Static task
static1

General
Target: 0f4749ff6cd16f1c8f62f111eb04e926_JaffaCakes118
Size: 824KB
MD5: 0f4749ff6cd16f1c8f62f111eb04e926
SHA1: 22aab3c0c04a80ca51a8c9ea2c227ff46193d43a
SHA256: 0f89929967b8978e85a506c43cab5c9d149dafc89cd001e502489fa20adddd57
SHA512: 675a20f3b67d43ec77c5a3c444b10ffb3790026235d0e53e153988d5126372541dcdd652bf4549c064016bca344c728283dd934d40eeb1cc90e85a6efcc03657
SSDEEP: 12288:gNzUzgsgce8DaQtdEn1/wnhBiauqxwRDrxI+A0Z2oIrcBxbCz6HRMuT9loO3UNLN:gNzUzeoBO14n/ixkQDNIwarW+zG/PUf
Malware Config
Signatures
Unsigned PE (1 IoC)
Checks for missing Authenticode signature: the image carries no certificate table (the IMAGE_DIRECTORY_ENTRY_SECURITY data directory is empty). Note that this is a 32-bit (x86) kernel-mode driver. Kernel-mode code signing is enforced on 64-bit Windows, which refuses to load an unsigned driver; 32-bit Windows does not enforce it for ordinary drivers (only for protected-media drivers), so the missing signature alone would not stop this file from loading on a 32-bit kernel.
resource: 0f4749ff6cd16f1c8f62f111eb04e926_JaffaCakes118
Files
0f4749ff6cd16f1c8f62f111eb04e926_JaffaCakes118.sys   windows:4 windows x86 arch:x86
4ff73cb2e1c69eb4a4a6d07a736c399c
Headers
File Characteristics
IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_32BIT_MACHINE
Imports (ntoskrnl.exe only, 115 entries)
Caveat for analysts: the list mixes exports that no single driver would plausibly use together (boot-video Inbv* routines, Lsa* logon-process calls, Cc*/FsRtl* file-system-filter helpers, KeI386AbiosCall, MmRemovePhysicalMemory, the HalDispatchTable and KiBugCheckData data exports). An import table of that shape is what a padded or randomized import directory looks like, so treat it as weak evidence of capability and a reason to distrust import-hash matching for this sample rather than as a feature list; confirm actual API use from the code, not from the directory.
ntoskrnl.exe
ExAllocatePoolWithTag
sprintf
ZwQuerySystemInformation
ExFreePoolWithTag
memmove
RtlFindMessage
IoCreateDevice
LsaLookupAuthenticationPackage
ObQueryObjectAuditingByHandle
MmRemovePhysicalMemory
FsRtlMdlReadDev
RtlFindClearBits
NtDuplicateObject
MmFlushImageSection
InterlockedExchangeAdd
IoBuildPartialMdl
ZwOpenProcess
RtlGetElementGenericTable
KeSetSystemAffinityThread
MmSecureVirtualMemory
IofCompleteRequest
RtlxUnicodeStringToOemSize
RtlUpcaseUnicodeStringToAnsiString
InbvInstallDisplayStringFilter
ExInitializeNPagedLookasideList
RtlAreAnyAccessesGranted
RtlGetCompressionWorkSpaceSize
InbvSetScrollRegion
FsRtlIsFatDbcsLegal
RtlWalkFrameChain
RtlDeleteRegistryValue
RtlDeleteAce
ZwQuerySymbolicLinkObject
SeSystemDefaultDacl
RtlTimeToSecondsSince1970
IoDeleteDevice
KeRemoveByKeyDeviceQueue
RtlInitString
InbvDisplayString
ExUuidCreate
IoIsValidNameGraftingBuffer
SeDeassignSecurity
ZwRequestWaitReplyPort
FsRtlLookupLastMcbEntry
MmProbeAndLockProcessPages
CcSetLogHandleForFile
NtLockFile
FsRtlCopyRead
FsRtlSyncVolumes
RtlImageDirectoryEntryToData
IoGetStackLimits
IoCancelFileOpen
MmUnsecureVirtualMemory
CcSetReadAheadGranularity
KeTickCount
IoGetDeviceObjectPointer
KeReleaseSemaphore
ZwYieldExecution
FsRtlPrepareMdlWrite
RtlCopyUnicodeString
IoIsSystemThread
KeRestoreFloatingPointState
FsRtlFastUnlockAll
RtlIsValidOemCharacter
ZwOpenEvent
MmSetBankedSection
IoDeviceHandlerObjectType
ZwClearEvent
RtlLookupElementGenericTable
ZwOpenThread
KeI386AbiosCall
RtlAddRange
READ_REGISTER_BUFFER_USHORT
RtlCharToInteger
PsLookupProcessThreadByCid
KeInsertDeviceQueue
ExInterlockedIncrementLong
ZwSetInformationThread
FsRtlNotifyReportChange
ExInterlockedExtendZone
NtDeviceIoControlFile
MmSystemRangeStart
FsRtlNotifyFullReportChange
SeMarkLogonSessionForTerminationNotification
PoCallDriver
wcstombs
HalDispatchTable
KeReadStateEvent
CcSetDirtyPinnedData
MmMapLockedPagesSpecifyCache
FsRtlTruncateLargeMcb
KiBugCheckData
PsGetProcessExitTime
MmIsDriverVerifying
KeSetTimerEx
FsRtlLegalAnsiCharacterArray
LsaRegisterLogonProcess
ExInterlockedFlushSList
KeReleaseSpinLockFromDpcLevel
FsRtlCheckOplock
FsRtlPrivateLock
IoCreateSymbolicLink
FsRtlNormalizeNtstatus
NtAllocateLocallyUniqueId
strcpy
ZwDisplayString
KeI386ReleaseLid
RtlCopyLuid
ExSystemTimeToLocalTime
RtlPrefetchMemoryNonTemporal
FsRtlPostPagingFileStackOverflow
PsGetCurrentProcessId
NtWaitForSingleObject
ExAllocatePoolWithTagPriority
ZwSetInformationObject
Sections
.text   Size: 385KB   Virtual size: 385KB
        IMAGE_SCN_CNT_CODE | IMAGE_SCN_MEM_EXECUTE | IMAGE_SCN_MEM_READ
.rdata  Size: 512B    Virtual size: 484B
        IMAGE_SCN_CNT_INITIALIZED_DATA | IMAGE_SCN_MEM_READ
.data   Size: 14KB    Virtual size: 23KB
        IMAGE_SCN_CNT_INITIALIZED_DATA | IMAGE_SCN_MEM_READ | IMAGE_SCN_MEM_WRITE
INIT    Size: 3KB     Virtual size: 3KB
        IMAGE_SCN_CNT_CODE | IMAGE_SCN_MEM_DISCARDABLE | IMAGE_SCN_MEM_EXECUTE | IMAGE_SCN_MEM_READ | IMAGE_SCN_MEM_WRITE
.reloc  Size: 419KB   Virtual size: 418KB
        IMAGE_SCN_CNT_INITIALIZED_DATA | IMAGE_SCN_MEM_DISCARDABLE | IMAGE_SCN_MEM_READ

Notes on the layout: a writable, executable, discardable INIT section is the normal linker layout for a driver's initialization code and is not by itself a finding. The .reloc section, however, is larger than .text (419KB against 385KB of code and 23KB of data); base-relocation blocks cost about two bytes per relocated pointer, so relocation data alone could not fill a section of that size from this much code. Worth checking whether .reloc actually holds relocation blocks or is being used as a container for packed or encrypted data.