gh0strat | 2d831f707703c09db76838943281e2bb_JaffaCakes118 | Triage

Sharing

Copy URL Twitter E-mail

General

Target

2d831f707703c09db76838943281e2bb_JaffaCakes118
Size

130KB
MD5

2d831f707703c09db76838943281e2bb
SHA1

0f4a141473516f8c6a2a075b71f82d43367e7161
SHA256

1a41aba522b3973bd3f5e5e7d2376cdb88dfbff4fa26f59dbb171f5b7ddc8a50
SHA512

258743eaef07821cef281791f47f5976b2bc1487dd3430fdec76151d8c04f9a2fa4a7a9cb350f680d3a6459c8e553abe731d70182b47852eeec3392a58a379ac
SSDEEP

3072:rCvYHcmQ2hZgQPjS/nPv61OfsUAQ2awJ0fqxD0N:rgccmjhZZG/nXrfFsawJ0CA

Score

10^/10

gh0strat

Malware Config

Signatures

Gh0st RAT payload 1 IoCs

resource	yara_rule
sample	family_gh0strat

Gh0strat family
gh0strat

Unsigned PE 1 IoCs

Checks for missing Authenticode signature.

resource
2d831f707703c09db76838943281e2bb_JaffaCakes118

Files

2d831f707703c09db76838943281e2bb_JaffaCakes118
.exe windows:4 windows x86 arch:x86

069c2d333fee633f1521f075bdc8a1e5

Headers

File Characteristics

IMAGE_FILE_RELOCS_STRIPPED
IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LINE_NUMS_STRIPPED
IMAGE_FILE_LOCAL_SYMS_STRIPPED
IMAGE_FILE_32BIT_MACHINE

Imports

kernel32

CloseHandle
Process32Next
lstrcmpiA
Process32First
CreateToolhelp32Snapshot
lstrcpyA
lstrlenA
SetLastError
SizeofResource
LockResource
LoadResource
FindResourceA
GetLastError
WinExec
lstrcatA
ExpandEnvironmentStringsA
GetTempPathA
GetCurrentThreadId
ExitProcess
GetModuleFileNameA
Sleep
GetCommandLineA
FreeLibrary
GetProcAddress
LoadLibraryA
RaiseException
InterlockedExchange
LocalAlloc
GetStartupInfoA
GetModuleHandleA

msvcrt

strstr
??3@YAXPAX@Z
??1type_info@@UAE@XZ
_exit
_XcptFilter
exit
_acmdln
__getmainargs
_initterm
__setusermatherr
_adjust_fdiv
__p__commode
__p__fmode
__set_app_type
_controlfp
_except_handler3
__CxxFrameHandler
fopen
fclose
??2@YAPAXI@Z
fwrite

Sections

.text
Size: 7KB - Virtual size: 6KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.rsrc
Size: 122KB - Virtual size: 122KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ