gh0strat | 31b2c0b7622626b7045ec79c09dccc58_JaffaCakes118

Sharing

Copy URL

Twitter E-mail

General

Target

31b2c0b7622626b7045ec79c09dccc58_JaffaCakes118
Size

152KB
MD5

31b2c0b7622626b7045ec79c09dccc58
SHA1

a139c425b2539a2acd52f44f746d102bc4692235
SHA256

5d102ede6ef7c89e9f4f9a36eb236d437a215a55701c26b83fed07f03acdb8a6
SHA512

7079d6f76d04a805a9e12553a2bf19021bedcdf330b40eb880eafad49eda58982eaf7c3f3bff18f676819eb6ee6a2106f8c1cbdc4b5435face42b739d5cb536a
SSDEEP

3072:YwvFIAbaSqviCI8NMQigKUWvSUfUFYmaYWjuzQJJTBft2A86pG:YwvFNbaSTbM3ukIjuzQJJTBl2A8

Score

10^/10

gh0strat

Malware Config

Signatures

Gh0st RAT payload 1 IoCs

resource	yara_rule
sample	family_gh0strat

Gh0strat family
gh0strat

Unsigned PE 1 IoCs

Checks for missing Authenticode signature.

resource
31b2c0b7622626b7045ec79c09dccc58_JaffaCakes118

Files

31b2c0b7622626b7045ec79c09dccc58_JaffaCakes118
.dll windows:4 windows x86 arch:x86

c5f0f6ae12a4de5d5c5df0062dd9e872

Headers

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LINE_NUMS_STRIPPED
IMAGE_FILE_LOCAL_SYMS_STRIPPED
IMAGE_FILE_32BIT_MACHINE
IMAGE_FILE_DLL

Imports

oleaut32

SysFreeString

user32

GetCursorInfo
CloseWindowStation
MessageBoxA
DestroyCursor
LoadCursorA
GetWindowRect
ShowWindow
GetWindow
GetClassNameA
wvsprintfA
DestroyWindow
CreateWindowExA
wsprintfA

shlwapi

StrStrIA

kernel32

MapViewOfFile
RaiseException
InterlockedIncrement
InterlockedDecrement
GetExitCodeProcess
ExitProcess
GetLongPathNameA
GetTempPathA
SetEnvironmentVariableA
GetCurrentProcessId
GetShortPathNameA
CreateFileMappingA
LoadLibraryA
VirtualAlloc
VirtualFree
IsBadWritePtr
CloseHandle
Sleep
GetProcAddress
GetModuleHandleA
InterlockedExchange
GlobalFree
GlobalUnlock
GlobalLock
GlobalAlloc
GlobalSize
lstrcatA
InitializeCriticalSection
GetTickCount
GetLastError
LeaveCriticalSection
HeapFree
HeapAlloc
GetProcessHeap
lstrlenA
GetSystemInfo
GetVersionExA
GetProcessTimes
GetCurrentProcess
GlobalMemoryStatusEx
FreeLibrary
GetTempFileNameA
lstrcpyA
GetSystemDirectoryA
DeleteFileA
RemoveDirectoryA
ExitThread
GetModuleFileNameA
IsBadReadPtr
IsBadStringPtrW
LocalFree
LocalSize
LocalAlloc
LocalReAlloc
GetCurrentThreadId
lstrcmpiA
ExpandEnvironmentStringsA
VirtualQuery
MultiByteToWideChar
WideCharToMultiByte
lstrcmpA
GetPrivateProfileStringA
GetPrivateProfileSectionNamesA
SetUnhandledExceptionFilter
GetLocalTime
FormatMessageA

ws2_32

gethostbyname
gethostname
connect
setsockopt
WSAIoctl
WSACleanup
WSAStartup
recv
select
closesocket
send
getsockname
shutdown
listen
bind
accept
ioctlsocket
__WSAFDIsSet
socket

iphlpapi

GetAdaptersInfo

userenv

GetProfilesDirectoryA
GetUserProfileDirectoryA

msvcrt

ceil
??3@YAXPAX@Z
__CxxFrameHandler
_onexit
__dllonexit
_adjust_fdiv
_initterm
??1type_info@@UAE@XZ
_strupr
_memicmp
_strlwr
_wcsicmp
_beginthreadex
strncat
wcsrchr
realloc
??2@YAPAXI@Z
memmove
wcslen
free
malloc
strrchr
wcstombs
strstr
srand
rand
atoi
_ftol
_CxxThrowException
strncpy
strchr
_except_handler3

Exports

Exports

CMP_Init_Detection
CMP_RegisterNotification
CMP_Report_LogOn
CMP_UnregisterNotification
CMP_WaitNoPendingInstallEvents
CMP_WaitServicesAvailable
CM_Add_Empty_Log_Conf
CM_Add_Empty_Log_Conf_Ex
CM_Add_IDA
CM_Add_IDW
CM_Add_ID_ExA
CM_Add_ID_ExW
CM_Add_Range
CM_Add_Res_Des
CM_Add_Res_Des_Ex
CM_Connect_MachineA
CM_Connect_MachineW
CM_Create_DevNodeA
CM_Create_DevNodeW
CM_Create_DevNode_ExA
CM_Create_DevNode_ExW
CM_Create_Range_List
CM_Delete_Class_Key
CM_Delete_Class_Key_Ex
CM_Delete_DevNode_Key
CM_Delete_DevNode_Key_Ex
CM_Delete_Range
CM_Detect_Resource_Conflict
CM_Detect_Resource_Conflict_Ex
CM_Disable_DevNode
CM_Disable_DevNode_Ex
CM_Disconnect_Machine
CM_Dup_Range_List
CM_Enable_DevNode
CM_Enable_DevNode_Ex
CM_Enumerate_Classes
CM_Enumerate_Classes_Ex
CM_Enumerate_EnumeratorsA
CM_Enumerate_EnumeratorsW
CM_Enumerate_Enumerators_ExA
CM_Enumerate_Enumerators_ExW
CM_Find_Range
CM_First_Range
CM_Free_Log_Conf
CM_Free_Log_Conf_Ex
CM_Free_Log_Conf_Handle
CM_Free_Range_List
CM_Free_Res_Des
CM_Free_Res_Des_Ex
CM_Free_Res_Des_Handle

Sections

.text
Size: 100KB - Virtual size: 98KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.rdata
Size: 24KB - Virtual size: 21KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.data
Size: 12KB - Virtual size: 17KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.rsrc
Size: 4KB - Virtual size: 3KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.reloc
Size: 8KB - Virtual size: 7KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ

Sharing

General

Malware Config

Signatures

Files

c5f0f6ae12a4de5d5c5df0062dd9e872

Headers

File Characteristics

Imports

oleaut32

user32

shlwapi

kernel32

ws2_32

iphlpapi

userenv

msvcrt

Exports

Exports

Sections

.text Size: 100KB - Virtual size: 98KB

.rdata Size: 24KB - Virtual size: 21KB

.data Size: 12KB - Virtual size: 17KB

.rsrc Size: 4KB - Virtual size: 3KB

.reloc Size: 8KB - Virtual size: 7KB

.text
Size: 100KB - Virtual size: 98KB

.rdata
Size: 24KB - Virtual size: 21KB

.data
Size: 12KB - Virtual size: 17KB

.rsrc
Size: 4KB - Virtual size: 3KB

.reloc
Size: 8KB - Virtual size: 7KB