0f218075ff691f51bb584af26d9b43f7_JaffaCakes118

General

Target

0f218075ff691f51bb584af26d9b43f7_JaffaCakes118
Size

18KB
MD5

0f218075ff691f51bb584af26d9b43f7
SHA1

69440da61fd36fd95673733c3c0d2cf9b0b54b5b
SHA256

e9fd94e4efe9a193baae77971e0c371972ca36a7d831489de089b2fccdb7d33f
SHA512

30c141e6771227b3c8502805ed9685d507da1a18bd0f2ccc20c8d31d677f3407c6ed0e71bcbbc3a34274cff5aad56267b1dd29c4dff72239ee0791f134a91f25
SSDEEP

384:VSiuXGByd86/ehNsX9qDyQUi+rpxyYrb:VSi+xztqDyJi+lx3r

Score

3^/10

Malware Config

Signatures

Unsigned PE 1 IoCs

Checks for missing Authenticode signature.

resource
0f218075ff691f51bb584af26d9b43f7_JaffaCakes118

Files

0f218075ff691f51bb584af26d9b43f7_JaffaCakes118
.sys windows:6 windows x86 arch:x86

80d17ab5beb9002869985594215404b5

Headers

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_32BIT_MACHINE

PDB Paths

d:\informatyka\rootkit\hybridxp2\objchk_win7_x86\i386\cpu2.pdb

Imports

ntoskrnl.exe

DbgPrint
IoCreateSymbolicLink
IoCreateDevice
RtlInitUnicodeString
IoDeleteDevice
IoDeleteSymbolicLink
IofCompleteRequest
RtlAssert
atoi
RtlAnsiStringToUnicodeString
RtlInitAnsiString
MmMapLockedPagesSpecifyCache
memcpy
ExInitializePagedLookasideList
ExDeletePagedLookasideList
InterlockedPopEntrySList
ExFreePoolWithTag
ObReferenceObjectByHandle
ZwCreateFile
InterlockedPushEntrySList
ExAllocatePool
ZwClose
ObfDereferenceObject
IoCancelIrp
KeWaitForSingleObject
IofCallDriver
IoAllocateIrp
KeInitializeEvent
KeSetEvent
IoFreeIrp
IoFreeMdl
MmUnlockPages
MmProbeAndLockPages
IoAllocateMdl
PsGetVersion
RtlGetVersion
IoGetCurrentProcess
ZwSetValueKey
ZwOpenKey
ZwWriteFile
ZwReadFile
ZwQueryInformationFile
KeTickCount
KeBugCheckEx
RtlUnwind

Sections

.text
Size: 9KB - Virtual size: 8KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rdata
Size: 512B - Virtual size: 452B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.data
Size: 512B - Virtual size: 6KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

PAGE
Size: 4KB - Virtual size: 4KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

PAGEboom
Size: 512B - Virtual size: 80B

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

INIT
Size: 1KB - Virtual size: 1KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.reloc
Size: 1024B - Virtual size: 802B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ

Sharing

General

Malware Config

Signatures

Files

80d17ab5beb9002869985594215404b5

Headers

File Characteristics

PDB Paths

Imports

ntoskrnl.exe

Sections

.text Size: 9KB - Virtual size: 8KB

.rdata Size: 512B - Virtual size: 452B

.data Size: 512B - Virtual size: 6KB

PAGE Size: 4KB - Virtual size: 4KB

PAGEboom Size: 512B - Virtual size: 80B

INIT Size: 1KB - Virtual size: 1KB

.reloc Size: 1024B - Virtual size: 802B

.text
Size: 9KB - Virtual size: 8KB

.rdata
Size: 512B - Virtual size: 452B

.data
Size: 512B - Virtual size: 6KB

PAGE
Size: 4KB - Virtual size: 4KB

PAGEboom
Size: 512B - Virtual size: 80B

INIT
Size: 1KB - Virtual size: 1KB

.reloc
Size: 1024B - Virtual size: 802B