gh0strat | JaffaCakes118_4c2909912dac739d2cce790dacb9cdd5

Sharing

Copy URL

Twitter E-mail

General

Target

JaffaCakes118_4c2909912dac739d2cce790dacb9cdd5
Size

196KB
MD5

4c2909912dac739d2cce790dacb9cdd5
SHA1

856b864ca31a9de4c749e58befcc80dd8bebfa4f
SHA256

cd2b8399b2a84f9f59197665777c9c8931870e4cc9fecc84ca905d7f05572fa5
SHA512

4fe68e49710b9ac37d92f9239bc76f8c0eef368fa2b4a4faa02f9e7eb96c15f56ed70734858e84bc85e00833e9e8761ecbf15d0416ccb2818bf3b8637984b03f
SSDEEP

3072:1a5gMYN37IHH1kdkOefmuvvpONDIK3I21qugTh4aPGS:fMYNMHwkNf7vU+K4gqugTOaPGS

Score

10^/10

gh0strat

Malware Config

Signatures

Gh0st RAT payload 1 IoCs

resource	yara_rule
sample	family_gh0strat

Gh0strat family
gh0strat

Unsigned PE 1 IoCs

Checks for missing Authenticode signature.

resource
JaffaCakes118_4c2909912dac739d2cce790dacb9cdd5

Files

JaffaCakes118_4c2909912dac739d2cce790dacb9cdd5
.exe windows:4 windows x86 arch:x86

e02f62991001217455ed7a36e36d76f8

Headers

File Characteristics

IMAGE_FILE_RELOCS_STRIPPED
IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LINE_NUMS_STRIPPED
IMAGE_FILE_LOCAL_SYMS_STRIPPED
IMAGE_FILE_32BIT_MACHINE

Imports

kernel32

MoveFileA
GetModuleHandleA
GetProcessHeap
GetProcAddress
lstrcatA
GetCurrentProcessId
FreeLibrary
CreateThread
Sleep
MultiByteToWideChar
lstrlenA
CloseHandle
GetCurrentProcess
OpenProcess
HeapAlloc
GlobalUnlock
GetLocalTime
GetTickCount
LoadLibraryA
GetStartupInfoA

user32

GetCursorInfo
LoadCursorA
DestroyCursor
EmptyClipboard
OpenClipboard
CloseClipboard
GetSystemMetrics
SetRect
ReleaseDC
SendMessageA
CreateWindowExA
IsWindow

gdi32

GetDIBits
BitBlt
DeleteDC
DeleteObject
CreateCompatibleDC
CreateDIBSection
SelectObject
CreateCompatibleBitmap

advapi32

RegOpenKeyExA
RegQueryValueExA
RegCloseKey
RegCreateKeyA
StartServiceA

shell32

ShellExecuteA
SHGetSpecialFolderPathA

msvcrt

_strupr
_strnicmp
??2@YAPAXI@Z
__CxxFrameHandler
_CxxThrowException
??3@YAXPAX@Z
memmove
ceil
_ftol
strstr
rand
sprintf
strncpy
strchr
malloc
_except_handler3
_iob
atoi
wcscpy
strncmp
free
_errno
exit
strncat
atol
_beginthreadex
calloc
??1type_info@@UAE@XZ
_exit
_XcptFilter
_acmdln
__getmainargs
_initterm
__setusermatherr
_adjust_fdiv
__p__commode
__p__fmode
__set_app_type
_controlfp
_strcmpi

ws2_32

closesocket
sendto
gethostname
__WSAFDIsSet
listen
accept
getpeername
bind
getsockname
inet_addr
send
socket
gethostbyname
htons
connect
WSAIoctl
select
recv
WSACleanup
WSAStartup
ntohs
inet_ntoa
htonl
setsockopt

wininet

InternetOpenA
InternetOpenUrlA
InternetCloseHandle

msvcp60

?_C@?1??_Nullstr@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@CAPBDXZ@4DB
??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ
?assign@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV12@PBDI@Z
?_Refcnt@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@AAEAAEPBD@Z
?_Grow@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@AAE_NI_N@Z
?_Split@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@AAEXXZ
?_Xran@std@@YAXXZ
?npos@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@2IB
?_Eos@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@AAEXI@Z
?_Tidy@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@AAEX_N@Z

netapi32

NetUserAdd
NetLocalGroupAddMembers

msvfw32

ICSeqCompressFrame
ICSeqCompressFrameEnd
ICCompressorFree
ICClose
ICOpen
ICSendMessage
ICSeqCompressFrameStart

Exports

Exports

aabbccdd
daxuewuli
eeffgghh
gaoshu
gongchengshuxue
iijjkkmm

Sections

.text
Size: 128KB - Virtual size: 127KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rdata
Size: 12KB - Virtual size: 11KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.data
Size: 16KB - Virtual size: 17KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.rsrc
Size: 36KB - Virtual size: 35KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

Sharing

General

Malware Config

Signatures

Files

e02f62991001217455ed7a36e36d76f8

Headers

File Characteristics

Imports

kernel32

user32

gdi32

advapi32

shell32

msvcrt

ws2_32

wininet

msvcp60

netapi32

msvfw32

Exports

Exports

Sections

.text Size: 128KB - Virtual size: 127KB

.rdata Size: 12KB - Virtual size: 11KB

.data Size: 16KB - Virtual size: 17KB

.rsrc Size: 36KB - Virtual size: 35KB

.text
Size: 128KB - Virtual size: 127KB

.rdata
Size: 12KB - Virtual size: 11KB

.data
Size: 16KB - Virtual size: 17KB

.rsrc
Size: 36KB - Virtual size: 35KB