gh0strat | 2cdd620ccc8c4f162a501aa30cabdc32_JaffaCakes118

Sharing

Copy URL Twitter E-mail

General

Target

2cdd620ccc8c4f162a501aa30cabdc32_JaffaCakes118
Size

152KB
MD5

2cdd620ccc8c4f162a501aa30cabdc32
SHA1

4d29758fb71e31abd1d90c96123149b45eba61c1
SHA256

8d600223e48ba2bf0bc424c583f8059ffe9baa91b30fc9da9860e2330f1055dc
SHA512

be38677393746c51c4a889aed4c5d028c2a1b46913ef2ebd28fb9e2d9fc023acf4f1c00a50da5f78d4c1e09d8d33f7a964c0eb0a0d6ca92cb80006d370f612a0
SSDEEP

3072:IEtNKpBER/fYMxspKhKMGqXu7PMC1HTBftiOjSn:Pt2+R/fxKpLN7PfHTBlLSn

Score

10^/10

gh0strat

Malware Config

Signatures

Gh0st RAT payload 1 IoCs

resource	yara_rule
sample	family_gh0strat

Gh0strat family
gh0strat

Unsigned PE 1 IoCs

Checks for missing Authenticode signature.

resource
2cdd620ccc8c4f162a501aa30cabdc32_JaffaCakes118

Files

2cdd620ccc8c4f162a501aa30cabdc32_JaffaCakes118
.dll windows:4 windows x86 arch:x86

3491e401a46f6835c6434de4570f7ab5

Headers

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LINE_NUMS_STRIPPED
IMAGE_FILE_LOCAL_SYMS_STRIPPED
IMAGE_FILE_32BIT_MACHINE
IMAGE_FILE_DLL

Imports

shell32

SHFileOperationA

ole32

CoUninitialize
CoCreateInstance
CoTaskMemFree
CoInitialize

kernel32

RaiseException
GetPrivateProfileStringA
GetModuleHandleA
lstrcmpA
lstrcatA
GetProcAddress
CloseHandle
Sleep
lstrcpyA
lstrlenA
GetSystemInfo
GetVersionExA
GetProcessTimes
GetCurrentProcess
GlobalMemoryStatusEx
GetTickCount
GetSystemDirectoryA
GetCommandLineA
HeapFree
GetProcessHeap
VirtualFree
HeapAlloc
DeleteFileA
RemoveDirectoryA
ExitThread
GetShortPathNameA
GetModuleFileNameA
IsBadReadPtr
IsBadStringPtrW
lstrcmpiA
GetCurrentThreadId
InterlockedExchange
WinExec
VirtualQuery
GetCurrentProcessId
VirtualAlloc
GetLastError
GetFileAttributesExA
MultiByteToWideChar
SetEnvironmentVariableA
GetTempPathA
GetLongPathNameA
ExitProcess
LocalFree
LocalReAlloc
LocalSize
LocalAlloc
SetUnhandledExceptionFilter
GetLocalTime
FormatMessageA
IsBadWritePtr
GlobalFree
GlobalUnlock
GlobalLock
GlobalAlloc
GlobalSize
FreeLibrary
InitializeCriticalSection
LeaveCriticalSection
GetTempFileNameA
WideCharToMultiByte
ExpandEnvironmentStringsA
LoadLibraryA
GetPrivateProfileSectionNamesA
MapViewOfFile
CreateFileMappingA

oleaut32

SysFreeString

advapi32

QueryServiceStatusEx
RegOpenKeyExW
RegisterServiceCtrlHandlerExA

shlwapi

SHDeleteKeyA

userenv

GetUserProfileDirectoryA
GetProfilesDirectoryA

iphlpapi

GetAdaptersInfo

ws2_32

socket
connect
select
recv
WSAStartup
shutdown
closesocket
gethostbyname
getsockname
gethostname
WSACleanup
WSAIoctl
setsockopt
send

msvcrt

strstr
rand
atoi
strncpy
_adjust_fdiv
_initterm
_onexit
__dllonexit
_strupr
_memicmp
_stricmp
_wcsicmp
_strlwr
wcslen
atol
free
ceil
wcsrchr
malloc
realloc
memmove
strrchr
strncat
_beginthreadex
wcstombs
_except_handler3
_ftol
strchr
??3@YAXPAX@Z
__CxxFrameHandler
??2@YAPAXI@Z
srand

Exports

Exports

ATMAddFont
ATMAddFontA
ATMAddFontEx
ATMAddFontExA
ATMAddFontExW
ATMAddFontW
ATMBBoxBaseXYShowText
ATMBBoxBaseXYShowTextA
ATMBBoxBaseXYShowTextW
ATMBeginFontChange
ATMClient
ATMEndFontChange
ATMEnumFonts
ATMEnumFontsA
ATMEnumFontsW
ATMEnumMMFonts
ATMEnumMMFontsA
ATMEnumMMFontsW
ATMFinish
ATMFontAvailable
ATMFontAvailableA
ATMFontAvailableW
ATMFontSelected
ATMFontStatus
ATMFontStatusA
ATMFontStatusW
ATMForceFontChange
ATMGetBuildStr
ATMGetBuildStrA
ATMGetBuildStrW
ATMGetFontBBox
ATMGetFontInfo
ATMGetFontInfoA
ATMGetFontInfoW
ATMGetFontPaths
ATMGetFontPathsA
ATMGetFontPathsW
ATMGetGlyphList
ATMGetGlyphListA
ATMGetGlyphListW
ATMGetMenuName
ATMGetMenuNameA
ATMGetMenuNameW
ATMGetNtmFields
ATMGetNtmFieldsA
ATMGetNtmFieldsW
ATMGetOutline
ATMGetOutlineA
ATMGetOutlineW
ATMGetPostScriptName

Sections

.text
Size: 100KB - Virtual size: 99KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.rdata
Size: 24KB - Virtual size: 20KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.data
Size: 12KB - Virtual size: 17KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.rsrc
Size: 4KB - Virtual size: 294B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.reloc
Size: 8KB - Virtual size: 7KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ

Sharing

General

Malware Config

Signatures

Files

3491e401a46f6835c6434de4570f7ab5

Headers

File Characteristics

Imports

shell32

ole32

kernel32

oleaut32

advapi32

shlwapi

userenv

iphlpapi

ws2_32

msvcrt

Exports

Exports

Sections

.text Size: 100KB - Virtual size: 99KB

.rdata Size: 24KB - Virtual size: 20KB

.data Size: 12KB - Virtual size: 17KB

.rsrc Size: 4KB - Virtual size: 294B

.reloc Size: 8KB - Virtual size: 7KB

.text
Size: 100KB - Virtual size: 99KB

.rdata
Size: 24KB - Virtual size: 20KB

.data
Size: 12KB - Virtual size: 17KB

.rsrc
Size: 4KB - Virtual size: 294B

.reloc
Size: 8KB - Virtual size: 7KB