gh0strat | 8747d12875629640d6ec2095417f1d96_JaffaCakes118

General

Target

8747d12875629640d6ec2095417f1d96_JaffaCakes118
Size

192KB
MD5

8747d12875629640d6ec2095417f1d96
SHA1

df999a73e3d933f330141c4abcf6a71141520cb4
SHA256

3ba6b762c8b2c1256967cb09088ecb3db45fa07dad5f2cfab0a21f23d91c7faa
SHA512

08c080e49f7e685ae8d3b79ca7c550061ce87d3af0907623a5c6cc1db48aaef9833c1a62a86db956684d6ab2be932defa7b63cd0486e97fee70a98500d6240d2
SSDEEP

3072:kBhGnWQcl2NJf7jmp+uCQn+KJq1MMplOIFIvoudQ0H4rTBftn+Zr6:ChGnWQcANJDje82MPINf4rTBlnG

Score

10^/10

gh0strat

Malware Config

Signatures

Gh0st RAT payload 1 IoCs

resource	yara_rule
sample	family_gh0strat

Gh0strat family
gh0strat

Unsigned PE 1 IoCs

Checks for missing Authenticode signature.

resource
8747d12875629640d6ec2095417f1d96_JaffaCakes118

Files

8747d12875629640d6ec2095417f1d96_JaffaCakes118
.exe windows:4 windows x86 arch:x86

eb527601ba3458c5132d28447e393ca2

Headers

File Characteristics

IMAGE_FILE_RELOCS_STRIPPED
IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LINE_NUMS_STRIPPED
IMAGE_FILE_LOCAL_SYMS_STRIPPED
IMAGE_FILE_32BIT_MACHINE

Imports

kernel32

GetProcAddress
GetModuleHandleA
GetLastError
Sleep
ExitProcess
LoadLibraryA
GetCurrentDirectoryA
GetTempPathA
CloseHandle
WriteFile
SetFilePointer
CreateFileA
SleepEx
CreateEventA
WaitForSingleObject
GetCurrentProcess
GetTickCount
ExpandEnvironmentStringsA
GetSystemDirectoryA
SetEnvironmentVariableA
SetUnhandledExceptionFilter
CreateProcessA
GetStartupInfoA
CopyFileA
GetCommandLineA
GetCurrentThreadId
GetModuleFileNameA
CreateDirectoryA
DeleteFileA
SetFileAttributesA
GetFileAttributesA
IsBadWritePtr
LocalAlloc
RaiseException
InterlockedExchange
FreeLibrary

user32

wsprintfA
GetActiveWindow
FlashWindow

msvcrt

_except_handler3
memset
__CxxFrameHandler
memmove
srand
rand
_ftol
tolower
strncmp
??1type_info@@UAE@XZ
_exit
_XcptFilter
exit
_acmdln
__getmainargs
_initterm
__setusermatherr
_adjust_fdiv
__p__commode
__p__fmode
__set_app_type
_controlfp
_itoa

shlwapi

SHGetValueA
PathFileExistsA
SHDeleteKeyA
SHCopyKeyA

ws2_32

closesocket
getprotobynumber

Sections

CODE
Size: 16KB - Virtual size: 13KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rdata
Size: 4KB - Virtual size: 3KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.data
Size: 164KB - Virtual size: 166KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.rsrc
Size: 4KB - Virtual size: 1KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

Sharing

General

Malware Config

Signatures

Files

eb527601ba3458c5132d28447e393ca2

Headers

File Characteristics

Imports

kernel32

user32

msvcrt

shlwapi

ws2_32

Sections

CODE Size: 16KB - Virtual size: 13KB

.rdata Size: 4KB - Virtual size: 3KB

.data Size: 164KB - Virtual size: 166KB

.rsrc Size: 4KB - Virtual size: 1KB

CODE
Size: 16KB - Virtual size: 13KB

.rdata
Size: 4KB - Virtual size: 3KB

.data
Size: 164KB - Virtual size: 166KB

.rsrc
Size: 4KB - Virtual size: 1KB