gh0strat | f789c478bb549d2d4d10ee8fda2f9854_JaffaCakes118

Sharing

Copy URL Twitter E-mail

General

Target

f789c478bb549d2d4d10ee8fda2f9854_JaffaCakes118
Size

200KB
MD5

f789c478bb549d2d4d10ee8fda2f9854
SHA1

08bee05c86082e7ffa32e970fc532e8acd01bf16
SHA256

58629b687a1d4fd99ec84c207f7ff14b89e6cb2901437d39473d252c7999f013
SHA512

7cf92b3ec3e6da7a475d7ca7915a0a15fe0d05578521f4974e47ce1cb53427162edb7ecdf4202505ff0b71f373987da08e16fa4f124cacff9f242da7caefe82e
SSDEEP

3072:K+1p0tly24nhxMoX1MgjYduhQpYjt+Dmm1VtTFh3TKH:K+1p0f4hxM9Zdevjt+DmEVtT73TK

Score

10^/10

gh0strat

Malware Config

Signatures

Gh0st RAT payload 1 IoCs

resource	yara_rule
sample	family_gh0strat

Gh0strat family
gh0strat

Unsigned PE 1 IoCs

Checks for missing Authenticode signature.

resource
f789c478bb549d2d4d10ee8fda2f9854_JaffaCakes118

Files

f789c478bb549d2d4d10ee8fda2f9854_JaffaCakes118
.exe windows:4 windows x86 arch:x86

b25fdec325da6283b000310135431e2f

Headers

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LINE_NUMS_STRIPPED
IMAGE_FILE_LOCAL_SYMS_STRIPPED
IMAGE_FILE_32BIT_MACHINE

Imports

kernel32

VirtualAlloc
ResetEvent
lstrcpyA
InterlockedExchange
CancelIo
Sleep
lstrlenA
GetPrivateProfileSectionNamesA
lstrcatA
GetWindowsDirectoryA
FreeLibrary
GetProcAddress
LoadLibraryA
MultiByteToWideChar
WideCharToMultiByte
lstrcmpA
GetPrivateProfileStringA
GetVersionExA
DeleteFileA
GetLastError
CreateDirectoryA
GetFileAttributesA
CreateProcessA
GetDriveTypeA
GetDiskFreeSpaceExA
GetVolumeInformationA
GetLogicalDriveStringsA
FindClose
LocalFree
FindNextFileA
LocalReAlloc
FindFirstFileA
LocalAlloc
RemoveDirectoryA
GetFileSize
CreateFileA
ReadFile
SetFilePointer
EnterCriticalSection
MoveFileA
GetModuleFileNameA
SetLastError
GetSystemDirectoryA
GetCurrentProcess
CreateRemoteThread
WriteProcessMemory
VirtualAllocEx
OpenProcess
ExitProcess
GetTickCount
GetLocalTime
HeapFree
GetProcessHeap
MapViewOfFile
CreateFileMappingA
HeapAlloc
UnmapViewOfFile
GlobalFree
GlobalUnlock
GlobalLock
GlobalAlloc
GlobalSize
GetStartupInfoA
CreatePipe
DisconnectNamedPipe
TerminateProcess
PeekNamedPipe
WaitForMultipleObjects
OpenEventA
LocalSize
Process32Next
Process32First
lstrcmpiA
GetCurrentThreadId
LeaveCriticalSection
VirtualFree
DeleteCriticalSection
CreateEventA
InitializeCriticalSection
CreateThread
ResumeThread
SetEvent
WaitForSingleObject
RaiseException
GetModuleHandleA
TerminateThread
CloseHandle
WriteFile

gdi32

CreateCompatibleBitmap
GetDIBits
BitBlt
DeleteDC
CreateCompatibleDC
CreateDIBSection
SelectObject
DeleteObject

msvcrt

atoi
_beginthreadex
calloc
??1type_info@@UAE@XZ
_exit
_XcptFilter
exit
_acmdln
__getmainargs
_initterm
__setusermatherr
_adjust_fdiv
realloc
__p__fmode
__set_app_type
_controlfp
__dllonexit
_onexit
_strnicmp
??2@YAPAXI@Z
??3@YAXPAX@Z
__CxxFrameHandler
memmove
ceil
strncat
strncpy
strrchr
_except_handler3
_strcmpi
free
malloc
strchr
_CxxThrowException
strstr
__p__commode
_ftol

ws2_32

connect
gethostbyname
socket
ntohs
recv
select
setsockopt
send
gethostname
getsockname
htons
WSAIoctl
WSACleanup
WSAStartup
closesocket

msvcp60

?_C@?1??_Nullstr@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@CAPBDXZ@4DB
??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ
?assign@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV12@PBDI@Z
?_Grow@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@AAE_NI_N@Z
?_Refcnt@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@AAEAAEPBD@Z
?_Eos@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@AAEXI@Z
?_Split@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@AAEXXZ
?_Xran@std@@YAXXZ
?npos@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@2IB
?_Tidy@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@AAEX_N@Z

wininet

InternetOpenA
InternetReadFile
InternetCloseHandle
InternetOpenUrlA

avicap32

capCreateCaptureWindowA
capGetDriverDescriptionA

msvfw32

ICSeqCompressFrame
ICSendMessage
ICOpen
ICSeqCompressFrameEnd
ICCompressorFree
ICClose
ICSeqCompressFrameStart

psapi

EnumProcessModules
GetModuleFileNameExA

Exports

Exports

heiyuxhj

Sections

.text
Size: 159KB - Virtual size: 158KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.idata
Size: 6KB - Virtual size: 6KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.didat
Size: 6KB - Virtual size: 6KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.rsrc
Size: 21KB - Virtual size: 20KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.reloc
Size: 6KB - Virtual size: 6KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ

Sharing

General

Malware Config

Signatures

Files

b25fdec325da6283b000310135431e2f

Headers

File Characteristics

Imports

kernel32

gdi32

msvcrt

ws2_32

msvcp60

wininet

avicap32

msvfw32

psapi

Exports

Exports

Sections

.text Size: 159KB - Virtual size: 158KB

.idata Size: 6KB - Virtual size: 6KB

.didat Size: 6KB - Virtual size: 6KB

.rsrc Size: 21KB - Virtual size: 20KB

.reloc Size: 6KB - Virtual size: 6KB

.text
Size: 159KB - Virtual size: 158KB

.idata
Size: 6KB - Virtual size: 6KB

.didat
Size: 6KB - Virtual size: 6KB

.rsrc
Size: 21KB - Virtual size: 20KB

.reloc
Size: 6KB - Virtual size: 6KB