gh0strat | a5ee8f00c6ab152eb8e83ff773d8e332_JaffaCakes118

Sharing

Copy URL Twitter E-mail

General

Target

a5ee8f00c6ab152eb8e83ff773d8e332_JaffaCakes118
Size

96KB
MD5

a5ee8f00c6ab152eb8e83ff773d8e332
SHA1

73acb82e6ef40ea170c246342fde36387a3ed517
SHA256

276ffb211394d579b6143ecd272c80f9722ca95ce4b4615411736d92abe5e5db
SHA512

739d099cb944ca252de9dce7a014d5c7839f9757d82c16f5521470b8452d5656030e50175c3be5c02904036824889bf9fbb43cd38a55fc4ce038be8071f9097d
SSDEEP

1536:xBLGN/ReFcuNEAX8Et5Ea89YHWBLdxcbMofRzuNcR4j4vDRVL1yysKmz3v:xlGJYKTA/L/+LdxQMSRzuKLL1yysKmz3

Score

10^/10

gh0strat

Malware Config

Signatures

Gh0st RAT payload 1 IoCs

resource	yara_rule
sample	family_gh0strat

Gh0strat family
gh0strat

Unsigned PE 1 IoCs

Checks for missing Authenticode signature.

resource
a5ee8f00c6ab152eb8e83ff773d8e332_JaffaCakes118

Files

a5ee8f00c6ab152eb8e83ff773d8e332_JaffaCakes118
.dll regsvr32 windows:4 windows x86 arch:x86

d8dc1262c4314491eb5fc38edefb6ee9

Headers

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LINE_NUMS_STRIPPED
IMAGE_FILE_LOCAL_SYMS_STRIPPED
IMAGE_FILE_32BIT_MACHINE
IMAGE_FILE_DLL

Imports

user32

GetThreadDesktop
GetUserObjectInformationA
OpenInputDesktop
OpenDesktopA
CloseDesktop
EnumWindows
IsWindowVisible
GetWindowThreadProcessId
ExitWindowsEx
GetProcessWindowStation
PostMessageA
SetThreadDesktop
LoadCursorA
DestroyCursor
BlockInput
SystemParametersInfoA
SendMessageA
keybd_event
MapVirtualKeyA
SetCapture
WindowFromPoint
SetCursorPos
OpenWindowStationA
SetProcessWindowStation
GetCursorPos
GetCursorInfo
ReleaseDC
GetDesktopWindow
GetDC
SetRect
GetSystemMetrics
GetClipboardData
OpenClipboard
EmptyClipboard
SetClipboardData
CloseClipboard
mouse_event

gdi32

CreateCompatibleBitmap
GetDIBits
BitBlt
DeleteDC
DeleteObject
CreateCompatibleDC
CreateDIBSection
SelectObject

advapi32

OpenProcessToken
SetServiceStatus
RegisterServiceCtrlHandlerA
RegCreateKeyExA
RegDeleteKeyA
RegDeleteValueA
RegEnumKeyExA
RegEnumValueA
InitializeSecurityDescriptor
AllocateAndInitializeSid
GetLengthSid
InitializeAcl
AddAccessAllowedAce
SetSecurityDescriptorDacl
FreeSid
RegCreateKeyA
OpenServiceA
QueryServiceStatus
ControlService
DeleteService
CloseServiceHandle

shell32

SHGetFileInfoA

kernel32

GetModuleHandleA
TerminateThread
GetTickCount
HeapFree
MapViewOfFile
CreateFileMappingA
GlobalLock
LoadLibraryA
GlobalSize
CreatePipe
DisconnectNamedPipe
PeekNamedPipe
WaitForMultipleObjects
GetVersionExA
ReleaseMutex
OpenEventA
GetProcAddress
VirtualAllocEx
GlobalAlloc
GlobalUnlock
GlobalFree
SetErrorMode
CreateMutexA
CreateThread
GetFullPathNameA
ExitProcess
FreeConsole
LocalSize
Process32Next
Process32First
lstrcmpiA
VirtualFreeEx
GetCurrentThreadId
FreeLibrary
WriteProcessMemory
GetCurrentProcess
InitializeCriticalSection
DeleteCriticalSection
VirtualFree
LeaveCriticalSection
EnterCriticalSection
VirtualAlloc
CreateEventA
lstrcpyA
CancelIo
CreateDirectoryA
GetFileAttributesA
lstrcatA
GetDriveTypeA
GetDiskFreeSpaceExA
GetVolumeInformationA
GetLogicalDriveStringsA
FindClose
LocalFree
FindNextFileA
LocalReAlloc
FindFirstFileA
LocalAlloc
RemoveDirectoryA
GetFileSize
CreateFileA
ReadFile
WriteFile
MoveFileA
CopyFileA
GetModuleFileNameA
GetWindowsDirectoryA
SetLastError
GetLastError
GetTempPathA

shlwapi

PathFileExistsA
SHDeleteKeyA

msvcrt

_adjust_fdiv
_initterm
??1type_info@@UAE@XZ
calloc
_beginthreadex
time
_strcmpi
localtime
strftime
wcstombs
tolower
realloc
_itoa
_strnicmp
strncat
strtok
atoi
strncpy
??3@YAXPAX@Z
memmove
ceil
_ftol
strstr
__CxxFrameHandler
??2@YAPAXI@Z
_CxxThrowException
free
malloc
_except_handler3
strrchr
_stat

ws2_32

getsockname
gethostname
send
select
closesocket
recv
socket
gethostbyname
htons
connect
setsockopt
WSAIoctl
WSAStartup
WSACleanup
ntohs

msvcp60

?npos@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@2IB
?_Xran@std@@YAXXZ
?_Split@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@AAEXXZ
?_Eos@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@AAEXI@Z
?_Refcnt@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@AAEAAEPBD@Z
?_Tidy@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@AAEX_N@Z
?_C@?1??_Nullstr@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@CAPBDXZ@4DB
??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ
?assign@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV12@PBDI@Z
?_Grow@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@AAE_NI_N@Z

wininet

InternetReadFile
InternetOpenUrlA
InternetOpenA
InternetCloseHandle

avicap32

capGetDriverDescriptionA

msvcirt

??0ofstream@@QAE@XZ
?openprot@filebuf@@2HB
?open@ofstream@@QAEXPBDHH@Z
?write@ostream@@QAEAAV1@PBDH@Z
?close@ofstream@@QAEXXZ
??1ofstream@@UAE@XZ
??1ios@@UAE@XZ
??_Dofstream@@QAEXXZ

psapi

EnumProcessModules
GetModuleFileNameExA

Exports

Exports

AlphaBlend
CreateMxPsObj
CreateMxPwObj
CreateMxSkObj
DeleteMxPsObj
DeleteMxPwObj
DeleteMxSkObj
Detoured
DllCanUnloadNow
DllGetClassObject
DllInitialize
DllRegisterServer
DllUnregisterServer
EnterThisPlease
FreeUnzipBuf
GetDllVersionA
GradientFill
PrepareUnzipFile
RegisterServerDirect
SetZipLevel
TransparentBlt
UnZip
UnZipEx
UnZipFile
ZipFolder
ZipFolderEx
comdl
mp_dc
mp_gt
mp_gv
mp_ms
mp_pf
mp_pl
mp_ps
mp_rd
run
vSetDdrawflag

Sections

.text
Size: 67KB - Virtual size: 66KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rdata
Size: 13KB - Virtual size: 13KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.data
Size: 8KB - Virtual size: 10KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.rsrc
Size: 1KB - Virtual size: 1KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.reloc
Size: 4KB - Virtual size: 4KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ

Sharing

General

Malware Config

Signatures

Files

d8dc1262c4314491eb5fc38edefb6ee9

Headers

File Characteristics

Imports

user32

gdi32

advapi32

shell32

kernel32

shlwapi

msvcrt

ws2_32

msvcp60

wininet

avicap32

msvcirt

psapi

Exports

Exports

Sections

.text Size: 67KB - Virtual size: 66KB

.rdata Size: 13KB - Virtual size: 13KB

.data Size: 8KB - Virtual size: 10KB

.rsrc Size: 1KB - Virtual size: 1KB

.reloc Size: 4KB - Virtual size: 4KB

.text
Size: 67KB - Virtual size: 66KB

.rdata
Size: 13KB - Virtual size: 13KB

.data
Size: 8KB - Virtual size: 10KB

.rsrc
Size: 1KB - Virtual size: 1KB

.reloc
Size: 4KB - Virtual size: 4KB