2aabc022f31eb36d7aad958b737acca8_JaffaCakes118

Sharing

Copy URL Twitter E-mail

General

Target

2aabc022f31eb36d7aad958b737acca8_JaffaCakes118
Size

136KB
MD5

2aabc022f31eb36d7aad958b737acca8
SHA1

30826c69e198f7f23c5a8dec307eb9ccf9c48b6a
SHA256

30df064eedbe2d298b16c940b5736cd430c0208b62302b70211db1dfb6601c36
SHA512

623befda9e3ca2bbecdbe808a915702672d1c40d95ae5616ad7bc1c78abc7ac35daf974e868cbf6ecbae025771640e6d63cab6fa0ad1f027fd11fc6c1025584b
SSDEEP

3072:Mtv31JWWRKL1bL4L55eCw4RHwU7u/0aFLPuDMhyjo6J:MtuUKL1bEL55eyQPNGDnoY

Score

1^/10

Malware Config

Signatures

Files

2aabc022f31eb36d7aad958b737acca8_JaffaCakes118
.sys windows:5 windows x64 arch:x64

7302f4260aaa7d9f088731c785d84ea8

Code Sign

46:b8:7d:11:19:d2:31:78:f4:32:d3:86:a1:14:a3:48
Certificate

Issuer

CN=WoSign Class 3 Code Signing CA,O=WoSign CA Limited,C=CN

Not Before

02/09/2015, 03:22

Not After

02/09/2016, 03:22

Subject

CN=Broad Knowledge Media Limited,O=Broad Knowledge Media Limited,L=Shanghai,ST=Shanghai,C=CN

Extended Key Usages

ExtKeyUsageCodeSigning

Key Usages

KeyUsageDigitalSignature

25:1f:5d:98:81:82:17:2e:3c:41:9e:01:4f:b0:40:4c
Certificate

Issuer

CN=Certification Authority of WoSign,O=WoSign CA Limited,C=CN

Not Before

08/08/2009, 01:00

Not After

08/08/2024, 01:00

Subject

CN=WoSign Time Stamping Signer,O=WoSign CA Limited,C=CN

Extended Key Usages

ExtKeyUsageTimeStamping

Key Usages

KeyUsageDigitalSignature
KeyUsageContentCommitment

46:bb:b3:40:fa:b9:c1:79:28:93:8c:93:da:10:86:79
Certificate

Issuer

CN=Certification Authority of WoSign,O=WoSign CA Limited,C=CN

Not Before

08/08/2009, 01:00

Not After

08/08/2024, 01:00

Subject

CN=WoSign Class 3 Code Signing CA,O=WoSign CA Limited,C=CN

Extended Key Usages

ExtKeyUsageCodeSigning
ExtKeyUsageMicrosoftCommercialCodeSigning

Key Usages

KeyUsageCertSign
KeyUsageCRLSign

33:00:00:00:39:65:c4:72:e0:dc:2b:d9:65:00:00:00:00:00:39
Certificate

Issuer

CN=Microsoft Code Verification Root,O=Microsoft Corporation,L=Redmond,ST=Washington,C=US

Not Before

29/04/2015, 17:12

Not After

29/04/2025, 17:12

Subject

CN=Certification Authority of WoSign,O=WoSign CA Limited,C=CN

Extended Key Usages

ExtKeyUsageCodeSigning

Key Usages

KeyUsageDigitalSignature
KeyUsageCertSign
KeyUsageCRLSign

ba:83:f6:80:ac:af:c7:d4:fd:37:0c:69:0a:52:ca:9c:6a:cd:93:fe
Signer

Actual PE Digest

ba:83:f6:80:ac:af:c7:d4:fd:37:0c:69:0a:52:ca:9c:6a:cd:93:fe

Digest Algorithm

sha1

PE Digest Matches

true

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_FORCE_INTEGRITY

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LARGE_ADDRESS_AWARE

PDB Paths

E:\build\SmartEngine\Bin\x64\Release\EXKernel.pdb

Imports

ntoskrnl.exe

IoCreateFile
KeInitializeEvent
ZwDeleteValueKey
ZwSetValueKey
ObInsertObject
IoFreeMdl
IoFileObjectType
ZwQueryValueKey
ZwUnmapViewOfSection
ExAllocatePool
IoGetCurrentProcess
ExEventObjectType
MmCreateSection
NtClose
ZwEnumerateValueKey
ZwClose
MmMapViewOfSection
ObReferenceObjectByHandle
KeWaitForSingleObject
IoFreeIrp
MmProbeAndLockPages
IoAllocateIrp
MmUnlockPages
ObfDereferenceObject
ExAllocatePoolWithQuotaTag
ZwDeleteKey
ZwEnumerateKey
IoAllocateMdl
ZwQueryKey
ZwOpenKey
MmGetSystemRoutineAddress
MmIsAddressValid
IoCreateFileSpecifyDeviceObjectHint
PsGetVersion
ObfReferenceObject
PsLookupProcessByProcessId
ZwQuerySystemInformation
RtlEqualUnicodeString
KeUnstackDetachProcess
ZwSetInformationFile
ObQueryNameString
ZwWaitForSingleObject
PsCreateSystemThread
ZwDuplicateObject
ZwOpenProcess
PsGetCurrentProcessId
ZwSetInformationObject
KeStackAttachProcess
PsProcessType
NtQueryInformationProcess
NtSetInformationProcess
ZwTerminateProcess
ObOpenObjectByPointer
IoAcquireVpbSpinLock
ZwQuerySymbolicLinkObject
SeCreateAccessState
wcsncpy
IoGetFileObjectGenericMapping
ObCreateObject
ZwOpenSymbolicLinkObject
IoGetDeviceObjectPointer
IoGetDeviceAttachmentBaseRef
KeBugCheckEx
SeDeleteAccessState
ZwOpenFile
IoReleaseVpbSpinLock
ExAcquireResourceExclusiveLite
ProbeForWrite
KeEnterCriticalRegion
ExReleaseResourceLite
ExDeleteResourceLite
ExInitializeResourceLite
ExQueueWorkItem
_stricmp
RtlVolumeDeviceToDosName
ZwReadFile
KeDelayExecutionThread
wcsstr
RtlAppendUnicodeStringToString
ZwQueryInformationFile
wcschr
RtlAppendUnicodeToString
RtlCopyUnicodeString
ZwLoadDriver
IoThreadToProcess
IoGetTopLevelIrp
PsGetProcessId
RtlNumberGenericTableElements
ExReleaseFastMutex
ExAcquireFastMutex
ZwQueryObject
RtlDeleteElementGenericTable
PsSetCreateProcessNotifyRoutine
PsTerminateSystemThread
RtlLookupElementGenericTable
PsThreadType
ZwQueryInformationProcess
RtlEnumerateGenericTableWithoutSplaying
RtlIsGenericTableEmpty
RtlInitializeGenericTable
RtlInsertElementGenericTable
RtlGetAce
ZwQuerySecurityObject
RtlGetDaclSecurityDescriptor
CmRegisterCallback
CmUnRegisterCallback
_vsnwprintf
ExInterlockedInsertHeadList
KeInitializeSemaphore
KeReleaseSemaphore
ExInterlockedRemoveHeadList
KeWaitForMultipleObjects
RtlRandomEx
IofCompleteRequest
DbgPrint
RtlWalkFrameChain
IoDeleteSymbolicLink
IoDeleteDevice
IoCreateSymbolicLink
IoCreateDevice
MmUnmapIoSpace
MmMapIoSpace
KeSetEvent
IoGetRelatedDeviceObject
RtlInitUnicodeString
_wcsnicmp
IoGetBaseFileSystemDeviceObject
ExFreePoolWithTag
ZwCreateKey
KeClearEvent
ProbeForRead
KeLeaveCriticalRegion
ExAllocatePoolWithTag
__C_specific_handler
__chkstk

hal

HalSetBusDataByOffset
HalGetBusDataByOffset

fltmgr.sys

FltParseFileNameInformation
FltReleaseFileNameInformation
FltRegisterFilter
FltUnregisterFilter
FltGetFileNameInformation
FltSetCallbackDataDirty
FltStartFiltering

Sections

.text
Size: 114KB - Virtual size: 113KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.data
Size: 3KB - Virtual size: 4KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.pdata
Size: 5KB - Virtual size: 5KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

INIT
Size: 4KB - Virtual size: 4KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.rsrc
Size: 1024B - Virtual size: 624B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ

.reloc
Size: 512B - Virtual size: 468B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ

Sharing

General

Malware Config

Signatures

Files

7302f4260aaa7d9f088731c785d84ea8

Code Sign

46:b8:7d:11:19:d2:31:78:f4:32:d3:86:a1:14:a3:48Certificate

Extended Key Usages

Key Usages

25:1f:5d:98:81:82:17:2e:3c:41:9e:01:4f:b0:40:4cCertificate

Extended Key Usages

Key Usages

46:bb:b3:40:fa:b9:c1:79:28:93:8c:93:da:10:86:79Certificate

Extended Key Usages

Key Usages

33:00:00:00:39:65:c4:72:e0:dc:2b:d9:65:00:00:00:00:00:39Certificate

Extended Key Usages

Key Usages

ba:83:f6:80:ac:af:c7:d4:fd:37:0c:69:0a:52:ca:9c:6a:cd:93:feSigner

Headers

DLL Characteristics

File Characteristics

PDB Paths

Imports

ntoskrnl.exe

hal

fltmgr.sys

Sections

.text Size: 114KB - Virtual size: 113KB

.data Size: 3KB - Virtual size: 4KB

.pdata Size: 5KB - Virtual size: 5KB

INIT Size: 4KB - Virtual size: 4KB

.rsrc Size: 1024B - Virtual size: 624B

.reloc Size: 512B - Virtual size: 468B

46:b8:7d:11:19:d2:31:78:f4:32:d3:86:a1:14:a3:48
Certificate

25:1f:5d:98:81:82:17:2e:3c:41:9e:01:4f:b0:40:4c
Certificate

46:bb:b3:40:fa:b9:c1:79:28:93:8c:93:da:10:86:79
Certificate

33:00:00:00:39:65:c4:72:e0:dc:2b:d9:65:00:00:00:00:00:39
Certificate

ba:83:f6:80:ac:af:c7:d4:fd:37:0c:69:0a:52:ca:9c:6a:cd:93:fe
Signer

.text
Size: 114KB - Virtual size: 113KB

.data
Size: 3KB - Virtual size: 4KB

.pdata
Size: 5KB - Virtual size: 5KB

INIT
Size: 4KB - Virtual size: 4KB

.rsrc
Size: 1024B - Virtual size: 624B

.reloc
Size: 512B - Virtual size: 468B