048ab6dbb86bebdc187b03cb5029127d_JaffaCakes118

Sharing

Copy URL Twitter E-mail

General

Target

048ab6dbb86bebdc187b03cb5029127d_JaffaCakes118
Size

257KB
MD5

048ab6dbb86bebdc187b03cb5029127d
SHA1

aa5ce7b787e3510531fc8ae4f46af8b2d53a2938
SHA256

61a6b8d7f44883939782bd9d3d145c996762e359bb903f25ad638304ace8c46f
SHA512

b7754830447fe189fc57c0ed265b899accd5c6baca11f79568f4a7bfe99063fd1eda3b684b5548cbc1691cdae7d2ee4d820d242a416f9664a8e1000b345d8ca2
SSDEEP

3072:eWGrmFrxEWmbI3d0N4kRLTDUATUfw/CLLglwbqGy7eHC2TjOgjEOVfrqVc8I4KnV:eHSNmst0N4kRvDNMJL0vT7A5jjMOV

Score

7^/10

upx

Malware Config

Signatures

UPX packed file 1 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
sample	upx

Unsigned PE 1 IoCs

Checks for missing Authenticode signature.

resource
048ab6dbb86bebdc187b03cb5029127d_JaffaCakes118

Files

048ab6dbb86bebdc187b03cb5029127d_JaffaCakes118
.exe windows:6 windows x86 arch:x86

d254b62f670827c90376fa30e7f7f8ef

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_NX_COMPAT
IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE

File Characteristics

IMAGE_FILE_RELOCS_STRIPPED
IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_32BIT_MACHINE

PDB Paths

MpCmdRun.pdb

Imports

advapi32

TraceEvent
GetTraceEnableFlags
GetTraceEnableLevel
GetTraceLoggerHandle
RegisterTraceGuidsW
UnregisterTraceGuids
FreeSid
CreateProcessAsUserW
CreateRestrictedToken
LogonUserW
GetUserNameW
OpenProcessToken
RegCloseKey
ReadEventLogW
RegQueryValueExW
RegOpenKeyExW
CloseEventLog
GetNumberOfEventLogRecords
GetOldestEventLogRecord
OpenEventLogW
CloseServiceHandle
QueryServiceStatusEx
OpenServiceW
OpenSCManagerW
RegEnumValueW
RegEnumKeyExW
CheckTokenMembership
IsValidSid
AllocateAndInitializeSid

kernel32

CreateEventW
UnhandledExceptionFilter
GetSystemTimeAsFileTime
Sleep
ExpandEnvironmentStringsW
LoadLibraryExW
FileTimeToLocalFileTime
FileTimeToSystemTime
DeleteFileW
SetFileAttributesW
HeapFree
HeapAlloc
GetFileInformationByHandle
FileTimeToDosDateTime
MultiByteToWideChar
WideCharToMultiByte
GetSystemPowerStatus
GetFileAttributesW
CreateTimerQueueTimer
SetFilePointerEx
WriteFile
GetModuleHandleW
GetSystemDirectoryW
GetCurrentProcessId
GetCurrentThreadId
QueryPerformanceCounter
GetModuleHandleA
SetUnhandledExceptionFilter
InterlockedCompareExchange
InterlockedExchange
FindFirstFileW
FindNextFileW
FindClose
CopyFileW
CreateDirectoryW
CreateFileW
TerminateProcess
DeleteTimerQueueTimer
GetSystemTime
GetCurrentProcess
WaitForSingleObject
GetExitCodeProcess
SetEvent
InterlockedIncrement
GetCommandLineW
GetTickCount
GetLocalTime
GetDateFormatW
GetTimeFormatW
SetLastError
GetLastError
CloseHandle
SetErrorMode
FormatMessageW
InterlockedDecrement
LoadLibraryW
GetProcAddress
FreeLibrary
LocalAlloc
LocalFree

msvcrt

??1type_info@@UAE@XZ
__set_app_type
__p__fmode
__p__commode
__setusermatherr
_amsg_exit
_initterm
exit
_XcptFilter
_exit
_cexit
__wgetmainargs
malloc
free
??0exception@@QAE@XZ
swscanf
??0exception@@QAE@ABV0@@Z
??1exception@@UAE@XZ
?what@exception@@UBEPBDXZ
??0exception@@QAE@ABQBD@Z
fclose
iswspace
feof
fgetws
__RTDynamicCast
towlower
__dllonexit
_errno
_wfopen
?terminate@@YAXXZ
_vsnprintf
__doserrno
_wopen
_read
_write
_close
_lseek
_wremove
_wtempnam
memcpy
_lock
_onexit
wprintf
__CxxFrameHandler3
memcpy_s
_CxxThrowException
memmove_s
_purecall
_getch
iswprint
swscanf_s
wcstoul
vwprintf
wcschr
wcsstr
memset
_vsnwprintf
_except_handler4_common
_controlfp
wcsrchr
_unlock
printf
_wcsicmp
memmove

ole32

CoInitializeEx
StringFromGUID2
CoUninitialize
CoCreateInstance

oleaut32

SysAllocString
SysFreeString

rpcrt4

UuidFromStringW

userenv

LoadUserProfileW
CreateEnvironmentBlock
DestroyEnvironmentBlock
UnloadUserProfile

mpclient

MpUtilsExportFunctions
MpConfigDelValue
MpConfigIteratorOpen
MpConfigIteratorEnum
MpConfigIteratorClose
MpConfigGetValueAlloc
MpUpdateStart
MpManagerVersionQuery
MpManagerOpen
MpScanStart
MpCleanOpen
MpCleanStart
MpConfigOpen
MpConfigClose
MpScanResult
MpConfigGetValue
MpHandleClose
MpConfigUninitialize
MpConfigInitialize
MpFreeMemory
MpClientUtilExportFunctions

cabinet

ord11
ord14
ord13
ord10

Sections

.text
Size: 136KB - Virtual size: 135KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.data
Size: 2KB - Virtual size: 2KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.rsrc
Size: 2KB - Virtual size: 1KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.reloc
Size: 12KB - Virtual size: 12KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ

.UPX0
Size: 104KB - Virtual size: 252KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

Sharing

General

Malware Config

Signatures

Files

d254b62f670827c90376fa30e7f7f8ef

Headers

DLL Characteristics

File Characteristics

PDB Paths

Imports

advapi32

kernel32

msvcrt

ole32

oleaut32

rpcrt4

userenv

mpclient

cabinet

Sections

.text Size: 136KB - Virtual size: 135KB

.data Size: 2KB - Virtual size: 2KB

.rsrc Size: 2KB - Virtual size: 1KB

.reloc Size: 12KB - Virtual size: 12KB

.UPX0 Size: 104KB - Virtual size: 252KB

.text
Size: 136KB - Virtual size: 135KB

.data
Size: 2KB - Virtual size: 2KB

.rsrc
Size: 2KB - Virtual size: 1KB

.reloc
Size: 12KB - Virtual size: 12KB

.UPX0
Size: 104KB - Virtual size: 252KB