gh0strat | be6d1e8d8ba9b01f8b8ea42c12a2bac6_JaffaCakes118

Sharing

Copy URL Twitter E-mail

General

Target

be6d1e8d8ba9b01f8b8ea42c12a2bac6_JaffaCakes118
Size

128KB
MD5

be6d1e8d8ba9b01f8b8ea42c12a2bac6
SHA1

536f539d2d9d8d06c5a4a2ae9ccec97b0ce6f81f
SHA256

ea62a4090d46c3015a4fb0abab76b584eaac0f52072c8b120dfd1198aabbe46d
SHA512

d536444ee718ec107c5651369b1664bae73efca862c8af47dfdedcda74ca370bf170d08109b4fe0c4dccea5301a9538a4c836439b0a18c74a885c04902be1cc8
SSDEEP

3072:SGNqeqyEtnAbA0W8tVR+eU3ww+DD1JJww1:SGW6tzPU3ww+DD1J11

Score

10^/10

gh0strat

Malware Config

Signatures

Gh0st RAT payload 1 IoCs

resource	yara_rule
sample	family_gh0strat

Gh0strat family
gh0strat

Unsigned PE 1 IoCs

Checks for missing Authenticode signature.

resource
be6d1e8d8ba9b01f8b8ea42c12a2bac6_JaffaCakes118

Files

be6d1e8d8ba9b01f8b8ea42c12a2bac6_JaffaCakes118
.dll windows:4 windows x86 arch:x86

4bc1d13fe019264cde50f6cbf98979e0

Headers

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LINE_NUMS_STRIPPED
IMAGE_FILE_LOCAL_SYMS_STRIPPED
IMAGE_FILE_32BIT_MACHINE
IMAGE_FILE_DLL

Imports

kernel32

GetProcAddress
LoadLibraryA
FreeLibrary
CloseHandle
TerminateThread
DeleteCriticalSection
VirtualFree
LeaveCriticalSection
VirtualAlloc
ResetEvent
InterlockedExchange
CancelIo
GetTickCount
GetLocalTime
GetCurrentProcessId
HeapAlloc
GetProcessHeap
FindClose
LocalFree
LocalReAlloc
LocalAlloc
GetFileSize
ReadFile
MoveFileA
lstrcmpiA
HeapFree
UnmapViewOfFile
GetModuleHandleA
GlobalFree
GlobalUnlock
GlobalLock
GlobalSize
GetStartupInfoA
OpenProcess
GetCurrentThreadId
GlobalMemoryStatus
GetVersionExA
SetErrorMode

user32

SendMessageA
IsWindow
CreateWindowExA
RegisterClassA
LoadIconA
GetSystemMetrics

msvcrt

memmove
putchar
ceil
_ftol
strstr
_CxxThrowException
rand
sprintf
strncpy
free
malloc
_except_handler3
strrchr
_beginthreadex
atoi
wcstombs
_access
srand
calloc
??1type_info@@UAE@XZ
_initterm
_adjust_fdiv
__dllonexit
_onexit
puts
??3@YAXPAX@Z
??2@YAPAXI@Z
_strrev
__CxxFrameHandler
_stricmp

ws2_32

sendto
WSASocketA
htonl
getsockname
connect
htons
setsockopt
WSAIoctl
WSACleanup
WSAStartup
inet_addr
send
closesocket
select
recv
socket
gethostbyname

msvcp60

?_C@?1??_Nullstr@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@CAPBDXZ@4DB
?npos@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@2IB
?_Xran@std@@YAXXZ
?_Split@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@AAEXXZ
?_Eos@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@AAEXI@Z
?_Refcnt@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@AAEAAEPBD@Z
??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ
?assign@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV12@PBDI@Z
?_Grow@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@AAE_NI_N@Z
?_Tidy@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@AAEX_N@Z

Exports

Exports

Runing
ServiceMain
Working
jieshu

Sections

.text
Size: 88KB - Virtual size: 87KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rdata
Size: 12KB - Virtual size: 8KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.data
Size: 12KB - Virtual size: 14KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.rsrc
Size: 4KB - Virtual size: 920B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.reloc
Size: 8KB - Virtual size: 5KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ
.data
.debug0
.rdata
.reloc
.rsrc/BITMAP/103.bmp
.rsrc/MANIFEST/1
.xml
.rsrc/MENU/102
.text

Sharing

General

Malware Config

Signatures

Files

4bc1d13fe019264cde50f6cbf98979e0

Headers

File Characteristics

Imports

kernel32

user32

msvcrt

ws2_32

msvcp60

Exports

Exports

Sections

.text Size: 88KB - Virtual size: 87KB

.rdata Size: 12KB - Virtual size: 8KB

.data Size: 12KB - Virtual size: 14KB

.rsrc Size: 4KB - Virtual size: 920B

.reloc Size: 8KB - Virtual size: 5KB

.text
Size: 88KB - Virtual size: 87KB

.rdata
Size: 12KB - Virtual size: 8KB

.data
Size: 12KB - Virtual size: 14KB

.rsrc
Size: 4KB - Virtual size: 920B

.reloc
Size: 8KB - Virtual size: 5KB