2d1a873cf173b76ceb9e500b734bf544_JaffaCakes118

Sharing

Copy URL Twitter E-mail

General

Target

2d1a873cf173b76ceb9e500b734bf544_JaffaCakes118
Size

812KB
MD5

2d1a873cf173b76ceb9e500b734bf544
SHA1

98dc4ec00622e88af0c103001cea286c6e75a7c7
SHA256

1406ac297968bb5f0d206f5e7cf60ba64dafeab741f7e640b428c2b3ca1f5888
SHA512

761c9f7c403461273e983c67c9c1ff09e2920de473376d78a60442454da1850f2a01449a4a7655e59f132953daea774e1f21dbdbbee7f14128db47ea692a84f0
SSDEEP

24576:w0/AVqakrZm1KmCHPW1zjZ6nsX4gnStpME:/IVUrZm1lCHPW1jknGwME

Score

3^/10

Malware Config

Signatures

Unsigned PE 3 IoCs

Checks for missing Authenticode signature.

resource
unpack001/LDAPSearch/LdapSearch.exe
unpack001/LDAPSearch/ldapsdk.dll
unpack001/LDAPSearch/ldapssl.dll

Files

2d1a873cf173b76ceb9e500b734bf544_JaffaCakes118
.rar
LDAPSearch/LdapSearch.exe
.exe windows:5 windows x86 arch:x86

a7ef0677e743a7acfe867286afc8d8fc

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE

File Characteristics

IMAGE_FILE_RELOCS_STRIPPED
IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_32BIT_MACHINE

Imports

kernel32

UnhandledExceptionFilter
SetUnhandledExceptionFilter
IsDebuggerPresent
RaiseException
ExitThread
GetCommandLineA
GetStartupInfoA
Sleep
ExitProcess
VirtualAlloc
HeapReAlloc
HeapSize
GetConsoleCP
GetConsoleMode
HeapCreate
VirtualFree
GetStdHandle
GetACP
IsValidCodePage
GetStringTypeA
GetStringTypeW
TerminateProcess
GetFileType
FreeEnvironmentStringsA
GetEnvironmentStrings
FreeEnvironmentStringsW
GetEnvironmentStringsW
QueryPerformanceCounter
GetTickCount
GetSystemTimeAsFileTime
InitializeCriticalSectionAndSpinCount
SetStdHandle
WriteConsoleA
GetConsoleOutputCP
WriteConsoleW
LCMapStringA
LCMapStringW
GetProcessHeap
RtlUnwind
HeapAlloc
HeapFree
SetErrorMode
GetOEMCP
GetCPInfo
GetModuleHandleW
InterlockedIncrement
GlobalFlags
WritePrivateProfileStringA
TlsFree
DeleteCriticalSection
LocalReAlloc
TlsSetValue
TlsAlloc
InitializeCriticalSection
GlobalHandle
GlobalReAlloc
EnterCriticalSection
TlsGetValue
LeaveCriticalSection
LocalAlloc
GetCurrentProcess
SetEndOfFile
FlushFileBuffers
SetFilePointer
ReadFile
GlobalGetAtomNameA
GlobalFindAtomA
lstrcmpW
GetVersionExA
FreeResource
FormatMessageA
LocalFree
MultiByteToWideChar
lstrlenA
GetCurrentProcessId
GlobalAddAtomA
GlobalDeleteAtom
GetCurrentThread
GetCurrentThreadId
ConvertDefaultLocale
EnumResourceLanguagesA
GetModuleFileNameA
GetLocaleInfoA
LoadLibraryA
CompareStringA
InterlockedExchange
lstrcmpA
FreeLibrary
InterlockedDecrement
GetModuleFileNameW
SetLastError
GetProcAddress
GlobalLock
GlobalUnlock
GlobalFree
MulDiv
ResumeThread
GlobalAlloc
ResetEvent
CreateFileA
WriteFile
CreateEventA
CreateThread
SetEvent
WideCharToMultiByte
WaitForSingleObject
CloseHandle
FindResourceA
GetLastError
SizeofResource
GetModuleHandleA
LoadResource
LockResource
SetHandleCount

user32

DefWindowProcA
CallWindowProcA
GetMenu
SystemParametersInfoA
IsIconic
GetWindowPlacement
GetSystemMetrics
GetWindowTextLengthA
GetWindowTextA
SetWindowPos
SetFocus
ShowWindow
GetDlgCtrlID
SetWindowTextA
IsDialogMessageA
SetDlgItemTextA
SendDlgItemMessageA
GetWindow
GetDesktopWindow
SetActiveWindow
CreateDialogIndirectParamA
DestroyWindow
IsWindow
GetDlgItem
GetNextDlgTabItem
EndDialog
EndPaint
BeginPaint
ScreenToClient
GrayStringA
DrawTextExA
DrawTextA
TabbedTextOutA
GetMenuItemID
GetMenuItemCount
GetSubMenu
GetWindowThreadProcessId
GetLastActivePopup
IsWindowEnabled
MessageBoxA
CallNextHookEx
GetMessageA
TranslateMessage
DispatchMessageA
GetActiveWindow
IsWindowVisible
GetKeyState
PeekMessageA
ValidateRect
SetMenuItemBitmaps
GetMenuCheckMarkDimensions
LoadBitmapA
GetFocus
ModifyMenuA
GetMenuState
EnableMenuItem
CheckMenuItem
PostQuitMessage
UnhookWindowsHookEx
SetRect
GetDC
GetSysColor
AppendMenuA
SendMessageA
GetSystemMenu
ReleaseDC
FillRect
GetCursorPos
GetNextDlgGroupItem
PostMessageA
ClientToScreen
WindowFromPoint
DestroyIcon
GetIconInfo
GetWindowLongA
GetWindowRect
DrawEdge
OffsetRect
AdjustWindowRectEx
RegisterClassA
GetClassInfoA
CreateWindowExA
SetRectEmpty
GetCapture
SetForegroundWindow
GetClientRect
UpdateWindow
EnableWindow
LoadIconA
PtInRect
InvalidateRect
RedrawWindow
SetCapture
GetParent
ReleaseCapture
SetCursor
LoadCursorA
SetWindowLongA
DrawStateA
CopyRect
InflateRect
LoadImageA
GetSysColorBrush
UnregisterClassA
DestroyMenu
RegisterWindowMessageA
WinHelpA
GetClassLongA
GetClassNameA
SetPropA
GetPropA
RemovePropA
GetForegroundWindow
GetTopWindow
GetMessageTime
GetMessagePos
MapWindowPoints
SetMenu
SetWindowsHookExA
GetClassInfoExA

gdi32

PtVisible
RectVisible
TextOutA
ExtTextOutA
Escape
SetViewportOrgEx
OffsetViewportOrgEx
SetViewportExtEx
ScaleViewportExtEx
SetWindowExtEx
ScaleWindowExtEx
GetClipBox
SetMapMode
SetTextColor
GetStockObject
SetBkColor
RestoreDC
SaveDC
CreateBitmap
GetDeviceCaps
CreateSolidBrush
DeleteDC
SelectObject
SetStretchBltMode
SetDIBitsToDevice
DeleteObject
GetObjectA
CreateFontIndirectA
BitBlt
CreateCompatibleDC
CreateCompatibleBitmap
CreateFontA
SetBkMode

winspool.drv

ClosePrinter
OpenPrinterA
DocumentPropertiesA

advapi32

RegEnumKeyA
RegSetValueExA
RegQueryValueA
RegOpenKeyA
RegCloseKey
RegDeleteKeyA
RegOpenKeyExA
RegQueryValueExA
RegCreateKeyExA

shell32

ShellExecuteA

comctl32

_TrackMouseEvent

shlwapi

PathFindFileNameA
PathRemoveFileSpecW
PathFindExtensionA

ole32

CoCreateInstance
CoUninitialize
CoTaskMemFree
CreateStreamOnHGlobal
CoInitializeEx

oleaut32

VariantInit
VariantChangeType
VariantClear
OleLoadPicture

ws2_32

WSASetLastError
WSACleanup
WSAStartup

ldapsdk

ord2001
ord1038
ord2033
ord2005
ord1141
ord1145
ord3014
ord1144
ord2040
ord1059
ord1046
ord1127
ord1056
ord1047
ord1169
ord1064

ldapssl

ord1005
ord1008
ord1002
ord1010
ord1001
ord1004

Sections

.text
Size: 189KB - Virtual size: 189KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rdata
Size: 46KB - Virtual size: 45KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.data
Size: 9KB - Virtual size: 27KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.rsrc
Size: 1.1MB - Virtual size: 1.1MB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
LDAPSearch/Readme.html
.html
LDAPSearch/ldapsdk.dll
.dll windows:4 windows x86 arch:x86

44fbc92a0b90aa60dcc9e4f895618498

Headers

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LINE_NUMS_STRIPPED
IMAGE_FILE_LOCAL_SYMS_STRIPPED
IMAGE_FILE_32BIT_MACHINE
IMAGE_FILE_DLL

Imports

secur32

DeleteSecurityContext
AcquireCredentialsHandleA
InitializeSecurityContextA
FreeContextBuffer
DecryptMessage
QueryContextAttributesA
EncryptMessage
FreeCredentialsHandle

wsock32

gethostbyname
setsockopt
inet_ntoa
select
socket
closesocket
send
connect
recv
WSAGetLastError
ntohs
inet_addr
ioctlsocket
htons
htonl
WSAStartup
WSACleanup
getpeername
getsockname
__WSAFDIsSet

kernel32

GetCurrentThreadId
EnterCriticalSection
LeaveCriticalSection
SetFilePointer
SetStdHandle
RtlUnwind
SetEnvironmentVariableA
CompareStringW
CompareStringA
GetOEMCP
GetACP
GetCPInfo
GetEnvironmentStringsW
GetEnvironmentStrings
FreeEnvironmentStringsW
FreeEnvironmentStringsA
LCMapStringW
LCMapStringA
WideCharToMultiByte
CreateMutexA
CloseHandle
WaitForSingleObject
ReleaseMutex
FreeLibrary
LoadLibraryA
GetLocaleInfoA
GetCurrentProcessId
GlobalMemoryStatus
GetProcAddress
GetVersionExA
GetTickCount
QueryPerformanceCounter
MultiByteToWideChar
VirtualAlloc
HeapFree
HeapAlloc
HeapReAlloc
GetTimeZoneInformation
GetSystemTime
GetLocalTime
GetModuleFileNameA
InterlockedDecrement
InterlockedIncrement
GetCommandLineA
GetVersion
TlsSetValue
TlsAlloc
TlsFree
SetLastError
TlsGetValue
GetLastError
GetStartupInfoA
FlushFileBuffers
WriteFile
InitializeCriticalSection
DeleteCriticalSection
ExitProcess
GetStringTypeA
SetHandleCount
GetStdHandle
GetFileType
GetModuleHandleA
TerminateProcess
GetCurrentProcess
GetStringTypeW
HeapCreate
GetEnvironmentVariableA
HeapDestroy
VirtualFree

user32

LoadStringA

Exports

Exports

ber_alloc
ber_alloc_t
ber_bvdup
ber_bvecfree
ber_bvfree
ber_first_element
ber_flatten
ber_free
ber_get_option
ber_init
ber_memfree
ber_next_element
ber_peek_tag
ber_printf
ber_pvt_log_printf
ber_scanf
ber_set_option
ber_skip_tag
der_alloc
ldap_abandon
ldap_abandon_ext
ldap_add
ldap_add_ext
ldap_add_ext_s
ldap_add_request_to_cache
ldap_add_s
ldap_alloc_ber_with_options
ldap_bind
ldap_bind_digest_md5_finish
ldap_bind_digest_md5_start
ldap_bind_nmas_s
ldap_bind_s
ldap_build_chain_search_req
ldap_cancel_ext
ldap_cancel_ext_s
ldap_chain_free
ldap_chained_add_ext
ldap_chained_compare_ext
ldap_chained_delete_ext
ldap_chained_extended_operation
ldap_chained_modify_ext
ldap_chained_rename
ldap_chained_search_ext
ldap_chained_simple_bind
ldap_check_cache
ldap_compare
ldap_compare_ext
ldap_compare_ext_s
ldap_compare_s
ldap_control_free
ldap_controls_free
ldap_count_entries
ldap_count_messages
ldap_count_references
ldap_count_values
ldap_count_values_len
ldap_create_geteffective_control
ldap_create_persistentsearch_control
ldap_create_reference_control
ldap_create_sort_control
ldap_create_sort_keylist
ldap_create_sstatus_control
ldap_create_vlv_control
ldap_delete
ldap_delete_ext
ldap_delete_ext_s
ldap_delete_s
ldap_destroy
ldap_dn2ufn
ldap_dup
ldap_err2string
ldap_explode_dn
ldap_explode_rdn
ldap_extended_operation
ldap_extended_operation_s
ldap_first_attribute
ldap_first_entry
ldap_first_message
ldap_first_reference
ldap_free_sort_keylist
ldap_free_urldesc
ldap_get_digest_md5_realms
ldap_get_dn
ldap_get_entry_controls
ldap_get_lderrno
ldap_get_option
ldap_get_values
ldap_get_values_len
ldap_gss_error
ldap_gssbind
ldap_init
ldap_int_put_chain
ldap_int_put_controls
ldap_int_put_filter
ldap_is_ldap_url
ldap_is_ldaps_url
ldap_log_printf
ldap_memfree
ldap_modify
ldap_modify_ext
ldap_modify_ext_s
ldap_modify_s
ldap_modrdn
ldap_modrdn2
ldap_modrdn2_s
ldap_modrdn_s
ldap_msgfree
ldap_msgid
ldap_msgtype
ldap_multisort_entries
ldap_next_attribute
ldap_next_entry
ldap_next_message
ldap_next_reference
ldap_nmas_err2string
ldap_nmas_get_errcode
ldap_open
ldap_parse_chain
ldap_parse_chain_intermediate
ldap_parse_entrychange_control
ldap_parse_extended_result
ldap_parse_intermediate
ldap_parse_reference
ldap_parse_reference_control
ldap_parse_result
ldap_parse_sasl_bind_result
ldap_parse_sort_control
ldap_parse_sstatus_control
ldap_parse_vlv_control
ldap_perror
ldap_pvt_hex_unescape
ldap_pvt_thread_mutex_lock
ldap_pvt_thread_mutex_unlock
ldap_rename
ldap_rename_s
ldap_result
ldap_result2error
ldap_sasl_bind
ldap_sasl_bind_s
ldap_schema_add
ldap_schema_delete
ldap_schema_fetch
ldap_schema_free
ldap_schema_get_by_index
ldap_schema_get_by_name
ldap_schema_get_count
ldap_schema_get_field_names
ldap_schema_get_field_values
ldap_schema_modify
ldap_schema_save
ldap_search
ldap_search_ext
ldap_search_ext_s
ldap_search_s
ldap_search_st
ldap_set_lderrno
ldap_set_msgid
ldap_set_option
ldap_set_rebind_proc
ldap_simple_bind
ldap_simple_bind_s
ldap_sort_entries
ldap_sort_strcasecmp
ldap_sort_values
ldap_unbind
ldap_unbind_ext
ldap_unbind_ext_s
ldap_unbind_s
ldap_url_desc2str
ldap_url_parse
ldap_url_parse_ext
ldap_url_search
ldap_url_search_s
ldap_url_search_st
ldap_value_free
ldap_value_free_len
ldap_x_utf8_charlen
ldap_x_utf8_charlen2
ldap_x_utf8_chars
ldap_x_utf8_copy
ldap_x_utf8_next
ldap_x_utf8_prev
ldap_x_utf8_strchr
ldap_x_utf8_strcspn
ldap_x_utf8_strpbrk
ldap_x_utf8_strspn
ldap_x_utf8_strtok
ldap_x_utf8_to_wc
ldap_x_utf8s_to_wcs
ldap_x_wc_to_utf8
ldap_x_wcs_to_utf8s

Sections

.text
Size: 204KB - Virtual size: 200KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rdata
Size: 20KB - Virtual size: 19KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.data
Size: 32KB - Virtual size: 35KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.rsrc
Size: 4KB - Virtual size: 848B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.reloc
Size: 12KB - Virtual size: 9KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ
LDAPSearch/ldapssl.dll
.dll windows:4 windows x86 arch:x86

9e65c2883d85a66d39b97c30b7d2b82d

Headers

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LINE_NUMS_STRIPPED
IMAGE_FILE_LOCAL_SYMS_STRIPPED
IMAGE_FILE_32BIT_MACHINE
IMAGE_FILE_DLL

Imports

advapi32

ReportEventA
RegisterEventSourceA
DeregisterEventSource

ldapsdk

ord1044
ord3006
ord1058
ord1127
ord1064
ord2001
ord2029

ws2_32

recv
send
socket
ioctlsocket
WSASetLastError
shutdown
__WSAFDIsSet
closesocket
connect
WSAGetLastError
select

kernel32

RtlUnwind
SetHandleCount
GetCurrentProcess
GetCurrentDirectoryA
GetFullPathNameA
DeleteCriticalSection
InitializeCriticalSection
ReleaseMutex
WaitForSingleObject
CreateMutexA
CloseHandle
LeaveCriticalSection
EnterCriticalSection
GetLastError
SetLastError
GetCurrentThreadId
GetVersion
GetFileType
GetStdHandle
GetCurrentProcessId
GlobalMemoryStatus
QueryPerformanceCounter
GetTickCount
FreeLibrary
GetProcAddress
LoadLibraryA
GetVersionExA
FindFirstFileA
FindClose
FlushConsoleInputBuffer
HeapAlloc
HeapFree
HeapReAlloc
GetCommandLineA
GetTimeZoneInformation
GetSystemTime
GetLocalTime
InterlockedDecrement
InterlockedIncrement
SetConsoleCtrlHandler
GetModuleHandleA
GetModuleFileNameA
GetEnvironmentVariableA
HeapDestroy
HeapCreate
VirtualFree
VirtualAlloc
ExitProcess
CompareStringW
TlsSetValue
TlsAlloc
TlsFree
TlsGetValue
TerminateProcess
SetConsoleMode
GetConsoleMode
GetStartupInfoA
FreeEnvironmentStringsA
FreeEnvironmentStringsW
WideCharToMultiByte
GetEnvironmentStrings
GetEnvironmentStringsW
WriteFile
MultiByteToWideChar
LCMapStringA
LCMapStringW
GetStringTypeA
GetStringTypeW
ReadFile
FlushFileBuffers
SetStdHandle
SetFilePointer
GetCPInfo
GetACP
GetOEMCP
CompareStringA
CreateFileA
SetEnvironmentVariableA
FileTimeToSystemTime
SetEndOfFile
ReadConsoleInputA
GetDriveTypeA
FileTimeToLocalFileTime

user32

GetProcessWindowStation
GetDesktopWindow
MessageBoxA
GetUserObjectInformationW

Exports

Exports

ldapssl_add_trusted_cert
ldapssl_client_deinit
ldapssl_client_init
ldapssl_get_cert
ldapssl_get_cert_attribute
ldapssl_get_verify_mode
ldapssl_init
ldapssl_install_routines
ldapssl_set_client_cert
ldapssl_set_client_private_key
ldapssl_set_verify_callback
ldapssl_set_verify_mode
ldapssl_start_tls
ldapssl_stop_tls

Sections

.text
Size: 548KB - Virtual size: 545KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rdata
Size: 124KB - Virtual size: 122KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.data
Size: 64KB - Virtual size: 74KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.rsrc
Size: 4KB - Virtual size: 856B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.reloc
Size: 40KB - Virtual size: 38KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ

Sharing

General

Malware Config

Signatures

Files

a7ef0677e743a7acfe867286afc8d8fc

Headers

DLL Characteristics

File Characteristics

Imports

kernel32

user32

gdi32

winspool.drv

advapi32

shell32

comctl32

shlwapi

ole32

oleaut32

ws2_32

ldapsdk

ldapssl

Sections

.text Size: 189KB - Virtual size: 189KB

.rdata Size: 46KB - Virtual size: 45KB

.data Size: 9KB - Virtual size: 27KB

.rsrc Size: 1.1MB - Virtual size: 1.1MB

44fbc92a0b90aa60dcc9e4f895618498

Headers

File Characteristics

Imports

secur32

wsock32

kernel32

user32

Exports

Exports

Sections

.text Size: 204KB - Virtual size: 200KB

.rdata Size: 20KB - Virtual size: 19KB

.data Size: 32KB - Virtual size: 35KB

.rsrc Size: 4KB - Virtual size: 848B

.reloc Size: 12KB - Virtual size: 9KB

9e65c2883d85a66d39b97c30b7d2b82d

Headers

File Characteristics

Imports

advapi32

ldapsdk

ws2_32

kernel32

user32

Exports

Exports

Sections

.text Size: 548KB - Virtual size: 545KB

.rdata Size: 124KB - Virtual size: 122KB

.data Size: 64KB - Virtual size: 74KB

.rsrc Size: 4KB - Virtual size: 856B

.reloc Size: 40KB - Virtual size: 38KB

.text
Size: 189KB - Virtual size: 189KB

.rdata
Size: 46KB - Virtual size: 45KB

.data
Size: 9KB - Virtual size: 27KB

.rsrc
Size: 1.1MB - Virtual size: 1.1MB

.text
Size: 204KB - Virtual size: 200KB

.rdata
Size: 20KB - Virtual size: 19KB

.data
Size: 32KB - Virtual size: 35KB

.rsrc
Size: 4KB - Virtual size: 848B

.reloc
Size: 12KB - Virtual size: 9KB

.text
Size: 548KB - Virtual size: 545KB

.rdata
Size: 124KB - Virtual size: 122KB

.data
Size: 64KB - Virtual size: 74KB

.rsrc
Size: 4KB - Virtual size: 856B

.reloc
Size: 40KB - Virtual size: 38KB