gh0strat | a1a5fd02e14cbc8b299cd2de41beb368_JaffaCakes118 | Triage

Sharing

Copy URL Twitter E-mail

General

Target

a1a5fd02e14cbc8b299cd2de41beb368_JaffaCakes118
Size

131KB
MD5

a1a5fd02e14cbc8b299cd2de41beb368
SHA1

afaf2cd11cda20b16bda2c5e021dd7067fcff634
SHA256

092ce2309c5d657dc923a14eda8879d58e9d3e0925103b9a2ccbbfba0a70814c
SHA512

19a72f9613c94a8b302cf3756583a5b351d17a9e6bb0cdc0d7d5c9d99fdb94e483865ad97f0839cad54a459cb4511544e6d7b2b044db1981cc51690713b780a0
SSDEEP

3072:cPFORmgXDBDrrvhwU74HMP/WJDTu4GZ8Xzmn7wathN0MklU0W:yMRmgX1Drrv6UbP/Mydq6nE+v0Mb

Score

10^/10

gh0strat

Malware Config

Signatures

Gh0st RAT payload 1 IoCs

resource	yara_rule
sample	family_gh0strat

Gh0strat family
gh0strat

Unsigned PE 1 IoCs

Checks for missing Authenticode signature.

resource
a1a5fd02e14cbc8b299cd2de41beb368_JaffaCakes118

Files

a1a5fd02e14cbc8b299cd2de41beb368_JaffaCakes118
.exe windows:4 windows x86 arch:x86

2611c23dae7bd8c8be694a24f74c34cb

Headers

File Characteristics

IMAGE_FILE_RELOCS_STRIPPED
IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LINE_NUMS_STRIPPED
IMAGE_FILE_LOCAL_SYMS_STRIPPED
IMAGE_FILE_32BIT_MACHINE

Imports

kernel32

FreeLibrary
GetProcAddress
LoadLibraryA
GetWindowsDirectoryA
ExitProcess
CloseHandle
lstrlenA
SizeofResource
SetFileTime
LoadResource
lstrcpyA
lstrcmpiA
SetLastError
GetLastError
lstrcatA
ReadFile
SetFilePointer
CreateFileA
GetModuleFileNameA
Process32First
CreateToolhelp32Snapshot
GetTempPathA
SetFileAttributesA
DeleteFileA
CopyFileA
CreateDirectoryA
MoveFileA
GetFileAttributesA
CreateThread
SetUnhandledExceptionFilter
Sleep
ReleaseMutex
CreateMutexA
GetCommandLineA
GetSystemDirectoryA
GetCurrentThreadId
RaiseException
InterlockedExchange
LocalAlloc
GetStartupInfoA
GetModuleHandleA

msvcrt

__CxxFrameHandler
_CxxThrowException
_except_handler3
??3@YAXPAX@Z
fclose
fputs
fopen
strstr
??1type_info@@UAE@XZ
_exit
_XcptFilter
exit
_acmdln
__getmainargs
_initterm
__setusermatherr
_adjust_fdiv
__p__commode
__p__fmode
__set_app_type
_controlfp
realloc
strchr
??2@YAPAXI@Z
sprintf
strtok
malloc
_strrev
_stricmp

Sections

.text
Size: 11KB - Virtual size: 10KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.rsrc
Size: 119KB - Virtual size: 118KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ