runningrat | JaffaCakes118_b2674a5ea1a9dc7c64530d28fa3513b2 | Triage

Sharing

General

Target

JaffaCakes118_b2674a5ea1a9dc7c64530d28fa3513b2
Size

48KB
MD5

b2674a5ea1a9dc7c64530d28fa3513b2
SHA1

79ce6dd3a028410d4256e8e2a0224c45d6771923
SHA256

9657f9b7b8ef24748e61c4c6ac1bfc4a667a9845be5bbf616d2507071b24bf95
SHA512

5e59d828a29558fd1da4805d50a322ec813199747c3717f4a7a6738572bacece7d28a6376e7d649465d3f9044dedea9f7fd4690eb4912f1ab20b27a63b386a5a
SSDEEP

768:BR7dOahyoHokBtqN74W7bZZmYb9PyzcjRlYlwa6NVdkPnJJMIzDV:8aAoHoc2x7bZoYBAcQlwJdM3

Score

10^/10

rat runningrat

Malware Config

Extracted

Family

runningrat

C2

www.wulei168.pw

Signatures

RunningRat payload 1 IoCs

resource	yara_rule
sample	family_runningrat

Runningrat family
runningrat

Unsigned PE 1 IoCs

Checks for missing Authenticode signature.

resource
JaffaCakes118_b2674a5ea1a9dc7c64530d28fa3513b2

Files

JaffaCakes118_b2674a5ea1a9dc7c64530d28fa3513b2
.dll windows:4 windows x86 arch:x86

6a6702f5b47319e63a51e781cbc02006

Headers

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LINE_NUMS_STRIPPED
IMAGE_FILE_LOCAL_SYMS_STRIPPED
IMAGE_FILE_32BIT_MACHINE
IMAGE_FILE_DLL

Imports

mfc42

ord5683
ord4129
ord825
ord800
ord823
ord537

msvcrt

_adjust_fdiv
malloc
_initterm
free
strstr
_except_handler3
__CxxFrameHandler
_access
srand
rand
_mkdir

kernel32

CloseHandle
CreateFileA
WriteFile
GetTickCount
GetLastError
GetFileAttributesA
lstrcpyA
DisableThreadLibraryCalls
ExpandEnvironmentStringsA
MoveFileExA
DeleteFileA
GetCommandLineA
LoadLibraryA
GetProcAddress
GetLocalTime
FreeLibrary

user32

wsprintfA

Exports

Exports

Main

Sections

.text
Size: 4KB - Virtual size: 3KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rdata
Size: 1KB - Virtual size: 1KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.data
Size: 38KB - Virtual size: 38KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.rsrc
Size: 1024B - Virtual size: 752B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.reloc
Size: 512B - Virtual size: 438B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ