gh0strat | 958840c408463e9c6b70c0d76c1eb5e8_JaffaCakes118

Sharing

Copy URL Twitter E-mail

General

Target

958840c408463e9c6b70c0d76c1eb5e8_JaffaCakes118
Size

122KB
MD5

958840c408463e9c6b70c0d76c1eb5e8
SHA1

40f247a3cd13c4fce93aed3e1f16c0205c168e3a
SHA256

481a2be8cc5eec17c76aeba156eb8f8edb1b0965dcd40bb8bd805413969bfd57
SHA512

a1eb8cccdc120fd80d236ee45752611e5293660ca923fbbb3f7886cad7ebc42036b0fc967e7743d9a089a892f2fea527e2c5bcdfd35c4383a94cf981ce63d984
SSDEEP

3072:W87ei5tAEOZzMoLJbJdQeU79BknqA1kxb2j:FtjnORVJOvPEqAaB2

Score

10^/10

gh0strat

Malware Config

Signatures

Gh0st RAT payload 1 IoCs

resource	yara_rule
sample	family_gh0strat

Gh0strat family
gh0strat

Unsigned PE 1 IoCs

Checks for missing Authenticode signature.

resource
958840c408463e9c6b70c0d76c1eb5e8_JaffaCakes118

Files

958840c408463e9c6b70c0d76c1eb5e8_JaffaCakes118
.dll windows:4 windows x86 arch:x86

3012019a25e3bb601648ccd0b7a9211b

Headers

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LINE_NUMS_STRIPPED
IMAGE_FILE_LOCAL_SYMS_STRIPPED
IMAGE_FILE_32BIT_MACHINE
IMAGE_FILE_DLL

Imports

kernel32

GlobalFree
GlobalUnlock
GlobalLock
GlobalAlloc
GlobalSize
GetStartupInfoA
CreatePipe
DisconnectNamedPipe
TerminateProcess
PeekNamedPipe
WaitForMultipleObjects
GlobalMemoryStatusEx
WriteFile
LocalSize
OpenEventA
SetErrorMode
CreateMutexA
SetUnhandledExceptionFilter
FreeConsole
Process32Next
Process32First
CreateToolhelp32Snapshot
lstrcmpiA
GetCurrentThreadId
HeapFree
ExpandEnvironmentStringsA
MoveFileExA
UnmapViewOfFile
CreateFileMappingA
ReleaseMutex
MapViewOfFile
SetFilePointer
ReadFile
CreateFileA
OpenProcess
RemoveDirectoryA
LocalAlloc
FindFirstFileA
LocalReAlloc
FindNextFileA
LocalFree
FindClose
GetLogicalDriveStringsA
GetVolumeInformationA
GetDiskFreeSpaceExA
GetDriveTypeA
CreateProcessA
GetFileAttributesA
CreateDirectoryA
GetLastError
DeleteFileA
GetVersionExA
GetPrivateProfileStringA
lstrcmpA
WideCharToMultiByte
MultiByteToWideChar
GetWindowsDirectoryA
lstrcatA
GetPrivateProfileSectionNamesA
lstrlenA
GetProcessHeap
HeapAlloc
GetCurrentProcessId
LoadLibraryA
GetProcAddress
FreeLibrary
GetLocalTime
GetTickCount
Sleep
CancelIo
InterlockedExchange
lstrcpyA
ResetEvent
VirtualAlloc
EnterCriticalSection
CreateEventA
LeaveCriticalSection
VirtualAllocEx
WriteProcessMemory
CreateRemoteThread
GetCurrentProcess
GetSystemDirectoryA
SetLastError
GetModuleFileNameA
GetFileSize
MoveFileA
VirtualFree
DeleteCriticalSection
InitializeCriticalSection
CreateThread
ResumeThread
SetEvent
WaitForSingleObject
TerminateThread
CloseHandle
GetSystemInfo

user32

SetCursorPos
mouse_event
CloseClipboard
SetClipboardData
EmptyClipboard
OpenClipboard
GetClipboardData
GetSystemMetrics
SetRect
GetDC
GetDesktopWindow
ReleaseDC
GetCursorInfo
GetCursorPos
SetProcessWindowStation
OpenWindowStationA
MapVirtualKeyA
GetWindowThreadProcessId
IsWindowVisible
WindowFromPoint
keybd_event
SendMessageA
SystemParametersInfoA
BlockInput
DispatchMessageA
DestroyCursor
LoadCursorA
UnhookWindowsHookEx
SetWindowsHookExA
CallNextHookEx
GetKeyNameTextA
GetActiveWindow
TranslateMessage
GetMessageA
wsprintfA
CharNextA
ExitWindowsEx
MessageBoxA
GetWindowTextA
EnumWindows
SetCapture
CloseDesktop
SetThreadDesktop
OpenInputDesktop
GetUserObjectInformationA
GetThreadDesktop
OpenDesktopA
PostMessageA
CreateWindowExA
CloseWindow
IsWindow
GetProcessWindowStation

gdi32

DeleteObject
BitBlt
CreateDIBSection
SelectObject
CreateCompatibleBitmap
GetDIBits
CreateCompatibleDC
DeleteDC

advapi32

DeleteService
LsaFreeMemory
LsaOpenPolicy
LsaRetrievePrivateData
LsaClose
LookupAccountNameA
IsValidSid
RegOpenKeyExA
RegQueryValueExA
RegCloseKey
CloseServiceHandle
ControlService
QueryServiceStatus
OpenServiceA
OpenSCManagerA
RegSetValueExA
RegCreateKeyA
RegOpenKeyA
RegCreateKeyExA
CloseEventLog
ClearEventLogA
OpenEventLogA
AdjustTokenPrivileges
LookupPrivilegeValueA
OpenProcessToken
FreeSid
SetSecurityDescriptorDacl
AddAccessAllowedAce
InitializeAcl
GetLengthSid
AllocateAndInitializeSid
InitializeSecurityDescriptor
RegEnumValueA
RegEnumKeyExA
RegDeleteValueA
RegDeleteKeyA
RegQueryInfoKeyA
EnumServicesStatusA
QueryServiceConfigA
UnlockServiceDatabase
ChangeServiceConfigA
LockServiceDatabase
StartServiceA
RegisterServiceCtrlHandlerA
SetServiceStatus
LookupAccountSidA
GetTokenInformation
RegQueryValueA

shell32

SHGetFileInfoA
SHGetSpecialFolderPathA

shlwapi

SHDeleteKeyA

msvcrt

_strnicmp
_adjust_fdiv
_initterm
??1type_info@@UAE@XZ
calloc
_beginthreadex
wcstombs
realloc
strncat
_snprintf
wcscpy
_errno
strncmp
atoi
strrchr
_except_handler3
free
malloc
strchr
strncpy
sprintf
puts
putchar
rand
_CxxThrowException
strstr
_ftol
ceil
memmove
__CxxFrameHandler
??3@YAXPAX@Z
??2@YAPAXI@Z
_strcmpi

winmm

waveInStop
waveOutWrite
waveInReset
waveInAddBuffer
waveInPrepareHeader
waveInOpen
waveInUnprepareHeader
waveInClose
waveOutReset
waveInStart
waveOutUnprepareHeader
waveInGetNumDevs
waveOutPrepareHeader
waveOutOpen
waveOutGetNumDevs
waveOutClose

ws2_32

closesocket
recv
select
socket
gethostbyname
htons
connect
setsockopt
WSAIoctl
WSACleanup
WSAStartup
send
inet_addr
sendto
WSASocketA
htonl
gethostname
ioctlsocket
__WSAFDIsSet
recvfrom
listen
accept
getpeername
bind
getsockname
ntohs
inet_ntoa

wininet

InternetOpenUrlA
InternetReadFile
InternetCloseHandle
InternetOpenA

msvcp60

?_Tidy@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@AAEX_N@Z
?_C@?1??_Nullstr@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@CAPBDXZ@4DB
??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ
?assign@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV12@PBDI@Z
?_Grow@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@AAE_NI_N@Z
?_Refcnt@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@AAEAAEPBD@Z
?_Eos@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@AAEXI@Z
?_Split@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@AAEXXZ
?_Xran@std@@YAXXZ
?npos@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@2IB

netapi32

NetUserAdd
NetLocalGroupAddMembers

imm32

ImmReleaseContext
ImmGetContext
ImmGetCompositionStringA

avicap32

capGetDriverDescriptionA
capCreateCaptureWindowA

msvfw32

ICSeqCompressFrameEnd
ICCompressorFree
ICClose
ICOpen
ICSeqCompressFrame
ICSeqCompressFrameStart
ICSendMessage

psapi

EnumProcessModules
GetModuleFileNameExA

wtsapi32

WTSFreeMemory
WTSQuerySessionInformationA

Exports

Exports

ServiceMain

Sections

.text
Size: 90KB - Virtual size: 89KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rdata
Size: 15KB - Virtual size: 15KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.data
Size: 8KB - Virtual size: 10KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.rsrc
Size: 1KB - Virtual size: 1KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.reloc
Size: 6KB - Virtual size: 5KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ

Sharing

General

Malware Config

Signatures

Files

3012019a25e3bb601648ccd0b7a9211b

Headers

File Characteristics

Imports

kernel32

user32

gdi32

advapi32

shell32

shlwapi

msvcrt

winmm

ws2_32

wininet

msvcp60

netapi32

imm32

avicap32

msvfw32

psapi

wtsapi32

Exports

Exports

Sections

.text Size: 90KB - Virtual size: 89KB

.rdata Size: 15KB - Virtual size: 15KB

.data Size: 8KB - Virtual size: 10KB

.rsrc Size: 1KB - Virtual size: 1KB

.reloc Size: 6KB - Virtual size: 5KB

.text
Size: 90KB - Virtual size: 89KB

.rdata
Size: 15KB - Virtual size: 15KB

.data
Size: 8KB - Virtual size: 10KB

.rsrc
Size: 1KB - Virtual size: 1KB

.reloc
Size: 6KB - Virtual size: 5KB