964f7648070fd675b9a84d3be46acdf2_JaffaCakes118 | Triage

Sharing

Copy URL Twitter E-mail

General

Target

964f7648070fd675b9a84d3be46acdf2_JaffaCakes118
Size

4.7MB
MD5

964f7648070fd675b9a84d3be46acdf2
SHA1

13150bef2e631657f01224018fbff804d31d003e
SHA256

898dda4bd3fed1342489c46f447342f2e9179e827f8f2dbd9592a5802e1d8d12
SHA512

19cf35038d8aa50fe1db4a9f854a61feed976daed87424d5f20626426afab1c92d0deeae1db9049e6c727053a6b7eaa25f1a5068d7cd99ff937fd0b73d8be440
SSDEEP

98304:t6CjAlvyPrLOyHj84J+ZClLrx9j7lcH31z2MScs9:0RvyDXDxkClLrxVlclz7Sc

Score

7^/10

vmprotect

Malware Config

Signatures

VMProtect packed file 1 IoCs

Detects executables packed with VMProtect commercial packer.

resource	yara_rule
sample	vmprotect

Unsigned PE 1 IoCs

Checks for missing Authenticode signature.

resource
964f7648070fd675b9a84d3be46acdf2_JaffaCakes118

Files

964f7648070fd675b9a84d3be46acdf2_JaffaCakes118
.exe windows:5 windows x86 arch:x86

a402ba568b6a2b9270c03a2dff393540

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_NO_ISOLATION
IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE

File Characteristics

IMAGE_FILE_RELOCS_STRIPPED
IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_32BIT_MACHINE

Imports

kernel32

Process32NextW
VirtualQuery
LocalAlloc
LocalFree
GetModuleFileNameW
GetProcessAffinityMask
SetProcessAffinityMask
SetThreadAffinityMask
Sleep
ExitProcess
FreeLibrary
LoadLibraryA
GetModuleHandleA
GetProcAddress

user32

wsprintfA
GetUserObjectInformationW
GetProcessWindowStation
GetUserObjectInformationW

advapi32

RegQueryValueExW

shell32

SHChangeNotify

shlwapi

StrStrA

ntdll

_chkstk

rpcrt4

UuidCreate

wtsapi32

WTSSendMessageW

Sections

.rdata
Size: - Virtual size: 54KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_WRITE

.vmp0
Size: - Virtual size: 2.8MB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.vmp1
Size: 4.7MB - Virtual size: 4.7MB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ