gh0strat | 60d324d6b941535c39284759b0b7bfc4_JaffaCakes118 | Triage

Sharing

Copy URL Twitter E-mail

General

Target

60d324d6b941535c39284759b0b7bfc4_JaffaCakes118
Size

156KB
MD5

60d324d6b941535c39284759b0b7bfc4
SHA1

224ad4c80685797e2f5ecfb1e41a940c7723ebcf
SHA256

c1fc66c915113f7c61ef11399da7935cf3e679bf1e73a78c713f1aad24c95227
SHA512

76dc653dfe1fa23dbe1fec5860754e3022affb351fb33716d0fcf458b7d4af5a1baea9db3e1a58bfdcbdce085e6d386746a4b1360bf2976bd6ff0a421ca54169
SSDEEP

3072:7Q+pCYLP6N2+9UCIuSUavir9/r5N8SmhTBftYQ1jh+anqZm:k+AYLSdnxuWxFdmhTBlYEjh+anq

Score

10^/10

gh0strat

Malware Config

Signatures

Gh0st RAT payload 1 IoCs

resource	yara_rule
sample	family_gh0strat

Gh0strat family
gh0strat

Unsigned PE 1 IoCs

Checks for missing Authenticode signature.

resource
60d324d6b941535c39284759b0b7bfc4_JaffaCakes118

Files

60d324d6b941535c39284759b0b7bfc4_JaffaCakes118
.dll windows:4 windows x86 arch:x86

Headers

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LINE_NUMS_STRIPPED
IMAGE_FILE_LOCAL_SYMS_STRIPPED
IMAGE_FILE_32BIT_MACHINE
IMAGE_FILE_DLL

Exports

Exports

AddEntryBootFileGpt
AddEntryBootFileMbr
CoDisableDynamicVolumes
DisplayError
DisplayErrorRgszw
DllMain
DmCommonNtOpenFile
DynamicSupport
FTrace
FTraceValist
FreeRgszw
GetErrorData
GetInstallDirectoryPath
GetSystemVolume
IsPersonalSKU
LowAcquirePrivilege
LowGetPartitionInfo
LowNtAddBootEntry
LowNtReadFile
LowNtReadOnlyAttributeOff
LowNtWriteFile
RgszwDupRgszw
RgszwFromArgs
RgszwFromValist
ShowMessage
ShowMessageValist
SzwDupSzw

Sections

.text
Size: 104KB - Virtual size: 100KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rdata
Size: 28KB - Virtual size: 26KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.data
Size: 12KB - Virtual size: 15KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.reloc
Size: 8KB - Virtual size: 6KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ