4d8586dc68863e5d48d76295e3121cc3_JaffaCakes118 | Triage

Sharing

Copy URL Twitter E-mail

General

Target

4d8586dc68863e5d48d76295e3121cc3_JaffaCakes118
Size

2.8MB
MD5

4d8586dc68863e5d48d76295e3121cc3
SHA1

bf4a1a2198581351a5fe964eddaf879f8e68e604
SHA256

1852175896eb5ce47fdc0f01658f0decf35f6d5806c3523f0966ff41681f9eef
SHA512

beab23c7eaaa51726acaa7ad8284f6bddb027e3c79df7804f65aa116aab69711c6759b2c3ff8e58f34f9a0778a099e730874135a9d5c2912844c8b899b8f4c51
SSDEEP

49152:K2PIJHADJ4Bq+gNxQbdmV8P5c/kHorLsUvH1T7eqJsMxGsHvOCSDKGXxTyHP2X5Q:HHJ4Dg58htH8LJ137JpxzHvOC+BTyHuW

Score

7^/10

themida

Malware Config

Signatures

Themida packer 1 IoCs

Detects Themida, an advanced Windows software protection system.

resource	yara_rule
static1/unpack001/XolessumStory.exe	themida

Unsigned PE 1 IoCs

Checks for missing Authenticode signature.

resource
unpack001/XolessumStory.exe

Files

4d8586dc68863e5d48d76295e3121cc3_JaffaCakes118
.rar
XolessumStory.exe
.exe windows:4 windows x86 arch:x86

Headers

File Characteristics

IMAGE_FILE_RELOCS_STRIPPED
IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LINE_NUMS_STRIPPED
IMAGE_FILE_LOCAL_SYMS_STRIPPED
IMAGE_FILE_32BIT_MACHINE

Exports

Exports

ZtlTaskMemAllocImp
ZtlTaskMemFreeImp
ZtlTaskMemReallocImp

Sections

Size: 5.5MB - Virtual size: 5.5MB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.rsrc
Size: 548KB - Virtual size: 548KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.idata
Size: 4KB - Virtual size: 4KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

Themida
Size: 1.5MB - Virtual size: 1.5MB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.mackt
Size: 8KB - Virtual size: 8KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE