a82f36d7f6b368bbdc26d7b13add8795_JaffaCakes118

Sharing

Copy URL Twitter E-mail

General

Target

a82f36d7f6b368bbdc26d7b13add8795_JaffaCakes118
Size

127KB
MD5

a82f36d7f6b368bbdc26d7b13add8795
SHA1

3c05531abaf68d5dedcb710f0e34461223c1b7de
SHA256

48c30f45e5b7185cfa3f68b4932089b30c1e25770e8d2cf59baa0ef6f8e1237a
SHA512

5cac4b497efb1a0223a35e3567d8b9629af07e737be936cebd06528a38a4834f0b0361ef2f0e6ce251d788e033c44a166c4d7144741464377329837718e0037e
SSDEEP

1536:EvwVYg0KL7ivNv/qAF8lC7E1SU39X5rL98nXCAhoU8uMxpq2R8T2dK0:b0KL7Kv/qKcXGnhoU8txpF8wK0

Score

1^/10

Malware Config

Signatures

Files

a82f36d7f6b368bbdc26d7b13add8795_JaffaCakes118
.sys windows:6 windows x86 arch:x86

d28304c8164957eba87aff640ecd1675

Code Sign

47:8a:8e:fb:59:e1:d8:3f:0c:e1:42:d2:a2:87:07:be
Certificate

Issuer

CN=UTN-USERFirst-Object,OU=http://www.usertrust.com,O=The USERTRUST Network,L=Salt Lake City,ST=UT,C=US

Not Before

10/05/2010, 00:00

Not After

10/05/2015, 23:59

Subject

CN=COMODO Time Stamping Signer,O=COMODO CA Limited,L=Salford,ST=Greater Manchester,C=GB

Extended Key Usages

ExtKeyUsageTimeStamping

Key Usages

KeyUsageDigitalSignature
KeyUsageContentCommitment

25:0c:e8:e0:30:61:2e:9f:2b:89:f7:05:4d:7c:f8:fd
Certificate

Issuer

OU=Class 3 Public Primary Certification Authority,O=VeriSign\, Inc.,C=US

Not Before

08/11/2006, 00:00

Not After

07/11/2021, 23:59

Subject

CN=VeriSign Class 3 Public Primary Certification Authority - G5,OU=VeriSign Trust Network+OU=(c) 2006 VeriSign\, Inc. - For authorized use only,O=VeriSign\, Inc.,C=US

Extended Key Usages

ExtKeyUsageServerAuth
ExtKeyUsageClientAuth
ExtKeyUsageCodeSigning
ExtKeyUsageNetscapeServerGatedCrypto

Key Usages

KeyUsageCertSign
KeyUsageCRLSign

61:0c:12:06:00:00:00:00:00:1b
Certificate

Issuer

CN=Microsoft Code Verification Root,O=Microsoft Corporation,L=Redmond,ST=Washington,C=US

Not Before

23/05/2006, 17:01

Not After

23/05/2016, 17:11

Subject

OU=Class 3 Public Primary Certification Authority,O=VeriSign\, Inc.,C=US

Key Usages

KeyUsageDigitalSignature
KeyUsageCertSign
KeyUsageCRLSign

63:57:25:f2:49:31:91:f6:f4:f6:86:23:40:34:fe:80
Certificate

Issuer

CN=VeriSign Class 3 Code Signing 2010 CA,OU=VeriSign Trust Network+OU=Terms of use at https://www.verisign.com/rpa (c)10,O=VeriSign\, Inc.,C=US

Not Before

24/05/2011, 00:00

Not After

04/06/2013, 23:59

Subject

CN=Malwarebytes Corporation,OU=Digital ID Class 3 - Microsoft Software Validation v2,O=Malwarebytes Corporation,L=San Jose,ST=California,C=US

Extended Key Usages

ExtKeyUsageCodeSigning

Key Usages

KeyUsageDigitalSignature

52:00:e5:aa:25:56:fc:1a:86:ed:96:c9:d4:4b:33:c7
Certificate

Issuer

CN=VeriSign Class 3 Public Primary Certification Authority - G5,OU=VeriSign Trust Network+OU=(c) 2006 VeriSign\, Inc. - For authorized use only,O=VeriSign\, Inc.,C=US

Not Before

08/02/2010, 00:00

Not After

07/02/2020, 23:59

Subject

CN=VeriSign Class 3 Code Signing 2010 CA,OU=VeriSign Trust Network+OU=Terms of use at https://www.verisign.com/rpa (c)10,O=VeriSign\, Inc.,C=US

Extended Key Usages

ExtKeyUsageClientAuth
ExtKeyUsageCodeSigning

Key Usages

KeyUsageCertSign
KeyUsageCRLSign

30:4c:ed:32:a8:43:07:8f:11:23:ea:7c:b3:c2:2d:c1:54:e2:af:2c
Signer

Actual PE Digest

30:4c:ed:32:a8:43:07:8f:11:23:ea:7c:b3:c2:2d:c1:54:e2:af:2c

Digest Algorithm

sha1

PE Digest Matches

true

Headers

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_32BIT_MACHINE

PDB Paths

c:\work\mbamsw~1\FLT\binchk_wlh_x86\i386\mbamswissarmy32.pdb

Imports

ntoskrnl.exe

KeLeaveCriticalRegion
KeEnterCriticalRegion
CcWaitForCurrentLazyWriterActivity
KeInitializeTimer
ExFreePoolWithTag
RtlUpcaseUnicodeChar
ExAllocatePoolWithTag
memcpy
ZwQueryVolumeInformationFile
ZwClose
ZwOpenFile
MmUnmapLockedPages
MmMapLockedPagesSpecifyCache
FsRtlIsNameInExpression
RtlUpcaseUnicodeString
IoCreateFile
IoRegisterLastChanceShutdownNotification
ZwDisplayString
RtlCompareMemory
_allmul
IoGetDeviceAttachmentBaseRef
ObfReferenceObject
IoGetDeviceObjectPointer
swprintf
KeWaitForSingleObject
IofCallDriver
ExReleaseResourceLite
ExAcquireResourceExclusiveLite
IoBuildSynchronousFsdRequest
KeInitializeEvent
IofCompleteRequest
ExAllocatePool
ZwQueryValueKey
ZwOpenKey
_alldiv
_allrem
_allshl
_aulldiv
_aullrem
RtlDecompressBuffer
_allshr
RtlEqualUnicodeString
_wcsicmp
RtlOemToUnicodeN
IoStartPacket
IoSetHardErrorOrVerifyDevice
IoAllocateIrp
IoFreeIrp
IoFreeMdl
MmUnlockPages
IoStartNextPacket
IoWriteErrorLogEntry
IoAllocateErrorLogEntry
KeInitializeDpc
IoInitializeIrp
KefReleaseSpinLockFromDpcLevel
KefAcquireSpinLockAtDpcLevel
IoGetDriverObjectExtension
MmIsAddressValid
RtlAppendUnicodeToString
ObQueryNameString
RtlAppendUnicodeStringToString
RtlCopyUnicodeString
ObReferenceObjectByHandle
ZwQuerySymbolicLinkObject
ZwOpenSymbolicLinkObject
FsRtlDissectName
RtlVolumeDeviceToDosName
wcschr
IoFileObjectType
RtlAnsiStringToUnicodeString
strchr
RtlInitAnsiString
strstr
ZwQuerySystemInformation
toupper
towupper
RtlEqualString
ZwUnmapViewOfSection
ZwMapViewOfSection
ZwCreateSection
wcsncpy
ObCreateObject
IoDriverObjectType
RtlUnicodeStringToAnsiString
ObReferenceObjectByName
RtlFreeUnicodeString
ZwWriteFile
ZwCreateFile
RtlTimeToTimeFields
ExSystemTimeToLocalTime
KeQuerySystemTime
_vsnwprintf
IoGetLowerDeviceObject
KeTickCount
KeBugCheckEx
RtlUnwind
KeSetTimer
KeBugCheck
RtlAssert
IoDeleteSymbolicLink
ObfDereferenceObject
memset
IoCreateDevice
RtlInitUnicodeString
DbgPrint
IoCreateSymbolicLink
_vsnprintf
IoDeleteDevice

hal

KfAcquireSpinLock
KfReleaseSpinLock
KfRaiseIrql
KfLowerIrql
HalReturnToFirmware
KeGetCurrentIrql
KeRaiseIrqlToDpcLevel

classpnp.sys

ClassReleaseRemoveLock
ClassCompleteRequest
ClassAcquireRemoveLockEx

Sections

.text
Size: 91KB - Virtual size: 91KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rdata
Size: 1024B - Virtual size: 820B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.data
Size: 13KB - Virtual size: 16KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

NONPAGE
Size: 512B - Virtual size: 4B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

PAGE
Size: 3KB - Virtual size: 3KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

INIT
Size: 4KB - Virtual size: 3KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.rsrc
Size: 1024B - Virtual size: 1008B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ

.reloc
Size: 4KB - Virtual size: 3KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ

Sharing

General

Malware Config

Signatures

Files

d28304c8164957eba87aff640ecd1675

Code Sign

47:8a:8e:fb:59:e1:d8:3f:0c:e1:42:d2:a2:87:07:beCertificate

Extended Key Usages

Key Usages

25:0c:e8:e0:30:61:2e:9f:2b:89:f7:05:4d:7c:f8:fdCertificate

Extended Key Usages

Key Usages

61:0c:12:06:00:00:00:00:00:1bCertificate

Key Usages

63:57:25:f2:49:31:91:f6:f4:f6:86:23:40:34:fe:80Certificate

Extended Key Usages

Key Usages

52:00:e5:aa:25:56:fc:1a:86:ed:96:c9:d4:4b:33:c7Certificate

Extended Key Usages

Key Usages

30:4c:ed:32:a8:43:07:8f:11:23:ea:7c:b3:c2:2d:c1:54:e2:af:2cSigner

Headers

File Characteristics

PDB Paths

Imports

ntoskrnl.exe

hal

classpnp.sys

Sections

.text Size: 91KB - Virtual size: 91KB

.rdata Size: 1024B - Virtual size: 820B

.data Size: 13KB - Virtual size: 16KB

NONPAGE Size: 512B - Virtual size: 4B

PAGE Size: 3KB - Virtual size: 3KB

INIT Size: 4KB - Virtual size: 3KB

.rsrc Size: 1024B - Virtual size: 1008B

.reloc Size: 4KB - Virtual size: 3KB

47:8a:8e:fb:59:e1:d8:3f:0c:e1:42:d2:a2:87:07:be
Certificate

25:0c:e8:e0:30:61:2e:9f:2b:89:f7:05:4d:7c:f8:fd
Certificate

61:0c:12:06:00:00:00:00:00:1b
Certificate

63:57:25:f2:49:31:91:f6:f4:f6:86:23:40:34:fe:80
Certificate

52:00:e5:aa:25:56:fc:1a:86:ed:96:c9:d4:4b:33:c7
Certificate

30:4c:ed:32:a8:43:07:8f:11:23:ea:7c:b3:c2:2d:c1:54:e2:af:2c
Signer

.text
Size: 91KB - Virtual size: 91KB

.rdata
Size: 1024B - Virtual size: 820B

.data
Size: 13KB - Virtual size: 16KB

NONPAGE
Size: 512B - Virtual size: 4B

PAGE
Size: 3KB - Virtual size: 3KB

INIT
Size: 4KB - Virtual size: 3KB

.rsrc
Size: 1024B - Virtual size: 1008B

.reloc
Size: 4KB - Virtual size: 3KB