gh0strat | JaffaCakes118_6438374da1cd51af7d65bf3d3ccc6ed5

Sharing

Copy URL

Twitter E-mail

General

Target

JaffaCakes118_6438374da1cd51af7d65bf3d3ccc6ed5
Size

512KB
MD5

6438374da1cd51af7d65bf3d3ccc6ed5
SHA1

e0e01af69fe21d7f4bc990ac6b93c1237a3de5d2
SHA256

3a57565bc9b68c8b8383d82410cb8daf820b0ec536e263f20071add4808cb7fc
SHA512

ea4e41b684e5fa63e8e0104c6e77da86b4c989f6eccc83ac5ab461578ce598519255c813cebc5579dd2af32fed5b2e1dcc8d1ae35bfd79ee0316c0138fe3e1f7
SSDEEP

3072:iRmPV0GCs+G2ZCoXbkL4G6MS4ZIfwCIpTBftdDKT4bw3k/zvUJiFWFl7:igPPAH7MlefwCIpTBldDK0F/zvUJGUR

Score

10^/10

gh0strat

Malware Config

Signatures

Gh0st RAT payload 1 IoCs

resource	yara_rule
sample	family_gh0strat

Gh0strat family
gh0strat

Unsigned PE 1 IoCs

Checks for missing Authenticode signature.

resource
JaffaCakes118_6438374da1cd51af7d65bf3d3ccc6ed5

Files

JaffaCakes118_6438374da1cd51af7d65bf3d3ccc6ed5
.dll regsvr32 windows:4 windows x86 arch:x86

e3872ce87d9df1ba86441c74cdb9577f

Headers

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LINE_NUMS_STRIPPED
IMAGE_FILE_LOCAL_SYMS_STRIPPED
IMAGE_FILE_32BIT_MACHINE
IMAGE_FILE_DLL

Imports

shlwapi

SHDeleteKeyA

kernel32

lstrcmpiA
MultiByteToWideChar
FreeLibrary
lstrcmpA
GetPrivateProfileStringA
GetPrivateProfileSectionNamesA
GetVersionExA
InterlockedExchange
LeaveCriticalSection
GetTickCount
GlobalFree
GlobalUnlock
GlobalLock
GlobalAlloc
GlobalSize
GetCurrentThreadId
GetSystemDirectoryA
InitializeCriticalSection
GetSystemInfo
GetProcessTimes
GetCurrentProcess
GlobalMemoryStatusEx
HeapFree
GetProcessHeap
GetLastError
DeleteFileA
RemoveDirectoryA
ExitThread
GetShortPathNameA
GetModuleFileNameA
IsBadReadPtr
IsBadStringPtrW
GetCurrentProcessId
GetCommandLineA
VirtualQuery
GetFileAttributesExA
SetEnvironmentVariableA
GetTempPathA
GetLongPathNameA
ExitProcess
GetLocalTime
GetTempFileNameA
SetUnhandledExceptionFilter
FormatMessageA
IsBadWritePtr
LoadLibraryA
RaiseException
LocalAlloc
GetModuleHandleA
GetProcAddress
HeapAlloc

user32

wvsprintfA
GetCursorInfo
PtInRect
DestroyCursor
LoadCursorA
MessageBoxA
DestroyWindow
CreateWindowExA
GetWindowRect
EnableWindow
ShowWindow
GetWindow
GetClassNameA
SendMessageTimeoutA
CopyRect
wsprintfA
CloseWindowStation

advapi32

RegisterServiceCtrlHandlerExA
RegSaveKeyA
RegOpenKeyExW
RegRestoreKeyA

msvcrt

_adjust_fdiv
_initterm
_stricmp
_strupr
_wcsicmp
_strlwr
_memicmp
ceil
strncat
wcslen
__dllonexit
_onexit
realloc
strrchr
rand
srand
time
__CxxFrameHandler
_ftol
strchr
strncpy
_beginthreadex
_except_handler3
free
malloc
atoi
memmove
wcstombs
_callnewh

Exports

Exports

CORLockDownProvider
CORPolicyEE
CORPolicyProvider
DllCanUnloadNow
DllRegisterServer
DllUnregisterServer

Sections

.text
Size: 104KB - Virtual size: 100KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rdata
Size: 20KB - Virtual size: 19KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.data
Size: 12KB - Virtual size: 17KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.rsrc
Size: 4KB - Virtual size: 294B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.reloc
Size: 8KB - Virtual size: 7KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ

Sharing

General

Malware Config

Signatures

Files

e3872ce87d9df1ba86441c74cdb9577f

Headers

File Characteristics

Imports

shlwapi

kernel32

user32

advapi32

msvcrt

Exports

Exports

Sections

.text Size: 104KB - Virtual size: 100KB

.rdata Size: 20KB - Virtual size: 19KB

.data Size: 12KB - Virtual size: 17KB

.rsrc Size: 4KB - Virtual size: 294B

.reloc Size: 8KB - Virtual size: 7KB

.text
Size: 104KB - Virtual size: 100KB

.rdata
Size: 20KB - Virtual size: 19KB

.data
Size: 12KB - Virtual size: 17KB

.rsrc
Size: 4KB - Virtual size: 294B

.reloc
Size: 8KB - Virtual size: 7KB