gh0strat | 6ee7f6bf5505cc885ac0a95ae19324f5_JaffaCakes118

Sharing

Copy URL

Twitter E-mail

General

Target

6ee7f6bf5505cc885ac0a95ae19324f5_JaffaCakes118
Size

152KB
MD5

6ee7f6bf5505cc885ac0a95ae19324f5
SHA1

54915c55e6d3b21d87fc4e35366699707f33dec4
SHA256

871f912eb4cdff6f24d3911e16c89bbe6c4eb2a1782a91d7c4449af442910f53
SHA512

72b875bc9976002c1a05eb8e53b693bae6ae4dfe22c141778512097b41d7445b549f7bc8732ad4990a8d0488e236693001ba4af7ab1d3b88d47fae0e63cc575f
SSDEEP

3072:g6Ikclbbo89wROjOsitwWfhduRIPtTBftk9X6TXyom:TIDlbbo6Y3siJvPtTBlKX6mom

Score

10^/10

gh0strat

Malware Config

Signatures

Gh0st RAT payload 1 IoCs

resource	yara_rule
sample	family_gh0strat

Gh0strat family
gh0strat

Unsigned PE 1 IoCs

Checks for missing Authenticode signature.

resource
6ee7f6bf5505cc885ac0a95ae19324f5_JaffaCakes118

Files

6ee7f6bf5505cc885ac0a95ae19324f5_JaffaCakes118
.dll windows:4 windows x86 arch:x86

3b3ecc0cb3ed95ff51433e27369088b5

Headers

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LINE_NUMS_STRIPPED
IMAGE_FILE_LOCAL_SYMS_STRIPPED
IMAGE_FILE_32BIT_MACHINE
IMAGE_FILE_DLL

Imports

shlwapi

SHDeleteKeyA

user32

wsprintfA
CopyRect
SendMessageTimeoutA
wvsprintfA
CloseWindowStation
GetCursorInfo
PtInRect
DestroyCursor
LoadCursorA
DestroyWindow
CreateWindowExA
GetWindowRect
EnableWindow
ShowWindow
GetWindow
GetClassNameA
MessageBoxA

oleaut32

SysFreeString

advapi32

RegRestoreKeyA
RegSaveKeyA
RegOpenKeyExW
RegisterServiceCtrlHandlerExA

kernel32

IsBadWritePtr
FormatMessageA
SetUnhandledExceptionFilter
IsBadStringPtrW
IsBadReadPtr
ExitThread
RemoveDirectoryA
DeleteFileA
GetProcessTimes
GetPrivateProfileSectionNamesA
GetPrivateProfileStringA
InitializeCriticalSection
HeapAlloc
GetProcessHeap
HeapFree
LocalAlloc
RaiseException
LoadLibraryA
GlobalMemoryStatusEx
GetSystemInfo
GetLastError
lstrcmpiA
GetTickCount
ExitProcess
GetSystemDirectoryA
InterlockedExchange
LeaveCriticalSection
GlobalFree
GlobalUnlock
GlobalLock
GlobalAlloc
GlobalSize
GetCurrentThreadId
GetShortPathNameA
GetTempFileNameA
GetCommandLineA
VirtualQuery
GetProcAddress
GetModuleHandleA
GetCurrentProcessId
GetFileAttributesExA
lstrcmpA
MultiByteToWideChar
SetEnvironmentVariableA
GetTempPathA
GetCurrentProcess
GetLongPathNameA
GetModuleFileNameA
GetVersionExA
FreeLibrary
GetLocalTime

userenv

GetUserProfileDirectoryA
GetProfilesDirectoryA

ws2_32

gethostbyname
closesocket
shutdown
send
recv
gethostname
getsockname
connect
socket
WSAStartup
WSACleanup
WSAIoctl
setsockopt
select

msvcrt

atoi
strncpy
free
_onexit
__dllonexit
_adjust_fdiv
_initterm
_wcsicmp
_strupr
_stricmp
_strlwr
_memicmp
_callnewh
strncat
wcstombs
__CxxFrameHandler
ceil
_beginthreadex
wcslen
_ftol
time
srand
rand
realloc
memmove
strchr
_except_handler3
strrchr
malloc

Exports

Exports

?COMToCRBvr@@YGPAVCRBvr@@PAUIUnknown@@@Z
?CRAbs@@YGPAVCRNumber@@PAV1@@Z
?CRAcos
?CRAcquireGCLock@@YG_NXZ
?CRAdd
?CRAdd@@YGPAVCRNumber@@PAV1@0@Z
?CRAdd@@YGPAVCRPoint2@@PAV1@PAVCRVector2@@@Z
?CRAdd@@YGPAVCRVector2@@PAV1@0@Z
?CRAdd@@YGPAVCRVector3@@PAV1@0@Z
?CRAddBvrToRun@@YG_NPAVCRView@@PAVCRBvr@@_NPAJ@Z
?CRAddElement@@YGJPAVCRArray@@PAVCRBvr@@K@Z
?CRAddPickData@@YGPAVCRGeometry@@PAV1@PAUIUnknown@@_N@Z
?CRAddPickData@@YGPAVCRImage@@PAV1@PAUIUnknown@@_N@Z
?CRAddRefGC@@YG_NPAX@Z
?CRAddSite@@YG_NPAVCRSite@@@Z
?CRAlways@@YGPAVCREvent@@XZ
?CRAmbientColor@@YGPAVCRGeometry@@PAV1@PAVCRColor@@@Z
?CRAmbientLight@@YGPAVCRGeometry@@XZ
?CRAnd@@YGPAVCRBoolean@@PAV1@0@Z
?CRAndEvent@@YGPAVCREvent@@PAV1@0@Z
?CRAntiAliasing@@YGPAVCRFontStyle@@PAV1@N@Z
?CRAntiAliasing@@YGPAVCRLineStyle@@PAV1@N@Z
?CRAppTriggeredEvent@@YGPAVCREvent@@XZ
?CRApplyDXTransform
?CRAqua@@YGPAVCRColor@@XZ
?CRArc@@YGPAVCRPath2@@NNNN@Z
?CRArcRadians@@YGPAVCRPath2@@NNNN@Z
?CRArcRadians@@YGPAVCRPath2@@PAVCRNumber@@000@Z
?CRAsin@@YGPAVCRNumber@@PAV1@@Z
?CRAtan2@@YGPAVCRNumber@@PAV1@0@Z
?CRAtan@@YGPAVCRNumber@@PAV1@@Z
?CRAttachData@@YGPAVCREvent@@PAV1@PAVCRBvr@@@Z
?CRBSpline@@YGPAVCRBvr@@HJQAPAVCRNumber@@JQAPAV1@J0PAV2@W4CR_BVR_TYPEID@@@Z
?CRBillboard@@YGPAVCRGeometry@@PAV1@PAVCRVector3@@@Z
?CRBlack@@YGPAVCRColor@@XZ
?CRBlendTextureDiffuse@@YGPAVCRGeometry@@PAV1@PAVCRBoolean@@@Z
?CRBlue@@YGPAVCRColor@@XZ
?CRBold@@YGPAVCRFontStyle@@PAV1@@Z
?CRBoundingBox@@YGPAVCRBbox2@@PAVCRImage@@@Z
?CRBoundingBox@@YGPAVCRBbox2@@PAVCRPath2@@PAVCRLineStyle@@@Z
?CRBoundingBox@@YGPAVCRBbox3@@PAVCRGeometry@@@Z
?CRBvrApplyPreference@@YGPAVCRBvr@@PAV1@PAGUtagVARIANT@@@Z
?CRBvrToCOM@@YG_NPAVCRBvr@@ABU_GUID@@PAPAX@Z
?CRCeiling@@YGPAVCRNumber@@PAV1@@Z
?CRClearLastError
?CRClearMatte@@YGPAVCRMatte@@XZ
?CRClip@@YGPAVCRImage@@PAV1@PAVCRMatte@@@Z
?CRClipPolygonImage@@YGPAVCRImage@@PAV1@PAVCRArray@@@Z
?CRClose@@YGPAVCRPath2@@PAV1@@Z
?CRColorHsl

Sections

.text
Size: 100KB - Virtual size: 99KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rdata
Size: 24KB - Virtual size: 21KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.data
Size: 12KB - Virtual size: 17KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.rsrc
Size: 4KB - Virtual size: 294B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.reloc
Size: 8KB - Virtual size: 7KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ

Sharing

General

Malware Config

Signatures

Files

3b3ecc0cb3ed95ff51433e27369088b5

Headers

File Characteristics

Imports

shlwapi

user32

oleaut32

advapi32

kernel32

userenv

ws2_32

msvcrt

Exports

Exports

Sections

.text Size: 100KB - Virtual size: 99KB

.rdata Size: 24KB - Virtual size: 21KB

.data Size: 12KB - Virtual size: 17KB

.rsrc Size: 4KB - Virtual size: 294B

.reloc Size: 8KB - Virtual size: 7KB

.text
Size: 100KB - Virtual size: 99KB

.rdata
Size: 24KB - Virtual size: 21KB

.data
Size: 12KB - Virtual size: 17KB

.rsrc
Size: 4KB - Virtual size: 294B

.reloc
Size: 8KB - Virtual size: 7KB