47b8f724961e360ad97be6f784b6c839_JaffaCakes118

Sharing

Copy URL Twitter E-mail

General

Target

47b8f724961e360ad97be6f784b6c839_JaffaCakes118
Size

445KB
MD5

47b8f724961e360ad97be6f784b6c839
SHA1

a115d89aa6055c52219dddd64784e5bc04d2c013
SHA256

7b8def13d3c50b13a505ea19e0617dd7354637eb12910d4489959b0daff421a4
SHA512

1c295782252367aa9207e737c3398064d5b46f55714a120c3cda8080418aee669db33ce70423a8f99d8bb237f5a2173077f1e96fc751fb4c1e8442d065c85726
SSDEEP

6144:MrTe8uajxHZEKTHAJiKXi4LE4wxHObJ2LG24z/3nZr26tVrl/tg5o8jOcfDvecdX:YjrBtKy4LE4wxubJ2Li73ZpjgRdKWQ

Score

3^/10

Malware Config

Signatures

Unsigned PE 1 IoCs

Checks for missing Authenticode signature.

resource
47b8f724961e360ad97be6f784b6c839_JaffaCakes118

Files

47b8f724961e360ad97be6f784b6c839_JaffaCakes118
.dll windows:5 windows x86 arch:x86

ee0a569e0e9c1ee5970dd8eb5e465c36

Headers

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_32BIT_MACHINE
IMAGE_FILE_DLL

PDB Paths

G:\eFddorwiNniw\WtzDFFZZbgSa\LjLIryzmye\Znpugsirqd\jecxDEbOmwD.pdb

Imports

ntoskrnl.exe

SeCreateClientSecurity
IoWritePartitionTableEx
RtlSecondsSince1980ToTime
KeWaitForMultipleObjects
ZwCreateFile
RtlAnsiCharToUnicodeChar
RtlFreeUnicodeString
RtlSetAllBits
ZwClose
KeInsertHeadQueue
RtlSecondsSince1970ToTime
IofCallDriver
KeFlushQueuedDpcs
IoThreadToProcess
ZwCreateEvent
ExFreePoolWithTag
RtlAddAccessAllowedAceEx
PsLookupThreadByThreadId
MmUnlockPages
CcMdlReadComplete
WmiQueryTraceInformation
ZwOpenSection
RtlLengthSecurityDescriptor
IoGetDeviceProperty
FsRtlNotifyInitializeSync
ExQueueWorkItem
ExRaiseAccessViolation
MmMapIoSpace
MmGetSystemRoutineAddress
PsGetCurrentThreadId
MmBuildMdlForNonPagedPool
CcSetDirtyPinnedData
KeRemoveEntryDeviceQueue
IoBuildPartialMdl
IoGetDeviceInterfaces
ZwNotifyChangeKey
IoWMIWriteEvent
PsGetCurrentProcess
KeSynchronizeExecution
ZwQueryInformationFile
KeUnstackDetachProcess
ZwFlushKey
PsGetCurrentThread
IoInvalidateDeviceState
RtlNtStatusToDosError
IoInitializeTimer
RtlTimeToSecondsSince1970
RtlEnumerateGenericTable
IoCreateDisk
MmFlushImageSection
IoIsSystemThread
PsIsThreadTerminating
IoCreateSynchronizationEvent
IoBuildSynchronousFsdRequest
IoGetRelatedDeviceObject
PsLookupProcessByProcessId
KeBugCheckEx
IoReleaseCancelSpinLock
CcCanIWrite
SeImpersonateClientEx
ExUuidCreate
ZwSetValueKey
RtlHashUnicodeString
FsRtlLookupLastLargeMcbEntry
CcMdlWriteComplete
KeInsertByKeyDeviceQueue
CcUnpinRepinnedBcb
RtlAnsiStringToUnicodeString
IoVerifyVolume
PsReferencePrimaryToken
PoUnregisterSystemState
IoInvalidateDeviceRelations
KeAttachProcess
CcSetBcbOwnerPointer
RtlCopyUnicodeString
CcPurgeCacheSection
ZwQueryValueKey
RtlFindClearRuns
KeRemoveByKeyDeviceQueue
ProbeForWrite
RtlLengthSid
ZwPowerInformation
IoReportResourceForDetection
IoGetLowerDeviceObject
IoGetDeviceObjectPointer
SeReleaseSubjectContext
RtlInt64ToUnicodeString
IoGetRequestorProcessId
RtlAreBitsClear
MmUnlockPagableImageSection
IoCsqRemoveIrp
ObCreateObject
RtlFindNextForwardRunClear
IoStopTimer
FsRtlIsDbcsInExpression
CcZeroData
ZwQueryObject
IoAcquireRemoveLockEx
ExReleaseFastMutexUnsafe
CcPinRead
MmMapLockedPages
IoAllocateController
IoCreateSymbolicLink
ExAllocatePool
IoReleaseRemoveLockEx
RtlFillMemoryUlong
MmUnsecureVirtualMemory
CcPreparePinWrite
IoRaiseHardError
CcIsThereDirtyData
IoSetShareAccess
ZwOpenKey
MmLockPagableSectionByHandle
RtlVerifyVersionInfo
RtlUnicodeToOemN
MmFreePagesFromMdl
RtlPrefixUnicodeString
IoAllocateWorkItem
RtlGetCallersAddress
ZwOpenFile
MmAllocateMappingAddress
CcUninitializeCacheMap
IofCompleteRequest
MmUnmapReservedMapping
SeDeleteObjectAuditAlarm
SeSinglePrivilegeCheck
MmAllocateContiguousMemory
SeDeassignSecurity
RtlFindClearBitsAndSet
IoEnumerateDeviceObjectList
IoFreeController
RtlLengthRequiredSid
IoCreateFile
RtlMultiByteToUnicodeN
MmAllocateNonCachedMemory
SeUnlockSubjectContext
RtlCompareString
RtlValidSecurityDescriptor
IoSetTopLevelIrp
RtlSubAuthoritySid
FsRtlIsHpfsDbcsLegal
KeDelayExecutionThread
PoRegisterSystemState
RtlCreateSecurityDescriptor
KeReleaseSemaphore
IoSetSystemPartition
KeSaveFloatingPointState
CcMdlRead
ZwFsControlFile
IoFreeWorkItem
IoGetDmaAdapter
RtlUpcaseUnicodeChar
KeInitializeDeviceQueue
SeSetSecurityDescriptorInfo
RtlDeleteNoSplay
KeRegisterBugCheckCallback
ZwOpenSymbolicLinkObject
SeQueryInformationToken
RtlCompareMemory
IoAllocateErrorLogEntry
RtlInitAnsiString
FsRtlAllocateFileLock
KeEnterCriticalRegion
IoVolumeDeviceToDosName
IoSetStartIoAttributes
IoCreateStreamFileObjectLite
RtlAreBitsSet
FsRtlCheckLockForReadAccess
RtlEqualSid
PsChargeProcessPoolQuota
IoCheckQuotaBufferValidity
RtlIsNameLegalDOS8Dot3
KeSetTimer
MmHighestUserAddress
RtlInitString
IoDetachDevice
IoCreateStreamFileObject
ExGetPreviousMode
RtlTimeToTimeFields
MmQuerySystemSize
ZwCreateKey
CcMapData
MmProbeAndLockPages
ExIsProcessorFeaturePresent
RtlRandom
IoAllocateAdapterChannel
KeRemoveDeviceQueue
FsRtlGetNextFileLock
RtlEqualUnicodeString
RtlFindUnicodePrefix
KeQuerySystemTime
RtlSplay
RtlTimeToSecondsSince1980
IoGetRequestorProcess
RtlFindClearBits
KeDeregisterBugCheckCallback
IoCancelIrp
RtlCopyString
PsGetThreadProcessId
KeSetKernelStackSwapEnable
CcRemapBcb
IoGetBootDiskInformation
ObReferenceObjectByHandle
FsRtlMdlWriteCompleteDev
PsGetProcessExitTime
ZwLoadDriver
KeLeaveCriticalRegion
IoGetAttachedDeviceReference
IoQueryFileInformation
RtlFindMostSignificantBit
IoRemoveShareAccess
CcUnpinData
KeQueryInterruptTime
RtlxUnicodeStringToAnsiSize
HalExamineMBR
RtlUnicodeStringToInteger
VerSetConditionMask
KeInitializeMutex
KeInitializeApc
ObfDereferenceObject
IoCheckEaBufferValidity
ExRaiseDatatypeMisalignment
RtlxOemStringToUnicodeSize
RtlCharToInteger
IoUpdateShareAccess
ExFreePool
ZwAllocateVirtualMemory
CcDeferWrite
IoDeviceObjectType
ProbeForRead
KdEnableDebugger
IoReadPartitionTableEx
ExSetResourceOwnerPointer
KeSetBasePriorityThread
SeAccessCheck
IoAllocateMdl
RtlUpcaseUnicodeToOemN
SeFreePrivileges
KeReadStateMutex
KeSetEvent
ZwOpenProcess
KeInsertDeviceQueue
RtlClearBits
PoSetPowerState
ObMakeTemporaryObject
FsRtlFastUnlockSingle
KeStackAttachProcess
ZwCreateDirectoryObject
IoDeleteDevice
MmIsDriverVerifying
ObOpenObjectByPointer
ExCreateCallback
ZwEnumerateValueKey
FsRtlCheckLockForWriteAccess
RtlDeleteElementGenericTable
IoGetCurrentProcess
RtlVolumeDeviceToDosName
KeSetSystemAffinityThread
RtlFreeOemString
IoConnectInterrupt
RtlDelete
RtlUpperString
RtlDowncaseUnicodeString

Exports

Exports

?FindListItemA@@YGFHFFPAM@Z
?CloseWindowInfoOld@@YGID@Z
?IncrementOptionOld@@YGPADMIJI@Z
?KillThread@@YGJGPAJ@Z
?GetMemoryExA@@YGEG@Z
?DecrementDialogOriginal@@YGPAX_NIJ@Z
?InsertFolderExA@@YGFHPAEG@Z
?HideDataW@@YGGPAEHIE@Z
?SetWindowW@@YGPAHPANPAG@Z
?CloseArgumentW@@YGEPAMPAF@Z
?HideFileOld@@YGJHE@Z
?GenerateAnchorOld@@YGGDPADEH@Z
?SetWindowInfoExW@@YGPAFGEJPAM@Z
?IsFilePathNew@@YGPAKFJ@Z
?CallSystemOriginal@@YGXIJ@Z
?FormatProviderNew@@YGJPAKKE@Z
?IsTextNew@@YGIJPAKIPAM@Z
?HideArgumentW@@YGPAFPADK@Z
?RtlFileA@@YGXG@Z
?CancelStringOriginal@@YGMHPAI@Z
?KillDateTimeEx@@YGPAED@Z
?ValidateSemaphoreOriginal@@YGXPAJ@Z
?DecrementCharEx@@YGKPADPAGIJ@Z
?OnKeyNameOriginal@@YGPAFGPAND@Z
?CopyModuleW@@YGPAJNE@Z
?PutFolderExW@@YGEHPA_NDPAN@Z
?InvalidateFunctionEx@@YGPADK@Z
?ModifyMutantEx@@YGKGHJ@Z
?CancelCharA@@YGJPAIIPAH_N@Z
?InvalidateWindowInfoOriginal@@YGPAEJH@Z
?AddWindowInfoExW@@YGPAX_N@Z
?LoadClassExW@@YGXPAIJI@Z
?GlobalMutantOriginal@@YGGE@Z
?ShowListOld@@YGXDMPAI@Z

Sections

.text
Size: 24KB - Virtual size: 50KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.i_data
Size: 1KB - Virtual size: 1KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.e_data
Size: 1KB - Virtual size: 1KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.hostc
Size: 512B - Virtual size: 28B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.hosta
Size: 512B - Virtual size: 44B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.hostb
Size: 512B - Virtual size: 44B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.hostd
Size: 512B - Virtual size: 348B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.data
Size: 28KB - Virtual size: 27KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.rsrc
Size: 512B - Virtual size: 16B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.reloc
Size: 1024B - Virtual size: 648B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ

Sharing

General

Malware Config

Signatures

Files

ee0a569e0e9c1ee5970dd8eb5e465c36

Headers

File Characteristics

PDB Paths

Imports

ntoskrnl.exe

Exports

Exports

Sections

.text Size: 24KB - Virtual size: 50KB

.i_data Size: 1KB - Virtual size: 1KB

.e_data Size: 1KB - Virtual size: 1KB

.hostc Size: 512B - Virtual size: 28B

.hosta Size: 512B - Virtual size: 44B

.hostb Size: 512B - Virtual size: 44B

.hostd Size: 512B - Virtual size: 348B

.data Size: 28KB - Virtual size: 27KB

.rsrc Size: 512B - Virtual size: 16B

.reloc Size: 1024B - Virtual size: 648B

.text
Size: 24KB - Virtual size: 50KB

.i_data
Size: 1KB - Virtual size: 1KB

.e_data
Size: 1KB - Virtual size: 1KB

.hostc
Size: 512B - Virtual size: 28B

.hosta
Size: 512B - Virtual size: 44B

.hostb
Size: 512B - Virtual size: 44B

.hostd
Size: 512B - Virtual size: 348B

.data
Size: 28KB - Virtual size: 27KB

.rsrc
Size: 512B - Virtual size: 16B

.reloc
Size: 1024B - Virtual size: 648B