gh0strat | 00804ad3d9997a7e00edc0f56d767526_JaffaCakes118

Sharing

Copy URL Twitter E-mail

General

Target

00804ad3d9997a7e00edc0f56d767526_JaffaCakes118
Size

95KB
MD5

00804ad3d9997a7e00edc0f56d767526
SHA1

7abb14299094906f2ae798af9353c9b7ec3ab224
SHA256

3c6f00137125387ead68c229170c516293e79928234f5d59014f715f78b9b6f3
SHA512

43a231a3102c60e36bd932de01649cfafed5e22ceb2a9512240c99238594903d3efe4dc7c3de19bff47a4dd4d042b881ce2d2951ec11cc3454721ac60ac4028f
SSDEEP

1536:rHTiKFO71SElm5hAJVcs1+fBms9ZPXuPAYwb40DID3ct5:rTkRSE85qJVn14BmsDPXuPAYwb40DIDs

Score

10^/10

gh0strat

Malware Config

Signatures

Gh0st RAT payload 1 IoCs

resource	yara_rule
sample	family_gh0strat

Gh0strat family
gh0strat

Unsigned PE 1 IoCs

Checks for missing Authenticode signature.

resource
00804ad3d9997a7e00edc0f56d767526_JaffaCakes118

Files

00804ad3d9997a7e00edc0f56d767526_JaffaCakes118
.dll windows:4 windows x86 arch:x86

29ec32824a6685ff0ea878e5ad1128b7

Headers

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LINE_NUMS_STRIPPED
IMAGE_FILE_LOCAL_SYMS_STRIPPED
IMAGE_FILE_32BIT_MACHINE
IMAGE_FILE_DLL

Imports

user32

IsWindow
CloseWindow
CreateWindowExA
PostMessageA
OpenDesktopA
DispatchMessageA
GetUserObjectInformationA
OpenInputDesktop
SetThreadDesktop
CloseDesktop
EnumWindows
IsWindowVisible
GetWindowThreadProcessId
ExitWindowsEx
GetProcessWindowStation
OpenWindowStationA
SetProcessWindowStation
GetThreadDesktop
GetCursorInfo
ReleaseDC
GetDesktopWindow
GetDC
SetRect
GetSystemMetrics
GetClipboardData
OpenClipboard
EmptyClipboard
SetClipboardData
CloseClipboard
mouse_event
SetCursorPos
WindowFromPoint
SetCapture
MapVirtualKeyA
keybd_event
SendMessageA
SystemParametersInfoA
BlockInput
DestroyCursor
LoadCursorA
UnhookWindowsHookEx
SetWindowsHookExA
CallNextHookEx
GetKeyNameTextA
GetActiveWindow
GetWindowTextA
wsprintfA
CharNextA
GetMessageA
TranslateMessage
GetCursorPos

gdi32

GetDIBits
DeleteDC
DeleteObject
CreateCompatibleDC
CreateCompatibleBitmap
BitBlt
SelectObject
CreateDIBSection

advapi32

RegDeleteKeyA
RegQueryValueA
RegOpenKeyExA
SetServiceStatus
RegisterServiceCtrlHandlerA
StartServiceA
RegCreateKeyExA
CloseServiceHandle
RegDeleteValueA
RegEnumKeyExA
RegEnumValueA
InitializeSecurityDescriptor
AllocateAndInitializeSid
GetLengthSid
InitializeAcl
AddAccessAllowedAce
SetSecurityDescriptorDacl
FreeSid
OpenProcessToken
LookupPrivilegeValueA
AdjustTokenPrivileges
OpenEventLogA
ClearEventLogA
CloseEventLog
RegOpenKeyA
RegQueryValueExA
RegCreateKeyA
RegSetValueExA
OpenSCManagerA
OpenServiceA
QueryServiceStatus
ControlService
DeleteService
RegCloseKey

shell32

SHGetFileInfoA

shlwapi

SHDeleteKeyA

msvcrt

realloc
atoi
wcstombs
_beginthreadex
calloc
??1type_info@@UAE@XZ
_initterm
_adjust_fdiv
_strnicmp
strchr
strncat
strncpy
_except_handler3
malloc
free
_CxxThrowException
strstr
_ftol
ceil
memmove
__CxxFrameHandler
??3@YAXPAX@Z
??2@YAPAXI@Z
strrchr
_strcmpi

winmm

waveOutUnprepareHeader
waveOutClose
waveOutReset
waveInUnprepareHeader
waveInReset
waveInStop
waveOutWrite
waveInStart
waveInAddBuffer
waveInPrepareHeader
waveInOpen
waveInGetNumDevs
waveOutPrepareHeader
waveInClose
waveOutOpen
waveOutGetNumDevs

ws2_32

WSACleanup
WSAIoctl
WSAStartup
connect
gethostbyname
socket
ntohs
recv
closesocket
select
send
gethostname
getsockname
htons
setsockopt

msvcp60

?_Eos@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@AAEXI@Z
?npos@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@2IB
?_Xran@std@@YAXXZ
?_Split@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@AAEXXZ
?_Refcnt@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@AAEAAEPBD@Z
?_Grow@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@AAE_NI_N@Z
?assign@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV12@PBDI@Z
??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ
?_C@?1??_Nullstr@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@CAPBDXZ@4DB
?_Tidy@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@AAEX_N@Z

imm32

ImmGetContext
ImmReleaseContext
ImmGetCompositionStringA

wininet

InternetReadFile
InternetOpenUrlA
InternetOpenA
InternetCloseHandle

avicap32

capCreateCaptureWindowA
capGetDriverDescriptionA

msvfw32

ICClose
ICCompressorFree
ICSeqCompressFrameEnd
ICSendMessage
ICOpen
ICSeqCompressFrame
ICSeqCompressFrameStart

psapi

EnumProcessModules
GetModuleFileNameExA

kernel32

SetEvent
ResumeThread
CreateThread
EnterCriticalSection
VirtualAlloc
ResetEvent
lstrcpyA
InterlockedExchange
CancelIo
Sleep
DeleteFileA
GetLastError
CreateDirectoryA
GetFileAttributesA
lstrlenA
CreateProcessA
lstrcatA
GetDriveTypeA
GetDiskFreeSpaceExA
GetVolumeInformationA
GetLogicalDriveStringsA
FindClose
LocalFree
FindNextFileA
InitializeCriticalSection
FindFirstFileA
LocalAlloc
RemoveDirectoryA
GetFileSize
CreateFileA
ReadFile
SetFilePointer
WriteFile
MoveFileA
SetLastError
GetSystemDirectoryA
GetCurrentProcess
CreateRemoteThread
WriteProcessMemory
VirtualAllocEx
FreeLibrary
GetProcAddress
LoadLibraryA
OpenProcess
WaitForSingleObject
TerminateThread
CloseHandle
CreateEventA
MapViewOfFile
GetProcessHeap
GetTickCount
MoveFileExA
CreateFileMappingA
HeapAlloc
UnmapViewOfFile
GlobalFree
GlobalUnlock
DeleteCriticalSection
VirtualFree
GetLocalTime
LocalReAlloc
LeaveCriticalSection
GlobalLock
GlobalAlloc
GlobalSize
GetStartupInfoA
CreatePipe
DisconnectNamedPipe
TerminateProcess
PeekNamedPipe
WaitForMultipleObjects
GlobalMemoryStatus
GetVersionExA
SizeofResource
LoadResource
GetCurrentThreadId
lstrcmpiA
CreateToolhelp32Snapshot
Process32First
Process32Next
LocalSize
SetUnhandledExceptionFilter
CreateMutexA
SetErrorMode
OpenEventA
ReleaseMutex
FreeConsole
SetFileAttributesA
GetModuleHandleA
LoadLibraryExA
HeapFree
DeviceIoControl
FindResourceA

Exports

Exports

MyResetSSDT
MyTmpFun
ServiceMain

Sections

.text
Size: 63KB - Virtual size: 63KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rdata
Size: 13KB - Virtual size: 13KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.data
Size: 7KB - Virtual size: 8KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.rsrc
Size: 5KB - Virtual size: 5KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.reloc
Size: 4KB - Virtual size: 4KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ

Sharing

General

Malware Config

Signatures

Files

29ec32824a6685ff0ea878e5ad1128b7

Headers

File Characteristics

Imports

user32

gdi32

advapi32

shell32

shlwapi

msvcrt

winmm

ws2_32

msvcp60

imm32

wininet

avicap32

msvfw32

psapi

kernel32

Exports

Exports

Sections

.text Size: 63KB - Virtual size: 63KB

.rdata Size: 13KB - Virtual size: 13KB

.data Size: 7KB - Virtual size: 8KB

.rsrc Size: 5KB - Virtual size: 5KB

.reloc Size: 4KB - Virtual size: 4KB

.text
Size: 63KB - Virtual size: 63KB

.rdata
Size: 13KB - Virtual size: 13KB

.data
Size: 7KB - Virtual size: 8KB

.rsrc
Size: 5KB - Virtual size: 5KB

.reloc
Size: 4KB - Virtual size: 4KB