H:\KmdKit4D\samples\GPE\Gpe.pdb
Static task
static1
General
-
Target
ae42fa07bd17f800133976cb739cbace_JaffaCakes118
-
Size
299KB
-
MD5
ae42fa07bd17f800133976cb739cbace
-
SHA1
5af7b1911cd64d90c81dbf3b02a21ac6ac761f16
-
SHA256
30c6b2875fae08f4f99e987f4b6722f3224f2f32fbd1187e2ff2c535e8972821
-
SHA512
6c3e03663300a45e6b0026b0def748de4be67f3e213267990199190ad747ce589dcb1f7b9bb0282e8e8d21ed340e6c4288fc0cb6174301c41b658a018b61bfb2
-
SSDEEP
6144:15d8DB1ITH9kwM7xBTyMf/qbKg51fDIS075TraIK8udk+l:WD7IxkpxBTRf/qBfUP9KIM2e
Malware Config
Signatures
-
Unsigned PE 1 IoCs
Checks for missing Authenticode signature: the PE carries no embedded code-signing certificate, so there is no publisher identity to pivot on. For a kernel driver this matters because 64-bit Windows refuses unsigned drivers under driver signature enforcement; this image is 32-bit x86 (see Files), where mandatory kernel-mode code signing is not enforced, so the lack of a signature does not by itself prevent loading. Treat the missing signature as a supporting indicator, not a verdict.
resource ae42fa07bd17f800133976cb739cbace_JaffaCakes118
Files
-
ae42fa07bd17f800133976cb739cbace_JaffaCakes118.sys windows:5 windows x86 arch:x86
76dcd97ff868eab72f565ee09496e04a
Headers
File Characteristics
IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_32BIT_MACHINE
PDB Paths
Imports (ntoskrnl.exe and hal; several of the names below are high-signal for a driver and worth manual review regardless of how they are used here: KeServiceDescriptorTable (SSDT access), Ke386QueryIoAccessMap/Ke386SetIoAccessMap/Ke386IoSetAccessProcess (per-process I/O port access map), WRITE_PORT_UCHAR, KdDisableDebugger, PsSetCreateProcessNotifyRoutine and PsSetLoadImageNotifyRoutine (process/image-load callbacks), and the ZwOpenProcess/KeAttachProcess/ZwDuplicateObject group (cross-process handle and memory access). The import list alone does not establish what the driver does with them.)
ntoskrnl.exe
ExAllocatePool
ZwQuerySystemInformation
ExFreePool
NtBuildNumber
wcsncpy
_itow
wcscat
wcslen
PsLookupProcessByProcessId
KeAttachProcess
ObReferenceObjectByHandle
ObQueryNameString
_wcsnicmp
KeDetachProcess
ZwOpenProcess
ZwDuplicateObject
ZwQueryObject
ZwClose
ZwQueryInformationProcess
IoFileObjectType
ObReferenceObjectByPointer
RtlVolumeDeviceToDosName
RtlCopyUnicodeString
RtlAppendUnicodeStringToString
MmSectionObjectType
ExAllocatePoolWithTag
memcpy
ExFreePoolWithTag
RtlCompareMemory
strcpy
strcat
RtlInitAnsiString
RtlAnsiStringToUnicodeString
ZwCreateFile
ZwQueryInformationFile
ZwReadFile
RtlFreeUnicodeString
ZwOpenFile
ZwCreateSection
ZwMapViewOfSection
strcmp
ZwUnmapViewOfSection
strlen
PsThreadType
IoThreadToProcess
PsProcessType
KeSetEvent
IoFreeMdl
IoFreeIrp
ObCreateObject
IoAllocateIrp
KeInitializeEvent
SeCreateAccessState
IoGetFileObjectGenericMapping
KeGetCurrentThread
KeWaitForSingleObject
IoGetRelatedDeviceObject
IoAllocateMdl
MmBuildMdlForNonPagedPool
IoCreateFile
strrchr
_strlwr
wcsrchr
PsGetCurrentProcessId
IoStopTimer
IoInitializeTimer
IoStartTimer
IoGetRequestorSessionId
ExEventObjectType
PsSetCreateProcessNotifyRoutine
IoDeleteSymbolicLink
IoDeleteDevice
_strnicmp
KdDisableDebugger
MmAllocateNonCachedMemory
Ke386QueryIoAccessMap
Ke386SetIoAccessMap
Ke386IoSetAccessProcess
MmFreeNonCachedMemory
KeServiceDescriptorTable
IoCreateDevice
IoCreateSymbolicLink
PsSetLoadImageNotifyRoutine
IoGetCurrentProcess
MmIsAddressValid
memset
MmGetSystemRoutineAddress
RtlInitUnicodeString
MmMapLockedPagesSpecifyCache
ExInterlockedFlushSList
ExInterlockedPopEntrySList
ExInterlockedPushEntrySList
InterlockedExchange
IofCompleteRequest
KefAcquireSpinLockAtDpcLevel
KefReleaseSpinLockFromDpcLevel
ObfDereferenceObject
RtlPrefetchMemoryNonTemporal
RtlUshortByteSwap
RtlUlongByteSwap
RtlUlonglongByteSwap
IofCallDriver
MmGetPhysicalAddress
InterlockedDecrement
InterlockedIncrement
RtlCompareString
RtlInitString
InterlockedPushEntrySList
PsTerminateSystemThread
MmUnmapViewOfSection
KeSetPriorityThread
ExDeleteNPagedLookasideList
ZwQuerySymbolicLinkObject
ZwOpenSymbolicLinkObject
RtlEqualUnicodeString
RtlFreeAnsiString
strncpy
RtlAppendUnicodeToString
strchr
strncmp
RtlUnicodeStringToAnsiString
ZwSetValueKey
ZwCreateKey
KeCancelTimer
ExfInterlockedRemoveHeadList
ExfInterlockedInsertHeadList
KeWaitForMultipleObjects
KeSetTimerEx
KeInitializeTimerEx
ZwQueryValueKey
ZwOpenKey
KeQueryTimeIncrement
PsCreateSystemThread
ExInitializeNPagedLookasideList
InterlockedPopEntrySList
IoBuildDeviceIoControlRequest
ExfInterlockedInsertTailList
KeTickCount
_alldiv
_allmul
MmUnmapLockedPages
KeNumberProcessors
KeSetAffinityThread
MmMapLockedPages
MmProbeAndLockPages
_except_handler3
IoCancelIrp
ZwEnumerateKey
ZwQueryKey
KdEnteredDebugger
PsGetVersion
hal
KfAcquireSpinLock
WRITE_PORT_UCHAR
KfRaiseIrql
KfLowerIrql
KeGetCurrentIrql
KfReleaseSpinLock
Sections (note the non-standard .GPE0 and .GPE1 sections: .GPE1 is 224KB of the 299KB file and is flagged executable without IMAGE_SCN_MEM_READ, and INIT is flagged writable. These layouts may be normal for a KmdKit4D build, as the PDB path suggests — compare against a known-clean build of that toolkit before reading them as packing or tampering.)
.text Size: 50KB - Virtual size: 50KB
IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ
.rdata Size: 3KB - Virtual size: 2KB
IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
.data Size: 1024B - Virtual size: 1KB
IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE
INIT Size: 4KB - Virtual size: 3KB
IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE
.rsrc Size: 1024B - Virtual size: 832B
IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
.GPE0 Size: 4KB - Virtual size: 3KB
IMAGE_SCN_CNT_CODE
IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ
.GPE1 Size: 224KB - Virtual size: 224KB
IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
.reloc Size: 10KB - Virtual size: 10KB
IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ