23bd988f5cf2e25c309355ec73a834f4_JaffaCakes118

Sharing

Copy URL Twitter E-mail

General

Target

23bd988f5cf2e25c309355ec73a834f4_JaffaCakes118
Size

121KB
MD5

23bd988f5cf2e25c309355ec73a834f4
SHA1

07d79e0d0b5bafea1bf6cf33140b44c39c5c44fa
SHA256

03060593b5bea1080243bcd979ee540ad9bd911faff5b26472bc0401638aaa25
SHA512

8456100696dedd0dff408b7c2ca7b0b8c4abf597481efe1ca288545d1bb0208bb8edfd8e19d5545fb5ff4b6fd4b48dc2c95417f776bffde78123b83407d2ce54
SSDEEP

3072:sHzD8Jn8sUwibYlI3FZJECXxjVhylB0uw5VpVjgCR5e:sHq8A2Yl0Emxb3bpKCR5e

Score

1^/10

Malware Config

Signatures

Files

23bd988f5cf2e25c309355ec73a834f4_JaffaCakes118
.sys windows:5 windows x86 arch:x86

af9cd142267cd47743539323ce1617ca

Code Sign

7e:93:eb:fb:7c:c6:4e:59:ea:4b:9a:77:d4:06:fc:3b
Certificate

Issuer

CN=Thawte Timestamping CA,OU=Thawte Certification,O=Thawte,L=Durbanville,ST=Western Cape,C=ZA

Not Before

21/12/2012, 00:00

Not After

30/12/2020, 23:59

Subject

CN=Symantec Time Stamping Services CA - G2,O=Symantec Corporation,C=US

Extended Key Usages

ExtKeyUsageTimeStamping

Key Usages

KeyUsageCertSign
KeyUsageCRLSign

0e:cf:f4:38:c8:fe:bf:35:6e:04:d8:6a:98:1b:1a:50
Certificate

Issuer

CN=Symantec Time Stamping Services CA - G2,O=Symantec Corporation,C=US

Not Before

18/10/2012, 00:00

Not After

29/12/2020, 23:59

Subject

CN=Symantec Time Stamping Services Signer - G4,O=Symantec Corporation,C=US

Extended Key Usages

ExtKeyUsageTimeStamping

Key Usages

KeyUsageDigitalSignature

75:9b:9c:70:c9:f8:02:d8:9e:d5:c3:66:be:3b:13:78
Certificate

Issuer

CN=VeriSign Class 3 Code Signing 2010 CA,OU=VeriSign Trust Network+OU=Terms of use at https://www.verisign.com/rpa (c)10,O=VeriSign\, Inc.,C=US

Not Before

12/10/2015, 00:00

Not After

20/09/2016, 23:59

Subject

CN=Kunming Shuangyinqing Science and Technology Co.\, Ltd.,O=Kunming Shuangyinqing Science and Technology Co.\, Ltd.,L=Kunming,ST=Yunnan,C=CN

Extended Key Usages

ExtKeyUsageCodeSigning

Key Usages

KeyUsageDigitalSignature

61:19:93:e4:00:00:00:00:00:1c
Certificate

Issuer

CN=Microsoft Code Verification Root,O=Microsoft Corporation,L=Redmond,ST=Washington,C=US

Not Before

22/02/2011, 19:25

Not After

22/02/2021, 19:35

Subject

CN=VeriSign Class 3 Public Primary Certification Authority - G5,OU=VeriSign Trust Network+OU=(c) 2006 VeriSign\, Inc. - For authorized use only,O=VeriSign\, Inc.,C=US

Key Usages

KeyUsageDigitalSignature
KeyUsageCertSign
KeyUsageCRLSign

52:00:e5:aa:25:56:fc:1a:86:ed:96:c9:d4:4b:33:c7
Certificate

Issuer

CN=VeriSign Class 3 Public Primary Certification Authority - G5,OU=VeriSign Trust Network+OU=(c) 2006 VeriSign\, Inc. - For authorized use only,O=VeriSign\, Inc.,C=US

Not Before

08/02/2010, 00:00

Not After

07/02/2020, 23:59

Subject

CN=VeriSign Class 3 Code Signing 2010 CA,OU=VeriSign Trust Network+OU=Terms of use at https://www.verisign.com/rpa (c)10,O=VeriSign\, Inc.,C=US

Extended Key Usages

ExtKeyUsageClientAuth
ExtKeyUsageCodeSigning

Key Usages

KeyUsageCertSign
KeyUsageCRLSign

d2:87:f0:b6:b9:25:24:a0:78:1c:93:d4:1d:64:4f:48:f1:bf:b9:56
Signer

Actual PE Digest

d2:87:f0:b6:b9:25:24:a0:78:1c:93:d4:1d:64:4f:48:f1:bf:b9:56

Digest Algorithm

sha1

PE Digest Matches

true

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_FORCE_INTEGRITY

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_32BIT_MACHINE

PDB Paths

E:\build\SmartEngine\Bin\Win32\Release\EXKernel.pdb

Imports

ntoskrnl.exe

IoGetCurrentProcess
ExEventObjectType
MmCreateSection
NtClose
ZwClose
MmMapViewOfSection
ObReferenceObjectByHandle
KeWaitForSingleObject
IoFreeIrp
MmProbeAndLockPages
IoAllocateIrp
MmUnlockPages
ObfReferenceObject
ObfDereferenceObject
ZwCreateSection
ExAllocatePoolWithQuotaTag
IoAllocateMdl
_stricmp
MmGetSystemRoutineAddress
ZwQuerySystemInformation
PsGetVersion
ZwOpenFile
PsLookupProcessByProcessId
RtlEqualUnicodeString
KeUnstackDetachProcess
ZwSetInformationFile
ObQueryNameString
ZwWaitForSingleObject
PsCreateSystemThread
IoCreateFileSpecifyDeviceObjectHint
ZwDuplicateObject
ZwOpenProcess
PsGetCurrentProcessId
MmIsAddressValid
ZwSetInformationObject
KeStackAttachProcess
KeServiceDescriptorTable
RtlImageNtHeader
NtQueryInformationProcess
NtSetInformationProcess
ObOpenObjectByPointer
IoAcquireVpbSpinLock
ZwQuerySymbolicLinkObject
SeCreateAccessState
wcsncpy
IoGetFileObjectGenericMapping
ObCreateObject
ZwOpenSymbolicLinkObject
IoGetDeviceObjectPointer
IoGetDeviceAttachmentBaseRef
KeBugCheckEx
SeDeleteAccessState
RtlCompareUnicodeString
IoReleaseVpbSpinLock
ExAcquireResourceExclusiveLite
KeLeaveCriticalRegion
KeEnterCriticalRegion
ExReleaseResourceLite
ExDeleteResourceLite
ExInitializeResourceLite
ExQueueWorkItem
RtlVolumeDeviceToDosName
KeGetCurrentThread
memmove
RtlAnsiStringToUnicodeString
ZwReadFile
ZwSetValueKey
KeDelayExecutionThread
wcsstr
ZwQueryValueKey
RtlAppendUnicodeStringToString
KeTickCount
ZwQueryInformationFile
ZwOpenKey
wcschr
RtlAppendUnicodeToString
ZwDeleteValueKey
ZwEnumerateValueKey
RtlCopyUnicodeString
IoThreadToProcess
IoGetTopLevelIrp
PsGetProcessId
PsProcessType
RtlNumberGenericTableElements
ZwQueryObject
RtlDeleteElementGenericTable
PsSetCreateProcessNotifyRoutine
PsTerminateSystemThread
RtlLookupElementGenericTable
PsThreadType
ZwQueryInformationProcess
RtlEnumerateGenericTableWithoutSplaying
RtlIsGenericTableEmpty
RtlInitializeGenericTable
RtlInsertElementGenericTable
RtlGetAce
ZwQuerySecurityObject
RtlGetDaclSecurityDescriptor
CmRegisterCallback
CmUnRegisterCallback
KeQuerySystemTime
_vsnwprintf
ExfInterlockedRemoveHeadList
ExfInterlockedInsertHeadList
KeInitializeSemaphore
KeReleaseSemaphore
KeWaitForMultipleObjects
RtlRandomEx
IofCompleteRequest
DbgPrint
RtlWalkFrameChain
IoDeleteSymbolicLink
IoDeleteDevice
IoCreateSymbolicLink
IoCreateDevice
READ_REGISTER_BUFFER_ULONG
MmUnmapIoSpace
MmMapIoSpace
READ_REGISTER_BUFFER_UCHAR
READ_REGISTER_BUFFER_USHORT
ExAllocatePool
ZwUnmapViewOfSection
IoFileObjectType
IoFreeMdl
ObInsertObject
KeInitializeEvent
IoCreateFile
ProbeForWrite
ExGetPreviousMode
KeSetEvent
ZwMapViewOfSection
RtlInitUnicodeString
IoGetRelatedDeviceObject
_wcsnicmp
IoGetBaseFileSystemDeviceObject
ExFreePoolWithTag
KeClearEvent
ProbeForRead
ZwCreateKey
ExAllocatePoolWithTag
memcpy
memset
_except_handler3
_allmul

hal

READ_PORT_USHORT
WRITE_PORT_ULONG
HalGetBusDataByOffset
HalSetBusDataByOffset
READ_PORT_UCHAR
WRITE_PORT_UCHAR
WRITE_PORT_USHORT
ExAcquireFastMutex
ExReleaseFastMutex
KeGetCurrentIrql
READ_PORT_ULONG

fltmgr.sys

FltParseFileNameInformation
FltReleaseFileNameInformation
FltRegisterFilter
FltUnregisterFilter
FltGetFileNameInformation
FltSetCallbackDataDirty
FltStartFiltering

Sections

.text
Size: 95KB - Virtual size: 95KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.data
Size: 5KB - Virtual size: 7KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

INIT
Size: 4KB - Virtual size: 4KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.rsrc
Size: 1024B - Virtual size: 624B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ

.reloc
Size: 6KB - Virtual size: 5KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ

Sharing

General

Malware Config

Signatures

Files

af9cd142267cd47743539323ce1617ca

Code Sign

7e:93:eb:fb:7c:c6:4e:59:ea:4b:9a:77:d4:06:fc:3bCertificate

Extended Key Usages

Key Usages

0e:cf:f4:38:c8:fe:bf:35:6e:04:d8:6a:98:1b:1a:50Certificate

Extended Key Usages

Key Usages

75:9b:9c:70:c9:f8:02:d8:9e:d5:c3:66:be:3b:13:78Certificate

Extended Key Usages

Key Usages

61:19:93:e4:00:00:00:00:00:1cCertificate

Key Usages

52:00:e5:aa:25:56:fc:1a:86:ed:96:c9:d4:4b:33:c7Certificate

Extended Key Usages

Key Usages

d2:87:f0:b6:b9:25:24:a0:78:1c:93:d4:1d:64:4f:48:f1:bf:b9:56Signer

Headers

DLL Characteristics

File Characteristics

PDB Paths

Imports

ntoskrnl.exe

hal

fltmgr.sys

Sections

.text Size: 95KB - Virtual size: 95KB

.data Size: 5KB - Virtual size: 7KB

INIT Size: 4KB - Virtual size: 4KB

.rsrc Size: 1024B - Virtual size: 624B

.reloc Size: 6KB - Virtual size: 5KB

7e:93:eb:fb:7c:c6:4e:59:ea:4b:9a:77:d4:06:fc:3b
Certificate

0e:cf:f4:38:c8:fe:bf:35:6e:04:d8:6a:98:1b:1a:50
Certificate

75:9b:9c:70:c9:f8:02:d8:9e:d5:c3:66:be:3b:13:78
Certificate

61:19:93:e4:00:00:00:00:00:1c
Certificate

52:00:e5:aa:25:56:fc:1a:86:ed:96:c9:d4:4b:33:c7
Certificate

d2:87:f0:b6:b9:25:24:a0:78:1c:93:d4:1d:64:4f:48:f1:bf:b9:56
Signer

.text
Size: 95KB - Virtual size: 95KB

.data
Size: 5KB - Virtual size: 7KB

INIT
Size: 4KB - Virtual size: 4KB

.rsrc
Size: 1024B - Virtual size: 624B

.reloc
Size: 6KB - Virtual size: 5KB