gh0strat | ea89547ed3ece1bfc73edae1abe07472_JaffaCakes118 | Triage

Sharing

General

Target

ea89547ed3ece1bfc73edae1abe07472_JaffaCakes118
Size

130KB
MD5

ea89547ed3ece1bfc73edae1abe07472
SHA1

dc9eff3c4a58667fc0c6602beaaa417babe875bc
SHA256

ea6d3b8152ff2f984cc360e3b0b83b9a8efdc9f255eb722797f9e6a322d8ed55
SHA512

ce9e0c020682caa201c30e265c5dc468d5f35e5cce74a54bd90867641555012f8a5ebe85d9f0c9ea98a6ec483e562f245ba94f0534ef8032a37bd2bf6ec9009c
SSDEEP

3072:a+wsECvdHcm6CQ8jiS672Hk+abOFsUAsCg0Meb90j:a+wpgBcm6CQzl72HNZFF50Mb

Score

10^/10

gh0strat

Malware Config

Signatures

Gh0st RAT payload 1 IoCs

resource	yara_rule
sample	family_gh0strat

Gh0strat family
gh0strat

Unsigned PE 1 IoCs

Checks for missing Authenticode signature.

resource
ea89547ed3ece1bfc73edae1abe07472_JaffaCakes118

Files

ea89547ed3ece1bfc73edae1abe07472_JaffaCakes118
.exe windows:4 windows x86 arch:x86

069c2d333fee633f1521f075bdc8a1e5

Headers

File Characteristics

IMAGE_FILE_RELOCS_STRIPPED
IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LINE_NUMS_STRIPPED
IMAGE_FILE_LOCAL_SYMS_STRIPPED
IMAGE_FILE_32BIT_MACHINE

Imports

kernel32

CloseHandle
Process32Next
lstrcmpiA
Process32First
CreateToolhelp32Snapshot
lstrcpyA
lstrlenA
SetLastError
SizeofResource
LockResource
LoadResource
FindResourceA
GetLastError
WinExec
lstrcatA
ExpandEnvironmentStringsA
GetTempPathA
GetCurrentThreadId
ExitProcess
GetModuleFileNameA
Sleep
GetCommandLineA
FreeLibrary
GetProcAddress
LoadLibraryA
RaiseException
InterlockedExchange
LocalAlloc
GetStartupInfoA
GetModuleHandleA

msvcrt

strstr
??3@YAXPAX@Z
??1type_info@@UAE@XZ
_exit
_XcptFilter
exit
_acmdln
__getmainargs
_initterm
__setusermatherr
_adjust_fdiv
__p__commode
__p__fmode
__set_app_type
_controlfp
_except_handler3
__CxxFrameHandler
fopen
fclose
??2@YAPAXI@Z
fwrite

Sections

.text
Size: 7KB - Virtual size: 6KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.rsrc
Size: 122KB - Virtual size: 122KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ