f86b30913e306e2d7f4e0d8752f2c113_JaffaCakes118

Sharing

Copy URL

Twitter E-mail

General

Target

f86b30913e306e2d7f4e0d8752f2c113_JaffaCakes118
Size

6.4MB
MD5

f86b30913e306e2d7f4e0d8752f2c113
SHA1

2ed298917c040961a864f8fb2d96f7e368765c58
SHA256

6f775fedf2018e21114819e70098cf57d520632b891d4c923e4fe80d2a36939d
SHA512

a8d9c1224227cec3d47ed3016d29a3a37a8d07dbaa0f2de763b32d5d2a00d07ca2f2079b74a5927ef26b92322cdca74653c2c14f57200d2cfaeebec07beda9eb
SSDEEP

196608:CLC9PP1CjGNXkfPJkS3gitqH1jahKpO9ka5:CLCWPJrltq0jqK

Score

1^/10

Malware Config

Signatures

Files

f86b30913e306e2d7f4e0d8752f2c113_JaffaCakes118
.sys windows:6 windows x64 arch:x64

87853b6c1953abcf8d705e94e79f2545

Code Sign

61:19:93:e4:00:00:00:00:00:1c
Certificate

Issuer

CN=Microsoft Code Verification Root,O=Microsoft Corporation,L=Redmond,ST=Washington,C=US

Not Before

22/02/2011, 19:25

Not After

22/02/2021, 19:35

Subject

CN=VeriSign Class 3 Public Primary Certification Authority - G5,OU=VeriSign Trust Network+OU=(c) 2006 VeriSign\, Inc. - For authorized use only,O=VeriSign\, Inc.,C=US

Key Usages

KeyUsageDigitalSignature
KeyUsageCertSign
KeyUsageCRLSign

48:4b:80:a0:e2:6c:94:f7:77:32:38:59:a7:9a:de:c5
Certificate

Issuer

CN=VeriSign Class 3 Code Signing 2010 CA,OU=VeriSign Trust Network+OU=Terms of use at https://www.verisign.com/rpa (c)10,O=VeriSign\, Inc.,C=US

Not Before

22/11/2013, 00:00

Not After

22/11/2014, 23:59

Subject

CN=Xinyi Electronic Technology (Shanghai) Co.\, Ltd.,OU=Digital ID Class 3 - Microsoft Software Validation v2,O=Xinyi Electronic Technology (Shanghai) Co.\, Ltd.,L=Shanghai,ST=Shanghai,C=CN

Extended Key Usages

ExtKeyUsageCodeSigning

Key Usages

KeyUsageDigitalSignature

52:00:e5:aa:25:56:fc:1a:86:ed:96:c9:d4:4b:33:c7
Certificate

Issuer

CN=VeriSign Class 3 Public Primary Certification Authority - G5,OU=VeriSign Trust Network+OU=(c) 2006 VeriSign\, Inc. - For authorized use only,O=VeriSign\, Inc.,C=US

Not Before

08/02/2010, 00:00

Not After

07/02/2020, 23:59

Subject

CN=VeriSign Class 3 Code Signing 2010 CA,OU=VeriSign Trust Network+OU=Terms of use at https://www.verisign.com/rpa (c)10,O=VeriSign\, Inc.,C=US

Extended Key Usages

ExtKeyUsageClientAuth
ExtKeyUsageCodeSigning

Key Usages

KeyUsageCertSign
KeyUsageCRLSign

ed:62:d3:66:fe:33:b5:c0:46:f3:12:a7:58:23:32:7d:73:bd:15:00
Signer

Actual PE Digest

ed:62:d3:66:fe:33:b5:c0:46:f3:12:a7:58:23:32:7d:73:bd:15:00

Digest Algorithm

sha1

PE Digest Matches

true

Headers

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LARGE_ADDRESS_AWARE

Imports

ntoskrnl.exe

KeDelayExecutionThread
IoFileObjectType
IoRegisterBootDriverReinitialization
IoUnregisterShutdownNotification
PsTerminateSystemThread
_vsnwprintf
ZwClose
IofCompleteRequest
ObReferenceObjectByHandle
RtlWriteRegistryValue
PsGetVersion
PsThreadType
ObfDereferenceObject
IoCreateDriver
IoCreateDevice
ZwOpenFile
RtlCreateRegistryKey
RtlRandomEx
_vsnprintf
ExInitializeNPagedLookasideList
ExpInterlockedPushEntrySList
ExpInterlockedPopEntrySList
ExDeletePagedLookasideList
ExQueryDepthSList
ExInitializePagedLookasideList
ExDeleteNPagedLookasideList
ExAcquireResourceExclusiveLite
KeLeaveCriticalRegion
KeReleaseInStackQueuedSpinLock
KeAcquireInStackQueuedSpinLock
KeEnterCriticalRegion
ExAcquireResourceSharedLite
ExReleaseResourceLite
ExDeleteResourceLite
ExInitializeResourceLite
IoGetLowerDeviceObject
IoBuildDeviceIoControlRequest
PsLookupProcessByProcessId
ZwQuerySymbolicLinkObject
ZwQueryDefaultUILanguage
MmGetSystemRoutineAddress
RtlAppendUnicodeToString
KeInitializeEvent
RtlGetVersion
ZwQuerySystemInformation
RtlEqualUnicodeString
IoVolumeDeviceToDosName
FsRtlIsNameInExpression
IoCancelIrp
PsCreateSystemThread
IoGetDeviceObjectPointer
ExSystemTimeToLocalTime
ZwQueryValueKey
RtlPrefixUnicodeString
KeQueryTimeIncrement
PsGetProcessSessionId
KeWaitForSingleObject
IoFreeIrp
IoAllocateIrp
ZwDeviceIoControlFile
ZwQueryInformationProcess
ObfReferenceObject
PsGetProcessWin32WindowStation
IoReleaseCancelSpinLock
ZwDeleteKey
ObOpenObjectByPointer
ZwEnumerateKey
IofCallDriver
ZwQueryKey
ZwOpenKey
ZwCreateKey
ObMakeTemporaryObject
KeSetEvent
ZwSetValueKey
RtlInitString
KeUnstackDetachProcess
RtlFreeUnicodeString
ZwFreeVirtualMemory
ZwDeleteFile
ZwOpenProcess
RtlEqualString
ZwLoadDriver
KeStackAttachProcess
PsLookupThreadByThreadId
ZwAllocateVirtualMemory
RtlInitAnsiString
MmAllocatePagesForMdl
MmMapLockedPagesSpecifyCache
MmFreePagesFromMdl
IoDriverObjectType
ObReferenceObjectByName
KeBugCheckEx
IoDeleteDevice
ZwOpenSymbolicLinkObject
RtlInitUnicodeString
IoReuseIrp
KeResetEvent
KeReadStateEvent
KeInitializeMutex
IoFreeMdl
KeReleaseMutex
ZwCreateFile
IoGetDeviceAttachmentBaseRef
MmProbeAndLockPages
MmUnlockPages
KeWaitForMultipleObjects
IoAllocateMdl
_wcsicmp
ZwUnloadKey
KeClearEvent
NtBuildNumber
_wcsnicmp
ZwReadFile
SeCreateAccessState
ExGetPreviousMode
IoGetFileObjectGenericMapping
ObCreateObject
IoCreateFile
ZwSaveKey
_wcslwr
ZwOpenDirectoryObject
ZwSetInformationFile
wcsrchr
ExAllocatePool
IoGetCurrentProcess
ZwQueryDirectoryObject
ZwFlushKey
ZwLoadKey
MmIsAddressValid
ZwWriteFile
IoGetRelatedDeviceObject
CcUninitializeCacheMap
MmForceSectionClosed
MmHighestUserAddress
KeInitializeApc
KeInsertQueueApc
IoRegisterShutdownNotification
ExFreePoolWithTag
RtlAnsiStringToUnicodeString
ExAllocatePoolWithTag
__C_specific_handler
ExAllocatePool
NtQuerySystemInformation
ExFreePoolWithTag
IoAllocateMdl
MmProbeAndLockPages
MmMapLockedPagesSpecifyCache
MmUnlockPages
IoFreeMdl
KeQueryActiveProcessors
KeSetSystemAffinityThread
KeRevertToUserAffinityThread
DbgPrint

fltmgr.sys

FltRegisterFilter
FltUnregisterFilter
FltStartFiltering

hal

KeQueryPerformanceCounter

Sections

.text
Size: - Virtual size: 108KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rdata
Size: - Virtual size: 5KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.data
Size: - Virtual size: 3.2MB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.pdata
Size: - Virtual size: 2KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

PAGE
Size: - Virtual size: 2.2MB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

INIT
Size: - Virtual size: 4KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.data0
Size: - Virtual size: 3.1MB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.data1
Size: 6.4MB - Virtual size: 6.4MB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.reloc
Size: 512B - Virtual size: 12B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ

Sharing

General

Malware Config

Signatures

Files

87853b6c1953abcf8d705e94e79f2545

Code Sign

61:19:93:e4:00:00:00:00:00:1cCertificate

Key Usages

48:4b:80:a0:e2:6c:94:f7:77:32:38:59:a7:9a:de:c5Certificate

Extended Key Usages

Key Usages

52:00:e5:aa:25:56:fc:1a:86:ed:96:c9:d4:4b:33:c7Certificate

Extended Key Usages

Key Usages

ed:62:d3:66:fe:33:b5:c0:46:f3:12:a7:58:23:32:7d:73:bd:15:00Signer

Headers

File Characteristics

Imports

ntoskrnl.exe

fltmgr.sys

hal

Sections

.text Size: - Virtual size: 108KB

.rdata Size: - Virtual size: 5KB

.data Size: - Virtual size: 3.2MB

.pdata Size: - Virtual size: 2KB

PAGE Size: - Virtual size: 2.2MB

INIT Size: - Virtual size: 4KB

.data0 Size: - Virtual size: 3.1MB

.data1 Size: 6.4MB - Virtual size: 6.4MB

.reloc Size: 512B - Virtual size: 12B

61:19:93:e4:00:00:00:00:00:1c
Certificate

48:4b:80:a0:e2:6c:94:f7:77:32:38:59:a7:9a:de:c5
Certificate

52:00:e5:aa:25:56:fc:1a:86:ed:96:c9:d4:4b:33:c7
Certificate

ed:62:d3:66:fe:33:b5:c0:46:f3:12:a7:58:23:32:7d:73:bd:15:00
Signer

.text
Size: - Virtual size: 108KB

.rdata
Size: - Virtual size: 5KB

.data
Size: - Virtual size: 3.2MB

.pdata
Size: - Virtual size: 2KB

PAGE
Size: - Virtual size: 2.2MB

INIT
Size: - Virtual size: 4KB

.data0
Size: - Virtual size: 3.1MB

.data1
Size: 6.4MB - Virtual size: 6.4MB

.reloc
Size: 512B - Virtual size: 12B