gh0strat | f285262791f5ade32a5c31f4556ef851_JaffaCakes118 | Triage

Sharing

Copy URL Twitter E-mail

General

Target

f285262791f5ade32a5c31f4556ef851_JaffaCakes118
Size

152KB
MD5

f285262791f5ade32a5c31f4556ef851
SHA1

9447665d39e0f67ee22fd71042c087270d16afb0
SHA256

16ee0f17c736d69f796c453cd709d171427a94f1fb686c4587d14125aa35c9c9
SHA512

f600032559be63309dcd529e87a44e5e2f7dd6a816707588059bb0e7736300ceb8597102e53dc322a3051f98d9b923507f911b7512a23aaceaf04bc7614d2a10
SSDEEP

3072:bsoNSaWhcOOeRn0GnNSsNPSBndc1S3zO9Wceqovo:bsySX6WXUBdPzOwceqo

Score

10^/10

gh0strat

Malware Config

Signatures

Gh0st RAT payload 1 IoCs

resource	yara_rule
sample	family_gh0strat

Gh0strat family
gh0strat

Unsigned PE 1 IoCs

Checks for missing Authenticode signature.

resource
f285262791f5ade32a5c31f4556ef851_JaffaCakes118

Files

f285262791f5ade32a5c31f4556ef851_JaffaCakes118
.exe windows:4 windows x86 arch:x86

468144bfb76bb4d599f7f1d92ae93707

Headers

File Characteristics

IMAGE_FILE_RELOCS_STRIPPED
IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LINE_NUMS_STRIPPED
IMAGE_FILE_LOCAL_SYMS_STRIPPED
IMAGE_FILE_32BIT_MACHINE

Imports

kernel32

Sleep
WriteFile
CreateFileA
DeleteFileA
SizeofResource
LockResource
LoadResource
FindResourceA
GetModuleFileNameA
FreeResource
CreateEventA
GetProcAddress
LoadLibraryA
GetWindowsDirectoryA
GetTickCount
GetModuleHandleA
GetLastError
RaiseException
WaitForSingleObject
CloseHandle
InterlockedExchange
GetStartupInfoA
LocalAlloc
FreeLibrary

user32

LoadCursorA
RegisterClassA
LoadIconA

gdi32

GetStockObject

msvcrt

_XcptFilter
exit
_acmdln
__getmainargs
_initterm
__setusermatherr
_adjust_fdiv
__p__commode
__p__fmode
__set_app_type
_except_handler3
_controlfp
_exit
srand
sprintf
rand

Sections

.bss
Size: - Virtual size: 44B

IMAGE_SCN_CNT_UNINITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.data
Size: 4KB - Virtual size: 4KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.rsrc
Size: 147KB - Virtual size: 146KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ