gh0strat | aab26439e33a5d566939ae52dac12abc_JaffaCakes118

Sharing

Copy URL Twitter E-mail

General

Target

aab26439e33a5d566939ae52dac12abc_JaffaCakes118
Size

109KB
MD5

aab26439e33a5d566939ae52dac12abc
SHA1

55a23ad6239e61a9f8cc06b1343fa78c37f979cb
SHA256

c9674dcfed8e9a3d8b4c27cb510876ed4fef5c664d1faf938cbfbbdbe2e23abe
SHA512

02227bbf8ec9f1ef38ec489cc1b4c7514eda849e93ca610c13a27bafc226e3580dbf599f4f7651329120f0511c5aa2274736416cda6155ba518e553e14e9c961
SSDEEP

1536:RmTgWMkSibNG8YIaT024cKau2f9d0hK5+NkXq+mHi:XWnSiDYI124Wug9d0G+aXq+mHi

Score

10^/10

gh0strat

Malware Config

Signatures

Gh0st RAT payload 1 IoCs

resource	yara_rule
sample	family_gh0strat

Gh0strat family
gh0strat

Unsigned PE 1 IoCs

Checks for missing Authenticode signature.

resource
aab26439e33a5d566939ae52dac12abc_JaffaCakes118

Files

aab26439e33a5d566939ae52dac12abc_JaffaCakes118
.dll windows:4 windows x86 arch:x86

908083373c14ff9a7d66f30e43f9d08e

Headers

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LINE_NUMS_STRIPPED
IMAGE_FILE_LOCAL_SYMS_STRIPPED
IMAGE_FILE_32BIT_MACHINE
IMAGE_FILE_DLL

Imports

msvcrt

_wcsnicmp
wcschr
_snprintf
_errno
sprintf
strncpy
strncmp
wcstombs
fputs
wcsncpy
wcslen
wcsrchr
_except_handler3
free
_wcsupr
wcsstr
_strnicmp
fclose
fgets
mbstowcs
wcscpy
strchr
atoi
malloc
realloc
_CxxThrowException
strstr
_ftol
ceil
memmove
__CxxFrameHandler
??3@YAXPAX@Z
??2@YAPAXI@Z
wcscat
wcsncat
_beginthreadex
calloc
??1type_info@@UAE@XZ
_initterm
_adjust_fdiv
fopen

user32

OpenWindowStationW
GetProcessWindowStation
CharNextW
MessageBoxW
LoadCursorW
DestroyCursor
MapVirtualKeyW
SetRect
GetSystemMetrics
GetDC
GetDesktopWindow
ReleaseDC
GetCursorInfo
DispatchMessageW
TranslateMessage
GetCursorPos
MoveWindow
GetWindowRect
ShowWindow
CloseDesktop
SetThreadDesktop
OpenInputDesktop
GetUserObjectInformationW
GetThreadDesktop
OpenDesktopW
CreateWindowExW
CloseWindow
SendMessageW
IsWindow
SetProcessWindowStation
wsprintfW
GetMessageW

winmm

waveInOpen
waveOutPrepareHeader
waveOutOpen
waveOutGetNumDevs
waveInPrepareHeader
waveInAddBuffer
waveInStart
waveOutWrite
waveInReset
waveInUnprepareHeader
waveInClose
waveOutReset
waveOutUnprepareHeader
waveOutClose
waveInGetNumDevs
waveInStop

ws2_32

WSACleanup
WSAIoctl
setsockopt
connect
htons
gethostbyname
socket
ntohs
recv
closesocket
select
send
gethostname
WSASocketW
ioctlsocket
__WSAFDIsSet
recvfrom
sendto
listen
accept
getpeername
bind
inet_addr
getsockname
inet_ntoa
WSAStartup

msvfw32

ICClose
ICSeqCompressFrameStart
ICSeqCompressFrameEnd
ICCompressorFree
ICSeqCompressFrame
ICOpen
ICSendMessage

msvcp60

??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ
?_Grow@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@AAE_NI_N@Z
?_C@?1??_Nullstr@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@CAPBGXZ@4GB
?_Refcnt@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@AAEAAEPBG@Z
?_Eos@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@AAEXI@Z
?_Split@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@AAEXXZ
?_Xran@std@@YAXXZ
?npos@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@2IB
?_Tidy@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@AAEX_N@Z
?assign@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAEAAV12@PBGI@Z

kernel32

GetModuleHandleA
CreateEventW
CloseHandle
TerminateThread
WaitForSingleObject
SetEvent
ResumeThread
CreateThread
VirtualFree
VirtualAlloc
ResetEvent
CancelIo
lstrlenW
MultiByteToWideChar
OutputDebugStringW
lstrcpyW
GetVersionExW
DeleteFileA
GetFileSize
lstrcatW
SetErrorMode
SetUnhandledExceptionFilter
GetTickCount
ExitProcess
Sleep
FreeConsole
SetFileAttributesW
GetProcAddress
LoadLibraryW
LocalFree
lstrcmpW
LocalReAlloc
LocalAlloc
GetLocalTime
GlobalFree
GlobalUnlock
GlobalLock
GlobalAlloc
GlobalSize
LocalSize
GetCurrentProcess
lstrcmpiW

Exports

Exports

BeginProc
EndProc
RunProc
ServiceMain

Sections

.text
Size: 75KB - Virtual size: 75KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rdata
Size: 11KB - Virtual size: 11KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.data
Size: 13KB - Virtual size: 25KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.rsrc
Size: 1KB - Virtual size: 4KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.reloc
Size: 6KB - Virtual size: 6KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ

Sharing

General

Malware Config

Signatures

Files

908083373c14ff9a7d66f30e43f9d08e

Headers

File Characteristics

Imports

msvcrt

user32

winmm

ws2_32

msvfw32

msvcp60

kernel32

Exports

Exports

Sections

.text Size: 75KB - Virtual size: 75KB

.rdata Size: 11KB - Virtual size: 11KB

.data Size: 13KB - Virtual size: 25KB

.rsrc Size: 1KB - Virtual size: 4KB

.reloc Size: 6KB - Virtual size: 6KB

.text
Size: 75KB - Virtual size: 75KB

.rdata
Size: 11KB - Virtual size: 11KB

.data
Size: 13KB - Virtual size: 25KB

.rsrc
Size: 1KB - Virtual size: 4KB

.reloc
Size: 6KB - Virtual size: 6KB