gh0strat | 17241de8837bc0e5dfefc40b2e15e7f7_JaffaCakes118

Sharing

Copy URL Twitter E-mail

General

Target

17241de8837bc0e5dfefc40b2e15e7f7_JaffaCakes118
Size

85KB
MD5

17241de8837bc0e5dfefc40b2e15e7f7
SHA1

3efd8cb22d2f7a138e20f9e83f164a591a5304fd
SHA256

9e1eb694b5b3a179df685c5f59269c0bd8cdafd5bc9d07ea5b4d50e0b1f5a111
SHA512

66695ec3cd09d013abc224fdd3474f36c9577fe8e3278a9c0a89a58aa33e18177d2b75489ec5c1ca2396c7caef721ac6627eb33cc57adf86615ec09649473354
SSDEEP

1536:ufcOnZZOL7zLyR6B9cYI2f4n+io9d1SVlQPqAkInjtazx:ufxe7zeR6B9bIg4n+hyVlQPHkIjtazx

Score

10^/10

gh0strat

Malware Config

Signatures

Gh0st RAT payload 1 IoCs

resource	yara_rule
sample	family_gh0strat

Gh0strat family
gh0strat

Unsigned PE 1 IoCs

Checks for missing Authenticode signature.

resource
17241de8837bc0e5dfefc40b2e15e7f7_JaffaCakes118

Files

17241de8837bc0e5dfefc40b2e15e7f7_JaffaCakes118
.dll windows:4 windows x86 arch:x86

4ddfa5445835e599cbe0575aa979f1cc

Headers

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LINE_NUMS_STRIPPED
IMAGE_FILE_LOCAL_SYMS_STRIPPED
IMAGE_FILE_32BIT_MACHINE
IMAGE_FILE_DLL

Imports

kernel32

GetTickCount
GetLocalTime
HeapFree
GetProcessHeap
HeapAlloc
GlobalFree
GlobalUnlock
GlobalLock
GlobalAlloc
GlobalSize
OpenProcess
GetStartupInfoA
CreatePipe
Process32Next
Process32First
CreateToolhelp32Snapshot
TerminateProcess
CreateProcessA
PeekNamedPipe
MoveFileExA
GetVersionExA
ReleaseMutex
OpenEventA
SetErrorMode
CreateThread
CreateMutexA
SetUnhandledExceptionFilter
FreeConsole
GetCurrentProcessId
lstrcmpiA
GetCurrentThreadId
GetModuleFileNameA
SetLastError
MoveFileA
GetWindowsDirectoryA
TerminateThread
GetCurrentProcess
DisconnectNamedPipe
WriteFile
SetFilePointer
ReadFile
CreateFileA
GetFileSize
GetLogicalDriveStringsA
GetVolumeInformationA
LoadLibraryA
GetDiskFreeSpaceExA
GetDriveTypeA
FreeLibrary
lstrcatA
RemoveDirectoryA
LocalAlloc
FindFirstFileA
LocalReAlloc
FindNextFileA
LocalFree
FindClose
lstrlenA
GetFileAttributesA
CreateDirectoryA
GetLastError
DeleteFileA
Sleep
CancelIo
InterlockedExchange
SetEvent
ResetEvent
lstrcpyA
WaitForSingleObject
CloseHandle
GetModuleHandleA
GetProcAddress
CreateEventA
VirtualAlloc
EnterCriticalSection
LeaveCriticalSection
VirtualFree
DeleteCriticalSection
WaitForMultipleObjects
InitializeCriticalSection

user32

PostMessageA
OpenDesktopA
GetUserObjectInformationA
OpenInputDesktop
SetThreadDesktop
CloseDesktop
GetProcessWindowStation
OpenWindowStationA
SetProcessWindowStation
GetCursorPos
GetCursorInfo
ReleaseDC
GetDesktopWindow
GetDC
SetRect
GetSystemMetrics
GetClipboardData
OpenClipboard
CharNextA
wsprintfA
GetClassNameA
GetWindowTextA
GetActiveWindow
GetKeyNameTextA
GetThreadDesktop
LoadCursorA
DestroyCursor
SendMessageA
MapVirtualKeyA
SetCapture
EmptyClipboard
SetClipboardData
CloseClipboard
mouse_event
SetCursorPos
WindowFromPoint

gdi32

CreateDIBSection
CreateCompatibleDC
DeleteObject
DeleteDC
BitBlt
GetDIBits
CreateCompatibleBitmap
SelectObject

advapi32

RegisterServiceCtrlHandlerA
SetServiceStatus
DuplicateTokenEx
CreateProcessAsUserA
RegEnumKeyExA
RegEnumValueA
RegCloseKey
RegQueryValueA
RegOpenKeyExA
RegQueryValueExA
RegOpenKeyA
RegSetValueExA
OpenEventLogA
CloseServiceHandle
DeleteService
ControlService
QueryServiceStatus
AdjustTokenPrivileges
LookupPrivilegeValueA
OpenProcessToken
FreeSid
SetSecurityDescriptorDacl
AddAccessAllowedAce
InitializeAcl
GetLengthSid
AllocateAndInitializeSid
InitializeSecurityDescriptor
RegDeleteKeyA

shell32

SHGetFileInfoA

shlwapi

SHDeleteKeyA

msvcrt

wcstombs
_beginthreadex
calloc
??1type_info@@UAE@XZ
_adjust_fdiv
strtok
atoi
realloc
strchr
_stricmp
strncat
strncpy
_initterm
_strnicmp
_strlwr
_strrev
strrchr
sprintf
_except_handler3
malloc
free
??3@YAXPAX@Z
memmove
ceil
_ftol
strstr
__CxxFrameHandler
??2@YAPAXI@Z
_CxxThrowException

ws2_32

select
closesocket
gethostbyname
recv
connect
setsockopt
gethostname
htons
WSAStartup
WSACleanup
WSAIoctl
socket

msvcp60

?npos@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@2IB
?_Xran@std@@YAXXZ
?_Split@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@AAEXXZ
?_Eos@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@AAEXI@Z
?_Refcnt@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@AAEAAEPBD@Z
?_Grow@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@AAE_NI_N@Z
?assign@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV12@PBDI@Z
??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ
?_C@?1??_Nullstr@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@CAPBDXZ@4DB
?_Tidy@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@AAEX_N@Z

imm32

ImmGetCompositionStringA
ImmGetContext
ImmReleaseContext

wininet

InternetReadFile
InternetOpenA

Exports

Exports

QgptkagOckl
Test

Sections

.text
Size: 59KB - Virtual size: 58KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.rdata
Size: 11KB - Virtual size: 11KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.data
Size: 7KB - Virtual size: 9KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.edata
Size: 512B - Virtual size: 96B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.rsrc
Size: 1KB - Virtual size: 1KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.reloc
Size: 4KB - Virtual size: 3KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ

Sharing

General

Malware Config

Signatures

Files

4ddfa5445835e599cbe0575aa979f1cc

Headers

File Characteristics

Imports

kernel32

user32

gdi32

advapi32

shell32

shlwapi

msvcrt

ws2_32

msvcp60

imm32

wininet

Exports

Exports

Sections

.text Size: 59KB - Virtual size: 58KB

.rdata Size: 11KB - Virtual size: 11KB

.data Size: 7KB - Virtual size: 9KB

.edata Size: 512B - Virtual size: 96B

.rsrc Size: 1KB - Virtual size: 1KB

.reloc Size: 4KB - Virtual size: 3KB

.text
Size: 59KB - Virtual size: 58KB

.rdata
Size: 11KB - Virtual size: 11KB

.data
Size: 7KB - Virtual size: 9KB

.edata
Size: 512B - Virtual size: 96B

.rsrc
Size: 1KB - Virtual size: 1KB

.reloc
Size: 4KB - Virtual size: 3KB