gh0strat | 0f5a3fcf093a69ee316acd6c2dac8f1b_JaffaCakes118 | Triage

Sharing

Copy URL Twitter E-mail

General

Target

0f5a3fcf093a69ee316acd6c2dac8f1b_JaffaCakes118
Size

528KB
MD5

0f5a3fcf093a69ee316acd6c2dac8f1b
SHA1

40ebeb5d1a1eaf8141216d580dc6ac6112909041
SHA256

2b850002a1d9d3ab035c6283a3a4166d224c9639e0b795da23215e58f746fcff
SHA512

474ab23b75637b17cfc562bf83f52c5f4370e13e687008648b4290dbcb0c6410cb0d6a9b0b108ad925162c11ed5f65f86d4b974e6cdc01af44f94f30e4a873ba
SSDEEP

12288:HhjtZ8aY5Vwwx/Hr+T8fdMtWQMk10sTxUM5jDGC:HJw9Vwwx/Hr+T8fdMxMs0sxUM5jDn

Score

10^/10

gh0strat

Malware Config

Signatures

Gh0st RAT payload 1 IoCs

resource	yara_rule
sample	family_gh0strat

Gh0strat family
gh0strat

Unsigned PE 1 IoCs

Checks for missing Authenticode signature.

resource
0f5a3fcf093a69ee316acd6c2dac8f1b_JaffaCakes118

Files

0f5a3fcf093a69ee316acd6c2dac8f1b_JaffaCakes118
.exe windows:4 windows x86 arch:x86

def55d2932db7659d3d5e41a25eec01f

Headers

File Characteristics

IMAGE_FILE_RELOCS_STRIPPED
IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LINE_NUMS_STRIPPED
IMAGE_FILE_LOCAL_SYMS_STRIPPED
IMAGE_FILE_32BIT_MACHINE

Imports

msvcrt

_controlfp
__set_app_type
__p__fmode
__p__commode
_adjust_fdiv
__setusermatherr
_initterm
__getmainargs
_acmdln
exit
_XcptFilter
_exit
strstr
_except_handler3
??2@YAPAXI@Z
??3@YAXPAX@Z

kernel32

CloseHandle
GetStartupInfoA
GetModuleHandleA
GetLastError
RaiseException
InterlockedExchange
LocalAlloc
FreeLibrary
GetLocalTime
WritePrivateProfileStringA
CreateDirectoryA
Sleep
GetModuleFileNameA
CopyFileA
ExitProcess
DeleteFileA
SetLastError
lstrcpyA
GetProcAddress
LoadLibraryA
SetFileAttributesA
lstrlenA
GetCurrentProcess

Sections

.text
Size: 8KB - Virtual size: 6KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rdata
Size: 4KB - Virtual size: 1KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.data
Size: 4KB - Virtual size: 1KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.rsrc
Size: 508KB - Virtual size: 505KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ