4b380d8d7a6bfab3eda17640bfc4fee3_JaffaCakes118

General

Target

4b380d8d7a6bfab3eda17640bfc4fee3_JaffaCakes118
Size

56KB
MD5

4b380d8d7a6bfab3eda17640bfc4fee3
SHA1

7092c11fff60ffc5cdea59758caf411447257734
SHA256

de0ad054684d60b263d19d103b496c3898bd78375d11301d345045da1a89b34d
SHA512

dda5b9aae247fb52228e87ceea02bedc9e5f7402dbbe6d8d681c934407f1d5019ae13c510381a92cd762fa4eeea3f3c02e7b8b4fad6afd698cff86af11e9d389
SSDEEP

1536:Yoq9Mdmw0zs2K6CYgqsUCUsOqcmdP3Xpc:YGmzgqspPJc

Score

7^/10

vmprotect

Malware Config

Signatures

VMProtect packed file 1 IoCs

Detects executables packed with VMProtect commercial packer.

vmprotect

resource	yara_rule
sample	vmprotect

Unsigned PE 1 IoCs

Checks for missing Authenticode signature.

resource
4b380d8d7a6bfab3eda17640bfc4fee3_JaffaCakes118

Files

4b380d8d7a6bfab3eda17640bfc4fee3_JaffaCakes118
.sys windows:5 windows x86 arch:x86

d86d89738c9bf2d73d51bd3c13a060d3

Headers

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_32BIT_MACHINE

Imports

ntoskrnl.exe

ExAllocatePoolWithTag
ZwReadFile
ExGetPreviousMode
RtlUnicodeStringToAnsiString
ZwSetValueKey
ZwSaveKey
KeDelayExecutionThread
ZwCreateFile
PsCreateSystemThread
ZwQueryValueKey
ZwQueryDirectoryFile
ZwDeleteFile
ZwQueryInformationProcess
ZwCreateSection
ZwQueryInformationFile
ZwDeleteKey
DbgPrint
ZwEnumerateKey
ExFreePoolWithTag
ZwWriteFile
wcslen
KeDetachProcess
IoGetCurrentProcess
MmMapViewOfSection
ObReferenceObjectByHandle
KeAttachProcess
ZwOpenProcess
KeServiceDescriptorTable
PsGetCurrentProcessId
MmIsAddressValid
ObfDereferenceObject
MmSectionObjectType
ZwOpenKey
MmUnmapViewOfSection
ObQueryNameString
RtlCompareUnicodeString
ZwClose
IoCreateFile
_wcsnicmp
RtlInitUnicodeString
_except_handler3

Sections

.text
Size: 9KB - Virtual size: 9KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.data
Size: 22KB - Virtual size: 21KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

INIT
Size: 1KB - Virtual size: 1KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.vmp0
Size: 1024B - Virtual size: 750B

IMAGE_SCN_CNT_CODE
IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.vmp1
Size: 20KB - Virtual size: 20KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.reloc
Size: 512B - Virtual size: 448B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ

Sharing

General

Malware Config

Signatures

Files

d86d89738c9bf2d73d51bd3c13a060d3

Headers

File Characteristics

Imports

ntoskrnl.exe

Sections

.text Size: 9KB - Virtual size: 9KB

.data Size: 22KB - Virtual size: 21KB

INIT Size: 1KB - Virtual size: 1KB

.vmp0 Size: 1024B - Virtual size: 750B

.vmp1 Size: 20KB - Virtual size: 20KB

.reloc Size: 512B - Virtual size: 448B

.text
Size: 9KB - Virtual size: 9KB

.data
Size: 22KB - Virtual size: 21KB

INIT
Size: 1KB - Virtual size: 1KB

.vmp0
Size: 1024B - Virtual size: 750B

.vmp1
Size: 20KB - Virtual size: 20KB

.reloc
Size: 512B - Virtual size: 448B