b56d8105d7a4497f73482a5fbf87e185_JaffaCakes118

Sharing

Copy URL Twitter E-mail

General

Target

b56d8105d7a4497f73482a5fbf87e185_JaffaCakes118
Size

6.1MB
MD5

b56d8105d7a4497f73482a5fbf87e185
SHA1

fa54a56bd9cb329761e24f1bd6f707a2cf54919d
SHA256

9daea978770dc1880f0e17a729b9c40b7b066ca073168a68f3715447bdccdb7e
SHA512

5420fb9d2e8cf7e5819d1ace3f4a13bcc77a211cf3855e6eddcfcd1cf47b2071e603f7280e28a8ebc45f84f6667456dea264ebd81a7144e920096b5ee67bb9e0
SSDEEP

196608:tTWWf5rDAYtOUqNZ1giaemcLsTdT3WTZtdaff69KErh:Nf9kYtpq1LmcLodTmTLdbd

Score

3^/10

Malware Config

Signatures

Unsigned PE 1 IoCs

Checks for missing Authenticode signature.

resource
unpack001/KnightOnLine.exe

Files

b56d8105d7a4497f73482a5fbf87e185_JaffaCakes118
.zip
KnightOnLine.exe
.exe windows:4 windows x86 arch:x86

b539f394ab765c572faff5e3044d7f96

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_NO_ISOLATION

File Characteristics

IMAGE_FILE_RELOCS_STRIPPED
IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LINE_NUMS_STRIPPED
IMAGE_FILE_LOCAL_SYMS_STRIPPED
IMAGE_FILE_32BIT_MACHINE

Imports

kernel32

LoadLibraryA
GetProcAddress
VirtualAlloc
VirtualFree

advapi32

RegCloseKey

avifil32

AVIFileWriteData

dinput8

DirectInput8Create

dsound

DirectSoundCaptureCreate8

gdi32

CreateDCA

imm32

ImmReleaseContext

oleaut32

VariantClear

openal32

alGetEnumValue

shell32

ShellExecuteA

user32

IntersectRect

wininet

FtpPutFileA

winmm

mmioSeek

wsock32

WSACleanup

d3d9

Direct3DCreate9

iphlpapi

GetAdaptersInfo

libvorbisfile

ov_pcm_total

ole32

CoCreateInstance

Sections

.text
Size: 4.0MB - Virtual size: 19.5MB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.rsrc
Size: 14KB - Virtual size: 16KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE
R3ACS.dll
.dll windows:6 windows x86 arch:x86

7ee99234c10d24188eb5dc123b04f0f3

Code Sign

13:b9:9c:ee:11:bd:9c:a7:4c:f3:ae:6c:b4:fd:14:eb
Certificate

Issuer

CN=R3ACS\, INC

Not Before

05/04/2020, 08:17

Not After

05/04/2021, 08:37

Subject

CN=R3ACS\, INC

Extended Key Usages

ExtKeyUsageCodeSigning

Key Usages

KeyUsageDigitalSignature

03:01:9a:02:3a:ff:58:b1:6b:d6:d5:ea:e6:17:f0:66
Certificate

Issuer

CN=DigiCert Assured ID CA-1,OU=www.digicert.com,O=DigiCert Inc,C=US

Not Before

22/10/2014, 00:00

Not After

22/10/2024, 00:00

Subject

CN=DigiCert Timestamp Responder,O=DigiCert,C=US

Extended Key Usages

ExtKeyUsageTimeStamping

Key Usages

KeyUsageDigitalSignature

06:fd:f9:03:96:03:ad:ea:00:0a:eb:3f:27:bb:ba:1b
Certificate

Issuer

CN=DigiCert Assured ID Root CA,OU=www.digicert.com,O=DigiCert Inc,C=US

Not Before

10/11/2006, 00:00

Not After

10/11/2021, 00:00

Subject

CN=DigiCert Assured ID CA-1,OU=www.digicert.com,O=DigiCert Inc,C=US

Extended Key Usages

ExtKeyUsageServerAuth
ExtKeyUsageClientAuth
ExtKeyUsageCodeSigning
ExtKeyUsageEmailProtection
ExtKeyUsageTimeStamping

Key Usages

KeyUsageDigitalSignature
KeyUsageCertSign
KeyUsageCRLSign

61:b5:b5:89:a2:61:57:48:d1:3b:23:fb:33:5b:ca:06:6c:b3:f9:00
Signer

Actual PE Digest

61:b5:b5:89:a2:61:57:48:d1:3b:23:fb:33:5b:ca:06:6c:b3:f9:00

Digest Algorithm

sha1

PE Digest Matches

true

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
IMAGE_DLLCHARACTERISTICS_NX_COMPAT

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_32BIT_MACHINE
IMAGE_FILE_DLL

PDB Paths

D:\source\repos\Win32Project1\Release\Win32Project1.pdb

Imports

iphlpapi

GetAdaptersInfo

ws2_32

send

crypt32

CryptQueryObject
CryptMsgGetParam
CryptMsgClose
CertCloseStore
CertFindCertificateInStore
CertGetNameStringW

wininet

FtpPutFileA
InternetOpenA
InternetConnectA
InternetCloseHandle

gdiplus

GdipSaveImageToFile
GdipDisposeImage
GdipAlloc
GdipFree
GdipCreateBitmapFromHBITMAP
GdipGetImageEncodersSize
GdipCloneImage
GdiplusStartup
GdiplusShutdown
GdipGetImageEncoders

kernel32

WriteConsoleW
SetEndOfFile
HeapSize
GetTickCount
GetProcAddress
GetModuleHandleA
GetCurrentProcess
CreateFileA
DeviceIoControl
CloseHandle
IsBadReadPtr
WriteProcessMemory
DeleteFileA
VirtualProtect
GetCurrentThreadId
SuspendThread
ResumeThread
WaitForSingleObject
TerminateProcess
LocalAlloc
LocalFree
CreateToolhelp32Snapshot
Module32FirstW
Module32NextW
Process32FirstW
GetCurrentProcessId
Process32NextW
GetCommandLineW
GlobalFree
OpenProcess
K32GetModuleFileNameExW
CreateTimerQueueTimer
Sleep
ExitProcess
GetLastError
CreateThread
CreateFileW
SetStdHandle
GetProcessHeap
SetEnvironmentVariableW
FreeEnvironmentStringsW
GetEnvironmentStringsW
GetCommandLineA
GetOEMCP
GetACP
IsValidCodePage
FindNextFileW
FindFirstFileExW
FindClose
HeapReAlloc
GetConsoleCP
WriteFile
FlushFileBuffers
GetFileAttributesExW
CreateProcessW
GetExitCodeProcess
ReadConsoleW
GetConsoleMode
SetFilePointerEx
IsDebuggerPresent
GetFileSizeEx
GetFileType
GetStdHandle
UnhandledExceptionFilter
SetUnhandledExceptionFilter
IsProcessorFeaturePresent
QueryPerformanceCounter
GetSystemTimeAsFileTime
InitializeSListHead
GetStartupInfoW
GetModuleHandleW
WideCharToMultiByte
EnterCriticalSection
LeaveCriticalSection
DeleteCriticalSection
EncodePointer
DecodePointer
MultiByteToWideChar
SetLastError
InitializeCriticalSectionAndSpinCount
SwitchToThread
TlsAlloc
TlsGetValue
TlsSetValue
TlsFree
GetCPInfo
CompareStringW
LCMapStringW
GetLocaleInfoW
GetStringTypeW
RtlUnwind
RaiseException
InterlockedFlushSList
FreeLibrary
LoadLibraryExW
ReadFile
GetModuleHandleExW
GetModuleFileNameW
GetTimeZoneInformation
IsValidLocale
GetUserDefaultLCID
EnumSystemLocalesW
HeapFree
HeapAlloc

user32

wsprintfA
MessageBoxA
GetWindowThreadProcessId
GetWindowTextW
IsWindowVisible
SetWindowTextA
FindWindowA
EnumWindows

gdi32

CreateCompatibleDC
GetDeviceCaps
DeleteObject
RestoreDC
BitBlt
SelectObject
SaveDC
DeleteDC
CreateDIBSection
CreateDCA

advapi32

CheckTokenMembership
FreeSid
AllocateAndInitializeSid

shell32

ShellExecuteExA
ShellExecuteA
CommandLineToArgvW

Sections

.text
Size: 252KB - Virtual size: 252KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rdata
Size: 72KB - Virtual size: 72KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.data
Size: 4KB - Virtual size: 7KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.rsrc
Size: 512B - Virtual size: 480B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.reloc
Size: 1.9MB - Virtual size: 5.6MB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

Sharing

General

Malware Config

Signatures

Files

b539f394ab765c572faff5e3044d7f96

Headers

DLL Characteristics

File Characteristics

Imports

kernel32

advapi32

avifil32

dinput8

dsound

gdi32

imm32

oleaut32

openal32

shell32

user32

wininet

winmm

wsock32

d3d9

iphlpapi

libvorbisfile

ole32

Sections

.text Size: 4.0MB - Virtual size: 19.5MB

.rsrc Size: 14KB - Virtual size: 16KB

7ee99234c10d24188eb5dc123b04f0f3

Code Sign

13:b9:9c:ee:11:bd:9c:a7:4c:f3:ae:6c:b4:fd:14:ebCertificate

Extended Key Usages

Key Usages

03:01:9a:02:3a:ff:58:b1:6b:d6:d5:ea:e6:17:f0:66Certificate

Extended Key Usages

Key Usages

06:fd:f9:03:96:03:ad:ea:00:0a:eb:3f:27:bb:ba:1bCertificate

Extended Key Usages

Key Usages

61:b5:b5:89:a2:61:57:48:d1:3b:23:fb:33:5b:ca:06:6c:b3:f9:00Signer

Headers

DLL Characteristics

File Characteristics

PDB Paths

Imports

iphlpapi

ws2_32

crypt32

wininet

gdiplus

kernel32

user32

gdi32

advapi32

shell32

Sections

.text Size: 252KB - Virtual size: 252KB

.rdata Size: 72KB - Virtual size: 72KB

.data Size: 4KB - Virtual size: 7KB

.rsrc Size: 512B - Virtual size: 480B

.reloc Size: 1.9MB - Virtual size: 5.6MB

.text
Size: 4.0MB - Virtual size: 19.5MB

.rsrc
Size: 14KB - Virtual size: 16KB

13:b9:9c:ee:11:bd:9c:a7:4c:f3:ae:6c:b4:fd:14:eb
Certificate

03:01:9a:02:3a:ff:58:b1:6b:d6:d5:ea:e6:17:f0:66
Certificate

06:fd:f9:03:96:03:ad:ea:00:0a:eb:3f:27:bb:ba:1b
Certificate

61:b5:b5:89:a2:61:57:48:d1:3b:23:fb:33:5b:ca:06:6c:b3:f9:00
Signer

.text
Size: 252KB - Virtual size: 252KB

.rdata
Size: 72KB - Virtual size: 72KB

.data
Size: 4KB - Virtual size: 7KB

.rsrc
Size: 512B - Virtual size: 480B

.reloc
Size: 1.9MB - Virtual size: 5.6MB