15b1610b42bbfe5206ddcfc71edc3171_JaffaCakes118

General

Target

15b1610b42bbfe5206ddcfc71edc3171_JaffaCakes118
Size

31KB
MD5

15b1610b42bbfe5206ddcfc71edc3171
SHA1

601a217995709321d92ed3a0125f8e354886fea9
SHA256

5c45f90cebb9711894392e9d6a35b5e314d5eaf9fd387d166e95b51e7784032f
SHA512

937a9740fb9314ad4e5247b11e118f7c1b09e538e6be5b28c1e0155b26c94be13f15c69815bc5b1ff06301b07f19147375c0b463f49e549ae339519eb18b66be
SSDEEP

768:4Iwju/6RhgoUK0IqrFqSQ8zXMY7XyT+L:pwZ3goUK09rU/8AYz

Score

7^/10

vmprotect

Malware Config

Signatures

VMProtect packed file 1 IoCs

Detects executables packed with VMProtect commercial packer.

vmprotect

resource	yara_rule
sample	vmprotect

Unsigned PE 1 IoCs

Checks for missing Authenticode signature.

resource
15b1610b42bbfe5206ddcfc71edc3171_JaffaCakes118

Files

15b1610b42bbfe5206ddcfc71edc3171_JaffaCakes118
.sys windows:5 windows x86 arch:x86

605eb8db601fd2a13a769e2dd2a5ea1d

Headers

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LINE_NUMS_STRIPPED
IMAGE_FILE_LOCAL_SYMS_STRIPPED
IMAGE_FILE_32BIT_MACHINE

PDB Paths

F:\gui-单一\addssdt_shado_Release_发行-不能卸载\objfre\i386\kll.pdb

Imports

ntoskrnl.exe

ExAllocatePoolWithTag
KeServiceDescriptorTable
MmIsAddressValid
KeAddSystemServiceTable
ZwQuerySystemInformation
ExFreePoolWithTag
ZwClose
wcsncmp
ZwQueryObject
ZwDuplicateObject
NtOpenProcess
PsGetVersion
IofCompleteRequest
IoDeleteDevice
IoDeleteSymbolicLink
KeDetachProcess
KeAttachProcess
PsLookupProcessByProcessId
IoCreateSymbolicLink
IoCreateDevice
RtlInitUnicodeString
_except_handler3

Sections

.text
Size: 2KB - Virtual size: 2KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rdata
Size: 256B - Virtual size: 256B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.data
Size: 2KB - Virtual size: 2KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

INIT
Size: 640B - Virtual size: 596B

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.vmp0
Size: 384B - Virtual size: 322B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.vmp1
Size: 23KB - Virtual size: 23KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.reloc
Size: 640B - Virtual size: 608B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ

Sharing

General

Malware Config

Signatures

Files

605eb8db601fd2a13a769e2dd2a5ea1d

Headers

File Characteristics

PDB Paths

Imports

ntoskrnl.exe

Sections

.text Size: 2KB - Virtual size: 2KB

.rdata Size: 256B - Virtual size: 256B

.data Size: 2KB - Virtual size: 2KB

INIT Size: 640B - Virtual size: 596B

.vmp0 Size: 384B - Virtual size: 322B

.vmp1 Size: 23KB - Virtual size: 23KB

.reloc Size: 640B - Virtual size: 608B

.text
Size: 2KB - Virtual size: 2KB

.rdata
Size: 256B - Virtual size: 256B

.data
Size: 2KB - Virtual size: 2KB

INIT
Size: 640B - Virtual size: 596B

.vmp0
Size: 384B - Virtual size: 322B

.vmp1
Size: 23KB - Virtual size: 23KB

.reloc
Size: 640B - Virtual size: 608B