gh0strat | 5d49b7898cfbb079b961f040be5389b6_JaffaCakes118 | Triage

Sharing

Copy URL Twitter E-mail

General

Target

5d49b7898cfbb079b961f040be5389b6_JaffaCakes118
Size

128KB
MD5

5d49b7898cfbb079b961f040be5389b6
SHA1

1b71bc109350da99ccc328b9f1ebfee0e578d174
SHA256

b0e21c5e752959c2a7e631f99404e9b9cd42a2f94559502d10a4b2c7a8307933
SHA512

da6bf210e10ec525c84ff8a18377a19d63a7c10c29c85535a5558ce76bb893ef5db553b390ee2d3f259e268d64bc5931f77068fca0b93e377934554de7ee3b67
SSDEEP

3072:zR0IDff7uSHMISYYSFBRoVLEKFg4rmNTMUWDFdzx:z3DffBHMIZ5hopFFg4rmNTMD

Score

10^/10

gh0strat

Malware Config

Signatures

Gh0st RAT payload 1 IoCs

resource	yara_rule
sample	family_gh0strat

Gh0strat family
gh0strat

Unsigned PE 1 IoCs

Checks for missing Authenticode signature.

resource
5d49b7898cfbb079b961f040be5389b6_JaffaCakes118

Files

5d49b7898cfbb079b961f040be5389b6_JaffaCakes118
.exe windows:4 windows x86 arch:x86

e4d69a2c15c20f56f59997742fc84f06

Headers

File Characteristics

IMAGE_FILE_RELOCS_STRIPPED
IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LINE_NUMS_STRIPPED
IMAGE_FILE_LOCAL_SYMS_STRIPPED
IMAGE_FILE_32BIT_MACHINE

Imports

kernel32

GetCurrentThreadId
GetCommandLineA
ReleaseMutex
CloseHandle
Sleep
SetLastError
lstrcmpA
lstrcmpiA
lstrlenA
lstrcpyA
FindResourceA
LoadResource
GetProcAddress
LockResource
ExitProcess
lstrcatA
GetLastError
GetModuleHandleA
LoadLibraryA
GetStartupInfoA

user32

wsprintfA

advapi32

StartServiceA
OpenSCManagerA
CreateServiceA
CloseServiceHandle
RegSetValueExA
RegDeleteKeyA
RegDeleteValueA
RegQueryValueExA
RegOpenKeyExA
RegCloseKey
OpenServiceA

msvcrt

_XcptFilter
_except_handler3
strchr
fclose
fwrite
fopen
??2@YAPAXI@Z
__CxxFrameHandler
_CxxThrowException
strstr
??3@YAXPAX@Z
??1type_info@@UAE@XZ
_exit
exit
_acmdln
__getmainargs
_initterm
__setusermatherr
_adjust_fdiv
__p__commode
__p__fmode
__set_app_type
_controlfp

Sections

.text
Size: 7KB - Virtual size: 7KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.rsrc
Size: 120KB - Virtual size: 119KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ