gh0strat | 52c0d9e7ebdb377b9f7b43e8f16d2eb5_JaffaCakes118

Sharing

Copy URL

Twitter E-mail

General

Target

52c0d9e7ebdb377b9f7b43e8f16d2eb5_JaffaCakes118
Size

116KB
MD5

52c0d9e7ebdb377b9f7b43e8f16d2eb5
SHA1

5a9df8b2b0555de19330c98058a8d1f3bb08c4c6
SHA256

c9f2d8067288818f8644b9a2774c4181113b33351bf2fb059996480db2e99c08
SHA512

973325c17c6468a5d78db0bdc1aa67cb52eef100b566c42f527610bd458e0e0189ef977a8958f3d614e5c9afb1289ed38a57e2d8294c443156c6845cd1fba47f
SSDEEP

3072:+8ChZFSs6WtJBN7zNA4P+uEC9BIzCiaAL:tChHShWbVAKjt9BIuiaAL

Score

10^/10

gh0strat

Malware Config

Signatures

Gh0st RAT payload 1 IoCs

resource	yara_rule
sample	family_gh0strat

Gh0strat family
gh0strat

Unsigned PE 1 IoCs

Checks for missing Authenticode signature.

resource
52c0d9e7ebdb377b9f7b43e8f16d2eb5_JaffaCakes118

Files

52c0d9e7ebdb377b9f7b43e8f16d2eb5_JaffaCakes118
.dll windows:4 windows x86 arch:x86

6f2478ddf30a65cc436a4a056e338cb5

Headers

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LINE_NUMS_STRIPPED
IMAGE_FILE_LOCAL_SYMS_STRIPPED
IMAGE_FILE_32BIT_MACHINE
IMAGE_FILE_DLL

Imports

kernel32

EnterCriticalSection
VirtualAlloc
CreateEventA
CloseHandle
WaitForSingleObject
ResetEvent
lstrcpyA
SetEvent
InterlockedExchange
CancelIo
Sleep
GetFileAttributesA
OpenProcess
lstrcatA
GetProcAddress
LoadLibraryA
FreeLibrary
MultiByteToWideChar
lstrlenA
WideCharToMultiByte
lstrcmpA
GetPrivateProfileStringA
GetVersionExA
DeleteFileA
GetLastError
CreateDirectoryA
GetDriveTypeA
GetDiskFreeSpaceExA
GetVolumeInformationA
GetLogicalDriveStringsA
FindClose
LocalFree
FindNextFileA
LocalReAlloc
FindFirstFileA
LocalAlloc
GetFileSize
ReadFile
SetFilePointer
MoveFileA
CreateFileA
GetModuleFileNameA
SetLastError
GetSystemDirectoryA
LeaveCriticalSection
WritePrivateProfileStringA
GetWindowsDirectoryA
GetCurrentProcess
CreateRemoteThread
WriteProcessMemory
VirtualAllocEx
CreateThread
TerminateThread
MoveFileExA
GetTickCount
WriteFile
GetLocalTime
HeapFree
GetProcessHeap
MapViewOfFile
CreateFileMappingA
HeapAlloc
UnmapViewOfFile
LocalSize
GlobalFree
GlobalUnlock
GlobalLock
GlobalAlloc
GlobalSize
GetStartupInfoA
CreatePipe
DisconnectNamedPipe
TerminateProcess
PeekNamedPipe
WaitForMultipleObjects
GlobalMemoryStatusEx
GetSystemInfo
ReleaseMutex
OpenEventA
SetErrorMode
CreateMutexA
SetUnhandledExceptionFilter
FreeConsole
Process32Next
Process32First
CreateToolhelp32Snapshot
lstrcmpiA
GetCurrentThreadId
RaiseException
VirtualFree
DeleteCriticalSection
CreateProcessA
InitializeCriticalSection

msvcrt

strncmp
strchr
_errno
wcscpy
strncat
realloc
wcstombs
_beginthreadex
calloc
atoi
_initterm
_adjust_fdiv
_strnicmp
_stricmp
??3@YAXPAX@Z
__CxxFrameHandler
strrchr
strncpy
sprintf
putchar
malloc
free
_except_handler3
_CxxThrowException
??2@YAPAXI@Z
??1type_info@@UAE@XZ
memmove
ceil
_ftol
strstr
_strcmpi

userenv

GetUserProfileDirectoryA
GetProfilesDirectoryA

msvcp60

?_Tidy@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@AAEX_N@Z
?npos@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@2IB
?_Xran@std@@YAXXZ
?_Split@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@AAEXXZ
?_Eos@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@AAEXI@Z
?_Refcnt@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@AAEAAEPBD@Z
?_Grow@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@AAE_NI_N@Z
?assign@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV12@PBDI@Z
??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ
?_C@?1??_Nullstr@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@CAPBDXZ@4DB

netapi32

NetUserAdd
NetLocalGroupAddMembers

imm32

ImmReleaseContext
ImmGetContext
ImmGetCompositionStringA

msvfw32

ICSeqCompressFrameEnd
ICSeqCompressFrame
ICSeqCompressFrameStart
ICSendMessage
ICOpen
ICClose
ICCompressorFree

Exports

Exports

FantasyMain

Sections

.text
Size: 85KB - Virtual size: 84KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rdata
Size: 15KB - Virtual size: 14KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.data
Size: 8KB - Virtual size: 10KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.rsrc
Size: 512B - Virtual size: 16B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.reloc
Size: 6KB - Virtual size: 6KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ

Sharing

General

Malware Config

Signatures

Files

6f2478ddf30a65cc436a4a056e338cb5

Headers

File Characteristics

Imports

kernel32

msvcrt

userenv

msvcp60

netapi32

imm32

msvfw32

Exports

Exports

Sections

.text Size: 85KB - Virtual size: 84KB

.rdata Size: 15KB - Virtual size: 14KB

.data Size: 8KB - Virtual size: 10KB

.rsrc Size: 512B - Virtual size: 16B

.reloc Size: 6KB - Virtual size: 6KB

.text
Size: 85KB - Virtual size: 84KB

.rdata
Size: 15KB - Virtual size: 14KB

.data
Size: 8KB - Virtual size: 10KB

.rsrc
Size: 512B - Virtual size: 16B

.reloc
Size: 6KB - Virtual size: 6KB