30a1d4ae050b0a744f89d2c9ce38bed7_JaffaCakes118

Sharing

Copy URL Twitter E-mail

General

Target

30a1d4ae050b0a744f89d2c9ce38bed7_JaffaCakes118
Size

221KB
MD5

30a1d4ae050b0a744f89d2c9ce38bed7
SHA1

3d3951d5e1bbc3cd152db0461afd2eb53ab86a66
SHA256

8a5b040e5088490134d07e28d121b358ef43ea5196f06a7e7160ff39854642fe
SHA512

8749ce4a38b7dea0d5ab6ff0df204122fc774a6b8d9b3fc4fb99b77ef44039aba5faa932bf303a739ace3155e2e3385a39bd53f38caaf5936b01de5dbd1d7828
SSDEEP

3072:/soMMxkoZLA9KncitAgSeDuA8QsseRLPjA/JcSPM4OMQkLBYdYS1:UoMOFJDwxKOSPM4OMQkLBYdt

Score

1^/10

Malware Config

Signatures

Files

30a1d4ae050b0a744f89d2c9ce38bed7_JaffaCakes118
.exe windows:6 windows x86 arch:x86

9f5f56a7192df4995e65c1c996eec84f

Code Sign

38:25:d7:fa:f8:61:af:9e:f4:90:e7:26:b5:d6:5a:d5
Certificate

Issuer

CN=VeriSign Time Stamping Services CA,O=VeriSign\, Inc.,C=US

Not Before

15/06/2007, 00:00

Not After

14/06/2012, 23:59

Subject

CN=VeriSign Time Stamping Services Signer - G2,O=VeriSign\, Inc.,C=US

Extended Key Usages

ExtKeyUsageTimeStamping

Key Usages

KeyUsageDigitalSignature
KeyUsageContentCommitment

47:bf:19:95:df:8d:52:46:43:f7:db:6d:48:0d:31:a4
Certificate

Issuer

CN=Thawte Timestamping CA,OU=Thawte Certification,O=Thawte,L=Durbanville,ST=Western Cape,C=ZA

Not Before

04/12/2003, 00:00

Not After

03/12/2013, 23:59

Subject

CN=VeriSign Time Stamping Services CA,O=VeriSign\, Inc.,C=US

Extended Key Usages

ExtKeyUsageTimeStamping

Key Usages

KeyUsageCertSign
KeyUsageCRLSign

41:91:a1:5a:39:78:df:cf:49:65:66:38:1d:4c:75:c2
Certificate

Issuer

OU=Class 3 Public Primary Certification Authority,O=VeriSign\, Inc.,C=US

Not Before

16/07/2004, 00:00

Not After

15/07/2014, 23:59

Subject

CN=VeriSign Class 3 Code Signing 2004 CA,OU=VeriSign Trust Network+OU=Terms of use at https://www.verisign.com/rpa (c)04,O=VeriSign\, Inc.,C=US

Extended Key Usages

ExtKeyUsageClientAuth
ExtKeyUsageCodeSigning

Key Usages

KeyUsageCertSign
KeyUsageCRLSign

56:4a:36:1e:16:8a:81:a8:f3:ef:aa:da:33:25:08:e1
Certificate

Issuer

CN=VeriSign Class 3 Code Signing 2004 CA,OU=VeriSign Trust Network+OU=Terms of use at https://www.verisign.com/rpa (c)04,O=VeriSign\, Inc.,C=US

Not Before

13/09/2008, 00:00

Not After

09/10/2011, 23:59

Subject

CN=McAfee\, Inc.,OU=Digital ID Class 3 - Microsoft Software Validation v2+OU=IIS,O=McAfee\, Inc.,L=Santa Clara,ST=California,C=US

Extended Key Usages

ExtKeyUsageCodeSigning

Key Usages

KeyUsageDigitalSignature

63:f5:6c:ef:2d:79:e0:17:ea:a2:d3:f0:be:33:00:7c:d6:03:64:5f
Signer

Actual PE Digest

63:f5:6c:ef:2d:79:e0:17:ea:a2:d3:f0:be:33:00:7c:d6:03:64:5f

Digest Algorithm

sha1

PE Digest Matches

false

Headers

File Characteristics

IMAGE_FILE_RELOCS_STRIPPED
IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_32BIT_MACHINE

PDB Paths

d:\sae5\build\sae\build\win32\release\McSACore.pdb

Imports

urlmon

CoInternetParseUrl

userenv

CreateEnvironmentBlock

wtsapi32

WTSEnumerateProcessesW
WTSFreeMemory

secur32

GetUserNameExW

sacore

sa_option_setbinary
sa_releasepool_push
sa_dss_lookupchecksums
sa_releasepool_pop
sa_list_destroy
sa_option_getbool
sa_option_getstring
sacore_free
sa_option_getdouble
sa_map_next
sa_list_freeitembycopy
sa_list_cloneitembycopy
sa_list_create
sa_list_set
sa_option_getint
sa_dss_maintenance
sa_buffer_length
sa_buffer_string
sa_option_setdouble
SA_OPTION_CLIENTTYPE
SA_OPTION_CLIENTVERSION
SA_OPTION_AFFID
SA_OPTION_LOCALE
SA_OPTION_PIP
SA_OPTION_PASSWD
SA_OPTION_USESSL
SA_OPTION_PROXYTYPE
SA_OPTION_PROXYHOST
SA_OPTION_PROXYPORT
SA_OPTION_PROXYUSER
SA_OPTION_PROXYPASSWORD
SA_OPTION_PROXYCONFIGURL
SA_OPTION_PROXYBYPASS
sa_initialize
sa_checksum_create
sa_checksum_update
sa_checksum_final
sa_checksum_destroy
sa_finalize
sa_option_setstring
sa_option_setbool
sa_option_setint
sa_http_request_destroy
sa_http_request_setfordss
sa_http_request_seturl
sa_http_request_get
sa_http_request_create
SA_OPTION_PRIVATEDIRECTORY
SA_OPTION_SHAREDDIRECTORY
sa_sethttphooks
sa_setcachehooks
sa_setmblhooks
sa_setstorehooks
sa_setloghooks
sa_list_count
sa_regex_execute
sa_regex_release
sa_list_next
sa_map_get
sa_list_get
SA_OPTION_DSSURL
sa_dss_lookupurls
sa_regex_create

sa_store_sqlite

store_setvalues_sqlite
store_getkeysvalues_sqlite
store_setvalue_sqlite
store_getvalue_sqlite
store_getkeys_sqlite
store_finalize_sqlite
store_initialize_sqlite
SA_STORE_SQLITE_OPTION_SHAREDFILE
SA_STORE_SQLITE_OPTION_PRIVATEFILE

sa_mbl

sa_mbl_authenticate_hook
sa_mbl_lookup_hook

sa_http_win32

sa_http_cancel_win32
sa_http_post_win32
sa_http_get_win32
SA_OPTION_HTTPWIN32_USERTOKEN

sa_cache_sqlite

cache_getvalue_sqlite
cache_flush_sqlite
cache_finalize_sqlite
cache_initialize_sqlite
SA_CACHE_SQLITE_OPTION_CACHEFILE
cache_setvalue_sqlite

kernel32

GetACP
InterlockedExchange
GetThreadLocale
GetVersionExA
HeapDestroy
HeapReAlloc
HeapSize
InterlockedCompareExchange
GetStartupInfoW
TerminateProcess
UnhandledExceptionFilter
SetUnhandledExceptionFilter
IsDebuggerPresent
QueryPerformanceCounter
GetCurrentProcessId
GetSystemTimeAsFileTime
GetLocaleInfoA
VirtualQuery
CreateMutexW
GetLocalTime
ReleaseMutex
GetShortPathNameW
WaitForMultipleObjects
LoadLibraryW
HeapAlloc
IsBadReadPtr
IsBadCodePtr
GetProcessHeap
HeapFree
SetCurrentDirectoryW
CreateProcessW
GetExitCodeProcess
CreateDirectoryW
GetSystemTime
SystemTimeToFileTime
OpenProcess
lstrcmpW
GetProcAddress
LocalFree
lstrlenW
RaiseException
EnterCriticalSection
LeaveCriticalSection
InitializeCriticalSection
DeleteCriticalSection
GetLastError
InterlockedIncrement
InterlockedDecrement
CloseHandle
lstrcmpiW
WaitForSingleObject
Sleep
GetModuleHandleW
GetCurrentThreadId
CreateThread
CreateEventW
GetModuleFileNameW
SetEvent
FreeLibrary
MultiByteToWideChar
SizeofResource
LoadResource
FindResourceW
LoadLibraryExW
GetCommandLineW
WideCharToMultiByte
LockResource
FindResourceExW
GetSystemDefaultLCID
GetUserDefaultLCID
GetSystemDefaultLangID
GetUserDefaultLangID
OpenEventW
lstrlenA
GetTickCount
ReadFile
SetFilePointer
CreateFileW
WriteFile
GetVersionExW
GetCurrentProcess
GetCurrentThread

user32

DispatchMessageW
GetMessageW
UnregisterClassA
LoadStringW
TranslateMessage
CharUpperW
MessageBoxW
MsgWaitForMultipleObjects
PeekMessageW
CharNextW
PostThreadMessageW
CharLowerBuffW

advapi32

CloseServiceHandle
RegDeleteValueW
RegCloseKey
RegCreateKeyExW
RegOpenKeyExW
RegQueryValueExW
RegSetValueExW
RegQueryInfoKeyW
DeregisterEventSource
ReportEventW
RegisterEventSourceW
SetServiceStatus
RegEnumKeyExW
StartServiceCtrlDispatcherW
CopySid
GetLengthSid
IsValidSid
InitializeSecurityDescriptor
SetSecurityDescriptorOwner
SetSecurityDescriptorGroup
GetTokenInformation
LookupAccountNameW
GetAce
AddAce
GetAclInformation
AddAccessAllowedAce
InitializeAcl
ConvertStringSecurityDescriptorToSecurityDescriptorW
RegSetValueExA
GetSecurityDescriptorLength
RegCreateKeyW
RegEnumValueW
CreateProcessAsUserW
DuplicateTokenEx
ImpersonateLoggedOnUser
ConvertSidToStringSidW
RegisterServiceCtrlHandlerExW
ChangeServiceConfigW
ChangeServiceConfig2W
OpenThreadToken
OpenProcessToken
SetSecurityDescriptorDacl
ControlService
DeleteService
CreateServiceW
OpenSCManagerW
OpenServiceW
RegOpenKeyW
RegDeleteKeyW

shell32

SHGetSpecialFolderPathW

ole32

StringFromGUID2
CoCreateInstance
CoResumeClassObjects
CoInitializeSecurity
CoInitializeEx
CoUninitialize
CoTaskMemFree
CoRegisterClassObject
CoRevokeClassObject
CoTaskMemRealloc
CoSuspendClassObjects
CoImpersonateClient
CoTaskMemAlloc
CoRevertToSelf

oleaut32

SysFreeString
SysStringLen
VarUI4FromStr
LoadRegTypeLi
SysAllocStringByteLen
RegisterTypeLi
UnRegisterTypeLi
VariantCopy
VarCmp
VariantClear
VariantInit
SysAllocStringLen
SysAllocString
LoadTypeLi

shlwapi

UrlGetPartW
StrRChrW

msvcp80

??4?$basic_string@_WU?$char_traits@_W@std@@V?$allocator@_W@2@@std@@QAEAAV01@PB_W@Z
?find@?$basic_string@_WU?$char_traits@_W@std@@V?$allocator@_W@2@@std@@QBEIPB_WI@Z
??1?$basic_string@_WU?$char_traits@_W@std@@V?$allocator@_W@2@@std@@QAE@XZ
??4?$basic_string@_WU?$char_traits@_W@std@@V?$allocator@_W@2@@std@@QAEAAV01@ABV01@@Z
?substr@?$basic_string@_WU?$char_traits@_W@std@@V?$allocator@_W@2@@std@@QBE?AV12@II@Z
?erase@?$basic_string@_WU?$char_traits@_W@std@@V?$allocator@_W@2@@std@@QAE?AV?$_String_iterator@_WU?$char_traits@_W@std@@V?$allocator@_W@2@@2@V32@0@Z
?begin@?$basic_string@_WU?$char_traits@_W@std@@V?$allocator@_W@2@@std@@QAE?AV?$_String_iterator@_WU?$char_traits@_W@std@@V?$allocator@_W@2@@2@XZ
?end@?$basic_string@_WU?$char_traits@_W@std@@V?$allocator@_W@2@@std@@QAE?AV?$_String_iterator@_WU?$char_traits@_W@std@@V?$allocator@_W@2@@2@XZ
??0?$basic_string@_WU?$char_traits@_W@std@@V?$allocator@_W@2@@std@@QAE@PB_W@Z
??0?$basic_string@_WU?$char_traits@_W@std@@V?$allocator@_W@2@@std@@QAE@ABV01@@Z
?find@?$basic_string@_WU?$char_traits@_W@std@@V?$allocator@_W@2@@std@@QBEIABV12@I@Z
?erase@?$basic_string@_WU?$char_traits@_W@std@@V?$allocator@_W@2@@std@@QAEAAV12@II@Z
?_Xran@_String_base@std@@SAXXZ
??$?9_WU?$char_traits@_W@std@@V?$allocator@_W@1@@std@@YA_NABV?$basic_string@_WU?$char_traits@_W@std@@V?$allocator@_W@2@@0@0@Z
?npos@?$basic_string@_WU?$char_traits@_W@std@@V?$allocator@_W@2@@std@@2IB
??0?$basic_string@_WU?$char_traits@_W@std@@V?$allocator@_W@2@@std@@QAE@XZ
??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV01@@Z
??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ
?resize@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEXI@Z
??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBD@Z
?npos@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@2IB
?find@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEIPBDII@Z
??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ
??4?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV01@ABV01@@Z
??$?HDU?$char_traits@D@std@@V?$allocator@D@1@@std@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@PBD@Z
??$?8DU?$char_traits@D@std@@V?$allocator@D@1@@std@@YA_NABV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@PBD@Z
??Y?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV01@PBD@Z
??4?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV01@PBD@Z
??$?M_WU?$char_traits@_W@std@@V?$allocator@_W@1@@std@@YA_NABV?$basic_string@_WU?$char_traits@_W@std@@V?$allocator@_W@2@@0@0@Z
?append@?$basic_string@_WU?$char_traits@_W@std@@V?$allocator@_W@2@@std@@QAEAAV12@PB_W@Z

msvcr80

memset
_recalloc
??2@YAPAXI@Z
__CxxFrameHandler3
_purecall
_vsnwprintf_s
_putws
??_V@YAXPAX@Z
wcsncpy_s
wcsstr
_vscwprintf
vswprintf_s
realloc
_wtoi64
wcstombs_s
_vsnprintf
_vsnwprintf
_mbscmp
vfwprintf
fwprintf
_wtoi
_except_handler4_common
?terminate@@YAXXZ
_unlock
__dllonexit
_encode_pointer
_lock
_onexit
_decode_pointer
_amsg_exit
__wgetmainargs
_cexit
_exit
_XcptFilter
exit
_wcmdln
_initterm
_initterm_e
_configthreadlocale
__setusermatherr
_adjust_fdiv
__p__commode
__p__fmode
__set_app_type
?_type_info_dtor_internal_method@type_info@@QAEXXZ
_crt_debugger_hook
_invoke_watson
_controlfp_s
memcpy_s
free
malloc
??3@YAXPAX@Z
wcstok
_wcsdup
_invalid_parameter_noinfo
wcscat_s
wcscpy_s
__RTDynamicCast
_wcsicmp
_itow_s
_time64
??0exception@std@@QAE@ABV01@@Z
calloc
??0exception@std@@QAE@XZ
??1exception@std@@UAE@XZ
_wtol
wcsrchr
wcstok_s
_CxxThrowException
_wcslwr_s
wcscspn
wcsspn
wcschr
memcpy
_wstat64
_wfopen_s
fread
fclose
memmove_s
_mbsrev
tolower

crypt32

CryptMsgClose
CertFreeCertificateContext
CertCloseStore
CryptDecodeObject
CertGetCertificateContextProperty
CertVerifyCertificateChainPolicy
CertGetCertificateChain
CertGetNameStringW
CertGetSubjectCertificateFromStore
CryptMsgGetParam
CryptQueryObject
CertFreeCertificateChain

wintrust

WinVerifyTrust

Sections

.text
Size: 120KB - Virtual size: 118KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rdata
Size: 40KB - Virtual size: 36KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.data
Size: 8KB - Virtual size: 6KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.rsrc
Size: 44KB - Virtual size: 42KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

Sharing

General

Malware Config

Signatures

Files

9f5f56a7192df4995e65c1c996eec84f

Code Sign

38:25:d7:fa:f8:61:af:9e:f4:90:e7:26:b5:d6:5a:d5Certificate

Extended Key Usages

Key Usages

47:bf:19:95:df:8d:52:46:43:f7:db:6d:48:0d:31:a4Certificate

Extended Key Usages

Key Usages

41:91:a1:5a:39:78:df:cf:49:65:66:38:1d:4c:75:c2Certificate

Extended Key Usages

Key Usages

56:4a:36:1e:16:8a:81:a8:f3:ef:aa:da:33:25:08:e1Certificate

Extended Key Usages

Key Usages

63:f5:6c:ef:2d:79:e0:17:ea:a2:d3:f0:be:33:00:7c:d6:03:64:5fSigner

Headers

File Characteristics

PDB Paths

Imports

urlmon

userenv

wtsapi32

secur32

sacore

sa_store_sqlite

sa_mbl

sa_http_win32

sa_cache_sqlite

kernel32

user32

advapi32

shell32

ole32

oleaut32

shlwapi

msvcp80

msvcr80

crypt32

wintrust

Sections

.text Size: 120KB - Virtual size: 118KB

.rdata Size: 40KB - Virtual size: 36KB

.data Size: 8KB - Virtual size: 6KB

.rsrc Size: 44KB - Virtual size: 42KB

38:25:d7:fa:f8:61:af:9e:f4:90:e7:26:b5:d6:5a:d5
Certificate

47:bf:19:95:df:8d:52:46:43:f7:db:6d:48:0d:31:a4
Certificate

41:91:a1:5a:39:78:df:cf:49:65:66:38:1d:4c:75:c2
Certificate

56:4a:36:1e:16:8a:81:a8:f3:ef:aa:da:33:25:08:e1
Certificate

63:f5:6c:ef:2d:79:e0:17:ea:a2:d3:f0:be:33:00:7c:d6:03:64:5f
Signer

.text
Size: 120KB - Virtual size: 118KB

.rdata
Size: 40KB - Virtual size: 36KB

.data
Size: 8KB - Virtual size: 6KB

.rsrc
Size: 44KB - Virtual size: 42KB