e7ff86b8b794a8d06a2996e89262397c_JaffaCakes118

Sharing

Copy URL Twitter E-mail

General

Target

e7ff86b8b794a8d06a2996e89262397c_JaffaCakes118
Size

167KB
MD5

e7ff86b8b794a8d06a2996e89262397c
SHA1

f628d705bc07f8e4f2857548835ed0c3521c51dc
SHA256

238e882c70e041c883c31025976971be9a60ff7e8860594b1751a4d7a127b846
SHA512

2c158f88dba165f221f61b1af465c68e8e219563c63d964f34ff69627fb835b33d59872827942bceb575d1118a1188c493dc60b19fda0e745322d8e06e4bfa09
SSDEEP

3072:3fCX5YWYwMVLj+Fp2Uq0CuP2HszDxsOd8wdLVr4ekyTe:3faXYw6Y2Uq0/PWYFsIdB4ekye

Score

3^/10

Malware Config

Signatures

Unsigned PE 4 IoCs

Checks for missing Authenticode signature.

resource
unpack001/RUNASA.EXE
unpack001/RUNASA64.EXE
unpack001/RUNASAS.EXE
unpack001/RUNASAS64.EXE

Files

e7ff86b8b794a8d06a2996e89262397c_JaffaCakes118
.zip
RUNASA.EXE
.exe windows:1 windows x86 arch:x86

f4312c02e7cee6847d61331dca180ca4

Headers

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LINE_NUMS_STRIPPED
IMAGE_FILE_LOCAL_SYMS_STRIPPED
IMAGE_FILE_BYTES_REVERSED_LO
IMAGE_FILE_32BIT_MACHINE
IMAGE_FILE_BYTES_REVERSED_HI

Imports

kernel32

LocalFree
GetCommandLineA
Sleep
LockResource
GetModuleFileNameW
GetUserDefaultLCID
WriteFile
UpdateResourceW
SizeofResource
MultiByteToWideChar
HeapAlloc
GetProcAddress
FormatMessageA
GetTickCount
GetCurrentThreadId
EndUpdateResourceW
WaitForSingleObject
GetFileAttributesW
GetProcessHeap
ExitProcess
SetLastError
ReadFile
LoadResource
HeapFree
GetVersionExA
GetModuleHandleA
FindResourceW
GetComputerNameW
FreeLibrary
GetBinaryTypeA
GetLastError
GetExitCodeProcess
EnumResourceNamesW
GetModuleFileNameA
BeginUpdateResourceW
CallNamedPipeA
CloseHandle
CreateFileA
CreateFileW
CreateProcessW
DeleteFileW
GetEnvironmentStrings
GetCurrentProcessId
GetCurrentProcess
FindResourceA
SetEvent
GetCurrentDirectoryW
LocalAlloc
LoadLibraryExA
LoadLibraryA
GetComputerNameA

user32

SetWindowLongA
SetDlgItemTextA
CheckDlgButton
SendDlgItemMessageA
PostMessageA
DialogBoxParamA
OpenDesktopW
LoadIconA
SetProcessWindowStation
IsDlgButtonChecked
SetWindowTextA
GetWindowLongA
GetDlgItemTextA
GetUserObjectInformationA
GetProcessWindowStation
GetDlgItem
EndDialog
EnableWindow
DefDlgProcA
CloseWindowStation
CloseDesktop
GetUserObjectSecurity
GetThreadDesktop
CharNextA
LoadCursorA
MessageBoxA
InvalidateRect
RegisterClassA
OpenWindowStationW
SetFocus
SendDlgItemMessageW
SetWindowPos
SetUserObjectSecurity
ShowWindow
wsprintfA
wsprintfW

shell32

ShellExecuteExA
ShellExecuteA
DragQueryFileA
DragFinish

advapi32

RegSetValueExA
RegQueryValueExA
GetTokenInformation
RegOpenKeyExA
RegDeleteKeyA
GetSecurityDescriptorDacl
CopySid
RegCreateKeyExA
RegCloseKey
GetLengthSid
QueryServiceStatus
OpenServiceA
GetAclInformation
CloseServiceHandle
AddAce
OpenSCManagerA
OpenProcessToken
GetAce
AddAccessAllowedAce
AccessCheck
LookupPrivilegeValueA
FreeSid
LogonUserW
AllocateAndInitializeSid
InitializeSecurityDescriptor
InitializeAcl
DuplicateToken
SetSecurityDescriptorOwner
SetSecurityDescriptorGroup
ImpersonateNamedPipeClient
SetSecurityDescriptorDacl
AdjustTokenPrivileges
ImpersonateLoggedOnUser
CreateProcessAsUserW
RevertToSelf

ole32

CoUninitialize
CoInitialize
CoCreateInstance

comdlg32

GetOpenFileNameA

netapi32

NetUserEnum
NetApiBufferFree

Exports

Exports

__GetExceptDLLinfo

Sections

CODE
Size: 14KB - Virtual size: 16KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

DATA
Size: 9KB - Virtual size: 12KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.idata
Size: 4KB - Virtual size: 4KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.edata
Size: 512B - Virtual size: 4KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.reloc
Size: 1024B - Virtual size: 4KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.rsrc
Size: 24KB - Virtual size: 24KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
RUNASA.TXT
RUNASA64.EXE
.exe windows:5 windows x64 arch:x64

25917d8a7930e9e5172f65f3779edb11

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE

File Characteristics

IMAGE_FILE_RELOCS_STRIPPED
IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LARGE_ADDRESS_AWARE

Imports

kernel32

LoadLibraryExA
BeginUpdateResourceW
WriteFile
FindResourceA
GetFileAttributesW
GetComputerNameA
GetExitCodeProcess
CreateProcessW
GetUserDefaultLCID
GetVersionExA
EnumResourceNamesW
FreeLibrary
EndUpdateResourceW
DeleteFileW
GetBinaryTypeA
GetModuleFileNameA
GetTickCount
CreateFileA
FindResourceW
LoadResource
LockResource
UpdateResourceW
SizeofResource
LocalAlloc
SetEvent
LoadLibraryA
GetComputerNameW
GetModuleFileNameW
GetCurrentDirectoryW
GetModuleHandleA
GetProcAddress
GetCurrentProcess
MultiByteToWideChar
Sleep
GetProcessHeap
HeapAlloc
HeapFree
CreateFileW
ReadFile
SetLastError
CallNamedPipeA
GetLastError
FormatMessageA
LocalFree
GetCurrentThreadId
GetCurrentProcessId
HeapReAlloc
HeapSize
GetLocaleInfoA
GetStringTypeW
GetStringTypeA
LCMapStringW
LCMapStringA
InitializeCriticalSectionAndSpinCount
EnterCriticalSection
LeaveCriticalSection
IsValidCodePage
GetOEMCP
GetACP
GetCPInfo
GetSystemTimeAsFileTime
QueryPerformanceCounter
HeapCreate
HeapSetInformation
FlsAlloc
FlsFree
FlsSetValue
FlsGetValue
DecodePointer
EncodePointer
DeleteCriticalSection
GetFileType
SetHandleCount
GetEnvironmentStringsW
WideCharToMultiByte
FreeEnvironmentStringsW
GetEnvironmentStrings
FreeEnvironmentStringsA
RtlUnwindEx
GetStdHandle
ExitProcess
WaitForSingleObject
CloseHandle
GetCommandLineA
GetStartupInfoA
TerminateProcess
UnhandledExceptionFilter
SetUnhandledExceptionFilter
IsDebuggerPresent
RtlVirtualUnwind
RtlLookupFunctionEntry
RtlCaptureContext
GetModuleHandleW

advapi32

RevertToSelf
GetLengthSid
DuplicateToken
RegCreateKeyExA
RegSetValueExA
RegDeleteKeyA
AllocateAndInitializeSid
SetSecurityDescriptorGroup
SetSecurityDescriptorOwner
AccessCheck
FreeSid
RegOpenKeyExA
RegQueryValueExA
RegCloseKey
LogonUserW
ImpersonateNamedPipeClient
ImpersonateLoggedOnUser
GetTokenInformation
CreateProcessAsUserW
InitializeSecurityDescriptor
GetSecurityDescriptorDacl
GetAclInformation
InitializeAcl
GetAce
AddAce
AddAccessAllowedAce
SetSecurityDescriptorDacl
OpenProcessToken
LookupPrivilegeValueA
AdjustTokenPrivileges
OpenSCManagerA
OpenServiceA
QueryServiceStatus
CloseServiceHandle
CopySid

ole32

CoCreateInstance
CoUninitialize
CoInitialize

netapi32

NetApiBufferFree
NetUserEnum

shell32

ShellExecuteExA
DragFinish
DragQueryFileA
ShellExecuteA

user32

PostMessageA
GetWindowLongPtrA
SetWindowLongPtrA
SetWindowPos
InvalidateRect
SendDlgItemMessageW
GetDlgItem
EnableWindow
CheckDlgButton
ShowWindow
EndDialog
IsDlgButtonChecked
SendDlgItemMessageA
SetFocus
SetDlgItemTextA
CharNextA
OpenWindowStationW
SetProcessWindowStation
OpenDesktopW
CloseWindowStation
CloseDesktop
wsprintfW
GetUserObjectSecurity
SetUserObjectSecurity
MessageBoxA
GetProcessWindowStation
GetThreadDesktop
GetUserObjectInformationA
SetWindowTextA
DialogBoxParamA
RegisterClassA
LoadIconA
LoadCursorA
DefDlgProcA
GetDlgItemTextA
wsprintfA

comdlg32

GetOpenFileNameA

Sections

.text
Size: 38KB - Virtual size: 38KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rdata
Size: 16KB - Virtual size: 15KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.data
Size: 4KB - Virtual size: 8KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.pdata
Size: 2KB - Virtual size: 1KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.rsrc
Size: 57KB - Virtual size: 56KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
RUNASAS.EXE
.exe windows:1 windows x86 arch:x86

a86ef5cb42608ccd4aba97feefc0ff19

Headers

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LINE_NUMS_STRIPPED
IMAGE_FILE_LOCAL_SYMS_STRIPPED
IMAGE_FILE_BYTES_REVERSED_LO
IMAGE_FILE_32BIT_MACHINE
IMAGE_FILE_BYTES_REVERSED_HI

Imports

kernel32

GetCurrentDirectoryW
GetProcessHeap
GetStdHandle
GetCurrentProcess
CreateNamedPipeA
GetModuleHandleA
MultiByteToWideChar
GetVersionExA
GetLastError
GetCurrentThread
FlushFileBuffers
CreateThread
CallNamedPipeA
GetModuleFileNameW
Sleep
ReadFile
LoadLibraryA
HeapAlloc
GetProcAddress
GetModuleFileNameA
GetFileSize
GetEnvironmentStrings
GetComputerNameW
GetCommandLineA
ExitProcess
DisconnectNamedPipe
CreateFileW
CreateFileA
CloseHandle
CreateEventA
WriteFile
WaitForSingleObject
SetFilePointer
SetEvent
LocalFree
LocalAlloc
HeapReAlloc
HeapFree
ConnectNamedPipe

advapi32

RegOpenKeyExA
RegCloseKey
GetAclInformation
QueryServiceStatus
OpenThreadToken
GetAce
ControlService
OpenServiceA
OpenSCManagerA
FreeSid
OpenProcessToken
LookupPrivilegeValueA
DeregisterEventSource
CloseServiceHandle
AddAce
LogonUserW
DeleteService
InitializeAcl
AccessCheck
StartServiceCtrlDispatcherA
AddAccessAllowedAce
CreateServiceA
SetServiceStatus
AllocateAndInitializeSid
InitializeSecurityDescriptor
SetSecurityDescriptorOwner
SetSecurityDescriptorGroup
ImpersonateLoggedOnUser
SetSecurityDescriptorDacl
RevertToSelf
GetTokenInformation
CreateProcessAsUserW
ReportEventA
RegisterServiceCtrlHandlerA
GetSecurityDescriptorDacl
RegisterEventSourceA
RegQueryValueExA
GetLengthSid
CopySid
AdjustTokenPrivileges
ImpersonateNamedPipeClient
StartServiceA

user32

wsprintfW
SetUserObjectSecurity
SetProcessWindowStation
OpenWindowStationW
OpenDesktopW
MessageBoxA
GetUserObjectSecurity
GetProcessWindowStation
wsprintfA
CloseWindowStation
CloseDesktop

Exports

Exports

__GetExceptDLLinfo

Sections

CODE
Size: 12KB - Virtual size: 12KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

DATA
Size: 2KB - Virtual size: 4KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.idata
Size: 3KB - Virtual size: 4KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.edata
Size: 512B - Virtual size: 4KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.reloc
Size: 1024B - Virtual size: 4KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.rsrc
Size: 1024B - Virtual size: 4KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
RUNASAS64.EXE
.exe windows:5 windows x64 arch:x64

5f51b03b9a4e546c025cfbd78fa73158

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE

File Characteristics

IMAGE_FILE_RELOCS_STRIPPED
IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LARGE_ADDRESS_AWARE

Imports

kernel32

HeapReAlloc
SetFilePointer
CreateFileA
GetFileSize
SetEvent
LoadLibraryA
GetComputerNameW
GetModuleFileNameW
GetCurrentDirectoryW
GetModuleHandleA
GetProcAddress
GetCurrentProcess
MultiByteToWideChar
GetProcessHeap
HeapAlloc
HeapFree
CreateFileW
GetVersionExA
LocalAlloc
CreateNamedPipeA
LocalFree
ConnectNamedPipe
ReadFile
FlushFileBuffers
DisconnectNamedPipe
CreateEventA
CreateThread
GetLastError
WaitForSingleObject
CallNamedPipeA
GetCurrentThread
CloseHandle
GetCommandLineA
Sleep
WriteFile
GetModuleFileNameA
GetStdHandle
HeapSize
GetLocaleInfoA
GetStringTypeW
TerminateProcess
UnhandledExceptionFilter
SetUnhandledExceptionFilter
IsDebuggerPresent
RtlVirtualUnwind
RtlLookupFunctionEntry
RtlCaptureContext
GetModuleHandleW
ExitProcess
RtlUnwindEx
FreeEnvironmentStringsA
GetEnvironmentStrings
FreeEnvironmentStringsW
WideCharToMultiByte
GetEnvironmentStringsW
SetHandleCount
GetFileType
GetStartupInfoA
DeleteCriticalSection
EncodePointer
DecodePointer
FlsGetValue
FlsSetValue
FlsFree
SetLastError
GetCurrentThreadId
FlsAlloc
HeapSetInformation
HeapCreate
QueryPerformanceCounter
GetTickCount
GetCurrentProcessId
GetSystemTimeAsFileTime
GetCPInfo
GetACP
GetOEMCP
IsValidCodePage
LeaveCriticalSection
EnterCriticalSection
InitializeCriticalSectionAndSpinCount
LCMapStringA
LCMapStringW
GetStringTypeA

advapi32

AccessCheck
SetSecurityDescriptorGroup
SetSecurityDescriptorOwner
AllocateAndInitializeSid
FreeSid
RegOpenKeyExA
RegQueryValueExA
RegCloseKey
LogonUserW
ImpersonateLoggedOnUser
CreateProcessAsUserW
InitializeSecurityDescriptor
GetSecurityDescriptorDacl
GetAclInformation
GetAce
AddAce
AddAccessAllowedAce
OpenProcessToken
LookupPrivilegeValueA
AdjustTokenPrivileges
GetTokenInformation
GetLengthSid
CopySid
InitializeAcl
SetSecurityDescriptorDacl
RegisterEventSourceA
ReportEventA
DeregisterEventSource
ImpersonateNamedPipeClient
OpenThreadToken
RevertToSelf
RegisterServiceCtrlHandlerA
StartServiceCtrlDispatcherA
OpenServiceA
ControlService
QueryServiceStatus
DeleteService
OpenSCManagerA
SetServiceStatus
CloseServiceHandle
StartServiceA
CreateServiceA

user32

MessageBoxA
GetProcessWindowStation
OpenWindowStationW
SetProcessWindowStation
OpenDesktopW
CloseWindowStation
CloseDesktop
wsprintfW
GetUserObjectSecurity
SetUserObjectSecurity
wsprintfA

Sections

.text
Size: 35KB - Virtual size: 34KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rdata
Size: 12KB - Virtual size: 12KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.data
Size: 4KB - Virtual size: 8KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.pdata
Size: 2KB - Virtual size: 1KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.rsrc
Size: 1024B - Virtual size: 688B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
RUSRC.LZH
.lzh
CFG.C
CFG.H
ISADMIN.C
ISADMIN.H
MAKEFILE
RUNASA.C
RUNASA.H
RUNASA.ICO
RUNASA.RC
RUNASAC.C
RUNASAM.C
RUNASAMD.C
RUNASAS.C
RUNASAS.RC
RUNASAT.RC
RUNASAX.C
RUNASAX.RC
SERVICE.C
SERVICE.H
SHORTCUT.CPP
SHORTCUT.H
SVTRAY.C
TOROWIN.H
TSECU.C
TSECU.H
TSTR.C
.vbs
TSTR.H

Sharing

General

Malware Config

Signatures

Files

f4312c02e7cee6847d61331dca180ca4

Headers

File Characteristics

Imports

kernel32

user32

shell32

advapi32

ole32

comdlg32

netapi32

Exports

Exports

Sections

CODE Size: 14KB - Virtual size: 16KB

DATA Size: 9KB - Virtual size: 12KB

.idata Size: 4KB - Virtual size: 4KB

.edata Size: 512B - Virtual size: 4KB

.reloc Size: 1024B - Virtual size: 4KB

.rsrc Size: 24KB - Virtual size: 24KB

25917d8a7930e9e5172f65f3779edb11

Headers

DLL Characteristics

File Characteristics

Imports

kernel32

advapi32

ole32

netapi32

shell32

user32

comdlg32

Sections

.text Size: 38KB - Virtual size: 38KB

.rdata Size: 16KB - Virtual size: 15KB

.data Size: 4KB - Virtual size: 8KB

.pdata Size: 2KB - Virtual size: 1KB

.rsrc Size: 57KB - Virtual size: 56KB

a86ef5cb42608ccd4aba97feefc0ff19

Headers

File Characteristics

Imports

kernel32

advapi32

user32

Exports

Exports

Sections

CODE Size: 12KB - Virtual size: 12KB

DATA Size: 2KB - Virtual size: 4KB

.idata Size: 3KB - Virtual size: 4KB

.edata Size: 512B - Virtual size: 4KB

.reloc Size: 1024B - Virtual size: 4KB

.rsrc Size: 1024B - Virtual size: 4KB

5f51b03b9a4e546c025cfbd78fa73158

Headers

DLL Characteristics

File Characteristics

Imports

kernel32

advapi32

user32

Sections

.text Size: 35KB - Virtual size: 34KB

.rdata Size: 12KB - Virtual size: 12KB

.data Size: 4KB - Virtual size: 8KB

.pdata Size: 2KB - Virtual size: 1KB

.rsrc Size: 1024B - Virtual size: 688B

CODE
Size: 14KB - Virtual size: 16KB

DATA
Size: 9KB - Virtual size: 12KB

.idata
Size: 4KB - Virtual size: 4KB

.edata
Size: 512B - Virtual size: 4KB

.reloc
Size: 1024B - Virtual size: 4KB

.rsrc
Size: 24KB - Virtual size: 24KB

.text
Size: 38KB - Virtual size: 38KB

.rdata
Size: 16KB - Virtual size: 15KB

.data
Size: 4KB - Virtual size: 8KB

.pdata
Size: 2KB - Virtual size: 1KB

.rsrc
Size: 57KB - Virtual size: 56KB

CODE
Size: 12KB - Virtual size: 12KB

DATA
Size: 2KB - Virtual size: 4KB

.idata
Size: 3KB - Virtual size: 4KB

.edata
Size: 512B - Virtual size: 4KB

.reloc
Size: 1024B - Virtual size: 4KB

.rsrc
Size: 1024B - Virtual size: 4KB

.text
Size: 35KB - Virtual size: 34KB

.rdata
Size: 12KB - Virtual size: 12KB

.data
Size: 4KB - Virtual size: 8KB

.pdata
Size: 2KB - Virtual size: 1KB

.rsrc
Size: 1024B - Virtual size: 688B