gh0strat | 0a88788ba3f7c03168d4cc92f3d63dcd_JaffaCakes118

Sharing

Copy URL Twitter E-mail

General

Target

0a88788ba3f7c03168d4cc92f3d63dcd_JaffaCakes118
Size

164KB
MD5

0a88788ba3f7c03168d4cc92f3d63dcd
SHA1

3a84bad8f1aeff5563239fe70db1f1bcf1c09034
SHA256

356af5f37bbca13402be62db6c06b63290024c37b47c453ee3753444823e36af
SHA512

1c0610d8c595f55ed2eeb62740b0990bcd6dc04438f874abb36b6bab95e08faad269f943b6204bafd67aa6e891fd25c68fe0bcd73fbed1a65be5d04e232a4c6b
SSDEEP

3072:BxUV9T+tEG3fwtm+D+o3xxUe+mUMZxFX0:BeDoEGPwYNmLymUMDd0

Score

10^/10

gh0strat

Malware Config

Signatures

Gh0st RAT payload 1 IoCs

resource	yara_rule
sample	family_gh0strat

Gh0strat family
gh0strat

Unsigned PE 1 IoCs

Checks for missing Authenticode signature.

resource
0a88788ba3f7c03168d4cc92f3d63dcd_JaffaCakes118

Files

0a88788ba3f7c03168d4cc92f3d63dcd_JaffaCakes118
.exe windows:4 windows x86 arch:x86

f89aca222bd00145c4db5fb66219b659

Headers

File Characteristics

IMAGE_FILE_RELOCS_STRIPPED
IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LINE_NUMS_STRIPPED
IMAGE_FILE_LOCAL_SYMS_STRIPPED
IMAGE_FILE_32BIT_MACHINE

Imports

kernel32

GlobalFree
GlobalUnlock
GlobalLock
GlobalAlloc
GlobalSize
GlobalMemoryStatus
GetSystemInfo
OpenEventA
SetErrorMode
CreateMutexA
SetFileAttributesA
MoveFileExA
GetStartupInfoA
GetModuleFileNameA
GetCurrentThreadId
CreatePipe
DisconnectNamedPipe
TerminateProcess
PeekNamedPipe
WaitForMultipleObjects
GlobalMemoryStatusEx
OpenProcess
GetModuleHandleA
CreateProcessA
GetLastError
MoveFileA
WriteFile
SetFilePointer
ReadFile
CreateFileA
GetFileSize
RemoveDirectoryA
FindFirstFileA
LocalReAlloc
LocalSize
FindClose
GetLogicalDriveStringsA
GetVolumeInformationA
GetDiskFreeSpaceExA
GetDriveTypeA
GetFileAttributesA
CreateDirectoryA
DeleteFileA
lstrcatA
GetVersionExA
GetPrivateProfileStringA
lstrcmpA
WideCharToMultiByte
MultiByteToWideChar
GetWindowsDirectoryA
lstrcpyA
GetPrivateProfileSectionNamesA
GetProcessHeap
HeapAlloc
GetCurrentProcessId
CreateThread
GetLocalTime
LoadLibraryA
GetProcAddress
InterlockedExchange
SetEvent
InitializeCriticalSection
ResetEvent
WaitForSingleObject
CloseHandle
CreateEventA
VirtualAlloc
EnterCriticalSection
Sleep
LeaveCriticalSection
GetSystemTime
CreateToolhelp32Snapshot
Process32First
Process32Next
lstrlenA
GetCurrentProcess
FindNextFileA
WinExec
VirtualFree
DeleteCriticalSection
DefineDosDeviceA

user32

SetCapture
WindowFromPoint
SetCursorPos
CloseClipboard
SetClipboardData
EmptyClipboard
OpenClipboard
GetClipboardData
GetSystemMetrics
MapVirtualKeyA
GetDC
GetDesktopWindow
ReleaseDC
GetCursorInfo
GetCursorPos
SetProcessWindowStation
OpenWindowStationA
GetProcessWindowStation
GetMessageA
IsWindow
CloseWindow
wsprintfA
SendMessageA
SystemParametersInfoA
DestroyCursor
LoadCursorA
GetKeyState
GetAsyncKeyState
GetForegroundWindow
EnumWindows
IsWindowVisible
GetWindowTextA
MessageBoxA
ExitWindowsEx
CharNextA
SetRect
CreateWindowExA
OpenDesktopA
PostMessageA
OpenInputDesktop
GetThreadDesktop
GetUserObjectInformationA
SetThreadDesktop
CloseDesktop
GetWindowThreadProcessId
GetInputState
PostThreadMessageA

gdi32

GetDIBits
BitBlt
DeleteDC
DeleteObject
CreateCompatibleDC
CreateDIBSection
SelectObject
CreateCompatibleBitmap

advapi32

OpenEventLogA
RegQueryValueExA
RegCloseKey
IsValidSid
LookupAccountNameA
LsaClose
LsaRetrievePrivateData
LsaOpenPolicy
LsaFreeMemory
CloseEventLog
ClearEventLogA
RegSetValueExA
RegCreateKeyA
AdjustTokenPrivileges
LookupPrivilegeValueA
OpenProcessToken
CloseServiceHandle
ControlService
QueryServiceStatus
OpenServiceA
OpenSCManagerA
RegCreateKeyExA
RegEnumValueA
RegEnumKeyExA
RegDeleteValueA
RegDeleteKeyA
RegQueryInfoKeyA
UnlockServiceDatabase
ChangeServiceConfigA
LockServiceDatabase
DeleteService
StartServiceA
QueryServiceConfigA
EnumServicesStatusA
RegOpenKeyA
GetUserNameA
LookupAccountSidA
GetTokenInformation
RegOpenKeyExA

shell32

SHGetFileInfoA
ShellExecuteA
SHGetSpecialFolderPathA

msvcrt

_strupr
_XcptFilter
_strnicmp
_controlfp
__set_app_type
__p__fmode
__p__commode
_adjust_fdiv
__setusermatherr
_initterm
__getmainargs
_acmdln
_strcmpi
_exit
??1type_info@@UAE@XZ
calloc
_beginthreadex
atol
strncat
exit
_errno
strncmp
wcscpy
atoi
_iob
strrchr
_except_handler3
free
malloc
strchr
strncpy
sprintf
rand
??2@YAPAXI@Z
strstr
_ftol
ceil
??3@YAXPAX@Z
__CxxFrameHandler
_CxxThrowException
memmove

ws2_32

gethostname
__WSAFDIsSet
recvfrom
listen
accept
getpeername
bind
getsockname
WSAStartup
WSACleanup
ntohs
inet_ntoa
htonl
sendto
inet_addr
send
closesocket
socket
gethostbyname
htons
connect
setsockopt
WSAIoctl
recv
select
WSASocketA

wininet

InternetOpenA
InternetReadFile
InternetCloseHandle
InternetOpenUrlA

msvcp60

?_Eos@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@AAEXI@Z
?_C@?1??_Nullstr@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@CAPBDXZ@4DB
??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ
?npos@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@2IB
?_Xran@std@@YAXXZ
?_Split@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@AAEXXZ
?_Tidy@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@AAEX_N@Z
?_Refcnt@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@AAEAAEPBD@Z
?_Grow@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@AAE_NI_N@Z
?assign@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV12@PBDI@Z

urlmon

URLDownloadToFileA

netapi32

NetUserAdd
NetLocalGroupAddMembers

msvfw32

ICSendMessage
ICSeqCompressFrameEnd
ICCompressorFree
ICOpen
ICClose
ICSeqCompressFrame
ICSeqCompressFrameStart

psapi

EnumProcessModules
GetModuleFileNameExA

wtsapi32

WTSFreeMemory
WTSQuerySessionInformationA

Sections

.text
Size: 108KB - Virtual size: 105KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.data
Size: 32KB - Virtual size: 28KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.rsrc
Size: 20KB - Virtual size: 17KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

Sharing

General

Malware Config

Signatures

Files

f89aca222bd00145c4db5fb66219b659

Headers

File Characteristics

Imports

kernel32

user32

gdi32

advapi32

shell32

msvcrt

ws2_32

wininet

msvcp60

urlmon

netapi32

msvfw32

psapi

wtsapi32

Sections

.text Size: 108KB - Virtual size: 105KB

.data Size: 32KB - Virtual size: 28KB

.rsrc Size: 20KB - Virtual size: 17KB

.text
Size: 108KB - Virtual size: 105KB

.data
Size: 32KB - Virtual size: 28KB

.rsrc
Size: 20KB - Virtual size: 17KB