gh0strat | 95c4214ccc13bd20c05de05474b4fef1_JaffaCakes118

Sharing

Copy URL

Twitter E-mail

General

Target

95c4214ccc13bd20c05de05474b4fef1_JaffaCakes118
Size

104KB
MD5

95c4214ccc13bd20c05de05474b4fef1
SHA1

4491eec77d17549a7c75d9e1c50026f30dfbaf1d
SHA256

659db83f459833cc6f14f63d7278d3ed66660aa0edc13efd2a64b6effa425d8a
SHA512

9afcf7b49cc3218a618ca23a82b4e22f1ddc7bc57fdbdac262848350bbac20c7cc3dca35e3e102c888f46c9e0eef8bcdb0c4b41a6d0134a7fab00543285368b1
SSDEEP

3072:CsMHMeT3lk/NLqK0ODyTvMQBpKCik1rhg:CsMHM+q/09TElCi

Score

10^/10

gh0strat

Malware Config

Signatures

Gh0st RAT payload 1 IoCs

resource	yara_rule
sample	family_gh0strat

Gh0strat family
gh0strat

Unsigned PE 1 IoCs

Checks for missing Authenticode signature.

resource
95c4214ccc13bd20c05de05474b4fef1_JaffaCakes118

Files

95c4214ccc13bd20c05de05474b4fef1_JaffaCakes118
.dll windows:4 windows x86 arch:x86

1308d34fd6f9bf5553b222d819ed6ae1

Headers

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LINE_NUMS_STRIPPED
IMAGE_FILE_LOCAL_SYMS_STRIPPED
IMAGE_FILE_32BIT_MACHINE
IMAGE_FILE_DLL

Imports

kernel32

GetVersionExA
ReleaseMutex
OpenEventA
SetErrorMode
CreateMutexA
DeviceIoControl
FreeConsole
LocalSize
lstrcmpiA
GetCurrentThreadId
GlobalMemoryStatus
WaitForMultipleObjects
HeapAlloc
PeekNamedPipe
CreateFileMappingA
MapViewOfFile
GetProcessHeap
HeapFree
GetLocalTime
MoveFileExA
DeleteFileA
MultiByteToWideChar
GetVersion
Process32First
Process32Next
OpenProcess
FreeLibrary
TerminateProcess
SetLastError
GetModuleFileNameA
MoveFileA
SetFilePointer
ReadFile
CreateFileA
GetFileSize
RemoveDirectoryA
LocalAlloc
FindFirstFileA
LocalReAlloc
FindNextFileA
LocalFree
FindClose
lstrlenA
GetFileAttributesA
CreateDirectoryA
GetLastError
Sleep
InterlockedExchange
lstrcpyA
VirtualAlloc
EnterCriticalSection
LeaveCriticalSection
DeleteCriticalSection
LoadLibraryA
GetProcAddress
CreateThread
CreateEventA
ResumeThread
SetEvent
WaitForSingleObject
DisconnectNamedPipe
CreatePipe
GetStartupInfoA
GlobalSize
GlobalLock
GlobalUnlock
GlobalFree
GetCurrentProcess
UnmapViewOfFile
TerminateThread
CloseHandle
SetUnhandledExceptionFilter

user32

SystemParametersInfoA
SendMessageA
keybd_event
MapVirtualKeyA
SetCapture
WindowFromPoint
SetCursorPos
mouse_event
CloseClipboard
SetClipboardData
CallNextHookEx
OpenClipboard
GetClipboardData
BlockInput
SetRect
GetDC
GetDesktopWindow
ReleaseDC
GetCursorInfo
GetCursorPos
SetProcessWindowStation
OpenWindowStationA
IsWindow
CloseWindow
CreateWindowExA
PostMessageA
GetKeyNameTextA
GetActiveWindow
LoadCursorA
DestroyCursor
GetSystemMetrics
UnhookWindowsHookEx
EmptyClipboard
GetWindowTextA
DispatchMessageA
TranslateMessage
GetMessageA
CharNextA
OpenDesktopA
GetThreadDesktop
GetUserObjectInformationA
OpenInputDesktop
SetThreadDesktop
CloseDesktop
EnumWindows
IsWindowVisible
GetWindowThreadProcessId
ExitWindowsEx
GetProcessWindowStation

gdi32

GetDIBits
BitBlt
DeleteDC
DeleteObject
CreateCompatibleDC
CreateDIBSection
SelectObject
CreateCompatibleBitmap

advapi32

OpenServiceA
RegQueryValueA
RegCloseKey
DeleteService
ControlService
QueryServiceStatus
RegOpenKeyA
CloseEventLog
ClearEventLogA
OpenEventLogA
AdjustTokenPrivileges
LookupPrivilegeValueA
OpenProcessToken
SetFileSecurityA
SetSecurityDescriptorDacl
AddAccessAllowedAce
EqualSid
GetLengthSid
GetAclInformation
GetSecurityDescriptorDacl
InitializeSecurityDescriptor
GetFileSecurityA
LookupAccountNameA
OpenSCManagerA
CloseServiceHandle
UnlockServiceDatabase
ChangeServiceConfigA
LockServiceDatabase
RegQueryValueExA
FreeSid
InitializeAcl
AllocateAndInitializeSid
RegEnumValueA
RegEnumKeyExA
RegDeleteValueA
RegDeleteKeyA
RegCreateKeyExA
RegisterServiceCtrlHandlerA
SetServiceStatus
RegOpenKeyExA

shell32

SHGetFileInfoA

shlwapi

SHDeleteKeyA

msvcrt

_strrev
_strlwr
_strnicmp
wcstombs
_strnset
_adjust_fdiv
_initterm
??1type_info@@UAE@XZ
calloc
_beginthreadex
_strcmpi
atoi
realloc
strchr
strncat
isdigit
strtoul
strncmp
strncpy
strrchr
_except_handler3
malloc
free
_CxxThrowException
strstr
_ftol
ceil
memmove
__CxxFrameHandler
??3@YAXPAX@Z
??2@YAPAXI@Z

winmm

waveInClose
waveInUnprepareHeader
waveInReset
waveInStop
waveOutReset
waveInStart
waveOutGetNumDevs
waveOutPrepareHeader
waveInGetNumDevs
waveOutUnprepareHeader
waveOutClose
waveOutWrite
waveOutOpen
waveInOpen
waveInPrepareHeader
waveInAddBuffer

ws2_32

WSAStartup
WSACleanup
WSAIoctl
connect
htons
getsockname
gethostname
closesocket
send

msvcp60

?_Split@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@AAEXXZ
?_C@?1??_Nullstr@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@CAPBDXZ@4DB
??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ
?assign@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV12@PBDI@Z
?_Grow@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@AAE_NI_N@Z
?npos@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@2IB
?_Xran@std@@YAXXZ
?_Tidy@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@AAEX_N@Z
?_Eos@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@AAEXI@Z
?_Refcnt@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@AAEAAEPBD@Z

imm32

ImmReleaseContext
ImmGetContext
ImmGetCompositionStringA

wininet

InternetOpenUrlA
InternetCloseHandle
InternetOpenA

msvfw32

ICSeqCompressFrame
ICSendMessage
ICOpen
ICClose
ICCompressorFree
ICSeqCompressFrameEnd
ICSeqCompressFrameStart

Exports

Exports

AvengerMask
MaskAvenger
ServiceMain

Sections

.text
Size: 83KB - Virtual size: 82KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.xx1
Size: 1024B - Virtual size: 688B

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.xx2
Size: 4KB - Virtual size: 3KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.xx3
Size: 2KB - Virtual size: 1KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.xx4
Size: 3KB - Virtual size: 2KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.xx5
Size: 512B - Virtual size: 336B

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.xx6
Size: 1KB - Virtual size: 1KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.xx7
Size: 2KB - Virtual size: 1KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rsrc
Size: 1024B - Virtual size: 960B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.reloc
Size: 5KB - Virtual size: 5KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ

Sharing

General

Malware Config

Signatures

Files

1308d34fd6f9bf5553b222d819ed6ae1

Headers

File Characteristics

Imports

kernel32

user32

gdi32

advapi32

shell32

shlwapi

msvcrt

winmm

ws2_32

msvcp60

imm32

wininet

msvfw32

Exports

Exports

Sections

.text Size: 83KB - Virtual size: 82KB

.xx1 Size: 1024B - Virtual size: 688B

.xx2 Size: 4KB - Virtual size: 3KB

.xx3 Size: 2KB - Virtual size: 1KB

.xx4 Size: 3KB - Virtual size: 2KB

.xx5 Size: 512B - Virtual size: 336B

.xx6 Size: 1KB - Virtual size: 1KB

.xx7 Size: 2KB - Virtual size: 1KB

.rsrc Size: 1024B - Virtual size: 960B

.reloc Size: 5KB - Virtual size: 5KB

.text
Size: 83KB - Virtual size: 82KB

.xx1
Size: 1024B - Virtual size: 688B

.xx2
Size: 4KB - Virtual size: 3KB

.xx3
Size: 2KB - Virtual size: 1KB

.xx4
Size: 3KB - Virtual size: 2KB

.xx5
Size: 512B - Virtual size: 336B

.xx6
Size: 1KB - Virtual size: 1KB

.xx7
Size: 2KB - Virtual size: 1KB

.rsrc
Size: 1024B - Virtual size: 960B

.reloc
Size: 5KB - Virtual size: 5KB