mimikatz | b5dcc869a91efcc6e8ea0c3c07605d63_JaffaCakes118

Sharing

Copy URL Twitter E-mail

General

Target

b5dcc869a91efcc6e8ea0c3c07605d63_JaffaCakes118
Size

28KB
MD5

b5dcc869a91efcc6e8ea0c3c07605d63
SHA1

98588b1d1b63747fa6ee406983bf50ad48a2208b
SHA256

80e4c83cfa9d675a6746ab846fa5da76d79e87a9297e94e595a2d781e02673b3
SHA512

ed39573cb9e7f8a6f484ce89ec60b3423948df0661616c279945172051edab6cb53349e997db7e633df6c9890e7cc29ec05ed0b95fd56ec14563436ee8d0df53
SSDEEP

768:tiHyA4sEMyjJ5+zfZ+B8YluJVHZC5isP7:teyAyMmJk7MB8YlKJwisz

Score

10^/10

mimikatz

Malware Config

Signatures

Mimikatz family
mimikatz

mimikatz is an open source tool to dump credentials on Windows 1 IoCs

resource	yara_rule
sample	mimikatz

Files

b5dcc869a91efcc6e8ea0c3c07605d63_JaffaCakes118
.sys windows:6 windows x86 arch:x86

25862203800205f80fd8b3a6634ea1c6

Code Sign

11:21:69:41:7a:1c:3e:f4:6a:30:1f:99:38:5f:50:68:0f:a0
Certificate

Issuer

CN=GlobalSign CodeSigning CA - G2,O=GlobalSign nv-sa,C=BE

Not Before

28/06/2011, 09:46

Not After

28/06/2014, 09:46

Subject

CN=Benjamin Delpy,C=FR

Extended Key Usages

ExtKeyUsageCodeSigning

Key Usages

KeyUsageDigitalSignature

75:1e:3e:e9:c5:dc:2f:3e:8f:04:e5:9d:ee:5e:d4:09
Certificate

Issuer

CN=GlobalSign Root CA,OU=Root CA,O=GlobalSign nv-sa,C=BE

Not Before

13/04/2011, 10:00

Not After

13/04/2026, 10:00

Subject

CN=GlobalSign CodeSigning CA - G2,O=GlobalSign nv-sa,C=BE

Extended Key Usages

ExtKeyUsageCodeSigning
ExtKeyUsageOCSPSigning

Key Usages

KeyUsageCertSign
KeyUsageCRLSign

61:0b:7f:6b:00:00:00:00:00:19
Certificate

Issuer

CN=Microsoft Code Verification Root,O=Microsoft Corporation,L=Redmond,ST=Washington,C=US

Not Before

23/05/2006, 17:00

Not After

23/05/2016, 17:10

Subject

CN=GlobalSign Root CA,OU=Root CA,O=GlobalSign nv-sa,C=BE

Key Usages

KeyUsageDigitalSignature
KeyUsageCertSign
KeyUsageCRLSign

08:35:c5:e8:53:6d:3a:bc:f2:0f:0a:f3:ba:a2:49:43:d6:7a:43:26
Signer

Actual PE Digest

08:35:c5:e8:53:6d:3a:bc:f2:0f:0a:f3:ba:a2:49:43:d6:7a:43:26

Digest Algorithm

sha1

PE Digest Matches

true

Headers

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_32BIT_MACHINE

PDB Paths

c:\security\mimikatz\mimidrv\objfre_wnet_x86\i386\mimidrv.pdb

Imports

ntoskrnl.exe

NtBuildNumber
IofCompleteRequest
KeBugCheck
IoCreateSymbolicLink
IoCreateDevice
PsInitialSystemProcess
ObfDereferenceObject
PsLookupProcessByProcessId
PsGetProcessImageFileName
PsGetProcessId
ZwClose
ZwSetInformationProcess
ZwDuplicateToken
ObOpenObjectByPointer
PsProcessType
RtlInitUnicodeString
PsReferencePrimaryToken
IoGetCurrentProcess
RtlCompareMemory
ZwOpenProcessTokenEx
ExFreePoolWithTag
ExAllocatePoolWithTag
IoFreeMdl
MmUnlockPages
MmProbeAndLockPages
IoAllocateMdl
memcpy
KeServiceDescriptorTable
IoEnumerateRegisteredFiltersList
KeTickCount
MmGetSystemRoutineAddress
IoDeleteSymbolicLink
IoDeleteDevice
memset
PsDereferencePrimaryToken
_vsnwprintf
PsGetVersion
ExAllocatePoolWithQuotaTag
ZwQuerySystemInformation
RtlUnwind
KeBugCheckEx

fltmgr.sys

FltGetFilterInformation
FltEnumerateInstances
FltGetVolumeFromInstance
FltObjectDereference
FltEnumerateFilters

Sections

.text
Size: 9KB - Virtual size: 8KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rdata
Size: 4KB - Virtual size: 3KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.data
Size: 5KB - Virtual size: 4KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

PAGE
Size: 1024B - Virtual size: 614B

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

INIT
Size: 1KB - Virtual size: 1KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.rsrc
Size: 1KB - Virtual size: 1KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ

.reloc
Size: 1KB - Virtual size: 1KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ

Sharing

General

Malware Config

Signatures

Files

25862203800205f80fd8b3a6634ea1c6

Code Sign

11:21:69:41:7a:1c:3e:f4:6a:30:1f:99:38:5f:50:68:0f:a0Certificate

Extended Key Usages

Key Usages

75:1e:3e:e9:c5:dc:2f:3e:8f:04:e5:9d:ee:5e:d4:09Certificate

Extended Key Usages

Key Usages

61:0b:7f:6b:00:00:00:00:00:19Certificate

Key Usages

08:35:c5:e8:53:6d:3a:bc:f2:0f:0a:f3:ba:a2:49:43:d6:7a:43:26Signer

Headers

File Characteristics

PDB Paths

Imports

ntoskrnl.exe

fltmgr.sys

Sections

.text Size: 9KB - Virtual size: 8KB

.rdata Size: 4KB - Virtual size: 3KB

.data Size: 5KB - Virtual size: 4KB

PAGE Size: 1024B - Virtual size: 614B

INIT Size: 1KB - Virtual size: 1KB

.rsrc Size: 1KB - Virtual size: 1KB

.reloc Size: 1KB - Virtual size: 1KB

11:21:69:41:7a:1c:3e:f4:6a:30:1f:99:38:5f:50:68:0f:a0
Certificate

75:1e:3e:e9:c5:dc:2f:3e:8f:04:e5:9d:ee:5e:d4:09
Certificate

61:0b:7f:6b:00:00:00:00:00:19
Certificate

08:35:c5:e8:53:6d:3a:bc:f2:0f:0a:f3:ba:a2:49:43:d6:7a:43:26
Signer

.text
Size: 9KB - Virtual size: 8KB

.rdata
Size: 4KB - Virtual size: 3KB

.data
Size: 5KB - Virtual size: 4KB

PAGE
Size: 1024B - Virtual size: 614B

INIT
Size: 1KB - Virtual size: 1KB

.rsrc
Size: 1KB - Virtual size: 1KB

.reloc
Size: 1KB - Virtual size: 1KB