gh0strat | fe15a2a0e0275a091ce5f5bffb2bee4b_JaffaCakes118

Sharing

Copy URL

Twitter E-mail

General

Target

fe15a2a0e0275a091ce5f5bffb2bee4b_JaffaCakes118
Size

496KB
MD5

fe15a2a0e0275a091ce5f5bffb2bee4b
SHA1

b5d7ef69b6c295ee67d3f7da4025686a99e5b7a3
SHA256

03d4a9ab2bedf63c8db3319c09511d3aa8e9666a02659c787c953859385a3804
SHA512

532baa2b88fec81e31aa0814890d340b8ae822828112c7e0de92eb189ae82f7f2e611d504c7ac2cd06b1614f9475f2290bb6221333feeab0baafff7d22331db4
SSDEEP

12288:eXHcckZVQQxfnr+T8/t8rWCSmLl1AIwM5976:eX8cWVQQxfnr+T8/t85S8lhwM597

Score

10^/10

gh0strat

Malware Config

Signatures

Gh0st RAT payload 1 IoCs

resource	yara_rule
sample	family_gh0strat

Gh0strat family
gh0strat

Unsigned PE 1 IoCs

Checks for missing Authenticode signature.

resource
fe15a2a0e0275a091ce5f5bffb2bee4b_JaffaCakes118

Files

fe15a2a0e0275a091ce5f5bffb2bee4b_JaffaCakes118
.exe windows:4 windows x86 arch:x86

724b4e2e7801b449d37cc8063e630057

Headers

File Characteristics

IMAGE_FILE_RELOCS_STRIPPED
IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LINE_NUMS_STRIPPED
IMAGE_FILE_LOCAL_SYMS_STRIPPED
IMAGE_FILE_32BIT_MACHINE

Imports

msvcrt

__getmainargs
_acmdln
_XcptFilter
_exit
??1type_info@@UAE@XZ
calloc
vsprintf
_initterm
__setusermatherr
_adjust_fdiv
__p__commode
__p__fmode
__set_app_type
_strcmpi
_controlfp
strncat
exit
wcscpy
strchr
strncmp
atoi
strrchr
_except_handler3
malloc
free
strncpy
sprintf
puts
putchar
rand
_purecall
strstr
_ftol
ceil
memmove
_CxxThrowException
__CxxFrameHandler
??3@YAXPAX@Z
??2@YAPAXI@Z
_beginthreadex
_strnicmp

kernel32

GetModuleHandleA
CreateToolhelp32Snapshot
Process32First
Process32Next
WaitForMultipleObjects
PeekNamedPipe
TerminateProcess
DisconnectNamedPipe
CreatePipe
GetStartupInfoA
GetSystemDirectoryA
GetModuleFileNameA
GetWindowsDirectoryA
CopyFileA
SetFileAttributesA
GetCurrentThreadId
OpenEventA
Sleep
CreateEventA
CloseHandle
TerminateThread
GetProcAddress
LoadLibraryA
WaitForSingleObject
SetEvent
ResumeThread
CreateThread
InitializeCriticalSection
DeleteCriticalSection
VirtualFree
LeaveCriticalSection
EnterCriticalSection
VirtualAlloc
WideCharToMultiByte
ResetEvent
lstrcpyA
InterlockedExchange
CancelIo
GetTickCount
GetLocalTime
FreeLibrary
GetCurrentProcessId
DeleteFileA
GetLastError
CreateDirectoryA
GetFileAttributesA
lstrlenA
CreateProcessA
lstrcatA
GetVersionExA
GetDiskFreeSpaceExA
GetVolumeInformationA
GetLogicalDriveStringsA
FindClose
LocalFree
FindNextFileA
LocalReAlloc
FindFirstFileA
LocalAlloc
RemoveDirectoryA
GetFileSize
CreateFileA
ReadFile
SetFilePointer
WriteFile
MoveFileA
MultiByteToWideChar
GetDriveTypeA
GlobalFree
GlobalUnlock
GlobalLock
GlobalAlloc
GlobalSize

user32

SetThreadDesktop
CloseDesktop
GetInputState
PostThreadMessageA
GetCursorPos
GetCursorInfo
ReleaseDC
GetDesktopWindow
GetDC
SetRect
GetSystemMetrics
GetClipboardData
OpenClipboard
OpenInputDesktop
GetThreadDesktop
CloseClipboard
mouse_event
SetCursorPos
WindowFromPoint
SetCapture
MapVirtualKeyA
keybd_event
SendMessageA
SystemParametersInfoA
BlockInput
DestroyCursor
GetLastInputInfo
EmptyClipboard
GetUserObjectInformationA
OpenDesktopA
PostMessageA
TranslateMessage
GetMessageA
SetClipboardData
CreateWindowExA
CloseWindow
GetClientRect
CharNextA
wsprintfA
LoadCursorA

gdi32

BitBlt
CreateCompatibleBitmap
DeleteObject
CreateCompatibleDC
CreateDIBSection
DeleteDC
GetDIBits
SelectObject

advapi32

OpenSCManagerA
CreateServiceA
LockServiceDatabase
ChangeServiceConfig2A
OpenServiceA
StartServiceA
RegOpenKeyA
CloseServiceHandle
StartServiceCtrlDispatcherA
RegCloseKey
RegQueryValueExA
RegOpenKeyExA
RegQueryValueA
RegSetValueExA
SetServiceStatus
RegisterServiceCtrlHandlerA

shell32

SHGetFileInfoA

ole32

CoInitialize
CoUninitialize
CoCreateInstance
CoTaskMemFree

oleaut32

SysFreeString

winmm

waveOutPrepareHeader
waveOutOpen
waveOutGetNumDevs
waveInStop
waveInClose
waveOutReset
waveOutUnprepareHeader
waveOutClose
waveInOpen
waveInGetNumDevs
waveInPrepareHeader
waveInStart
waveInUnprepareHeader
waveOutWrite

msvcp60

?_Xran@std@@YAXXZ
?_Split@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@AAEXXZ
?npos@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@2IB
?_Tidy@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@AAEX_N@Z
?_C@?1??_Nullstr@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@CAPBDXZ@4DB
??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ
?assign@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV12@PBDI@Z
?_Grow@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@AAE_NI_N@Z
?_Refcnt@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@AAEAAEPBD@Z
?_Eos@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@AAEXI@Z

ws2_32

WSAStartup
WSAIoctl
setsockopt
connect
htons
gethostbyname
socket
closesocket
select
send
inet_addr
sendto
WSASocketA
htonl
getsockname
gethostname
recv

urlmon

URLDownloadToFileA

netapi32

NetLocalGroupAddMembers
NetUserAdd

Sections

.text
Size: 396KB - Virtual size: 395KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rodata
Size: 12KB - Virtual size: 10KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rdata
Size: 40KB - Virtual size: 39KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.data
Size: 12KB - Virtual size: 470KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.rsrc
Size: 32KB - Virtual size: 32KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

Sharing

General

Malware Config

Signatures

Files

724b4e2e7801b449d37cc8063e630057

Headers

File Characteristics

Imports

msvcrt

kernel32

user32

gdi32

advapi32

shell32

ole32

oleaut32

winmm

msvcp60

ws2_32

urlmon

netapi32

Sections

.text Size: 396KB - Virtual size: 395KB

.rodata Size: 12KB - Virtual size: 10KB

.rdata Size: 40KB - Virtual size: 39KB

.data Size: 12KB - Virtual size: 470KB

.rsrc Size: 32KB - Virtual size: 32KB

.text
Size: 396KB - Virtual size: 395KB

.rodata
Size: 12KB - Virtual size: 10KB

.rdata
Size: 40KB - Virtual size: 39KB

.data
Size: 12KB - Virtual size: 470KB

.rsrc
Size: 32KB - Virtual size: 32KB