gh0strat | f9a61beff2556ccdacaeef00fa00d703_JaffaCakes118

Sharing

Copy URL Twitter E-mail

General

Target

f9a61beff2556ccdacaeef00fa00d703_JaffaCakes118
Size

276KB
MD5

f9a61beff2556ccdacaeef00fa00d703
SHA1

0d93311648fc20a3c4c266f1460953332cf9ea8e
SHA256

f9bb04e53aae76d5fd3d484047945e176a00518abe43d7fb374bfbb10793fc3f
SHA512

4bcc316cc9988bf848746874a13a27770de00b4c6ff13a588f57b5dc0bb53076da4d31c3457f7b37afe72df635141aaf73fdb80a87677b968bc7c2b9032d55b9
SSDEEP

6144:Y0yaaBhcTBly7wkmus365LuYS/BWiuUKX5:0aCcT3JDus365C5pWX

Score

10^/10

gh0strat

Malware Config

Signatures

Gh0st RAT payload 1 IoCs

resource	yara_rule
sample	family_gh0strat

Gh0strat family
gh0strat

Unsigned PE 1 IoCs

Checks for missing Authenticode signature.

resource
f9a61beff2556ccdacaeef00fa00d703_JaffaCakes118

Files

f9a61beff2556ccdacaeef00fa00d703_JaffaCakes118
.exe windows:4 windows x86 arch:x86

675ff63ce455a2388107de3574d7af83

Headers

File Characteristics

IMAGE_FILE_RELOCS_STRIPPED
IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LINE_NUMS_STRIPPED
IMAGE_FILE_LOCAL_SYMS_STRIPPED
IMAGE_FILE_32BIT_MACHINE

Imports

kernel32

CreateFileA
GetFileAttributesA
CreateDirectoryA
GetWindowsDirectoryA
LocalFree
LocalSize
WriteFile
SetFilePointer
CreateProcessA
lstrcpyA
TerminateThread
MoveFileExA
MoveFileA
GetTickCount
GetModuleFileNameA
DeleteFileA
lstrcatA
GlobalMemoryStatusEx
GetDiskFreeSpaceExA
GetDriveTypeA
GetFileSize
GetVersionExA
OpenEventA
SetErrorMode
GetLastError
CreateMutexA
HeapAlloc
GetProcessHeap
VirtualProtect
IsBadReadPtr
HeapFree
FreeLibrary
lstrcmpiA
Process32Next
Process32First
GetCurrentThreadId
GetStartupInfoA
GetModuleHandleA
ReadFile
lstrlenA
LocalReAlloc
LocalAlloc
ResetEvent
Sleep
CancelIo
InterlockedExchange
SetEvent
WaitForSingleObject
CloseHandle
CreateEventA
VirtualAlloc
EnterCriticalSection
LeaveCriticalSection
VirtualFree
DeleteCriticalSection
GetTempPathA
LoadLibraryA
GetSystemInfo
GetProcAddress

user32

PtInRect
LoadCursorA
SetCursor
SendMessageA
UpdateWindow
EnableWindow
ScreenToClient
GetSysColor
DrawIconEx
LoadIconA
wsprintfA
GetCursorPos
IsRectEmpty
SetCapture
ReleaseCapture
GetClientRect
ClientToScreen
InvalidateRect
GetWindowDC
OpenDesktopA
GetThreadDesktop
GetUserObjectInformationA
OpenInputDesktop
SetThreadDesktop
CloseDesktop
KillTimer
GetProcessWindowStation
OpenWindowStationA
SetProcessWindowStation
SetTimer
DrawFocusRect

gdi32

GetTextExtentPoint32A
CreateFontA

advapi32

RegCloseKey
RegQueryValueA
RegOpenKeyExA
CloseEventLog
ClearEventLogA
OpenEventLogA
RegQueryValueExA
RegOpenKeyA

shell32

SHFileOperationA

ole32

CoInitialize
CoCreateInstance
CoUninitialize

oleaut32

SysFreeString

wininet

InternetOpenA
InternetCloseHandle
InternetOpenUrlA
InternetReadFile

msvcrt

_setmbcp
_strcmpi
_stricmp
??3@YAXPAX@Z
memmove
ceil
_ftol
strstr
__CxxFrameHandler
_CxxThrowException
??2@YAPAXI@Z
puts
malloc
_mkdir
strrchr
_controlfp
__set_app_type
__p__fmode
__p__commode
_adjust_fdiv
__setusermatherr
_initterm
__getmainargs
_acmdln
_XcptFilter
_exit
_onexit
__dllonexit
??1type_info@@UAE@XZ
_beginthreadex
_except_handler3
atoi
strncpy
atol
free
realloc
exit

shlwapi

PathFindExtensionA

ws2_32

getsockname
socket
WSAStartup
WSACleanup
recv
select
closesocket
setsockopt
send
WSAIoctl
htons
connect
gethostbyname

mfc42

ord1200
ord2089
ord6619
ord6565
ord4284
ord4000
ord2818
ord6008
ord3610
ord3574
ord2087
ord2494
ord2627
ord2626
ord6000
ord2117
ord4163
ord6625
ord4457
ord609
ord656
ord5252
ord6069
ord2011
ord2820
ord3811
ord4413
ord3797
ord3287
ord2078
ord4396
ord2575
ord620
ord366
ord529
ord6491
ord674
ord616
ord796
ord3582
ord3402
ord4398
ord2578
ord4218
ord2023
ord2411
ord4427
ord4436
ord1665
ord2649
ord5282
ord5237
ord4077
ord4151
ord2878
ord2879
ord3403
ord5472
ord975
ord5012
ord3350
ord4303
ord4467
ord5103
ord5100
ord3059
ord2390
ord2723
ord4242
ord1842
ord2431
ord1088
ord2860
ord5875
ord472
ord5788
ord2380
ord2567
ord4297
ord4133
ord470
ord755
ord3920
ord323
ord1640
ord6119
ord2405
ord640
ord6605
ord4299
ord3103
ord6209
ord2379
ord2864
ord1168
ord1146
ord810
ord3295
ord6154
ord2530
ord4366
ord4056
ord5471
ord4121
ord2389
ord5086
ord1710
ord1715
ord6055
ord4078
ord1776
ord4407
ord5234
ord2385
ord5163
ord6369
ord4353
ord5279
ord3798
ord4837
ord4441
ord2648
ord2055
ord6376
ord3749
ord5064
ord1727
ord5248
ord2444
ord2124
ord5277
ord2982
ord3147
ord3259
ord4465
ord3136
ord3262
ord2985
ord3081
ord2976
ord3830
ord3831
ord3825
ord3079
ord4080
ord4627
ord4424
ord3730
ord554
ord807
ord6215
ord6197
ord2080
ord5882
ord2012
ord4268
ord4615
ord4612
ord4610
ord4274
ord6375
ord4486
ord2554
ord2512
ord5731
ord3922
ord1089
ord5199
ord2396
ord3346
ord5300
ord5302
ord2725
ord4079
ord4698
ord5307
ord5289
ord5714
ord4622
ord3738
ord561
ord815
ord617
ord5301
ord5214
ord296
ord986
ord520
ord4159
ord6117
ord2621
ord1134
ord5265
ord4376
ord4853
ord4998
ord4710
ord2514
ord6052
ord1775
ord5241
ord6374
ord5280
ord5065
ord5261
ord2446
ord4425
ord3597
ord324
ord641
ord4234
ord1825
ord4238
ord4696
ord3058
ord3065
ord6336
ord2510
ord2542
ord5243
ord5740
ord1746
ord5577
ord3172
ord5653
ord4420
ord4953
ord4858
ord2399
ord4387
ord3454
ord3198
ord6080
ord6175
ord4623
ord4426
ord338
ord652
ord4823
ord4614
ord4613
ord1945
ord4273
ord4589
ord4899
ord5076
ord4341
ord4349
ord4723
ord4890
ord4531
ord4545
ord4543
ord4526
ord4529
ord4524
ord4964
ord4961
ord4108
ord5240
ord5290
ord3748
ord1726
ord4432
ord560
ord813
ord5260
ord2535
ord3619
ord4364
ord5082
ord1712
ord6053
ord3598
ord809
ord800
ord642
ord860
ord556
ord540
ord327
ord3626
ord3663
ord2414
ord4235
ord3398
ord3733
ord2122
ord2123
ord567
ord1641
ord6199
ord6334
ord1576

iphlpapi

GetIfTable

Sections

.text
Size: 56KB - Virtual size: 52KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rdata
Size: 28KB - Virtual size: 24KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.data
Size: 152KB - Virtual size: 151KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.rsrc
Size: 36KB - Virtual size: 35KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

Sharing

General

Malware Config

Signatures

Files

675ff63ce455a2388107de3574d7af83

Headers

File Characteristics

Imports

kernel32

user32

gdi32

advapi32

shell32

ole32

oleaut32

wininet

msvcrt

shlwapi

ws2_32

mfc42

iphlpapi

Sections

.text Size: 56KB - Virtual size: 52KB

.rdata Size: 28KB - Virtual size: 24KB

.data Size: 152KB - Virtual size: 151KB

.rsrc Size: 36KB - Virtual size: 35KB

.text
Size: 56KB - Virtual size: 52KB

.rdata
Size: 28KB - Virtual size: 24KB

.data
Size: 152KB - Virtual size: 151KB

.rsrc
Size: 36KB - Virtual size: 35KB