gh0strat | 358b05af733a0b7256a7a0947dd6f68e_JaffaCakes118

Sharing

Copy URL Twitter E-mail

General

Target

358b05af733a0b7256a7a0947dd6f68e_JaffaCakes118
Size

153KB
MD5

358b05af733a0b7256a7a0947dd6f68e
SHA1

a25c26185b5d527fcc1ce47a25c77ffa220aab42
SHA256

a91e008ff02ee7866e466aa21d414509117e5d3044edf316076e3273b3987dc7
SHA512

348d973e57a4d6af8324f5f7331abc0b9cd2a1ea39c16e4485e28826a4631f8ebd96aeb25496eabc798f17877a355d82efaaa4d458127d5442f32125508f2e2a
SSDEEP

3072:DmMTcD77e9UrRQJm70mjbwNvz+bhr7baARTBftM/fzWlL1tjk:pTa7RRIfvahrXBRTBl8fz0jk

Score

10^/10

gh0strat

Malware Config

Signatures

Gh0st RAT payload 1 IoCs

resource	yara_rule
sample	family_gh0strat

Gh0strat family
gh0strat

Unsigned PE 1 IoCs

Checks for missing Authenticode signature.

resource
358b05af733a0b7256a7a0947dd6f68e_JaffaCakes118

Files

358b05af733a0b7256a7a0947dd6f68e_JaffaCakes118
.dll windows:4 windows x86 arch:x86

50cb2b406254546d88a8e21e77660a21

Headers

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LINE_NUMS_STRIPPED
IMAGE_FILE_LOCAL_SYMS_STRIPPED
IMAGE_FILE_32BIT_MACHINE
IMAGE_FILE_DLL

Imports

kernel32

CloseHandle
GetTickCount
GetLastError
InterlockedExchange
LeaveCriticalSection
Sleep
GetSystemDirectoryA
FreeLibrary
lstrcmpiA
lstrcpyA
GetVersionExA
GetCurrentThreadId
GetProcAddress
GlobalFree
GlobalUnlock
GlobalLock
GlobalAlloc
GlobalSize
GetModuleHandleA
InterlockedDecrement
InterlockedIncrement
VirtualQuery
GetCurrentProcessId
lstrcmpA
VirtualProtect
MultiByteToWideChar
lstrlenA
SetEnvironmentVariableA
GetTempPathA
GetLongPathNameA
GetModuleFileNameA
SetUnhandledExceptionFilter
GetLocalTime
InitializeCriticalSection
IsBadWritePtr
ExpandEnvironmentStringsA
LocalFree
LocalReAlloc
LocalAlloc
LocalSize
GetCurrentProcess
HeapFree
HeapAlloc
GetProcessHeap
GetSystemInfo
GetProcessTimes
GlobalMemoryStatusEx
GetTempFileNameA
DeleteFileA
RemoveDirectoryA
ExitThread
IsBadReadPtr
IsBadStringPtrW
WideCharToMultiByte
GetPrivateProfileStringA
GetPrivateProfileSectionNamesA
MapViewOfFile
CreateFileMappingA
GetShortPathNameA
VirtualFree
VirtualAlloc
ExitProcess
GetExitCodeProcess
RaiseException
FormatMessageA
lstrcatA
LoadLibraryA

user32

GetClassNameA
GetWindow
DestroyWindow
CreateWindowExA
MessageBoxA
CloseWindowStation
wvsprintfA
GetCursorInfo
DestroyCursor
LoadCursorA
GetWindowRect
wsprintfA
ShowWindow

advapi32

RegOpenKeyExW

msvcrt

_adjust_fdiv
_initterm
_onexit
__dllonexit
??1type_info@@UAE@XZ
_memicmp
_strupr
_strlwr
_wcsicmp
wcslen
strchr
strncat
_except_handler3
__CxxFrameHandler
??3@YAXPAX@Z
strncpy
??2@YAPAXI@Z
_CxxThrowException
_ftol
wcsrchr
_beginthreadex
realloc
malloc
strstr
free
srand
rand
strrchr
atoi
wcstombs
memmove
ceil

Exports

Exports

WlDimsLock
WlDimsLogoff
WlDimsLogon
WlDimsShutdown
WlDimsStartShell
WlDimsStartup
WlDimsUnlock

Sections

.text
Size: 100KB - Virtual size: 97KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.rdata
Size: 24KB - Virtual size: 20KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.data
Size: 12KB - Virtual size: 17KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.rsrc
Size: 4KB - Virtual size: 3KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.reloc
Size: 8KB - Virtual size: 7KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ

Sharing

General

Malware Config

Signatures

Files

50cb2b406254546d88a8e21e77660a21

Headers

File Characteristics

Imports

kernel32

user32

advapi32

msvcrt

Exports

Exports

Sections

.text Size: 100KB - Virtual size: 97KB

.rdata Size: 24KB - Virtual size: 20KB

.data Size: 12KB - Virtual size: 17KB

.rsrc Size: 4KB - Virtual size: 3KB

.reloc Size: 8KB - Virtual size: 7KB

.text
Size: 100KB - Virtual size: 97KB

.rdata
Size: 24KB - Virtual size: 20KB

.data
Size: 12KB - Virtual size: 17KB

.rsrc
Size: 4KB - Virtual size: 3KB

.reloc
Size: 8KB - Virtual size: 7KB