2848b11257508e411d5ec94a825a65e5_JaffaCakes118 | Triage

Sharing

Copy URL Twitter E-mail

General

Target

2848b11257508e411d5ec94a825a65e5_JaffaCakes118
Size

54KB
MD5

2848b11257508e411d5ec94a825a65e5
SHA1

a0449047639f23f961416bb721e225894e6c7f2a
SHA256

d96726ae6b23acb4e3d6903fdd4addcb2aea50e7433995a17273ec3cbeed2466
SHA512

fda8d50e29f46a217ed3a841775c5cb45838ee46920cc619af5a63c53c404eed172bd479ebc18bedff689fa036685f37c173764a7cc188720aeec1d3855b90d8
SSDEEP

768:LT2WKNh3H4gj0roW4kAOA91UtIApc0XZmuIPnBfoWZ1bx6UdAzfF6HLQPo89y:pozsv4LH9cpcyZ/IPiRtAF8

Score

7^/10

vmprotect

Malware Config

Signatures

VMProtect packed file 1 IoCs

Detects executables packed with VMProtect commercial packer.

resource	yara_rule
sample	vmprotect

Unsigned PE 1 IoCs

Checks for missing Authenticode signature.

resource
2848b11257508e411d5ec94a825a65e5_JaffaCakes118

Files

2848b11257508e411d5ec94a825a65e5_JaffaCakes118
.sys windows:5 windows x86 arch:x86

0b3b48dd10decd593f160bf1ecf570a9

Headers

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_32BIT_MACHINE

Imports

ntoskrnl.exe

wcscat
strncmp
strlen
wcslen
ZwCreateFile
ZwQueryValueKey
ZwQueryDirectoryFile
IoGetCurrentProcess
KeServiceDescriptorTable
ZwCreateSection
wcscpy
ZwEnumerateKey
memcpy
ExAllocatePoolWithTag
ExFreePoolWithTag
_wcsnicmp
ZwWriteFile
ObReferenceObjectByHandle
ZwOpenProcess
ZwQueryInformationProcess
PsGetCurrentProcessId
ObfDereferenceObject
ZwReadFile
ObQueryNameString
RtlCompareUnicodeString
DbgPrint
ZwClose
IoCreateFile
ExGetPreviousMode
RtlInitUnicodeString
_except_handler3

hal

KeGetCurrentIrql
KfRaiseIrql
KfLowerIrql

Sections

.text
Size: 5KB - Virtual size: 4KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.data
Size: 25KB - Virtual size: 25KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

INIT
Size: 1024B - Virtual size: 830B

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.vmp0
Size: 512B - Virtual size: 456B

IMAGE_SCN_CNT_CODE
IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.vmp1
Size: 21KB - Virtual size: 20KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.reloc
Size: 512B - Virtual size: 240B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ