Static task: static1
Behavioral task: behavioral1 (Sample: 93ae65b293add39ecb9d22d5d3076323_JaffaCakes118.exe, Resource: win7-20240704-en)
Behavioral task: behavioral2 (Sample: 93ae65b293add39ecb9d22d5d3076323_JaffaCakes118.exe, Resource: win10v2004-20240802-en)

General
Target: 93ae65b293add39ecb9d22d5d3076323_JaffaCakes118
Size: 1.1MB
MD5: 93ae65b293add39ecb9d22d5d3076323
SHA1: 82fa8d5cc2cf472b7179813df12a339e98ad75f7
SHA256: ba8a63572a5a6aec424141662a792202d8eb1067786e3fd733e3d5aed97c16e9
SHA512: 4797aee3d3f22ffdd8239208887047d55fd683057921bdd098383293ce56290ab209f279cf38bbf9601e807d6d7f67e68731767d29f79e9fe8f9f7005578d0b3
SSDEEP: 12288:nKQCH1G8ATWWUPbmJOmyqN0LL324N+PXRilaLrfSmTtR13li:KQCH1XhRyJOmyqrPXPtR13U

Malware Config

Signatures
Unsigned PE (1 IoC): Checks for missing Authenticode signature.
  resource: 93ae65b293add39ecb9d22d5d3076323_JaffaCakes118

Files
93ae65b293add39ecb9d22d5d3076323_JaffaCakes118.exe windows:5 windows x86 arch:x86
081564781e960a383383262793dcd279

Headers
DLL Characteristics: IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE
File Characteristics: IMAGE_FILE_RELOCS_STRIPPED, IMAGE_FILE_EXECUTABLE_IMAGE, IMAGE_FILE_32BIT_MACHINE
PDB Paths: d:\depot\bas\720_REL\fes_720_REL\src\opt\ntintel\saplogon.pdb
Imports
sapfewcb
?DestroyWindow@CBubble@@UAEHXZ
?GetMessageMap@CBubble@@MBEPBUAFX_MSGMAP@@XZ
?GetRuntimeClass@CBubble@@UBEPAUCRuntimeClass@@XZ
??0CBubble@@QAE@XZ
?Create@CBubble@@QAEHPAVCWnd@@@Z
??1CBubble@@UAE@XZ
?Track@CBubble@@QAEXVCPoint@@ABV?$CStringT@DV?$StrTraitMFC_DLL@DV?$ChTraitsCRT@D@ATL@@@@@ATL@@HVCRect@@HPAVCWnd@@H@Z
sapfewrm
IsAnimatedFocus
RmIsHighContrastTheme
saplgmgr
SlgDataManGetSubFolderKeys
SlgDataManSetFolderAttribute
SlgDataManGetFolderAttributes
SlgDataManGetLogonParamtersByProperties
SlgDataManAddVariableEntry
SlgDataManRenameFolder
SlgDataManGetFolderAttribute
SlgDataManGetDataFile
SlgDataManInit
SlgDataManExit
SlgDataManGetEntryData
SlgDataManGetEntryAttribute
SlgDataManAddEntryToFolder
SlgDataManGetEntryKeys
SlgDataManDeleteEntry
SlgDataManDeleteFolder
SlgDataManAddFolder
SlgDataManGetLogonParamtersByKey
SlgDataManGetSapLogonObject
SlgDataManMoveEntry
SlgDataManAddEntryLinkToFolder
SlgDataManMoveFolder
SlgDataManSetEntryAttribute
SlgDataManChangeEntry
saplgnui
SLU_StartSysPropDlg
SLU_InitSapLogonUI
SLU_StartConnectionWizard
SLU_ExitSapLogonUI
sapthmcust
SapThemeSystemSettinsDlg
sapshlib
EditShortcut
LoadShortcutFromFile
CreateShortcut
GetShortcutProperty
ExitShortcut
OperateShortcut
InitShortcut
SetShortcutProperty
LoadShortcutFromCommandLine
GetShortcutProperties
SetShortcutProperties
GetShortcutCommandLine
sapguilib
FewGuiRun
FewGuiExit
FewGuiTerminateFront
FewGuiCreate
FewGuiGetProperty
FewGuiGetFrontHandles
FewGuiInit
FewGuiDelete
FewGuiSetProperty
FewGuiGetFrontProperty
saplgdll
?DllGetClassFactoryObject@@YAJPAPAVICSLFactory@@@Z
sapfewut
Empty_Folder
GetRegValInt
Secure_Dll_Load
GetTmpDir
SAPLoadLibrary
SAPFreeLibrary
Use720SapLogonAndUnifiedOptionsDlg
InitTraceDir
InitBuffer
ShowSapguiHelp
ScriptingEnabledByUser
ScriptingEnabledByAdmin
sappctxt
SapPcTxtGetInfo
SapPcTxtRead
SapPcTxtUnLoad
SapPcTxtLoad
SapPcTxtSetDefaultLanguage
SapPcTxtGetDefaultLanguage
version
VerQueryValueA
GetFileVersionInfoSizeA
GetFileVersionInfoA
sapfhook
SapHookExit
SapHookInit
sapfewed
SapRaiseGlobalEvent
SapUnregisterGlobalEvent
SapRegisterGlobalEvent
sapfdraw
SapDrw32DrawOuterFrame
SapGetIDrawing
ShowShadowBorder
SapIsThemeActive
UseSMCRendering
GetMainframeScalePercentage
SapGetFontFromIndex
SetAnimatedFocusScreenPos
SapDrawPushbutton
SapDrw32DrawLogonToolBar
SapGetTextRect
SapDrw32SetFontScale
SapGetSystemMetrics
sapthmdrw
?CloseMsThemeDataHandles@@YAXXZ
?SapDrawThemePushbutton@@YAXPAUHDC__@@PBDPAUtagRECT@@2PAUHFONT__@@KPAUHBITMAP__@@PAU_IMAGELIST@@H@Z
?SapIsXPThemeActive@@YAHXZ
?OpenMsThemeDataHandles@@YAXXZ
gdiplus
GdiplusStartup
GdipCreateBitmapFromFile
GdipCreateBitmapFromFileICM
GdipFree
GdipDisposeImage
GdipCloneImage
GdipAlloc
GdipGetImageGraphicsContext
GdipDeleteGraphics
GdipDrawImageI
GdipGetImageWidth
GdipGetImageHeight
GdipGetImagePixelFormat
GdipGetImagePaletteSize
GdipGetImagePalette
GdipCreateBitmapFromScan0
GdipBitmapLockBits
GdipBitmapUnlockBits
GdipCreateBitmapFromStream
GdipCreateBitmapFromStreamICM
GdiplusShutdown
sapfewcls
??0CMyBitmap@@QAE@XZ
?GetRuntimeClass@CMyBitmap@@UBEPAUCRuntimeClass@@XZ
??1CMyBitmap@@UAE@XZ
?LoadBitmapA@CMyBitmap@@QAEHPBD@Z
?Init@CSapBitmapDll@@QAEHXZ
?SapBitmapDll@@3VCSapBitmapDll@@A
sapfewdr
?DrawBitmap@CMyDraw@@QAEHPAVCDC@@PAVCBitmap@@HHHHKH@Z
DrwCodePageOfCharSet
?MyDraw@@3VCMyDraw@@A
sapfewnls
myImeCall
?CharSetOfSapCodePage@CMyImeCall@@QBEEI@Z
mfc90 (imports by ordinal only)
msvcr90
exit
_acmdln
_initterm
_initterm_e
_configthreadlocale
__setusermatherr
_adjust_fdiv
__p__commode
__p__fmode
__set_app_type
?terminate@@YAXXZ
?_type_info_dtor_internal_method@type_info@@QAEXXZ
_crt_debugger_hook
_invoke_watson
_controlfp_s
abs
getenv
_access
_itoa
??0exception@std@@QAE@ABV01@@Z
_CxxThrowException
_invalid_parameter_noinfo
??0exception@std@@QAE@XZ
?what@exception@std@@UBEPBDXZ
??0exception@std@@QAE@ABQBD@Z
??1exception@std@@UAE@XZ
?_set_se_translator@@YAP6AXIPAU_EXCEPTION_POINTERS@@@ZP6AXI0@Z@Z
strcpy
_ismbblead
sprintf
_mbsnbcpy
strcat
fopen
_time64
_localtime64
strftime
memmove_s
vfprintf
fflush
atol
calloc
_mbschr
tolower
_ftime64_s
_ismbcprint
sscanf_s
_vscprintf
_makepath_s
_mbsicmp
swprintf_s
strcat_s
system
_resetstkoflw
free
malloc
_XcptFilter
_exit
_cexit
__getmainargs
_amsg_exit
_except_handler4_common
_decode_pointer
_onexit
_lock
_encode_pointer
__dllonexit
_unlock
_mbsrchr
_recalloc
memcpy_s
getenv_s
__iob_func
fprintf
vsprintf_s
_splitpath_s
sprintf_s
memset
strcpy_s
__CxxFrameHandler3
_mbslwr_s
_mbsnbicmp
_mbscmp
_mbsstr
_mbspbrk
_mbsnbcpy_s
_putenv
_setmbcp
_mbsnbcat_s
atoi
_itoa_s
strlen
_errno
kernel32
FreeLibrary
SetUnhandledExceptionFilter
HeapFree
HeapAlloc
GetProcessHeap
GetCurrentProcess
GetCurrentThread
TlsFree
TlsAlloc
InitializeCriticalSection
VirtualProtect
VirtualAlloc
VirtualQuery
VirtualFree
TlsGetValue
TlsSetValue
GetWindowsDirectoryA
CreateDirectoryA
GetTempPathA
InterlockedExchange
LockResource
LoadResource
GetFileInformationByHandle
FileTimeToLocalFileTime
ReleaseMutex
WaitForSingleObject
CreateMutexA
GetSystemInfo
GetTickCount
GetSystemTime
Sleep
GetCurrentThreadId
OutputDebugStringA
GetFileAttributesA
SetFileAttributesA
WritePrivateProfileStringA
FormatMessageA
LocalFree
GetPrivateProfileIntA
GetPrivateProfileStringA
GetUserDefaultLCID
EnterCriticalSection
LeaveCriticalSection
GetLocalTime
CreateFileA
GetSystemDefaultLangID
GetFileTime
FileTimeToSystemTime
GlobalAlloc
WideCharToMultiByte
lstrlenW
GlobalFree
GetModuleFileNameA
SizeofResource
FindResourceA
LocalAlloc
InterlockedCompareExchange
InterlockedDecrement
lstrlenA
DeleteCriticalSection
GetStartupInfoA
TerminateProcess
UnhandledExceptionFilter
IsDebuggerPresent
QueryPerformanceCounter
GetSystemTimeAsFileTime
MultiByteToWideChar
GetEnvironmentVariableA
lstrcpynA
SetLastError
LoadLibraryA
InterlockedIncrement
GetVersionExA
GetProcAddress
CreateEventA
GetModuleHandleA
GetCurrentProcessId
GetCurrentDirectoryA
CreateSemaphoreA
RaiseException
CloseHandle
GetLastError
TerminateThread
user32
GetWindowDC
LockWindowUpdate
GetActiveWindow
RegisterWindowMessageA
GetFocus
MessageBeep
LoadBitmapA
DrawIcon
CreatePopupMenu
AppendMenuA
EnableMenuItem
GetSystemMenu
IsIconic
GetWindowRect
GetClientRect
ScreenToClient
UpdateWindow
InvalidateRect
IsWindowVisible
GetForegroundWindow
LoadCursorA
DestroyIcon
GetSystemMetrics
GetCursorPos
IsWindow
GetSubMenu
SetLayeredWindowAttributes
DrawIconEx
GetSysColor
UnhookWindowsHookEx
CallNextHookEx
SetWindowsHookExA
SetRect
GetDlgCtrlID
SetWindowTextA
IsWindowEnabled
FindWindowA
MessageBoxIndirectA
RedrawWindow
EnumThreadWindows
IsRectEmpty
UpdateLayeredWindow
OffsetRect
EndPaint
BeginPaint
SetWindowLongA
GetWindowLongA
SystemParametersInfoA
SetCursor
CheckMenuItem
DrawFocusRect
DrawEdge
UnionRect
GetParent
InflateRect
PtInRect
GetKeyState
SetPropA
GetKeyboardState
EnumWindows
MessageBoxA
GetWindowTextA
SetForegroundWindow
LoadIconA
SendMessageTimeoutA
PostMessageA
SendMessageA
IsZoomed
ShowWindow
DestroyMenu
SetWindowPos
SetParent
GetDesktopWindow
SetRectEmpty
SetTimer
KillTimer
CopyRect
ClientToScreen
GetCursor
RemovePropA
GetMonitorInfoA
MonitorFromRect
SetFocus
EnableWindow
ReleaseDC
GetWindow
GetDC
MapVirtualKeyA
ToAscii
gdi32
GetClipBox
SetViewportOrgEx
GetViewportOrgEx
SetDIBColorTable
DeleteDC
DeleteObject
SetLayout
CreatePen
GetStockObject
SelectObject
SetBkMode
CreateDIBitmap
BitBlt
RealizePalette
GetDeviceCaps
CreateCompatibleDC
CreatePalette
CreateDIBSection
GetTextExtentPoint32A
GetObjectA
advapi32
OpenProcessToken
GetTokenInformation
LookupAccountSidA
RegCreateKeyA
RegSetValueA
RegCreateKeyExA
RegSetValueExA
RegOpenKeyExA
RegQueryValueExA
RegCloseKey
OpenThreadToken
shell32
DragQueryFileA
ShellExecuteA
Shell_NotifyIconA
shlwapi
SHGetValueA
ole32
CoCreateInstance
OleDestroyMenuDescriptor
StgOpenStorage
CoRegisterClassObject
GetRunningObjectTable
CreateFileMoniker
OleRun
oleaut32
CreateErrorInfo
VariantChangeType
GetErrorInfo
SysStringLen
SysStringByteLen
SysAllocStringByteLen
LoadRegTypeLi
SysAllocStringLen
SysAllocString
VariantCopy
VariantClear
VariantInit
RevokeActiveObject
SysFreeString
msvcp90
??$?HDU?$char_traits@D@std@@V?$allocator@D@1@@std@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@PBDABV10@@Z
??4?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV01@ABV01@@Z
??Y?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV01@D@Z
??Y?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV01@ABV01@@Z
?substr@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBE?AV12@II@Z
??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBD@Z
??$?MDU?$char_traits@D@std@@V?$allocator@D@1@@std@@YA_NABV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@0@Z
??Y?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV01@PBD@Z
??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV01@@Z
??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ
??4?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV01@PBD@Z
??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ
??$?9DU?$char_traits@D@std@@V?$allocator@D@1@@std@@YA_NABV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@PBD@Z
Exports
??0CSplashWindow@@QAE@II@Z
??1CSplashWindow@@UAE@XZ
??_7CSplashWindow@@6B@
?Create@CSplashWindow@@QAEHXZ
?GetBitmapAndPalette@CSplashWindow@@IAEHIAAVCBitmap@@AAVCPalette@@@Z
?GetMessageMap@CSplashWindow@@MBEPBUAFX_MSGMAP@@XZ
?GetThisMessageMap@CSplashWindow@@KGPBUAFX_MSGMAP@@XZ
?OnPaint@CSplashWindow@@IAEXXZ
?OnTimer@CSplashWindow@@IAEXI@Z
?PreTranslateMessage@CSplashWindow@@UAEHPAUtagMSG@@@Z
Sections
.text Size: 239KB - Virtual size: 239KB; flags: IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rdata Size: 129KB - Virtual size: 128KB; flags: IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.data Size: 43KB - Virtual size: 46KB; flags: IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
SapLogon Size: 8KB - Virtual size: 8KB; flags: IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc Size: 680KB - Virtual size: 680KB; flags: IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE