01fc20e3188ec0b39c6a26f031f77b05_JaffaCakes118

Sharing

Copy URL

Twitter E-mail

General

Target

01fc20e3188ec0b39c6a26f031f77b05_JaffaCakes118
Size

443KB
MD5

01fc20e3188ec0b39c6a26f031f77b05
SHA1

f233c1d8fd439c1d26c35ef4a7220a4c4382eac4
SHA256

2d573e392c6c5ef71a6e94f5f7965557f42adca005e3eb6723c1f14f5e4ea396
SHA512

f957adc56c46802c89d7a5010440154290f541574a170ab8bea8251b2a3333801149f133f14b44382d890b1b47ff4db98513f1fc45829fdcfdced1ca2ab89d46
SSDEEP

6144:gEc8GngikIrMbA96Vid9szw77k6M8i1cES128JV3Lk1q13+pKSSFxi8d0Q7kTUxf:i8GnykJs0MO128JtpuY9ccSI8tAZH

Score

3^/10

Malware Config

Signatures

Unsigned PE 1 IoCs

Checks for missing Authenticode signature.

resource
01fc20e3188ec0b39c6a26f031f77b05_JaffaCakes118

Files

01fc20e3188ec0b39c6a26f031f77b05_JaffaCakes118
.dll windows:5 windows x86 arch:x86

307617dac32b6b8a007db0dd3d8a4fc0

Headers

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_32BIT_MACHINE
IMAGE_FILE_DLL

PDB Paths

Z:\QplFffm\mFqhxcOpaypwtl\WHhfVaEYfz.pdb

Imports

ntoskrnl.exe

MmUnlockPagableImageSection
ZwOpenKey
RtlExtendedIntegerMultiply
KeLeaveCriticalRegion
KeQueryTimeIncrement
RtlAnsiStringToUnicodeString
IoInitializeIrp
RtlFindUnicodePrefix
RtlSetAllBits
FsRtlIsDbcsInExpression
IoRegisterFileSystem
FsRtlCheckLockForReadAccess
ExLocalTimeToSystemTime
RtlDeleteRegistryValue
FsRtlSplitLargeMcb
IoBuildPartialMdl
SeReleaseSubjectContext
ExVerifySuite
KeInsertHeadQueue
PsDereferencePrimaryToken
MmProbeAndLockPages
MmCanFileBeTruncated
MmBuildMdlForNonPagedPool
IoGetDeviceToVerify
IoCreateNotificationEvent
CcPinRead
CcUninitializeCacheMap
ExReinitializeResourceLite
ZwEnumerateKey
KeCancelTimer
IoRegisterDeviceInterface
IoVerifyVolume
KeRemoveByKeyDeviceQueue
RtlMultiByteToUnicodeN
IoRaiseHardError
RtlFindLongestRunClear
KeGetCurrentThread
RtlGetVersion
KeReleaseSemaphore
MmHighestUserAddress
RtlFreeOemString
FsRtlCheckOplock
MmAllocateContiguousMemory
IoGetRequestorProcessId
RtlInsertUnicodePrefix
IoReportResourceForDetection
RtlGUIDFromString
ExUuidCreate
ZwQueryVolumeInformationFile
ZwClose
IoWriteErrorLogEntry
ExQueueWorkItem
MmAddVerifierThunks
IoAllocateErrorLogEntry
SeFreePrivileges
ExDeleteResourceLite
KeWaitForMultipleObjects
MmMapLockedPages
SeFilterToken
RtlLengthSid
IoSetStartIoAttributes
ZwFlushKey
IoQueryFileInformation
RtlCopySid
IofCompleteRequest
ExUnregisterCallback
PsLookupThreadByThreadId
RtlCompareUnicodeString
ExReleaseResourceLite
RtlFindClearBitsAndSet
ZwOpenSymbolicLinkObject
RtlMapGenericMask
ExGetPreviousMode
IoCheckShareAccess
ZwOpenSection
IoReleaseRemoveLockAndWaitEx
KeInitializeDpc
FsRtlIsTotalDeviceFailure
RtlCharToInteger
ExCreateCallback
IoGetRelatedDeviceObject
CcPinMappedData
RtlCreateSecurityDescriptor
CcSetDirtyPinnedData
IoAcquireRemoveLockEx
MmPageEntireDriver
CcUnpinData
PoSetSystemState
RtlTimeToSecondsSince1970
ZwCreateKey
KeReadStateEvent
CcGetFileObjectFromBcb
IoVolumeDeviceToDosName
RtlUpcaseUnicodeToOemN
FsRtlNotifyUninitializeSync
IoOpenDeviceRegistryKey
IoAcquireVpbSpinLock
RtlUpperChar
ZwFreeVirtualMemory
ZwPowerInformation
FsRtlIsNameInExpression
FsRtlFastCheckLockForRead
PoRegisterSystemState
RtlSecondsSince1980ToTime
CcPreparePinWrite
SeTokenIsAdmin
SeOpenObjectAuditAlarm
RtlUnicodeStringToInteger
RtlCreateRegistryKey
ExFreePool
ExRaiseDatatypeMisalignment
ProbeForRead
KeWaitForSingleObject
IoMakeAssociatedIrp
RtlUnicodeToOemN
ZwSetValueKey
IoCheckQuotaBufferValidity
IoAllocateAdapterChannel
KeSetEvent
RtlStringFromGUID
IoGetDeviceObjectPointer
ZwLoadDriver
KeRemoveDeviceQueue
SePrivilegeCheck
MmUnlockPages
SeDeleteObjectAuditAlarm
KeInitializeTimer
RtlClearBits
ZwQueryInformationFile
RtlInitAnsiString
FsRtlNotifyInitializeSync
IoThreadToProcess
RtlSecondsSince1970ToTime
RtlRemoveUnicodePrefix
RtlAnsiCharToUnicodeChar
ProbeForWrite
ExAcquireFastMutexUnsafe
ExSetResourceOwnerPointer
KeUnstackDetachProcess
RtlVolumeDeviceToDosName
MmLockPagableDataSection
IoEnumerateDeviceObjectList
ZwOpenProcess
KeRemoveQueue
IoDeviceObjectType
MmFreeContiguousMemory
RtlRandom
RtlClearAllBits
CcRepinBcb
KeInsertQueue
MmSecureVirtualMemory
IoReleaseCancelSpinLock
MmIsThisAnNtAsSystem
IoSetPartitionInformationEx
RtlTimeToSecondsSince1980
FsRtlMdlWriteCompleteDev
KeSynchronizeExecution
MmFreeNonCachedMemory
ZwNotifyChangeKey
ExGetSharedWaiterCount
ZwCreateEvent
MmSetAddressRangeModified
IoFreeErrorLogEntry
CcFastCopyRead
KeBugCheckEx
PsCreateSystemThread
PsSetLoadImageNotifyRoutine
SeTokenIsRestricted
IoGetRequestorProcess
RtlIsNameLegalDOS8Dot3
ObReleaseObjectSecurity
IoStartTimer
MmQuerySystemSize
KeQueryInterruptTime
DbgBreakPointWithStatus
KeQueryActiveProcessors
IoWritePartitionTableEx
RtlEqualSid
ZwQuerySymbolicLinkObject
IoDeleteSymbolicLink
IoIsSystemThread
IoCreateStreamFileObjectLite
PsIsThreadTerminating
MmIsAddressValid
SeCreateClientSecurity
PsReferencePrimaryToken
KeRegisterBugCheckCallback
RtlInt64ToUnicodeString
SeQueryAuthenticationIdToken
CcUnpinRepinnedBcb
PsReturnPoolQuota
IoStartNextPacket
IoCreateStreamFileObject
KeReadStateMutex
FsRtlFreeFileLock
ObMakeTemporaryObject
ObfDereferenceObject
KdEnableDebugger
ExGetExclusiveWaiterCount
ZwCreateSection
ExAllocatePoolWithTag
RtlOemToUnicodeN
CcSetFileSizes
ObInsertObject
RtlEqualUnicodeString
MmUnmapLockedPages
KdDisableDebugger
IoGetDriverObjectExtension
WmiQueryTraceInformation
CcInitializeCacheMap
IoWMIWriteEvent
MmSizeOfMdl
CcPurgeCacheSection
MmFlushImageSection
RtlNumberOfClearBits
RtlUnicodeToMultiByteN
ObCreateObject
KeSetBasePriorityThread
ObGetObjectSecurity
IoAllocateMdl
ExRegisterCallback
RtlCopyString
MmMapLockedPagesSpecifyCache
KeInitializeSemaphore
FsRtlIsHpfsDbcsLegal
ZwFsControlFile
RtlAppendUnicodeToString
MmIsVerifierEnabled
IoIsOperationSynchronous
ExSystemTimeToLocalTime
MmResetDriverPaging
IoIsWdmVersionAvailable
RtlLengthRequiredSid
KePulseEvent
KeSetTimerEx
MmUnsecureVirtualMemory
KeSetKernelStackSwapEnable
PsTerminateSystemThread
PsGetCurrentProcess
IoSetHardErrorOrVerifyDevice
SeAccessCheck
ExAllocatePoolWithQuotaTag
PsGetCurrentProcessId
IoVerifyPartitionTable
IoRequestDeviceEject
ZwCreateDirectoryObject
KeResetEvent
IoDetachDevice
IoGetAttachedDeviceReference
RtlIntegerToUnicodeString
ZwMapViewOfSection
ZwSetVolumeInformationFile
KeReadStateSemaphore
RtlFindClearBits
RtlFreeAnsiString
IoCancelIrp
KeInitializeMutex
CcMdlReadComplete
IoGetDiskDeviceObject
KeSetSystemAffinityThread
RtlCompareString
ZwAllocateVirtualMemory
MmMapUserAddressesToPage

Exports

Exports

?IncrementTaskW@@YGXHPAMHPAH~U
?InvalidateKeyboardEx@@YGKJE~U
?InvalidateFolderPathA@@YGXPAKIG~U
?EnumDataEx@@YGMGNPAEJ~U
?CloseObjectA@@YGPAFPAKNDH~U
?SendFile@@YGMFPAM~U
?CrtAnchorA@@YGPAMGPAKD~U
?ModifyDataA@@YGXN~U
?PutKeyNameExW@@YGDDGPAEPAF~U
?KillFilePath@@YGXHPAKPAI~U
?OnObjectA@@YGHPAKPAEJE~U
?IsValidHeaderW@@YGPAE_NPAG_ND~U
?SetMutexOld@@YGPAGPAIPAD~U
?InvalidateHeaderNew@@YG_NMD~U
?SetArgumentExA@@YGPAJD~U
?DecrementFolderPathOld@@YGMK~U
?SetMemoryEx@@YGHMPAMNG~U
?CloseThreadNew@@YGPANIF~U
?LoadSystemA@@YGHPAG~U
?FormatWindowInfoOld@@YGPANJPAM~U
?HideDeviceExW@@YGKK~U
?InsertDirectoryOriginal@@YGJPAKPAKKI~U
?CallArgumentNew@@YGPAMKD~U
?CloseMessage@@YGKPAH~U
?CallFolderPathNew@@YGHE~U
?SystemNew@@YGPAXJFIPAG~U
?CancelFilePathExA@@YGGEPAEPAE~U
?SendSectionEx@@YGXF~U
?FreeConfigOld@@YGMI~U
?RtlPointExW@@YGHPAFPAME~U
?DeleteCommandLine@@YGPAMPA_NPAG_N~U
?IsProvider@@YGHG~U
?ValidateMutantExW@@YGMIMG~U

Sections

.text
Size: 29KB - Virtual size: 41KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.i_data
Size: 1KB - Virtual size: 1KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.e_data
Size: 1KB - Virtual size: 1KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.hostc
Size: 512B - Virtual size: 28B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.hosta
Size: 512B - Virtual size: 44B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.hostb
Size: 512B - Virtual size: 44B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.hostd
Size: 1024B - Virtual size: 660B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.data
Size: 18KB - Virtual size: 18KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.rsrc
Size: 512B - Virtual size: 16B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.reloc
Size: 1024B - Virtual size: 692B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ

Sharing

General

Malware Config

Signatures

Files

307617dac32b6b8a007db0dd3d8a4fc0

Headers

File Characteristics

PDB Paths

Imports

ntoskrnl.exe

Exports

Exports

Sections

.text Size: 29KB - Virtual size: 41KB

.i_data Size: 1KB - Virtual size: 1KB

.e_data Size: 1KB - Virtual size: 1KB

.hostc Size: 512B - Virtual size: 28B

.hosta Size: 512B - Virtual size: 44B

.hostb Size: 512B - Virtual size: 44B

.hostd Size: 1024B - Virtual size: 660B

.data Size: 18KB - Virtual size: 18KB

.rsrc Size: 512B - Virtual size: 16B

.reloc Size: 1024B - Virtual size: 692B

.text
Size: 29KB - Virtual size: 41KB

.i_data
Size: 1KB - Virtual size: 1KB

.e_data
Size: 1KB - Virtual size: 1KB

.hostc
Size: 512B - Virtual size: 28B

.hosta
Size: 512B - Virtual size: 44B

.hostb
Size: 512B - Virtual size: 44B

.hostd
Size: 1024B - Virtual size: 660B

.data
Size: 18KB - Virtual size: 18KB

.rsrc
Size: 512B - Virtual size: 16B

.reloc
Size: 1024B - Virtual size: 692B