gh0strat | 426f1a240ed8affbcb3bd4d648243b9a_JaffaCakes118

Sharing

Copy URL Twitter E-mail

General

Target

426f1a240ed8affbcb3bd4d648243b9a_JaffaCakes118
Size

152KB
MD5

426f1a240ed8affbcb3bd4d648243b9a
SHA1

8a08a7bb8c8a8c40c47ef4b21ac8a62edced1e85
SHA256

c97ee6300d209f23f2f4f152a59fed4393bc24a9b24d164740ef0fb61cc78621
SHA512

dd0c8c6ccf517d0e351462ff9873139199314df859777635fc4195fec46cdbe2463554ff46ded50bc3a2ba34a60a6217a57112f0771a2fc603248cc6bfc4fd17
SSDEEP

3072:WPLSB2g7NcfLx/a3knKrOKaCdby4qG7TBftClbtnhZ7L9+F7Q:WzS9eKC0R4G7TBlgbtJc7Q

Score

10^/10

gh0strat

Malware Config

Signatures

Gh0st RAT payload 1 IoCs

resource	yara_rule
sample	family_gh0strat

Gh0strat family
gh0strat

Unsigned PE 1 IoCs

Checks for missing Authenticode signature.

resource
426f1a240ed8affbcb3bd4d648243b9a_JaffaCakes118

Files

426f1a240ed8affbcb3bd4d648243b9a_JaffaCakes118
.dll regsvr32 windows:4 windows x86 arch:x86

ad3bf5656f94475ad5dbcc8d84ef5bcb

Headers

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LINE_NUMS_STRIPPED
IMAGE_FILE_LOCAL_SYMS_STRIPPED
IMAGE_FILE_32BIT_MACHINE
IMAGE_FILE_DLL

Imports

kernel32

CloseHandle
Sleep
MultiByteToWideChar
lstrlenA
FreeLibrary
GetProcAddress
WideCharToMultiByte
lstrcpyA
lstrcmpA
GetPrivateProfileStringA
GetPrivateProfileSectionNamesA
GetVersionExA
lstrcmpiA
ExpandEnvironmentStringsA
lstrcatA
GetTickCount
LocalFree
GetModuleHandleA
GetLastError
LocalReAlloc
LocalSize
LocalAlloc
InterlockedExchange
GlobalFree
GlobalUnlock
GlobalLock
GlobalAlloc
GlobalSize
GetModuleFileNameA
SetUnhandledExceptionFilter
GetLocalTime
FormatMessageA
VirtualQuery
IsBadWritePtr
InitializeCriticalSection
VirtualFree
LeaveCriticalSection
VirtualAlloc
HeapFree
HeapAlloc
GetProcessHeap
GetSystemInfo
GetProcessTimes
GetCurrentProcess
GlobalMemoryStatusEx
GetTempFileNameA
GetSystemDirectoryA
GetCurrentProcessId
DeleteFileA
RemoveDirectoryA
ExitThread
GetShortPathNameA
IsBadReadPtr
IsBadStringPtrW
ExitProcess
GetExitCodeProcess
GetCurrentThreadId
MapViewOfFile
CreateFileMappingA
GetFileAttributesExA
SetEnvironmentVariableA
GetTempPathA
GetLongPathNameA
RaiseException
LoadLibraryA

user32

DestroyWindow
CreateWindowExA
EnableWindow
ShowWindow
GetWindow
GetClassNameA
GetCursorInfo
DestroyCursor
LoadCursorA
MessageBoxA
CloseWindowStation
wsprintfA
wvsprintfA

msvcrt

_adjust_fdiv
_initterm
??1type_info@@UAE@XZ
_onexit
__dllonexit
_strupr
_stricmp
_strlwr
_wcsicmp
_memicmp
??2@YAPAXI@Z
??3@YAXPAX@Z
__CxxFrameHandler
rand
srand
_ftol
strchr
memmove
ceil
strstr
strncpy
atoi
strtol
_except_handler3
wcstombs
strrchr
malloc
strncat
_beginthreadex
realloc
wcsrchr
_CxxThrowException
free
wcslen

Exports

Exports

?ClearList@@YGXPAVCStructArray@@@Z
?CreateComponentLibraryTS@@YGJPBGJPAPAUIComponentRecords@@@Z
?DataConvert@@YGJGGKPAKPAX1KK0EEK@Z
?DestroyStgDatabase@@YGXPAVStgDatabase@@@Z
?GetDataConversion@@YGJPAPAUIDataConvert@@@Z
?GetDataConvertObject@@YGPAVCGetDataConversion@@XZ
?GetPropValue@@YGJGPAJPAXHPAHAAUtagDBPROP@@@Z
?GetStgDatabase@@YGJPAPAVStgDatabase@@@Z
?InitErrors@@YGXPAK@Z
?OpenComponentLibraryTS@@YGJPBGJPAPAUIComponentRecords@@@Z
?PostError
?ShutDownDataConversion@@YGXXZ
ActivatorUpdateForIsRouterChanges
CLSIDFromStringByBitness
CheckMemoryGates
CoRegCleanup
ComPlusEnablePartitions
ComPlusEnableRemoteAccess
ComPlusMigrate
ComPlusPartitionsEnabled
ComPlusRemoteAccessEnabled
CreateComponentLibraryEx
DeleteAllActivatorsForClsid
DllCanUnloadNow
DllGetClassObject
DllRegisterServer
DllUnregisterServer
DowngradeAPL
GetCatalogObject
GetCatalogObject2
GetComputerObject
GetGlobalBabyJITEnabled
GetSimpleTableDispenser
InprocServer32FromString
OpenComponentLibraryEx
OpenComponentLibraryOnMemEx
OpenComponentLibraryOnStreamEx
ServerGetApplicationType
SetSetupOpen
SetSetupSave
SetupOpen
SetupSave
UpdateFromAppChange

Sections

.text
Size: 100KB - Virtual size: 99KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.rdata
Size: 24KB - Virtual size: 21KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.data
Size: 12KB - Virtual size: 17KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.rsrc
Size: 4KB - Virtual size: 3KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.reloc
Size: 8KB - Virtual size: 7KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ

Sharing

General

Malware Config

Signatures

Files

ad3bf5656f94475ad5dbcc8d84ef5bcb

Headers

File Characteristics

Imports

kernel32

user32

msvcrt

Exports

Exports

Sections

.text Size: 100KB - Virtual size: 99KB

.rdata Size: 24KB - Virtual size: 21KB

.data Size: 12KB - Virtual size: 17KB

.rsrc Size: 4KB - Virtual size: 3KB

.reloc Size: 8KB - Virtual size: 7KB

.text
Size: 100KB - Virtual size: 99KB

.rdata
Size: 24KB - Virtual size: 21KB

.data
Size: 12KB - Virtual size: 17KB

.rsrc
Size: 4KB - Virtual size: 3KB

.reloc
Size: 8KB - Virtual size: 7KB