gh0strat | 85ff9d8631cdc42e1e4d8fc4d4b7506f_JaffaCakes118

Sharing

Copy URL Twitter E-mail

General

Target

85ff9d8631cdc42e1e4d8fc4d4b7506f_JaffaCakes118
Size

118KB
MD5

85ff9d8631cdc42e1e4d8fc4d4b7506f
SHA1

3ea72b275cf3ec623bb63a4e04c861f0e26eee57
SHA256

43fab2baae73bfbe32626139cdbb70c75f5e56b11cf403ed24f222dadaaf89b5
SHA512

ec5c7ca88e78a38b2fa9fc3f96371fa3494ce54600da526507f8e4a0674aa74ddbc224d771d452e5e6d3b5803c675d0722cb2118e59f6a3a949d111d02e741c7
SSDEEP

1536:f7wFlkLtj5uD1FH1TaiYIWQqCHIaWMLMX8BJNcB3/RfckyHEqlB+ff/342:f7wFlkLWDHBrYIHBJNG3/BckykG+fH

Score

10^/10

gh0strat

Malware Config

Signatures

Gh0st RAT payload 1 IoCs

resource	yara_rule
sample	family_gh0strat

Gh0strat family
gh0strat

Unsigned PE 1 IoCs

Checks for missing Authenticode signature.

resource
85ff9d8631cdc42e1e4d8fc4d4b7506f_JaffaCakes118

Files

85ff9d8631cdc42e1e4d8fc4d4b7506f_JaffaCakes118
.dll windows:4 windows x86 arch:x86

217c73bb0493d3517365c2da2c8aa8db

Headers

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LINE_NUMS_STRIPPED
IMAGE_FILE_LOCAL_SYMS_STRIPPED
IMAGE_FILE_32BIT_MACHINE
IMAGE_FILE_DLL

Imports

kernel32

DisconnectNamedPipe
PeekNamedPipe
GlobalMemoryStatusEx
GetSystemInfo
GetVersionExA
ReleaseMutex
OpenEventA
CreatePipe
GlobalUnlock
GetModuleFileNameA
FreeConsole
LocalSize
WaitForSingleObject
lstrcmpiA
RaiseException
GlobalSize
GlobalAlloc
SetErrorMode
GlobalLock
GlobalFree
UnmapViewOfFile
CreateFileMappingA
GetProcessHeap
GetTickCount
OpenProcess
WriteProcessMemory
DeviceIoControl
GetVersion
GetCurrentProcess
ExitProcess
Sleep
SetLastError
HeapAlloc
HeapFree
WriteFile
SetFilePointer
GetProcAddress
ReadFile
GetFileSize
LocalAlloc
LocalReAlloc
LocalFree
FindClose
lstrcatA
lstrlenA
GetLastError
InterlockedExchange
lstrcpyA
CloseHandle
VirtualAlloc
FreeLibrary
LoadLibraryA
SetUnhandledExceptionFilter

user32

GetSystemMetrics
SetRect
GetDC
GetClipboardData
GetCursorInfo
SetProcessWindowStation
IsWindow
CloseWindow
CreateWindowExA
wsprintfA
OpenClipboard
EmptyClipboard
SetClipboardData
CloseClipboard
mouse_event
SetCursorPos
SetCapture
MapVirtualKeyA
SendMessageA
BlockInput
ReleaseDC
MessageBoxA
GetActiveWindow
OpenWindowStationA
GetProcessWindowStation
GetWindowThreadProcessId
IsWindowVisible
EnumWindows
CloseDesktop
SetThreadDesktop
OpenInputDesktop
GetUserObjectInformationA
GetThreadDesktop
OpenDesktopA
DestroyCursor
LoadCursorA

gdi32

CreateCompatibleBitmap
GetDIBits
BitBlt
DeleteDC
DeleteObject
CreateCompatibleDC
SelectObject
CreateDIBSection

advapi32

RegCloseKey
RegisterServiceCtrlHandlerA
LookupPrivilegeValueA
DuplicateTokenEx
SetTokenInformation
CreateProcessAsUserA
InitializeSecurityDescriptor
CloseServiceHandle
DeleteService
ControlService
AdjustTokenPrivileges
OpenProcessToken
FreeSid
SetSecurityDescriptorDacl
AddAccessAllowedAce
InitializeAcl
GetLengthSid
AllocateAndInitializeSid

shell32

SHGetFileInfoA

shlwapi

SHDeleteKeyA

msvcrt

_strrev
_strnicmp
_initterm
_strnset
_adjust_fdiv
_strcmpi
??1type_info@@UAE@XZ
calloc
_beginthreadex
wcstombs
realloc
strncat
strtok
sprintf
rand
strchr
strncpy
atoi
strrchr
_except_handler3
malloc
free
??3@YAXPAX@Z
memmove
ceil
_ftol
strstr
__CxxFrameHandler
_CxxThrowException
??2@YAPAXI@Z

ws2_32

htonl
inet_addr
inet_ntoa
setsockopt
sendto
gethostname
recv
select
WSAStartup
WSAIoctl
connect
send
getsockname
closesocket
socket
gethostbyname
htons

msvcp60

?_Split@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@AAEXXZ
?_C@?1??_Nullstr@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@CAPBDXZ@4DB
??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ
?assign@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV12@PBDI@Z
?npos@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@2IB
?_Xran@std@@YAXXZ
?_Tidy@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@AAEX_N@Z
?_Eos@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@AAEXI@Z
?_Refcnt@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@AAEAAEPBD@Z
?_Grow@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@AAE_NI_N@Z

imm32

ImmReleaseContext
ImmGetContext
ImmGetCompositionStringA

msvfw32

ICSeqCompressFrame
ICSeqCompressFrameEnd
ICCompressorFree
ICSeqCompressFrameStart
ICSendMessage
ICOpen
ICClose

wtsapi32

WTSQueryUserToken

userenv

CreateEnvironmentBlock

psapi

GetModuleFileNameExA
EnumProcessModules

Exports

Exports

Eternal
Go
Heart
On
ServiceMain

Sections

.text
Size: 110KB - Virtual size: 109KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.rsrc
Size: 512B - Virtual size: 16B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.reloc
Size: 6KB - Virtual size: 6KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ

Sharing

General

Malware Config

Signatures

Files

217c73bb0493d3517365c2da2c8aa8db

Headers

File Characteristics

Imports

kernel32

user32

gdi32

advapi32

shell32

shlwapi

msvcrt

ws2_32

msvcp60

imm32

msvfw32

wtsapi32

userenv

psapi

Exports

Exports

Sections

.text Size: 110KB - Virtual size: 109KB

.rsrc Size: 512B - Virtual size: 16B

.reloc Size: 6KB - Virtual size: 6KB

.text
Size: 110KB - Virtual size: 109KB

.rsrc
Size: 512B - Virtual size: 16B

.reloc
Size: 6KB - Virtual size: 6KB