WmiApSrv.pdb
Static task: static1
Behavioral task: behavioral1
- Sample: 8d66746fbd2d1922667618c53b72c15d_JaffaCakes118.exe
- Resource: win7-20240704-en
Behavioral task: behavioral2
- Sample: 8d66746fbd2d1922667618c53b72c15d_JaffaCakes118.exe
- Resource: win10v2004-20240802-en
General
- Target: 8d66746fbd2d1922667618c53b72c15d_JaffaCakes118
- Size: 150KB
- MD5: 8d66746fbd2d1922667618c53b72c15d
- SHA1: 47ffda6eb62945ca7c471b60b4657d88646541f4
- SHA256: 72dc3d789be4e3a05a3e3cafa6f9ce34179fa84fd1dcbfc6ae92f0f3caa1a6e0
- SHA512: 324933d27a039133f6bc72fd3692489c6aefc3d753fed265b7b7cd056c724fe5895eaf3cde0459e0014bc11236dc8ea367b4cac3ae31c9c727773063695a147b
- SSDEEP: 3072:wpH6Op8EM+b0qcrIgVyRpNkY/5mutAxzP6TwQnn/84MU21aq:Mp8EMy0qccQyRpNktusPq/n/Fvpq
Malware Config
Signatures
- Unsigned PE (1 IoCs): Checks for missing Authenticode signature.
  resource 8d66746fbd2d1922667618c53b72c15d_JaffaCakes118
Files
-
8d66746fbd2d1922667618c53b72c15d_JaffaCakes118.exe windows:5 windows x86 arch:x86
99250b7f2f051041953ad2d17bd56c6f
Headers
DLL Characteristics
IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE
File Characteristics
IMAGE_FILE_RELOCS_STRIPPED
IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LINE_NUMS_STRIPPED
IMAGE_FILE_LOCAL_SYMS_STRIPPED
IMAGE_FILE_32BIT_MACHINE
PDB Paths
Imports
msvcrt
_wcsicmp
wcsrchr
_vsnwprintf
_CxxThrowException
_wtol
realloc
_wtoi
wcslen
wcscmp
_controlfp
_onexit
__dllonexit
??1type_info@@UAE@XZ
_except_handler3
__set_app_type
__p__fmode
__p__commode
_adjust_fdiv
__setusermatherr
_initterm
__getmainargs
wcscspn
wcsspn
iswdigit
wcschr
?terminate@@YAXXZ
vswprintf
memmove
_wcsrev
_wcslwr
_wcsupr
wcsstr
wcspbrk
mbstowcs
wcscoll
_acmdln
exit
_cexit
_XcptFilter
_exit
_c_exit
memset
free
memcpy
__CxxFrameHandler
??2@YAPAXI@Z
??3@YAXPAX@Z
malloc
advapi32
RegCreateKeyExA
RegSetValueExA
RegQueryValueExA
RegDeleteValueA
RegDeleteKeyA
RegEnumValueW
RegEnumKeyA
RegQueryInfoKeyW
RegOpenKeyW
RegQueryValueExW
RegEnumKeyW
RegEnumValueA
RegCloseKey
RegDeleteKeyW
RegEnumKeyExW
RegOpenKeyExW
RegDeleteValueW
RegSetValueExW
RegCreateKeyExW
CloseServiceHandle
QueryServiceStatus
QueryServiceConfigW
OpenServiceW
OpenSCManagerW
ConvertStringSecurityDescriptorToSecurityDescriptorW
InitializeSecurityDescriptor
MakeAbsoluteSD
SetServiceStatus
RegisterServiceCtrlHandlerW
DeleteService
ControlService
StartServiceCtrlDispatcherW
ChangeServiceConfig2W
CreateServiceW
RegOpenCurrentUser
RegQueryInfoKeyA
RegOpenKeyExA
kernel32
lstrlenW
ReleaseSemaphore
WaitForSingleObject
SwitchToThread
GetLastError
GetCurrentProcess
InterlockedIncrement
InterlockedDecrement
InitializeCriticalSection
SetEvent
ResetEvent
EnterCriticalSection
TryEnterCriticalSection
LocalAlloc
lstrcmpiW
GetCommandLineW
CreateMutexW
CreateEventW
DeleteCriticalSection
ReleaseMutex
InterlockedCompareExchange
GetModuleHandleW
GetModuleFileNameW
Sleep
WaitForMultipleObjects
UnmapViewOfFile
lstrcmpW
FlushViewOfFile
MapViewOfFile
CreateFileMappingW
GetExitCodeProcess
QueryPerformanceCounter
GetTickCount
GetCurrentThreadId
GetCurrentProcessId
GetSystemTimeAsFileTime
TerminateProcess
UnhandledExceptionFilter
SetUnhandledExceptionFilter
GetStartupInfoA
CreateFileW
WriteFile
WideCharToMultiByte
GetSystemDefaultLCID
GetSystemDirectoryW
GetProcAddress
LeaveCriticalSection
CloseHandle
FormatMessageW
FormatMessageA
OpenEventW
SetLastError
OpenProcess
FreeLibrary
LoadLibraryW
ExpandEnvironmentStringsW
RaiseException
MultiByteToWideChar
GetVersionExA
CreateSemaphoreW
CreateDirectoryW
DeleteFileW
MoveFileExW
GetLocaleInfoW
lstrlenA
GetVersionExW
LocalFree
user32
CharNextW
LoadStringW
ntdll
NtQueryObject
RtlGetAce
RtlGetDaclSecurityDescriptor
RtlEqualSid
RtlGetOwnerSecurityDescriptor
NtQuerySecurityObject
iswspace
atol
oleaut32
SysFreeString
SysAllocString
VariantChangeType
SysStringLen
VariantClear
SafeArrayDestroy
SafeArrayUnaccessData
SafeArrayAccessData
SafeArrayGetLBound
SafeArrayGetUBound
SysAllocStringLen
ole32
CoInitializeEx
CoUninitialize
CoCreateInstance
CoInitializeSecurity
CoFreeUnusedLibraries
CoSetProxyBlanket
wbemcomn
?Enter@CStaticCritSec@@QAEXXZ
?Leave@CStaticCritSec@@QAEXXZ
?Throttle@@YGJKKKKK@Z
??1CStaticCritSec@@QAE@XZ
??0CStaticCritSec@@QAE@XZ
?anyFailure@CStaticCritSec@@SGHXZ
loadperf
LoadPerfCounterTextStringsW
UnloadPerfCounterTextStringsW
Exports
??0CHPtrArray@@QAE@XZ
??0CHString@@QAE@ABV0@@Z
??0CHString@@QAE@GH@Z
??0CHString@@QAE@PBD@Z
??0CHString@@QAE@PBE@Z
??0CHString@@QAE@PBG@Z
??0CHString@@QAE@PBGH@Z
??0CHString@@QAE@XZ
??0CHStringArray@@QAE@XZ
??0CRegistry@@QAE@ABV0@@Z
??0CRegistry@@QAE@XZ
??0CRegistrySearch@@QAE@ABV0@@Z
??0CRegistrySearch@@QAE@XZ
??1CHPtrArray@@QAE@XZ
??1CHString@@QAE@XZ
??1CHStringArray@@QAE@XZ
??1CRegistry@@QAE@XZ
??1CRegistrySearch@@QAE@XZ
??4CHPtrArray@@QAEAAV0@ABV0@@Z
??4CHString@@QAEABV0@ABV0@@Z
??4CHString@@QAEABV0@D@Z
??4CHString@@QAEABV0@G@Z
??4CHString@@QAEABV0@PAV0@@Z
??4CHString@@QAEABV0@PBD@Z
??4CHString@@QAEABV0@PBE@Z
??4CHString@@QAEABV0@PBG@Z
??4CHStringArray@@QAEAAV0@ABV0@@Z
??4CRegistry@@QAEAAV0@ABV0@@Z
??4CRegistrySearch@@QAEAAV0@ABV0@@Z
??ACHPtrArray@@QAEAAPAXH@Z
??ACHPtrArray@@QBEPAXH@Z
??ACHString@@QBEGH@Z
??ACHStringArray@@QAEAAVCHString@@H@Z
??ACHStringArray@@QBE?AVCHString@@H@Z
??BCHString@@QBEPBGXZ
??H@YG?AVCHString@@ABV0@0@Z
??H@YG?AVCHString@@ABV0@G@Z
??H@YG?AVCHString@@ABV0@PBG@Z
??H@YG?AVCHString@@GABV0@@Z
??H@YG?AVCHString@@PBGABV0@@Z
??YCHString@@QAEABV0@ABV0@@Z
??YCHString@@QAEABV0@D@Z
??YCHString@@QAEABV0@G@Z
??YCHString@@QAEABV0@PBG@Z
?Add@CHPtrArray@@QAEHPAX@Z
?Add@CHStringArray@@QAEHPBG@Z
?AllocBeforeWrite@CHString@@IAEXH@Z
?AllocBuffer@CHString@@IAEXH@Z
?AllocCopy@CHString@@IBEXAAV1@HHH@Z
?AllocSysString@CHString@@QBEPAGXZ
?Append@CHPtrArray@@QAEHABV1@@Z
?Append@CHStringArray@@QAEHABV1@@Z
?AssignCopy@CHString@@IAEXHPBG@Z
?CheckAndAddToList@CRegistrySearch@@AAEXPAVCRegistry@@VCHString@@1AAVCHPtrArray@@11H@Z
?Close@CRegistry@@QAEXXZ
?CloseSubKey@CRegistry@@AAEXXZ
?Collate@CHString@@QBEHPBG@Z
?Compare@CHString@@QBEHPBG@Z
?CompareNoCase@CHString@@QBEHPBG@Z
?ConcatCopy@CHString@@IAEXHPBGH0@Z
?ConcatInPlace@CHString@@IAEXHPBG@Z
?Copy@CHPtrArray@@QAEXABV1@@Z
?Copy@CHStringArray@@QAEXABV1@@Z
?CopyBeforeWrite@CHString@@IAEXXZ
?CreateOpen@CRegistry@@QAEJPAUHKEY__@@PBGPAGKKPAU_SECURITY_ATTRIBUTES@@PAK@Z
?DeleteCurrentKeyValue@CRegistry@@QAEKPAUHKEY__@@PBG@Z
?DeleteCurrentKeyValue@CRegistry@@QAEKPBG@Z
?DeleteKey@CRegistry@@QAEJPAVCHString@@@Z
?DeleteValue@CRegistry@@QAEJPBG@Z
?ElementAt@CHPtrArray@@QAEAAPAXH@Z
?ElementAt@CHStringArray@@QAEAAVCHString@@H@Z
?Empty@CHString@@QAEXXZ
?EnumerateAndGetValues@CRegistry@@QAEJAAKAAPAGAAPAE@Z
?Find@CHString@@QBEHG@Z
?Find@CHString@@QBEHPBG@Z
?FindOneOf@CHString@@QBEHPBG@Z
?Format@CHString@@QAAXIZZ
?Format@CHString@@QAAXPBGZZ
?FormatMessageW@CHString@@QAAXIZZ
?FormatMessageW@CHString@@QAAXPBGZZ
?FormatV@CHString@@QAEXPBGPAD@Z
?FreeExtra@CHPtrArray@@QAEXXZ
?FreeExtra@CHString@@QAEXXZ
?FreeExtra@CHStringArray@@QAEXXZ
?FreeSearchList@CRegistrySearch@@QAEHHAAVCHPtrArray@@@Z
?GetAllocLength@CHString@@QBEHXZ
?GetAt@CHPtrArray@@QBEPAXH@Z
?GetAt@CHString@@QBEGH@Z
?GetAt@CHStringArray@@QBE?AVCHString@@H@Z
?GetBuffer@CHString@@QAEPAGH@Z
?GetBufferSetLength@CHString@@QAEPAGH@Z
?GetClassNameW@CRegistry@@QAEPAGXZ
?GetCurrentBinaryKeyValue@CRegistry@@QAEKPAUHKEY__@@PBGPAEPAK@Z
?GetCurrentBinaryKeyValue@CRegistry@@QAEKPBGAAVCHString@@@Z
?GetCurrentBinaryKeyValue@CRegistry@@QAEKPBGPAEPAK@Z
?GetCurrentKeyValue@CRegistry@@QAEKPAUHKEY__@@PBGAAK@Z
?GetCurrentKeyValue@CRegistry@@QAEKPAUHKEY__@@PBGAAVCHString@@@Z
?GetCurrentKeyValue@CRegistry@@QAEKPAUHKEY__@@PBGAAVCHStringArray@@@Z
?GetCurrentKeyValue@CRegistry@@QAEKPBGAAK@Z
?GetCurrentKeyValue@CRegistry@@QAEKPBGAAVCHString@@@Z
?GetCurrentKeyValue@CRegistry@@QAEKPBGAAVCHStringArray@@@Z
?GetCurrentRawKeyValue@CRegistry@@AAEKPAUHKEY__@@PBGPAXPAK3@Z
?GetCurrentRawSubKeyValue@CRegistry@@AAEKPBGPAXPAK2@Z
?GetCurrentSubKeyCount@CRegistry@@QAEKXZ
?GetCurrentSubKeyName@CRegistry@@QAEKAAVCHString@@@Z
?GetCurrentSubKeyPath@CRegistry@@QAEKAAVCHString@@@Z
?GetCurrentSubKeyValue@CRegistry@@QAEKPBGAAK@Z
?GetCurrentSubKeyValue@CRegistry@@QAEKPBGAAVCHString@@@Z
?GetCurrentSubKeyValue@CRegistry@@QAEKPBGPAXPAK@Z
?GetData@CHPtrArray@@QAEPAPAXXZ
?GetData@CHPtrArray@@QBEPAPBXXZ
?GetData@CHString@@IBEPAUCHStringData@@XZ
?GetData@CHStringArray@@QAEPAVCHString@@XZ
?GetData@CHStringArray@@QBEPBVCHString@@XZ
?GetLength@CHString@@QBEHXZ
?GetLongestClassStringSize@CRegistry@@QAEKXZ
?GetLongestSubKeySize@CRegistry@@QAEKXZ
?GetLongestValueData@CRegistry@@QAEKXZ
?GetLongestValueName@CRegistry@@QAEKXZ
?GetSize@CHPtrArray@@QBEHXZ
?GetSize@CHStringArray@@QBEHXZ
?GetUpperBound@CHPtrArray@@QBEHXZ
?GetUpperBound@CHStringArray@@QBEHXZ
?GetValueCount@CRegistry@@QAEKXZ
?GethKey@CRegistry@@QAEPAUHKEY__@@XZ
?Init@CHString@@IAEXXZ
?InsertAt@CHPtrArray@@QAEXHPAV1@@Z
?InsertAt@CHPtrArray@@QAEXHPAXH@Z
?InsertAt@CHStringArray@@QAEXHPAV1@@Z
?InsertAt@CHStringArray@@QAEXHPBGH@Z
?IsEmpty@CHString@@QBEHXZ
?Left@CHString@@QBE?AV1@H@Z
?LoadStringW@CHString@@IAEHIPAGI@Z
?LoadStringW@CHString@@QAEHI@Z
?LocateKeyByNameOrValueName@CRegistrySearch@@QAEHPAUHKEY__@@PBG1PAPBGKAAVCHString@@3@Z
?LockBuffer@CHString@@QAEPAGXZ
?MakeLower@CHString@@QAEXXZ
?MakeReverse@CHString@@QAEXXZ
?MakeUpper@CHString@@QAEXXZ
?Mid@CHString@@QBE?AV1@H@Z
?Mid@CHString@@QBE?AV1@HH@Z
?NextSubKey@CRegistry@@QAEKXZ
?Open@CRegistry@@QAEJPAUHKEY__@@PBGK@Z
?OpenAndEnumerateSubKeys@CRegistry@@QAEJPAUHKEY__@@PBGK@Z
?OpenCurrentUser@CRegistry@@QAEKPBGK@Z
?OpenLocalMachineKeyAndReadValue@CRegistry@@QAEJPBG0AAVCHString@@@Z
?OpenSubKey@CRegistry@@AAEKXZ
?PrepareToReOpen@CRegistry@@AAEXXZ
?Release@CHString@@IAEXXZ
?Release@CHString@@KGXPAUCHStringData@@@Z
?ReleaseBuffer@CHString@@QAEXH@Z
?RemoveAll@CHPtrArray@@QAEXXZ
?RemoveAll@CHStringArray@@QAEXXZ
?RemoveAt@CHPtrArray@@QAEXHH@Z
?RemoveAt@CHStringArray@@QAEXHH@Z
?ReverseFind@CHString@@QBEHG@Z
?RewindSubKeys@CRegistry@@QAEXXZ
?Right@CHString@@QBE?AV1@H@Z
?SafeStrlen@CHString@@KGHPBG@Z
?SearchAndBuildList@CRegistrySearch@@QAEHVCHString@@AAVCHPtrArray@@00HPAUHKEY__@@@Z
?SetAt@CHPtrArray@@QAEXHPAX@Z
?SetAt@CHString@@QAEXHG@Z
?SetAt@CHStringArray@@QAEXHPBG@Z
?SetAtGrow@CHPtrArray@@QAEXHPAX@Z
?SetAtGrow@CHStringArray@@QAEXHPBG@Z
?SetCHStringResourceHandle@@YGXPAUHINSTANCE__@@@Z
?SetCurrentKeyValue@CRegistry@@QAEKPAUHKEY__@@PBGAAK@Z
?SetCurrentKeyValue@CRegistry@@QAEKPAUHKEY__@@PBGAAVCHString@@@Z
?SetCurrentKeyValue@CRegistry@@QAEKPAUHKEY__@@PBGAAVCHStringArray@@@Z
?SetCurrentKeyValue@CRegistry@@QAEKPBGAAK@Z
?SetCurrentKeyValue@CRegistry@@QAEKPBGAAVCHString@@@Z
?SetCurrentKeyValue@CRegistry@@QAEKPBGAAVCHStringArray@@@Z
?SetCurrentKeyValueExpand@CRegistry@@QAEKPAUHKEY__@@PBGAAVCHString@@@Z
?SetDefaultValues@CRegistry@@AAEXXZ
?SetPlatformID@CRegistry@@CGHXZ
?SetSize@CHPtrArray@@QAEXHH@Z
?SetSize@CHStringArray@@QAEXHH@Z
?SpanExcluding@CHString@@QBE?AV1@PBG@Z
?SpanIncluding@CHString@@QBE?AV1@PBG@Z
?TrimLeft@CHString@@QAEXXZ
?TrimRight@CHString@@QAEXXZ
?UnlockBuffer@CHString@@QAEXXZ
?myRegCreateKeyEx@CRegistry@@AAEJPAUHKEY__@@PBGKPAGKKPAU_SECURITY_ATTRIBUTES@@PAPAU2@PAK@Z
?myRegDeleteKey@CRegistry@@AAEJPAUHKEY__@@PBG@Z
?myRegDeleteValue@CRegistry@@AAEJPAUHKEY__@@PBG@Z
?myRegEnumKey@CRegistry@@AAEJPAUHKEY__@@KPAGK@Z
?myRegEnumValue@CRegistry@@AAEJPAUHKEY__@@KPAGPAK22PAE2@Z
?myRegOpenKeyEx@CRegistry@@AAEJPAUHKEY__@@PBGKKPAPAU2@@Z
?myRegQueryInfoKey@CRegistry@@AAEJPAUHKEY__@@PAGPAK22222222PAU_FILETIME@@@Z
?myRegQueryValueEx@CRegistry@@AAEJPAUHKEY__@@PBGPAK2PAE2@Z
?myRegSetValueEx@CRegistry@@AAEJPAUHKEY__@@PBGKKPBEK@Z
?s_dwPlatform@CRegistry@@0KA
?s_fPlatformSet@CRegistry@@0HA
Sections
.text Size: 117KB - Virtual size: 116KB
IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE
.data Size: 4KB - Virtual size: 6KB
IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE
.rsrc Size: 27KB - Virtual size: 30KB
IMAGE_SCN_CNT_CODE
IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE