6a84f185b902b8fc97c139f096c1fd33_JaffaCakes118

Sharing

Copy URL Twitter E-mail

General

Target

6a84f185b902b8fc97c139f096c1fd33_JaffaCakes118
Size

175KB
MD5

6a84f185b902b8fc97c139f096c1fd33
SHA1

3d9b3970cae258d1af295186f045338fc3cdbe20
SHA256

5edd9e5338291dda1b4bba7ba5c6e7c7698568ba411ef3c0972bf96a48308dd0
SHA512

711e3132ee28db5f2b7281392cb73a829c142483a73c5322cf974e60fa354dadad6fe02cf45fef4231964fa30bccb9f52815e3fd1a1267f5a2aa569e217ab39e
SSDEEP

3072:ABzdo+mLFyFTYvatoroaaYJzzQQzX66UNxyjZNIwEtyBYAYI+AUmdWcGl:AJdo+mLa8NrZzfzKtN0ut1kg/

Score

1^/10

Malware Config

Signatures

Files

6a84f185b902b8fc97c139f096c1fd33_JaffaCakes118
.sys windows:5 windows x64 arch:x64

459cbc65ecc01f1e1552b1b576aa3f8e

Code Sign

04:00:00:00:00:01:1e:44:a5:e2:4e
Certificate

Issuer

CN=GlobalSign Root CA,OU=Root CA,O=GlobalSign nv-sa,C=BE

Not Before

28/01/1999, 13:00

Not After

27/01/2017, 12:00

Subject

CN=GlobalSign Primary Object Publishing CA,OU=Primary Object Publishing CA,O=GlobalSign nv-sa,C=BE

Key Usages

KeyUsageCertSign
KeyUsageCRLSign

04:00:00:00:00:01:1e:44:a5:ec:be
Certificate

Issuer

CN=GlobalSign Primary Object Publishing CA,OU=Primary Object Publishing CA,O=GlobalSign nv-sa,C=BE

Not Before

22/01/2004, 10:00

Not After

27/01/2017, 11:00

Subject

CN=GlobalSign ObjectSign CA,OU=ObjectSign CA,O=GlobalSign nv-sa,C=BE

Key Usages

KeyUsageCertSign
KeyUsageCRLSign

01:00:00:00:00:01:2a:38:84:8f:ca
Certificate

Issuer

CN=GlobalSign ObjectSign CA,OU=ObjectSign CA,O=GlobalSign nv-sa,C=BE

Not Before

03/08/2010, 14:15

Not After

11/10/2011, 15:28

Subject

CN=Datpol Janusz Siemienowicz,OU=Datpol Janusz Siemienowicz,O=Datpol Janusz Siemienowicz,L=Olkusz,ST=malopolskie,C=PL

Extended Key Usages

ExtKeyUsageCodeSigning

Key Usages

KeyUsageDigitalSignature

61:0b:7f:6b:00:00:00:00:00:19
Certificate

Issuer

CN=Microsoft Code Verification Root,O=Microsoft Corporation,L=Redmond,ST=Washington,C=US

Not Before

23/05/2006, 17:00

Not After

23/05/2016, 17:10

Subject

CN=GlobalSign Root CA,OU=Root CA,O=GlobalSign nv-sa,C=BE

Key Usages

KeyUsageDigitalSignature
KeyUsageCertSign
KeyUsageCRLSign

d7:b0:9a:76:78:65:84:0a:30:78:c1:18:f1:1c:28:4f:49:8c:c5:12
Signer

Actual PE Digest

d7:b0:9a:76:78:65:84:0a:30:78:c1:18:f1:1c:28:4f:49:8c:c5:12

Digest Algorithm

sha1

PE Digest Matches

true

Headers

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LARGE_ADDRESS_AWARE

Imports

ntoskrnl.exe

PsGetVersion
PsGetCurrentThreadId
PsGetCurrentProcessId
__C_specific_handler
ProbeForWrite
KeDelayExecutionThread
ProbeForRead
_wcsnicmp
_stricmp
RtlDeleteRegistryValue
strstr
strrchr
strncpy
_strnicmp
PsDereferencePrimaryToken
RtlEqualSid
SeQueryInformationToken
PsReferencePrimaryToken
PsSetCreateProcessNotifyRoutine
RtlInitUnicodeString
IofCompleteRequest
__chkstk
IoCreateSymbolicLink
IoCreateDevice
PsSetLoadImageNotifyRoutine
ZwQueryInformationThread
ExReleaseFastMutex
ExAcquireFastMutex
ZwClose
ZwCreateFile
KeInitializeEvent
ZwQuerySystemInformation
MmIsAddressValid
RtlFreeAnsiString
RtlUnicodeStringToAnsiString
_vsnwprintf
_wcsicmp
ZwOpenFile
MmUnmapViewInSystemSpace
MmMapViewInSystemSpace
MmCreateSection
ZwOpenThread
PsGetProcessInheritedFromUniqueProcessId
ObReferenceObjectByHandle
PsGetProcessImageFileName
ObQueryNameString
IoGetDeviceObjectPointer
KeStackAttachProcess
KeUnstackDetachProcess
PsGetProcessCreateTimeQuadPart
KeQueryTimeIncrement
ZwQuerySymbolicLinkObject
ZwOpenSymbolicLinkObject
ZwQueryInformationProcess
PsIsThreadTerminating
MmGetSystemRoutineAddress
PsGetProcessId
PsGetThreadProcess
ZwOpenProcess
ZwOpenDirectoryObject
RtlAppendUnicodeStringToString
tolower
strchr
PsGetProcessWin32Process
ZwQueryInformationToken
PsLookupProcessByProcessId
PsGetProcessSectionBaseAddress
ZwOpenProcessTokenEx
wcschr
RtlCompareUnicodeString
ZwQueryObject
wcsncpy
IoQueryFileDosDeviceName
wcsrchr
PsGetCurrentProcessSessionId
IoFreeMdl
MmMapLockedPages
MmBuildMdlForNonPagedPool
IoAllocateMdl
MmUnmapLockedPages
CmRegisterCallback
PsGetThreadTeb
PsLookupThreadByThreadId
RtlNtStatusToDosError
PsGetProcessPeb
RtlFreeUnicodeString
RtlWriteRegistryValue
RtlAnsiStringToUnicodeString
RtlInitAnsiString
RtlCreateUnicodeString
RtlQueryRegistryValues
RtlPrefixUnicodeString
ZwQueryValueKey
ZwOpenKey
ZwSetInformationProcess
RtlLengthSid
ZwAssignProcessToJobObject
ZwSetInformationJobObject
ZwCreateJobObject
PsGetProcessJob
ZwTerminateProcess
RtlAddAccessAllowedAceEx
RtlAddAce
RtlCreateAcl
RtlGetAce
ZwSetSecurityObject
RtlSetDaclSecurityDescriptor
RtlCreateSecurityDescriptor
RtlGetDaclSecurityDescriptor
ZwQuerySecurityObject
SeTokenIsRestricted
SeFilterToken
ObfReferenceObject
ZwCreateKey
ZwEnumerateValueKey
ZwSetValueKey
ZwDeleteValueKey
RtlCompareMemory
RtlAppendUnicodeToString
RtlFormatCurrentUserKeyPath
IoGetCurrentProcess
ExAllocatePoolWithTag
KeBugCheckEx
ExFreePoolWithTag
ZwConnectPort
LpcRequestWaitReplyPort
LpcRequestPort
ObfDereferenceObject
ObOpenObjectByPointer
_vsnprintf
IoAllocateMdl
MmProbeAndLockPages
MmMapLockedPagesSpecifyCache
MmUnlockPages
IoFreeMdl
ExAllocatePool
ExFreePool
NtQuerySystemInformation

hal

HalMakeBeep

Sections

.text
Size: - Virtual size: 118KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rdata
Size: - Virtual size: 21KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.data
Size: - Virtual size: 37KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.pdata
Size: - Virtual size: 6KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

INIT
Size: - Virtual size: 4KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.Shltr1
Size: 1024B - Virtual size: 816B

IMAGE_SCN_CNT_CODE
IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.Shltr0
Size: - Virtual size: 918B

IMAGE_SCN_CNT_CODE
IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.Shltr2
Size: - Virtual size: 58KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.Shltr3
Size: 166KB - Virtual size: 166KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.reloc
Size: 512B - Virtual size: 24B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.rsrc
Size: 1024B - Virtual size: 808B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

Sharing

General

Malware Config

Signatures

Files

459cbc65ecc01f1e1552b1b576aa3f8e

Code Sign

04:00:00:00:00:01:1e:44:a5:e2:4eCertificate

Key Usages

04:00:00:00:00:01:1e:44:a5:ec:beCertificate

Key Usages

01:00:00:00:00:01:2a:38:84:8f:caCertificate

Extended Key Usages

Key Usages

61:0b:7f:6b:00:00:00:00:00:19Certificate

Key Usages

d7:b0:9a:76:78:65:84:0a:30:78:c1:18:f1:1c:28:4f:49:8c:c5:12Signer

Headers

File Characteristics

Imports

ntoskrnl.exe

hal

Sections

.text Size: - Virtual size: 118KB

.rdata Size: - Virtual size: 21KB

.data Size: - Virtual size: 37KB

.pdata Size: - Virtual size: 6KB

INIT Size: - Virtual size: 4KB

.Shltr1 Size: 1024B - Virtual size: 816B

.Shltr0 Size: - Virtual size: 918B

.Shltr2 Size: - Virtual size: 58KB

.Shltr3 Size: 166KB - Virtual size: 166KB

.reloc Size: 512B - Virtual size: 24B

.rsrc Size: 1024B - Virtual size: 808B

04:00:00:00:00:01:1e:44:a5:e2:4e
Certificate

04:00:00:00:00:01:1e:44:a5:ec:be
Certificate

01:00:00:00:00:01:2a:38:84:8f:ca
Certificate

61:0b:7f:6b:00:00:00:00:00:19
Certificate

d7:b0:9a:76:78:65:84:0a:30:78:c1:18:f1:1c:28:4f:49:8c:c5:12
Signer

.text
Size: - Virtual size: 118KB

.rdata
Size: - Virtual size: 21KB

.data
Size: - Virtual size: 37KB

.pdata
Size: - Virtual size: 6KB

INIT
Size: - Virtual size: 4KB

.Shltr1
Size: 1024B - Virtual size: 816B

.Shltr0
Size: - Virtual size: 918B

.Shltr2
Size: - Virtual size: 58KB

.Shltr3
Size: 166KB - Virtual size: 166KB

.reloc
Size: 512B - Virtual size: 24B

.rsrc
Size: 1024B - Virtual size: 808B