492f546ac10f3b7835aaab56492088f8_JaffaCakes118

General

Target

492f546ac10f3b7835aaab56492088f8_JaffaCakes118
Size

56KB
MD5

492f546ac10f3b7835aaab56492088f8
SHA1

3f1d50f02341a78eb4c7ef019ee2b9cbc5548866
SHA256

4f5772c12325592986030c9ad562ea53119292605f488f1e135d10fd3b78c319
SHA512

26ac0675737275a07d20fb57464fc10e605d0df66aae9a2e3d119a0280c2e285cca61cb1265be417561b463884c9cfb323527912baf3a5442e8df1c4d90f2da1
SSDEEP

1536:+oq9Mdmw0zs2K6CYgqsUCUoOqcmdP3Xpc:+GmzgqopPJc

Score

7^/10

vmprotect

Malware Config

Signatures

VMProtect packed file 1 IoCs

Detects executables packed with VMProtect commercial packer.

vmprotect

resource	yara_rule
sample	vmprotect

Unsigned PE 1 IoCs

Checks for missing Authenticode signature.

resource
492f546ac10f3b7835aaab56492088f8_JaffaCakes118

Files

492f546ac10f3b7835aaab56492088f8_JaffaCakes118
.sys windows:5 windows x86 arch:x86

d86d89738c9bf2d73d51bd3c13a060d3

Headers

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_32BIT_MACHINE

Imports

ntoskrnl.exe

ExAllocatePoolWithTag
ZwReadFile
ExGetPreviousMode
RtlUnicodeStringToAnsiString
ZwSetValueKey
ZwSaveKey
KeDelayExecutionThread
ZwCreateFile
PsCreateSystemThread
ZwQueryValueKey
ZwQueryDirectoryFile
ZwDeleteFile
ZwQueryInformationProcess
ZwCreateSection
ZwQueryInformationFile
ZwDeleteKey
DbgPrint
ZwEnumerateKey
ExFreePoolWithTag
ZwWriteFile
wcslen
KeDetachProcess
IoGetCurrentProcess
MmMapViewOfSection
ObReferenceObjectByHandle
KeAttachProcess
ZwOpenProcess
KeServiceDescriptorTable
PsGetCurrentProcessId
MmIsAddressValid
ObfDereferenceObject
MmSectionObjectType
ZwOpenKey
MmUnmapViewOfSection
ObQueryNameString
RtlCompareUnicodeString
ZwClose
IoCreateFile
_wcsnicmp
RtlInitUnicodeString
_except_handler3

Sections

.text
Size: 9KB - Virtual size: 9KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.data
Size: 22KB - Virtual size: 21KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

INIT
Size: 1KB - Virtual size: 1KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.vmp0
Size: 1024B - Virtual size: 750B

IMAGE_SCN_CNT_CODE
IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.vmp1
Size: 20KB - Virtual size: 20KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.reloc
Size: 512B - Virtual size: 448B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ

Sharing

General

Malware Config

Signatures

Files

d86d89738c9bf2d73d51bd3c13a060d3

Headers

File Characteristics

Imports

ntoskrnl.exe

Sections

.text Size: 9KB - Virtual size: 9KB

.data Size: 22KB - Virtual size: 21KB

INIT Size: 1KB - Virtual size: 1KB

.vmp0 Size: 1024B - Virtual size: 750B

.vmp1 Size: 20KB - Virtual size: 20KB

.reloc Size: 512B - Virtual size: 448B

.text
Size: 9KB - Virtual size: 9KB

.data
Size: 22KB - Virtual size: 21KB

INIT
Size: 1KB - Virtual size: 1KB

.vmp0
Size: 1024B - Virtual size: 750B

.vmp1
Size: 20KB - Virtual size: 20KB

.reloc
Size: 512B - Virtual size: 448B