gh0strat | f82bf4979ca1a6a01395e2a9f3275cd2_JaffaCakes118

Sharing

Copy URL

Twitter E-mail

General

Target

f82bf4979ca1a6a01395e2a9f3275cd2_JaffaCakes118
Size

92KB
MD5

f82bf4979ca1a6a01395e2a9f3275cd2
SHA1

28b7d491e3316818c6c5b6cc902293ee5d935f68
SHA256

d4d1822eeb5d33258581310776757f6fb20bc432a05c0ed0588011b09a8b9bcc
SHA512

b1e71faa1df02e6c12f6c31201dd14efd6dba8f7d0811edd717b15b4ff5e87548e303c853b58d9f91ae5f22337916fde40839301ebad6fb311398b559afd5342
SSDEEP

1536:dEqk79xJAepsEpezV0BDwXSOc0DqfC8SIDbaJy/z:dEqk7nJAerGmDhOrDsC8SIDbaJyb

Score

10^/10

gh0strat

Malware Config

Signatures

Gh0st RAT payload 1 IoCs

resource	yara_rule
sample	family_gh0strat

Gh0strat family
gh0strat

Unsigned PE 1 IoCs

Checks for missing Authenticode signature.

resource
f82bf4979ca1a6a01395e2a9f3275cd2_JaffaCakes118

Files

f82bf4979ca1a6a01395e2a9f3275cd2_JaffaCakes118
.exe windows:4 windows x86 arch:x86

85325f0dddf954902ce2951dc53888c9

Headers

File Characteristics

IMAGE_FILE_RELOCS_STRIPPED
IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LINE_NUMS_STRIPPED
IMAGE_FILE_LOCAL_SYMS_STRIPPED
IMAGE_FILE_32BIT_MACHINE

Imports

msvcrt

_controlfp
__set_app_type
__p__fmode
__p__commode
??3@YAXPAX@Z
_adjust_fdiv
__setusermatherr
_initterm
__getmainargs
_acmdln
_XcptFilter
_exit
??1type_info@@UAE@XZ
calloc
_beginthreadex
strncmp
sprintf
rand
atoi
exit
free
realloc
_except_handler3
malloc
??2@YAPAXI@Z
_CxxThrowException
__CxxFrameHandler
strstr
_ftol
ceil
memmove

kernel32

GetStartupInfoA
Process32First
Process32Next
lstrcmpiA
GetCurrentThreadId
MoveFileA
MoveFileExA
ExitProcess
CreateMutexA
OpenEventA
GetVersionExA
GetSystemInfo
GlobalMemoryStatusEx
GetDriveTypeA
InitializeCriticalSection
DeleteCriticalSection
VirtualFree
LeaveCriticalSection
EnterCriticalSection
Sleep
VirtualAlloc
CreateEventA
CloseHandle
WaitForSingleObject
ResetEvent
GetProcAddress
LoadLibraryA
SetEvent
InterlockedExchange
CancelIo
WriteFile
SetFilePointer
CreateFileA
GetFileSize
ReadFile
GetWindowsDirectoryA
GetFileAttributesA
lstrlenA
CreateProcessA
lstrcpyA
TerminateThread
lstrcatA
GetTickCount
DeleteFileA
GetLastError
GetCurrentProcess
HeapAlloc
GetProcessHeap
GetModuleHandleA
GetDiskFreeSpaceExA
GetModuleFileNameA

user32

SetThreadDesktop
CloseDesktop
LoadIconA
LoadCursorA
RegisterClassA
PostThreadMessageA
GetInputState
GetMessageA
ShowWindow
GetWindow
FindWindowA
FindWindowExA
SendMessageA
GetDlgCtrlID
PostMessageA
SendInput
wsprintfA
GetUserObjectInformationA
GetThreadDesktop
OpenDesktopA
OpenInputDesktop

gdi32

GetStockObject

advapi32

RegCreateKeyExA
CreateServiceA
CloseEventLog
ClearEventLogA
OpenEventLogA
RegCloseKey
RegQueryValueExA
RegOpenKeyA
RegSetValueExA
StartServiceCtrlDispatcherA
RegOpenKeyExA
CloseServiceHandle
StartServiceA
OpenServiceA
ChangeServiceConfig2A
LockServiceDatabase

shell32

SHGetSpecialFolderPathA
ShellExecuteA

ws2_32

htons
gethostbyname
socket
recv
select
connect
closesocket
gethostname
getsockname
WSAStartup
send
WSACleanup
setsockopt

iphlpapi

GetIfTable

wininet

InternetCloseHandle

ole32

CoInitialize
CoCreateInstance
CoUninitialize

oleaut32

SysFreeString

Sections

.text
Size: 60KB - Virtual size: 57KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rdata
Size: 12KB - Virtual size: 8KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.data
Size: 8KB - Virtual size: 9KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.rsrc
Size: 8KB - Virtual size: 5KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

Sharing

General

Malware Config

Signatures

Files

85325f0dddf954902ce2951dc53888c9

Headers

File Characteristics

Imports

msvcrt

kernel32

user32

gdi32

advapi32

shell32

ws2_32

iphlpapi

wininet

ole32

oleaut32

Sections

.text Size: 60KB - Virtual size: 57KB

.rdata Size: 12KB - Virtual size: 8KB

.data Size: 8KB - Virtual size: 9KB

.rsrc Size: 8KB - Virtual size: 5KB

.text
Size: 60KB - Virtual size: 57KB

.rdata
Size: 12KB - Virtual size: 8KB

.data
Size: 8KB - Virtual size: 9KB

.rsrc
Size: 8KB - Virtual size: 5KB