mimikatz | a1357d3ccef89827f4c10aa4fd397a76_JaffaCakes118

Sharing

Copy URL

Twitter E-mail

General

Target

a1357d3ccef89827f4c10aa4fd397a76_JaffaCakes118
Size

26KB
MD5

a1357d3ccef89827f4c10aa4fd397a76
SHA1

dee4bba374a11d1b7ab381e70f077dc388225747
SHA256

8ef52a0581d0972bd296104130ee20857b63aa22b3da60a94267fb4b359ab629
SHA512

900845ce497ed9d55a242046269c8c8d12d28d5f78cdcc61c7070464982c976b3003c3eec5708997a52bf583cd3b1b9b8a99decf8fcbdf73b405248316aa7dcc
SSDEEP

384:2aer1+IqCG4szrm83/HCUlf8Wyz+3t4SF46aD+AlJmT9IKVnVYEHiw8dUb+gCg:2xi4oXDyq3p46aD+AlJ66WVHCOig/

Score

10^/10

mimikatz

Malware Config

Signatures

Mimikatz family
mimikatz

mimikatz is an open source tool to dump credentials on Windows 1 IoCs

resource	yara_rule
sample	mimikatz

Files

a1357d3ccef89827f4c10aa4fd397a76_JaffaCakes118
.sys windows:6 windows x86 arch:x86

f520bf8aab71499bc1f00d479eb40e59

Code Sign

04:00:00:00:00:01:2f:4e:e1:52:d7
Certificate

Issuer

CN=GlobalSign Root CA,OU=Root CA,O=GlobalSign nv-sa,C=BE

Not Before

13/04/2011, 10:00

Not After

28/01/2028, 12:00

Subject

CN=GlobalSign Timestamping CA - G2,O=GlobalSign nv-sa,C=BE

Key Usages

KeyUsageCertSign
KeyUsageCRLSign

04:00:00:00:00:01:2f:4e:e1:35:5c
Certificate

Issuer

CN=GlobalSign Root CA,OU=Root CA,O=GlobalSign nv-sa,C=BE

Not Before

13/04/2011, 10:00

Not After

13/04/2019, 10:00

Subject

CN=GlobalSign CodeSigning CA - G2,O=GlobalSign nv-sa,C=BE

Extended Key Usages

ExtKeyUsageCodeSigning

Key Usages

KeyUsageCertSign
KeyUsageCRLSign

11:21:69:41:7a:1c:3e:f4:6a:30:1f:99:38:5f:50:68:0f:a0
Certificate

Issuer

CN=GlobalSign CodeSigning CA - G2,O=GlobalSign nv-sa,C=BE

Not Before

28/06/2011, 09:46

Not After

28/06/2014, 09:46

Subject

CN=Benjamin Delpy,C=FR

Extended Key Usages

ExtKeyUsageCodeSigning

Key Usages

KeyUsageDigitalSignature

11:21:40:5c:1f:0e:d2:58:88:2b:e5:4d:86:86:ba:11:ea:45
Certificate

Issuer

CN=GlobalSign Timestamping CA - G2,O=GlobalSign nv-sa,C=BE

Not Before

23/08/2013, 00:00

Not After

23/09/2024, 00:00

Subject

CN=GlobalSign TSA for MS Authenticode - G1,O=GMO GlobalSign Pte Ltd,C=SG

Extended Key Usages

ExtKeyUsageTimeStamping

Key Usages

KeyUsageDigitalSignature

61:0b:7f:6b:00:00:00:00:00:19
Certificate

Issuer

CN=Microsoft Code Verification Root,O=Microsoft Corporation,L=Redmond,ST=Washington,C=US

Not Before

23/05/2006, 17:00

Not After

23/05/2016, 17:10

Subject

CN=GlobalSign Root CA,OU=Root CA,O=GlobalSign nv-sa,C=BE

Key Usages

KeyUsageDigitalSignature
KeyUsageCertSign
KeyUsageCRLSign

68:6e:53:d5:d6:4b:61:3e:b1:1f:0c:f1:b0:75:04:50:d3:29:e9:62
Signer

Actual PE Digest

68:6e:53:d5:d6:4b:61:3e:b1:1f:0c:f1:b0:75:04:50:d3:29:e9:62

Digest Algorithm

sha1

PE Digest Matches

true

Headers

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_32BIT_MACHINE

PDB Paths

c:\security\mimikatz\mimidrv\objfre_wnet_x86\i386\mimidrv.pdb

Imports

ntoskrnl.exe

KeBugCheck
IoCreateSymbolicLink
IoCreateDevice
PsInitialSystemProcess
ObfDereferenceObject
PsLookupProcessByProcessId
PsGetProcessImageFileName
PsGetProcessId
ZwClose
ZwSetInformationProcess
ZwDuplicateToken
ObOpenObjectByPointer
IofCompleteRequest
PsDereferencePrimaryToken
PsReferencePrimaryToken
IoGetCurrentProcess
RtlCompareMemory
ZwOpenProcessTokenEx
ExFreePoolWithTag
ExAllocatePoolWithTag
KeServiceDescriptorTable
MmGetSystemRoutineAddress
RtlInitUnicodeString
IoEnumerateRegisteredFiltersList
KeTickCount
NtBuildNumber
IoDeleteSymbolicLink
IoDeleteDevice
memset
PsProcessType
_vsnwprintf
PsGetVersion
ExAllocatePoolWithQuotaTag
ZwQuerySystemInformation
RtlUnwind
KeBugCheckEx

fltmgr.sys

FltGetFilterInformation
FltEnumerateInstances
FltGetVolumeFromInstance
FltObjectDereference
FltEnumerateFilters

Sections

.text
Size: 8KB - Virtual size: 7KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rdata
Size: 3KB - Virtual size: 2KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.data
Size: 2KB - Virtual size: 2KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

PAGE
Size: 1024B - Virtual size: 614B

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

INIT
Size: 1KB - Virtual size: 1KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.rsrc
Size: 1KB - Virtual size: 1KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ

.reloc
Size: 1024B - Virtual size: 842B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ

Sharing

General

Malware Config

Signatures

Files

f520bf8aab71499bc1f00d479eb40e59

Code Sign

04:00:00:00:00:01:2f:4e:e1:52:d7Certificate

Key Usages

04:00:00:00:00:01:2f:4e:e1:35:5cCertificate

Extended Key Usages

Key Usages

11:21:69:41:7a:1c:3e:f4:6a:30:1f:99:38:5f:50:68:0f:a0Certificate

Extended Key Usages

Key Usages

11:21:40:5c:1f:0e:d2:58:88:2b:e5:4d:86:86:ba:11:ea:45Certificate

Extended Key Usages

Key Usages

61:0b:7f:6b:00:00:00:00:00:19Certificate

Key Usages

68:6e:53:d5:d6:4b:61:3e:b1:1f:0c:f1:b0:75:04:50:d3:29:e9:62Signer

Headers

File Characteristics

PDB Paths

Imports

ntoskrnl.exe

fltmgr.sys

Sections

.text Size: 8KB - Virtual size: 7KB

.rdata Size: 3KB - Virtual size: 2KB

.data Size: 2KB - Virtual size: 2KB

PAGE Size: 1024B - Virtual size: 614B

INIT Size: 1KB - Virtual size: 1KB

.rsrc Size: 1KB - Virtual size: 1KB

.reloc Size: 1024B - Virtual size: 842B

04:00:00:00:00:01:2f:4e:e1:52:d7
Certificate

04:00:00:00:00:01:2f:4e:e1:35:5c
Certificate

11:21:69:41:7a:1c:3e:f4:6a:30:1f:99:38:5f:50:68:0f:a0
Certificate

11:21:40:5c:1f:0e:d2:58:88:2b:e5:4d:86:86:ba:11:ea:45
Certificate

61:0b:7f:6b:00:00:00:00:00:19
Certificate

68:6e:53:d5:d6:4b:61:3e:b1:1f:0c:f1:b0:75:04:50:d3:29:e9:62
Signer

.text
Size: 8KB - Virtual size: 7KB

.rdata
Size: 3KB - Virtual size: 2KB

.data
Size: 2KB - Virtual size: 2KB

PAGE
Size: 1024B - Virtual size: 614B

INIT
Size: 1KB - Virtual size: 1KB

.rsrc
Size: 1KB - Virtual size: 1KB

.reloc
Size: 1024B - Virtual size: 842B