gh0strat | 185643f147b9f31ee247eaff4e205952_JaffaCakes118

Sharing

Copy URL Twitter E-mail

General

Target

185643f147b9f31ee247eaff4e205952_JaffaCakes118
Size

112KB
MD5

185643f147b9f31ee247eaff4e205952
SHA1

187a5f20826f9249ac5f512d3cc2aa74fbab6c52
SHA256

69c169d1d2f44a2c8c88e781a7a87fa4f67aae76f4b654bf680553e3759521fd
SHA512

f4fb01b102ac9fb5bdacd23a151130048c56ef0967a225e232f52393ccfbe1924a94baf2534c277c5d7db206bb092651362ae29bc6bd65de7ea7fd563e21badf
SSDEEP

3072:Kci9rW8Y0x7KTTiHJWS45aFgst+cwQKSi/Bw:qrW8nx7KTGHJrR1+JrSi/e

Score

10^/10

gh0strat

Malware Config

Signatures

Gh0st RAT payload 1 IoCs

resource	yara_rule
sample	family_gh0strat

Gh0strat family
gh0strat

Unsigned PE 1 IoCs

Checks for missing Authenticode signature.

resource
185643f147b9f31ee247eaff4e205952_JaffaCakes118

Files

185643f147b9f31ee247eaff4e205952_JaffaCakes118
.dll windows:4 windows x86 arch:x86

fae11e3ee92f2c4eb5c72fefede6c2d6

Headers

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LINE_NUMS_STRIPPED
IMAGE_FILE_LOCAL_SYMS_STRIPPED
IMAGE_FILE_32BIT_MACHINE
IMAGE_FILE_DLL

Imports

kernel32

GetProcAddress
LoadLibraryA
ResetEvent
lstrcpyA
InterlockedExchange
CancelIo
Sleep
lstrlenA
GetPrivateProfileSectionNamesA
lstrcatA
FreeLibrary
MultiByteToWideChar
WideCharToMultiByte
lstrcmpA
GetPrivateProfileStringA
GetVersionExA
DeleteFileA
GetLastError
CreateDirectoryA
GetFileAttributesA
CreateProcessA
GetDiskFreeSpaceExA
FindClose
LocalFree
FindNextFileA
LocalReAlloc
FindFirstFileA
LocalAlloc
RemoveDirectoryA
GetFileSize
CreateFileA
ReadFile
SetFilePointer
WriteFile
MoveFileA
GetModuleFileNameA
SetLastError
GetSystemDirectoryA
GetCurrentProcess
VirtualAlloc
WriteProcessMemory
VirtualAllocEx
OpenProcess
GetWindowsDirectoryA
MoveFileExA
GetLocalTime
GetTickCount
HeapFree
GetProcessHeap
MapViewOfFile
CreateFileMappingA
HeapAlloc
UnmapViewOfFile
GlobalFree
GlobalUnlock
GlobalLock
GlobalAlloc
GlobalSize
GetStartupInfoA
CreatePipe
DisconnectNamedPipe
TerminateProcess
PeekNamedPipe
WaitForMultipleObjects
DeviceIoControl
GlobalMemoryStatus
OpenEventA
SetErrorMode
SetUnhandledExceptionFilter
SleepEx
FreeConsole
LocalSize
Process32Next
Process32First
CreateToolhelp32Snapshot
lstrcmpiA
GetCurrentThreadId
EnterCriticalSection
LeaveCriticalSection
VirtualFree
DeleteCriticalSection
InitializeCriticalSection
CreateThread
ResumeThread
SetEvent
WaitForSingleObject
RaiseException
TerminateThread
CloseHandle
CreateRemoteThread
CreateEventA

gdi32

BitBlt
CreateDIBSection
CreateCompatibleDC
CreateCompatibleBitmap
GetDIBits
SelectObject
DeleteDC
DeleteObject

msvcrt

_errno
strtok
strncat
realloc
wcstombs
_beginthreadex
strncmp
??1type_info@@UAE@XZ
_initterm
_adjust_fdiv
atoi
strncpy
strrchr
_ftol
_except_handler3
free
malloc
strchr
_CxxThrowException
strstr
calloc
ceil
memmove
__CxxFrameHandler
??3@YAXPAX@Z
_strnicmp
??2@YAPAXI@Z
_strcmpi

msvcp60

?assign@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV12@PBDI@Z
?npos@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@2IB
?_Xran@std@@YAXXZ
?_Split@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@AAEXXZ
?_Eos@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@AAEXI@Z
?_Refcnt@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@AAEAAEPBD@Z
?_Grow@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@AAE_NI_N@Z
??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ
?_C@?1??_Nullstr@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@CAPBDXZ@4DB
?_Tidy@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@AAEX_N@Z

imm32

ImmGetContext
ImmReleaseContext
ImmGetCompositionStringA

msvfw32

ICOpen
ICClose
ICCompressorFree
ICSeqCompressFrameEnd
ICSendMessage
ICSeqCompressFrame
ICSeqCompressFrameStart

wtsapi32

WTSQueryUserToken
WTSQuerySessionInformationA
WTSFreeMemory

Exports

Exports

ServiMain
ServiceMain
aaaaaaaaaaaa
bbbbbbbbbbbb
cccccccccccc
zzzzzzzzzzzzz

Sections

ddata
Size: 104KB - Virtual size: 103KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.rsrc
Size: 512B - Virtual size: 192B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.reloc
Size: 6KB - Virtual size: 6KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ

Sharing

General

Malware Config

Signatures

Files

fae11e3ee92f2c4eb5c72fefede6c2d6

Headers

File Characteristics

Imports

kernel32

gdi32

msvcrt

msvcp60

imm32

msvfw32

wtsapi32

Exports

Exports

Sections

ddata Size: 104KB - Virtual size: 103KB

.rsrc Size: 512B - Virtual size: 192B

.reloc Size: 6KB - Virtual size: 6KB

ddata
Size: 104KB - Virtual size: 103KB

.rsrc
Size: 512B - Virtual size: 192B

.reloc
Size: 6KB - Virtual size: 6KB