mimikatz | 7f00ccc0a3b7a734501e8aa3d9cd7ce4_JaffaCakes118

Sharing

Copy URL

Twitter E-mail

General

Target

7f00ccc0a3b7a734501e8aa3d9cd7ce4_JaffaCakes118
Size

908KB
MD5

7f00ccc0a3b7a734501e8aa3d9cd7ce4
SHA1

2d118661547ccb4a4ea3a03e082d7b7a8ca63686
SHA256

e8ebb095b5681c6c7ec7125a8767746059c4a33807de68364f52856b0f6057ee
SHA512

7d9b1157b090f4d02e0472ad63cbdd0e8701fd3109f91be7ba48890d2c799117cfb91fbe055de1f313bf795e698ba6946c42ec8938108b17abc4c91e823a4854
SSDEEP

24576:9l8JvU4v7QjXxNuv+W9meLPagwarr2eMAX:9OJvU4v7gBsVmeLPpj+ej

Score

10^/10

mimikatz

Malware Config

Signatures

Mimikatz family
mimikatz

mimikatz is an open source tool to dump credentials on Windows 1 IoCs

resource	yara_rule
sample	mimikatz

Unsigned PE 1 IoCs

Checks for missing Authenticode signature.

resource
7f00ccc0a3b7a734501e8aa3d9cd7ce4_JaffaCakes118

Files

7f00ccc0a3b7a734501e8aa3d9cd7ce4_JaffaCakes118
.dll windows:5 windows x86 arch:x86

2d6f47a3b830f8acea40310e8e8b331f

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_NX_COMPAT

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_32BIT_MACHINE
IMAGE_FILE_DLL

Imports

version

VerQueryValueW
GetFileVersionInfoW
GetFileVersionInfoSizeW

ncrypt

BCryptDecrypt
BCryptEncrypt
BCryptGenerateSymmetricKey
BCryptSetProperty
BCryptGetProperty
NCryptExportKey
NCryptImportKey
NCryptSetProperty
NCryptGetProperty
NCryptOpenKey
NCryptFreeBuffer
NCryptEnumKeys
BCryptEnumRegisteredProviders
NCryptOpenStorageProvider
BCryptFreeBuffer
BCryptDestroyKey
BCryptImportKeyPair
BCryptExportKey
BCryptCloseAlgorithmProvider
BCryptOpenAlgorithmProvider
NCryptFreeObject

fltlib

FilterFindNext
FilterFindFirst

cabinet

ord14
ord13
ord11
ord10

userenv

DestroyEnvironmentBlock
CreateEnvironmentBlock

winscard

SCardListCardsW
SCardControl
SCardGetAttrib
SCardConnectW
SCardFreeMemory
SCardGetCardTypeProviderNameW
SCardEstablishContext
SCardReleaseContext
SCardListReadersW
SCardTransmit
SCardDisconnect

advapi32

CryptGetKeyParam
QueryServiceObjectSecurity
OpenServiceW
OpenSCManagerW
DeleteService
CreateServiceW
ControlService
CloseServiceHandle
FreeSid
AllocateAndInitializeSid
RegSetValueExW
RegQueryInfoKeyW
RegEnumValueW
RegEnumKeyExW
CreateProcessWithLogonW
CreateWellKnownSid
CopySid
CryptDuplicateKey
CryptEncrypt
CryptSetHashParam
CryptAcquireContextA
CredIsMarshaledCredentialW
CredUnmarshalCredentialW
SystemFunction025
SystemFunction024
ConvertStringSecurityDescriptorToSecurityDescriptorW
CredFree
CredEnumerateW
RegQueryValueExW
RegOpenKeyExW
RegCloseKey
LookupPrivilegeNameW
OpenThreadToken
StartServiceCtrlDispatcherW
SetServiceStatus
RegisterServiceCtrlHandlerW
CreateProcessAsUserW
OpenProcessToken
LookupPrivilegeValueW
LsaQuerySecret
LsaOpenSecret
CheckTokenMembership
LookupAccountNameW
LookupAccountSidW
IsTextUnicode
BuildSecurityDescriptorW
StartServiceW
SetServiceObjectSecurity
CryptAcquireContextW
CryptReleaseContext
CryptGenKey
CryptDestroyKey
CryptSetKeyParam
CryptSetProvParam
CryptGetProvParam
CryptEnumProvidersW
ConvertSidToStringSidW
ConvertStringSidToSidW
LsaFreeMemory
IsValidSid
GetSidSubAuthority
GetSidSubAuthorityCount
CryptDecrypt
SetThreadToken
GetTokenInformation
DuplicateTokenEx
QueryServiceStatusEx
CryptGetUserKey
CryptExportKey
CryptImportKey
CryptEnumProviderTypesW
SystemFunction006
SystemFunction007
ClearEventLogW
GetNumberOfEventLogRecords
OpenEventLogW
GetLengthSid
CryptDeriveKey
CryptGetHashParam
CryptCreateHash
CryptHashData
CryptDestroyHash
CryptSignHashW
LsaClose
LsaOpenPolicy
LsaQueryInformationPolicy
LsaQueryTrustedDomainInfoByName
LsaEnumerateTrustedDomainsEx
LsaRetrievePrivateData
SystemFunction001
SystemFunction005
SystemFunction013
SystemFunction032
A_SHAUpdate
A_SHAFinal
A_SHAInit

crypt32

CryptEncodeObject
CertOpenStore
CertCloseStore
CertFindCertificateInStore
CertFreeCertificateContext
CertGetCertificateContextProperty
CryptSignAndEncodeCertificate
CryptStringToBinaryW
CryptUnprotectData
PFXExportCertStoreEx
CertAddEncodedCertificateToStore
CertSetCertificateContextProperty
CertGetNameStringW
CertEnumSystemStore
CryptExportPublicKeyInfo
CryptAcquireCertificatePrivateKey
CertNameToStrW
CertAddCertificateContextToStore
CryptBinaryToStringW
CertEnumCertificatesInStore
CryptProtectData

cryptdll

CDGenerateRandomBits
MD5Final
MD5Update
MD5Init
CDLocateCheckSum
CDLocateCSystem

dnsapi

DnsQuery_A
DnsFree

netapi32

NetRemoteTOD
DsEnumerateDomainTrustsW
NetApiBufferFree
NetSessionEnum
NetWkstaUserEnum
NetShareEnum
NetStatisticsGet
DsGetDcNameW
NetServerGetInfo
I_NetServerTrustPasswordsGet
I_NetServerAuthenticate2
I_NetServerReqChallenge

ole32

CoCreateInstance
CoUninitialize
CoInitializeEx

oleaut32

SysFreeString
SysAllocString
VariantInit

rpcrt4

RpcBindingSetAuthInfoExW
RpcBindingFree
RpcBindingToStringBindingW
RpcBindingVectorFree
RpcStringFreeW
RpcServerInqBindings
RpcServerListen
RpcServerRegisterIf2
RpcServerUnregisterIfEx
RpcServerUseProtseqEpW
RpcMgmtStopServerListening
RpcEpResolveBinding
RpcServerRegisterAuthInfoW
RpcEpRegisterW
RpcEpUnregister
RpcMgmtEpEltInqBegin
RpcMgmtEpEltInqDone
RpcMgmtEpEltInqNextW
UuidCreate
I_RpcGetCurrentCallHandle
I_RpcBindingInqSecurityContext
RpcBindingSetOption
RpcBindingFromStringBindingW
RpcStringBindingComposeW
RpcImpersonateClient
RpcRevertToSelf
RpcBindingInqAuthClientW
NdrMesTypeFree2
RpcMgmtWaitServerListen
UuidToStringW
NdrServerCall2
NdrClientCall2
NdrMesTypeEncode2
NdrMesTypeAlignSize2
MesHandleFree
MesIncrementalHandleReset
MesDecodeIncrementalHandleCreate
MesEncodeIncrementalHandleCreate
NdrMesTypeDecode2

shlwapi

PathCombineW
PathIsDirectoryW
PathFindFileNameW
PathCanonicalizeW
PathIsRelativeW

samlib

SamLookupNamesInDomain
SamEnumerateUsersInDomain
SamiChangePasswordUser
SamSetInformationUser
SamQueryInformationUser
SamOpenUser
SamOpenDomain
SamLookupDomainInSamServer
SamEnumerateDomainsInSamServer
SamConnect
SamCloseHandle
SamFreeMemory
SamOpenGroup
SamOpenAlias
SamGetGroupsForUser
SamGetAliasMembership
SamGetMembersInGroup
SamGetMembersInAlias
SamEnumerateGroupsInDomain
SamEnumerateAliasesInDomain
SamRidToSid
SamLookupIdsInDomain

secur32

InitializeSecurityContextW
DeleteSecurityContext
FreeContextBuffer
EnumerateSecurityPackagesW
QueryContextAttributesW
FreeCredentialsHandle
AcquireCredentialsHandleW
LsaFreeReturnBuffer
LsaCallAuthenticationPackage
LsaConnectUntrusted
LsaDeregisterLogonProcess
LsaLookupAuthenticationPackage

shell32

CommandLineToArgvW

user32

PostMessageW
DefWindowProcW
UnregisterClassW
SendMessageW
CreateWindowExW
DestroyWindow
OpenClipboard
CloseClipboard
GetClipboardSequenceNumber
SetClipboardViewer
ChangeClipboardChain
GetClipboardData
EnumClipboardFormats
GetUserObjectInformationW
IsCharAlphaNumericW
DispatchMessageW
GetMessageW
GetKeyboardLayout
RegisterClassExW
TranslateMessage

hid

HidD_GetHidGuid
HidP_GetCaps
HidD_GetAttributes
HidD_GetPreparsedData
HidD_FreePreparsedData
HidD_SetFeature
HidD_GetFeature

setupapi

SetupDiGetClassDevsW
SetupDiEnumDeviceInterfaces
SetupDiGetDeviceInterfaceDetailW
SetupDiDestroyDeviceInfoList

wldap32

ord79
ord54
ord301
ord304
ord309
ord310
ord13
ord208
ord41
ord26
ord27
ord36
ord127
ord167
ord142
ord73
ord133
ord147
ord145
ord88
ord12
ord14
ord203
ord157
ord69
ord113
ord140
ord139
ord97
ord96
ord77
ord224
ord223
ord122

ntdll

NtCompareTokens
RtlCreateUserThread
RtlGetCurrentPeb
NtQueryInformationProcess
RtlDecompressBuffer
RtlCompressBuffer
RtlGetCompressionWorkSpaceSize
RtlDowncaseUnicodeString
RtlFreeAnsiString
RtlUnicodeStringToAnsiString
NtQuerySystemInformation
NtQueryObject
RtlIpv6AddressToStringW
RtlIpv4AddressToStringW
NtEnumerateSystemEnvironmentValuesEx
NtSetSystemEnvironmentValueEx
NtQuerySystemEnvironmentValueEx
NtTerminateProcess
NtSuspendProcess
RtlAdjustPrivilege
NtResumeProcess
RtlStringFromGUID
RtlFreeUnicodeString
RtlFreeOemString
RtlUpcaseUnicodeStringToOemString
RtlEqualUnicodeString
RtlGetNtVersionNumbers
RtlEqualString
RtlGUIDFromString
RtlInitUnicodeString
RtlUpcaseUnicodeString
RtlAppendUnicodeStringToString
RtlAnsiStringToUnicodeString

msasn1

ASN1_CreateModule
ASN1BERDotVal2Eoid
ASN1_CloseModule
ASN1_CreateEncoder
ASN1BEREoid2DotVal
ASN1_CreateDecoder
ASN1_CloseDecoder
ASN1_FreeEncoded
ASN1_CloseEncoder
ASN1Free

winsta

WinStationConnectW
WinStationFreeMemory
WinStationEnumerateW
WinStationQueryInformationW
WinStationOpenServerW
WinStationCloseServer

kernel32

GetModuleHandleExW
GetCommandLineA
GetCurrentThreadId
IsDebuggerPresent
IsProcessorFeaturePresent
IsValidCodePage
GetACP
GetOEMCP
GetCPInfo
RtlUnwind
GetModuleFileNameW
GetStringTypeW
UnhandledExceptionFilter
SetUnhandledExceptionFilter
InitializeCriticalSectionAndSpinCount
TerminateProcess
TlsAlloc
TlsGetValue
TlsSetValue
TlsFree
GetStartupInfoW
LoadLibraryExW
GetConsoleCP
GetConsoleMode
GetFileType
GetModuleFileNameA
GetEnvironmentStringsW
FreeEnvironmentStringsW
ExitProcess
TryEnterCriticalSection
GetFullPathNameW
GetFullPathNameA
HeapReAlloc
GetFileSize
LeaveCriticalSection
EnterCriticalSection
InitializeCriticalSection
CreateProcessW
CreatePipe
SetHandleInformation
ReadFile
WaitForSingleObject
SystemTimeToFileTime
SetConsoleCtrlHandler
CreateMutexW
HeapCompact
SetEndOfFile
HeapAlloc
GetModuleHandleW
GlobalSize
SetLastError
Sleep
CreateThread
CreateFileW
LoadLibraryW
lstrlenA
GetProcAddress
FreeLibrary
GetSystemTimeAsFileTime
GetLastError
CloseHandle
GetCurrentProcessId
OpenProcess
AllocConsole
lstrlenW
RaiseException
LocalFree
LocalAlloc
InterlockedDecrement
InterlockedIncrement
SetEvent
CreateEventW
GetCurrentProcess
GetStdHandle
GetTimeZoneInformation
GetSystemDirectoryW
SetCurrentDirectoryW
IsWow64Process
DeleteCriticalSection
FillConsoleOutputCharacterW
GetConsoleScreenBufferInfo
SetConsoleCursorPosition
GetCurrentThread
ProcessIdToSessionId
GetComputerNameW
GetProcessId
FileTimeToSystemTime
TerminateThread
WriteFile
GetFileInformationByHandle
SetFilePointer
FileTimeToLocalFileTime
FileTimeToDosDateTime
GetTempPathA
GetTempFileNameA
GetCurrentDirectoryA
CreateFileA
DeleteFileA
GetFileSizeEx
FlushFileBuffers
FindClose
ExpandEnvironmentStringsW
GetCurrentDirectoryW
GetFileAttributesW
FindFirstFileW
FindNextFileW
DuplicateHandle
DeviceIoControl
VirtualAlloc
VirtualFree
VirtualProtect
VirtualQuery
VirtualAllocEx
VirtualFreeEx
VirtualProtectEx
VirtualQueryEx
ReadProcessMemory
WriteProcessMemory
MapViewOfFile
UnmapViewOfFile
CreateFileMappingW
GetComputerNameExW
ConnectNamedPipe
DisconnectNamedPipe
SetNamedPipeHandleState
GetNamedPipeInfo
CreateNamedPipeW
WaitNamedPipeW
CreateRemoteThread
ClearCommError
PurgeComm
WideCharToMultiByte
GetTimeFormatW
GetDateFormatW
AreFileApisANSI
GetSystemTime
DeleteFileW
GetVersionExA
OutputDebugStringA
GetFileAttributesExW
GetSystemInfo
GetDiskFreeSpaceA
CreateFileMappingA
GetDiskFreeSpaceW
LockFileEx
HeapSize
GetTempPathW
MultiByteToWideChar
HeapValidate
HeapCreate
GetFileAttributesA
HeapDestroy
GetVersionExW
FormatMessageW
FormatMessageA
GetProcessHeap
UnlockFileEx
CompareStringW
LCMapStringW
SetFilePointerEx
SetStdHandle
WriteConsoleW
ReadConsoleW
SetEnvironmentVariableA
GetTickCount
OutputDebugStringW
WaitForSingleObjectEx
LockFile
FlushViewOfFile
QueryPerformanceCounter
HeapFree
InterlockedCompareExchange
UnlockFile

Exports

Exports

DeinitServerExtension
GetExtensionName
InitServerExtension
_ReflectiveLoader@0
powershell_reflective_mimikatz

Sections

.text
Size: 565KB - Virtual size: 565KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rdata
Size: 294KB - Virtual size: 294KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.data
Size: 18KB - Virtual size: 28KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.reloc
Size: 28KB - Virtual size: 28KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ

Sharing

General

Malware Config

Signatures

Files

2d6f47a3b830f8acea40310e8e8b331f

Headers

DLL Characteristics

File Characteristics

Imports

version

ncrypt

fltlib

cabinet

userenv

winscard

advapi32

crypt32

cryptdll

dnsapi

netapi32

ole32

oleaut32

rpcrt4

shlwapi

samlib

secur32

shell32

user32

hid

setupapi

wldap32

ntdll

msasn1

winsta

kernel32

Exports

Exports

Sections

.text Size: 565KB - Virtual size: 565KB

.rdata Size: 294KB - Virtual size: 294KB

.data Size: 18KB - Virtual size: 28KB

.reloc Size: 28KB - Virtual size: 28KB

.text
Size: 565KB - Virtual size: 565KB

.rdata
Size: 294KB - Virtual size: 294KB

.data
Size: 18KB - Virtual size: 28KB

.reloc
Size: 28KB - Virtual size: 28KB