gh0strat | JaffaCakes118_417811564bbe489d3117fd04b338ac9b | Triage

Sharing

General

Target

JaffaCakes118_417811564bbe489d3117fd04b338ac9b
Size

156KB
MD5

417811564bbe489d3117fd04b338ac9b
SHA1

2ea1cb7e18666b7a52b1b099d2e151c7b4a35abf
SHA256

6be071163d6340ff98a0b9fe175f14144dbc751874b5dc5eeef8a83d91010889
SHA512

f0b0189ce9ef3d1259eb18c897dddbb9fae67fbe5e6c30671c01ad055924a851c94f8458c936a9219249c9b0210a01d739f0c21f4d41cf9bcf568936bf39db43
SSDEEP

3072:3hDj44zniIHhEF+AdDSpxXepxwiQEhiM8BKj:yqii2TIp9kxwiQEd8BA

Score

10^/10

gh0strat

Malware Config

Signatures

Gh0st RAT payload 1 IoCs

resource	yara_rule
sample	family_gh0strat

Gh0strat family
gh0strat

Unsigned PE 1 IoCs

Checks for missing Authenticode signature.

resource
JaffaCakes118_417811564bbe489d3117fd04b338ac9b

Files

JaffaCakes118_417811564bbe489d3117fd04b338ac9b
.exe windows:4 windows x86 arch:x86

21b9a029b08d85cf03f8e5678c162a54

Headers

File Characteristics

IMAGE_FILE_RELOCS_STRIPPED
IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LINE_NUMS_STRIPPED
IMAGE_FILE_LOCAL_SYMS_STRIPPED
IMAGE_FILE_32BIT_MACHINE

Imports

kernel32

Sleep
WritePrivateProfileStringA
CopyFileA
GetModuleFileNameA
GetEnvironmentVariableA
DeleteFileA
CreateEventA
GetCommandLineA
CreateThread
MoveFileExA
GetModuleHandleA
lstrcatA
SetFilePointer
ReadFile
CreateFileA
lstrlenA
FreeLibrary
CloseHandle
ExitProcess
GetTickCount
CreateToolhelp32Snapshot
lstrcmpiA
LoadLibraryA
GetProcAddress
GetLastError
RaiseException
InterlockedExchange
LocalAlloc
GetStartupInfoA

advapi32

CloseServiceHandle

msvcrt

strtok
free
strstr
_exit
_XcptFilter
exit
_acmdln
__getmainargs
_initterm
__setusermatherr
_adjust_fdiv
__p__commode
__p__fmode
__set_app_type
_controlfp
_except_handler3
??3@YAXPAX@Z
rand
??2@YAPAXI@Z
_strcmpi

Sections

.text
Size: 8KB - Virtual size: 7KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rdata
Size: 4KB - Virtual size: 1KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.data
Size: 4KB - Virtual size: 1KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.rsrc
Size: 136KB - Virtual size: 133KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ