gh0strat | 49951457092456c45957e746a9e659bf_JaffaCakes118 | Triage

Sharing

Copy URL Twitter E-mail

General

Target

49951457092456c45957e746a9e659bf_JaffaCakes118
Size

180KB
MD5

49951457092456c45957e746a9e659bf
SHA1

871cc9b9695abfec5f7e97fea157a3b151264fa2
SHA256

78240db6283d51081b53bdd202baddc68a35e614a1a354a909d48834129c002c
SHA512

9576f023fbf5f017b3f96e0810592fba8c383ba9cc040ca8aaa1f752f5de350d106395cceb93684db5780502ac54ce9a334c9881c6462a7e7d81a30d804e8b4d
SSDEEP

3072:6k4iljTed0yF1BEAEtfWpc1QawQAVK/4+3TBftvBKnKxW4TyF1BEAEi:N4idTEPrEtt+pc1QZp+3TBlvBKnKxDgj

Score

10^/10

gh0strat

Malware Config

Signatures

Gh0st RAT payload 1 IoCs

resource	yara_rule
sample	family_gh0strat

Gh0strat family
gh0strat

Unsigned PE 1 IoCs

Checks for missing Authenticode signature.

resource
49951457092456c45957e746a9e659bf_JaffaCakes118

Files

49951457092456c45957e746a9e659bf_JaffaCakes118
.dll regsvr32 windows:4 windows x86 arch:x86

Headers

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LINE_NUMS_STRIPPED
IMAGE_FILE_LOCAL_SYMS_STRIPPED
IMAGE_FILE_32BIT_MACHINE
IMAGE_FILE_DLL

Exports

Exports

CORLockDownProvider
CORPolicyEE
CORPolicyProvider
DllCanUnloadNow
DllRegisterServer
DllUnregisterServer

Sections

.text
Size: 100KB - Virtual size: 98KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rdata
Size: 28KB - Virtual size: 25KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.data
Size: 12KB - Virtual size: 15KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.reloc
Size: 8KB - Virtual size: 6KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ