33221d549b7d5b1f11e07ee8acb5e304_JaffaCakes118

Sharing

Copy URL Twitter E-mail

General

Target

33221d549b7d5b1f11e07ee8acb5e304_JaffaCakes118
Size

31KB
MD5

33221d549b7d5b1f11e07ee8acb5e304
SHA1

c09eba0f8c6b75a99c21c15b5726ed0ddbc93abe
SHA256

1a94f13b370899d7341006687969f92136e7e6048b869b516fedb38c570ac965
SHA512

6aa6978f37bc9f7814bf31d0d7cff533f6c1f56d8ee540bd6c5acc19f50d371f1f7ccfb29f2e88b2fd6b5e8d640786482c318a7f5eb7821cfd24986bcb58f12e
SSDEEP

768:k32/Nj6CArNLmMJKjg34D5B6foj3mfpqgCLJbCrMm+NF:k3qh4J/Rfoj3mxCNCrDyF

Score

1^/10

Malware Config

Signatures

Files

33221d549b7d5b1f11e07ee8acb5e304_JaffaCakes118
.dll windows:4 windows x86 arch:x86

8343ce6ea4eb925f8792d367ca8d960d

Code Sign

38:25:d7:fa:f8:61:af:9e:f4:90:e7:26:b5:d6:5a:d5
Certificate

Issuer

CN=VeriSign Time Stamping Services CA,O=VeriSign\, Inc.,C=US

Not Before

15/06/2007, 00:00

Not After

14/06/2012, 23:59

Subject

CN=VeriSign Time Stamping Services Signer - G2,O=VeriSign\, Inc.,C=US

Extended Key Usages

ExtKeyUsageTimeStamping

Key Usages

KeyUsageDigitalSignature
KeyUsageContentCommitment

47:bf:19:95:df:8d:52:46:43:f7:db:6d:48:0d:31:a4
Certificate

Issuer

CN=Thawte Timestamping CA,OU=Thawte Certification,O=Thawte,L=Durbanville,ST=Western Cape,C=ZA

Not Before

04/12/2003, 00:00

Not After

03/12/2013, 23:59

Subject

CN=VeriSign Time Stamping Services CA,O=VeriSign\, Inc.,C=US

Extended Key Usages

ExtKeyUsageTimeStamping

Key Usages

KeyUsageCertSign
KeyUsageCRLSign

04:0f:11:f1:24:a7:3b:de:cc:41:25:98:45:a8:a7:73
Certificate

Issuer

CN=VeriSign Class 3 Code Signing 2009-2 CA,OU=VeriSign Trust Network+OU=Terms of use at https://www.verisign.com/rpa (c)09,O=VeriSign\, Inc.,C=US

Not Before

09/04/2010, 00:00

Not After

09/04/2011, 23:59

Subject

CN=TrustPort,OU=Digital ID Class 3 - Microsoft Software Validation v2,O=TrustPort,L=Brno,ST=Morava,C=CZ

Extended Key Usages

ExtKeyUsageCodeSigning

Key Usages

KeyUsageDigitalSignature

65:52:26:e1:b2:2e:18:e1:59:0f:29:85:ac:22:e7:5c
Certificate

Issuer

OU=Class 3 Public Primary Certification Authority,O=VeriSign\, Inc.,C=US

Not Before

21/05/2009, 00:00

Not After

20/05/2019, 23:59

Subject

CN=VeriSign Class 3 Code Signing 2009-2 CA,OU=VeriSign Trust Network+OU=Terms of use at https://www.verisign.com/rpa (c)09,O=VeriSign\, Inc.,C=US

Extended Key Usages

ExtKeyUsageClientAuth
ExtKeyUsageCodeSigning

Key Usages

KeyUsageCertSign
KeyUsageCRLSign

61:0c:12:06:00:00:00:00:00:1b
Certificate

Issuer

CN=Microsoft Code Verification Root,O=Microsoft Corporation,L=Redmond,ST=Washington,C=US

Not Before

23/05/2006, 17:01

Not After

23/05/2016, 17:11

Subject

OU=Class 3 Public Primary Certification Authority,O=VeriSign\, Inc.,C=US

Key Usages

KeyUsageDigitalSignature
KeyUsageCertSign
KeyUsageCRLSign

7a:99:bd:ad:ee:a8:e7:da:49:78:95:77:5a:86:63:38:80:fc:83:06
Signer

Actual PE Digest

7a:99:bd:ad:ee:a8:e7:da:49:78:95:77:5a:86:63:38:80:fc:83:06

Digest Algorithm

sha1

PE Digest Matches

true

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_FORCE_INTEGRITY

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_32BIT_MACHINE
IMAGE_FILE_DLL

PDB Paths

d:\project\rebels5\export\release\i386\tpsec.pdb

Imports

ntoskrnl.exe

RtlDeleteRegistryValue
RtlWriteRegistryValue
RtlQueryRegistryValues
_wcsicmp
ZwQueryInformationProcess
ZwOpenProcess
ZwQuerySystemInformation
PsGetProcessId
PsInitialSystemProcess
PsGetCurrentThreadId
PsGetVersion
RtlMapGenericMask
ZwOpenFile
ObReferenceObjectByPointer
KeUnstackDetachProcess
KeStackAttachProcess
KeDelayExecutionThread
PsSetCreateThreadNotifyRoutine
PsSetCreateProcessNotifyRoutine
RtlCreateRegistryKey
RtlCheckRegistryKey
RtlAppendUnicodeToString
RtlCopyUnicodeString
IoIsWdmVersionAvailable
IoFileObjectType
ZwClose
ObReferenceObjectByHandle
ObQueryNameString
memcpy
_wcsupr
memset
SeCreateClientSecurity
RtlSetDaclSecurityDescriptor
_except_handler3
wcschr
IoGetCurrentProcess
PsLookupThreadByThreadId
PsLookupProcessByProcessId
KeGetCurrentThread
ExAllocatePoolWithTag
IoGetDeviceObjectPointer
RtlEqualUnicodeString
ObfDereferenceObject
ExFreePoolWithTag
RtlCompareMemory
PsThreadType
IoThreadToProcess
PsProcessType
PsGetCurrentProcessId
RtlInitUnicodeString
KeGetPreviousMode
MmGetSystemRoutineAddress

hal

KfReleaseSpinLock
KfAcquireSpinLock

fltmgr.sys

FltGetFileNameInformation
FltReleaseFileNameInformation
FltRegisterFilter
FltBuildDefaultSecurityDescriptor
FltCreateCommunicationPort
FltStartFiltering
FltFreeSecurityDescriptor
FltGetInstanceContext
FltCbdqInsertIo
FltCbdqRemoveIo
FltCloseCommunicationPort
FltUnregisterFilter
FltAllocateGenericWorkItem
FltQueueGenericWorkItem
FltSetInformationFile
FltCompletePendedPreOperation
FltFreeGenericWorkItem
FltGetVolumeName
FltAllocateContext
FltSetInstanceContext
FltReleaseContext
FltCbdqInitialize
FltCloseClientPort
FltGetDestinationFileNameInformation

Sections

.text
Size: 15KB - Virtual size: 15KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rdata
Size: 2KB - Virtual size: 2KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.data
Size: 512B - Virtual size: 412B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

INIT
Size: 2KB - Virtual size: 2KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.rsrc
Size: 1024B - Virtual size: 872B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ

.reloc
Size: 2KB - Virtual size: 1KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ

Sharing

General

Malware Config

Signatures

Files

8343ce6ea4eb925f8792d367ca8d960d

Code Sign

38:25:d7:fa:f8:61:af:9e:f4:90:e7:26:b5:d6:5a:d5Certificate

Extended Key Usages

Key Usages

47:bf:19:95:df:8d:52:46:43:f7:db:6d:48:0d:31:a4Certificate

Extended Key Usages

Key Usages

04:0f:11:f1:24:a7:3b:de:cc:41:25:98:45:a8:a7:73Certificate

Extended Key Usages

Key Usages

65:52:26:e1:b2:2e:18:e1:59:0f:29:85:ac:22:e7:5cCertificate

Extended Key Usages

Key Usages

61:0c:12:06:00:00:00:00:00:1bCertificate

Key Usages

7a:99:bd:ad:ee:a8:e7:da:49:78:95:77:5a:86:63:38:80:fc:83:06Signer

Headers

DLL Characteristics

File Characteristics

PDB Paths

Imports

ntoskrnl.exe

hal

fltmgr.sys

Sections

.text Size: 15KB - Virtual size: 15KB

.rdata Size: 2KB - Virtual size: 2KB

.data Size: 512B - Virtual size: 412B

INIT Size: 2KB - Virtual size: 2KB

.rsrc Size: 1024B - Virtual size: 872B

.reloc Size: 2KB - Virtual size: 1KB

38:25:d7:fa:f8:61:af:9e:f4:90:e7:26:b5:d6:5a:d5
Certificate

47:bf:19:95:df:8d:52:46:43:f7:db:6d:48:0d:31:a4
Certificate

04:0f:11:f1:24:a7:3b:de:cc:41:25:98:45:a8:a7:73
Certificate

65:52:26:e1:b2:2e:18:e1:59:0f:29:85:ac:22:e7:5c
Certificate

61:0c:12:06:00:00:00:00:00:1b
Certificate

7a:99:bd:ad:ee:a8:e7:da:49:78:95:77:5a:86:63:38:80:fc:83:06
Signer

.text
Size: 15KB - Virtual size: 15KB

.rdata
Size: 2KB - Virtual size: 2KB

.data
Size: 512B - Virtual size: 412B

INIT
Size: 2KB - Virtual size: 2KB

.rsrc
Size: 1024B - Virtual size: 872B

.reloc
Size: 2KB - Virtual size: 1KB