58b71252bf2d489141518620d297be2a_JaffaCakes118 | Triage

Sharing

General

Target

58b71252bf2d489141518620d297be2a_JaffaCakes118
Size

378KB
MD5

58b71252bf2d489141518620d297be2a
SHA1

a7f554a1b9fba7880ba80f3138a2e31aab899263
SHA256

16b90a2a33eb0ee77808dc95ba87fc08f8b76ca4c4cbfdfc2ec65121f0b2c654
SHA512

90ef7413a3158d1ea2a150cd333d234c8b247c7d1698950a62f1d4df89342d953a679bd30172119bab7e8b9c8f5ea8c521c8dc7c22dc46d6741465e504f76c4b
SSDEEP

6144:KojzIWmeMy+048lqjO4vGTCraVmZgmfLaafxChizK6VWxtoloBj5rbx:KojsWKy+KlqC4+WrumfXfxxvVJ6Bj5r1

Score

9^/10

cryptone packer

Malware Config

Signatures

CryptOne packer 1 IoCs
Detects CryptOne packer defined in NCC blogpost.
cryptone packer

Processes:

resource yara_rule

sample cryptone

Unsigned PE 1 IoCs

Checks for missing Authenticode signature.

Processes:

resource
58b71252bf2d489141518620d297be2a_JaffaCakes118

Files

58b71252bf2d489141518620d297be2a_JaffaCakes118
.dll windows:4 windows x86 arch:x86

1238489ba1addb9c1df809630e25e0fc

Headers

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LINE_NUMS_STRIPPED
IMAGE_FILE_LOCAL_SYMS_STRIPPED
IMAGE_FILE_32BIT_MACHINE
IMAGE_FILE_DLL

Imports

kernel32

VirtualAlloc
SetErrorMode
GetModuleHandleW
LoadLibraryA
GetProcAddress

gdi32

StrokePath
GetStockObject
Pie

advapi32

RegQueryValueExA

shell32

ord18

ole32

OleDraw

comctl32

ImageList_Add

imm32

ImmGetVirtualKey

Sections

.text
Size: 3KB - Virtual size: 2KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rdata
Size: 198KB - Virtual size: 197KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.data
Size: 36KB - Virtual size: 36KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.rsrc
Size: 139KB - Virtual size: 139KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.reloc
Size: 512B - Virtual size: 328B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ