gh0strat | JaffaCakes118_599d2c08c55b2ffe365e1c5f0ee1061b

Sharing

Copy URL

Twitter E-mail

General

Target

JaffaCakes118_599d2c08c55b2ffe365e1c5f0ee1061b
Size

153KB
MD5

599d2c08c55b2ffe365e1c5f0ee1061b
SHA1

dfccc0f499982f0226b690dd51dcfd217b6b30d8
SHA256

5a4d9bf7c8d5cf1d15d692a39e1733d8e54a57e7e5f93b2118e25f36f10d0293
SHA512

eca020aae83a013efbd7590b632add22e30d755dc2fe0eada4f7304cb6c9fd773789dc7252e047d244ec0f9ddd53025d85e5e87fae3cd952bed0e7f5ca3ced93
SSDEEP

3072:59oesPqrkiQLRXdilvYXirXumHTBftWmtOqnUK:5YqIiExcdNumHTBlWmtOE

Score

10^/10

gh0strat

Malware Config

Signatures

Gh0st RAT payload 1 IoCs

resource	yara_rule
sample	family_gh0strat

Gh0strat family
gh0strat

Unsigned PE 1 IoCs

Checks for missing Authenticode signature.

resource
JaffaCakes118_599d2c08c55b2ffe365e1c5f0ee1061b

Files

JaffaCakes118_599d2c08c55b2ffe365e1c5f0ee1061b
.dll windows:4 windows x86 arch:x86

821a53959a245feba0515c81a0a4501d

Headers

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LINE_NUMS_STRIPPED
IMAGE_FILE_LOCAL_SYMS_STRIPPED
IMAGE_FILE_32BIT_MACHINE
IMAGE_FILE_DLL

Imports

advapi32

RegOpenKeyExW

user32

GetClassNameA
GetWindow
ShowWindow
GetWindowRect
CloseWindowStation
MessageBoxA
wvsprintfA
CreateWindowExA
DestroyWindow
LoadCursorA
DestroyCursor
GetCursorInfo
wsprintfA

kernel32

RaiseException
GetShortPathNameA
CreateFileMappingA
MapViewOfFile
VirtualAlloc
VirtualFree
LeaveCriticalSection
InitializeCriticalSection
GetExitCodeProcess
ExitProcess
IsBadWritePtr
FormatMessageA
GetLocalTime
MultiByteToWideChar
lstrlenA
FreeLibrary
GetProcAddress
WideCharToMultiByte
lstrcpyA
lstrcmpA
GetPrivateProfileStringA
GetPrivateProfileSectionNamesA
GetVersionExA
lstrcmpiA
CloseHandle
ExpandEnvironmentStringsA
lstrcatA
VirtualQuery
GetModuleHandleA
GetCurrentProcessId
GetCurrentThreadId
Sleep
GetTickCount
VirtualProtect
GetSystemDirectoryA
SetEnvironmentVariableA
GetTempPathA
GetLongPathNameA
GetLastError
GetModuleFileNameA
LocalFree
LocalSize
LocalAlloc
LocalReAlloc
GetCurrentProcess
HeapFree
HeapAlloc
GetProcessHeap
GetSystemInfo
GetProcessTimes
GlobalMemoryStatusEx
GlobalFree
GlobalAlloc
GetTempFileNameA
DeleteFileA
RemoveDirectoryA
ExitThread
IsBadReadPtr
IsBadStringPtrW
InterlockedExchange
GlobalUnlock
GlobalLock
GlobalSize
InterlockedDecrement
InterlockedIncrement
SetUnhandledExceptionFilter
LoadLibraryA

msvcrt

_adjust_fdiv
_initterm
??1type_info@@UAE@XZ
_onexit
__dllonexit
_memicmp
_wcsicmp
_strupr
_strlwr
wcslen
??2@YAPAXI@Z
??3@YAXPAX@Z
realloc
malloc
strstr
free
srand
rand
_ftol
__CxxFrameHandler
_beginthreadex
_except_handler3
strrchr
strncpy
atoi
strchr
wcstombs
wcsrchr
strncat
_CxxThrowException
memmove
ceil

Exports

Exports

CpyCommon

Sections

.text
Size: 100KB - Virtual size: 97KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.rdata
Size: 24KB - Virtual size: 20KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.data
Size: 12KB - Virtual size: 17KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.rsrc
Size: 4KB - Virtual size: 3KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.reloc
Size: 8KB - Virtual size: 7KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ

Sharing

General

Malware Config

Signatures

Files

821a53959a245feba0515c81a0a4501d

Headers

File Characteristics

Imports

advapi32

user32

kernel32

msvcrt

Exports

Exports

Sections

.text Size: 100KB - Virtual size: 97KB

.rdata Size: 24KB - Virtual size: 20KB

.data Size: 12KB - Virtual size: 17KB

.rsrc Size: 4KB - Virtual size: 3KB

.reloc Size: 8KB - Virtual size: 7KB

.text
Size: 100KB - Virtual size: 97KB

.rdata
Size: 24KB - Virtual size: 20KB

.data
Size: 12KB - Virtual size: 17KB

.rsrc
Size: 4KB - Virtual size: 3KB

.reloc
Size: 8KB - Virtual size: 7KB