gh0strat | c2655f6d82213a61a646d7663815a4fc_JaffaCakes118

Sharing

Copy URL Twitter E-mail

General

Target

c2655f6d82213a61a646d7663815a4fc_JaffaCakes118
Size

130KB
MD5

c2655f6d82213a61a646d7663815a4fc
SHA1

a3017d8ae22d11e1bb07b57b38ff95b6de2f9b68
SHA256

963bfea2c51b9ff0cb5e02f6acdba19e2f5af162720fc0cb5837fb0207bc376b
SHA512

529e430a9747eebcd2c5a1fe86648b921954eaf4aa5a0ae73ad4438c55057c4586ec853f48adfc3d1efb4c6aa2314898ed76872044e4ccee96911a5ceb1919af
SSDEEP

3072:Ta2BDDjPmBExP+Nj8GuNu/PxYqWe2NptHf:u25HGEdqj8hk/P2qWtr

Score

10^/10

gh0strat

Malware Config

Signatures

Gh0st RAT payload 1 IoCs

resource	yara_rule
sample	family_gh0strat

Gh0strat family
gh0strat

Unsigned PE 1 IoCs

Checks for missing Authenticode signature.

resource
c2655f6d82213a61a646d7663815a4fc_JaffaCakes118

Files

c2655f6d82213a61a646d7663815a4fc_JaffaCakes118
.exe windows:4 windows x86 arch:x86

e93daa8f8b34fc4a5ac30aff41f9c50b

Headers

File Characteristics

IMAGE_FILE_RELOCS_STRIPPED
IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LINE_NUMS_STRIPPED
IMAGE_FILE_LOCAL_SYMS_STRIPPED
IMAGE_FILE_32BIT_MACHINE

Imports

kernel32

ReadFile
SetFilePointer
WriteFile
MoveFileA
GetLastError
SetLastError
GetSystemDirectoryA
GetFileAttributesA
GetTempPathA
TerminateThread
WinExec
ResumeThread
SetThreadPriority
GetCurrentThread
SetPriorityClass
GetCurrentProcess
GetEnvironmentVariableA
GetShortPathNameA
GetModuleFileNameA
GetTickCount
GetLocalTime
GetModuleHandleA
GlobalFree
GlobalUnlock
GlobalLock
GlobalAlloc
GlobalSize
GetStartupInfoA
CreatePipe
DisconnectNamedPipe
TerminateProcess
PeekNamedPipe
WaitForMultipleObjects
SetFileTime
SystemTimeToFileTime
GetSystemTime
UnmapViewOfFile
MapViewOfFile
CreateFileMappingA
OpenProcess
ReleaseMutex
OpenEventA
CreateThread
CreateFileA
SetErrorMode
LocalSize
Process32Next
Process32First
CreateToolhelp32Snapshot
lstrcmpiA
GetCurrentThreadId
FlushFileBuffers
SetStdHandle
LCMapStringW
LCMapStringA
GetOEMCP
GetACP
GetCPInfo
GetStringTypeW
GetStringTypeA
IsBadCodePtr
IsBadReadPtr
InterlockedIncrement
InterlockedDecrement
GetFileType
GetStdHandle
SetHandleCount
GetEnvironmentStringsW
GetEnvironmentStrings
FreeEnvironmentStringsW
FreeEnvironmentStringsA
UnhandledExceptionFilter
HeapSize
IsBadWritePtr
HeapCreate
HeapDestroy
GetFileSize
SetUnhandledExceptionFilter
TlsAlloc
HeapFree
GetVersion
GetCommandLineA
ExitThread
TlsGetValue
TlsSetValue
RemoveDirectoryA
LocalAlloc
FindFirstFileA
LocalReAlloc
FindNextFileA
LocalFree
FindClose
GetLogicalDriveStringsA
GetVolumeInformationA
GetDiskFreeSpaceExA
GetDriveTypeA
CreateProcessA
DeleteFileA
GetVersionExA
GetPrivateProfileStringA
lstrcmpA
WideCharToMultiByte
MultiByteToWideChar
LoadLibraryA
GetProcAddress
FreeLibrary
GetWindowsDirectoryA
lstrcatA
GetPrivateProfileSectionNamesA
lstrlenA
Sleep
CancelIo
InterlockedExchange
SetEvent
ResetEvent
lstrcpyA
WaitForSingleObject
CloseHandle
CreateEventA
VirtualAlloc
EnterCriticalSection
LeaveCriticalSection
VirtualFree
DeleteCriticalSection
InitializeCriticalSection
CopyFileA
HeapReAlloc
ExitProcess
HeapAlloc
RaiseException
RtlUnwind

user32

ExitWindowsEx
wsprintfA
GetWindowTextA
GetActiveWindow
GetKeyNameTextA
GetFocus
CallNextHookEx
SetWindowsHookExA
UnhookWindowsHookEx
SystemParametersInfoA
SendMessageA
keybd_event
MapVirtualKeyA
SetCapture
WindowFromPoint
SetCursorPos
mouse_event
CloseClipboard
SetClipboardData
EmptyClipboard
OpenClipboard
GetClipboardData
SetRect
GetSystemMetrics
GetDC
GetDesktopWindow
ReleaseDC
IsWindow
CloseWindow
CreateWindowExA
PostMessageA
GetThreadDesktop
EnumWindows
IsWindowVisible
GetWindowThreadProcessId
GetProcessWindowStation
OpenInputDesktop
GetUserObjectInformationA
CloseDesktop
OpenWindowStationA
SetProcessWindowStation
OpenDesktopA
SetThreadDesktop
GetCursorPos

gdi32

BitBlt
CreateDIBSection
CreateHalftonePalette
GetPaletteEntries
SelectObject
DeleteDC
DeleteObject
CreateCompatibleDC

advapi32

IsValidSid
LookupAccountNameA
LsaRetrievePrivateData
LsaOpenPolicy
GetTokenInformation
LookupAccountSidA
OpenProcessToken
LookupPrivilegeValueA
AdjustTokenPrivileges
OpenEventLogA
ClearEventLogA
CloseEventLog
RegOpenKeyA
RegQueryValueExA
RegSetValueExA
LsaFreeMemory
RegOpenKeyExA
RegQueryValueA
RegCloseKey
LsaClose

shell32

SHGetSpecialFolderPathA
SHGetFileInfoA

ws2_32

getsockname
gethostname
select
closesocket
setsockopt
connect
htons
gethostbyname
socket
recv
ntohs
WSACleanup
send
WSAStartup

dbghelp

MakeSureDirectoryPathExists

imm32

ImmGetContext
ImmGetCompositionStringA
ImmReleaseContext

urlmon

URLDownloadToFileA

avicap32

capCreateCaptureWindowA
capGetDriverDescriptionA

psapi

EnumProcessModules
GetModuleFileNameExA

wtsapi32

WTSQuerySessionInformationA
WTSFreeMemory

Sections

.text
Size: 94KB - Virtual size: 93KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rdata
Size: 14KB - Virtual size: 13KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.data
Size: 19KB - Virtual size: 26KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.shared
Size: 1KB - Virtual size: 1KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.rsrc
Size: 512B - Virtual size: 16B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

Sharing

General

Malware Config

Signatures

Files

e93daa8f8b34fc4a5ac30aff41f9c50b

Headers

File Characteristics

Imports

kernel32

user32

gdi32

advapi32

shell32

ws2_32

dbghelp

imm32

urlmon

avicap32

psapi

wtsapi32

Sections

.text Size: 94KB - Virtual size: 93KB

.rdata Size: 14KB - Virtual size: 13KB

.data Size: 19KB - Virtual size: 26KB

.shared Size: 1KB - Virtual size: 1KB

.rsrc Size: 512B - Virtual size: 16B

.text
Size: 94KB - Virtual size: 93KB

.rdata
Size: 14KB - Virtual size: 13KB

.data
Size: 19KB - Virtual size: 26KB

.shared
Size: 1KB - Virtual size: 1KB

.rsrc
Size: 512B - Virtual size: 16B