gh0strat | JaffaCakes118_3ef2035ae2b543a1ee9153de6c52808b | Triage

Sharing

General

Target

JaffaCakes118_3ef2035ae2b543a1ee9153de6c52808b
Size

131KB
MD5

3ef2035ae2b543a1ee9153de6c52808b
SHA1

a1fbed0b629f7501b978c558892644bc3a70dfb8
SHA256

e5367beae3a7f84f9898b48067dad0077028a73016d7088ea0981b07a3692126
SHA512

9fcecc788439b971286435cbe7d34f5808ab192cf4249c3878a855e3bbb4f70a6d5387011178d52383137f9ce1dc8ada182136635a39d7fc53a48ea7eb5b6f9f
SSDEEP

3072:99IGrzfvjtlN9F3v8Xg3GPp8Wbpe/SeI7PKm/HpU0L3eqn3V97hC:999rTvjPvF3v8Q32Q9IT9m0T/n8

Score

10^/10

gh0strat

Malware Config

Signatures

Gh0st RAT payload 1 IoCs

resource	yara_rule
sample	family_gh0strat

Gh0strat family
gh0strat

Unsigned PE 1 IoCs

Checks for missing Authenticode signature.

resource
JaffaCakes118_3ef2035ae2b543a1ee9153de6c52808b

Files

JaffaCakes118_3ef2035ae2b543a1ee9153de6c52808b
.exe windows:4 windows x86 arch:x86

d5f5ff2398c401c8fc31cffe94f866af

Headers

File Characteristics

IMAGE_FILE_RELOCS_STRIPPED
IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LINE_NUMS_STRIPPED
IMAGE_FILE_LOCAL_SYMS_STRIPPED
IMAGE_FILE_32BIT_MACHINE

Imports

kernel32

CreateMutexA
GetCommandLineA
FreeLibrary
GetProcAddress
ReleaseMutex
GetStartupInfoA
GetModuleHandleA
Sleep
SetUnhandledExceptionFilter
GetCurrentThreadId
GetTempPathA
GetModuleFileNameA
CreateFileA
SetFilePointer
ReadFile
lstrcatA
GetLastError
ExitProcess
SetLastError
lstrcpyA
LoadResource
SetFileTime
SizeofResource
lstrlenA
CloseHandle
ExpandEnvironmentStringsA
LoadLibraryA

user32

GetMessageA
wsprintfA
GetInputState
PostThreadMessageA

advapi32

OpenServiceA
StartServiceA
OpenSCManagerA
CreateServiceA
CloseServiceHandle
RegOpenKeyExA
RegQueryValueExA
RegCloseKey
RegSetValueExA
RegDeleteKeyA
RegCreateKeyExA
RegDeleteValueA

shell32

ShellExecuteA

msvcrt

_XcptFilter
_strrev
_controlfp
??3@YAXPAX@Z
??2@YAPAXI@Z
__CxxFrameHandler
_CxxThrowException
realloc
malloc
_except_handler3
strchr
strstr
??1type_info@@UAE@XZ
_exit
exit
_acmdln
__getmainargs
_initterm
__setusermatherr
_adjust_fdiv
__p__commode
__p__fmode
__set_app_type

Sections

.text
Size: 8KB - Virtual size: 8KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.rsrc
Size: 121KB - Virtual size: 121KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ