gh0strat | 6a91824004ccdf0f3f8550404bf8f057_JaffaCakes118

Sharing

Copy URL Twitter E-mail

General

Target

6a91824004ccdf0f3f8550404bf8f057_JaffaCakes118
Size

147KB
MD5

6a91824004ccdf0f3f8550404bf8f057
SHA1

2a09ea828a251478d79710ba3c4340a774e98f1a
SHA256

1f9ff2755e1eb16c03e502a58f522d47d54039591cebabc63b72e72812237acb
SHA512

fcce637d6e369aabf2f351c33bfffdd8a0aae3e53e37dc4ac7e0eda71d2e6a9f34dd746cf7ca7f2af397a2e109a91f12a31d49ae2104e9311cb928e459083f5c
SSDEEP

3072:AiaaIIf5xahjfNfpDhBis1MWVUvwLZnrH9Nj:A/WHahJJhA+bUvw1nb

Score

10^/10

gh0strat

Malware Config

Signatures

Gh0st RAT payload 1 IoCs

resource	yara_rule
sample	family_gh0strat

Gh0strat family
gh0strat

Files

6a91824004ccdf0f3f8550404bf8f057_JaffaCakes118
.exe windows:4 windows x86 arch:x86

e8e5e2d613c0aaf2559e5dff4d75bff9

Code Sign

38:25:d7:fa:f8:61:af:9e:f4:90:e7:26:b5:d6:5a:d5
Certificate

Issuer

CN=VeriSign Time Stamping Services CA,O=VeriSign\, Inc.,C=US

Not Before

15/06/2007, 00:00

Not After

14/06/2012, 23:59

Subject

CN=VeriSign Time Stamping Services Signer - G2,O=VeriSign\, Inc.,C=US

Extended Key Usages

ExtKeyUsageTimeStamping

Key Usages

KeyUsageDigitalSignature
KeyUsageContentCommitment

47:bf:19:95:df:8d:52:46:43:f7:db:6d:48:0d:31:a4
Certificate

Issuer

CN=Thawte Timestamping CA,OU=Thawte Certification,O=Thawte,L=Durbanville,ST=Western Cape,C=ZA

Not Before

04/12/2003, 00:00

Not After

03/12/2013, 23:59

Subject

CN=VeriSign Time Stamping Services CA,O=VeriSign\, Inc.,C=US

Extended Key Usages

ExtKeyUsageTimeStamping

Key Usages

KeyUsageCertSign
KeyUsageCRLSign

41:91:a1:5a:39:78:df:cf:49:65:66:38:1d:4c:75:c2
Certificate

Issuer

OU=Class 3 Public Primary Certification Authority,O=VeriSign\, Inc.,C=US

Not Before

16/07/2004, 00:00

Not After

15/07/2014, 23:59

Subject

CN=VeriSign Class 3 Code Signing 2004 CA,OU=VeriSign Trust Network+OU=Terms of use at https://www.verisign.com/rpa (c)04,O=VeriSign\, Inc.,C=US

Extended Key Usages

ExtKeyUsageClientAuth
ExtKeyUsageCodeSigning

Key Usages

KeyUsageCertSign
KeyUsageCRLSign

77:8b:d7:e8:bb:92:7c:a9:65:11:90:8a:d9:41:d0:28
Certificate

Issuer

CN=VeriSign Class 3 Code Signing 2004 CA,OU=VeriSign Trust Network+OU=Terms of use at https://www.verisign.com/rpa (c)04,O=VeriSign\, Inc.,C=US

Not Before

21/02/2008, 00:00

Not After

13/03/2009, 23:59

Subject

CN=Kaspersky Lab,OU=Digital ID Class 3 - Microsoft Software Validation v2+OU=Technical dept,O=Kaspersky Lab,L=Moscow,ST=Moscow,C=RU

Extended Key Usages

ExtKeyUsageCodeSigning

Key Usages

KeyUsageDigitalSignature

17:04:9d:38:0e:e2:d7:cf:09:50:e5:de:b1:d7:3f:61:7d:c5:1b:91
Signer

Actual PE Digest

17:04:9d:38:0e:e2:d7:cf:09:50:e5:de:b1:d7:3f:61:7d:c5:1b:91

Digest Algorithm

sha1

PE Digest Matches

false

Headers

File Characteristics

IMAGE_FILE_RELOCS_STRIPPED
IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LINE_NUMS_STRIPPED
IMAGE_FILE_LOCAL_SYMS_STRIPPED
IMAGE_FILE_32BIT_MACHINE

Imports

kernel32

WaitForSingleObject
CreateEventA
LoadLibraryA
GetTickCount
GetModuleFileNameA
FindResourceA
LoadResource
LockResource
SizeofResource
DeleteFileA
CreateFileA
WriteFile
FreeResource
CloseHandle
GetWindowsDirectoryA
GetModuleHandleA
GetStartupInfoA

advapi32

OpenServiceA
OpenSCManagerA
ChangeServiceConfigA
ControlService
StartServiceA
CloseServiceHandle
RegCreateKeyExA
RegOpenKeyA
RegSetValueExA
RegCloseKey

msvcrt

srand
_exit
_XcptFilter
exit
_acmdln
__getmainargs
_initterm
__setusermatherr
_adjust_fdiv
__p__commode
__p__fmode
__set_app_type
_except_handler3
_controlfp
sprintf
rand

Sections

.text
Size: 4KB - Virtual size: 1KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rdata
Size: 4KB - Virtual size: 1KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.data
Size: 4KB - Virtual size: 204B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.rsrc
Size: 124KB - Virtual size: 124KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

Sharing

General

Malware Config

Signatures

Files

e8e5e2d613c0aaf2559e5dff4d75bff9

Code Sign

38:25:d7:fa:f8:61:af:9e:f4:90:e7:26:b5:d6:5a:d5Certificate

Extended Key Usages

Key Usages

47:bf:19:95:df:8d:52:46:43:f7:db:6d:48:0d:31:a4Certificate

Extended Key Usages

Key Usages

41:91:a1:5a:39:78:df:cf:49:65:66:38:1d:4c:75:c2Certificate

Extended Key Usages

Key Usages

77:8b:d7:e8:bb:92:7c:a9:65:11:90:8a:d9:41:d0:28Certificate

Extended Key Usages

Key Usages

17:04:9d:38:0e:e2:d7:cf:09:50:e5:de:b1:d7:3f:61:7d:c5:1b:91Signer

Headers

File Characteristics

Imports

kernel32

advapi32

msvcrt

Sections

.text Size: 4KB - Virtual size: 1KB

.rdata Size: 4KB - Virtual size: 1KB

.data Size: 4KB - Virtual size: 204B

.rsrc Size: 124KB - Virtual size: 124KB

38:25:d7:fa:f8:61:af:9e:f4:90:e7:26:b5:d6:5a:d5
Certificate

47:bf:19:95:df:8d:52:46:43:f7:db:6d:48:0d:31:a4
Certificate

41:91:a1:5a:39:78:df:cf:49:65:66:38:1d:4c:75:c2
Certificate

77:8b:d7:e8:bb:92:7c:a9:65:11:90:8a:d9:41:d0:28
Certificate

17:04:9d:38:0e:e2:d7:cf:09:50:e5:de:b1:d7:3f:61:7d:c5:1b:91
Signer

.text
Size: 4KB - Virtual size: 1KB

.rdata
Size: 4KB - Virtual size: 1KB

.data
Size: 4KB - Virtual size: 204B

.rsrc
Size: 124KB - Virtual size: 124KB