gh0strat | 2cf23326a5f61f107f2d1bdf7e85fdba_JaffaCakes118 | Triage

Sharing

Copy URL Twitter E-mail

General

Target

2cf23326a5f61f107f2d1bdf7e85fdba_JaffaCakes118
Size

120KB
MD5

2cf23326a5f61f107f2d1bdf7e85fdba
SHA1

ea128534414b8beb177055e27201e863b0ccc76a
SHA256

c16d45553c26a3a6f3250ed725414e4b5a9ab1c691698b5b88edc24cb2b401e4
SHA512

d39dfccbab53edeb781346bd4fa6bd6ab4b308b9c45786f5419d94cde69571a34e1c2eb00cff9ec2dddef7f97b008f3a44fa92d4493f2cd698189b5ce16cc4ed
SSDEEP

3072:H/IuirquePliRDnyhP+dIz9Q7vgrui6/ASwt2N4XkN:H/IuiGuePMR7yhWCGgiroSwcN42

Score

10^/10

gh0strat

Malware Config

Signatures

Gh0st RAT payload 1 IoCs

resource	yara_rule
sample	family_gh0strat

Gh0strat family
gh0strat

Unsigned PE 1 IoCs

Checks for missing Authenticode signature.

resource
2cf23326a5f61f107f2d1bdf7e85fdba_JaffaCakes118

Files

2cf23326a5f61f107f2d1bdf7e85fdba_JaffaCakes118
.exe windows:4 windows x86 arch:x86

1e3f8c72d24af7878ae0633b714f5431

Headers

File Characteristics

IMAGE_FILE_RELOCS_STRIPPED
IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LINE_NUMS_STRIPPED
IMAGE_FILE_LOCAL_SYMS_STRIPPED
IMAGE_FILE_32BIT_MACHINE

Imports

kernel32

Sleep
ReleaseMutex
CreateMutexA
GetCommandLineA
SetFileAttributesA
SetUnhandledExceptionFilter
GetSystemDirectoryA
GetCurrentThreadId
GetStartupInfoA
GetModuleHandleA
GetModuleFileNameA
CreateFileA
SetFilePointer
ReadFile
lstrcatA
GetLastError
SetLastError
lstrcmpiA
FreeLibrary
lstrcpyA
LoadResource
SetFileTime
SizeofResource
lstrlenA
CloseHandle
ExitProcess
GetWindowsDirectoryA
LoadLibraryA
GetProcAddress
CreateDirectoryA

user32

GetInputState
GetMessageA
wsprintfA
PostThreadMessageA

advapi32

OpenServiceA
StartServiceA
OpenSCManagerA
CreateServiceA
CloseServiceHandle
RegOpenKeyExA
RegQueryValueExA
RegCloseKey
RegSetValueExA
RegDeleteKeyA
RegCreateKeyExA
RegDeleteValueA

msvcrt

_XcptFilter
strtok
??2@YAPAXI@Z
strchr
realloc
malloc
__CxxFrameHandler
_CxxThrowException
_except_handler3
??3@YAXPAX@Z
strstr
??1type_info@@UAE@XZ
_exit
exit
_acmdln
__getmainargs
_initterm
__setusermatherr
_adjust_fdiv
__p__commode
__p__fmode
__set_app_type
_controlfp

Sections

.text
Size: 8KB - Virtual size: 7KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.rsrc
Size: 111KB - Virtual size: 111KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ