gh0strat | 2b5913778d7c0d504018dc4e7cf5fe19_JaffaCakes118

Sharing

Copy URL Twitter E-mail

General

Target

2b5913778d7c0d504018dc4e7cf5fe19_JaffaCakes118
Size

524KB
MD5

2b5913778d7c0d504018dc4e7cf5fe19
SHA1

42fd57b6add8c0e287df3581d0845c4d98b7b595
SHA256

d3278a51dc3121820b4451e3632913097a4d3cebbb42c3907d1f951ff5daa600
SHA512

fe5c2cdada67e7985c6a0c1c04993fd306347361b71c5b382576e50d7aed1db4b390804e475896b0d7ecd76a6fed6b8e8a93dae66106a24caabd3cb65c1fcbe1
SSDEEP

12288:NMM5s0Jfa1EsxzTr+TxrsAXWxQn3ZqAUDxq2W:NMM5s0k1EsxzTr+TxrsAWQ3ZqB82W

Score

10^/10

gh0strat

Malware Config

Signatures

Gh0st RAT payload 1 IoCs

resource	yara_rule
sample	family_gh0strat

Gh0strat family
gh0strat

Unsigned PE 1 IoCs

Checks for missing Authenticode signature.

resource
2b5913778d7c0d504018dc4e7cf5fe19_JaffaCakes118

Files

2b5913778d7c0d504018dc4e7cf5fe19_JaffaCakes118
.exe windows:4 windows x86 arch:x86

960717efa43ac0bb2d873c98af6833ac

Headers

File Characteristics

IMAGE_FILE_RELOCS_STRIPPED
IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LINE_NUMS_STRIPPED
IMAGE_FILE_LOCAL_SYMS_STRIPPED
IMAGE_FILE_32BIT_MACHINE

Imports

kernel32

GetProcAddress
LoadLibraryA
LeaveCriticalSection
WideCharToMultiByte
ResetEvent
lstrcpyA
InterlockedExchange
lstrlenA
GetPrivateProfileSectionNamesA
lstrcatA
GetWindowsDirectoryA
FreeLibrary
lstrcmpA
GetPrivateProfileStringA
DeleteFileA
CreateDirectoryA
GetFileAttributesA
CreateProcessA
GetDriveTypeA
GetVolumeInformationA
GetLogicalDriveStringsA
FindClose
LocalFree
FindFirstFileA
LocalAlloc
MoveFileA
GetVersion
DeviceIoControl
Sleep
MultiByteToWideChar
HeapFree
HeapAlloc
GlobalFree
GlobalUnlock
GlobalLock
GlobalAlloc
QueryPerformanceCounter
QueryPerformanceFrequency
SetThreadPriority
SetPriorityClass
GetThreadPriority
GetCurrentThread
GetPriorityClass
GetCurrentProcess
GlobalMemoryStatus
GetTickCount
GetSystemInfo
GetModuleFileNameA
GetStartupInfoA
OpenProcess
Process32Next
RtlUnwind
ExitProcess
TerminateProcess
GetLastError
CreateThread
GetCurrentThreadId
TlsSetValue
TlsGetValue
ExitThread
GetModuleHandleA
GetCommandLineA
TlsAlloc
SetLastError
RaiseException
GetEnvironmentVariableA
GetVersionExA
HeapDestroy
HeapCreate
VirtualFree
VirtualAlloc
HeapReAlloc
IsBadWritePtr
InitializeCriticalSection
DeleteCriticalSection
EnterCriticalSection
HeapSize
UnhandledExceptionFilter
FreeEnvironmentStringsA
FreeEnvironmentStringsW
GetEnvironmentStrings
GetEnvironmentStringsW
SetHandleCount
GetStdHandle
GetFileType
WriteFile
CloseHandle
SetUnhandledExceptionFilter
IsBadReadPtr
IsBadCodePtr
InterlockedDecrement
InterlockedIncrement
GetStringTypeA
GetStringTypeW
GetCPInfo
GetACP
GetOEMCP
SetStdHandle
FlushFileBuffers
SetFilePointer
LCMapStringA
LCMapStringW

shell32

SHGetFileInfoA
SHGetSpecialFolderPathA

oleaut32

SysFreeString

netapi32

NetUserAdd
NetLocalGroupAddMembers

wtsapi32

WTSQuerySessionInformationA
WTSFreeMemory

Sections

.text
Size: 499KB - Virtual size: 499KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.data
Size: 23KB - Virtual size: 492KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.rsrc
Size: 512B - Virtual size: 328B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

Sharing

General

Malware Config

Signatures

Files

960717efa43ac0bb2d873c98af6833ac

Headers

File Characteristics

Imports

kernel32

shell32

oleaut32

netapi32

wtsapi32

Sections

.text Size: 499KB - Virtual size: 499KB

.data Size: 23KB - Virtual size: 492KB

.rsrc Size: 512B - Virtual size: 328B

.text
Size: 499KB - Virtual size: 499KB

.data
Size: 23KB - Virtual size: 492KB

.rsrc
Size: 512B - Virtual size: 328B