gh0strat | 857e22a2df4095ad1e5e12afe8a5675d_JaffaCakes118

Sharing

Copy URL Twitter E-mail

General

Target

857e22a2df4095ad1e5e12afe8a5675d_JaffaCakes118
Size

134KB
MD5

857e22a2df4095ad1e5e12afe8a5675d
SHA1

5f686796cf9148d70909fb1094ca899d8ee2be04
SHA256

d96404dec296f602701e96a321096318c538eb8fccd64b52eba912051688636a
SHA512

9beb74b6db3125174cf9e39be9efb7183e508493ebda31601bf418dc6f91361217e9d42abe17bb3ae2a017c67c8b1627d947de0a84ce0e89509dfcbdb823872e
SSDEEP

3072:UP6w5AZb+3fLhgzf61iWaRIpcSYmfJ09:BsvL+zWK6cSY

Score

10^/10

gh0strat

Malware Config

Signatures

Gh0st RAT payload 1 IoCs

resource	yara_rule
sample	family_gh0strat

Gh0strat family
gh0strat

Unsigned PE 1 IoCs

Checks for missing Authenticode signature.

resource
857e22a2df4095ad1e5e12afe8a5675d_JaffaCakes118

Files

857e22a2df4095ad1e5e12afe8a5675d_JaffaCakes118
.dll windows:4 windows x86 arch:x86

248830c9c303e907c81f9777a250572d

Headers

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LINE_NUMS_STRIPPED
IMAGE_FILE_LOCAL_SYMS_STRIPPED
IMAGE_FILE_32BIT_MACHINE
IMAGE_FILE_DLL

Imports

kernel32

WideCharToMultiByte
lstrcmpA
GetPrivateProfileStringA
GetVersionExA
GetLastError
CreateDirectoryA
lstrlenA
GetDiskFreeSpaceExA
FindClose
LocalFree
LocalReAlloc
LocalAlloc
RemoveDirectoryA
GetFileSize
CreateFileA
ReadFile
WriteFile
MoveFileA
lstrcatA
SetFilePointer
GetModuleFileNameA
SetLastError
CopyFileA
GetCurrentProcess
VirtualAllocEx
GetTempPathA
GetLocalTime
MoveFileExA
GetTickCount
HeapFree
GetProcessHeap
HeapAlloc
ResetEvent
GlobalFree
MultiByteToWideChar
GlobalLock
GlobalAlloc
GlobalSize
LocalSize
GetStartupInfoA
CreatePipe
DisconnectNamedPipe
PeekNamedPipe
WaitForMultipleObjects
GlobalMemoryStatusEx
DeviceIoControl
GetSystemInfo
ReleaseMutex
OpenEventA
SetErrorMode
CreateMutexA
SetUnhandledExceptionFilter
FreeConsole
CreateToolhelp32Snapshot
lstrcmpiA
GetCurrentThreadId
CreateRemoteThread
GetModuleHandleA
OpenProcess
Module32Next
Module32First
EnterCriticalSection
LeaveCriticalSection
DeleteCriticalSection
ResumeThread
RaiseException
InterlockedExchange
SetEvent
WaitForSingleObject
DeleteFileA
FreeLibrary
GetFileAttributesA
GlobalUnlock
Sleep
LoadLibraryA
GetProcAddress
lstrcpyA
CloseHandle
UnmapViewOfFile
CreateEventA

user32

SetProcessWindowStation
GetCursorPos
GetCursorInfo
ReleaseDC
GetDesktopWindow
GetDC
SetRect
GetClipboardData
OpenClipboard
EmptyClipboard
SetClipboardData
CloseClipboard
mouse_event
SetCursorPos
OpenWindowStationA
SetCapture
MapVirtualKeyA
keybd_event
SystemParametersInfoA
DestroyCursor
CloseWindow
DispatchMessageA
TranslateMessage
ExitWindowsEx
wsprintfA
CharNextA
MessageBoxA
GetSystemMetrics
IsWindow
SendMessageA
WindowFromPoint
DefWindowProcA
PostQuitMessage
LoadCursorA
LoadIconA
RegisterClassA
CreateWindowExA
ShowWindow
UpdateWindow
UnhookWindowsHookEx
CallNextHookEx
GetActiveWindow
CloseDesktop
SetThreadDesktop
OpenInputDesktop
GetUserObjectInformationA
GetAsyncKeyState
GetForegroundWindow
GetWindowTextA
EnumWindows
IsWindowVisible
GetWindowThreadProcessId
GetProcessWindowStation
GetThreadDesktop
GetMessageA
OpenDesktopA
PostMessageA

gdi32

CreateCompatibleDC
CreateDIBSection
SelectObject
GetStockObject
CreateCompatibleBitmap
DeleteObject
DeleteDC
BitBlt
GetDIBits

shell32

SHGetSpecialFolderPathA
SHGetFileInfoA

shlwapi

SHDeleteKeyA

msvcrt

_snprintf
_beginthreadex
wcstombs
atol
strchr
strncat
sprintf
strncmp
_strcmpi
atoi
realloc
calloc
fwrite
fclose
strncpy
strrchr
malloc
free
_except_handler3
strstr
_ftol
ceil
memmove
__CxxFrameHandler
??3@YAXPAX@Z
??2@YAPAXI@Z
_initterm
_adjust_fdiv
_strnset
_strrev
_stricmp
_strnicmp
fopen

winmm

waveInStart
waveInAddBuffer
waveInPrepareHeader
waveOutPrepareHeader
waveInGetNumDevs
waveOutOpen

userenv

GetProfilesDirectoryA
GetUserProfileDirectoryA

msvcp60

?_Grow@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@AAE_NI_N@Z
?assign@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV12@PBDI@Z
??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ
?_C@?1??_Nullstr@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@CAPBDXZ@4DB
?_Tidy@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@AAEX_N@Z
?npos@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@2IB
?_Xran@std@@YAXXZ
?_Split@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@AAEXXZ
?_Eos@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@AAEXI@Z
?_Refcnt@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@AAEAAEPBD@Z

psapi

GetModuleFileNameExA
EnumProcessModules
GetProcessMemoryInfo

imm32

ImmReleaseContext
ImmGetContext
ImmGetCompositionStringA

avicap32

capCreateCaptureWindowA
capGetDriverDescriptionA

msvfw32

ICCompressorFree
ICOpen
ICSendMessage
ICSeqCompressFrameStart
ICSeqCompressFrame
ICSeqCompressFrameEnd
ICClose

wtsapi32

WTSFreeMemory
WTSQueryUserToken
WTSQuerySessionInformationA

Exports

Exports

CodeMain
CodeService
MainCode
MainService
ServiceCode
ServiceMain

Sections

.text
Size: 97KB - Virtual size: 97KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rdata
Size: 15KB - Virtual size: 14KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.data
Size: 11KB - Virtual size: 26KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.rsrc
Size: 1KB - Virtual size: 1KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.reloc
Size: 7KB - Virtual size: 7KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ

Sharing

General

Malware Config

Signatures

Files

248830c9c303e907c81f9777a250572d

Headers

File Characteristics

Imports

kernel32

user32

gdi32

shell32

shlwapi

msvcrt

winmm

userenv

msvcp60

psapi

imm32

avicap32

msvfw32

wtsapi32

Exports

Exports

Sections

.text Size: 97KB - Virtual size: 97KB

.rdata Size: 15KB - Virtual size: 14KB

.data Size: 11KB - Virtual size: 26KB

.rsrc Size: 1KB - Virtual size: 1KB

.reloc Size: 7KB - Virtual size: 7KB

.text
Size: 97KB - Virtual size: 97KB

.rdata
Size: 15KB - Virtual size: 14KB

.data
Size: 11KB - Virtual size: 26KB

.rsrc
Size: 1KB - Virtual size: 1KB

.reloc
Size: 7KB - Virtual size: 7KB