samsrv.pdb
Static task: static1
Behavioral task: behavioral1
  Sample: 0fd1e6fcdf8175c95bd3272e735ecb3a_JaffaCakes118.dll
  Resource: win7-20240611-en
Behavioral task: behavioral2
  Sample: 0fd1e6fcdf8175c95bd3272e735ecb3a_JaffaCakes118.dll
  Resource: win10v2004-20240508-en
General
- Target: 0fd1e6fcdf8175c95bd3272e735ecb3a_JaffaCakes118
- Size: 470KB
- MD5: 0fd1e6fcdf8175c95bd3272e735ecb3a
- SHA1: dbdc484b6d312f904a232ece8febe3fe0498f895
- SHA256: 115e7ee8aad399818d14676cfab4999c4022596ddc3e0794ae6490b71ca5b4fd
- SHA512: 31159addd269a4893a83edaf5890e85d79ea71b22851c8c902548ce6bb00a578e4af64d64f36a06a05161aca2db21d1096dfad35bc5b23aa30f4690da3365dbf
- SSDEEP: 6144:w+U5VhOuzz4Jms1kN08FabM2n09yG+w8r2N48jqqJoMfRfcWrbKOIOAlrJcWp/:q5Vh/2kvFabNn0yBw7K8RDRXr0NV
Malware Config
Signatures
- Unsigned PE (1 IoC): checks for a missing Authenticode signature.
  resource: 0fd1e6fcdf8175c95bd3272e735ecb3a_JaffaCakes118
Files
-
0fd1e6fcdf8175c95bd3272e735ecb3a_JaffaCakes118.dll windows:5 windows x86 arch:x86
68f9369a0dec1075c6d2685ea2dfdfa9
Headers
File Characteristics
IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LINE_NUMS_STRIPPED
IMAGE_FILE_LOCAL_SYMS_STRIPPED
IMAGE_FILE_32BIT_MACHINE
IMAGE_FILE_DLL
PDB Paths
Imports
msvcrt
wcscat
vsprintf
sprintf
wcscpy
_purecall
wcsncmp
wcsncat
free
_wcsicmp
wcstok
wcsstr
_wcsupr
wcspbrk
wcsncpy
wcscspn
swprintf
_itow
_except_handler3
strncpy
wcslen
memmove
ntdll
NtSetInformationThread
RtlMakeSelfRelativeSD
RtlValidAcl
RtlGetSaclSecurityDescriptor
RtlGetOwnerSecurityDescriptor
RtlGetGroupSecurityDescriptor
RtlCopySecurityDescriptor
RtlQueryInformationAcl
RtlDeleteSecurityObject
RtlAddAce
RtlSetSecurityObject
RtlInitializeResource
NtQueryKey
RtlNtStatusToDosError
NtRaiseHardError
RtlAdjustPrivilege
NtShutdownSystem
NtOpenProcessToken
NtAdjustPrivilegesToken
RtlAllocateAndInitializeSid
NtSetValueKey
NtDeleteKey
NtOpenKey
RtlQueryRegistryValues
LdrLoadDll
LdrGetProcedureAddress
LdrUnloadDll
RtlInitializeCriticalSectionAndSpinCount
RtlInitializeCriticalSection
RtlCompareMemory
RtlReleaseResource
RtlAcquireResourceExclusive
RtlEqualPrefixSid
RtlpNtEnumerateSubKey
RtlAbortRXact
RtlApplyRXact
NtOpenThreadToken
NtQueryInformationToken
RtlLengthSecurityDescriptor
RtlFreeUnicodeString
RtlIdentifierAuthoritySid
RtlAreAllAccessesGranted
NtCloseObjectAuditAlarm
RtlInitializeBitMap
RtlEnterCriticalSection
RtlLeaveCriticalSection
NtFlushKey
RtlGetNtProductType
RtlInitializeRXact
RtlInitializeSid
NtCreateToken
RtlConvertSidToUnicodeString
RtlpNtCreateKey
RtlpNtSetValueKey
RtlAppendUnicodeStringToString
RtlStartRXact
RtlCopyUnicodeString
NtQuerySystemTime
RtlAppendUnicodeToString
RtlApplyRXactNoFlush
RtlCreateSecurityDescriptor
RtlSetOwnerSecurityDescriptor
RtlSetGroupSecurityDescriptor
RtlCreateAcl
RtlMapGenericMask
RtlAddAccessAllowedAce
RtlSetDaclSecurityDescriptor
RtlAddAuditAccessAce
RtlSetSaclSecurityDescriptor
RtlAbsoluteToSelfRelativeSD
RtlGetDaclSecurityDescriptor
RtlGetAce
RtlSubAuthorityCountSid
RtlSubAuthoritySid
RtlSetBits
NtQueryValueKey
RtlSetAllBits
RtlFreeHeap
RtlAllocateHeap
RtlAddAttributeActionToRXact
RtlClearAllBits
DbgPrint
RtlLengthRequiredSid
NtDeleteObjectAuditAlarm
RtlValidSid
RtlAddActionToRXact
RtlpNtOpenKey
RtlpNtQueryValueKey
NtClose
NtAllocateLocallyUniqueId
NtAccessCheckByTypeResultListAndAuditAlarm
NtAccessCheckAndAuditAlarm
NtAccessCheck
NtAccessCheckByTypeResultList
RtlGetControlSecurityDescriptor
RtlEqualSid
RtlEqualUnicodeString
RtlInitUnicodeString
RtlCompareUnicodeString
RtlInitString
RtlEqualDomainName
RtlLengthSid
RtlCopySid
RtlValidSecurityDescriptor
RtlUpcaseUnicodeStringToOemString
RtlOemStringToUnicodeString
RtlEqualComputerName
RtlDnsHostNameToComputerName
RtlTimeToTimeFields
RtlExtendedIntegerMultiply
RtlExtendedLargeIntegerDivide
NtDelayExecution
NtRestoreKey
RtlUnicodeToOemN
RtlxUnicodeStringToOemSize
NlsMbOemCodePageTag
RtlIntegerToUnicodeString
NtPrivilegedServiceAuditAlarm
NtPrivilegeCheck
NtOpenThread
NtOpenProcess
NtCreateEvent
NtSetEvent
NtEnumerateKey
NtQuerySecurityObject
NtSetSecurityObject
NtDeleteValueKey
RtlCreateUnicodeString
NtConnectPort
NtRequestWaitReplyPort
NtOpenEvent
rpcrt4
RpcBindingFree
RpcStringBindingParseA
RpcBindingToStringBindingA
RpcSsGetContextBinding
I_RpcBindingIsClientLocal
I_RpcMapWin32Status
RpcImpersonateClient
RpcRevertToSelf
RpcServerRegisterAuthInfoW
RpcServerUseProtseqExW
RpcServerUseProtseqW
RpcServerInqBindings
RpcEpRegisterW
RpcBindingVectorFree
NdrServerCall2
UuidToStringA
RpcStringFreeA
RpcMgmtStopServerListening
RpcBindingServerFromClient
RpcBindingToStringBindingW
RpcStringBindingParseW
RpcStringFreeW
RpcServerRegisterIf
RpcServerUseProtseqEpW
kernel32
lstrcpyW
GetModuleFileNameW
GetModuleHandleW
CompareStringW
GetSystemDefaultLCID
InterlockedExchange
FormatMessageW
GetLastError
LocalFree
InterlockedIncrement
InterlockedDecrement
GetTickCount
GetComputerNameExW
GetComputerNameW
GetVersionExW
MultiByteToWideChar
GetLocalTime
DeleteCriticalSection
LoadLibraryW
DelayLoadFailureHook
CloseHandle
SetFilePointer
CreateFileW
GetWindowsDirectoryW
FlushFileBuffers
WaitForSingleObject
SetUnhandledExceptionFilter
UnhandledExceptionFilter
GetCurrentProcess
TerminateProcess
DisableThreadLibraryCalls
LoadLibraryA
InterlockedCompareExchange
CompareFileTime
GetEnvironmentVariableW
FindFirstFileW
DeleteFileW
FindNextFileW
FindClose
RemoveDirectoryW
GetCurrentProcessId
GetCurrentThreadId
QueryPerformanceCounter
GlobalMemoryStatus
GetDiskFreeSpaceA
GetComputerNameA
GetProcAddress
LocalAlloc
lstrlenW
GetTimeZoneInformation
GetSystemTimeAsFileTime
GetStringTypeW
Sleep
SetConsoleCtrlHandler
SetProcessShutdownParameters
SetErrorMode
FreeLibrary
InitializeCriticalSection
CreateThread
WriteFile
advapi32
TraceEvent
RegCloseKey
RegSetValueExW
RegCreateKeyExW
GetTraceEnableFlags
GetTraceEnableLevel
GetTraceLoggerHandle
RegisterTraceGuidsW
RegQueryValueExW
RegOpenKeyW
ConvertSidToStringSidW
GetSecurityDescriptorLength
LsaFreeMemory
GetLengthSid
GetSidSubAuthority
InitializeSid
GetSidIdentifierAuthority
GetSidSubAuthorityCount
GetWindowsAccountDomainSid
RegQueryValueExA
ConvertSidToStringSidA
RegSetValueExA
RegCreateKeyA
SystemFunction007
SystemFunction006
CheckTokenMembership
MapGenericMask
GetSecurityDescriptorDacl
GetSecurityDescriptorSacl
RegSaveKeyW
RegReplaceKeyW
RegLoadKeyW
LsaOpenPolicy
LsaStorePrivateData
LsaClose
RegUnLoadKeyW
A_SHAInit
A_SHAUpdate
A_SHAFinal
GetUserNameA
ElfRegisterEventSourceW
ElfReportEventW
ElfDeregisterEventSource
ImpersonateLoggedOnUser
RevertToSelf
SystemFunction030
SystemFunction021
SystemFunction023
SystemFunction024
SystemFunction026
SystemFunction015
SystemFunction013
SystemFunction036
RegOpenKeyExW
SystemFunction025
SystemFunction027
SystemFunction031
SystemFunction029
MD5Init
MD5Update
MD5Final
InitializeAcl
AddAuditAccessAce
InitializeSecurityDescriptor
SetSecurityDescriptorOwner
SetSecurityDescriptorGroup
SetSecurityDescriptorDacl
SetSecurityDescriptorSacl
MakeSelfRelativeSD
AddAccessDeniedObjectAce
AddAccessDeniedAce
AddAccessAllowedObjectAce
AddAccessAllowedAce
FindFirstFreeAce
GetAce
GetSecurityDescriptorGroup
GetSecurityDescriptorOwner
TraceMessage
user32
wsprintfW
wsprintfA
GetMessageTime
GetCursorPos
GetSystemMetrics
lsasrv
LsarQueryInformationPolicy
LsaIFree_LSAPR_POLICY_INFORMATION
LsaIHealthCheck
LsaIGetBootOption
LsaISetBootOption
LsaIChangeSecretCipherKey
LsaILookupWellKnownName
LsarSetInformationPolicy
LsaIRegisterPolicyChangeNotificationCallback
LsaISafeMode
LsaISamIndicatedDsStarted
LsaIQueryInformationPolicyTrusted
LsaIAuditSamEvent
LsaIAuditNotifyPackageLoad
LsaISetSerialNumberPolicy
LsaINotifyChangeNotification
LsarClose
LsaIOpenPolicyTrusted
LsaIRegisterNotification
cryptdll
CDGenerateRandomBits
dnsapi
DnsValidateName_W
DnsNameCompare_W
Exports
SamIAccountRestrictions
SamIAddDSNameToAlias
SamIAddDSNameToGroup
SamIAmIGC
SamIChangePasswordForeignUser
SamIChangePasswordForeignUser2
SamIConnect
SamICreateAccountByRid
SamIDemote
SamIDemoteUndo
SamIDoFSMORoleChange
SamIDsCreateObjectInDomain
SamIDsSetObjectInformation
SamIEnumerateAccountRids
SamIEnumerateInterdomainTrustAccountsForUpgrade
SamIFloatingSingleMasterOpEx
SamIFreeSidAndAttributesList
SamIFreeSidArray
SamIFreeVoid
SamIFree_SAMPR_ALIAS_INFO_BUFFER
SamIFree_SAMPR_DISPLAY_INFO_BUFFER
SamIFree_SAMPR_DOMAIN_INFO_BUFFER
SamIFree_SAMPR_ENUMERATION_BUFFER
SamIFree_SAMPR_GET_GROUPS_BUFFER
SamIFree_SAMPR_GET_MEMBERS_BUFFER
SamIFree_SAMPR_GROUP_INFO_BUFFER
SamIFree_SAMPR_PSID_ARRAY
SamIFree_SAMPR_RETURNED_USTRING_ARRAY
SamIFree_SAMPR_SR_SECURITY_DESCRIPTOR
SamIFree_SAMPR_ULONG_ARRAY
SamIFree_SAMPR_USER_INFO_BUFFER
SamIFree_UserInternal6Information
SamIGCLookupNames
SamIGCLookupSids
SamIGetAliasMembership
SamIGetBootKeyInformation
SamIGetDefaultAdministratorName
SamIGetFixedAttributes
SamIGetInterdomainTrustAccountPasswordsForUpgrade
SamIGetPrivateData
SamIGetResourceGroupMembershipsTransitive
SamIGetSerialNumberDomain
SamIGetUserLogonInformation
SamIGetUserLogonInformation2
SamIGetUserLogonInformationEx
SamIImpersonateNullSession
SamIIncrementPerformanceCounter
SamIInitialize
SamIIsDownlevelDcUpgrade
SamIIsExtendedSidMode
SamIIsRebootAfterPromotion
SamIIsSetupInProgress
SamILoadDownlevelDatabase
SamILoopbackConnect
SamIMixedDomain
SamIMixedDomain2
SamINT4UpgradeInProgress
SamINetLogonPing
SamINotifyDelta
SamINotifyRoleChange
SamINotifyServerDelta
SamIOpenAccount
SamIOpenUserByAlternateId
SamIPromote
SamIPromoteUndo
SamIQueryServerRole
SamIQueryServerRole2
SamIRemoveDSNameFromAlias
SamIRemoveDSNameFromGroup
SamIReplaceDownlevelDatabase
SamIResetBadPwdCountOnPdc
SamIRetrievePrimaryCredentials
SamIRevertNullSession
SamISameSite
SamISetAuditingInformation
SamISetMixedDomainFlag
SamISetPasswordForeignUser
SamISetPasswordForeignUser2
SamISetPasswordInfoOnPdc
SamISetPrivateData
SamISetSerialNumberDomain
SamIStorePrimaryCredentials
SamIUPNFromUserHandle
SamIUnLoadDownlevelDatabase
SamIUpdateLogonStatistics
SampAbortSingleLoopbackTask
SampAccountControlToFlags
SampAcquireSamLockExclusive
SampAcquireWriteLock
SampCommitBufferedWrites
SampConvertNt4SdToNt5Sd
SampDsChangePasswordUser
SampFlagsToAccountControl
SampGetDefaultSecurityDescriptorForClass
SampGetSerialNumberDomain2
SampInitializeRegistry
SampInitializeSdConversion
SampInvalidateDomainCache
SampInvalidateRidRange
SampNetLogonNotificationRequired
SampNotifyReplicatedInChange
SampProcessSingleLoopbackTask
SampReleaseSamLockExclusive
SampReleaseWriteLock
SampRtlConvertUlongToUnicodeString
SampSetSerialNumberDomain2
SampUsingDsData
SampWriteGroupType
SamrAddMemberToAlias
SamrAddMemberToGroup
SamrAddMultipleMembersToAlias
SamrChangePasswordUser
SamrCloseHandle
SamrCreateAliasInDomain
SamrCreateGroupInDomain
SamrCreateUser2InDomain
SamrCreateUserInDomain
SamrDeleteAlias
SamrDeleteGroup
SamrDeleteUser
SamrEnumerateAliasesInDomain
SamrEnumerateDomainsInSamServer
SamrEnumerateGroupsInDomain
SamrEnumerateUsersInDomain
SamrGetAliasMembership
SamrGetGroupsForUser
SamrGetMembersInAlias
SamrGetMembersInGroup
SamrGetUserDomainPasswordInformation
SamrLookupDomainInSamServer
SamrLookupIdsInDomain
SamrLookupNamesInDomain
SamrOpenAlias
SamrOpenDomain
SamrOpenGroup
SamrOpenUser
SamrQueryDisplayInformation
SamrQueryInformationAlias
SamrQueryInformationDomain
SamrQueryInformationGroup
SamrQueryInformationUser
SamrQuerySecurityObject
SamrRemoveMemberFromAlias
SamrRemoveMemberFromForeignDomain
SamrRemoveMemberFromGroup
SamrRemoveMultipleMembersFromAlias
SamrRidToSid
SamrSetInformationAlias
SamrSetInformationDomain
SamrSetInformationGroup
SamrSetInformationUser
SamrSetMemberAttributesOfGroup
SamrSetSecurityObject
SamrShutdownSamServer
SamrTestPrivateFunctionsDomain
SamrTestPrivateFunctionsUser
SamrUnicodeChangePasswordUser2
Sections
.text Size: 335KB - Virtual size: 334KB
IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ
.data Size: 74KB - Virtual size: 83KB
IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE
.rsrc Size: 47KB - Virtual size: 47KB
IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
.reloc Size: 12KB - Virtual size: 12KB
IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ