General
-
Target
64d39a9bb494a51370ab166324dbd1c5_JaffaCakes118
-
Size
848KB
-
MD5
64d39a9bb494a51370ab166324dbd1c5
-
SHA1
5851acbf85e7c0e8a14dd393e5b5c8935ac762c3
-
SHA256
365db2fd042f8c8afd96eef809b7f3b6fff7d37083f5ab1b1dada98689381c2b
-
SHA512
925132a9553736f5e4284be4870fc14bc457e6fc581229f0af2550f52717c8bc374bb523ed714b4f9b3f2fac2e4731cb5f5d857a0ac08747c6c4a39e17fa3469
-
SSDEEP
24576:0hCO6H5OE+3VER9CbUzvBQWvT+Y3nZV05:0kOyOnlER9CbY+AZi5
Malware Config
Signatures
-
resource yara_rule sample vmprotect -
Unsigned PE 1 IoCs
Checks for missing Authenticode signature.
resource 64d39a9bb494a51370ab166324dbd1c5_JaffaCakes118
Files
-
64d39a9bb494a51370ab166324dbd1c5_JaffaCakes118.sys windows:5 windows x86 arch:x86
dfd27743774d1d7dad3daf28d4bfcb1b
Headers
File Characteristics
IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_32BIT_MACHINE
Imports
ntoskrnl.exe
MmMapIoSpace
MmGetPhysicalAddress
IoDeleteSymbolicLink
IoDeleteDevice
IoCreateSymbolicLink
IoCreateDevice
KeGetCurrentThread
IofCompleteRequest
RtlAssert
KeDelayExecutionThread
KeSetPriorityThread
MmUnmapIoSpace
KeInitializeEvent
memset
IoAttachDeviceToDeviceStack
ObfDereferenceObject
ObReferenceObjectByName
IoDriverObjectType
IoDetachDevice
_except_handler3
PoCallDriver
PoStartNextPowerIrp
IofCallDriver
memcpy
ZwSetInformationFile
ZwFsControlFile
ZwCreateFile
RtlInitUnicodeString
IoRegisterBootDriverReinitialization
KeSetEvent
KeWaitForSingleObject
ZwWriteFile
ZwReadFile
ExAllocatePoolWithTag
ExAllocatePool
ExfInterlockedRemoveHeadList
PsTerminateSystemThread
ZwClose
ObReferenceObjectByHandle
PsCreateSystemThread
IoFreeIrp
IoBuildAsynchronousFsdRequest
_allmul
IoVolumeDeviceToDosName
_alldiv
ExfInterlockedInsertTailList
IoGetCurrentProcess
PsGetVersion
KeUnstackDetachProcess
KeStackAttachProcess
PsLookupProcessByProcessId
RtlAppendUnicodeToString
wcslen
RtlFreeUnicodeString
RtlAppendUnicodeStringToString
RtlAnsiStringToUnicodeString
RtlInitAnsiString
DbgPrint
PsGetCurrentThreadId
PsGetCurrentProcessId
ZwQuerySystemInformation
RtlCompareString
strncpy
strlen
MmGetSystemRoutineAddress
ZwUnmapViewOfSection
ZwMapViewOfSection
ZwCreateSection
strcpy
KeInitializeApc
KeInsertQueueApc
MmMapLockedPagesSpecifyCache
ExFreePoolWithTag
IoAllocateMdl
MmProbeAndLockPages
MmMapLockedPagesSpecifyCache
MmUnlockPages
IoFreeMdl
ExAllocatePool
ExFreePool
NtQuerySystemInformation
hal
KfLowerIrql
KfRaiseIrql
KeGetCurrentIrql
HalMakeBeep
Sections
.text Size: - Virtual size: 19KB
IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ
.rdata Size: - Virtual size: 460B
IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
.data Size: - Virtual size: 1KB
IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE
INIT Size: - Virtual size: 1KB
IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE
.vmp0 Size: - Virtual size: 1KB
IMAGE_SCN_CNT_CODE
IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ
.vmp1 Size: - Virtual size: 746KB
IMAGE_SCN_CNT_CODE
IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ
.vmp2 Size: 833KB - Virtual size: 833KB
IMAGE_SCN_CNT_CODE
IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE
.reloc Size: 512B - Virtual size: 168B
IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ