gh0strat | b57827ef1538d156e48ef3bf8d0e4ebe_JaffaCakes118 | Triage

Sharing

Copy URL Twitter E-mail

General

Target

b57827ef1538d156e48ef3bf8d0e4ebe_JaffaCakes118
Size

158KB
MD5

b57827ef1538d156e48ef3bf8d0e4ebe
SHA1

18942df08e2c2b2c18b624f89c8e8c2d7856bc4f
SHA256

4860ed07218c013d2e621610995c52b4b684564a6cff024e8fab6365c7800ee0
SHA512

b8be7c718af352becee14d1af4f65edf91cc272245719f9fb9fd37944805eea17a37e62101e3fca511ed3d345cf428a0656c04737b7584fbb592c5069ec69e0b
SSDEEP

3072:IHfSWcZQ5wsMCkE847UR4dbZvwp/PN1xm5Ox+Ih:IN7Wa8qmCZvwpd1xmOx+S

Score

10^/10

gh0strat

Malware Config

Signatures

Gh0st RAT payload 1 IoCs

resource	yara_rule
sample	family_gh0strat

Gh0strat family
gh0strat

Unsigned PE 1 IoCs

Checks for missing Authenticode signature.

resource
b57827ef1538d156e48ef3bf8d0e4ebe_JaffaCakes118

Files

b57827ef1538d156e48ef3bf8d0e4ebe_JaffaCakes118
.exe windows:4 windows x86 arch:x86

9ea02c74d4e0ebcdd1ffae40b9ba9bba

Headers

File Characteristics

IMAGE_FILE_RELOCS_STRIPPED
IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LINE_NUMS_STRIPPED
IMAGE_FILE_LOCAL_SYMS_STRIPPED
IMAGE_FILE_32BIT_MACHINE

Imports

kernel32

CreateEventA
GetWindowsDirectoryA
GetModuleFileNameA
WaitForSingleObject
FindResourceA
LoadResource
LockResource
LoadLibraryA
GetModuleHandleA
SizeofResource
DeleteFileA
CreateFileA
WriteFile
CloseHandle
Sleep
FreeResource
GetTickCount
GetStartupInfoA

user32

LoadIconA
RegisterClassA
LoadCursorA

gdi32

GetStockObject

advapi32

CloseServiceHandle
ControlService
StartServiceA
RegCreateKeyExA
RegOpenKeyA
RegSetValueExA
RegCloseKey
OpenServiceA
OpenSCManagerA
ChangeServiceConfigA

msvcrt

sprintf
rand
srand
_exit
_XcptFilter
exit
_acmdln
__getmainargs
_initterm
__setusermatherr
_adjust_fdiv
__p__commode
__p__fmode
__set_app_type
_except_handler3
_controlfp

Sections

.text
Size: 4KB - Virtual size: 1KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rdata
Size: 4KB - Virtual size: 1KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.data
Size: 4KB - Virtual size: 204B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.rsrc
Size: 140KB - Virtual size: 140KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ