Static task
static1
Behavioral task
behavioral1
Sample
470d1f717f76dddd2311ca166d7acc58_JaffaCakes118.exe
Resource
win7-20240704-en
Behavioral task
behavioral2
Sample
470d1f717f76dddd2311ca166d7acc58_JaffaCakes118.exe
Resource
win10v2004-20240709-en
General
-
Target
470d1f717f76dddd2311ca166d7acc58_JaffaCakes118
-
Size
832KB
-
MD5
470d1f717f76dddd2311ca166d7acc58
-
SHA1
44749c9eab69e2e9edf58378c7b734072e280ed9
-
SHA256
18cd18c2d070ad1605595658f8bfa35417ed5c6e994ee332b95ef934d79f5c89
-
SHA512
6ff8fda7916d068fdf22b1591958e525092a6a9674b1a5528e7bfc240be45c33b7031a7f3942fa17a837b0c6e0053fdd7dc7aff5ab1d7b507b44294476adbbc6
-
SSDEEP
12288:FKHERWHDo5on6asr6AAWo+VwGSUyjvgkriZ94gGlPLnskCAfOsaLADncLPB:IHPDowsrxo+LSr4kriZ94TCkpfMAn4P
Malware Config
Signatures
-
Unsigned PE (1 IoC)
Checks for missing Authenticode signature. The PE carries no embedded Authenticode signature; note that an absent signature is weak evidence on its own, since much legitimate software is also unsigned.
resource 470d1f717f76dddd2311ca166d7acc58_JaffaCakes118
Files
-
470d1f717f76dddd2311ca166d7acc58_JaffaCakes118.exe windows:5 windows x86 arch:x86
ae5e7fe758d252e03343f2916e0b82e4
Headers
DLL Characteristics
IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
IMAGE_DLLCHARACTERISTICS_NX_COMPAT
IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE
File Characteristics
IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_32BIT_MACHINE
Imports
kernel32
Process32NextW
TerminateProcess
LoadLibraryA
HeapValidate
WriteProcessMemory
WaitForMultipleObjects
OpenMutexA
ReadConsoleInputExW
GetLocaleInfoA
GetConsoleCursorInfo
GetCurrentProcessId
Module32FirstW
FreeEnvironmentStringsW
_llseek
GetSystemTimeAsFileTime
CreateMemoryResourceNotification
VirtualLock
FreeUserPhysicalPages
VirtualAlloc
CreateActCtxW
GetDiskFreeSpaceA
GetDiskFreeSpaceExW
RegisterWaitForInputIdle
GetConsoleAliasExesLengthA
ConnectNamedPipe
SetEndOfFile
DosDateTimeToFileTime
FindNextVolumeMountPointW
GetCommConfig
DelayLoadFailureHook
ResetEvent
InterlockedPopEntrySList
IsBadStringPtrA
FatalExit
GetCommTimeouts
FileTimeToDosDateTime
UTRegister
WaitCommEvent
RtlCaptureStackBackTrace
GlobalHandle
SetEnvironmentVariableA
RemoveLocalAlternateComputerNameA
GetCPInfo
BackupRead
IsProcessInJob
sqlunirl
_GetTextExtentPoint32@16
_CopyFile_@12
_PrivilegedServiceAuditAlarm_@20
_NDdeShareDel_@12
_GetMetaFile_@4
_ReadConsoleInput_@16
_CreateDialogIndirectParam@20
_NDdeIsValidShareName_@4
_GetCharacterPlacement_@24
_GetDefaultCommConfig_@12
_SearchPath_@24
_WriteConsoleInput_@16
_DlgDirSelectComboBoxEx_@16
_GetCharWidthFloat_@16
_ObjectPrivilegeAuditAlarm_@24
_GetDiskFreeSpace_@20
_SHFileOperation_@4
_OpenEventLog_@8
_BeginUpdateResource_@8
_DefineDosDevice_@12
_NDdeSetTrustedShare_@12
_DragQueryFile_@16
_CreateIC_@16
_GetProfileInt_@12
_SetEnvironmentVariable_@8
_GetCurrentHwProfile_@4
_IsCharUpper_@4
_LookupPrivilegeName_@16
_VerQueryValue_@16
_LoadString@16
_ExtractIcon_@12
_DefFrameProc_@20
_GetKeyboardLayoutName_@4
_DefDlgProc_@16
_GetSaveFileName@4
_DialogBoxParam_@20
_StartDoc@8
_GetOpenFileName@4
_RegQueryValueEx_@24
__hwrite_@12
_RegOpenKeyEx_@20
_SetWindowLong@12
msvcp60
?to_int_type@?$char_traits@G@std@@SAGABG@Z
??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@PBDABV10@@Z
?real@?$_Complex_base@M@std@@QAEMABM@Z
_Mbrtowc
??_Ftime_base@std@@QAEXXZ
?append@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAEAAV12@IG@Z
??Hstd@@YA?AV?$complex@N@0@ABNABV10@@Z
?pubsetbuf@?$basic_streambuf@GU?$char_traits@G@std@@@std@@QAEPAV12@PAGH@Z
?infinity@?$numeric_limits@C@std@@SACXZ
?_Init@?$basic_streambuf@DU?$char_traits@D@std@@@std@@IAEXPAPAD0PAH001@Z
_FXbig
?open@?$basic_fstream@DU?$char_traits@D@std@@@std@@QAEXPBDH@Z
??0?$basic_streambuf@GU?$char_traits@G@std@@@std@@IAE@W4_Uninitialized@1@@Z
?compare@?$char_traits@G@std@@SAHPBG0I@Z
??4?$numeric_limits@N@std@@QAEAAV01@ABV01@@Z
??_F?$num_get@DV?$istreambuf_iterator@DU?$char_traits@D@std@@@std@@@std@@QAEXXZ
??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QAEAAV01@K@Z
??_7?$num_get@DV?$istreambuf_iterator@DU?$char_traits@D@std@@@std@@@std@@6B@
?curr_symbol@?$_Mpunct@D@std@@QBE?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@2@XZ
?denorm_min@?$numeric_limits@_N@std@@SA_NXZ
?rdstate@ios_base@std@@QBEHXZ
??_7ios_base@std@@6B@
?isfx@?$basic_istream@GU?$char_traits@G@std@@@std@@QAEXXZ
_FDnorm
??0?$time_put@GV?$ostreambuf_iterator@GU?$char_traits@G@std@@@std@@@std@@QAE@I@Z
?fail@ios_base@std@@QBE_NXZ
?round_error@?$numeric_limits@G@std@@SAGXZ
?quiet_NaN@?$numeric_limits@K@std@@SAKXZ
?pbackfail@?$basic_stringbuf@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@MAEHH@Z
??_F?$ctype@G@std@@QAEXXZ
?osfx@?$basic_ostream@DU?$char_traits@D@std@@@std@@QAEXXZ
?round_error@?$numeric_limits@C@std@@SACXZ
?open@?$basic_filebuf@GU?$char_traits@G@std@@@std@@QAEPAV12@PBDF@Z
??_F?$numpunct@D@std@@QAEXXZ
??0strstream@std@@QAE@PADHH@Z
rtm
RtmGetNetworkCount
RtmDeregisterEntity
MgmRegisterMProtocol
MgmGroupEnumerationGetNext
RtmReleaseNextHops
MgmGetMfe
RtmGetDestInfo
MgmGroupEnumerationStart
MgmGetNextMfe
RtmGetEntityInfo
RtmAddRoute
RtmGetExactMatchRoute
RtmDeregisterClient
NextMatchInTable
MgmGetFirstMfe
RtmIgnoreChangedDests
CreateTable
RtmGetAddressFamilyInfo
RtmGetEnumDests
MgmReleaseInterfaceOwnership
RtmDeleteRouteList
RtmReleaseEntities
EnumOverTable
RtmDeleteEnumHandle
RtmMarkDestForChangeNotification
RtmBlockDeleteRoutes
DestroyTable
RtmCreateEnumerationHandle
MgmGetFirstMfeStats
RtmGetMostSpecificDestination
RtmLockDestination
RtmGetRegisteredEntities
MgmDeInitialize
query
LoadTextFilter
?GetPhysicalPath@CWebServer@@QAEKPBGPAGKK@Z
??0CPropListFile@@QAE@PAVCEmptyPropertyList@@HPBGK@Z
?Empty@CRcovStrmWriteTrans@@QAEXXZ
?DumpWorkId@@YGJPBGKPAEAAK00K@Z
??1?$XPtr@VCDbCmdTreeNode@@@@QAE@XZ
?AddChild@CNodeRestriction@@QAEXPAVCRestriction@@AAI@Z
?GetUserHdrInfo@CIndexTable@@QAEXAAIAAH@Z
?SetProperty@CDbColId@@QAEHPBG@Z
?SetCD@CCatState@@QAEXPBG@Z
??0CGenericCiProxy@@QAE@AAVCSharedNameGen@@KK@Z
?GetVPathAccess@CMetaDataMgr@@QAEKPBG@Z
?IsWaitingForDocument@CFilterDaemon@@QAEHXZ
??0CScopeRestriction@@QAE@PBGHH@Z
?Next@CStaticPropertyList@@UAEPBVCPropEntry@@XZ
?MakePath@CFullPath@@QAEXPBG@Z
?Remove@CSort@@QAEXI@Z
?FPSToPROPID@CPidConverter@@UAEJABVCFullPropSpec@@AAK@Z
?Close@CPipeClient@@IAEXXZ
CollectCIPerformanceData
?QuerySdidLookupTable@CiStorage@@QAEPAVPRcovStorageObj@@K@Z
?RefreshParams@CWorkQueue@@QAEXKK@Z
?Flush@CPropStoreManager@@QAEXXZ
?SetSZParam@CMachineAdmin@@QAEXPBG0K@Z
?SetProperty@CFullPropSpec@@QAEXK@Z
?Release@CEnumWorkid@@UAGKXZ
?AcqLine@CQueryScanner@@QAEPAGH@Z
?SetSecret@@YGXPBG00K@Z
??1?$XPtr@VCDbColumnNode@@@@QAE@XZ
SetupCacheEx
?WritePrimaryProperty@CPropStoreManager@@QAEJKKABVCStorageVariant@@@Z
?GetStringDbRestriction@@YGPAVCDbRestriction@@PBGKPAUIColumnMapper@@K@Z
?_pGlobalPropListFile@CLocalGlobalPropertyList@@0PAVCPropListFile@@A
?Clone@CEnumString@@UAGJPAPAUIEnumString@@@Z
DllCanUnloadNow
?My_wcstoui64@@YA_KPBGPAPAGH@Z
?AccessCheck@CSdidLookupTable@@QAEHKPAXKAAH@Z
??0CQueryScanner@@QAE@PBGHKH@Z
??0CLocalGlobalPropertyList@@QAE@PAVCEmptyPropertyList@@HPBGK@Z
?QueryInterface@CEmptyPropertyList@@UAGJABU_GUID@@PAPAX@Z
?Read@CRegAccess@@QAEPAGPBG0@Z
msvcrt40
??_8iostream@@7Bistream@@@
_wpopen
??5istream@@QAEAAV0@AAD@Z
_mbsdec
_setsystime
strftime
_findfirst
asin
fmod
?ipfx@istream@@QAEHH@Z
??1filebuf@@UAE@XZ
?str@strstream@@QAEPADXZ
??Bios@@QBEPAXXZ
signal
_inpw
??_8istrstream@@7B@
??5istream@@QAEAAV0@AAK@Z
_mtunlock
_safe_fprem1
wcsncmp
??4bad_cast@@QAEAAV0@ABV0@@Z
??_Estdiobuf@@UAEPAXI@Z
??_Dofstream@@QAEXXZ
??_8istream_withassign@@7B@
_lrotr
?open@ifstream@@QAEXPBDHH@Z
_wtempnam
??0strstream@@QAE@ABV0@@Z
??_Gstreambuf@@UAEPAXI@Z
?overflow@stdiobuf@@UAEHH@Z
_fgetwchar
gdi32
GetTextExtentPointA
GetColorSpace
CloseFigure
EnumFontsA
GetDCPenColor
EngFindResource
PolylineTo
SetSystemPaletteUse
SelectClipRgn
EndFormPage
GetCharacterPlacementA
GetRandomRgn
EudcUnloadLinkW
ScaleWindowExtEx
CreateRectRgnIndirect
NamedEscape
GdiGetPageHandle
Escape
GdiStartPageEMF
CreateDiscardableBitmap
SetDIBColorTable
GetWindowExtEx
ExtFloodFill
SetROP2
EngCreateDeviceSurface
DdEntry24
GdiGetCharDimensions
EndPath
EngGetCurrentCodePage
BeginPath
EngReleaseSemaphore
GetAspectRatioFilterEx
advapi32
LsaOpenPolicy
ConvertSecurityDescriptorToAccessA
SystemFunction033
PrivilegedServiceAuditAlarmA
SystemFunction030
ConvertSecurityDescriptorToAccessW
LsaLookupNames2
CancelOverlappedAccess
SystemFunction019
UpdateTraceW
SystemFunction003
AddAce
FindFirstFreeAce
NotifyChangeEventLog
GetMultipleTrusteeOperationA
BuildImpersonateTrusteeW
ConvertStringSecurityDescriptorToSecurityDescriptorA
CryptDuplicateKey
GetAce
ChangeServiceConfig2W
CloseEncryptedFileRaw
CommandLineFromMsiDescriptor
AccessCheck
LsaNtStatusToWinError
GetNamedSecurityInfoExA
RegCloseKey
msvcrt20
?getline@istream@@QAEAAV1@PAEHD@Z
_ismbblead
_chmod
iswupper
_c_exit
_execle
fwrite
??_Dostream_withassign@@QAEXXZ
strrchr
__wgetmainargs
??_Eofstream@@UAEPAXI@Z
??0streambuf@@IAE@PADH@Z
_local_unwind2
??_7istrstream@@6B@
?binary@filebuf@@2HB
_matherr
ftell
strspn
??_Gfstream@@UAEPAXI@Z
_wspawnve
_chgsign
??4stdiostream@@QAEAAV0@AAV0@@Z
??4ostream_withassign@@QAEAAV0@ABV0@@Z
iswspace
??0Iostream_init@@QAE@AAVios@@H@Z
_tcscspn
_mbsspnp
??0iostream@@QAE@PAVstreambuf@@@Z
?isfx@istream@@QAEXXZ
_ismbcl2
raise
iswcntrl
_wspawnle
_initterm
_wgetenv
_getmbcp
ntdll
RtlNewSecurityObjectEx
ZwSetUuidSeed
NtQueryPortInformationProcess
ZwOpenSemaphore
_aullshr
NtQueryIntervalProfile
RtlCreateTimerQueue
KiUserExceptionDispatcher
RtlUnicodeToMultiByteSize
ZwOpenProcess
RtlCreateSystemVolumeInformationFolder
RtlEqualDomainName
NtSetSystemPowerState
RtlLargeIntegerAdd
ZwSetHighWaitLowEventPair
ZwImpersonateAnonymousToken
NtIsProcessInJob
NtSetTimerResolution
NtQueryInformationAtom
NtSetBootOptions
NtSetUuidSeed
RtlSubAuthorityCountSid
_allshr
iswspace
RtlAddActionToRXact
RtlDeactivateActivationContext
RtlEnumerateGenericTable
NtQuerySystemEnvironmentValueEx
RtlRealPredecessor
Sections
.text Size: 26KB - Virtual size: 26KB
IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ
.rdata Size: 208KB - Virtual size: 208KB
IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
.data Size: 588KB - Virtual size: 1.9MB (the mapped size is far larger than the raw size on disk; the difference is space the loader maps but that is not backed by file data)
IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE
.tls Size: 512B - Virtual size: 4B
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE
.rsrc Size: 6KB - Virtual size: 6KB
IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
.reloc Size: 512B - Virtual size: 360B
IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ