250fa29286a4022b17ec045c6fe0c1f1_JaffaCakes118

Sharing

Copy URL Twitter E-mail

General

Target

250fa29286a4022b17ec045c6fe0c1f1_JaffaCakes118
Size

240KB
MD5

250fa29286a4022b17ec045c6fe0c1f1
SHA1

c929993384c3c03a3e67fe0ea46c7620ace33e67
SHA256

f3a1b6ccf1574590fae51100bcfa8a11938f77abe40820cfc483cc8999c0e850
SHA512

d5623d5e67721577095e3c28165dbc740d123be28c84c08d6b34d837de4cea97fca06613338ad20d15f431b637a6181ddca0fb46da2c735d796b2945779a1b64
SSDEEP

6144:Pvcu4LE8Zz7gbDRx9+nBjLMijuOeNO4podOOw:Xcb4RxyjLv4IO5

Score

1^/10

Malware Config

Signatures

Files

250fa29286a4022b17ec045c6fe0c1f1_JaffaCakes118
.sys windows:5 windows x64 arch:x64

a72f7ac5707945c51bd79cee973c5b02

Code Sign

38:25:d7:fa:f8:61:af:9e:f4:90:e7:26:b5:d6:5a:d5
Certificate

Issuer

CN=VeriSign Time Stamping Services CA,O=VeriSign\, Inc.,C=US

Not Before

15/06/2007, 00:00

Not After

14/06/2012, 23:59

Subject

CN=VeriSign Time Stamping Services Signer - G2,O=VeriSign\, Inc.,C=US

Extended Key Usages

ExtKeyUsageTimeStamping

Key Usages

KeyUsageDigitalSignature
KeyUsageContentCommitment

47:bf:19:95:df:8d:52:46:43:f7:db:6d:48:0d:31:a4
Certificate

Issuer

CN=Thawte Timestamping CA,OU=Thawte Certification,O=Thawte,L=Durbanville,ST=Western Cape,C=ZA

Not Before

04/12/2003, 00:00

Not After

03/12/2013, 23:59

Subject

CN=VeriSign Time Stamping Services CA,O=VeriSign\, Inc.,C=US

Extended Key Usages

ExtKeyUsageTimeStamping

Key Usages

KeyUsageCertSign
KeyUsageCRLSign

04:00:00:00:00:01:08:d9:61:1c:d6
Certificate

Issuer

CN=GlobalSign Root CA,OU=Root CA,O=GlobalSign nv-sa,C=BE

Not Before

28/01/1999, 12:00

Not After

27/01/2014, 11:00

Subject

CN=GlobalSign Primary Object Publishing CA,OU=Primary Object Publishing CA,O=GlobalSign nv-sa,C=BE

Key Usages

KeyUsageCertSign
KeyUsageCRLSign

04:00:00:00:00:01:08:d9:61:24:48
Certificate

Issuer

CN=GlobalSign Primary Object Publishing CA,OU=Primary Object Publishing CA,O=GlobalSign nv-sa,C=BE

Not Before

22/01/2004, 09:00

Not After

27/01/2014, 10:00

Subject

CN=GlobalSign ObjectSign CA,OU=ObjectSign CA,O=GlobalSign nv-sa,C=BE

Key Usages

KeyUsageCertSign
KeyUsageCRLSign

01:00:00:00:00:01:0f:f1:b8:a0:0e
Certificate

Issuer

CN=GlobalSign ObjectSign CA,OU=ObjectSign CA,O=GlobalSign nv-sa,C=BE

Not Before

05/01/2007, 10:05

Not After

05/01/2008, 10:05

Subject

CN=Magnetk LLC,O=Magnetk LLC,C=US,1.2.840.113549.1.9.1=#0c10696e666f406d61676e65746b2e636f6d

Key Usages

KeyUsageDigitalSignature
KeyUsageContentCommitment
KeyUsageKeyEncipherment
KeyUsageDataEncipherment

61:0b:7f:6b:00:00:00:00:00:19
Certificate

Issuer

CN=Microsoft Code Verification Root,O=Microsoft Corporation,L=Redmond,ST=Washington,C=US

Not Before

23/05/2006, 17:00

Not After

23/05/2016, 17:10

Subject

CN=GlobalSign Root CA,OU=Root CA,O=GlobalSign nv-sa,C=BE

Key Usages

KeyUsageDigitalSignature
KeyUsageCertSign
KeyUsageCRLSign

a4:be:99:1f:14:72:33:88:78:29:40:a7:20:6b:f7:94:36:b1:d3:4e
Signer

Actual PE Digest

a4:be:99:1f:14:72:33:88:78:29:40:a7:20:6b:f7:94:36:b1:d3:4e

Digest Algorithm

sha1

PE Digest Matches

false

Headers

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LARGE_ADDRESS_AWARE

PDB Paths

c:\work\magnetk\sftpdr~1\redire~1\bin\amd64\SftpDrive.pdb

Imports

ntoskrnl.exe

ExInitializeNPagedLookasideList
KeInitializeEvent
IofCompleteRequest
ObfDereferenceObject
IoDeleteSymbolicLink
RtlInitUnicodeString
ExInitializeResourceLite
__C_specific_handler
IoCreateSymbolicLink
ExReleaseResourceLite
ExAcquireResourceExclusiveLite
KeSetEvent
KeLeaveCriticalRegion
KeEnterCriticalRegion
IoIsOperationSynchronous
IoSetTopLevelIrp
IoGetTopLevelIrp
ExpInterlockedPushEntrySList
ExQueryDepthSList
DbgPrint
ExpInterlockedPopEntrySList
RtlEqualUnicodeString
FsRtlIsNameInExpression
FsRtlDoesNameContainWildCards
IoReleaseCancelSpinLock
KeWaitForSingleObject
KeClearEvent
ZwQueryValueKey
ZwClose
ZwOpenKey
KeBugCheckEx
KeReleaseSpinLock
KeAcquireSpinLockRaiseToDpc
IoGetStackLimits
MmGetSystemRoutineAddress
KeReleaseMutex
ExReleaseFastMutexUnsafe
ExAcquireFastMutexUnsafe
IoCreateDevice
IoDeleteDevice
IoGetCurrentProcess
KeInitializeMutex
ExAllocatePoolWithTag
ExFreePool
IoWMIRegistrationControl
ExDeleteNPagedLookasideList
ExDeleteResourceLite
IoUnregisterFileSystem
FsRtlDeregisterUncProvider
IoRegisterFileSystem
FsRtlRegisterUncProvider
SeReleaseSubjectContext
SeCaptureSubjectContext
SeQueryAuthenticationIdToken
ExAcquireResourceSharedLite
IoCheckEaBufferValidity
FsRtlIsNtstatusExpected
CcUninitializeCacheMap
IoRemoveShareAccess
FsRtlFastUnlockAll
IoGetRequestorProcess
FsRtlFastUnlockSingle
ExSetResourceOwnerPointer
FsRtlProcessFileLock
RtlCreateUnicodeString
RtlPrefixUnicodeString
ZwQuerySymbolicLinkObject
ZwOpenSymbolicLinkObject
ZwOpenDirectoryObject
MmCanFileBeTruncated
ExFreePoolWithTag
RtlFreeUnicodeString
ProbeForWrite
ProbeForRead
RtlCompareMemory
ExConvertExclusiveToSharedLite
MmMapLockedPagesSpecifyCache
CcSetFileSizes
CcInitializeCacheMap
FsRtlNormalizeNtstatus
ExRaiseStatus
MmFlushImageSection
ExAcquireFastMutex
ExInterlockedAddUlong
KeResetEvent
CcPrepareMdlWrite
CcCopyWrite
CcSetReadAheadGranularity
FsRtlCheckLockForWriteAccess
CcPurgeCacheSection
CcFlushCache
ExIsResourceAcquiredExclusiveLite
ExIsResourceAcquiredSharedLite
CcDeferWrite
CcCanIWrite
CcMdlRead
CcCopyRead
CcSetAdditionalCacheAttributes
FsRtlCheckLockForReadAccess
FsRtlPostStackOverflow
MmForceSectionClosed
RtlLengthSecurityDescriptor
SeQuerySessionIdToken
RtlAppendUnicodeStringToString
RtlCopyUnicodeString
RtlIntegerToUnicodeString
IoUpdateShareAccess
IoSetShareAccess
IoCheckShareAccess
PsGetProcessImageFileName
IoRaiseInformationalHardError
ExQueueWorkItem
CcMdlReadComplete
CcMdlWriteComplete
ObReferenceObjectByHandle
IoFileObjectType
FsRtlFastCheckLockForWrite
FsRtlFastCheckLockForRead
IoWriteErrorLogEntry
IoAllocateErrorLogEntry
KeQueryTimeIncrement
FsRtlInitializeFileLock
SeTokenIsRestricted
SeQueryInformationToken
FsRtlUninitializeFileLock
IoFreeMdl
MmProbeAndLockPages
IoAllocateMdl
PsCreateSystemThread
PsTerminateSystemThread
ObReferenceObjectByPointer
PsThreadType
KeInsertQueue
KeRemoveQueue
KeInitializeQueue
KeRundownQueue
PsIsThreadTerminating
RtlGetVersion
ZwQuerySystemInformation
MmQuerySystemSize
ExAllocatePoolWithTagPriority
ExAcquireSharedWaitForExclusive
ExAcquireSharedStarveExclusive
RtlUpcaseUnicodeChar
MmUnlockPages
KeCancelTimer
KeSetTimer
KeReleaseSpinLockFromDpcLevel
KeAcquireSpinLockAtDpcLevel
KeInitializeTimer
KeInitializeDpc
LsaFreeReturnBuffer
IoAllocateIrp
IoFreeIrp
IoCancelIrp
IofCallDriver
RtlUnwindEx
RtlAnsiCharToUnicodeChar
CcFastCopyWrite
CcZeroData
IoGetRelatedDeviceObject
CcFastCopyRead
ExReleaseResourceForThreadLite
ExReleaseFastMutex

ksecdd.sys

GetSecurityUserInfo

Sections

.text
Size: 55KB - Virtual size: 55KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rdata
Size: 19KB - Virtual size: 18KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.data
Size: 2KB - Virtual size: 19KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.pdata
Size: 8KB - Virtual size: 8KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

PAGE
Size: 123KB - Virtual size: 122KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.edata
Size: 512B - Virtual size: 54B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

INIT
Size: 7KB - Virtual size: 6KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.rsrc
Size: 1024B - Virtual size: 872B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ

�Z�oc
Size: 1024B - Virtual size: 828B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ

Sharing

General

Malware Config

Signatures

Files

a72f7ac5707945c51bd79cee973c5b02

Code Sign

38:25:d7:fa:f8:61:af:9e:f4:90:e7:26:b5:d6:5a:d5Certificate

Extended Key Usages

Key Usages

47:bf:19:95:df:8d:52:46:43:f7:db:6d:48:0d:31:a4Certificate

Extended Key Usages

Key Usages

04:00:00:00:00:01:08:d9:61:1c:d6Certificate

Key Usages

04:00:00:00:00:01:08:d9:61:24:48Certificate

Key Usages

01:00:00:00:00:01:0f:f1:b8:a0:0eCertificate

Key Usages

61:0b:7f:6b:00:00:00:00:00:19Certificate

Key Usages

a4:be:99:1f:14:72:33:88:78:29:40:a7:20:6b:f7:94:36:b1:d3:4eSigner

Headers

File Characteristics

PDB Paths

Imports

ntoskrnl.exe

ksecdd.sys

Sections

.text Size: 55KB - Virtual size: 55KB

.rdata Size: 19KB - Virtual size: 18KB

.data Size: 2KB - Virtual size: 19KB

.pdata Size: 8KB - Virtual size: 8KB

PAGE Size: 123KB - Virtual size: 122KB

.edata Size: 512B - Virtual size: 54B

INIT Size: 7KB - Virtual size: 6KB

.rsrc Size: 1024B - Virtual size: 872B

�Z�oc Size: 1024B - Virtual size: 828B

38:25:d7:fa:f8:61:af:9e:f4:90:e7:26:b5:d6:5a:d5
Certificate

47:bf:19:95:df:8d:52:46:43:f7:db:6d:48:0d:31:a4
Certificate

04:00:00:00:00:01:08:d9:61:1c:d6
Certificate

04:00:00:00:00:01:08:d9:61:24:48
Certificate

01:00:00:00:00:01:0f:f1:b8:a0:0e
Certificate

61:0b:7f:6b:00:00:00:00:00:19
Certificate

a4:be:99:1f:14:72:33:88:78:29:40:a7:20:6b:f7:94:36:b1:d3:4e
Signer

.text
Size: 55KB - Virtual size: 55KB

.rdata
Size: 19KB - Virtual size: 18KB

.data
Size: 2KB - Virtual size: 19KB

.pdata
Size: 8KB - Virtual size: 8KB

PAGE
Size: 123KB - Virtual size: 122KB

.edata
Size: 512B - Virtual size: 54B

INIT
Size: 7KB - Virtual size: 6KB

.rsrc
Size: 1024B - Virtual size: 872B

�Z�oc
Size: 1024B - Virtual size: 828B