\"name\":\"Electron, Jane and kinoshi\",\"@id\":\"https:\/\/any.run\/\"},\"headline\":\"Gh0stBins, Chinese RAT: Malware Analysis, Protocol Description, RDP Stream Recovery\u00a0\",\"datePublished\":\"2023-06-22T08:26:51+00:00\",\"dateModified\":\"2025-12-09T10:23:37+00:00\",\"mainEntityOfPage\":{\"@id\":\"https:\/\/any.run\/cybersecurity-blog\/gh0stbins-chinese-rat-malware-analysis\/\"},\"wordCount\":3083,\"commentCount\":0,\"publisher\":{\"@id\":\"https:\/\/any.run\/\"},\"keywords\":[\"malware\",\"malware analysis\",\"malware behavior\"],\"articleSection\":[\"Malware Analysis\"],\"inLanguage\":\"en-US\",\"potentialAction\":[{\"@type\":\"CommentAction\",\"name\":\"Comment\",\"target\":[\"https:\/\/any.run\/cybersecurity-blog\/gh0stbins-chinese-rat-malware-analysis\/#respond\"]}]},{\"@type\":\"WebPage\",\"@id\":\"https:\/\/any.run\/cybersecurity-blog\/gh0stbins-chinese-rat-malware-analysis\/\",\"url\":\"https:\/\/any.run\/cybersecurity-blog\/gh0stbins-chinese-rat-malware-analysis\/\",\"name\":\"Gh0stBins Chinese RAT Malware Analysis\",\"isPartOf\":{\"@id\":\"https:\/\/any.run\/\"},\"datePublished\":\"2023-06-22T08:26:51+00:00\",\"dateModified\":\"2025-12-09T10:23:37+00:00\",\"description\":\"Learn about Gh0stBins RAT from China, its communication protocol, and RDP stream recovery. 
Python scripts, YARA, and Suricata rules included.\",\"breadcrumb\":{\"@id\":\"https:\/\/any.run\/cybersecurity-blog\/gh0stbins-chinese-rat-malware-analysis\/#breadcrumb\"},\"inLanguage\":\"en-US\",\"potentialAction\":[{\"@type\":\"ReadAction\",\"target\":[\"https:\/\/any.run\/cybersecurity-blog\/gh0stbins-chinese-rat-malware-analysis\/\"]}]},{\"@type\":\"BreadcrumbList\",\"@id\":\"https:\/\/any.run\/cybersecurity-blog\/gh0stbins-chinese-rat-malware-analysis\/#breadcrumb\",\"itemListElement\":[{\"@type\":\"ListItem\",\"position\":1,\"name\":\"Home\",\"item\":\"https:\/\/any.run\/cybersecurity-blog\/\"},{\"@type\":\"ListItem\",\"position\":2,\"name\":\"Malware Analysis\",\"item\":\"https:\/\/any.run\/cybersecurity-blog\/category\/malware-analysis\/\"},{\"@type\":\"ListItem\",\"position\":3,\"name\":\"Gh0stBins, Chinese RAT: Malware Analysis, Protocol Description, RDP Stream Recovery\u00a0\"}]},{\"@type\":\"WebSite\",\"@id\":\"https:\/\/any.run\/\",\"url\":\"https:\/\/any.run\/\",\"name\":\"ANY.RUN&#039;s Cybersecurity Blog\",\"description\":\"Cybersecurity Blog covers topics for experienced professionals as well as for those new to it.\",\"publisher\":{\"@id\":\"https:\/\/any.run\/\"},\"potentialAction\":[{\"@type\":\"SearchAction\",\"target\":{\"@type\":\"EntryPoint\",\"urlTemplate\":\"https:\/\/any.run\/?s={search_term_string}\"},\"query-input\":\"required 
name=search_term_string\"}],\"inLanguage\":\"en-US\"},{\"@type\":\"Organization\",\"@id\":\"https:\/\/any.run\/\",\"name\":\"ANY.RUN\",\"url\":\"https:\/\/any.run\/\",\"logo\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\/\/any.run\/\",\"url\":\"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2020\/08\/ANYRUN-Icon.svg\",\"contentUrl\":\"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2020\/08\/ANYRUN-Icon.svg\",\"width\":1,\"height\":1,\"caption\":\"ANY.RUN\"},\"image\":{\"@id\":\"https:\/\/any.run\/\"},\"sameAs\":[\"https:\/\/www.facebook.com\/www.any.run\/\",\"https:\/\/twitter.com\/anyrun_app\",\"https:\/\/www.linkedin.com\/company\/30692044\",\"https:\/\/www.youtube.com\/channel\/UCOgCPho7lzmH7m6fPNlukrQ\"]},[{\"@type\":[\"Person\"],\"@id\":\"https:\/\/any.run\/\",\"name\":\"Electron\",\"image\":{\"@type\":\"ImageObject\",\"@id\":\"https:\/\/any.run\/\",\"inLanguage\":\"en_US\",\"url\":\"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2023\/05\/6394744-150x150.png\",\"caption\":\"Electron\"}},{\"@type\":[\"Person\"],\"@id\":\"https:\/\/any.run\/\",\"name\":\"Jane\",\"image\":{\"@type\":\"ImageObject\",\"@id\":\"https:\/\/any.run\/\",\"inLanguage\":\"en_US\",\"url\":\"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2023\/06\/Jane-150x150.jpg\",\"caption\":\"Jane\"}},{\"@type\":[\"Person\"],\"@id\":\"https:\/\/any.run\/\",\"name\":\"kinoshi\",\"image\":{\"@type\":\"ImageObject\",\"@id\":\"https:\/\/any.run\/\",\"inLanguage\":\"en_US\",\"url\":\"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2023\/06\/MicrosoftTeams-image-48-150x150.jpg\",\"caption\":\"kinoshi\"}}]]}<\/script>\n<!-- \/ Yoast SEO plugin. -->","yoast_head_json":{"title":"Gh0stBins Chinese RAT Malware Analysis","description":"Learn about Gh0stBins RAT from China, its communication protocol, and RDP stream recovery. 
Python scripts, YARA, and Suricata rules included."}}