gh0strat | 1ade9c478700d293853985754d5c8f89_JaffaCakes118

Sharing

Copy URL Twitter E-mail

General

Target

1ade9c478700d293853985754d5c8f89_JaffaCakes118
Size

153KB
MD5

1ade9c478700d293853985754d5c8f89
SHA1

f07c941c12f1430cbfb71eb5347cd2d2bed30a9c
SHA256

74319aa3c9c52db235ed20a569def6d5437ae58578cfc53b3fbd5a737394ee49
SHA512

bb8bedc4f873043def86e48bcf65571d2cfe0fafbed7b21e7a3a700b9baf8e15e8320ea780f914c8d5b9e9bf2b2fbb0b1d9d9bf8e75d71876ac68e35d93bafb9
SSDEEP

3072:9/r3endTMB099fWYeZsRfn3nVKVTBftPj47kJ/M:5rOdIiT88/8VTBlPBM

Score

10^/10

gh0strat

Malware Config

Signatures

Gh0st RAT payload 1 IoCs

resource	yara_rule
sample	family_gh0strat

Gh0strat family
gh0strat

Unsigned PE 1 IoCs

Checks for missing Authenticode signature.

resource
1ade9c478700d293853985754d5c8f89_JaffaCakes118

Files

1ade9c478700d293853985754d5c8f89_JaffaCakes118
.dll regsvr32 windows:4 windows x86 arch:x86

204b9f7a15f434afc6ed4fe5c5628116

Headers

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LINE_NUMS_STRIPPED
IMAGE_FILE_LOCAL_SYMS_STRIPPED
IMAGE_FILE_32BIT_MACHINE
IMAGE_FILE_DLL

Imports

user32

LoadCursorA
DestroyCursor
GetCursorInfo
GetClassNameA
GetWindow
ShowWindow
GetWindowRect
CreateWindowExA
DestroyWindow
CloseWindowStation
MessageBoxA
wvsprintfA
wsprintfA

kernel32

RaiseException
GetCurrentProcessId
GetPrivateProfileSectionNamesA
GetPrivateProfileStringA
IsBadStringPtrW
IsBadReadPtr
ExitThread
RemoveDirectoryA
DeleteFileA
GetTempFileNameA
lstrlenA
lstrcpyA
CloseHandle
lstrcmpiA
GetVersionExA
GetCurrentThreadId
GetProcAddress
GetTickCount
LocalFree
LocalSize
LocalAlloc
Sleep
LocalReAlloc
GetLastError
GetCurrentProcess
InitializeCriticalSection
VirtualFree
LeaveCriticalSection
VirtualAlloc
ExpandEnvironmentStringsA
lstrcatA
GetModuleHandleA
GetLocalTime
GlobalUnlock
GlobalLock
GlobalSize
HeapFree
GetProcessHeap
MapViewOfFile
CreateFileMappingA
GetShortPathNameA
HeapAlloc
ExitProcess
GetSystemDirectoryA
GetExitCodeProcess
GetModuleFileNameA
SetUnhandledExceptionFilter
FormatMessageA
VirtualQuery
IsBadWritePtr
InterlockedExchange
GlobalFree
GlobalAlloc
InterlockedDecrement
InterlockedIncrement
LoadLibraryA
lstrcmpA
VirtualProtect
MultiByteToWideChar
SetEnvironmentVariableA
GetTempPathA
GetLongPathNameA
FreeLibrary
WideCharToMultiByte
GetSystemInfo
GetProcessTimes
GlobalMemoryStatusEx

advapi32

RegOpenKeyExW

msvcrt

strncpy
_adjust_fdiv
_initterm
??1type_info@@UAE@XZ
_onexit
__dllonexit
_wcsicmp
_memicmp
_strupr
_strlwr
strncat
__CxxFrameHandler
??3@YAXPAX@Z
??2@YAPAXI@Z
_beginthreadex
_except_handler3
memmove
ceil
_ftol
strstr
free
malloc
strrchr
wcstombs
rand
srand
strchr
realloc
_CxxThrowException
wcsrchr
wcslen
atoi

Exports

Exports

??0CDRMLiteCrypto@@QAE@XZ
??1CDRMLiteCrypto@@QAE@XZ
?BackupLicenses@CDRMLiteCrypto@@QAEJKPAGPAUIUnknown@@PAHPAX@Z
?CreatePMLicenseForJD@CDRMLiteCrypto@@QAEJPBDPAEKPAUPMLICENSE@@1@Z
?EncryptFast@CDRMLiteCrypto@@QAEJPBDKPAE1@Z
?EncryptIndirectFast@CDRMLiteCrypto@@QAEJPBDKPAE1@Z
?GenerateNewLicenseEx@CDRMLiteCrypto@@QAEJKPAE00PAPAD10@Z
?GetLicenses@CDRMLiteCrypto@@QAEJPBDPAUPMLICENSE@@PAKKPAX2PAE@Z
?GetPublicKey@CDRMLiteCrypto@@QAEJPAUPKCERT@@@Z
?QueryXferToJD@CDRMLiteCrypto@@QAEJPBDPAEK1@Z
?QueryXferToPMEx@CDRMLiteCrypto@@QAEJPBDKPAKPAEK2K12@Z
?RestoreLicenses@CDRMLiteCrypto@@QAEJKPAEPAGPAUIUnknown@@PAHPAX@Z
Bind
BindEx
CanDecrypt
CanDecryptEx
CreatePMLicense
Decrypt
DllMain
DllRegisterServer
DllUnregisterServer
Encrypt
GenerateNewLicense
GetPMLicenseFileName
GetPMLicenseSize
GetVersion
InitAppCerts
KeyExchange
ProcessResponse
QueryXferToPM
RequestLicense
SetAppSec
SetLicenseStore

Sections

.text
Size: 100KB - Virtual size: 97KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.rdata
Size: 24KB - Virtual size: 21KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.data
Size: 12KB - Virtual size: 17KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.rsrc
Size: 4KB - Virtual size: 3KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.reloc
Size: 8KB - Virtual size: 7KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ

Sharing

General

Malware Config

Signatures

Files

204b9f7a15f434afc6ed4fe5c5628116

Headers

File Characteristics

Imports

user32

kernel32

advapi32

msvcrt

Exports

Exports

Sections

.text Size: 100KB - Virtual size: 97KB

.rdata Size: 24KB - Virtual size: 21KB

.data Size: 12KB - Virtual size: 17KB

.rsrc Size: 4KB - Virtual size: 3KB

.reloc Size: 8KB - Virtual size: 7KB

.text
Size: 100KB - Virtual size: 97KB

.rdata
Size: 24KB - Virtual size: 21KB

.data
Size: 12KB - Virtual size: 17KB

.rsrc
Size: 4KB - Virtual size: 3KB

.reloc
Size: 8KB - Virtual size: 7KB