gh0strat | 4dc899ee792d3adb655467a803989c75_JaffaCakes118 | Triage

Sharing

Copy URL Twitter E-mail

General

Target

4dc899ee792d3adb655467a803989c75_JaffaCakes118
Size

104KB
MD5

4dc899ee792d3adb655467a803989c75
SHA1

c7e79f6809f929d4d688a5edff665f8e70b5b009
SHA256

3d4458c2c4428a295386aabdad7ab658477659c0bca38b3991cc2b4f4a5c4796
SHA512

45505c8228f58b794cb1c36778815dcbd97dfb638737616935542fb098481864b6ed5a60ac58692d244f3fc00d713ec2d7ddfdf2209b6d76c8dc014af1222c01
SSDEEP

1536:kkW4e77bsmdniw1GCa7C1k4XDTO62qUnStRVo:kkJe71/1GLl472vStRVo

Score

10^/10

gh0strat

Malware Config

Signatures

Gh0st RAT payload 1 IoCs

resource	yara_rule
sample	family_gh0strat

Gh0strat family
gh0strat

Unsigned PE 1 IoCs

Checks for missing Authenticode signature.

resource
4dc899ee792d3adb655467a803989c75_JaffaCakes118

Files

4dc899ee792d3adb655467a803989c75_JaffaCakes118
.dll windows:4 windows x86 arch:x86

b9402d74b93f15cc8c6d86fe52f3584b

Headers

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LINE_NUMS_STRIPPED
IMAGE_FILE_LOCAL_SYMS_STRIPPED
IMAGE_FILE_32BIT_MACHINE
IMAGE_FILE_DLL

Imports

kernel32

GetModuleHandleA
LoadLibraryA
GetProcAddress
IsBadReadPtr
GetCurrentProcess
SuspendThread
ResumeThread
OpenThread
GetCurrentProcessId
GetCurrentThreadId
lstrcpyA
lstrcmpiA
GetFileSize
lstrlenA

ole32

CoCreateInstance

psapi

GetProcessMemoryInfo
GetModuleInformation

msvcrt

_adjust_fdiv
_initterm
??3@YAXPAX@Z
memmove
ceil
_ftol
__CxxFrameHandler
??2@YAPAXI@Z
_beginthreadex
realloc
free
strncpy
wcstombs
_access
_except_handler3
malloc
_stricmp

wtsapi32

WTSQueryUserToken

userenv

CreateEnvironmentBlock

Exports

Exports

FUCC
PMain
RMain
ServiceMain

Sections

.text
Size: 24KB - Virtual size: 21KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rdata
Size: 4KB - Virtual size: 1KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.data
Size: 64KB - Virtual size: 65KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.rsrc
Size: 4KB - Virtual size: 816B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.reloc
Size: 4KB - Virtual size: 2KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ