gh0strat | 162736c0606599bacce1894214d0660d_JaffaCakes118 | Triage

Sharing

Copy URL Twitter E-mail

General

Target

162736c0606599bacce1894214d0660d_JaffaCakes118
Size

164KB
MD5

162736c0606599bacce1894214d0660d
SHA1

9559600a6c3231d590b0afeb0a0c58fa4e0ca4db
SHA256

b8b2e8ab74d132b305df0e370c5f3b26db92fdefffd4ff13620c9bb0a949bd8f
SHA512

bae17d923ab2438b3a24cccf84ce89cc84b2dec09253bd78655e6a4bd1b8d3a18372896a810c2b9adefe2b9317881e4013fbce992ade16986c77bfd9a9623f6d
SSDEEP

3072:hTKdyY2mWnJbJc2KTQZOG99owib0SDWk25woAQApL:hTuCO2qwr4wwxWkWwovw

Score

10^/10

gh0strat

Malware Config

Signatures

Gh0st RAT payload 1 IoCs

resource	yara_rule
sample	family_gh0strat

Gh0strat family
gh0strat

Unsigned PE 1 IoCs

Checks for missing Authenticode signature.

resource
162736c0606599bacce1894214d0660d_JaffaCakes118

Files

162736c0606599bacce1894214d0660d_JaffaCakes118
.exe windows:4 windows x86 arch:x86

71e07ab929e12fbf4112496a8f8157d7

Headers

File Characteristics

IMAGE_FILE_RELOCS_STRIPPED
IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LINE_NUMS_STRIPPED
IMAGE_FILE_LOCAL_SYMS_STRIPPED
IMAGE_FILE_32BIT_MACHINE

Imports

kernel32

Sleep
LockResource
GetProcAddress
LoadLibraryA
WaitForSingleObject
GetModuleHandleA
GetLastError
RaiseException
InterlockedExchange
LocalAlloc
FreeLibrary
GetStartupInfoA

msvcrt

__setusermatherr
_adjust_fdiv
_initterm
__p__fmode
__set_app_type
_except_handler3
_controlfp
__getmainargs
_acmdln
exit
_XcptFilter
_exit
srand
rand
__p__commode

Sections

.text
Size: 4KB - Virtual size: 3KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rdata
Size: 4KB - Virtual size: 1KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.data
Size: 4KB - Virtual size: 500B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.rsrc
Size: 148KB - Virtual size: 146KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
.data
.rdata
.reloc
.rsrc/BITMAP/103.bmp
.rsrc/MANIFEST/1
.xml
.rsrc/MENU/102
.rsrc/version.txt
.text