gh0strat | 3cbd7f535e56d0dcc940f49620da5ca7_JaffaCakes118

Sharing

Copy URL Twitter E-mail

General

Target

3cbd7f535e56d0dcc940f49620da5ca7_JaffaCakes118
Size

147KB
MD5

3cbd7f535e56d0dcc940f49620da5ca7
SHA1

4eae8b69a4009f7a5a821d8c4c584b7b28f9c9e9
SHA256

b5f1af35ac1a7345e0e53246fc96588805c9d7a53c70a6529115ca1b025dfb5c
SHA512

1431e2d0330c65931483c91e588e7f7e7e83328d59aee435f9546167f91c199daca1cc6dd6e239c1332ae3add3b2c9576fa8f29b207c787d8b71c092be7aa31b
SSDEEP

3072:HZyyNP25oKVqBsI0pBLLUr3lLBFTBft2kq1rcOS11J:woWnXk3lLBFTBl01rcOI

Score

10^/10

gh0strat

Malware Config

Signatures

Gh0st RAT payload 1 IoCs

resource	yara_rule
sample	family_gh0strat

Gh0strat family
gh0strat

Unsigned PE 1 IoCs

Checks for missing Authenticode signature.

resource
3cbd7f535e56d0dcc940f49620da5ca7_JaffaCakes118

Files

3cbd7f535e56d0dcc940f49620da5ca7_JaffaCakes118
.dll windows:4 windows x86 arch:x86

e95182910599f96eccdcf6fc70bc1849

Headers

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LINE_NUMS_STRIPPED
IMAGE_FILE_LOCAL_SYMS_STRIPPED
IMAGE_FILE_32BIT_MACHINE
IMAGE_FILE_DLL

Imports

kernel32

GetProcAddress
OutputDebugStringA
InterlockedExchange
GetModuleHandleA
MultiByteToWideChar
lstrlenA
GetPrivateProfileSectionNamesA
GetCurrentThread
ExpandEnvironmentStringsA
FreeLibrary
LoadLibraryA
WideCharToMultiByte
lstrcmpA
GetPrivateProfileStringA
GetVersionExA
GetModuleFileNameA
GetTempPathA
lstrcatA
GetCurrentProcess
CopyFileA
GetFileAttributesA
SetFileTime
GetFileTime
GetLastError
EndUpdateResourceA
UpdateResourceA
BeginUpdateResourceA
MoveFileA
HeapFree
GetProcessHeap
GetTickCount
HeapAlloc
MoveFileExA
GetDriveTypeA
GetDiskFreeSpaceExA
GetVolumeInformationA
GetLogicalDriveStringsA
GetFileSize
EnterCriticalSection
LocalAlloc
GetTempFileNameA
VirtualAllocEx
GetLocalTime
GlobalUnlock
GlobalLock
GlobalSize
LocalSize
GlobalFree
GlobalAlloc
InterlockedDecrement
InterlockedIncrement
GetConsoleOutputCP
SetConsoleCtrlHandler
ExitProcess
SetConsoleWindowInfo
SetConsoleScreenBufferSize
GetStdHandle
GetConsoleWindow
AllocConsole
FillConsoleOutputCharacterA
FreeConsole
WriteConsoleInputA
GenerateConsoleCtrlEvent
ReadConsoleOutputA
GetExitCodeProcess
SetConsoleOutputCP
GetConsoleScreenBufferInfo
GlobalMemoryStatusEx
GetSystemInfo
LoadLibraryExA
CreateFileA
ReplaceFileA
CloseHandle
OpenMutexA
lstrcmpiA
GetCurrentThreadId
lstrcpyA
VirtualAlloc
DeleteCriticalSection
LeaveCriticalSection
VirtualFree
ResumeThread
InitializeCriticalSection
Sleep
LocalFree
LocalReAlloc
GetSystemWindowsDirectoryA
RaiseException

user32

CloseWindowStation
ShowWindow
DestroyCursor
wsprintfA
BlockInput
LoadCursorA
GetCursorInfo
CreateWindowExA

advapi32

EnumServicesStatusA
QueryServiceConfigA
StartServiceA
RegOpenKeyExW
RegSetKeySecurity
ChangeServiceConfigA
RegQueryInfoKeyA
QueryServiceConfig2A
ConvertSidToStringSidA
ChangeServiceConfig2A

shlwapi

SHCopyKeyA
SHDeleteKeyA

msvcrt

__dllonexit
_onexit
free
malloc
_stricmp
_memicmp
_except_handler3
_adjust_fdiv
_strupr
??1type_info@@UAE@XZ
??2@YAPAXI@Z
??3@YAXPAX@Z
__CxxFrameHandler
memmove
ceil
_ftol
strstr
_CxxThrowException
_beginthreadex
_initterm
_strnicmp
strrchr
strchr
wcscpy
strncat
realloc
atoi

ws2_32

closesocket
ntohs
recv
select
send
gethostname
socket
gethostbyname
listen
connect
accept
ioctlsocket
__WSAFDIsSet
inet_addr
htons
shutdown
getsockname
bind
setsockopt
WSAIoctl
WSACleanup
WSAStartup

userenv

GetProfilesDirectoryA
GetUserProfileDirectoryA

Exports

Exports

a
streset
strupd

Sections

.text
Size: 98KB - Virtual size: 98KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rdata
Size: 21KB - Virtual size: 20KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.data
Size: 8KB - Virtual size: 11KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.dataseg
Size: 512B - Virtual size: 4B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.rsrc
Size: 11KB - Virtual size: 10KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.reloc
Size: 7KB - Virtual size: 6KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ

Sharing

General

Malware Config

Signatures

Files

e95182910599f96eccdcf6fc70bc1849

Headers

File Characteristics

Imports

kernel32

user32

advapi32

shlwapi

msvcrt

ws2_32

userenv

Exports

Exports

Sections

.text Size: 98KB - Virtual size: 98KB

.rdata Size: 21KB - Virtual size: 20KB

.data Size: 8KB - Virtual size: 11KB

.dataseg Size: 512B - Virtual size: 4B

.rsrc Size: 11KB - Virtual size: 10KB

.reloc Size: 7KB - Virtual size: 6KB

.text
Size: 98KB - Virtual size: 98KB

.rdata
Size: 21KB - Virtual size: 20KB

.data
Size: 8KB - Virtual size: 11KB

.dataseg
Size: 512B - Virtual size: 4B

.rsrc
Size: 11KB - Virtual size: 10KB

.reloc
Size: 7KB - Virtual size: 6KB