gh0strat | JaffaCakes118_603b93d3a8ca162e656d66116cdad792 | Triage

Sharing

General

Target

JaffaCakes118_603b93d3a8ca162e656d66116cdad792
Size

185KB
MD5

603b93d3a8ca162e656d66116cdad792
SHA1

7f62616012c36d6a1bd121e77869071239d72a87
SHA256

5945103c45c1ed26f7e3274a8addb1ae95a12d4e88ae2e526714820a0b215218
SHA512

9d80ddee599491735b0a7939088ea190d12a0ae150d1329e2f051ac05849fabca2d3fca017f630383f69a43791dc1d8a1efa55b8046c97e39718d7dab915d851
SSDEEP

3072:DVa/B5BBu+bcxBbe+DJkHNDyya/B5BBu+bcxBbe+DJkHNDy1tyk:yr0bxFnDJ8+r0bxFnDJ8Qtb

Score

10^/10

gh0strat

Malware Config

Signatures

Gh0st RAT payload 1 IoCs

resource	yara_rule
sample	family_gh0strat

Gh0strat family
gh0strat

Unsigned PE 1 IoCs

Checks for missing Authenticode signature.

resource
JaffaCakes118_603b93d3a8ca162e656d66116cdad792

Files

JaffaCakes118_603b93d3a8ca162e656d66116cdad792
.exe windows:4 windows x86 arch:x86

e200e779fb24e1fc287636a87685128f

Headers

File Characteristics

IMAGE_FILE_RELOCS_STRIPPED
IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LINE_NUMS_STRIPPED
IMAGE_FILE_LOCAL_SYMS_STRIPPED
IMAGE_FILE_32BIT_MACHINE

Imports

advapi32

RegCloseKey
RegDeleteValueA
RegDeleteKeyA
RegSetValueExA
RegOpenKeyExA
RegCreateKeyExA
StartServiceA
CloseServiceHandle
OpenServiceA
OpenSCManagerA
RegQueryValueExA
CreateServiceA

user32

wsprintfA

msvcrt

_controlfp
__set_app_type
__p__fmode
__p__commode
__setusermatherr
_initterm
__getmainargs
_acmdln
exit
_XcptFilter
_exit
strstr
strchr
malloc
realloc
??2@YAPAXI@Z
??3@YAXPAX@Z
_except_handler3
_adjust_fdiv

kernel32

GetStartupInfoA
GetCommandLineA
CreateMutexA
GetLastError
ReleaseMutex
Sleep
ExpandEnvironmentStringsA
GetTickCount
GetFileAttributesA
CreateDirectoryA
lstrcatA
LoadLibraryA
GetProcAddress
WriteFile
SetLastError
GetModuleHandleA
lstrcpyA
lstrlenA
GetModuleFileNameA
CreateFileA
SetFilePointer
ReadFile
CloseHandle

Sections

.text
Size: 179KB - Virtual size: 179KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.rsrc
Size: 4KB - Virtual size: 8KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ