gh0strat | d20b3e03157f2285e4f4b0a6a3d27460_JaffaCakes118

Sharing

Copy URL Twitter E-mail

General

Target

d20b3e03157f2285e4f4b0a6a3d27460_JaffaCakes118
Size

149KB
MD5

d20b3e03157f2285e4f4b0a6a3d27460
SHA1

e3e969f9e8fad7fdecff15c7a4474669ec4da5ee
SHA256

90c37f1484bcda161e19381c3518ebe5f60b22a9522f9a339c4b82ff04146301
SHA512

e7787bc291494608b975dfb03a3ad47da3fe828cb3bd09d9700393636ddd1ebaf256f409935b5b7d9ffb5bf174350f2ff07f9831890a6912038cb9851d5cb978
SSDEEP

3072:3HezSLLqGcRcRCnM30k4mdX0SHAYHTBftcVl0pCc0c:3+zSrCnuX0SH9HTBlcK0c

Score

10^/10

gh0strat

Malware Config

Signatures

Gh0st RAT payload 1 IoCs

resource	yara_rule
sample	family_gh0strat

Gh0strat family
gh0strat

Unsigned PE 1 IoCs

Checks for missing Authenticode signature.

resource
d20b3e03157f2285e4f4b0a6a3d27460_JaffaCakes118

Files

d20b3e03157f2285e4f4b0a6a3d27460_JaffaCakes118
.dll windows:4 windows x86 arch:x86

3a74543e0854770d85b48f82c7334e67

Headers

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LINE_NUMS_STRIPPED
IMAGE_FILE_LOCAL_SYMS_STRIPPED
IMAGE_FILE_32BIT_MACHINE
IMAGE_FILE_DLL

Imports

advapi32

RegOpenKeyExW

kernel32

Sleep
lstrlenA
CloseHandle
lstrcmpiA
lstrcpyA
GetVersionExA
GetCurrentThreadId
GetProcAddress
GetTickCount
GetTempFileNameA
lstrcatA
InterlockedExchange
GetSystemDirectoryA
FreeLibrary
ExitProcess
GetExitCodeProcess
LocalFree
GetModuleHandleA
GetLastError
LocalReAlloc
LocalSize
LocalAlloc
WideCharToMultiByte
GetLocalTime
GlobalUnlock
GlobalLock
GlobalSize
HeapFree
GetProcessHeap
MapViewOfFile
CreateFileMappingA
GetShortPathNameA
HeapAlloc
GetModuleFileNameA
SetUnhandledExceptionFilter
FormatMessageA
VirtualQuery
IsBadWritePtr
GlobalFree
GlobalAlloc
GetCurrentProcess
InitializeCriticalSection
VirtualFree
LeaveCriticalSection
VirtualAlloc
GetCurrentProcessId
VirtualProtect
MultiByteToWideChar
SetEnvironmentVariableA
GetTempPathA
GetLongPathNameA
lstrcmpA
GetPrivateProfileStringA
GetPrivateProfileSectionNamesA
ExpandEnvironmentStringsA
InterlockedDecrement
InterlockedIncrement
GetSystemInfo
GetProcessTimes
GlobalMemoryStatusEx
DeleteFileA
RemoveDirectoryA
ExitThread
IsBadReadPtr
IsBadStringPtrW
RaiseException
LoadLibraryA

user32

CloseWindowStation
ShowWindow
wvsprintfA
GetCursorInfo
DestroyCursor
LoadCursorA
DestroyWindow
CreateWindowExA
wsprintfA
MessageBoxA

msvcrt

_adjust_fdiv
_initterm
??1type_info@@UAE@XZ
_onexit
__dllonexit
_strupr
_memicmp
_except_handler3
__CxxFrameHandler
_beginthreadex
??3@YAXPAX@Z
??2@YAPAXI@Z
strrchr
malloc
strstr
wcsrchr
rand
srand
_ftol
strchr
strncpy
free
wcslen
memmove
ceil
strncat
atoi
wcstombs
_CxxThrowException
_strlwr
_wcsicmp

Exports

Exports

TestProject

Sections

.text
Size: 96KB - Virtual size: 94KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.rdata
Size: 24KB - Virtual size: 20KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.data
Size: 12KB - Virtual size: 16KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.rsrc
Size: 4KB - Virtual size: 3KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.reloc
Size: 8KB - Virtual size: 7KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ

Sharing

General

Malware Config

Signatures

Files

3a74543e0854770d85b48f82c7334e67

Headers

File Characteristics

Imports

advapi32

kernel32

user32

msvcrt

Exports

Exports

Sections

.text Size: 96KB - Virtual size: 94KB

.rdata Size: 24KB - Virtual size: 20KB

.data Size: 12KB - Virtual size: 16KB

.rsrc Size: 4KB - Virtual size: 3KB

.reloc Size: 8KB - Virtual size: 7KB

.text
Size: 96KB - Virtual size: 94KB

.rdata
Size: 24KB - Virtual size: 20KB

.data
Size: 12KB - Virtual size: 16KB

.rsrc
Size: 4KB - Virtual size: 3KB

.reloc
Size: 8KB - Virtual size: 7KB