160ac2efaea20e227daf95fa1702e179_JaffaCakes118

Sharing

Copy URL Twitter E-mail

General

Target

160ac2efaea20e227daf95fa1702e179_JaffaCakes118
Size

339KB
MD5

160ac2efaea20e227daf95fa1702e179
SHA1

b3311fac40ba15f006aa80326e7b2a3a8056c254
SHA256

74621c120a2c53b78ae4872e0bded05a33f18ff6486696795c85435ad277ab8d
SHA512

b5046523ad3daaf5cc4e80918c1b3fac8d08fb6ddc7987721923198846d756b53941fec45674830c1de6fc87267f17a2f0ab78d56da8739a27a2e530e1f3fd86
SSDEEP

6144:8IwQZ1gDKQspgRvB3375yZbIVflFEdiWPCK34+Jb7tPcmNb+6hBC:9gDYgBB339GCKLCvydx4wc

Score

7^/10

upx

Malware Config

Signatures

UPX packed file 1 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
static1/unpack001/NTIllusion/Release/tools/others/upx.exe	upx

Unsigned PE 5 IoCs

Checks for missing Authenticode signature.

resource
unpack001/NTIllusion/Release/kNTIllusion.dll
unpack001/NTIllusion/Release/tools/Dbgview.exe
unpack001/NTIllusion/Release/tools/kNtiLoader.exe
unpack001/NTIllusion/Release/tools/kinject.exe
unpack001/NTIllusion/Release/tools/others/upx.exe

Files

160ac2efaea20e227daf95fa1702e179_JaffaCakes118
.zip
NTIllusion/COPYING
NTIllusion/README
NTIllusion/Release/kNTIllusion.dll
.dll windows:4 windows x86 arch:x86

c05b5c74764dff2780491ab08f196bc1

Headers

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LINE_NUMS_STRIPPED
IMAGE_FILE_LOCAL_SYMS_STRIPPED
IMAGE_FILE_32BIT_MACHINE
IMAGE_FILE_DLL

Imports

kernel32

ExitProcess
GetProcAddress
GetModuleHandleA
FreeLibrary
LoadLibraryA
IsBadReadPtr
VirtualProtect
CloseHandle
ResumeThread
VirtualFreeEx
WaitForSingleObject
CreateRemoteThread
WriteProcessMemory
VirtualAllocEx
WideCharToMultiByte
GetModuleFileNameA
WriteFile
SetFilePointer
CreateFileA
ExpandEnvironmentStringsA
GetSystemTime
GetCurrentProcessId
LocalFree
FormatMessageA
GetLastError
GlobalFree
GlobalAlloc
TlsFree
TlsAlloc
HeapAlloc
HeapFree
InterlockedDecrement
InterlockedIncrement
GetCommandLineA
GetVersion
HeapDestroy
HeapCreate
VirtualFree
InitializeCriticalSection
DeleteCriticalSection
EnterCriticalSection
LeaveCriticalSection
OutputDebugStringA
VirtualAlloc
HeapReAlloc
MultiByteToWideChar
LCMapStringA
LCMapStringW
TerminateProcess
GetCurrentProcess
GetCurrentThreadId
TlsSetValue
TlsGetValue
SetHandleCount
GetStdHandle
GetFileType
GetStartupInfoA
FreeEnvironmentStringsA
FreeEnvironmentStringsW
GetEnvironmentStrings
GetEnvironmentStringsW
GetCPInfo
GetACP
RtlUnwind
GetOEMCP
GetStringTypeA
GetStringTypeW

user32

wsprintfA
wvsprintfA

Exports

Exports

InstallHook
SetUpHook
_HookProc@12

Sections

.text
Size: 24KB - Virtual size: 22KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rdata
Size: 4KB - Virtual size: 3KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.data
Size: 8KB - Virtual size: 27KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.reloc
Size: 4KB - Virtual size: 3KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ
NTIllusion/Release/tools/Dbgview.exe
.exe windows:4 windows x86 arch:x86

b1c82472ef00938804b6e3364b236ddb

Headers

File Characteristics

IMAGE_FILE_RELOCS_STRIPPED
IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LINE_NUMS_STRIPPED
IMAGE_FILE_LOCAL_SYMS_STRIPPED
IMAGE_FILE_32BIT_MACHINE

Imports

kernel32

SizeofResource
LoadResource
FindResourceA
RaiseException
GetTickCount
GlobalReAlloc
GlobalUnlock
GlobalLock
GlobalAlloc
lstrcatA
HeapFree
lstrcpyA
HeapAlloc
GetProcessHeap
GetTimeFormatA
DosDateTimeToFileTime
FileTimeToSystemTime
FileTimeToLocalFileTime
GetFileSize
GlobalFree
WriteFileEx
QueueUserAPC
SleepEx
SetEndOfFile
GetOEMCP
GetACP
GetCPInfo
SetStdHandle
LockResource
GetFileType
GetStdHandle
SetHandleCount
GetEnvironmentStringsW
GetEnvironmentStrings
FreeEnvironmentStringsW
FreeEnvironmentStringsA
FlushFileBuffers
LCMapStringW
LCMapStringA
WideCharToMultiByte
GetStringTypeW
GetStringTypeA
MultiByteToWideChar
UnhandledExceptionFilter
TerminateProcess
TlsGetValue
TlsAlloc
DeleteCriticalSection
HeapReAlloc
VirtualAlloc
VirtualFree
HeapCreate
HeapDestroy
GetVersionExA
GetModuleFileNameA
ExitProcess
GetStartupInfoA
InterlockedDecrement
ExitThread
TlsSetValue
CreateThread
ResumeThread
RtlUnwind
GetCurrentProcess
ReadFile
WaitForMultipleObjects
ResetEvent
WriteFile
GetOverlappedResult
GetVersion
GetCommandLineA
GetFullPathNameA
GetComputerNameA
GetCurrentProcessId
InitializeCriticalSection
lstrlenA
FindFirstFileA
SearchPathA
FindClose
GlobalMemoryStatus
LoadLibraryA
FreeLibrary
GetSystemDirectoryA
GetCurrentDirectoryA
CreateFileA
DeleteFileA
QueryPerformanceFrequency
DeviceIoControl
GetCurrentThreadId
CopyFileA
WaitForSingleObject
SetLastError
OpenMutexA
CreateMutexA
CreateFileMappingA
MapViewOfFile
CreateEventA
UnmapViewOfFile
GetSystemTime
SystemTimeToFileTime
QueryPerformanceCounter
SetEvent
InterlockedIncrement
CloseHandle
lstrcpynA
GetLastError
FormatMessageA
LocalFree
EnterCriticalSection
TerminateThread
LeaveCriticalSection
GetModuleHandleA
GetProcAddress
GetEnvironmentVariableA
SetFilePointer

user32

CheckMenuItem
GetMenu
MessageBoxA
InsertMenuItemA
GetMenuItemCount
GetSubMenu
SetCursor
InvalidateRect
ChildWindowFromPoint
GetSysColor
GetSysColorBrush
LoadCursorA
GetDlgItem
EndDialog
ShowWindow
SetWindowTextA
CloseClipboard
SetClipboardData
EmptyClipboard
BeginPaint
DrawTextA
GetFocus
PostQuitMessage
OpenClipboard
GetMenuCheckMarkDimensions
GetDC
GetWindowTextA
LoadIconA
SendMessageA
GetSystemMetrics
ClientToScreen
ScreenToClient
GetDialogBaseUnits
DrawFocusRect
GetParent
IsDlgButtonChecked
PostMessageA
CheckRadioButton
RegisterClassExA
FindWindowA
LoadAcceleratorsA
RegisterWindowMessageA
PeekMessageA
MsgWaitForMultipleObjects
TranslateAcceleratorA
IsWindow
IsDialogMessageA
TranslateMessage
DispatchMessageA
GetMessageA
CallWindowProcA
GetWindowThreadProcessId
SetWindowLongA
EnableWindow
CheckDlgButton
ReleaseDC
CreateWindowExA
UpdateWindow
RegisterClassA
LoadBitmapA
SetTimer
ModifyMenuA
MoveWindow
KillTimer
DefWindowProcA
LoadStringA
SetWindowPos
InvalidateRgn
CreateDialogParamA
GetClientRect
GetCursorPos
DestroyWindow
SetForegroundWindow
TrackPopupMenu
SetDlgItemTextA
SendDlgItemMessageA
AttachThreadInput
AppendMenuA
SetMenuItemBitmaps
DialogBoxParamA
SetFocus
GetDlgItemTextA
SetCapture
ReleaseCapture
EnableMenuItem
DeleteMenu
GetWindowRect
IsIconic
IsZoomed
EndPaint

gdi32

GetTextExtentPointA
StartDocA
GetDeviceCaps
CreateFontA
StartPage
TextOutA
EndPage
AbortDoc
SelectObject
SetTextColor
SetBkMode
CreateFontIndirectA
GetObjectA
GetStockObject
DeleteDC
StretchBlt
CreateCompatibleBitmap
CreateCompatibleDC
CreateSolidBrush
GetTextMetricsA
DeleteObject
SetBkColor
ExtTextOutA
GetTextExtentPoint32A
SetAbortProc
EndDoc

ws2_32

closesocket
WSAGetLastError
connect
socket
gethostbyname
htons
htonl
bind
getsockname
listen
accept
WSAStartup
inet_addr
gethostbyaddr

mpr

WNetCancelConnection2A
WNetAddConnection2A

comctl32

ord17
CreateToolbarEx

comdlg32

ChooseColorA
GetOpenFileNameA
GetSaveFileNameA
FindTextA
PrintDlgA
ChooseFontA

advapi32

RegOpenKeyExA
OpenSCManagerA
DeleteService
ControlService
OpenServiceA
StartServiceA
QueryServiceStatus
CreateServiceA
CloseServiceHandle
OpenProcessToken
LookupPrivilegeValueA
AdjustTokenPrivileges
InitializeSecurityDescriptor
SetSecurityDescriptorDacl
RegOpenKeyA
RegQueryValueExA
RegCreateKeyA
RegDeleteValueA
RegSetValueExA
RegCloseKey
RegDeleteKeyA

shell32

SHGetMalloc
ShellExecuteA
ShellExecuteExA
Shell_NotifyIconA
SHGetSpecialFolderLocation
SHBrowseForFolderA

Sections

.text
Size: 100KB - Virtual size: 96KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rdata
Size: 12KB - Virtual size: 8KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.data
Size: 24KB - Virtual size: 97KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.rsrc
Size: 88KB - Virtual size: 85KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
NTIllusion/Release/tools/dgview-reset.reg
NTIllusion/Release/tools/kNtiLoader.exe
.exe windows:4 windows x86 arch:x86

fc2b8eb9d0edad03db5d919a0e665228

Headers

File Characteristics

IMAGE_FILE_RELOCS_STRIPPED
IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LINE_NUMS_STRIPPED
IMAGE_FILE_LOCAL_SYMS_STRIPPED
IMAGE_FILE_32BIT_MACHINE

Imports

kernel32

GetStdHandle
GetProcAddress
LoadLibraryA
OutputDebugStringA
GetModuleHandleA
GetStartupInfoA
GetCommandLineA
GetVersion
ExitProcess
TerminateProcess
GetCurrentProcess
UnhandledExceptionFilter
GetModuleFileNameA
FreeEnvironmentStringsA
FreeEnvironmentStringsW
WideCharToMultiByte
GetEnvironmentStrings
GetEnvironmentStringsW
SetHandleCount
Sleep
GetFileType
HeapDestroy
HeapCreate
VirtualFree
HeapFree
RtlUnwind
WriteFile
GetCPInfo
GetACP
GetOEMCP
HeapAlloc
VirtualAlloc
HeapReAlloc
MultiByteToWideChar
LCMapStringA
LCMapStringW
GetStringTypeA
GetStringTypeW

Sections

.text
Size: 12KB - Virtual size: 10KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rdata
Size: 4KB - Virtual size: 1KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.data
Size: 4KB - Virtual size: 2KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE
NTIllusion/Release/tools/kinject.exe
.exe windows:4 windows x86 arch:x86

0b50038070d9555efb9cd8a683930dbd

Headers

File Characteristics

IMAGE_FILE_RELOCS_STRIPPED
IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LINE_NUMS_STRIPPED
IMAGE_FILE_LOCAL_SYMS_STRIPPED
IMAGE_FILE_DEBUG_STRIPPED

Imports

advapi32

AdjustTokenPrivileges
LookupPrivilegeValueA
OpenProcessToken

kernel32

CloseHandle
CreateProcessA
CreateRemoteThread
ExitProcess
FreeLibrary
GetCurrentProcess
GetLastError
GetModuleHandleA
GetProcAddress
LoadLibraryA
OpenProcess
SetUnhandledExceptionFilter
Sleep
VirtualAllocEx
WaitForSingleObject
WriteProcessMemory

msvcrt

__getmainargs
__p__environ
__set_app_type
_cexit
_fileno
_fmode
_fpreset
_iob
_setmode
atexit
atol
getchar
memset
printf
signal
strcmp
strlen

Sections

.text
Size: 3KB - Virtual size: 3KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.data
Size: 512B - Virtual size: 360B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.idata
Size: 1KB - Virtual size: 1KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE
NTIllusion/Release/tools/others/dgview-reset.reg
NTIllusion/Release/tools/others/upx.exe
.exe windows:4 windows x86 arch:x86

Headers

File Characteristics

IMAGE_FILE_RELOCS_STRIPPED
IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LINE_NUMS_STRIPPED
IMAGE_FILE_LOCAL_SYMS_STRIPPED
IMAGE_FILE_32BIT_MACHINE

Sections

UPX0
Size: - Virtual size: 132KB

IMAGE_SCN_CNT_UNINITIALIZED_DATA
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

UPX1
Size: 90KB - Virtual size: 92KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.rsrc
Size: 1024B - Virtual size: 4KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE
NTIllusion/Release/tools/others/upxDLL.bat
NTIllusion/Src/Core/Engine/Hijacking/kDisAsm/ZDisasm.c
NTIllusion/Src/Core/Engine/Hijacking/kDisAsm/ZDisasm.h
NTIllusion/Src/Core/Engine/Hijacking/kDisAsm/kEPhook.c
NTIllusion/Src/Core/Engine/Hijacking/kDisAsm/kEPhook.h
NTIllusion/Src/Core/Engine/Hijacking/kHijackEng.c
NTIllusion/Src/Core/Engine/Hijacking/kHijackEng.h
NTIllusion/Src/Core/Engine/Injection/kInjectEng.c
NTIllusion/Src/Core/Engine/Injection/kInjectEng.h
NTIllusion/Src/Core/Engine/Injection/kSetWindowsHook.c
NTIllusion/Src/Core/Engine/Injection/kSetWindowsHook.h
NTIllusion/Src/Core/Engine/Stealth/kDllHideEng.c
NTIllusion/Src/Core/Engine/Stealth/kDllHideEng.h
NTIllusion/Src/Core/Engine/Stealth/kPEBStruct.h
NTIllusion/Src/Core/Misc/AggressiveOptimize.h
NTIllusion/Src/Core/Misc/LIBCTINY.LIB
NTIllusion/Src/Core/Misc/kNTIConfig.h
NTIllusion/Src/Core/Misc/kNTILib.c
.vbs
NTIllusion/Src/Core/Misc/kNTILib.h
NTIllusion/Src/Core/Misc/kdbg_IAT.c
NTIllusion/Src/Core/Misc/kdbg_IAT.h
NTIllusion/Src/Core/Replacements/Files/kNTIFiles.c
NTIllusion/Src/Core/Replacements/Files/kNTIFiles.h
NTIllusion/Src/Core/Replacements/Network/kNTIFlow.c
NTIllusion/Src/Core/Replacements/Network/kNTIFlow.h
NTIllusion/Src/Core/Replacements/Network/kNTINetHide.c
NTIllusion/Src/Core/Replacements/Network/kNTINetHide.h
NTIllusion/Src/Core/Replacements/Process/kNTIProcess.c
NTIllusion/Src/Core/Replacements/Process/kNTIProcess.h
NTIllusion/Src/Core/Replacements/Registry/kNTIReg.c
NTIllusion/Src/Core/Replacements/Registry/kNTIReg.h
NTIllusion/Src/Core/Replacements/Spawning/kNTISpawn.c
NTIllusion/Src/Core/Replacements/Spawning/kNTISpawn.h
NTIllusion/Src/Core/kNTIllusion.c
NTIllusion/Src/Core/kNTIllusion.h
NTIllusion/Src/kNTIllusion.dsp
NTIllusion/Src/kNTIllusion.dsw
NTIllusion/Src/kNTIllusion.ncb
NTIllusion/Src/kNTIllusion.opt
NTIllusion/TODO
NTIllusion/VERSION

Sharing

General

Malware Config

Signatures

Files

c05b5c74764dff2780491ab08f196bc1

Headers

File Characteristics

Imports

kernel32

user32

Exports

Exports

Sections

.text Size: 24KB - Virtual size: 22KB

.rdata Size: 4KB - Virtual size: 3KB

.data Size: 8KB - Virtual size: 27KB

.reloc Size: 4KB - Virtual size: 3KB

b1c82472ef00938804b6e3364b236ddb

Headers

File Characteristics

Imports

kernel32

user32

gdi32

ws2_32

mpr

comctl32

comdlg32

advapi32

shell32

Sections

.text Size: 100KB - Virtual size: 96KB

.rdata Size: 12KB - Virtual size: 8KB

.data Size: 24KB - Virtual size: 97KB

.rsrc Size: 88KB - Virtual size: 85KB

fc2b8eb9d0edad03db5d919a0e665228

Headers

File Characteristics

Imports

kernel32

Sections

.text Size: 12KB - Virtual size: 10KB

.rdata Size: 4KB - Virtual size: 1KB

.data Size: 4KB - Virtual size: 2KB

0b50038070d9555efb9cd8a683930dbd

Headers

File Characteristics

Imports

advapi32

kernel32

msvcrt

Sections

.text Size: 3KB - Virtual size: 3KB

.data Size: 512B - Virtual size: 360B

.idata Size: 1KB - Virtual size: 1KB

Headers

File Characteristics

Sections

UPX0 Size: - Virtual size: 132KB

UPX1 Size: 90KB - Virtual size: 92KB

.rsrc Size: 1024B - Virtual size: 4KB

.text
Size: 24KB - Virtual size: 22KB

.rdata
Size: 4KB - Virtual size: 3KB

.data
Size: 8KB - Virtual size: 27KB

.reloc
Size: 4KB - Virtual size: 3KB

.text
Size: 100KB - Virtual size: 96KB

.rdata
Size: 12KB - Virtual size: 8KB

.data
Size: 24KB - Virtual size: 97KB

.rsrc
Size: 88KB - Virtual size: 85KB

.text
Size: 12KB - Virtual size: 10KB

.rdata
Size: 4KB - Virtual size: 1KB

.data
Size: 4KB - Virtual size: 2KB

.text
Size: 3KB - Virtual size: 3KB

.data
Size: 512B - Virtual size: 360B

.idata
Size: 1KB - Virtual size: 1KB

UPX0
Size: - Virtual size: 132KB

UPX1
Size: 90KB - Virtual size: 92KB

.rsrc
Size: 1024B - Virtual size: 4KB