gh0strat | 0568cd9e57edbb81b41fba890ea58b8a_JaffaCakes118

Sharing

Copy URL Twitter E-mail

General

Target

0568cd9e57edbb81b41fba890ea58b8a_JaffaCakes118
Size

153KB
MD5

0568cd9e57edbb81b41fba890ea58b8a
SHA1

f6805b628054f1204be14dbf94ce64b62254dee5
SHA256

9deb361302c0cd79759813f9617c4a0fb46447fd962099b7087dfe3bb9f46b61
SHA512

875188169df5b58189ce0fad70756e36fd3b982e6d0a965ca155f00387bae8d481d3eb9a50805a232d4b13d9cf1be3136f1ab83565150f02e1d63ce787b6791d
SSDEEP

3072:USICKx1IXyKYn2ngGB+ugjK7u153+lZTBftEs5QLs44:ULraXymz+ug0u153+lZTBlE6QV4

Score

10^/10

gh0strat

Malware Config

Signatures

Gh0st RAT payload 1 IoCs

resource	yara_rule
sample	family_gh0strat

Gh0strat family
gh0strat

Unsigned PE 1 IoCs

Checks for missing Authenticode signature.

resource
0568cd9e57edbb81b41fba890ea58b8a_JaffaCakes118

Files

0568cd9e57edbb81b41fba890ea58b8a_JaffaCakes118
.dll windows:4 windows x86 arch:x86

686422e263801c56360f5a828bba1e48

Headers

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LINE_NUMS_STRIPPED
IMAGE_FILE_LOCAL_SYMS_STRIPPED
IMAGE_FILE_32BIT_MACHINE
IMAGE_FILE_DLL

Imports

kernel32

Sleep
GlobalFree
GlobalUnlock
GlobalLock
GlobalAlloc
GlobalSize
GetTickCount
lstrlenA
LocalFree
GetProcAddress
GetModuleHandleA
GetLastError
lstrcmpiA
lstrcpyA
LocalReAlloc
LocalSize
LocalAlloc
GetCurrentThreadId
GetTempFileNameA
lstrcatA
InitializeCriticalSection
LeaveCriticalSection
ExpandEnvironmentStringsA
WideCharToMultiByte
GetModuleFileNameA
SetUnhandledExceptionFilter
GetLocalTime
FormatMessageA
VirtualQuery
IsBadWritePtr
ExitProcess
GetSystemDirectoryA
InterlockedExchange
HeapFree
HeapAlloc
GetProcessHeap
GetSystemInfo
GetVersionExA
GetProcessTimes
GetCurrentProcess
GlobalMemoryStatusEx
FreeLibrary
DeleteFileA
RemoveDirectoryA
ExitThread
IsBadReadPtr
IsBadStringPtrW
MultiByteToWideChar
lstrcmpA
GetPrivateProfileStringA
GetPrivateProfileSectionNamesA
MapViewOfFile
CreateFileMappingA
GetShortPathNameA
GetCurrentProcessId
VirtualProtect
SetEnvironmentVariableA
GetTempPathA
GetLongPathNameA
VirtualFree
VirtualAlloc
InterlockedDecrement
InterlockedIncrement
GetExitCodeProcess
CloseHandle
RaiseException
LoadLibraryA

advapi32

RegOpenKeyExW

user32

GetWindowRect
ShowWindow
GetWindow
GetClassNameA
CloseWindowStation
wvsprintfA
GetCursorInfo
DestroyCursor
LoadCursorA
DestroyWindow
CreateWindowExA
wsprintfA
MessageBoxA

msvcrt

_adjust_fdiv
_initterm
_onexit
__dllonexit
??1type_info@@UAE@XZ
_strlwr
_wcsicmp
_strupr
_memicmp
ceil
??3@YAXPAX@Z
??2@YAPAXI@Z
__CxxFrameHandler
rand
srand
_ftol
strchr
strrchr
malloc
strstr
strncpy
_CxxThrowException
free
_except_handler3
wcslen
atoi
wcstombs
_beginthreadex
realloc
wcsrchr
strncat
memmove

Exports

Exports

CpyCommon

Sections

.text
Size: 100KB - Virtual size: 97KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.rdata
Size: 24KB - Virtual size: 20KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.data
Size: 12KB - Virtual size: 17KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.rsrc
Size: 4KB - Virtual size: 3KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.reloc
Size: 8KB - Virtual size: 7KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ

Sharing

General

Malware Config

Signatures

Files

686422e263801c56360f5a828bba1e48

Headers

File Characteristics

Imports

kernel32

advapi32

user32

msvcrt

Exports

Exports

Sections

.text Size: 100KB - Virtual size: 97KB

.rdata Size: 24KB - Virtual size: 20KB

.data Size: 12KB - Virtual size: 17KB

.rsrc Size: 4KB - Virtual size: 3KB

.reloc Size: 8KB - Virtual size: 7KB

.text
Size: 100KB - Virtual size: 97KB

.rdata
Size: 24KB - Virtual size: 20KB

.data
Size: 12KB - Virtual size: 17KB

.rsrc
Size: 4KB - Virtual size: 3KB

.reloc
Size: 8KB - Virtual size: 7KB