Infection Channel: Downloaded from the Internet, Dropped by other malware
GHOSTRAT is a family of backdoors, or more accurately, remote administration tools (RATs), used to gain control of the computers it infects. It is affiliated with the GhostNet bot network.
It steals information by logging keystrokes. The information it steals is usually system-related, such as the operating system version and processor speed. All data is then sent back to C&C servers operated by GhostNet.
Memory Resident: Yes
Payload: Connects to URLs/IPs, Steals information
This backdoor drops the following file(s)/component(s):
(Note: %System% is the Windows system folder, which is usually C:\Windows\System32.)
It drops the following copies of itself into the affected system:
%System Root%\Documents and Settings\All Users\Start Menu\Programs\Startup\Ball.exe
(Note: %System Root% is the root folder, which is usually C:\. It is also where the operating system is located. %Windows% is the Windows folder, which is usually C:\Windows.)
It creates the following folders:
(Note: %Windows% is the Windows folder, which is usually C:\Windows.)
This backdoor adds the following registry entries to enable its automatic execution at every system startup: