gh0strat | 13b078ed347a0116d1a781e77cb4a4a8_JaffaCakes118

Sharing

Copy URL Twitter E-mail

General

Target

13b078ed347a0116d1a781e77cb4a4a8_JaffaCakes118
Size

176KB
MD5

13b078ed347a0116d1a781e77cb4a4a8
SHA1

8a3453ebb11ef9087b02f4e85c6a97ad123f6537
SHA256

e91651c17d63974290dc99d7f4956443a0d14570f4c9b94a2411b67964b1ea90
SHA512

c90908149a12e1c1c0cbd5ec326032d9f6ff1a3916841b34aa5f2b882675924459ee9a3f68361c4e2a0b2c17d83e4cd60ac5ad2321a1c83daba5a55896109ce4
SSDEEP

3072:7fz8JPQqUmu+DojOcOXLaT6FK7CpcmmRklt2pIM41jJ/DNsm/dVI:pE3XOz7uDlt2mM0lrFb

Score

10^/10

gh0strat

Malware Config

Signatures

Gh0st RAT payload 1 IoCs

resource	yara_rule
sample	family_gh0strat

Gh0strat family
gh0strat

Unsigned PE 1 IoCs

Checks for missing Authenticode signature.

resource
13b078ed347a0116d1a781e77cb4a4a8_JaffaCakes118

Files

13b078ed347a0116d1a781e77cb4a4a8_JaffaCakes118
.exe windows:4 windows x86 arch:x86

dae581127308ed057079afff252d673b

Headers

File Characteristics

IMAGE_FILE_RELOCS_STRIPPED
IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LINE_NUMS_STRIPPED
IMAGE_FILE_LOCAL_SYMS_STRIPPED
IMAGE_FILE_32BIT_MACHINE

Imports

msvfw32

ICSeqCompressFrameEnd
ICCompressorFree
ICClose
ICOpen
ICSendMessage
ICSeqCompressFrameStart
ICSeqCompressFrame

kernel32

GetModuleFileNameA
GetStartupInfoA
GetModuleHandleA
WaitForSingleObject
CreateEventA
Process32Next
GetLastError
DeleteCriticalSection
GetProcAddress
LoadLibraryA
ResetEvent
lstrcpyA
SetEvent
InterlockedExchange
GetTickCount
GetLocalTime
Sleep
CloseHandle
CreateThread
FreeLibrary
GetCurrentProcessId
HeapAlloc
GetProcessHeap
lstrlenA
GetPrivateProfileSectionNamesA
lstrcatA
GetWindowsDirectoryA
WideCharToMultiByte
lstrcmpA
GetPrivateProfileStringA
DeleteFileA
CreateDirectoryA
GetFileAttributesA
CreateProcessA
GetDriveTypeA
GetVolumeInformationA
GetLogicalDriveStringsA
FindClose
LocalFree
FindFirstFileA
LocalAlloc
MoveFileA
GetVersionExA
MultiByteToWideChar
VirtualFree
VirtualAlloc
GlobalFree
GlobalUnlock
GlobalLock
GlobalAlloc
GlobalSize
GlobalMemoryStatusEx
OutputDebugStringA
GetSystemInfo
CopyFileA
GetTempPathA
OpenProcess
RaiseException

msvcrt

_strnicmp
_strcmpi
??0exception@@QAE@ABV0@@Z
strlen
??3@YAXPAX@Z
__CxxFrameHandler
_CxxThrowException
memmove
ceil
_ftol
strstr
??2@YAPAXI@Z
rand
putchar
puts
sprintf
strncpy
strchr
malloc
free
_except_handler3
strrchr
atoi
strncmp
_errno
wcscpy
exit
strncat
atol
_beginthreadex
calloc
??1type_info@@UAE@XZ
__dllonexit
_onexit
_exit
_XcptFilter
_acmdln
__getmainargs
_initterm
__setusermatherr
_adjust_fdiv
__p__commode
__p__fmode
__set_app_type
_controlfp
??1exception@@UAE@XZ
??0exception@@QAE@ABQBD@Z
memcpy

Sections

.text
Size: 92KB - Virtual size: 90KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rdata
Size: 16KB - Virtual size: 12KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.data
Size: 12KB - Virtual size: 14KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.rsrc
Size: 52KB - Virtual size: 52KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

Sharing

General

Malware Config

Signatures

Files

dae581127308ed057079afff252d673b

Headers

File Characteristics

Imports

msvfw32

kernel32

msvcrt

Sections

.text Size: 92KB - Virtual size: 90KB

.rdata Size: 16KB - Virtual size: 12KB

.data Size: 12KB - Virtual size: 14KB

.rsrc Size: 52KB - Virtual size: 52KB

.text
Size: 92KB - Virtual size: 90KB

.rdata
Size: 16KB - Virtual size: 12KB

.data
Size: 12KB - Virtual size: 14KB

.rsrc
Size: 52KB - Virtual size: 52KB