gh0strat | ede47a1d594092179877cce2224b2370_JaffaCakes118

Sharing

Copy URL

Twitter E-mail

General

Target

ede47a1d594092179877cce2224b2370_JaffaCakes118
Size

88KB
MD5

ede47a1d594092179877cce2224b2370
SHA1

79d0ae86f220c8234e6c5c8d35b792d146aed6e9
SHA256

9a547819e38b420f16c01185218b5aadf242004d4a31b1f13d9bdfbb8eb3f9a9
SHA512

6eaa1ea16ae20e236e66983202763cfdd735590c31836f963a52a8356681353bb6830f51159e6cb2fa643c998af8b8864f9c0afe63753084afa10cd0a8fdaf57
SSDEEP

1536:9QQioPups17wZsxAKHckvcmwqfR6qPJj9dfjhL2jWT0XU:9QeuG1cZsxekvtwsR6qRJ5NL2yT0XU

Score

10^/10

gh0strat

Malware Config

Signatures

Gh0st RAT payload 1 IoCs

resource	yara_rule
sample	family_gh0strat

Gh0strat family
gh0strat

Unsigned PE 1 IoCs

Checks for missing Authenticode signature.

resource
ede47a1d594092179877cce2224b2370_JaffaCakes118

Files

ede47a1d594092179877cce2224b2370_JaffaCakes118
.dll windows:4 windows x86 arch:x86

885b2740addacdbb71ed51b9a764f81a

Headers

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LINE_NUMS_STRIPPED
IMAGE_FILE_LOCAL_SYMS_STRIPPED
IMAGE_FILE_32BIT_MACHINE
IMAGE_FILE_DLL

Imports

msvcrt

_strnicmp
_strupr
_adjust_fdiv
_initterm
_onexit
__dllonexit
calloc
??3@YAXPAX@Z
strchr
strncat
printf
time
srand
rand
atoi
strrchr
_except_handler3
malloc
free
??2@YAPAXI@Z
__CxxFrameHandler
strstr
_ftol
ceil
memmove
_beginthreadex

ws2_32

closesocket
recv
ntohs
socket
gethostbyname
htons
connect
inet_ntoa
WSAGetLastError
select
send
inet_addr
sendto
htonl
setsockopt
WSAIoctl
gethostname
getsockname
WSAStartup
WSACleanup
WSASocketA

msvcp60

?npos@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@2IB
?_Xran@std@@YAXXZ
?_Split@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@AAEXXZ
?_Eos@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@AAEXI@Z
?_Refcnt@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@AAEAAEPBD@Z
?_Grow@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@AAE_NI_N@Z
?assign@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV12@PBDI@Z
??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ
?_C@?1??_Nullstr@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@CAPBDXZ@4DB
?_Tidy@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@AAEX_N@Z

mfc42

ord537
ord6648
ord2764
ord4129
ord926
ord924
ord922
ord535
ord858
ord6663
ord860
ord4278
ord2818
ord939
ord6877
ord800
ord540

kernel32

SetErrorMode
CreateMutexA
LocalSize
Process32First
CreateToolhelp32Snapshot
lstrcmpiA
GetCurrentThreadId
Process32Next
OpenEventA
ReleaseMutex
GetModuleFileNameA
GetVersionExA
GlobalMemoryStatus
WaitForMultipleObjects
PeekNamedPipe
TerminateProcess
DisconnectNamedPipe
CreatePipe
GetStartupInfoA
GlobalSize
GlobalAlloc
GlobalLock
GlobalUnlock
GlobalFree
GetSystemDirectoryA
MoveFileExA
TerminateThread
GetTickCount
CreateThread
ExitThread
OpenProcess
LoadLibraryA
GetProcAddress
InitializeCriticalSection
DeleteCriticalSection
VirtualFree
LeaveCriticalSection
EnterCriticalSection
VirtualAlloc
CreateEventA
CloseHandle
WaitForSingleObject
ResetEvent
lstrcpyA
SetEvent
InterlockedExchange
CancelIo
Sleep
DeleteFileA
GetLastError
CreateDirectoryA
GetFileAttributesA
lstrlenA
CreateProcessA
lstrcatA
GetDriveTypeA
GetDiskFreeSpaceExA
GetVolumeInformationA
GetLogicalDriveStringsA
FindClose
LocalFree
FindNextFileA
LocalReAlloc
FindFirstFileA
LocalAlloc
RemoveDirectoryA
GetFileSize
CreateFileA
ReadFile
SetFilePointer
WriteFile
MoveFileA
GetCurrentProcess
ExitProcess

user32

GetCursorInfo
GetCursorPos
SetProcessWindowStation
OpenWindowStationA
GetProcessWindowStation
ExitWindowsEx
GetWindowThreadProcessId
IsWindowVisible
GetWindowTextA
EnumWindows
CloseDesktop
SetThreadDesktop
OpenInputDesktop
GetUserObjectInformationA
GetThreadDesktop
OpenDesktopA
PostMessageA
ReleaseDC
GetClipboardData
OpenClipboard
EmptyClipboard
SetClipboardData
CloseClipboard
mouse_event
SetCursorPos
WindowFromPoint
SetCapture
MapVirtualKeyA
keybd_event
SendMessageA
SystemParametersInfoA
BlockInput
DestroyCursor
LoadCursorA
wsprintfA
CharNextA
GetDesktopWindow
GetDC
FindWindowA
GetWindow
GetSystemMetrics
SetRect

gdi32

CreateCompatibleBitmap
GetDIBits
BitBlt
DeleteDC
DeleteObject
CreateCompatibleDC
CreateDIBSection
SelectObject

advapi32

OpenProcessToken
RegEnumKeyExA
RegQueryValueExA
RegDeleteValueA
RegDeleteKeyA
RegOpenKeyA
RegCloseKey
RegQueryValueA
RegOpenKeyExA
RegSetValueExA
RegCreateKeyExA
CloseEventLog
ClearEventLogA
OpenEventLogA
AdjustTokenPrivileges
LookupPrivilegeValueA
RegEnumValueA

shell32

SHGetFileInfoA

wininet

InternetOpenA
InternetOpenUrlA
InternetReadFile
InternetCloseHandle

avicap32

capGetDriverDescriptionA

psapi

GetModuleFileNameExA
EnumProcessModules

Exports

Exports

UpdateMain
_main@0

Sections

.text
Size: 63KB - Virtual size: 63KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rdata
Size: 12KB - Virtual size: 11KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.data
Size: 7KB - Virtual size: 10KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.rsrc
Size: 512B - Virtual size: 16B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.reloc
Size: 4KB - Virtual size: 4KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ

Sharing

General

Malware Config

Signatures

Files

885b2740addacdbb71ed51b9a764f81a

Headers

File Characteristics

Imports

msvcrt

ws2_32

msvcp60

mfc42

kernel32

user32

gdi32

advapi32

shell32

wininet

avicap32

psapi

Exports

Exports

Sections

.text Size: 63KB - Virtual size: 63KB

.rdata Size: 12KB - Virtual size: 11KB

.data Size: 7KB - Virtual size: 10KB

.rsrc Size: 512B - Virtual size: 16B

.reloc Size: 4KB - Virtual size: 4KB

.text
Size: 63KB - Virtual size: 63KB

.rdata
Size: 12KB - Virtual size: 11KB

.data
Size: 7KB - Virtual size: 10KB

.rsrc
Size: 512B - Virtual size: 16B

.reloc
Size: 4KB - Virtual size: 4KB