004901af635e30f84312be7d9f83a0c8_JaffaCakes118

Sharing

Copy URL Twitter E-mail

General

Target

004901af635e30f84312be7d9f83a0c8_JaffaCakes118
Size

135KB
MD5

004901af635e30f84312be7d9f83a0c8
SHA1

5ea7e2e64dd3eabf29617935bf400e86c8fa2eca
SHA256

6f42e83a384959122bacab33f8f7245ff06d02ddf1204c7f277e5e892724aae8
SHA512

2d1edddf485d4bdc46537872827ed1ebb8e29ade54f51d9632000a93b4e49cef8612aa777e9e6f12e8c58c158780909dbd384a9e56bf8941a2c5e622d905987f
SSDEEP

3072:Buuk++WLeVLbFBWIdmME/JItWpxy+UsCPChsYod:BuoGLbFBWIdy47dPI1od

Score

1^/10

Malware Config

Signatures

Files

004901af635e30f84312be7d9f83a0c8_JaffaCakes118
.sys windows:5 windows x64 arch:x64

7302f4260aaa7d9f088731c785d84ea8

Code Sign

46:b8:7d:11:19:d2:31:78:f4:32:d3:86:a1:14:a3:48
Certificate

Issuer

CN=WoSign Class 3 Code Signing CA,O=WoSign CA Limited,C=CN

Not Before

02/09/2015, 03:22

Not After

02/09/2016, 03:22

Subject

CN=Broad Knowledge Media Limited,O=Broad Knowledge Media Limited,L=Shanghai,ST=Shanghai,C=CN

Extended Key Usages

ExtKeyUsageCodeSigning

Key Usages

KeyUsageDigitalSignature

25:1f:5d:98:81:82:17:2e:3c:41:9e:01:4f:b0:40:4c
Certificate

Issuer

CN=Certification Authority of WoSign,O=WoSign CA Limited,C=CN

Not Before

08/08/2009, 01:00

Not After

08/08/2024, 01:00

Subject

CN=WoSign Time Stamping Signer,O=WoSign CA Limited,C=CN

Extended Key Usages

ExtKeyUsageTimeStamping

Key Usages

KeyUsageDigitalSignature
KeyUsageContentCommitment

46:bb:b3:40:fa:b9:c1:79:28:93:8c:93:da:10:86:79
Certificate

Issuer

CN=Certification Authority of WoSign,O=WoSign CA Limited,C=CN

Not Before

08/08/2009, 01:00

Not After

08/08/2024, 01:00

Subject

CN=WoSign Class 3 Code Signing CA,O=WoSign CA Limited,C=CN

Extended Key Usages

ExtKeyUsageCodeSigning
ExtKeyUsageMicrosoftCommercialCodeSigning

Key Usages

KeyUsageCertSign
KeyUsageCRLSign

33:00:00:00:39:65:c4:72:e0:dc:2b:d9:65:00:00:00:00:00:39
Certificate

Issuer

CN=Microsoft Code Verification Root,O=Microsoft Corporation,L=Redmond,ST=Washington,C=US

Not Before

29/04/2015, 17:12

Not After

29/04/2025, 17:12

Subject

CN=Certification Authority of WoSign,O=WoSign CA Limited,C=CN

Extended Key Usages

ExtKeyUsageCodeSigning

Key Usages

KeyUsageDigitalSignature
KeyUsageCertSign
KeyUsageCRLSign

54:c3:50:b1:e1:4c:fa:f4:a2:9a:f1:8f:3b:c4:a6:14:4d:35:de:ff
Signer

Actual PE Digest

54:c3:50:b1:e1:4c:fa:f4:a2:9a:f1:8f:3b:c4:a6:14:4d:35:de:ff

Digest Algorithm

sha1

PE Digest Matches

true

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_FORCE_INTEGRITY

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LARGE_ADDRESS_AWARE

PDB Paths

D:\mycode\SmartEngine\Bin\x64\Release\EXKernel.pdb

Imports

ntoskrnl.exe

IoCreateFile
KeInitializeEvent
ZwDeleteValueKey
ZwSetValueKey
ObInsertObject
IoFreeMdl
IoFileObjectType
ZwQueryValueKey
ZwUnmapViewOfSection
ExAllocatePool
IoGetCurrentProcess
ExEventObjectType
MmCreateSection
NtClose
ZwEnumerateValueKey
ZwClose
MmMapViewOfSection
ObReferenceObjectByHandle
KeWaitForSingleObject
IoFreeIrp
MmProbeAndLockPages
IoAllocateIrp
MmUnlockPages
ObfDereferenceObject
ExAllocatePoolWithQuotaTag
ZwDeleteKey
ZwEnumerateKey
IoAllocateMdl
ZwQueryKey
ZwOpenKey
MmGetSystemRoutineAddress
MmIsAddressValid
IoCreateFileSpecifyDeviceObjectHint
PsGetVersion
ObfReferenceObject
PsLookupProcessByProcessId
ZwQuerySystemInformation
RtlEqualUnicodeString
KeUnstackDetachProcess
ZwSetInformationFile
ObQueryNameString
ZwWaitForSingleObject
PsCreateSystemThread
ZwDuplicateObject
ZwOpenProcess
PsGetCurrentProcessId
ZwSetInformationObject
KeStackAttachProcess
PsProcessType
NtQueryInformationProcess
NtSetInformationProcess
ZwTerminateProcess
ObOpenObjectByPointer
IoAcquireVpbSpinLock
ZwQuerySymbolicLinkObject
SeCreateAccessState
wcsncpy
IoGetFileObjectGenericMapping
ObCreateObject
ZwOpenSymbolicLinkObject
IoGetDeviceObjectPointer
IoGetDeviceAttachmentBaseRef
KeBugCheckEx
SeDeleteAccessState
ZwOpenFile
IoReleaseVpbSpinLock
ExAcquireResourceExclusiveLite
ProbeForWrite
KeEnterCriticalRegion
ExReleaseResourceLite
ExDeleteResourceLite
ExInitializeResourceLite
ExQueueWorkItem
_stricmp
RtlVolumeDeviceToDosName
ZwReadFile
KeDelayExecutionThread
wcsstr
RtlAppendUnicodeStringToString
ZwQueryInformationFile
wcschr
RtlAppendUnicodeToString
RtlCopyUnicodeString
ZwLoadDriver
IoThreadToProcess
IoGetTopLevelIrp
PsGetProcessId
RtlNumberGenericTableElements
ExReleaseFastMutex
ExAcquireFastMutex
ZwQueryObject
RtlDeleteElementGenericTable
PsSetCreateProcessNotifyRoutine
PsTerminateSystemThread
RtlLookupElementGenericTable
PsThreadType
ZwQueryInformationProcess
RtlEnumerateGenericTableWithoutSplaying
RtlIsGenericTableEmpty
RtlInitializeGenericTable
RtlInsertElementGenericTable
RtlGetAce
ZwQuerySecurityObject
RtlGetDaclSecurityDescriptor
CmRegisterCallback
CmUnRegisterCallback
_vsnwprintf
ExInterlockedInsertHeadList
KeInitializeSemaphore
KeReleaseSemaphore
ExInterlockedRemoveHeadList
KeWaitForMultipleObjects
RtlRandomEx
IofCompleteRequest
DbgPrint
RtlWalkFrameChain
IoDeleteSymbolicLink
IoDeleteDevice
IoCreateSymbolicLink
IoCreateDevice
MmUnmapIoSpace
MmMapIoSpace
KeSetEvent
IoGetRelatedDeviceObject
RtlInitUnicodeString
_wcsnicmp
IoGetBaseFileSystemDeviceObject
ExFreePoolWithTag
ZwCreateKey
KeClearEvent
ProbeForRead
KeLeaveCriticalRegion
ExAllocatePoolWithTag
__C_specific_handler
__chkstk

hal

HalSetBusDataByOffset
HalGetBusDataByOffset

fltmgr.sys

FltParseFileNameInformation
FltReleaseFileNameInformation
FltRegisterFilter
FltUnregisterFilter
FltGetFileNameInformation
FltSetCallbackDataDirty
FltStartFiltering

Sections

.text
Size: 113KB - Virtual size: 112KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.data
Size: 3KB - Virtual size: 4KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.pdata
Size: 5KB - Virtual size: 5KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

INIT
Size: 4KB - Virtual size: 4KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.rsrc
Size: 1024B - Virtual size: 624B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ

.reloc
Size: 512B - Virtual size: 468B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ

Sharing

General

Malware Config

Signatures

Files

7302f4260aaa7d9f088731c785d84ea8

Code Sign

46:b8:7d:11:19:d2:31:78:f4:32:d3:86:a1:14:a3:48Certificate

Extended Key Usages

Key Usages

25:1f:5d:98:81:82:17:2e:3c:41:9e:01:4f:b0:40:4cCertificate

Extended Key Usages

Key Usages

46:bb:b3:40:fa:b9:c1:79:28:93:8c:93:da:10:86:79Certificate

Extended Key Usages

Key Usages

33:00:00:00:39:65:c4:72:e0:dc:2b:d9:65:00:00:00:00:00:39Certificate

Extended Key Usages

Key Usages

54:c3:50:b1:e1:4c:fa:f4:a2:9a:f1:8f:3b:c4:a6:14:4d:35:de:ffSigner

Headers

DLL Characteristics

File Characteristics

PDB Paths

Imports

ntoskrnl.exe

hal

fltmgr.sys

Sections

.text Size: 113KB - Virtual size: 112KB

.data Size: 3KB - Virtual size: 4KB

.pdata Size: 5KB - Virtual size: 5KB

INIT Size: 4KB - Virtual size: 4KB

.rsrc Size: 1024B - Virtual size: 624B

.reloc Size: 512B - Virtual size: 468B

46:b8:7d:11:19:d2:31:78:f4:32:d3:86:a1:14:a3:48
Certificate

25:1f:5d:98:81:82:17:2e:3c:41:9e:01:4f:b0:40:4c
Certificate

46:bb:b3:40:fa:b9:c1:79:28:93:8c:93:da:10:86:79
Certificate

33:00:00:00:39:65:c4:72:e0:dc:2b:d9:65:00:00:00:00:00:39
Certificate

54:c3:50:b1:e1:4c:fa:f4:a2:9a:f1:8f:3b:c4:a6:14:4d:35:de:ff
Signer

.text
Size: 113KB - Virtual size: 112KB

.data
Size: 3KB - Virtual size: 4KB

.pdata
Size: 5KB - Virtual size: 5KB

INIT
Size: 4KB - Virtual size: 4KB

.rsrc
Size: 1024B - Virtual size: 624B

.reloc
Size: 512B - Virtual size: 468B