49f4ccb6a0aa1ba5c04be9e31789c11d_JaffaCakes118

Sharing

Copy URL Twitter E-mail

General

Target

49f4ccb6a0aa1ba5c04be9e31789c11d_JaffaCakes118
Size

47KB
MD5

49f4ccb6a0aa1ba5c04be9e31789c11d
SHA1

01f3c56eaba88306fb77bef278ee8fb1d926506b
SHA256

ca46a4f80540547096aeb95cd860312a90468ede81002495130d399e1426216c
SHA512

0bfb2acfd29236f78a8ffe1cc1b1ddadbeb9f17e9f5300ea40ee0391ea17b32bf85c2c22214fc1d4961e8265ac38d8c7e436638617cb8de6a41e4c1dd8df9064
SSDEEP

768:Q+JdoKn4h5ZD0CM4GTLc1pjUlpszoPkN9pw6+7Cj3u6zkJ93OVNc:QaMbD7M4GTY1CvooQ9pCOjZzkjOV

Score

3^/10

Malware Config

Signatures

Unsigned PE 1 IoCs

Checks for missing Authenticode signature.

resource
49f4ccb6a0aa1ba5c04be9e31789c11d_JaffaCakes118

Files

49f4ccb6a0aa1ba5c04be9e31789c11d_JaffaCakes118
.sys windows:6 windows x86 arch:x86

3b0547014c1d54c182732fe361ffe164

Headers

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_32BIT_MACHINE

PDB Paths

c:\docume~1\usuario\desktop\e!_uce\e!_uce\edrive~1\objfre_wxp_x86\i386\ajax.pdb

Imports

ntoskrnl.exe

PsSetCreateProcessNotifyRoutine
MmGetSystemRoutineAddress
RtlInitUnicodeString
ZwClose
IoAllocateWorkItem
IoCreateSymbolicLink
IoCreateDevice
ZwQueryValueKey
ExAllocatePool
ZwOpenKey
RtlAppendUnicodeToString
KeQueryActiveProcessors
KeGetCurrentThread
KeDelayExecutionThread
KeInsertQueueApc
KeInitializeApc
ZwOpenThread
KeDetachProcess
ZwAllocateVirtualMemory
KeAttachProcess
PsSetCreateThreadNotifyRoutine
ZwUnmapViewOfSection
ZwMapViewOfSection
ZwOpenSection
MmGetPhysicalAddress
KeUnstackDetachProcess
IoDeleteDevice
ObReferenceObjectByHandle
ObOpenObjectByPointer
PsProcessType
ObfDereferenceObject
PsLookupProcessByProcessId
memset
memcpy
PsLookupThreadByThreadId
KeWaitForSingleObject
KeReleaseSemaphore
KeClearEvent
KeSetEvent
KeInitializeEvent
_allmul
PsGetCurrentThreadId
PsGetCurrentProcessId
MmAllocateContiguousMemory
ZwWaitForSingleObject
ZwReadFile
ZwQueryInformationFile
ZwCreateFile
KeTickCount
KeBugCheckEx
IoDeleteSymbolicLink
ExFreePoolWithTag
IofCompleteRequest
KeStackAttachProcess
DbgPrint
RtlUnwind

hal

KeGetCurrentIrql
KfAcquireSpinLock
KfReleaseSpinLock
KfRaiseIrql

Sections

.text
Size: 26KB - Virtual size: 26KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rdata
Size: 896B - Virtual size: 812B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.data
Size: 14KB - Virtual size: 14KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

INIT
Size: 1KB - Virtual size: 1KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.reloc
Size: 2KB - Virtual size: 2KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ

Sharing

General

Malware Config

Signatures

Files

3b0547014c1d54c182732fe361ffe164

Headers

File Characteristics

PDB Paths

Imports

ntoskrnl.exe

hal

Sections

.text Size: 26KB - Virtual size: 26KB

.rdata Size: 896B - Virtual size: 812B

.data Size: 14KB - Virtual size: 14KB

INIT Size: 1KB - Virtual size: 1KB

.reloc Size: 2KB - Virtual size: 2KB

.text
Size: 26KB - Virtual size: 26KB

.rdata
Size: 896B - Virtual size: 812B

.data
Size: 14KB - Virtual size: 14KB

INIT
Size: 1KB - Virtual size: 1KB

.reloc
Size: 2KB - Virtual size: 2KB