gh0strat | 609c6308c7267fd791313db275b7383c_JaffaCakes118

Sharing

Copy URL Twitter E-mail

General

Target

609c6308c7267fd791313db275b7383c_JaffaCakes118
Size

152KB
MD5

609c6308c7267fd791313db275b7383c
SHA1

142f362c41942d6e9c6c3e589aa9020a4c9b6579
SHA256

f7c7aefab5ad45594fbc9804c313d289459b325b848b5a2072664ae21e3ce1f0
SHA512

243d3f19a6f400aa6d23c4bf03e61885fe7bb3bea49fb4830f9ebc617f5f63c7b5326f449d17e6b913b049a5cc9b505686559dd9765d8e5f2927f73b04346fa2
SSDEEP

3072:/3kdSanRUriwLIRRTGmErvR3w3viqUvhxaHC2ZXTBftnX4Jl:/Ee5W8mErvi3hQAHC2ZXTBln6

Score

10^/10

gh0strat

Malware Config

Signatures

Gh0st RAT payload 1 IoCs

resource	yara_rule
sample	family_gh0strat

Gh0strat family
gh0strat

Unsigned PE 1 IoCs

Checks for missing Authenticode signature.

resource
609c6308c7267fd791313db275b7383c_JaffaCakes118

Files

609c6308c7267fd791313db275b7383c_JaffaCakes118
.dll windows:4 windows x86 arch:x86

49c47199290dbaa5aed34e29e0c53b14

Headers

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LINE_NUMS_STRIPPED
IMAGE_FILE_LOCAL_SYMS_STRIPPED
IMAGE_FILE_32BIT_MACHINE
IMAGE_FILE_DLL

Imports

oleaut32

SysFreeString

user32

DestroyCursor
GetCursorInfo
CreateWindowExA
LoadCursorA
wsprintfA
MessageBoxA
wvsprintfA
CloseWindowStation
GetClassNameA
GetWindow
ShowWindow
EnableWindow
GetWindowRect
DestroyWindow

kernel32

RaiseException
IsBadReadPtr
GetLongPathNameA
GetTempPathA
SetEnvironmentVariableA
GetFileAttributesExA
VirtualAlloc
GetCurrentProcessId
IsBadStringPtrW
LoadLibraryA
GetShortPathNameA
ExitThread
CloseHandle
GetProcAddress
GetModuleHandleA
InitializeCriticalSection
GetTickCount
GetLastError
lstrcpyA
lstrlenA
InterlockedExchange
LeaveCriticalSection
Sleep
MultiByteToWideChar
FreeLibrary
WideCharToMultiByte
lstrcmpA
GetPrivateProfileStringA
GetPrivateProfileSectionNamesA
GetVersionExA
lstrcmpiA
ExpandEnvironmentStringsA
lstrcatA
ExitProcess
GetSystemDirectoryA
LocalFree
LocalReAlloc
LocalSize
LocalAlloc
VirtualQuery
GetCurrentThreadId
GetTempFileNameA
GlobalFree
GlobalUnlock
GlobalLock
GlobalAlloc
GlobalSize
GetLocalTime
HeapFree
GetProcessHeap
MapViewOfFile
CreateFileMappingA
HeapAlloc
GetModuleFileNameA
SetUnhandledExceptionFilter
FormatMessageA
IsBadWritePtr
GetSystemInfo
GetProcessTimes
GetCurrentProcess
GlobalMemoryStatusEx
VirtualFree
DeleteFileA
RemoveDirectoryA

advapi32

RegisterServiceCtrlHandlerExA
RegOpenKeyExW

shell32

SHFileOperationA

ws2_32

WSAStartup
getsockname
shutdown
send
closesocket
select
recv
gethostname
gethostbyname
socket
connect
setsockopt
WSAIoctl
WSACleanup

userenv

GetUserProfileDirectoryA
GetProfilesDirectoryA

iphlpapi

GetAdaptersInfo

msvcrt

_strlwr
strchr
srand
rand
_ftol
strncpy
??2@YAPAXI@Z
??3@YAXPAX@Z
__CxxFrameHandler
_except_handler3
malloc
strstr
strrchr
_beginthreadex
wcslen
wcsrchr
strncat
atoi
_onexit
__dllonexit
_adjust_fdiv
_initterm
_stricmp
_wcsicmp
free
_strupr
_memicmp
ceil
memmove
realloc
wcstombs

Exports

Exports

DhcpAcquireParameters
DhcpAcquireParametersByBroadcast
DhcpCApiCleanup
DhcpCApiInitialize
DhcpDeRegisterOptions
DhcpDeRegisterParamChange
DhcpDelPersistentRequestParams
DhcpEnumClasses
DhcpFallbackRefreshParams
DhcpHandlePnPEvent
DhcpLeaseIpAddress
DhcpLeaseIpAddressEx
DhcpNotifyConfigChange
DhcpNotifyConfigChangeEx
DhcpNotifyMediaReconnected
DhcpOpenGlobalEvent
DhcpPersistentRequestParams
DhcpRegisterOptions
DhcpRegisterParamChange
DhcpReleaseIpAddressLease
DhcpReleaseIpAddressLeaseEx
DhcpReleaseParameters
DhcpRemoveDNSRegistrations
DhcpRenewIpAddressLease
DhcpRenewIpAddressLeaseEx
DhcpRequestOptions
DhcpRequestParams
DhcpStaticRefreshParams
DhcpUndoRequestParams
McastApiCleanup
McastApiStartup
McastEnumerateScopes
McastGenUID
McastReleaseAddress
McastRenewAddress

Sections

.text
Size: 100KB - Virtual size: 97KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.rdata
Size: 24KB - Virtual size: 20KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.data
Size: 12KB - Virtual size: 16KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.rsrc
Size: 4KB - Virtual size: 294B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.reloc
Size: 8KB - Virtual size: 7KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ

Sharing

General

Malware Config

Signatures

Files

49c47199290dbaa5aed34e29e0c53b14

Headers

File Characteristics

Imports

oleaut32

user32

kernel32

advapi32

shell32

ws2_32

userenv

iphlpapi

msvcrt

Exports

Exports

Sections

.text Size: 100KB - Virtual size: 97KB

.rdata Size: 24KB - Virtual size: 20KB

.data Size: 12KB - Virtual size: 16KB

.rsrc Size: 4KB - Virtual size: 294B

.reloc Size: 8KB - Virtual size: 7KB

.text
Size: 100KB - Virtual size: 97KB

.rdata
Size: 24KB - Virtual size: 20KB

.data
Size: 12KB - Virtual size: 16KB

.rsrc
Size: 4KB - Virtual size: 294B

.reloc
Size: 8KB - Virtual size: 7KB