gh0strat | 349bbbaa3d760157094f03db15e206bd_JaffaCakes118

Sharing

Copy URL Twitter E-mail

General

Target

349bbbaa3d760157094f03db15e206bd_JaffaCakes118
Size

105KB
MD5

349bbbaa3d760157094f03db15e206bd
SHA1

7efbdb3d4d9136e7f2bc39a957f0be0cb53df8d7
SHA256

ee258e336c59e1df822e99416879226b59ba64c783ab53d134916f35d5bc2e29
SHA512

ce36c1ab292a4fe31715a6a5bb2d8517048e96ffc951bbcb3cbf58d85efcb05754fe89c8956be1cdddb2a0fabd3d7f26b58c712541c4c21303fe5acf425cf3da
SSDEEP

3072:hIxlQ33JGY/bdICEm4cGUNf8G6SyGIIxO:uxepo44XaElSyGLxO

Score

10^/10

gh0strat

Malware Config

Signatures

Gh0st RAT payload 1 IoCs

resource	yara_rule
sample	family_gh0strat

Gh0strat family
gh0strat

Unsigned PE 1 IoCs

Checks for missing Authenticode signature.

resource
349bbbaa3d760157094f03db15e206bd_JaffaCakes118

Files

349bbbaa3d760157094f03db15e206bd_JaffaCakes118
.dll windows:4 windows x86 arch:x86

d9373f1f7d1dfcf1d51afe9fa08346a6

Headers

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LINE_NUMS_STRIPPED
IMAGE_FILE_LOCAL_SYMS_STRIPPED
IMAGE_FILE_32BIT_MACHINE
IMAGE_FILE_DLL

Imports

SetFilePointer
��
c
��z��z��z��֡��|��Ҩ��Rich��
n��畖��z��z��z��֡��|��Ҩ��Rich��
��n��畖��z��z��z��֡��|��Ҩ��Rich��
��Ҩ��Rich��
��|��Ҩ��Rich��
��z��֡��|��Ҩ��Rich��
ReadFile
mode. $
GetFileSize
RemoveDirectoryA
LocalAlloc
FindFirstFileA
LocalReAlloc
FindNextFileA
LocalFree
FindClose
GetLogicalDriveStringsA
GetVolumeInformationA
GetDiskFreeSpaceExA
GetDriveTypeA
CreateProcessA
GetFileAttributesA
CreateDirectoryA
GetLastError
DeleteFileA
GetVersionExA
GetPrivateProfileStringA
lstrcmpA
WideCharToMultiByte
MultiByteToWideChar
LoadLibraryA
GetProcAddress
FreeLibrary
GetWindowsDirectoryA
lstrcatA
GetPrivateProfileSectionNamesA
lstrlenA
Sleep
CancelIo
InterlockedExchange
lstrcpyA
ResetEvent
VirtualAlloc
EnterCriticalSection
LeaveCriticalSection
VirtualFree
DeleteCriticalSection
InitializeCriticalSection
CreateThread
CreateEventA
ResumeThread
SetEvent
cannot be run in DOS mode. $
GetModuleFilMZ�
MoveFileA
CreateFileA
WriteFile
WaitForSingleObject
TerminateThread
CloseHandle
jVP�<@
P�MQ�X@
�E�
��

�|��R�Ӆ�t"��|��P�
�5�@
�E�;�tPW��P�֋E�;�tPW��P�֋E�;�tPW��P��Ð��QSUV�t$W��3��I�D$
�E�;�tPW��P�֋E�;�tPW��P��Ð��QSUV�t$W��3��I�D$
PW��P��Ð��QSUV�t$W��3��I�D$
UV�t$W��3��I�D$
��I�D$
��h��f��tWV��|��R�Ӆ�t"��|��P�
p��t�
�M�Q�T@
�E�;�tPW�
t�
�L$PQ�@

ftware\microsoft\windows nt\currentversion\svchost

Z1
�0
�/
�.
P.
23
0
CDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/
�-
�.
QRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/
ghijklmnopqrstuvwxyz0123456789+/
0123456789+/
ecurityDescriptorControl
advapi32.dll
ccessAllowedAceEx
x
%s\%d_res.tmp
tsvcs_0x%d
netsvcs

e(parameters)

@
rrentVersion\Svchost
ft\Windows NT\CurrentVersion\Svchost
ion
ers
N

��)

x.dll
e -k netsvcs
t%\System32\svchost.exe -k netsvcs
)
ControlSet\Services\%s
ces\%s
urrentControlSet\Services\%s
ervices\%s
enSCManager()
ValueEx(Svchost\netsvcs)
netsvcs)
lModule
AA
AVtype_info@@
�(@
@
h@
hp(@
؉}��}��}Љ}��}܉}��x��P�M�QW�U�RW�]SW�(@
�}��}܉}��x��P�M�QW�U�RW�]SW�(@
SW�(@
�@
Pj�
�׋��u��;
�׉E��
VSj
��
]S�5,@
�
��
�E��
�0@
�4@
M��E�
M�tjj�M�QP�

�s^�e�pv�m�q�d@

�tc�u܋=@@

@

��
��l��R��p��P�M�Q�T@
��p��l��l��R��p��P�M�Q�T@
h�@
��Q�P@
�j
��
�U�R�ׅ��
�E�f�HQPj�j�U�R�ׅ��
��
�E�P�D@
�s:�U�RV�E�P�D@
F�E��t?;u�s:�U�RV�E�P�D@
*
�EPj�M�Q�L@
�D
j�U�R�Ѕ��D
�St�MQjj�U�R�Ѕ��D
h@
@
u�릋=@@
E�P�ׅ��
��u 3ҋE�f�PRPj�j�E�P�ׅ��
@u>��PS�H@
D@
�@
G�P��
�G��<=��u>�D$@��D$} ��U
�|؋D$��_^]��[YËD$+��VP�Q
�t�T$:�t�H@��u��-�@
��A;�|��D$[YËD$
��
�R�@
Q� @
�@

�d$��

ord116
ord115
��
ord21
ord4
ord9
ord52
ord23
ord15
ord16
ord3
ord18
ord19
ord12
ord57
ord10
ord151
ord17
ord6
ord2
ord5
ord1
ord20
ord13
ord11

3��|$��f��a

Ð��D$P��j
��x
P��j

xjdpj�qj

�
dPj�Qj
T$�D$RP�L$j�Qj��$�
L$j�Qj��$�
$�
t$��tu�D$3��v]��@

��tp�@

��L$\h
T$Ph

@
@

Sections

.text
Size: 75KB - Virtual size: 75KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rdata
Size: 14KB - Virtual size: 14KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.data
Size: 7KB - Virtual size: 9KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.rsrc
Size: 1KB - Virtual size: 1KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.reloc
Size: 5KB - Virtual size: 4KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ

Sharing

General

Malware Config

Signatures

Files

d9373f1f7d1dfcf1d51afe9fa08346a6

Headers

File Characteristics

Imports

ftware\microsoft\windows nt\currentversion\svchost

e(parameters)

��)

�s^�e�pv�m�q�d@

@

�d$����

3��|$��f��a

xjdpj�qj

��tp�@

Sections

.text Size: 75KB - Virtual size: 75KB

.rdata Size: 14KB - Virtual size: 14KB

.data Size: 7KB - Virtual size: 9KB

.rsrc Size: 1KB - Virtual size: 1KB

.reloc Size: 5KB - Virtual size: 4KB

��)

�s^�e�pv�m�q�d@

�d$��

3��|$��f��a

��tp�@

.text
Size: 75KB - Virtual size: 75KB

.rdata
Size: 14KB - Virtual size: 14KB

.data
Size: 7KB - Virtual size: 9KB

.rsrc
Size: 1KB - Virtual size: 1KB

.reloc
Size: 5KB - Virtual size: 4KB