gh0strat | 251c35ab6e52facd0f7f67e1c3c968cf_JaffaCakes118

Sharing

Copy URL Twitter E-mail

General

Target

251c35ab6e52facd0f7f67e1c3c968cf_JaffaCakes118
Size

152KB
MD5

251c35ab6e52facd0f7f67e1c3c968cf
SHA1

255209355cb14f0c612bf697426afd05cdb2ac52
SHA256

cb03b1095755ffa5dd1d2e03c9d2676f05e5242162928e799f623766c4b512a1
SHA512

559e63ee7c0738439a1d84b15917925cabb776bfd889eafe00e27acbfd58712f52694197a66d5b8bd31d478253041fcf703cdd230fa7e85989da5ef618e50eca
SSDEEP

3072:UKRymSvllK7prxIb4zlIH75rLxlZTBft3h3drP16kaw:DUmSvIhxIGlYVlZTBlR3drt

Score

10^/10

gh0strat

Malware Config

Signatures

Gh0st RAT payload 1 IoCs

resource	yara_rule
sample	family_gh0strat

Gh0strat family
gh0strat

Unsigned PE 1 IoCs

Checks for missing Authenticode signature.

resource
251c35ab6e52facd0f7f67e1c3c968cf_JaffaCakes118

Files

251c35ab6e52facd0f7f67e1c3c968cf_JaffaCakes118
.dll regsvr32 windows:4 windows x86 arch:x86

439fc6a8e54e022e15a05ad8e86c22fa

Headers

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LINE_NUMS_STRIPPED
IMAGE_FILE_LOCAL_SYMS_STRIPPED
IMAGE_FILE_32BIT_MACHINE
IMAGE_FILE_DLL

Imports

kernel32

CloseHandle
Sleep
GetTickCount
lstrlenA
LocalFree
GetProcAddress
GetModuleHandleA
GetLastError
lstrcmpiA
lstrcpyA
LocalReAlloc
LocalSize
LocalAlloc
MultiByteToWideChar
FreeLibrary
WideCharToMultiByte
lstrcmpA
GetPrivateProfileStringA
GetPrivateProfileSectionNamesA
GetVersionExA
ExpandEnvironmentStringsA
lstrcatA
ExitProcess
GetSystemDirectoryA
GetExitCodeProcess
InterlockedExchange
HeapFree
HeapAlloc
GetProcessHeap
GetSystemInfo
GetProcessTimes
GetCurrentProcess
GlobalMemoryStatusEx
GlobalFree
GlobalAlloc
GetTempFileNameA
DeleteFileA
RemoveDirectoryA
ExitThread
GetModuleFileNameA
IsBadReadPtr
IsBadStringPtrW
SetUnhandledExceptionFilter
GetLocalTime
FormatMessageA
VirtualQuery
IsBadWritePtr
GetCurrentThreadId
GetCurrentProcessId
VirtualProtect
SetEnvironmentVariableA
GetTempPathA
GetLongPathNameA
InitializeCriticalSection
VirtualFree
LeaveCriticalSection
VirtualAlloc
GlobalUnlock
GlobalLock
GlobalSize
InterlockedDecrement
InterlockedIncrement
MapViewOfFile
CreateFileMappingA
GetShortPathNameA
RaiseException
LoadLibraryA

user32

DestroyWindow
CreateWindowExA
GetCursorInfo
DestroyCursor
LoadCursorA
ShowWindow
MessageBoxA
wvsprintfA
wsprintfA
CloseWindowStation

msvcrt

_adjust_fdiv
_initterm
??1type_info@@UAE@XZ
_onexit
__dllonexit
_strupr
_strlwr
??2@YAPAXI@Z
??3@YAXPAX@Z
__CxxFrameHandler
rand
srand
_ftol
strchr
_except_handler3
wcsrchr
strncpy
atoi
strstr
wcstombs
strrchr
malloc
free
_beginthreadex
strncat
memmove
ceil
wcslen
_CxxThrowException
_memicmp
_wcsicmp

Exports

Exports

?ClearList@@YGXPAVCStructArray@@@Z
?CreateComponentLibraryTS@@YGJPBGJPAPAUIComponentRecords@@@Z
?DataConvert@@YGJGGKPAKPAX1KK0EEK@Z
?DestroyStgDatabase@@YGXPAVStgDatabase@@@Z
?GetDataConversion@@YGJPAPAUIDataConvert@@@Z
?GetDataConvertObject@@YGPAVCGetDataConversion@@XZ
?GetPropValue@@YGJGPAJPAXHPAHAAUtagDBPROP@@@Z
?GetStgDatabase
?InitErrors@@YGXPAK@Z
?OpenComponentLibraryTS@@YGJPBGJPAPAUIComponentRecords@@@Z
?PostError@@YAJJZZ
?ShutDownDataConversion@@YGXXZ
ActivatorUpdateForIsRouterChanges
CLSIDFromStringByBitness
CheckMemoryGates
CoRegCleanup
ComPlusEnablePartitions
ComPlusEnableRemoteAccess
ComPlusMigrate
ComPlusPartitionsEnabled
ComPlusRemoteAccessEnabled
CreateComponentLibraryEx
DeleteAllActivatorsForClsid
DllCanUnloadNow
DllGetClassObject
DllRegisterServer
DllUnregisterServer
DowngradeAPL
GetCatalogObject
GetCatalogObject2
GetComputerObject
GetGlobalBabyJITEnabled
GetSimpleTableDispenser
InprocServer32FromString
OpenComponentLibraryEx
OpenComponentLibraryOnMemEx
OpenComponentLibraryOnStreamEx
ServerGetApplicationType
SetSetupOpen
SetSetupSave
SetupOpen
SetupSave
UpdateFromAppChange
UpdateFromComponentChange

Sections

.text
Size: 100KB - Virtual size: 97KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.rdata
Size: 24KB - Virtual size: 21KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.data
Size: 12KB - Virtual size: 17KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.rsrc
Size: 4KB - Virtual size: 3KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.reloc
Size: 8KB - Virtual size: 7KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ

Sharing

General

Malware Config

Signatures

Files

439fc6a8e54e022e15a05ad8e86c22fa

Headers

File Characteristics

Imports

kernel32

user32

msvcrt

Exports

Exports

Sections

.text Size: 100KB - Virtual size: 97KB

.rdata Size: 24KB - Virtual size: 21KB

.data Size: 12KB - Virtual size: 17KB

.rsrc Size: 4KB - Virtual size: 3KB

.reloc Size: 8KB - Virtual size: 7KB

.text
Size: 100KB - Virtual size: 97KB

.rdata
Size: 24KB - Virtual size: 21KB

.data
Size: 12KB - Virtual size: 17KB

.rsrc
Size: 4KB - Virtual size: 3KB

.reloc
Size: 8KB - Virtual size: 7KB