81b364166eb331f8f9f940c0b9c86c53_JaffaCakes118

Sharing

Copy URL Twitter E-mail

General

Target

81b364166eb331f8f9f940c0b9c86c53_JaffaCakes118
Size

364KB
MD5

81b364166eb331f8f9f940c0b9c86c53
SHA1

6c8f70c026c7e84a76aa82c9dce40e143ec56162
SHA256

7e105552aebf7277840032782bc9d67b7c5e353beee041fc2c8598b3ea74cada
SHA512

d29438eb38e7eaf8d3f3bd2c3a2b5148b56c85185cc2be2b57ac59725f38b451bdbf02d7479b7f298d6efec5d4dcd5bd49c0d57a73fe88d5cf34f3a44240bcfa
SSDEEP

6144:5LjPM8O6atB1TZ5zLmPykTqtT8tZECWvAYtv8TBz4kqckHU:VjPM8O6azlZ5HmPcyE3vntv8TBB3k0

Score

1^/10

Malware Config

Signatures

Files

81b364166eb331f8f9f940c0b9c86c53_JaffaCakes118
.dll windows:4 windows x86 arch:x86

6048b00f601ff1616dbb518b78fc8e0a

Code Sign

04:00:00:00:00:01:2f:4e:e1:35:5c
Certificate

Issuer

CN=GlobalSign Root CA,OU=Root CA,O=GlobalSign nv-sa,C=BE

Not Before

13/04/2011, 10:00

Not After

13/04/2019, 10:00

Subject

CN=GlobalSign CodeSigning CA - G2,O=GlobalSign nv-sa,C=BE

Extended Key Usages

ExtKeyUsageCodeSigning

Key Usages

KeyUsageCertSign
KeyUsageCRLSign

16:88:f0:39:25:5e:63:8e:69:14:39:07:e6:33:0b
Certificate

Issuer

CN=UTN-USERFirst-Object,OU=http://www.usertrust.com,O=The USERTRUST Network,L=Salt Lake City,ST=UT,C=US

Not Before

31/12/2015, 00:00

Not After

09/07/2019, 18:40

Subject

CN=COMODO SHA-1 Time Stamping Signer,O=COMODO CA Limited,L=Salford,ST=Greater Manchester,C=GB

Extended Key Usages

ExtKeyUsageTimeStamping

Key Usages

KeyUsageDigitalSignature
KeyUsageContentCommitment

11:21:67:1b:9c:9c:88:b9:69:99:d2:12:24:77:66:a5:d4:04
Certificate

Issuer

CN=GlobalSign CodeSigning CA - G2,O=GlobalSign nv-sa,C=BE

Not Before

03/12/2013, 17:49

Not After

01/03/2017, 12:33

Subject

CN=Biz Secure Labs Pvt. Ltd.,O=Biz Secure Labs Pvt. Ltd.,L=Pune,ST=Maharashfra,C=IN,1.2.840.113549.1.9.1=#0c1a737570706f727440696e646961616e746976697275732e636f6d

Extended Key Usages

ExtKeyUsageCodeSigning

Key Usages

KeyUsageDigitalSignature

00:3d:30:18:66:1f:78:d5:7b:93:d5:5e:fa:b1:53:cc:25:9d:4f:9f
Signer

Actual PE Digest

00:3d:30:18:66:1f:78:d5:7b:93:d5:5e:fa:b1:53:cc:25:9d:4f:9f

Digest Algorithm

sha1

PE Digest Matches

true

Headers

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_32BIT_MACHINE
IMAGE_FILE_DLL

PDB Paths

c:\projects\projectsJ\nfsdk2\bin\release\win32\NtWinSecService.pdb

Imports

kernel32

ReadFile
WriteFile
GetFileSize
SetEndOfFile
GetTempPathW
GetTempFileNameW
OpenProcess
InterlockedIncrement
SetFilePointer
CreateDirectoryW
LoadLibraryA
GetProcAddress
FreeLibrary
ProcessIdToSessionId
GetTickCount
CreateFileW
CreateMutexA
ReleaseMutex
LeaveCriticalSection
GetLastError
EnterCriticalSection
SetEvent
DeleteCriticalSection
lstrlenA
ResetEvent
InitializeCriticalSection
DeleteFileW
CreateEventA
WaitForMultipleObjects
ExpandEnvironmentStringsW
CloseHandle
WaitForSingleObject
CreateProcessW
FindClose
FindNextFileW
InterlockedDecrement
FindFirstFileW
CreateFileA
WriteConsoleW
GetConsoleOutputCP
WriteConsoleA
GetLocaleInfoA
GetStringTypeW
GetStringTypeA
GetCurrentProcessId
QueryPerformanceCounter
GetEnvironmentStringsW
FreeEnvironmentStringsW
GetEnvironmentStrings
FreeEnvironmentStringsA
SetStdHandle
FlushFileBuffers
LCMapStringW
LCMapStringA
HeapSize
Sleep
GetConsoleMode
GetConsoleCP
WideCharToMultiByte
GetStartupInfoA
GetFileType
SetHandleCount
RtlUnwind
RaiseException
GetACP
GetCPInfo
GetModuleFileNameA
GetStdHandle
ExitProcess
GetModuleHandleA
HeapCreate
HeapDestroy
VirtualAlloc
VirtualFree
GetVersionExA
GetCommandLineA
HeapReAlloc
CreateThread
GetCurrentThreadId
ExitThread
GetProcessHeap
GetSystemTimeAsFileTime
MultiByteToWideChar
IsDebuggerPresent
GetOEMCP
SetUnhandledExceptionFilter
UnhandledExceptionFilter
GetCurrentProcess
TerminateProcess
HeapFree
HeapAlloc
IsValidCodePage
TlsGetValue
TlsAlloc
TlsSetValue
TlsFree
SetLastError

advapi32

OpenProcessToken
LookupAccountSidA
LookupAccountSidW
DuplicateTokenEx
ImpersonateLoggedOnUser
RevertToSelf
GetTokenInformation

oleaut32

SysAllocString
VariantClear
SysFreeString

crypt32

CertCloseStore
CertGetCertificateChain
CertAddEncodedCertificateToStore
CertOpenStore
CertVerifyCertificateChainPolicy
CertFreeCertificateChain
CertOpenSystemStoreA
CertEnumCertificatesInStore
CertFindCertificateInStore
CertAddCertificateContextToStore
CertFreeCertificateContext
PFXExportCertStoreEx

nppacket

ord48
ord86
ord116
ord110
ord82
ord83
ord75
ord112
ord12
ord22
ord28
ord265
ord155
ord94
ord385
ord8
ord43
ord78
ord58
ord61
ord35
ord96
ord166
ord84
ord6
ord243
ord284
ord370
ord45
ord90
ord391
ord108
ord359
ord31
ord242
ord74
ord183
ord60

nppfsnif

ord129
ord648
ord657
ord579
ord578
ord566
ord2442
ord1958
ord1654
ord1653
ord3024
ord664
ord3171
ord2186
ord3106
ord283
ord485
ord279
ord673
ord670
ord629
ord188
ord656
ord2411
ord1804
ord573
ord1912
ord672
ord197
ord669
ord668
ord585
ord181
ord624
ord910
ord658
ord1206
ord246
ord667
ord364
ord2604
ord674
ord3164
ord224
ord3315
ord3048
ord109
ord1308
ord1291
ord3020
ord170
ord3173
ord227
ord581
ord653
ord2291
ord3205
ord2639
ord2684
ord2746
ord909
ord1299
ord444
ord1318
ord2734
ord1317
ord2672
ord58
ord164
ord2239
ord150
ord649
ord541
ord633
ord1177
ord1508
ord905
ord626
ord333
ord639
ord851
ord2838
ord857
ord2971
ord363
ord2713
ord316
ord2966
ord4701
ord298
ord921
ord281
ord254
ord641
ord66
ord89
ord52
ord421
ord95
ord78
ord754

ws2_32

WSAStartup
WSACleanup
ntohs
ntohl
htons
WSAAddressToStringA

Exports

Exports

?PFObject_create@NtWinSecService@@YAPAVPFObject@1@HH@Z
?pf_addFilter@NtWinSecService@@YAH_KW4_PF_FilterType@1@KW4_PF_OpTarget@1@1@Z
?pf_canDisableFiltering@NtWinSecService@@YAH_K@Z
?pf_deleteFilter@NtWinSecService@@YAH_KW4_PF_FilterType@1@@Z
?pf_free@NtWinSecService@@YAXXZ
?pf_getFilterCount@NtWinSecService@@YAH_K@Z
?pf_getNFEventHandler@NtWinSecService@@YAPAVNF_EventHandler@npflt@@XZ
?pf_getProcessOwnerA@NtWinSecService@@YAHKPADH@Z
?pf_getProcessOwnerW@NtWinSecService@@YAHKPA_WH@Z
?pf_init@NtWinSecService@@YAHPAVPFEvents@1@PB_W@Z
?pf_isFilterActive@NtWinSecService@@YAH_KW4_PF_FilterType@1@@Z
?pf_postObject@NtWinSecService@@YAH_KPAVPFObject@1@@Z
?pf_setRootSSLCertImportFlags@NtWinSecService@@YAXK@Z
?pf_setRootSSLCertSubject@NtWinSecService@@YAXPBD@Z
?pf_unzipStream@NtWinSecService@@YAHPAVPFStream@1@@Z

Sections

.text
Size: 276KB - Virtual size: 273KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rdata
Size: 52KB - Virtual size: 49KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.data
Size: 8KB - Virtual size: 15KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.rsrc
Size: 4KB - Virtual size: 1KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.reloc
Size: 16KB - Virtual size: 15KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ

Sharing

General

Malware Config

Signatures

Files

6048b00f601ff1616dbb518b78fc8e0a

Code Sign

04:00:00:00:00:01:2f:4e:e1:35:5cCertificate

Extended Key Usages

Key Usages

16:88:f0:39:25:5e:63:8e:69:14:39:07:e6:33:0bCertificate

Extended Key Usages

Key Usages

11:21:67:1b:9c:9c:88:b9:69:99:d2:12:24:77:66:a5:d4:04Certificate

Extended Key Usages

Key Usages

00:3d:30:18:66:1f:78:d5:7b:93:d5:5e:fa:b1:53:cc:25:9d:4f:9fSigner

Headers

File Characteristics

PDB Paths

Imports

kernel32

advapi32

oleaut32

crypt32

nppacket

nppfsnif

ws2_32

Exports

Exports

Sections

.text Size: 276KB - Virtual size: 273KB

.rdata Size: 52KB - Virtual size: 49KB

.data Size: 8KB - Virtual size: 15KB

.rsrc Size: 4KB - Virtual size: 1KB

.reloc Size: 16KB - Virtual size: 15KB

04:00:00:00:00:01:2f:4e:e1:35:5c
Certificate

16:88:f0:39:25:5e:63:8e:69:14:39:07:e6:33:0b
Certificate

11:21:67:1b:9c:9c:88:b9:69:99:d2:12:24:77:66:a5:d4:04
Certificate

00:3d:30:18:66:1f:78:d5:7b:93:d5:5e:fa:b1:53:cc:25:9d:4f:9f
Signer

.text
Size: 276KB - Virtual size: 273KB

.rdata
Size: 52KB - Virtual size: 49KB

.data
Size: 8KB - Virtual size: 15KB

.rsrc
Size: 4KB - Virtual size: 1KB

.reloc
Size: 16KB - Virtual size: 15KB