gh0strat | 4070c63f2747a689397d17746e198c05_JaffaCakes118

Sharing

Copy URL Twitter E-mail

General

Target

4070c63f2747a689397d17746e198c05_JaffaCakes118
Size

127KB
MD5

4070c63f2747a689397d17746e198c05
SHA1

7006158e474edeb5c43a56b1b630e2746ec67715
SHA256

2bc1854af032dcd1818408a8a37f8015087af0e9e4116ccfd0a5fdac5c607ef0
SHA512

64aacb096eadd3ce8f274dcad33cf6c33186b3ce9db3fb6b2537db96ad9ccefba0a161fb5bf08a8a640728b5f12190dd03e54573736d208caa6338b8cf7551ee
SSDEEP

3072:qpFqlZVM06sKYpvjPP9+4WeNmsdrBlsztd:q+lZV/WcjPVvWeAsBet

Score

10^/10

gh0strat

Malware Config

Signatures

Gh0st RAT payload 1 IoCs

resource	yara_rule
sample	family_gh0strat

Gh0strat family
gh0strat

Unsigned PE 1 IoCs

Checks for missing Authenticode signature.

resource
4070c63f2747a689397d17746e198c05_JaffaCakes118

Files

4070c63f2747a689397d17746e198c05_JaffaCakes118
.exe windows:4 windows x86 arch:x86

de5495ac342dab25bc7203d8c32a4324

Headers

File Characteristics

IMAGE_FILE_RELOCS_STRIPPED
IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LINE_NUMS_STRIPPED
IMAGE_FILE_LOCAL_SYMS_STRIPPED
IMAGE_FILE_32BIT_MACHINE

Imports

kernel32

GetProcessHeap
MapViewOfFile
CreateFileMappingA
HeapAlloc
UnmapViewOfFile
GlobalFree
GlobalUnlock
GlobalLock
GlobalAlloc
GlobalSize
GetStartupInfoA
CreatePipe
DisconnectNamedPipe
TerminateProcess
PeekNamedPipe
WaitForMultipleObjects
GetVersionExA
ReleaseMutex
OpenEventA
SetErrorMode
FreeConsole
LocalSize
Process32Next
Process32First
CreateToolhelp32Snapshot
lstrcmpiA
GetCurrentThreadId
SetStdHandle
FlushFileBuffers
LCMapStringW
LCMapStringA
GetOEMCP
GetACP
HeapFree
GetCPInfo
GetStringTypeW
GetStringTypeA
MultiByteToWideChar
IsBadCodePtr
IsBadReadPtr
GetFileType
GetStdHandle
SetHandleCount
GetEnvironmentStringsW
GetEnvironmentStrings
FreeEnvironmentStringsW
FreeEnvironmentStringsA
UnhandledExceptionFilter
HeapSize
IsBadWritePtr
HeapCreate
HeapDestroy
GetEnvironmentVariableA
SetUnhandledExceptionFilter
TlsAlloc
GetModuleHandleA
ExitProcess
GetVersion
GetCommandLineA
GetLocalTime
GetTickCount
MoveFileExA
TerminateThread
OpenProcess
LoadLibraryA
GetProcAddress
InitializeCriticalSection
FreeLibrary
VirtualAllocEx
WriteProcessMemory
CreateRemoteThread
GetCurrentProcess
DeviceIoControl
GetSystemDirectoryA
SetLastError
GetModuleFileNameA
MoveFileA
WriteFile
SetFilePointer
ReadFile
CreateFileA
GetFileSize
RemoveDirectoryA
LocalAlloc
FindFirstFileA
LocalReAlloc
FindNextFileA
LocalFree
FindClose
GetLogicalDriveStringsA
GetVolumeInformationA
GetDiskFreeSpaceExA
GetDriveTypeA
lstrcatA
CreateProcessA
lstrlenA
GetFileAttributesA
CreateDirectoryA
GetLastError
DeleteFileA
Sleep
CancelIo
InterlockedExchange
SetEvent
lstrcpyA
ResetEvent
WaitForSingleObject
CloseHandle
CreateEventA
ExitThread
TlsGetValue
TlsSetValue
CreateThread
WideCharToMultiByte
InterlockedIncrement
InterlockedDecrement
HeapReAlloc
RaiseException
RtlUnwind
VirtualAlloc
EnterCriticalSection
LeaveCriticalSection
VirtualFree
DeleteCriticalSection

user32

SetWindowsHookExA
UnhookWindowsHookEx
LoadCursorA
DestroyCursor
BlockInput
SystemParametersInfoA
SendMessageA
MessageBoxA
wsprintfA
CallNextHookEx
keybd_event
MapVirtualKeyA
SetCapture
WindowFromPoint
SetCursorPos
mouse_event
CloseClipboard
SetClipboardData
EmptyClipboard
GetActiveWindow
GetKeyNameTextA
CharNextA
GetWindowTextA
PostMessageA
OpenDesktopA
GetThreadDesktop
GetUserObjectInformationA
OpenInputDesktop
SetThreadDesktop
CloseDesktop
EnumWindows
IsWindowVisible
GetWindowThreadProcessId
ExitWindowsEx
GetCursorPos
GetCursorInfo
ReleaseDC
GetDesktopWindow
GetDC
SetRect
GetSystemMetrics
GetClipboardData
OpenClipboard

gdi32

CreateCompatibleDC
CreateDIBSection
DeleteObject
CreateCompatibleBitmap
GetDIBits
BitBlt
DeleteDC
SelectObject

advapi32

OpenEventLogA
RegQueryValueA
RegOpenKeyExA
CloseServiceHandle
DeleteService
ControlService
SetServiceStatus
RegisterServiceCtrlHandlerA
RegCreateKeyExA
RegDeleteKeyA
RegDeleteValueA
RegEnumKeyExA
RegEnumValueA
InitializeSecurityDescriptor
AllocateAndInitializeSid
GetLengthSid
InitializeAcl
AddAccessAllowedAce
SetSecurityDescriptorDacl
FreeSid
OpenProcessToken
LookupPrivilegeValueA
AdjustTokenPrivileges
QueryServiceStatus
ClearEventLogA
CloseEventLog
RegOpenKeyA
RegQueryValueExA
RegSetValueExA
OpenSCManagerA
OpenServiceA
RegCloseKey

shell32

SHGetFileInfoA

shlwapi

SHDeleteKeyA

ws2_32

htons
gethostname
getsockname
connect
gethostbyname
socket
setsockopt
WSAStartup
WSAIoctl
WSACleanup
ntohs
recv
closesocket
select
send

imm32

ImmGetCompositionStringA
ImmGetContext
ImmReleaseContext

avicap32

capGetDriverDescriptionA

psapi

EnumProcessModules
GetModuleFileNameExA

Exports

Exports

Rool
ServiceMain
qshb

Sections

.text
Size: 106KB - Virtual size: 106KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.data
Size: 19KB - Virtual size: 25KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.rsrc
Size: 1024B - Virtual size: 960B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

Sharing

General

Malware Config

Signatures

Files

de5495ac342dab25bc7203d8c32a4324

Headers

File Characteristics

Imports

kernel32

user32

gdi32

advapi32

shell32

shlwapi

ws2_32

imm32

avicap32

psapi

Exports

Exports

Sections

.text Size: 106KB - Virtual size: 106KB

.data Size: 19KB - Virtual size: 25KB

.rsrc Size: 1024B - Virtual size: 960B

.text
Size: 106KB - Virtual size: 106KB

.data
Size: 19KB - Virtual size: 25KB

.rsrc
Size: 1024B - Virtual size: 960B