gh0strat | 075bd953ecc9a3e90b136b402ade7c11_JaffaCakes118

Sharing

Copy URL Twitter E-mail

General

Target

075bd953ecc9a3e90b136b402ade7c11_JaffaCakes118
Size

152KB
MD5

075bd953ecc9a3e90b136b402ade7c11
SHA1

2adf0a72e1e0a29e158d00405729df4a1be11ddf
SHA256

e16fccd46b697d590d4adb6848cdf3c79159d5d8a9368f216fd52516f6f1a800
SHA512

bcf31a9d25ab27edbfc79db7891d980fba0401dd4cd06fa6405dae7f72b1a94f56ec71eb3def1753231968885e31db272132aa5a9b01a864a0cff4c18d4564ae
SSDEEP

3072:e+vab7k1kK+7WdkyUYZzSISi933aXHscBTBftN3MPw2r/2:e61kK++amnVcBTBlN3Mw

Score

10^/10

gh0strat

Malware Config

Signatures

Gh0st RAT payload 1 IoCs

resource	yara_rule
sample	family_gh0strat

Gh0strat family
gh0strat

Unsigned PE 1 IoCs

Checks for missing Authenticode signature.

resource
075bd953ecc9a3e90b136b402ade7c11_JaffaCakes118

Files

075bd953ecc9a3e90b136b402ade7c11_JaffaCakes118
.dll regsvr32 windows:4 windows x86 arch:x86

4c04529bc4481a75cc73b3559e618647

Headers

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LINE_NUMS_STRIPPED
IMAGE_FILE_LOCAL_SYMS_STRIPPED
IMAGE_FILE_32BIT_MACHINE
IMAGE_FILE_DLL

Imports

advapi32

RegOpenKeyExW

kernel32

InitializeCriticalSection
VirtualFree
LeaveCriticalSection
VirtualAlloc
ExpandEnvironmentStringsA
GetLastError
lstrcpyA
lstrlenA
CloseHandle
lstrcatA
LocalFree
LocalReAlloc
LocalAlloc
GetTickCount
ExitProcess
GetSystemDirectoryA
Sleep
GetExitCodeProcess
GetModuleFileNameA
SetUnhandledExceptionFilter
GetLocalTime
FormatMessageA
GetModuleHandleA
VirtualQuery
IsBadWritePtr
lstrcmpiA
GlobalUnlock
GlobalLock
GlobalSize
HeapFree
GetProcessHeap
MapViewOfFile
CreateFileMappingA
GetShortPathNameA
HeapAlloc
GetProcAddress
LocalSize
InterlockedExchange
FreeLibrary
MultiByteToWideChar
WideCharToMultiByte
lstrcmpA
GetPrivateProfileStringA
GetPrivateProfileSectionNamesA
GetVersionExA
GetCurrentThreadId
GetTempFileNameA
GlobalFree
GlobalAlloc
GetCurrentProcess
GetCurrentProcessId
VirtualProtect
SetEnvironmentVariableA
GetTempPathA
GetLongPathNameA
InterlockedDecrement
InterlockedIncrement
GetSystemInfo
GetProcessTimes
GlobalMemoryStatusEx
DeleteFileA
RemoveDirectoryA
ExitThread
IsBadReadPtr
IsBadStringPtrW
RaiseException
LoadLibraryA

user32

CloseWindowStation
GetWindowRect
ShowWindow
GetWindow
GetClassNameA
DestroyWindow
CreateWindowExA
GetCursorInfo
DestroyCursor
LoadCursorA
MessageBoxA
wsprintfA
wvsprintfA

msvcrt

_adjust_fdiv
_initterm
??1type_info@@UAE@XZ
_onexit
__dllonexit
_strlwr
_wcsicmp
_memicmp
_strupr
wcstombs
??3@YAXPAX@Z
memmove
ceil
_ftol
strstr
__CxxFrameHandler
free
malloc
_except_handler3
strrchr
??2@YAPAXI@Z
strchr
strncat
strncpy
rand
srand
wcsrchr
_CxxThrowException
wcslen
_beginthreadex
realloc
atoi

Exports

Exports

??0CDRMLiteCrypto@@QAE@XZ
??1CDRMLiteCrypto
?BackupLicenses
?CreatePMLicenseForJD@CDRMLiteCrypto@@QAEJPBDPAEKPAUPMLICENSE@@1@Z
?EncryptFast@CDRMLiteCrypto@@QAEJPBDKPAE1@Z
?EncryptIndirectFast@CDRMLiteCrypto@@QAEJPBDKPAE1@Z
?GenerateNewLicenseEx@CDRMLiteCrypto@@QAEJKPAE00PAPAD10@Z
?GetLicenses@CDRMLiteCrypto@@QAEJPBDPAUPMLICENSE@@PAKKPAX2PAE@Z
?GetPublicKey@CDRMLiteCrypto@@QAEJPAUPKCERT@@@Z
?QueryXferToJD@CDRMLiteCrypto@@QAEJPBDPAEK1@Z
?QueryXferToPMEx@CDRMLiteCrypto@@QAEJPBDKPAKPAEK2K12@Z
?RestoreLicenses
Bind
BindEx
CanDecrypt
CanDecryptEx
CreatePMLicense
Decrypt
DllMain
DllRegisterServer
DllUnregisterServer
Encrypt
GenerateNewLicense
GetPMLicenseFileName
GetPMLicenseSize
GetVersion
InitAppCerts
KeyExchange
ProcessResponse
QueryXferToPM
RequestLicense
SetAppSec
SetLicenseStore

Sections

.text
Size: 100KB - Virtual size: 97KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.rdata
Size: 24KB - Virtual size: 21KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.data
Size: 12KB - Virtual size: 17KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.rsrc
Size: 4KB - Virtual size: 3KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.reloc
Size: 8KB - Virtual size: 7KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ

Sharing

General

Malware Config

Signatures

Files

4c04529bc4481a75cc73b3559e618647

Headers

File Characteristics

Imports

advapi32

kernel32

user32

msvcrt

Exports

Exports

Sections

.text Size: 100KB - Virtual size: 97KB

.rdata Size: 24KB - Virtual size: 21KB

.data Size: 12KB - Virtual size: 17KB

.rsrc Size: 4KB - Virtual size: 3KB

.reloc Size: 8KB - Virtual size: 7KB

.text
Size: 100KB - Virtual size: 97KB

.rdata
Size: 24KB - Virtual size: 21KB

.data
Size: 12KB - Virtual size: 17KB

.rsrc
Size: 4KB - Virtual size: 3KB

.reloc
Size: 8KB - Virtual size: 7KB