31d5bc3c75d1573d9606a69160c1c8dc_JaffaCakes118

General

Target

31d5bc3c75d1573d9606a69160c1c8dc_JaffaCakes118
Size

364KB
MD5

31d5bc3c75d1573d9606a69160c1c8dc
SHA1

967063b01f4703aad3ef5c1eacce2c529cd1899c
SHA256

ab4c08ea8f44544dc9724bb196677561746643eba735a31d2284040077e79080
SHA512

c266e7ddb921c626e561390a76c6a7efa3e9015118f5424fe745e7b154eac83a5c780d2c88f39901dda6cfc16d3559fe0bf33ce43d213eb5b24dbeb98c50a0f2
SSDEEP

3072:QemGVt8GTylTmxGQHp6IRgBWnzr7HD37nnrrLnvKx/B44/Fo9uV:juEylTm/Hpnz/HXnr/vYi4/Fo

Score

9^/10

cryptone packer

Malware Config

Signatures

CryptOne packer 1 IoCs
Detects CryptOne packer defined in NCC blogpost.
cryptone packer

Processes:

resource yara_rule

sample cryptone

resource	yara_rule
sample	cryptone

Unsigned PE 1 IoCs

Checks for missing Authenticode signature.

Processes:

resource
31d5bc3c75d1573d9606a69160c1c8dc_JaffaCakes118

Files

31d5bc3c75d1573d9606a69160c1c8dc_JaffaCakes118
.exe windows:4 windows x86 arch:x86

c94ede301410740e3977f98a1c33292f

Headers

File Characteristics

IMAGE_FILE_RELOCS_STRIPPED
IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LINE_NUMS_STRIPPED
IMAGE_FILE_LOCAL_SYMS_STRIPPED
IMAGE_FILE_32BIT_MACHINE

Imports

kernel32

lstrlenW
GetLastError
FreeLibrary
LoadLibraryW
SetLastError
WriteConsoleW
GetFileType
GetStdHandle
MultiByteToWideChar
GetModuleHandleA
FindFirstFileW
FindNextFileW
GetFileAttributesW
GetCommandLineW
LocalAlloc
LocalFree
VerifyVersionInfoW
FormatMessageW
GetModuleHandleW
VirtualAlloc
ExitProcess
LoadLibraryA
GetProcAddress
SetErrorMode

user32

UpdateWindow
LoadIconA
LoadCursorA
RegisterClassExA
CreateWindowExA
ShowWindow
LoadCursorW
GetDC
BeginPaint
GetClientRect
DrawTextA
EndPaint
PostQuitMessage

gdi32

GetStockObject
GetColorSpace

advapi32

RegSetValueExW
RegOpenKeyExA
RegQueryValueExA
GetSecurityDescriptorDacl
GetAclInformation
GetAce
IsWellKnownSid
RegOpenKeyExW
RegQueryValueExW
RegCloseKey
OpenProcessToken
DuplicateTokenEx
AllocateAndInitializeSid
CheckTokenMembership
FreeSid
RegCreateKeyExW
GetUserNameA
RegOpenKeyA

shell32

ShellExecuteW

winmm

PlaySoundA

Sections

.text
Size: 3KB - Virtual size: 2KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rdata
Size: 346KB - Virtual size: 346KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.data
Size: 5KB - Virtual size: 5KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.rsrc
Size: 8KB - Virtual size: 8KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

Sharing

General

Malware Config

Signatures

Files

c94ede301410740e3977f98a1c33292f

Headers

File Characteristics

Imports

kernel32

user32

gdi32

advapi32

shell32

winmm

Sections

.text Size: 3KB - Virtual size: 2KB

.rdata Size: 346KB - Virtual size: 346KB

.data Size: 5KB - Virtual size: 5KB

.rsrc Size: 8KB - Virtual size: 8KB

.text
Size: 3KB - Virtual size: 2KB

.rdata
Size: 346KB - Virtual size: 346KB

.data
Size: 5KB - Virtual size: 5KB

.rsrc
Size: 8KB - Virtual size: 8KB