metasploit | 2d98091c85e0c5184cc6651b883eb861_JaffaCakes118

Sharing

Copy URL Twitter E-mail

General

Target

2d98091c85e0c5184cc6651b883eb861_JaffaCakes118
Size

1.4MB
MD5

2d98091c85e0c5184cc6651b883eb861
SHA1

e671fd1be7c539ee936f359b24b826ec3edaeb7a
SHA256

d2ce70f8257ab9550e53f8ff2ea10c93997fabbff1887863428f9ddcc7d732ba
SHA512

6071cfa44dcc5d7a122f8a78f8f73f46af8a8733ff8604b0d4ce78d46e69aa44445a4033c31e2d1a9d0c14bbfb12cee00e788ae2504d97cc8bb4fd8be86c882c
SSDEEP

24576:Uy0uuY3wt1uJE4L/1m0Dl0HAalavHrQHsmYE+XMNMd5tjo7lk:U/YmYL/h0a/rQHzYEEMKP65k

Score

10^/10

metasploit

Malware Config

Extracted

Family

metasploit

Version

encoder/shikata_ga_nai

Extracted

Family

metasploit

Version

windows/shell_reverse_tcp

77.49.1.3:1981

Signatures

Metasploit family
metasploit

Files

2d98091c85e0c5184cc6651b883eb861_JaffaCakes118
.exe windows:4 windows x86 arch:x86

159f387849f4d8d482c375833298a87f

Code Sign

38:25:d7:fa:f8:61:af:9e:f4:90:e7:26:b5:d6:5a:d5
Certificate

Issuer

CN=VeriSign Time Stamping Services CA,O=VeriSign\, Inc.,C=US

Not Before

15/06/2007, 00:00

Not After

14/06/2012, 23:59

Subject

CN=VeriSign Time Stamping Services Signer - G2,O=VeriSign\, Inc.,C=US

Extended Key Usages

ExtKeyUsageTimeStamping

Key Usages

KeyUsageDigitalSignature
KeyUsageContentCommitment

47:bf:19:95:df:8d:52:46:43:f7:db:6d:48:0d:31:a4
Certificate

Issuer

CN=Thawte Timestamping CA,OU=Thawte Certification,O=Thawte,L=Durbanville,ST=Western Cape,C=ZA

Not Before

04/12/2003, 00:00

Not After

03/12/2013, 23:59

Subject

CN=VeriSign Time Stamping Services CA,O=VeriSign\, Inc.,C=US

Extended Key Usages

ExtKeyUsageTimeStamping

Key Usages

KeyUsageCertSign
KeyUsageCRLSign

41:91:a1:5a:39:78:df:cf:49:65:66:38:1d:4c:75:c2
Certificate

Issuer

OU=Class 3 Public Primary Certification Authority,O=VeriSign\, Inc.,C=US

Not Before

16/07/2004, 00:00

Not After

15/07/2014, 23:59

Subject

CN=VeriSign Class 3 Code Signing 2004 CA,OU=VeriSign Trust Network+OU=Terms of use at https://www.verisign.com/rpa (c)04,O=VeriSign\, Inc.,C=US

Extended Key Usages

ExtKeyUsageClientAuth
ExtKeyUsageCodeSigning

Key Usages

KeyUsageCertSign
KeyUsageCRLSign

2b:22:25:2b:47:8a:1a:91:a8:bc:2b:8b:7f:2d:96:ea
Certificate

Issuer

CN=VeriSign Class 3 Code Signing 2004 CA,OU=VeriSign Trust Network+OU=Terms of use at https://www.verisign.com/rpa (c)04,O=VeriSign\, Inc.,C=US

Not Before

09/05/2007, 00:00

Not After

08/06/2010, 23:59

Subject

CN=ESET\, spol. s r.o.,OU=Digital ID Class 3 - Microsoft Software Validation v2,O=ESET\, spol. s r.o.,L=Bratislava,ST=Slovakia,C=SK

Extended Key Usages

ExtKeyUsageCodeSigning

Key Usages

KeyUsageDigitalSignature

f7:4a:17:60:34:fd:0a:b7:c3:34:a2:81:04:ab:db:4b:ae:92:a3:17
Signer

Actual PE Digest

f7:4a:17:60:34:fd:0a:b7:c3:34:a2:81:04:ab:db:4b:ae:92:a3:17

Digest Algorithm

sha1

PE Digest Matches

false

Headers

File Characteristics

IMAGE_FILE_RELOCS_STRIPPED
IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_32BIT_MACHINE

PDB Paths

d:\installbuild\ess_3_0_600\build\apps\work\release\egui\winnt32\egui.pdb

Imports

mfc80u

ord2365
ord1386
ord3752
ord1548
ord2261
ord280
ord4293
ord3395
ord2713
ord4588
ord1476
ord5485
ord3249
ord1172
ord5316
ord6282
ord635
ord395
ord4271
ord1297
ord2164
ord5144
ord3939
ord4013
ord2418
ord2419
ord2986
ord5352
ord940
ord4898
ord2933
ord4129
ord4303
ord5006
ord5003
ord2609
ord1904
ord2237
ord4244
ord4439
ord3983
ord6277
ord6279
ord1906
ord5524
ord2140
ord3642
ord5327
ord6293
ord5711
ord3155
ord1270
ord5633
ord783
ord745
ord578
ord557
ord310
ord3311
ord4234
ord1582
ord3990
ord602
ord1957
ord347
ord1959
ord3435
ord741
ord587
ord1006
ord2985
ord2086
ord3158
ord4226
ord1536
ord2077
ord4112
ord721
ord528
ord3288
ord4266
ord1512
ord4274
ord1573
ord1318
ord2027
ord3126
ord3064
ord4577
ord5208
ord4948
ord2422
ord3662
ord2340
ord1571
ord261
ord1271
ord1156
ord3331
ord3678
ord4558
ord1866
ord5965
ord3877
ord5864
ord2878
ord2861
ord3165
ord4228
ord1538
ord2080
ord4092
ord1474
ord1922
ord2893
ord1871
ord6040
ord977
ord4314
ord6251
ord651
ord1921
ord3390
ord6751
ord6749
ord1299
ord2167
ord2364
ord416
ord1555
ord2788
ord5484
ord4078
ord5863
ord1781
ord5399
ord2469
ord266
ord303
ord6699
ord4109
ord5209
ord3677
ord860
ord314
ord1067
ord757
ord3327
ord4475
ord2832
ord5562
ord5226
ord4562
ord3942
ord5222
ord5220
ord2925
ord1911
ord3826
ord5378
ord6215
ord5096
ord1007
ord3800
ord5579
ord2009
ord2054
ord4320
ord6274
ord3795
ord6272
ord4008
ord4032
ord2239
ord1168
ord566
ord5971
ord3824
ord371
ord1093
ord1121
ord3753
ord3082
ord1086
ord3296
ord5727
ord2255
ord709
ord6058
ord5884
ord2521
ord501
ord4100
ord1252
ord903
ord784
ord906
ord907
ord1962
ord5618
ord5982
ord3343
ord3344
ord5983
ord5981
ord2146
ord3342
ord5648
ord4882
ord3281
ord4117
ord3995
ord5637
ord502
ord1416
ord2877
ord5865
ord2066
ord3789
ord6140
ord2151
ord6002
ord3079
ord772
ord277
ord2932
ord2362
ord5638
ord4098
ord3590
ord3157
ord326
ord620
ord3189
ord287
ord4312
ord5712
ord2161
ord3570
ord5723
ord2046
ord332
ord6033
ord1632
ord2867
ord3645
ord3322
ord2981
ord754
ord2870
ord3793
ord2579
ord3674
ord642
ord2872
ord3301
ord1578
ord731
ord3208
ord4230
ord1549
ord1628
ord2081
ord1589
ord6053
ord2942
ord1021
ord1791
ord526
ord265
ord6111
ord4921
ord591
ord4946
ord5829
ord4902
ord4866
ord5201
ord4259
ord2260
ord283
ord5161
ord6059
ord1176
ord3460
ord2648
ord1005
ord356
ord563
ord753
ord2366
ord4347
ord1053
ord3661
ord4184
ord5869
ord1864
ord516
ord6744
ord5065
ord5066
ord5064
ord4791
ord4611
ord4861
ord4838
ord4207
ord4730
ord5207
ord4714
ord3287
ord718
ord2121
ord3032
ord894
ord6160
ord3051
ord6700
ord282
ord1479
ord5558
ord1883
ord1472
ord385
ord3050
ord2012
ord774
ord630
ord776
ord2860
ord5742
ord6232
ord2489
ord1784
ord5862
ord2159
ord4574
ord6061
ord6086
ord2155
ord3869
ord5609
ord2310
ord2651
ord4026
ord2468
ord5398
ord6063
ord3756
ord3635
ord5867
ord2876
ord3927
ord899
ord896
ord458
ord2895
ord1331
ord5755
ord2306
ord1785
ord5178
ord4206
ord4729
ord4884
ord2011
ord1662
ord1661
ord1542
ord6720
ord5908
ord1392
ord4238
ord5199
ord4256
ord3176
ord354
ord605
ord3873
ord658
ord2083
ord6721
ord5911
ord1611
ord1608
ord3940
ord1393
ord4232
ord5148
ord1899
ord5067
ord6271
ord4179
ord5210
ord3397
ord4716
ord4276
ord1591
ord5956
ord5231
ord5229
ord920
ord925
ord929
ord927
ord931
ord2384
ord2404
ord2388
ord2394
ord2392
ord2390
ord2407
ord2402
ord2386
ord2409
ord2397
ord2379
ord2381
ord2399
ord2169
ord2163
ord1513
ord6273
ord3796
ord6275
ord3339
ord4961
ord1353
ord5171
ord1955
ord1647
ord1646
ord1590
ord5196
ord2531
ord2725
ord2829
ord4301
ord2708
ord2856
ord2534
ord2640
ord2527
ord2952
ord3712
ord3713
ord3703
ord2638
ord3943
ord4480
ord4255
ord3224
ord572
ord760
ord1894
ord2361
ord1058
ord1274
ord1946
ord4094
ord2085
ord3238
ord3198
ord1925
ord293
ord2311
ord870
ord1118
ord577
ord3204
ord1079
ord762
ord1178
ord1182
ord1473
ord764
ord1198

msvcr80

_controlfp_s
_invoke_watson
_except_handler4_common
__CxxFrameHandler3
free
malloc
wcschr
memcpy_s
memmove_s
memset
qsort
realloc
_wcsicmp
_wcsnicmp
swscanf_s
memcpy
_difftime64
_time64
_localtime64_s
_tzset
wcsrchr
_wcsdup
qsort_s
_wcstoi64
wcscpy_s
?_type_info_dtor_internal_method@type_info@@QAEXXZ
memmove
wcsncpy_s
wcscat_s
wcsstr
strncmp
_wcsupr_s
wcsncmp
_snwprintf_s
towupper
_mktime64
_stricmp
_wtol
_purecall
wcspbrk
srand
wcstol
_wtoi
_amsg_exit
__wgetmainargs
_cexit
_exit
_XcptFilter
exit
_wcmdln
_initterm
_initterm_e
_configthreadlocale
__setusermatherr
_adjust_fdiv
__p__commode
__p__fmode
_encode_pointer
__set_app_type
?terminate@@YAXXZ
_unlock
__dllonexit
_lock
_onexit
_decode_pointer
_crt_debugger_hook

kernel32

LockResource
SizeofResource
FreeResource
DeleteFileW
ResetEvent
FindFirstChangeNotificationW
WideCharToMultiByte
CreateEventW
CreateThread
SetEvent
TerminateThread
FindCloseChangeNotification
WaitForSingleObject
FindNextChangeNotification
FileTimeToLocalFileTime
FileTimeToSystemTime
MulDiv
GetLogicalDriveStringsW
GetCommandLineW
GetCurrentProcessId
GetModuleFileNameW
GetLastError
SetLastError
GetModuleHandleW
FindFirstFileW
FindNextFileW
LoadResource
GetVersion
GetCurrentThreadId
InitializeCriticalSection
DeleteCriticalSection
WriteFile
CreateFileW
GetFileSize
ReadFile
CloseHandle
EnterCriticalSection
LeaveCriticalSection
LoadLibraryW
GetProcAddress
FreeLibrary
GetTickCount
InterlockedIncrement
InterlockedDecrement
GlobalAlloc
GlobalLock
GlobalUnlock
GetStartupInfoW
SetUnhandledExceptionFilter
QueryPerformanceCounter
TerminateProcess
UnhandledExceptionFilter
FindResourceW
MultiByteToWideChar
SetFilePointer
GetFileTime
Sleep
SetEndOfFile
lstrcpynW
lstrlenW
GetFullPathNameW
GetFileAttributesW
lstrcpynA
lstrlenA
AreFileApisANSI
GetFullPathNameA
GetFileAttributesA
GetDateFormatW
GetTimeFormatW
WaitForMultipleObjects
GetCurrentProcess
ExpandEnvironmentStringsW
UnmapViewOfFile
CreateMutexW
ReleaseMutex
VirtualAlloc
MapViewOfFile
CreateFileMappingW
OpenFileMappingW
DuplicateHandle
OpenProcess
OpenMutexW
LocalFree
LocalAlloc
lstrcmpA
GetModuleHandleA
GetVersionExW
SetThreadPriority
GetCurrentThread
GetSystemTimeAsFileTime
GetPrivateProfileStringW
GetPrivateProfileIntW
GetLocaleInfoW
LoadLibraryExW
FlushFileBuffers
FindClose
InterlockedCompareExchange
GetACP
GetLocaleInfoA
GetThreadLocale
GetVersionExA
InterlockedExchange

user32

RedrawWindow
LoadImageW
FrameRect
GetMenuItemCount
AppendMenuW
CreatePopupMenu
DestroyCursor
GetWindowTextW
ReleaseCapture
SetCapture
IsZoomed
ClientToScreen
GetMenuState
CheckMenuItem
GetCursorPos
DestroyWindow
ScreenToClient
SetWindowRgn
EqualRect
GetSubMenu
SetMenuDefaultItem
InvalidateRect
GetUpdateRgn
DrawFocusRect
InflateRect
SetRectEmpty
IsRectEmpty
UpdateWindow
GetDlgCtrlID
SetWindowPos
ShowWindow
SetWindowsHookExW
GetParent
GetFocus
UnhookWindowsHookEx
WindowFromPoint
OffsetRect
MsgWaitForMultipleObjects
LoadIconW
GetWindowLongW
GetDesktopWindow
GetDC
DrawIconEx
DestroyIcon
CopyRect
SetRect
RegisterWindowMessageW
IsWindow
AdjustWindowRectEx
GetClassInfoW
RegisterClassW
SystemParametersInfoW
IsWindowVisible
IsIconic
GetSystemMenu
SetMenu
PostMessageW
RemoveMenu
ModifyMenuW
InsertMenuW
LoadCursorW
SetCursor
FindWindowW
SetActiveWindow
GetWindow
GetNextDlgTabItem
KillTimer
SetTimer
GetSystemMetrics
GetAsyncKeyState
SendMessageW
EnableWindow
SetForegroundWindow
ReleaseDC
CreateIconFromResourceEx
GetSysColor
GetScrollPos
DrawTextW
FillRect
CallNextHookEx
GetMenuItemID
GetWindowDC
GetClientRect
PtInRect
EnableMenuItem
PeekMessageW
TranslateMessage
MessageBeep
DispatchMessageW
GetWindowRect
LoadMenuW

gdi32

GetDIBits
SetDIBits
GetPixel
CreateICW
GetDeviceCaps
DeleteDC
CreateDIBitmap
ExtTextOutW
SetTextColor
GetTextColor
EnumFontFamiliesW
GetBkColor
GetCurrentObject
SelectObject
CombineRgn
LPtoDP
DPtoLP
GetMapMode
RectInRegion
CreateRectRgn
DeleteObject
CreateCompatibleBitmap
CreateFontIndirectW
GetTextMetricsW
BitBlt
CreateCompatibleDC
GetObjectW
GetTextExtentPoint32W

advapi32

GetSecurityDescriptorDacl
RegOpenKeyA
RegQueryValueExA
RegEnumKeyW
OpenProcessToken
GetTokenInformation
AllocateAndInitializeSid
FreeSid
InitializeSecurityDescriptor
RegEnumKeyExW
RegQueryInfoKeyW
RegEnumValueW
RegOpenKeyExW
RegCreateKeyExW
SetSecurityDescriptorDacl
RegDeleteValueW
RegSetValueExW
RegQueryValueExW
RegCloseKey
RegDeleteKeyW
RegDeleteKeyA

shell32

SHGetPathFromIDListA
SHGetDesktopFolder
Shell_NotifyIconW
SHGetSpecialFolderLocation
SHGetMalloc
SHGetFileInfoW
ShellExecuteW
SHBrowseForFolderW
SHGetPathFromIDListW

comctl32

ord17

ole32

CoTaskMemFree

oleaut32

SystemTimeToVariantTime
VariantTimeToSystemTime

Sections

.text
Size: 652KB - Virtual size: 649KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rdata
Size: 176KB - Virtual size: 174KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.data
Size: 12KB - Virtual size: 35KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.rsrc
Size: 560KB - Virtual size: 556KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

Sharing

General

Malware Config

Extracted

Extracted

Signatures

Files

159f387849f4d8d482c375833298a87f

Code Sign

38:25:d7:fa:f8:61:af:9e:f4:90:e7:26:b5:d6:5a:d5Certificate

Extended Key Usages

Key Usages

47:bf:19:95:df:8d:52:46:43:f7:db:6d:48:0d:31:a4Certificate

Extended Key Usages

Key Usages

41:91:a1:5a:39:78:df:cf:49:65:66:38:1d:4c:75:c2Certificate

Extended Key Usages

Key Usages

2b:22:25:2b:47:8a:1a:91:a8:bc:2b:8b:7f:2d:96:eaCertificate

Extended Key Usages

Key Usages

f7:4a:17:60:34:fd:0a:b7:c3:34:a2:81:04:ab:db:4b:ae:92:a3:17Signer

Headers

File Characteristics

PDB Paths

Imports

mfc80u

msvcr80

kernel32

user32

gdi32

advapi32

shell32

comctl32

ole32

oleaut32

Sections

.text Size: 652KB - Virtual size: 649KB

.rdata Size: 176KB - Virtual size: 174KB

.data Size: 12KB - Virtual size: 35KB

.rsrc Size: 560KB - Virtual size: 556KB

38:25:d7:fa:f8:61:af:9e:f4:90:e7:26:b5:d6:5a:d5
Certificate

47:bf:19:95:df:8d:52:46:43:f7:db:6d:48:0d:31:a4
Certificate

41:91:a1:5a:39:78:df:cf:49:65:66:38:1d:4c:75:c2
Certificate

2b:22:25:2b:47:8a:1a:91:a8:bc:2b:8b:7f:2d:96:ea
Certificate

f7:4a:17:60:34:fd:0a:b7:c3:34:a2:81:04:ab:db:4b:ae:92:a3:17
Signer

.text
Size: 652KB - Virtual size: 649KB

.rdata
Size: 176KB - Virtual size: 174KB

.data
Size: 12KB - Virtual size: 35KB

.rsrc
Size: 560KB - Virtual size: 556KB