gh0strat | b899ef5cf9e41f4f7dee68346b8d9b1d_JaffaCakes118

Sharing

Copy URL Twitter E-mail

General

Target

b899ef5cf9e41f4f7dee68346b8d9b1d_JaffaCakes118
Size

151KB
MD5

b899ef5cf9e41f4f7dee68346b8d9b1d
SHA1

5f67ef59c8791ab37dcf3e7a600cc2ae2f89a168
SHA256

c871006656f400af964e7b0473656e835c095159adc777c8ae251ab89e461eb6
SHA512

cc4734a2125b5c8474f20b94c4f074349ce7d58ade72ec49ce9b0cf841d125cd1c1572547a305670756b07b29f2bb2f8735bbd3c0b2d95df09b5005f19195c65
SSDEEP

3072:X+zq9/U5uqIbuS7EYWGqmCMUWKt3yjQhrsb9tOP5lTBftakUJmtcZskpxI:DAW8ii09tOP5lTBlmJmtcZS

Score

10^/10

gh0strat

Malware Config

Signatures

Gh0st RAT payload 1 IoCs

resource	yara_rule
sample	family_gh0strat

Gh0strat family
gh0strat

Unsigned PE 1 IoCs

Checks for missing Authenticode signature.

resource
b899ef5cf9e41f4f7dee68346b8d9b1d_JaffaCakes118

Files

b899ef5cf9e41f4f7dee68346b8d9b1d_JaffaCakes118
.dll windows:4 windows x86 arch:x86

54ff228a1d1387810175c72d389c47a8

Headers

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LINE_NUMS_STRIPPED
IMAGE_FILE_LOCAL_SYMS_STRIPPED
IMAGE_FILE_32BIT_MACHINE
IMAGE_FILE_DLL

Imports

kernel32

MultiByteToWideChar
GetCurrentThread
GetModuleHandleA
lstrlenA
ExpandEnvironmentStringsA
lstrcatA
FreeLibrary
GetPrivateProfileSectionNamesA
LoadLibraryA
lstrcmpA
GetPrivateProfileStringA
GetVersionExA
GetConsoleTitleA
GetConsoleWindow
SetEnvironmentVariableA
GetTempPathA
GetLastError
WideCharToMultiByte
GetCurrentProcess
GetModuleFileNameA
GetFileSize
CopyFileA
GetFileAttributesA
SetFileTime
GetFileTime
EndUpdateResourceA
UpdateResourceA
BeginUpdateResourceA
MoveFileA
GetLocalTime
HeapFree
GetProcessHeap
HeapAlloc
MoveFileExA
GetDriveTypeA
GetDiskFreeSpaceExA
GetVolumeInformationA
GetLongPathNameA
InterlockedExchange
LocalReAlloc
LocalAlloc
GetTempFileNameA
VirtualAllocEx
GetTickCount
GlobalUnlock
GlobalLock
GlobalSize
LocalSize
GlobalFree
GlobalAlloc
InterlockedDecrement
InterlockedIncrement
GetConsoleOutputCP
SetConsoleCtrlHandler
ExitProcess
SetConsoleWindowInfo
SetConsoleScreenBufferSize
GetStdHandle
AllocConsole
FillConsoleOutputCharacterA
FreeConsole
WriteConsoleInputA
GenerateConsoleCtrlEvent
ReadConsoleOutputA
GetExitCodeProcess
SetConsoleOutputCP
GetConsoleScreenBufferInfo
GlobalMemoryStatusEx
GetSystemInfo
LoadLibraryExA
CreateFileA
ReplaceFileA
GetSystemWindowsDirectoryA
OpenMutexA
CloseHandle
GetCurrentThreadId
GetProcAddress
OutputDebugStringA
EnterCriticalSection
lstrcpyA
VirtualAlloc
DeleteCriticalSection
LeaveCriticalSection
VirtualFree
ResumeThread
InitializeCriticalSection
Sleep
GetLogicalDriveStringsA
LocalFree
lstrcmpiA
RaiseException

user32

CloseWindowStation
wsprintfA
DestroyCursor
ShowWindow
FindWindowA
BlockInput
LoadCursorA
GetCursorInfo
CreateWindowExA

advapi32

EnumServicesStatusA
DuplicateTokenEx
StartServiceA
QueryServiceConfigA
GetUserNameA
CreateProcessAsUserA
RegOpenKeyExW
RegSetKeySecurity
ChangeServiceConfigA
RegQueryInfoKeyA
QueryServiceConfig2A
ConvertSidToStringSidA
ChangeServiceConfig2A

shlwapi

SHDeleteKeyA
SHCopyKeyA

msvcrt

__dllonexit
strchr
free
_stricmp
_memicmp
_strupr
_strnicmp
_onexit
_adjust_fdiv
_initterm
??1type_info@@UAE@XZ
??2@YAPAXI@Z
??3@YAXPAX@Z
__CxxFrameHandler
memmove
ceil
_ftol
strstr
_CxxThrowException
_except_handler3
wcstombs
setlocale
malloc
strrchr
wcscpy
atoi
strncat
realloc
_beginthreadex

ws2_32

recv
select
send
shutdown
ntohs
gethostname
closesocket
bind
connect
ioctlsocket
__WSAFDIsSet
inet_addr
gethostbyname
socket
htons
getsockname
listen
accept
setsockopt
WSAIoctl
WSACleanup
WSAStartup

userenv

CreateEnvironmentBlock
DestroyEnvironmentBlock
GetProfilesDirectoryA
GetUserProfileDirectoryA

Exports

Exports

a
streset
strupd

Sections

.text
Size: 102KB - Virtual size: 101KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rdata
Size: 21KB - Virtual size: 20KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.data
Size: 9KB - Virtual size: 11KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.dataseg
Size: 512B - Virtual size: 4B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.rsrc
Size: 11KB - Virtual size: 10KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.reloc
Size: 7KB - Virtual size: 6KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ

Sharing

General

Malware Config

Signatures

Files

54ff228a1d1387810175c72d389c47a8

Headers

File Characteristics

Imports

kernel32

user32

advapi32

shlwapi

msvcrt

ws2_32

userenv

Exports

Exports

Sections

.text Size: 102KB - Virtual size: 101KB

.rdata Size: 21KB - Virtual size: 20KB

.data Size: 9KB - Virtual size: 11KB

.dataseg Size: 512B - Virtual size: 4B

.rsrc Size: 11KB - Virtual size: 10KB

.reloc Size: 7KB - Virtual size: 6KB

.text
Size: 102KB - Virtual size: 101KB

.rdata
Size: 21KB - Virtual size: 20KB

.data
Size: 9KB - Virtual size: 11KB

.dataseg
Size: 512B - Virtual size: 4B

.rsrc
Size: 11KB - Virtual size: 10KB

.reloc
Size: 7KB - Virtual size: 6KB