254c8558e0f4e4789b946efa690c77e9_JaffaCakes118

Sharing

Copy URL Twitter E-mail

General

Target

254c8558e0f4e4789b946efa690c77e9_JaffaCakes118
Size

479KB
MD5

254c8558e0f4e4789b946efa690c77e9
SHA1

830f299174818366cb0663cc59fcfefce9897396
SHA256

f12283349212be554a90a619d2466cfc88391c54a270cf4c8d1c5086a0ccfc85
SHA512

53d60e62005fa24b019297a22c7d7fbe8b2c5698436be0f4098cd56ccc41f9e22af6ac3ecf06d59db892438bf7b8dbf7d5b86a77ce48bec95ff75880d5447bf8
SSDEEP

12288:HcaK+ZNrLJnwKiA8ffaId4S+e777777777777777777WI:RK+ZNr1nwKi3XaIdT+

Score

1^/10

Malware Config

Signatures

Files

254c8558e0f4e4789b946efa690c77e9_JaffaCakes118
.exe regsvr32 windows:4 windows x86 arch:x86

6ddc0fe4651ead90bcd2ec9b32553773

Code Sign

7e:93:eb:fb:7c:c6:4e:59:ea:4b:9a:77:d4:06:fc:3b
Certificate

Issuer

CN=Thawte Timestamping CA,OU=Thawte Certification,O=Thawte,L=Durbanville,ST=Western Cape,C=ZA

Not Before

21/12/2012, 00:00

Not After

30/12/2020, 23:59

Subject

CN=Symantec Time Stamping Services CA - G2,O=Symantec Corporation,C=US

Extended Key Usages

ExtKeyUsageTimeStamping

Key Usages

KeyUsageCertSign
KeyUsageCRLSign

0e:cf:f4:38:c8:fe:bf:35:6e:04:d8:6a:98:1b:1a:50
Certificate

Issuer

CN=Symantec Time Stamping Services CA - G2,O=Symantec Corporation,C=US

Not Before

18/10/2012, 00:00

Not After

29/12/2020, 23:59

Subject

CN=Symantec Time Stamping Services Signer - G4,O=Symantec Corporation,C=US

Extended Key Usages

ExtKeyUsageTimeStamping

Key Usages

KeyUsageDigitalSignature

25:0c:e8:e0:30:61:2e:9f:2b:89:f7:05:4d:7c:f8:fd
Certificate

Issuer

OU=Class 3 Public Primary Certification Authority,O=VeriSign\, Inc.,C=US

Not Before

08/11/2006, 00:00

Not After

07/11/2021, 23:59

Subject

CN=VeriSign Class 3 Public Primary Certification Authority - G5,OU=VeriSign Trust Network+OU=(c) 2006 VeriSign\, Inc. - For authorized use only,O=VeriSign\, Inc.,C=US

Extended Key Usages

ExtKeyUsageServerAuth
ExtKeyUsageClientAuth
ExtKeyUsageCodeSigning
ExtKeyUsageNetscapeServerGatedCrypto

Key Usages

KeyUsageCertSign
KeyUsageCRLSign

71:70:bd:93:cf:3f:18:9a:e6:45:2b:51:4c:49:34:0e
Certificate

Issuer

CN=VeriSign Class 3 Code Signing 2010 CA,OU=VeriSign Trust Network+OU=Terms of use at https://www.verisign.com/rpa (c)10,O=VeriSign\, Inc.,C=US

Not Before

17/01/2013, 00:00

Not After

16/02/2016, 23:59

Subject

CN=Tencent Technology(Shenzhen) Company Limited,OU=Digital ID Class 3 - Microsoft Software Validation v2,O=Tencent Technology(Shenzhen) Company Limited,L=shenzhen,ST=guangdong,C=CN

Extended Key Usages

ExtKeyUsageCodeSigning

Key Usages

KeyUsageDigitalSignature

52:00:e5:aa:25:56:fc:1a:86:ed:96:c9:d4:4b:33:c7
Certificate

Issuer

CN=VeriSign Class 3 Public Primary Certification Authority - G5,OU=VeriSign Trust Network+OU=(c) 2006 VeriSign\, Inc. - For authorized use only,O=VeriSign\, Inc.,C=US

Not Before

08/02/2010, 00:00

Not After

07/02/2020, 23:59

Subject

CN=VeriSign Class 3 Code Signing 2010 CA,OU=VeriSign Trust Network+OU=Terms of use at https://www.verisign.com/rpa (c)10,O=VeriSign\, Inc.,C=US

Extended Key Usages

ExtKeyUsageClientAuth
ExtKeyUsageCodeSigning

Key Usages

KeyUsageCertSign
KeyUsageCRLSign

ae:33:8f:72:ad:37:5e:63:35:8e:6d:46:0d:e5:b9:40:a1:2c:04:81
Signer

Actual PE Digest

ae:33:8f:72:ad:37:5e:63:35:8e:6d:46:0d:e5:b9:40:a1:2c:04:81

Digest Algorithm

sha1

PE Digest Matches

true

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_NX_COMPAT

File Characteristics

IMAGE_FILE_RELOCS_STRIPPED
IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_32BIT_MACHINE

PDB Paths

R:\TempView\Output\BinFinal\Timwp.pdb

Imports

common

??1CTXBSTR@@QAE@XZ
??BCTXBSTR@@QBEPA_WXZ
??ICTXBSTR@@QAEPAPA_WXZ
?IsEmpty@CTXBSTR@@QAEHXZ
??0CTXBSTR@@QAE@PB_W@Z
??0CTXBSTR@@QAE@XZ
?Format@CTXStringA@@QAAXPBDZZ
??0CTXStringA@@QAE@XZ
??M@YA_NABVCTXStringA@@0@Z
??0CTXBSTR@@QAE@ABVCTXStringW@@@Z
?CreateTXData@Data@Util@@YAHPAPAUITXData@@@Z
??4CTXStringW@@QAEAAV0@PB_W@Z
?IsEmpty@CTXStringW@@QBE_NXZ
??0CTXStringW@@QAE@ABV0@@Z
??1CTXHttpDownloadSink@@UAE@XZ
??1CTXHttpDownload@@UAE@XZ
?CancelDownload@CTXHttpDownload@@QAEXXZ
??YCTXStringW@@QAEAAV0@ABV0@@Z
?GetLength@CTXStringW@@QBEHXZ
??YCTXStringW@@QAEAAV0@_W@Z
??H@YA?AVCTXStringW@@PB_WABV0@@Z
?Replace@CTXStringW@@QAEH_W0@Z
??ACTXStringW@@QBE_WH@Z
?Replace@CTXStringW@@QAEHPB_W0@Z
??0CTXHttpDownload@@QAE@XZ
??0CTXHttpDownloadSink@@IAE@XZ
?Download@CTXHttpDownload@@QAEHPB_WPAU_SYSTEMTIME@@0HPA_J@Z
?MoveDownloadFile@CTXHttpDownload@@QAEHPB_WH@Z
?GetLastModifyTime@CTXHttpDownload@@QAEHAAU_SYSTEMTIME@@@Z
?CompareNoCase@CTXStringW@@QBEHPB_W@Z
??YCTXStringW@@QAEAAV0@PB_W@Z
??9@YA_NABVCTXStringW@@0@Z
??4CTXStringW@@QAEAAV0@PA_W@Z
?Empty@CTXStringW@@QAEXXZ
??0CTXStringW@@QAE@PA_W@Z
??0CTXStringW@@QAE@UtagGBK@@PBDH@Z
?EnableQQNetworkSettings@CTXHttpDownload@@QAEHH@Z
?SetUIInterface@CTXHttpDownload@@QAEXPAVCTXHttpDownloadSink@@@Z
?GetResponseFileName@CTXHttpDownload@@QAEHAAVCTXStringW@@@Z
?SafeCoLoadLibrary@Sys@Util@@YAPAUHINSTANCE__@@PB_WH@Z
?Find@CTXStringW@@QBEH_WH@Z
?MakeLower@CTXStringW@@QAEAAV1@XZ
??8@YA_NABVCTXStringW@@PB_W@Z
?Right@CTXStringW@@QBE?AV1@H@Z
??9@YA_N_WABVCTXStringW@@@Z
??8@YA_N_WABVCTXStringW@@@Z
?IsFileExist@FS@@YAHPB_W@Z
?CombineQNC@FS@@YA?AVCTXStringW@@PB_W0@Z
ord34
?Compare@CTXStringW@@QBEHPB_W@Z
??M@YA_NABVCTXStringW@@0@Z
?Delete@CTXStringW@@QAEHHH@Z
??0CTXStringW@@QAE@PB_WH@Z
??0CTXStringW@@QAE@H@Z
?Format@CTXStringW@@QAAXPB_WZZ
?Find@CTXStringW@@QBEHPB_WH@Z
?GetBSTR@CTXStringW@@QBEPA_WXZ
?TXLog_DoTXLogVW@@YAXPAUtagLogObj@@PB_W1PAD@Z
?Mid@CTXStringW@@QBE?AV1@H@Z
ord33
?Trim@CTXStringW@@QAEAAV1@XZ
??8@YA_NPB_WABVCTXStringW@@@Z
?GetAt@CTXStringW@@QBE_WH@Z
??8@YA_NABVCTXStringW@@0@Z
?GetString@CTXStringW@@QBEPB_WXZ
?GetBuffer@CTXStringW@@QAEPA_WXZ
??4CTXBSTR@@QAEAAV0@PB_W@Z
?Empty@CTXBSTR@@QAEXXZ
?Length@CTXBSTR@@QBEIXZ
??4CTXStringW@@QAEAAV0@ABVCTXBSTR@@@Z
?AllocSysString@CTXStringW@@QBEPA_WXZ
ord26
??4CTXBSTR@@QAEAAV0@ABV0@@Z
??BCTXStringA@@QBEPBDXZ
??0CTXStringA@@QAE@UtagGBK@@PB_WH@Z
?SetMainAndLogicThreadId@Misc@Util@@YAXKK@Z
?GetExeDir@Sys@Util@@YA?AVCTXStringW@@XZ
??0CTXStringW@@QAE@ABVCTXBSTR@@@Z
?GetCore@CoreCenter@Util@@YAHPA_WPAPAUITXCore@@@Z
?GetParentDir@File@Util@@YA?AVCTXStringW@@ABV3@@Z
?InitNetwork@Network@Util@@YAHXZ
?InitPlatformModeConfig@Boot@Util@@YAHXZ
?InitPlatformCoreConfig@Boot@Util@@YAHXZ
?InitPlatformFileSystem@Boot@Util@@YAHXZ
?InitPlatformI18NConfig@Boot@Util@@YAHXZ
?InitPlatform@CoreCenter@Util@@YAHPA_W@Z
?CreateObjectFromDllFile@Com@Util@@YGJPB_WABU_GUID@@1PAPAXPAUIUnknown@@@Z
?ClearDeadQueue@Misc@Util@@YAXXZ
?OnUninitCom@Misc@Util@@YAXXZ
?OnExitCoreCenter@Misc@Util@@YAXXZ
?OnExitWinMain@Misc@Util@@YAXXZ
?InitPlatformGFConfig@Boot@Util@@YAHXZ
?GetPlatformCore@CoreCenter@Util@@YAHPAPAUITXPlatformCore@@@Z
?GetFilePrefix@FS@Util@@YA?AVCTXStringW@@ABV3@@Z
?CheckVistaAndStartSelfMediumLevel@Sys@Util@@YAHXZ
??H@YA?AVCTXStringW@@ABV0@0@Z
??4CTXStringW@@QAEAAV0@ABV0@@Z
??H@YA?AVCTXStringW@@ABV0@PB_W@Z
?GetLength@CTXStringA@@QBEHXZ
??4CTXStringA@@QAEAAV0@ABV0@@Z
?Find@CTXStringA@@QBEHPBDH@Z
?IsEmpty@CTXStringA@@QBE_NXZ
?TrimRight@CTXStringA@@QAEAAV1@XZ
?TrimLeft@CTXStringA@@QAEAAV1@XZ
??0CTXStringA@@QAE@ABV0@@Z
?GetBuffer@CTXStringA@@QAEPADH@Z
??YCTXStringA@@QAEAAV0@ABV0@@Z
??0CTXStringA@@QAE@PBD@Z
??YCTXStringA@@QAEAAV0@PBD@Z
?TrimRight@CTXStringA@@QAEAAV1@D@Z
??H@YA?AVCTXStringW@@ABV0@_W@Z
??BCTXStringW@@QBEPB_WXZ
?LoadStringW@TXStringBundle@@YAPB_WPB_W@Z
?GetBuffer@CTXStringW@@QAEPA_WH@Z
?ReleaseBuffer@CTXStringW@@QAEXH@Z
?ReverseFind@CTXStringW@@QBEH_W@Z
?Left@CTXStringW@@QBE?AV1@H@Z
??0CTXStringW@@QAE@PB_W@Z
?GetPlatformCore@Core@Util@@YAHPAPAUITXCore@@@Z
??1CTXStringA@@QAE@XZ
??0CTXStringW@@QAE@XZ
?Mid@CTXStringW@@QBE?AV1@HH@Z
??1CTXStringW@@QAE@XZ

gf

?SetCustomObjectFactory@GF@Util@@YAXP6AHABU_GUID@@0PAPAX@Z@Z
?RawCreateGFElementByXtml@GF@Util@@YAJPA_WPAPAUIGFElement@@PAU3@0H@Z

mfc80u

ord4255
ord2985
ord5210
ord4226
ord1393
ord5911
ord6721
ord1536
ord2077
ord3286
ord1572
ord1634
ord293
ord354
ord1883
ord1785
ord6232
ord776
ord2651
ord6086
ord2311
ord2155
ord630
ord3082
ord2012
ord3050
ord385
ord3383
ord3635
ord4574
ord3627
ord1479
ord6111
ord2895
ord282
ord6700
ord6751
ord1194
ord807
ord2241
ord314
ord2244
ord2243
ord2827
ord6063
ord631
ord1431
ord2745
ord2742
ord3925
ord2279
ord2271
ord386
ord629
ord1430
ord5319
ord5083
ord384
ord258
ord2340
ord1571
ord590
ord331
ord3163
ord4475
ord2832
ord3629
ord496
ord3677
ord4535
ord664
ord757
ord427
ord566
ord3327
ord5562
ord5209
ord5226
ord4562
ord3942
ord2239
ord5222
ord5220
ord2925
ord1911
ord3826
ord5378
ord6215
ord5096
ord1007
ord3800
ord5579
ord2009
ord2054
ord4320
ord6274
ord3795
ord6272
ord4008
ord4032
ord1049
ord4347
ord1189
ord3204
ord1118
ord1925
ord3296
ord1271
ord3311
ord4234
ord1582
ord2086
ord741
ord501
ord2366
ord6061
ord3678
ord313
ord2897
ord6284
ord5427
ord4061
ord283
ord866
ord3017
ord572
ord1894
ord4119
ord5148
ord4206
ord5178
ord4729
ord4884
ord2011
ord1662
ord1661
ord1542
ord6720
ord5908
ord1611
ord1608
ord3940
ord1392
ord4238
ord1899
ord5067
ord6271
ord4179
ord5199
ord3397
ord4716
ord4276
ord1591
ord5956
ord5231
ord5229
ord920
ord925
ord929
ord927
ord931
ord2384
ord2404
ord2388
ord2394
ord2392
ord2390
ord2407
ord2402
ord2386
ord2409
ord2397
ord2379
ord2381
ord2399
ord2169
ord2163
ord1513
ord6273
ord3796
ord6275
ord3339
ord4961
ord1353
ord5171
ord1955
ord1647
ord1646
ord1590
ord5196
ord2531
ord2725
ord2829
ord4301
ord2708
ord2856
ord2534
ord2640
ord2527
ord3712
ord3713
ord3703
ord2638
ord3943
ord4480
ord4256
ord3176
ord577
ord587
ord715
ord605
ord870
ord557
ord745
ord1908
ord6293
ord5327
ord6282
ord762
ord5316
ord1172
ord3249
ord1058
ord1079
ord266
ord265
ord5712
ord1182
ord1176
ord1178
ord764
ord3158
ord1198

msvcr80

_decode_pointer
_onexit
_lock
__dllonexit
_unlock
?terminate@@YAXXZ
__set_app_type
_encode_pointer
__p__fmode
__p__commode
_adjust_fdiv
__setusermatherr
_configthreadlocale
_initterm_e
_initterm
_wcmdln
exit
_XcptFilter
_exit
_cexit
__wgetmainargs
_amsg_exit
?_open@@YAHPBDHH@Z
_snprintf
_wtempnam
_wremove
_lseek
_except_handler4_common
_write
_read
?_wopen@@YAHPB_WHH@Z
_errno
strncpy
_snwprintf
memmove
wcsstr
wcsncmp
wcschr
_beginthreadex
_byteswap_ulong
sprintf_s
srand
__CxxFrameHandler3
memcpy_s
_invalid_parameter_noinfo
memmove_s
memset
??0exception@std@@QAE@ABQBD@Z
?what@exception@std@@UBEPBDXZ
??1exception@std@@UAE@XZ
??0exception@std@@QAE@XZ
swprintf_s
_purecall
_CxxThrowException
??0exception@std@@QAE@ABV01@@Z
_invoke_watson
_controlfp_s
_crt_debugger_hook
_close
_recalloc
free
memcmp
memcpy
wcscpy_s
_wtoi
fread
ftell
fseek
?_type_info_dtor_internal_method@type_info@@QAEXXZ
fclose
fwrite
wcslen
_wfopen
_wtol
rand
__argc
__wargv
wcsncpy
malloc
realloc
_flushall
_time64

kernel32

GetLastError
RaiseException
DeleteCriticalSection
InitializeCriticalSection
SetThreadLocale
GetThreadLocale
GetCurrentProcessId
CreateEventW
ResetEvent
SetEvent
GetFileSize
GlobalAlloc
GlobalFree
MulDiv
GlobalUnlock
GlobalLock
LockResource
FreeResource
SizeofResource
LoadResource
FindResourceW
ResumeThread
FileTimeToDosDateTime
FileTimeToLocalFileTime
GetFileInformationByHandle
GetVersionExW
SetFileTime
LocalFileTimeToFileTime
DosDateTimeToFileTime
CreateFileA
InterlockedExchange
Sleep
InterlockedCompareExchange
GetStartupInfoW
SetUnhandledExceptionFilter
GetSystemTimeAsFileTime
TerminateProcess
GetCurrentProcess
UnhandledExceptionFilter
IsDebuggerPresent
WinExec
GetModuleHandleW
WriteFile
SetEndOfFile
CreateFileW
GetFileSizeEx
EnterCriticalSection
LeaveCriticalSection
GetModuleFileNameW
InterlockedIncrement
InterlockedDecrement
lstrlenW
GetTickCount
GetVersion
GetPrivateProfileIntW
GetFileAttributesW
CreateDirectoryW
CopyFileW
GetPrivateProfileStringW
QueryPerformanceCounter
GetCurrentThreadId
WaitForSingleObject
CreateMutexW
ReleaseMutex
RemoveDirectoryW
DeleteFileW
CloseHandle
TerminateThread
GetExitCodeThread
SetFileAttributesA
GetProcAddress
GetACP
GetLocaleInfoA
GetVersionExA
ReadFile

user32

GetClassInfoExA
CreateWindowExW
DefWindowProcW
GetDesktopWindow
UnregisterClassA
LoadIconW
GetClassInfoExW
CopyRect
LoadCursorA
UnregisterClassW
RegisterClassExA
SetRect
FillRect
GetClientRect
InvalidateRect
ReleaseDC
GetDC
GetWindow
IsWindow
GetPropW
IsIconic
ShowWindow
SetForegroundWindow
KillTimer
SetTimer
PostMessageW
GetSysColor
EnableWindow
SendMessageW
GetWindowRect
OffsetRect
RegisterClassExW
LoadCursorW

gdi32

DeleteObject
CreateSolidBrush
GetDeviceCaps
SelectObject
DeleteDC
CreateCompatibleDC
CreateCompatibleBitmap
SetBkColor
ExtTextOutW
SelectClipRgn
SetStretchBltMode
StretchBlt
BitBlt
CreateRectRgnIndirect
GetStockObject

advapi32

RegQueryValueExW
RegOpenKeyExW
RegSetValueExW
RegOpenKeyW
RegCloseKey

shell32

ShellExecuteExW
SHCreateDirectoryExW
ShellExecuteW
SHGetPathFromIDListW
SHGetSpecialFolderLocation
SHGetMalloc
SHGetDesktopFolder
SHFileOperationW
SHGetSpecialFolderPathW

shlwapi

PathRemoveFileSpecW
PathFileExistsW

ole32

CoInitialize
CoCreateInstance
CreateStreamOnHGlobal

oleaut32

OleLoadPicture
VariantCopy
VariantInit
SysAllocString
VariantClear
LoadTypeLi
LoadRegTypeLi
SysStringLen
SysFreeString

msvcp80

??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ
?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ
??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBD@Z
??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV01@@Z

atl80

ord30
ord58
ord31
ord32
ord15
ord18
ord22
ord64

Exports

Exports

DllCanUnloadNow
DllGetClassObject
DllMain
DllRegisterServer
DllUnregisterServer

Sections

.text
Size: 232KB - Virtual size: 230KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rdata
Size: 64KB - Virtual size: 60KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.data
Size: 4KB - Virtual size: 6KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.rsrc
Size: 168KB - Virtual size: 167KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

Sharing

General

Malware Config

Signatures

Files

6ddc0fe4651ead90bcd2ec9b32553773

Code Sign

7e:93:eb:fb:7c:c6:4e:59:ea:4b:9a:77:d4:06:fc:3bCertificate

Extended Key Usages

Key Usages

0e:cf:f4:38:c8:fe:bf:35:6e:04:d8:6a:98:1b:1a:50Certificate

Extended Key Usages

Key Usages

25:0c:e8:e0:30:61:2e:9f:2b:89:f7:05:4d:7c:f8:fdCertificate

Extended Key Usages

Key Usages

71:70:bd:93:cf:3f:18:9a:e6:45:2b:51:4c:49:34:0eCertificate

Extended Key Usages

Key Usages

52:00:e5:aa:25:56:fc:1a:86:ed:96:c9:d4:4b:33:c7Certificate

Extended Key Usages

Key Usages

ae:33:8f:72:ad:37:5e:63:35:8e:6d:46:0d:e5:b9:40:a1:2c:04:81Signer

Headers

DLL Characteristics

File Characteristics

PDB Paths

Imports

common

gf

mfc80u

msvcr80

kernel32

user32

gdi32

advapi32

shell32

shlwapi

ole32

oleaut32

msvcp80

atl80

Exports

Exports

Sections

.text Size: 232KB - Virtual size: 230KB

.rdata Size: 64KB - Virtual size: 60KB

.data Size: 4KB - Virtual size: 6KB

.rsrc Size: 168KB - Virtual size: 167KB

7e:93:eb:fb:7c:c6:4e:59:ea:4b:9a:77:d4:06:fc:3b
Certificate

0e:cf:f4:38:c8:fe:bf:35:6e:04:d8:6a:98:1b:1a:50
Certificate

25:0c:e8:e0:30:61:2e:9f:2b:89:f7:05:4d:7c:f8:fd
Certificate

71:70:bd:93:cf:3f:18:9a:e6:45:2b:51:4c:49:34:0e
Certificate

52:00:e5:aa:25:56:fc:1a:86:ed:96:c9:d4:4b:33:c7
Certificate

ae:33:8f:72:ad:37:5e:63:35:8e:6d:46:0d:e5:b9:40:a1:2c:04:81
Signer

.text
Size: 232KB - Virtual size: 230KB

.rdata
Size: 64KB - Virtual size: 60KB

.data
Size: 4KB - Virtual size: 6KB

.rsrc
Size: 168KB - Virtual size: 167KB