82f792a1a4abab93058f916e70283252_JaffaCakes118

Sharing

Copy URL Twitter E-mail

General

Target

82f792a1a4abab93058f916e70283252_JaffaCakes118
Size

163KB
MD5

82f792a1a4abab93058f916e70283252
SHA1

e3f6d29a1c8db005f032b4dd52c7c7711e8f4fa0
SHA256

29730548ef5cbd722c86f4cfcabb29173d38a7c538befc281cab8f96154b4655
SHA512

656f19005eab4d4d27b549f72d6ac2e190139a81beb94baec2224e0d4c51502aa141bfb0da8d1326871e88a186c204113dddd7792c4a90e1793f609238ea9422
SSDEEP

3072:oCPRY8ZGXZglH0b0seMSwiJ7ve4b75jhbB/ng:owRVllH0b0KQhnbVng

Score

1^/10

Malware Config

Signatures

Files

82f792a1a4abab93058f916e70283252_JaffaCakes118
.sys windows:5 windows x64 arch:x64

736e5f95a49cc4ddf74dde5c662c72f0

Code Sign

04:00:00:00:00:01:1e:44:a5:e2:4e
Certificate

Issuer

CN=GlobalSign Root CA,OU=Root CA,O=GlobalSign nv-sa,C=BE

Not Before

28/01/1999, 13:00

Not After

27/01/2017, 12:00

Subject

CN=GlobalSign Primary Object Publishing CA,OU=Primary Object Publishing CA,O=GlobalSign nv-sa,C=BE

Key Usages

KeyUsageCertSign
KeyUsageCRLSign

04:00:00:00:00:01:1e:44:a5:ec:be
Certificate

Issuer

CN=GlobalSign Primary Object Publishing CA,OU=Primary Object Publishing CA,O=GlobalSign nv-sa,C=BE

Not Before

22/01/2004, 10:00

Not After

27/01/2017, 11:00

Subject

CN=GlobalSign ObjectSign CA,OU=ObjectSign CA,O=GlobalSign nv-sa,C=BE

Key Usages

KeyUsageCertSign
KeyUsageCRLSign

01:00:00:00:00:01:2a:38:84:8f:ca
Certificate

Issuer

CN=GlobalSign ObjectSign CA,OU=ObjectSign CA,O=GlobalSign nv-sa,C=BE

Not Before

03/08/2010, 14:15

Not After

11/10/2011, 15:28

Subject

CN=Datpol Janusz Siemienowicz,OU=Datpol Janusz Siemienowicz,O=Datpol Janusz Siemienowicz,L=Olkusz,ST=malopolskie,C=PL

Extended Key Usages

ExtKeyUsageCodeSigning

Key Usages

KeyUsageDigitalSignature

61:0b:7f:6b:00:00:00:00:00:19
Certificate

Issuer

CN=Microsoft Code Verification Root,O=Microsoft Corporation,L=Redmond,ST=Washington,C=US

Not Before

23/05/2006, 17:00

Not After

23/05/2016, 17:10

Subject

CN=GlobalSign Root CA,OU=Root CA,O=GlobalSign nv-sa,C=BE

Key Usages

KeyUsageDigitalSignature
KeyUsageCertSign
KeyUsageCRLSign

47:a1:16:da:8b:ba:84:0e:22:ab:6d:76:03:91:bd:06:df:e3:95:fd
Signer

Actual PE Digest

47:a1:16:da:8b:ba:84:0e:22:ab:6d:76:03:91:bd:06:df:e3:95:fd

Digest Algorithm

sha1

PE Digest Matches

true

Headers

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LARGE_ADDRESS_AWARE

Imports

ntoskrnl.exe

PsGetVersion
PsGetCurrentThreadId
PsGetCurrentProcessId
__C_specific_handler
ProbeForWrite
KeDelayExecutionThread
ProbeForRead
_wcsnicmp
_stricmp
RtlDeleteRegistryValue
strstr
strrchr
ExFreePoolWithTag
strncpy
_strnicmp
PsDereferencePrimaryToken
RtlEqualSid
SeQueryInformationToken
PsReferencePrimaryToken
PsSetCreateProcessNotifyRoutine
RtlInitUnicodeString
IofCompleteRequest
__chkstk
IoCreateSymbolicLink
IoCreateDevice
PsSetLoadImageNotifyRoutine
ZwClose
ExReleaseFastMutex
ExAcquireFastMutex
ZwCreateFile
KeInitializeEvent
ExAllocatePoolWithTag
ZwQuerySystemInformation
MmIsAddressValid
RtlFreeAnsiString
RtlUnicodeStringToAnsiString
_vsnwprintf
_wcsicmp
ZwOpenFile
MmUnmapViewInSystemSpace
MmMapViewInSystemSpace
MmCreateSection
ZwQueryInformationThread
ZwOpenThread
PsGetProcessInheritedFromUniqueProcessId
ObReferenceObjectByHandle
PsGetProcessImageFileName
ObQueryNameString
IoGetDeviceObjectPointer
KeStackAttachProcess
KeUnstackDetachProcess
PsGetProcessCreateTimeQuadPart
KeQueryTimeIncrement
ZwQuerySymbolicLinkObject
ZwOpenSymbolicLinkObject
ZwQueryInformationProcess
PsIsThreadTerminating
MmGetSystemRoutineAddress
PsGetProcessId
PsGetThreadProcess
ZwOpenProcess
ZwOpenDirectoryObject
RtlAppendUnicodeStringToString
PsLookupProcessByProcessId
strchr
PsGetProcessWin32Process
ZwQueryInformationToken
ObOpenObjectByPointer
PsGetProcessSectionBaseAddress
ZwOpenProcessTokenEx
wcschr
RtlCompareUnicodeString
ZwQueryObject
PsGetCurrentProcessSessionId
CmRegisterCallback
PsGetThreadTeb
PsLookupThreadByThreadId
RtlNtStatusToDosError
PsGetProcessPeb
RtlFreeUnicodeString
RtlWriteRegistryValue
RtlAnsiStringToUnicodeString
RtlInitAnsiString
RtlCreateUnicodeString
RtlQueryRegistryValues
wcsncpy
RtlPrefixUnicodeString
ZwQueryValueKey
ZwOpenKey
ZwSetInformationProcess
RtlLengthSid
ZwAssignProcessToJobObject
ZwSetInformationJobObject
ZwCreateJobObject
PsGetProcessJob
ZwTerminateProcess
RtlAddAccessAllowedAceEx
RtlAddAce
RtlCreateAcl
RtlGetAce
ZwSetSecurityObject
RtlSetDaclSecurityDescriptor
RtlCreateSecurityDescriptor
RtlGetDaclSecurityDescriptor
ZwQuerySecurityObject
SeTokenIsRestricted
SeFilterToken
ObfReferenceObject
ZwCreateKey
ZwEnumerateValueKey
ZwSetValueKey
ZwDeleteValueKey
RtlCompareMemory
RtlAppendUnicodeToString
RtlFormatCurrentUserKeyPath
IoGetCurrentProcess
IoQueryFileDosDeviceName
ZwConnectPort
LpcRequestWaitReplyPort
KeBugCheckEx
ObfDereferenceObject
tolower
_vsnprintf
IoAllocateMdl
MmProbeAndLockPages
MmMapLockedPagesSpecifyCache
MmUnlockPages
IoFreeMdl
ExAllocatePool
ExFreePool
NtQuerySystemInformation

hal

HalMakeBeep

Sections

.text
Size: - Virtual size: 107KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rdata
Size: - Virtual size: 20KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.data
Size: - Virtual size: 7KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.pdata
Size: - Virtual size: 6KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

INIT
Size: - Virtual size: 3KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.Shltr1
Size: 1024B - Virtual size: 816B

IMAGE_SCN_CNT_CODE
IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.Shltr0
Size: - Virtual size: 790B

IMAGE_SCN_CNT_CODE
IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.Shltr2
Size: - Virtual size: 57KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.Shltr3
Size: 154KB - Virtual size: 154KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.reloc
Size: 512B - Virtual size: 24B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.rsrc
Size: 1024B - Virtual size: 808B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

Sharing

General

Malware Config

Signatures

Files

736e5f95a49cc4ddf74dde5c662c72f0

Code Sign

04:00:00:00:00:01:1e:44:a5:e2:4eCertificate

Key Usages

04:00:00:00:00:01:1e:44:a5:ec:beCertificate

Key Usages

01:00:00:00:00:01:2a:38:84:8f:caCertificate

Extended Key Usages

Key Usages

61:0b:7f:6b:00:00:00:00:00:19Certificate

Key Usages

47:a1:16:da:8b:ba:84:0e:22:ab:6d:76:03:91:bd:06:df:e3:95:fdSigner

Headers

File Characteristics

Imports

ntoskrnl.exe

hal

Sections

.text Size: - Virtual size: 107KB

.rdata Size: - Virtual size: 20KB

.data Size: - Virtual size: 7KB

.pdata Size: - Virtual size: 6KB

INIT Size: - Virtual size: 3KB

.Shltr1 Size: 1024B - Virtual size: 816B

.Shltr0 Size: - Virtual size: 790B

.Shltr2 Size: - Virtual size: 57KB

.Shltr3 Size: 154KB - Virtual size: 154KB

.reloc Size: 512B - Virtual size: 24B

.rsrc Size: 1024B - Virtual size: 808B

04:00:00:00:00:01:1e:44:a5:e2:4e
Certificate

04:00:00:00:00:01:1e:44:a5:ec:be
Certificate

01:00:00:00:00:01:2a:38:84:8f:ca
Certificate

61:0b:7f:6b:00:00:00:00:00:19
Certificate

47:a1:16:da:8b:ba:84:0e:22:ab:6d:76:03:91:bd:06:df:e3:95:fd
Signer

.text
Size: - Virtual size: 107KB

.rdata
Size: - Virtual size: 20KB

.data
Size: - Virtual size: 7KB

.pdata
Size: - Virtual size: 6KB

INIT
Size: - Virtual size: 3KB

.Shltr1
Size: 1024B - Virtual size: 816B

.Shltr0
Size: - Virtual size: 790B

.Shltr2
Size: - Virtual size: 57KB

.Shltr3
Size: 154KB - Virtual size: 154KB

.reloc
Size: 512B - Virtual size: 24B

.rsrc
Size: 1024B - Virtual size: 808B