gh0strat | 8b2ac9abb95daefa5728a5e9d4e7526d_JaffaCakes118

Sharing

Copy URL Twitter E-mail

General

Target

8b2ac9abb95daefa5728a5e9d4e7526d_JaffaCakes118
Size

107KB
MD5

8b2ac9abb95daefa5728a5e9d4e7526d
SHA1

cd8bd69aa80aac744a2df8a86b427df269faf95c
SHA256

09308f1fcb3e5ae9dfee6cb95bdca13e4228caea2ec419c66756db124687f719
SHA512

2fd008f8662851aca9f15467ff09d9a6585ebf0b31592ab349f16a2ae3db0c10e8c30734eedbb306ac1083e357985f0e4c59e0e23eb3ba3a7381f8b4f956db97
SSDEEP

1536:gkw1R4KRtAS6WpRn0VPxnnMPnxF1N84GdRc8+1f4XedL0sR0bpGwOPSYlI:W1RdDIpwNqxdRf+t4Xe50sR0bpGwKc

Score

10^/10

gh0strat

Malware Config

Signatures

Gh0st RAT payload 1 IoCs

resource	yara_rule
sample	family_gh0strat

Gh0strat family
gh0strat

Unsigned PE 1 IoCs

Checks for missing Authenticode signature.

resource
8b2ac9abb95daefa5728a5e9d4e7526d_JaffaCakes118

Files

8b2ac9abb95daefa5728a5e9d4e7526d_JaffaCakes118
.dll windows:4 windows x86 arch:x86

7064c7b403c356d9e93a701d4acfacc9

Headers

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LINE_NUMS_STRIPPED
IMAGE_FILE_LOCAL_SYMS_STRIPPED
IMAGE_FILE_32BIT_MACHINE
IMAGE_FILE_DLL

Imports

kernel32

FindFirstFileA
LocalAlloc
GetFileSize
ReadFile
SetFilePointer
MoveFileA
CreateProcessA
Process32Next
lstrcmpiA
Process32First
HeapFree
MapViewOfFile
CreateFileMappingA
UnmapViewOfFile
GetModuleHandleA
GlobalFree
GlobalUnlock
LocalFree
GlobalAlloc
GlobalSize
GetStartupInfoA
WaitForMultipleObjects
LocalSize
GetCurrentThreadId
GlobalMemoryStatus
GetSystemInfo
GetComputerNameA
OpenEventA
SetErrorMode
GetCurrentProcess
LocalReAlloc
ExpandEnvironmentStringsA
CreateFileA
FindClose
GetLogicalDriveStringsA
GetVolumeInformationA
GetDiskFreeSpaceExA
GetProcAddress
GetDriveTypeA
lstrlenA
lstrcpyA
GetFileAttributesA
CreateDirectoryA
GetProcessHeap
HeapAlloc
GetCurrentProcessId
GetLocalTime
GetTickCount
CancelIo
InterlockedExchange
ResetEvent
GetLastError
VirtualAlloc
EnterCriticalSection
LeaveCriticalSection
DeleteCriticalSection
CreateThread
ResumeThread
SetEvent
Sleep
TerminateThread
CopyFileA
FindNextFileA
FreeLibrary
LoadLibraryA
GlobalLock

user32

RegisterClassA
LoadIconA
LoadMenuA
CreateWindowExA
CloseWindow
IsWindow
PostMessageA
GetThreadDesktop
GetUserObjectInformationA
OpenInputDesktop
SetThreadDesktop
CloseDesktop
IsWindowVisible
GetWindowThreadProcessId
ExitWindowsEx
GetCursorPos
GetCursorInfo
DestroyCursor
ReleaseDC
GetDesktopWindow
GetDC
SetRect
GetSystemMetrics
GetClipboardData
OpenClipboard
EmptyClipboard
SetClipboardData
CloseClipboard
mouse_event
SetCursorPos
WindowFromPoint
DispatchMessageA
TranslateMessage
GetMessageA
CharNextA
GetWindowTextA
MessageBoxA
LoadCursorA
BlockInput
SendMessageA
keybd_event
MapVirtualKeyA
SetCapture
OpenDesktopA

gdi32

GetStockObject

advapi32

RegSaveKeyA
RegDeleteKeyA
RegRestoreKeyA
RegCloseKey
RegQueryValueExA
RegOpenKeyExA
CloseEventLog
ClearEventLogA
OpenEventLogA
RegSetValueExA
RegCreateKeyExA
CloseServiceHandle
DeleteService
FreeSid
SetSecurityDescriptorDacl
AddAccessAllowedAce
InitializeAcl
GetLengthSid
AllocateAndInitializeSid
InitializeSecurityDescriptor
SetServiceStatus
RegisterServiceCtrlHandlerA
UnlockServiceDatabase
ChangeServiceConfig2A
LockServiceDatabase
CreateServiceA
StartServiceA
AdjustTokenPrivileges
LookupPrivilegeValueA
OpenProcessToken

shell32

SHGetSpecialFolderPathA

msvcrt

rand
sprintf
strncpy
free
malloc
_except_handler3
strrchr
_beginthreadex
atoi
_CxxThrowException
_access
srand
calloc
??1type_info@@UAE@XZ
_initterm
_adjust_fdiv
strstr
??2@YAPAXI@Z
??3@YAXPAX@Z
puts
__CxxFrameHandler
memmove
_stricmp
putchar
ceil
wcstombs
_strrev
_ftol

ws2_32

sendto
WSASocketA
htonl
getsockname
inet_addr
send
closesocket
select
recv
socket
gethostbyname
htons
setsockopt
WSAIoctl
WSACleanup
WSAStartup
connect

msvcp60

?_Split@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@AAEXXZ
?npos@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@2IB
?_Xran@std@@YAXXZ
?_Eos@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@AAEXI@Z
?_Refcnt@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@AAEAAEPBD@Z
?_Grow@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@AAE_NI_N@Z
?assign@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV12@PBDI@Z
??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ
?_C@?1??_Nullstr@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@CAPBDXZ@4DB
?_Tidy@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@AAEX_N@Z

Exports

Exports

EndWork
Runing
ServiceMain
Working

Sections

.text
Size: 78KB - Virtual size: 78KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rdata
Size: 11KB - Virtual size: 11KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.data
Size: 9KB - Virtual size: 11KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.rsrc
Size: 1024B - Virtual size: 4KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.reloc
Size: 5KB - Virtual size: 5KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ
.data
.rdata
.reloc
.rsrc/BITMAP/103.bmp
.rsrc/MANIFEST/1
.xml
.rsrc/MENU/102
.text

Sharing

General

Malware Config

Signatures

Files

7064c7b403c356d9e93a701d4acfacc9

Headers

File Characteristics

Imports

kernel32

user32

gdi32

advapi32

shell32

msvcrt

ws2_32

msvcp60

Exports

Exports

Sections

.text Size: 78KB - Virtual size: 78KB

.rdata Size: 11KB - Virtual size: 11KB

.data Size: 9KB - Virtual size: 11KB

.rsrc Size: 1024B - Virtual size: 4KB

.reloc Size: 5KB - Virtual size: 5KB

.text
Size: 78KB - Virtual size: 78KB

.rdata
Size: 11KB - Virtual size: 11KB

.data
Size: 9KB - Virtual size: 11KB

.rsrc
Size: 1024B - Virtual size: 4KB

.reloc
Size: 5KB - Virtual size: 5KB