6e13df3da08bc23ca98c90954858988c_JaffaCakes118

Sharing

Copy URL Twitter E-mail

General

Target

6e13df3da08bc23ca98c90954858988c_JaffaCakes118
Size

156KB
MD5

6e13df3da08bc23ca98c90954858988c
SHA1

182614fed814b4e90fd7071774b9aab84e615366
SHA256

f6ba54888f5047a82cd80f8e8a79ce70411f94985f83d69117c53f78ffc45e45
SHA512

68dd7d1699f30b986137e2e64a77ec1f00d428359612d8b492f03ba10ad042bd8e7e52491e722d7ad0f639d3459162e1b902ddb6a85f2783cc722a80a7ac3598
SSDEEP

3072:265ZqUsSngWryFc7e80Lb2nm0D3Tfk2a3aPl48UEnOfPavkqP:f5QmnEFc7afEZdPl4dEnOfPa1

Score

1^/10

Malware Config

Signatures

Files

6e13df3da08bc23ca98c90954858988c_JaffaCakes118
.dll windows:5 windows x86 arch:x86

77bd077ff001333e3dc9c36756ce51ce

Code Sign

7e:93:eb:fb:7c:c6:4e:59:ea:4b:9a:77:d4:06:fc:3b
Certificate

Issuer

CN=Thawte Timestamping CA,OU=Thawte Certification,O=Thawte,L=Durbanville,ST=Western Cape,C=ZA

Not Before

21/12/2012, 00:00

Not After

30/12/2020, 23:59

Subject

CN=Symantec Time Stamping Services CA - G2,O=Symantec Corporation,C=US

Extended Key Usages

ExtKeyUsageTimeStamping

Key Usages

KeyUsageCertSign
KeyUsageCRLSign

0e:cf:f4:38:c8:fe:bf:35:6e:04:d8:6a:98:1b:1a:50
Certificate

Issuer

CN=Symantec Time Stamping Services CA - G2,O=Symantec Corporation,C=US

Not Before

18/10/2012, 00:00

Not After

29/12/2020, 23:59

Subject

CN=Symantec Time Stamping Services Signer - G4,O=Symantec Corporation,C=US

Extended Key Usages

ExtKeyUsageTimeStamping

Key Usages

KeyUsageDigitalSignature

25:0c:e8:e0:30:61:2e:9f:2b:89:f7:05:4d:7c:f8:fd
Certificate

Issuer

OU=Class 3 Public Primary Certification Authority,O=VeriSign\, Inc.,C=US

Not Before

08/11/2006, 00:00

Not After

07/11/2021, 23:59

Subject

CN=VeriSign Class 3 Public Primary Certification Authority - G5,OU=VeriSign Trust Network+OU=(c) 2006 VeriSign\, Inc. - For authorized use only,O=VeriSign\, Inc.,C=US

Extended Key Usages

ExtKeyUsageServerAuth
ExtKeyUsageClientAuth
ExtKeyUsageCodeSigning
ExtKeyUsageNetscapeServerGatedCrypto

Key Usages

KeyUsageCertSign
KeyUsageCRLSign

61:0c:12:06:00:00:00:00:00:1b
Certificate

Issuer

CN=Microsoft Code Verification Root,O=Microsoft Corporation,L=Redmond,ST=Washington,C=US

Not Before

23/05/2006, 17:01

Not After

23/05/2016, 17:11

Subject

OU=Class 3 Public Primary Certification Authority,O=VeriSign\, Inc.,C=US

Key Usages

KeyUsageDigitalSignature
KeyUsageCertSign
KeyUsageCRLSign

1f:d2:d3:0e:26:0f:c2:89:cf:af:11:51:8f:2c:d3:6f
Certificate

Issuer

CN=Symantec Class 3 SHA256 Code Signing CA,OU=Symantec Trust Network,O=Symantec Corporation,C=US

Not Before

15/12/2015, 00:00

Not After

06/02/2018, 23:59

Subject

CN=BeiJing Baidu Netcom Science Technology Co.\, Ltd,OU=\ Engineering Excellence,O=BeiJing Baidu Netcom Science Technology Co.\, Ltd,L=Beijing,ST=Beijing,C=CN

Extended Key Usages

ExtKeyUsageCodeSigning

Key Usages

KeyUsageDigitalSignature

3d:78:d7:f9:76:49:60:b2:61:7d:f4:f0:1e:ca:86:2a
Certificate

Issuer

CN=VeriSign Class 3 Public Primary Certification Authority - G5,OU=VeriSign Trust Network+OU=(c) 2006 VeriSign\, Inc. - For authorized use only,O=VeriSign\, Inc.,C=US

Not Before

10/12/2013, 00:00

Not After

09/12/2023, 23:59

Subject

CN=Symantec Class 3 SHA256 Code Signing CA,OU=Symantec Trust Network,O=Symantec Corporation,C=US

Extended Key Usages

ExtKeyUsageClientAuth
ExtKeyUsageCodeSigning

Key Usages

KeyUsageCertSign
KeyUsageCRLSign

77:cf:e1:3e:57:1b:5c:3e:b9:74:7d:46:e3:61:99:ad:93:1a:0a:03
Signer

Actual PE Digest

77:cf:e1:3e:57:1b:5c:3e:b9:74:7d:46:e3:61:99:ad:93:1a:0a:03

Digest Algorithm

sha1

PE Digest Matches

true

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
IMAGE_DLLCHARACTERISTICS_NX_COMPAT

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_32BIT_MACHINE
IMAGE_FILE_DLL

PDB Paths

D:\jenkins\workspace\minibaidu_tag_20160121_2.3.0_Normal\Basic\Tools\NSIS\Plugins\InstallHelper.pdb

Imports

bdmskin

?IsEmpty@CStdString@BDMUtils@BDMSkin@@QBE_NXZ
?GetLength@CStdString@BDMUtils@BDMSkin@@QBEHXZ
??0CStdString@BDMUtils@BDMSkin@@QAE@XZ
?m_pStrResourceZip@IResourceManager@ExpandInterface@BDMSkin@@0VCStdString@BDMUtils@3@A
?BDMSkinMessageBox@BDMSkin@@YAHPAUHWND__@@PB_W1IK11111H@Z
?BDMSkinMessageBoxSetBtnText@BDMSkin@@YAXPB_W00@Z
?OnFinalMessage@CBDMBaseWnd@BDMSkin@@MAEXPAUHWND__@@@Z
?GetClassStyle@CBDMBaseWnd@BDMSkin@@MBEIXZ
?GetSuperClassName@CBDMBaseWnd@BDMSkin@@MBEPB_WXZ
??0CBDMBaseWnd@BDMSkin@@QAE@XZ
?GetHBitmapFromRes@CRenderEngine@BDMSkin@@SAPAUHBITMAP__@@PAVIControlManger@ExpandInterface@2@PB_W@Z
?GetControlSnapShot@CRenderEngine@BDMSkin@@SAPAUHBITMAP__@@PAVIControlManger@ExpandInterface@2@PAVIControlUI@52@@Z
?GetAt@CStdString@BDMUtils@BDMSkin@@QBE_WH@Z
?SetFont@CBDMLabelUI@BDMSkin@@QAEXH@Z
?IsSelected@CBDMOptionUI@BDMSkin@@QBE_NXZ
?Stop@CBDMGifViewUI@BDMSkin@@QAEXXZ
?Play@CBDMGifViewUI@BDMSkin@@QAEXXZ
?GetAnimationFactory@BDMSkin@@YGJPAPAUIAnimationFactory@1@@Z
?SetValue@CBDMProgressUI@BDMSkin@@QAEXH_N@Z
?SetMaxValue@CBDMProgressUI@BDMSkin@@QAEXH@Z
??1CBDMControlManger@BDMSkin@@QAE@XZ
??0CBDMControlManger@BDMSkin@@QAE@XZ
??1CBDMBaseWnd@BDMSkin@@UAE@XZ
??4CStdString@BDMUtils@BDMSkin@@QAEABV012@PB_W@Z
??HCStdString@BDMUtils@BDMSkin@@QAE?AV012@PB_W@Z
??YCStdString@BDMUtils@BDMSkin@@QAEABV012@_W@Z
?MakeLower@CStdString@BDMUtils@BDMSkin@@QAEXXZ
?Left@CStdString@BDMUtils@BDMSkin@@QBE?AV123@H@Z
?Mid@CStdString@BDMUtils@BDMSkin@@QBE?AV123@HH@Z
?Right@CStdString@BDMUtils@BDMSkin@@QBE?AV123@H@Z
?Find@CStdString@BDMUtils@BDMSkin@@QBEHPB_WH@Z
?Find@CStdString@BDMUtils@BDMSkin@@QBEH_WH@Z
?GetHWND@CBDMBaseWnd@BDMSkin@@QBEPAUHWND__@@XZ
?Create@CBDMBaseWnd@BDMSkin@@QAEPAUHWND__@@PAU3@PB_WKKHHHHPAUHMENU__@@@Z
?ShowWindow@CBDMBaseWnd@BDMSkin@@QAEX_N0@Z
?CenterWindow@CBDMBaseWnd@BDMSkin@@QAEXPAUHWND__@@@Z
?SetResourceZip@IResourceManager@ExpandInterface@BDMSkin@@SAXPB_W@Z
?TranslateMessage@IControlManger@ExpandInterface@BDMSkin@@SA_NQAUtagMSG@@@Z
??1CBDMDialogBuilder@BDMSkin@@QAE@XZ
??0CBDMDialogBuilder@BDMSkin@@QAE@XZ
?Create@CBDMDialogBuilder@BDMSkin@@QAEPAVIControlUI@ExpandInterface@2@VSTRINGorID@BDMUtils@2@PB_WPAVIDialogBuilderCallback@2@PAVIControlManger@42@PAV342@@Z
?AttachDialog@CBDMControlManger@BDMSkin@@QAE_NPAVIControlUI@ExpandInterface@2@@Z
?AddNotifier@CBDMControlManger@BDMSkin@@QAE_NPAVINotifyUI@ExpandInterface@2@@Z
??YCBDMEventSource@ExpandInterface@BDMSkin@@QAEXAAVCBDMDelegateBase@12@@Z
??0CBDMDelegateBase@ExpandInterface@BDMSkin@@QAE@ABV012@@Z
??0CBDMDelegateBase@ExpandInterface@BDMSkin@@QAE@PAX0@Z
??1CBDMDelegateBase@ExpandInterface@BDMSkin@@UAE@XZ
?Equals@CBDMDelegateBase@ExpandInterface@BDMSkin@@UBE_NABV123@@Z
?GetObjectW@CBDMDelegateBase@ExpandInterface@BDMSkin@@IAEPAXXZ
??0CStdString@BDMUtils@BDMSkin@@QAE@PB_W@Z
??0CStdString@BDMUtils@BDMSkin@@QAE@ABV012@@Z
??1CStdString@BDMUtils@BDMSkin@@QAE@XZ
?GetData@CStdString@BDMUtils@BDMSkin@@QBEPB_WXZ
??BCStdString@BDMUtils@BDMSkin@@QBEPB_WXZ
??4CStdString@BDMUtils@BDMSkin@@QAEABV012@ABV012@@Z
??8CStdString@BDMUtils@BDMSkin@@QBE_NPB_W@Z
??BCBDMBaseWnd@BDMSkin@@QBEPAUHWND__@@XZ
?HandleMessage@CBDMBaseWnd@BDMSkin@@MAEJIIJ@Z
?Append@CStdString@BDMUtils@BDMSkin@@QAEXPB_WH@Z
?SendMessageW@CBDMBaseWnd@BDMSkin@@IAEJIIJ@Z

psapi

GetProcessImageFileNameW

kernel32

RemoveDirectoryW
Process32NextW
lstrcmpiW
FindNextFileW
CreateToolhelp32Snapshot
DeleteFileW
GetCurrentProcessId
GetThreadTimes
lstrcpyW
SetFileAttributesW
CreateThread
ExpandEnvironmentStringsW
WaitForSingleObject
CreateEventW
GetDriveTypeW
GetModuleFileNameW
GetFileSize
UnmapViewOfFile
GetCPInfo
MapViewOfFileEx
IsDBCSLeadByte
CreateFileMappingW
GetWindowsDirectoryW
GetProcessHeap
HeapSize
HeapReAlloc
HeapFree
HeapAlloc
HeapDestroy
DeleteCriticalSection
InitializeCriticalSectionAndSpinCount
LeaveCriticalSection
EnterCriticalSection
RaiseException
GetSystemTimeAsFileTime
GetCurrentThreadId
QueryPerformanceCounter
IsDebuggerPresent
SetUnhandledExceptionFilter
UnhandledExceptionFilter
InterlockedCompareExchange
Sleep
InterlockedExchange
DecodePointer
EncodePointer
IsProcessorFeaturePresent
GetTickCount
FreeLibrary
OpenProcess
LoadLibraryW
GetVersionExW
GetProcAddress
CloseHandle
MultiByteToWideChar
FindFirstFileW
FindResourceExW
FindResourceW
LoadResource
CreateProcessW
SetDllDirectoryW
MoveFileExW
GetCurrentProcess
CompareFileTime
CreateDirectoryW
GetModuleHandleW
WriteFile
GlobalAlloc
LockResource
OpenThread
Process32FirstW
FindClose
GlobalFree
GetLastError
CreateFileW
Thread32Next
TerminateProcess
GetFileAttributesW
lstrcpynW
SizeofResource
CopyFileW
WideCharToMultiByte
Thread32First
GetSystemDirectoryW

user32

UpdateWindow
SetDlgItemTextW
CloseWindow
GetDlgItemTextW
MessageBoxW
GetDlgItem
EnableMenuItem
GetWindowTextW
InvalidateRect
KillTimer
PostMessageW
SetTimer
GetSystemMenu
SetWindowPos
ShowWindow
SetWindowTextW
CallWindowProcW
wsprintfW
EnableWindow
GetDC
IsWindow
FindWindowExW
PostThreadMessageW
DestroyWindow
SetWindowRgn
ScreenToClient
GetWindowRect
IsIconic
IsZoomed
FindWindowW
GetClientRect
OffsetRect
GetWindowLongW
SetWindowLongW
GetCursorPos
SendMessageW

gdi32

EnumFontsW
DeleteObject
CreateRoundRectRgn

advapi32

OpenProcessToken
AllocateAndInitializeSid
FreeSid
CheckTokenMembership
CreateServiceW
CloseServiceHandle
DeleteService
OpenSCManagerW
OpenServiceW
RegQueryValueExW
LookupPrivilegeValueW
StartServiceW
QueryServiceStatus
RegOpenKeyExW
ControlService
AdjustTokenPrivileges
RegCloseKey
RegSetValueExW
RegCreateKeyExW
RegCreateKeyW
RegQueryInfoKeyW
RegDeleteKeyW
RegEnumKeyExW
IsTextUnicode

shell32

SHGetSpecialFolderPathW
SHGetMalloc
SHBrowseForFolderW
SHChangeNotify
SHCreateDirectoryExW
ShellExecuteW
SHGetPathFromIDListW

ole32

CoInitializeEx
CoUninitialize
CoCreateInstance
CoInitialize

oleaut32

SysStringLen
SysFreeString
SysAllocString

msvcp100

??0_Locinfo@std@@QAE@HPBD@Z
??1_Locinfo@std@@QAE@XZ
??Bid@locale@std@@QAEIXZ
?_Incref@facet@locale@std@@QAEXXZ
?_Decref@facet@locale@std@@QAEPAV123@XZ
??1_Locimp@locale@std@@MAE@XZ
??0_Locimp@locale@std@@AAE@_N@Z
?toupper@?$ctype@_W@std@@QBE_W_W@Z
?_Getcat@?$ctype@_W@std@@SAIPAPBVfacet@locale@2@PBV42@@Z
?imbue@?$basic_ios@_WU?$char_traits@_W@std@@@std@@QAE?AVlocale@2@ABV32@@Z
?_Init@locale@std@@CAPAV_Locimp@12@XZ
?_Getgloballocale@locale@std@@CAPAV_Locimp@12@XZ
?_Makeloc@_Locimp@locale@std@@CAPAV123@ABV_Locinfo@3@HPAV123@PBV23@@Z
??0_Lockit@std@@QAE@H@Z
??1_Lockit@std@@QAE@XZ
?_Xruntime_error@std@@YAXPBD@Z
?id@?$ctype@_W@std@@2V0locale@2@A
?wcout@std@@3V?$basic_ostream@_WU?$char_traits@_W@std@@@1@A
?_Xlength_error@std@@YAXPBD@Z
?_Xout_of_range@std@@YAXPBD@Z

msvcr100

_time64
srand
rand
_itow
_itow_s
wcsncpy
exit
_CxxThrowException
memcpy
__RTDynamicCast
fclose
wcscat_s
memcpy_s
free
malloc
wcsspn
wcscspn
__CxxFrameHandler3
?terminate@@YAXXZ
_unlock
__dllonexit
_lock
_onexit
_malloc_crt
_encoded_null
_initterm
_initterm_e
_amsg_exit
__CppXcptFilter
_crt_debugger_hook
?_type_info_dtor_internal_method@type_info@@QAEXXZ
_except_handler4_common
__clean_type_info_names_internal
_wtmpnam_s
_vscwprintf
??3@YAXPAX@Z
??2@YAPAXI@Z
?what@exception@std@@UBEPBDXZ
??1exception@std@@UAE@XZ
??0exception@std@@QAE@ABQBD@Z
??0exception@std@@QAE@ABV01@@Z
memmove
??_V@YAXPAX@Z
wcstoul
_wcsnicmp
wcsnlen
_snwprintf_s
_wfopen_s
wcschr
memmove_s
_purecall
??1bad_cast@std@@UAE@XZ
??0bad_cast@std@@QAE@PBD@Z
??0bad_cast@std@@QAE@ABV01@@Z
??8type_info@@QBE_NABV0@@Z
fwprintf
_wtoi
wmemcpy_s
vswprintf_s
wcsrchr
wcsstr
memset

shlwapi

PathFileExistsW
PathStripToRootW
PathRemoveFileSpecW

Exports

Exports

CallHoldProc
CallWebDownloadDll
CleanBeforeKillProcess
CompareVersion
CopyHelp
CreateDir
CreateInstallWnd
CreateProcessLow
CreateUnInstallWnd
DeleteDirectory
Encrypt
ExitInstallProcess
ExitRunningProcess
FileExist
FindYhFont
FireWallAddApp
FireWallDelApp
FolderExist
GetAllUserAppDataDir
GetAllUserProfileDir
GetCostTime
GetDeleteConfigFile
GetParentProcess
GetQuickLaunch
GetSetDefault
GetSysTempDir
GetTempDir
GetUnInstallReason
GetUserAppDataDir
GetWndHandle
GetXmlPath
GoNext
HandleFirewall
HandleInviterUK
HandleTipsConfig
HideInstallWnd
InitReport
InitSetupLog
InstallBaiduService
InstallBaiduServiceDelay
InstallSC
InstallSCDelay
IsMainWindowExist
IsProcessRunning
IsSystemCompatible
IsWow64
IsZhunruExist
KVMessageBox
KillRunningProcess
NavigateUrl
NotifyHostSetupStatus
NotifyHostSetupStatus_GS
RecordEndTime
RecordSetupBeginTime
RecordStartTime
RefreshIcon
RegisterSC
RegisterSCDelay
RemoveDefaultBrowser
RenameAndDeleteFile
ReportInstallCancel
ReportInstallFinish
ReportInstallLaunch
ReportUninstallCaller
ReportUninstallCancel
ReportUninstallFinish
SendComplete
SetInstallParam
SetUnInstallParam
SetWebDownloaderPath
StartPin
StartUnPin
StopDocker
TaskBarPin
TaskBarUnPin
UnInstallSC
UninstPangolin
UnistallBaiduService
ValidateInstDir
WriteRegForDockWhenInstall
WriteRegForDockWhenUnInstall
WriteRegTnBin
WriteRegValue
WriteSetupLog

Sections

.text
Size: 98KB - Virtual size: 98KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rdata
Size: 33KB - Virtual size: 32KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.data
Size: 4KB - Virtual size: 13KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.rsrc
Size: 1KB - Virtual size: 1KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.reloc
Size: 10KB - Virtual size: 9KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ

Sharing

General

Malware Config

Signatures

Files

77bd077ff001333e3dc9c36756ce51ce

Code Sign

7e:93:eb:fb:7c:c6:4e:59:ea:4b:9a:77:d4:06:fc:3bCertificate

Extended Key Usages

Key Usages

0e:cf:f4:38:c8:fe:bf:35:6e:04:d8:6a:98:1b:1a:50Certificate

Extended Key Usages

Key Usages

25:0c:e8:e0:30:61:2e:9f:2b:89:f7:05:4d:7c:f8:fdCertificate

Extended Key Usages

Key Usages

61:0c:12:06:00:00:00:00:00:1bCertificate

Key Usages

1f:d2:d3:0e:26:0f:c2:89:cf:af:11:51:8f:2c:d3:6fCertificate

Extended Key Usages

Key Usages

3d:78:d7:f9:76:49:60:b2:61:7d:f4:f0:1e:ca:86:2aCertificate

Extended Key Usages

Key Usages

77:cf:e1:3e:57:1b:5c:3e:b9:74:7d:46:e3:61:99:ad:93:1a:0a:03Signer

Headers

DLL Characteristics

File Characteristics

PDB Paths

Imports

bdmskin

psapi

kernel32

user32

gdi32

advapi32

shell32

ole32

oleaut32

msvcp100

msvcr100

shlwapi

Exports

Exports

Sections

.text Size: 98KB - Virtual size: 98KB

.rdata Size: 33KB - Virtual size: 32KB

.data Size: 4KB - Virtual size: 13KB

.rsrc Size: 1KB - Virtual size: 1KB

.reloc Size: 10KB - Virtual size: 9KB

7e:93:eb:fb:7c:c6:4e:59:ea:4b:9a:77:d4:06:fc:3b
Certificate

0e:cf:f4:38:c8:fe:bf:35:6e:04:d8:6a:98:1b:1a:50
Certificate

25:0c:e8:e0:30:61:2e:9f:2b:89:f7:05:4d:7c:f8:fd
Certificate

61:0c:12:06:00:00:00:00:00:1b
Certificate

1f:d2:d3:0e:26:0f:c2:89:cf:af:11:51:8f:2c:d3:6f
Certificate

3d:78:d7:f9:76:49:60:b2:61:7d:f4:f0:1e:ca:86:2a
Certificate

77:cf:e1:3e:57:1b:5c:3e:b9:74:7d:46:e3:61:99:ad:93:1a:0a:03
Signer

.text
Size: 98KB - Virtual size: 98KB

.rdata
Size: 33KB - Virtual size: 32KB

.data
Size: 4KB - Virtual size: 13KB

.rsrc
Size: 1KB - Virtual size: 1KB

.reloc
Size: 10KB - Virtual size: 9KB