8b59f18078af06b7c0ec166e3e40306e_JaffaCakes118

Sharing

Copy URL Twitter E-mail

General

Target

8b59f18078af06b7c0ec166e3e40306e_JaffaCakes118
Size

1.1MB
MD5

8b59f18078af06b7c0ec166e3e40306e
SHA1

1fa4ee076c45f5af72a42e8819992bf3067cc1ff
SHA256

582245e8076c2c79e1272ababb96b91c1ed7d20cb0a5404280302fdbc8dfcd99
SHA512

8b2ab6585d1dd42e8dff8d1b0b269f645d0820b6f20bd7b81fc0095421e0b5e4825c374c3d4694b04250eaaa3daf55a6d536e5026f6998f8504e55304a532693
SSDEEP

24576:cGpsmJ1Jfg2izpM5P3DoWzmufbjhybJNtdPJDI1mi0lbW:HTizq57n6ucJZPFFiKW

Score

7^/10

vmprotect

Malware Config

Signatures

VMProtect packed file 1 IoCs

Detects executables packed with VMProtect commercial packer.

vmprotect

resource	yara_rule
sample	vmprotect

Unsigned PE 1 IoCs

Checks for missing Authenticode signature.

resource
8b59f18078af06b7c0ec166e3e40306e_JaffaCakes118

Files

8b59f18078af06b7c0ec166e3e40306e_JaffaCakes118
.dll windows:5 windows x86 arch:x86

ae674ef6d8bb4c96965788073a946a07

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_32BIT_MACHINE
IMAGE_FILE_DLL

PDB Paths

M:\newdll\新建文件夹 - 副本 (2)\Release\bluecg.pdb

Imports

kernel32

VirtualFree
GetCurrentProcess
VirtualAlloc
TerminateProcess
GetProcessId
InitializeCriticalSection
CreateMutexW
CreateMutexA
GetVersionExW
ReleaseMutex
UnmapViewOfFile
DuplicateHandle
OpenProcess
LoadLibraryA
CreateThread
VirtualProtectEx
GlobalLock
CreateFileMappingA
VirtualProtect
WideCharToMultiByte
MapViewOfFile
GlobalUnlock
SetUnhandledExceptionFilter
GetTickCount
SetEvent
SetThreadPriority
GetThreadPriority
GetCurrentThread
InterlockedIncrement
InterlockedDecrement
EnterCriticalSection
LeaveCriticalSection
LoadLibraryExA
GetLastError
FreeLibrary
FormatMessageA
WriteProcessMemory
GetModuleFileNameA
IsBadReadPtr
Sleep
WaitForSingleObject
GetProcAddress
GetModuleHandleA
CloseHandle
ReadProcessMemory
ReadFile
GetCurrentProcessId
LoadLibraryW
CreateTimerQueue
UnregisterWaitEx
QueryDepthSList
InterlockedPopEntrySList
ReleaseSemaphore
FreeLibraryAndExitThread
GetThreadTimes
UnregisterWait
RegisterWaitForSingleObject
SetThreadAffinityMask
GetProcessAffinityMask
GetNumaHighestNodeNumber
DeleteTimerQueueTimer
ChangeTimerQueueTimer
CreateTimerQueueTimer
GetLogicalProcessorInformation
UnhandledExceptionFilter
IsProcessorFeaturePresent
IsDebuggerPresent
GetStartupInfoW
GetModuleHandleW
QueryPerformanceCounter
GetCurrentThreadId
GetSystemTimeAsFileTime
InitializeSListHead
TryEnterCriticalSection
DeleteCriticalSection
QueryPerformanceFrequency
SetLastError
InitializeCriticalSectionAndSpinCount
CreateEventW
TlsAlloc
TlsGetValue
TlsSetValue
TlsFree
EncodePointer
GetModuleFileNameW
InterlockedPushEntrySList
InterlockedFlushSList
RtlUnwind
RaiseException
LoadLibraryExW
ExitProcess
GetModuleHandleExW
MultiByteToWideChar
GetTempPathW
CreateProcessA
HeapAlloc
HeapFree
SetFilePointerEx
GetConsoleMode
ReadConsoleW
GetStdHandle
GetFileType
GetDateFormatW
GetTimeFormatW
CompareStringW
LCMapStringW
GetLocaleInfoW
IsValidLocale
GetUserDefaultLCID
EnumSystemLocalesW
GetACP
GetTimeZoneInformation
HeapReAlloc
FlushFileBuffers
WriteFile
GetConsoleCP
GetCPInfo
GetStringTypeW
DeleteFileW
GetExitCodeProcess
GetFileAttributesExW
MoveFileExW
CreateFileW
CreatePipe
FindClose
FindFirstFileExA
FindNextFileA
IsValidCodePage
GetOEMCP
GetCommandLineA
GetCommandLineW
GetEnvironmentStringsW
FreeEnvironmentStringsW
SetEnvironmentVariableA
GetProcessHeap
SetStdHandle
WriteConsoleW
SetEndOfFile
HeapSize
WaitForSingleObjectEx
DecodePointer
SignalObjectAndWait
SwitchToThread
LocalAlloc
GetCurrentProcess
GetCurrentThread
LocalFree
GetModuleFileNameW
GetProcessAffinityMask
SetProcessAffinityMask
SetThreadAffinityMask
Sleep
ExitProcess
GetLastError
FreeLibrary
LoadLibraryA
GetModuleHandleA
GetProcAddress

gdi32

DeleteDC
BitBlt
SelectObject
CreateCompatibleDC
CreateBitmapIndirect
StretchBlt
GetPixel
SetPixel
DeleteObject

user32

CloseClipboard
GetDesktopWindow
SetForegroundWindow
KillTimer
IsClipboardFormatAvailable
GetClipboardData
OpenClipboard
SetTimer
MessageBoxA

shell32

ShellExecuteA

ntdll

ZwOpenProcess
ZwQueryObject
ZwQuerySystemInformation
ZwDuplicateObject
RtlAdjustPrivilege

shlwapi

PathStripPathW

psapi

GetProcessImageFileNameW

advapi32

SystemFunction036
OpenSCManagerW
EnumServicesStatusExW
OpenServiceW
QueryServiceConfigW
CloseServiceHandle

Exports

Exports

?luaopen_api_opendll@@YAHPAUlua_State@@@Z
?luaopen_api_procaddress@@YAHPAUlua_State@@@Z
XEDParseAssemble
start

Sections

.text
Size: - Virtual size: 1.2MB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rdata
Size: - Virtual size: 574KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.data
Size: - Virtual size: 1.7MB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.gfids
Size: - Virtual size: 2KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.vmp0
Size: - Virtual size: 624KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.vmp1
Size: 1.1MB - Virtual size: 1.1MB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.reloc
Size: 512B - Virtual size: 296B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.rsrc
Size: 1024B - Virtual size: 636B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

Sharing

General

Malware Config

Signatures

Files

ae674ef6d8bb4c96965788073a946a07

Headers

DLL Characteristics

File Characteristics

PDB Paths

Imports

kernel32

gdi32

user32

shell32

ntdll

shlwapi

psapi

advapi32

Exports

Exports

Sections

.text Size: - Virtual size: 1.2MB

.rdata Size: - Virtual size: 574KB

.data Size: - Virtual size: 1.7MB

.gfids Size: - Virtual size: 2KB

.vmp0 Size: - Virtual size: 624KB

.vmp1 Size: 1.1MB - Virtual size: 1.1MB

.reloc Size: 512B - Virtual size: 296B

.rsrc Size: 1024B - Virtual size: 636B

.text
Size: - Virtual size: 1.2MB

.rdata
Size: - Virtual size: 574KB

.data
Size: - Virtual size: 1.7MB

.gfids
Size: - Virtual size: 2KB

.vmp0
Size: - Virtual size: 624KB

.vmp1
Size: 1.1MB - Virtual size: 1.1MB

.reloc
Size: 512B - Virtual size: 296B

.rsrc
Size: 1024B - Virtual size: 636B