ae67bcb4313cb87c9a886b4a6c0b078b_JaffaCakes118

Sharing

Copy URL Twitter E-mail

General

Target

ae67bcb4313cb87c9a886b4a6c0b078b_JaffaCakes118
Size

712KB
MD5

ae67bcb4313cb87c9a886b4a6c0b078b
SHA1

f67a09f5e45209f762ad5a18ff117fd085e88c2c
SHA256

b57dbd956e0350bad4fb15743a773763dc2680536d00a26ba0cbb7ba412209b2
SHA512

6149aaa425f210c1ae7ed0aeb3cd29bd012af73de6d5583c22d92434b38fc056799fb007e68503031cfdd43661fd9dbf66c92e40ba6d4f9d670517a08cc996b6
SSDEEP

12288:0iW5FNgXyF7LG4VTUh5pAu4VNmy45rXUZG2E0GfrK/SUcsj9d:0iafWQK4Vu3Gmy45rutBGfrKKUcyH

Score

3^/10

Malware Config

Signatures

Unsigned PE 10 IoCs

Checks for missing Authenticode signature.

resource
ae67bcb4313cb87c9a886b4a6c0b078b_JaffaCakes118
unpack001/$PLUGINSDIR/InstallOptions.dll
unpack001/$PLUGINSDIR/System.dll
unpack001/EasyBCD.exe
unpack001/bin/BootGrabber.exe
unpack001/bin/NST Downloader.exe
unpack001/bin/bcdboot.exe
unpack001/bin/bcdedit.exe
unpack001/bin/bootpart.exe
unpack001/bin/bootsect.exe

NSIS installer 2 IoCs

installer

resource	yara_rule
sample	nsis_installer_1
sample	nsis_installer_2

Files

ae67bcb4313cb87c9a886b4a6c0b078b_JaffaCakes118
.exe windows:4 windows x86 arch:x86

099c0646ea7282d232219f8807883be0

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE

File Characteristics

IMAGE_FILE_RELOCS_STRIPPED
IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LINE_NUMS_STRIPPED
IMAGE_FILE_LOCAL_SYMS_STRIPPED
IMAGE_FILE_32BIT_MACHINE

Imports

kernel32

CompareFileTime
SearchPathA
GetShortPathNameA
GetFullPathNameA
MoveFileA
SetCurrentDirectoryA
GetFileAttributesA
GetLastError
CreateDirectoryA
SetFileAttributesA
Sleep
GetTickCount
CreateFileA
GetFileSize
GetModuleFileNameA
GetCurrentProcess
CopyFileA
ExitProcess
SetFileTime
GetTempPathA
GetCommandLineA
SetErrorMode
LoadLibraryA
lstrcpynA
GetDiskFreeSpaceA
GlobalUnlock
GlobalLock
CreateThread
CreateProcessA
RemoveDirectoryA
GetTempFileNameA
lstrlenA
lstrcatA
GetSystemDirectoryA
GetVersion
CloseHandle
lstrcmpiA
lstrcmpA
ExpandEnvironmentStringsA
GlobalFree
GlobalAlloc
WaitForSingleObject
GetExitCodeProcess
GetModuleHandleA
LoadLibraryExA
GetProcAddress
FreeLibrary
MultiByteToWideChar
WritePrivateProfileStringA
GetPrivateProfileStringA
WriteFile
ReadFile
MulDiv
SetFilePointer
FindClose
FindNextFileA
FindFirstFileA
DeleteFileA
GetWindowsDirectoryA

user32

EndDialog
ScreenToClient
GetWindowRect
EnableMenuItem
GetSystemMenu
SetClassLongA
IsWindowEnabled
SetWindowPos
GetSysColor
GetWindowLongA
SetCursor
LoadCursorA
CheckDlgButton
GetMessagePos
LoadBitmapA
CallWindowProcA
IsWindowVisible
CloseClipboard
SetClipboardData
EmptyClipboard
RegisterClassA
TrackPopupMenu
AppendMenuA
CreatePopupMenu
GetSystemMetrics
SetDlgItemTextA
GetDlgItemTextA
MessageBoxIndirectA
CharPrevA
DispatchMessageA
PeekMessageA
DestroyWindow
CreateDialogParamA
SetTimer
SetWindowTextA
PostQuitMessage
SetForegroundWindow
wsprintfA
SendMessageTimeoutA
FindWindowExA
SystemParametersInfoA
CreateWindowExA
GetClassInfoA
DialogBoxParamA
CharNextA
OpenClipboard
ExitWindowsEx
IsWindow
GetDlgItem
SetWindowLongA
LoadImageA
GetDC
EnableWindow
InvalidateRect
SendMessageA
DefWindowProcA
BeginPaint
GetClientRect
FillRect
DrawTextA
EndPaint
ShowWindow

gdi32

SetBkColor
GetDeviceCaps
DeleteObject
CreateBrushIndirect
CreateFontIndirectA
SetBkMode
SetTextColor
SelectObject

shell32

SHGetPathFromIDListA
SHBrowseForFolderA
SHGetFileInfoA
ShellExecuteA
SHFileOperationA
SHGetSpecialFolderLocation

advapi32

RegQueryValueExA
RegSetValueExA
RegEnumKeyA
RegEnumValueA
RegOpenKeyExA
RegDeleteKeyA
RegDeleteValueA
RegCloseKey
RegCreateKeyExA

comctl32

ImageList_AddMasked
ImageList_Destroy
ord17
ImageList_Create

ole32

CoTaskMemFree
OleInitialize
OleUninitialize
CoCreateInstance

version

GetFileVersionInfoSizeA
GetFileVersionInfoA
VerQueryValueA

Sections

.text
Size: 23KB - Virtual size: 22KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rdata
Size: 4KB - Virtual size: 4KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.data
Size: 1024B - Virtual size: 107KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.ndata
Size: - Virtual size: 36KB

IMAGE_SCN_CNT_UNINITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.rsrc
Size: 19KB - Virtual size: 18KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
$PLUGINSDIR/InstallOptions.dll
.dll windows:4 windows x86 arch:x86

b1cd0d78f652ce5fc63f0879371af012

Headers

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LINE_NUMS_STRIPPED
IMAGE_FILE_LOCAL_SYMS_STRIPPED
IMAGE_FILE_32BIT_MACHINE
IMAGE_FILE_DLL

Imports

kernel32

SetCurrentDirectoryA
GetCurrentDirectoryA
MultiByteToWideChar
GetPrivateProfileIntA
GlobalLock
GetModuleHandleA
lstrcmpiA
GetPrivateProfileStringA
lstrcatA
lstrcpynA
WritePrivateProfileStringA
lstrlenA
lstrcpyA
GlobalFree
GlobalUnlock
GlobalAlloc

user32

MapWindowPoints
GetDlgCtrlID
CloseClipboard
GetClipboardData
OpenClipboard
PtInRect
SetWindowRgn
LoadIconA
LoadImageA
SetWindowLongA
CreateWindowExA
MapDialogRect
SetWindowPos
GetWindowRect
CreateDialogParamA
ShowWindow
EnableMenuItem
GetSystemMenu
EnableWindow
GetDlgItem
DestroyIcon
DestroyWindow
DispatchMessageA
TranslateMessage
GetMessageA
IsDialogMessageA
LoadCursorA
SetCursor
DrawTextA
GetWindowLongA
DrawFocusRect
CallWindowProcA
PostMessageA
MessageBoxA
CharNextA
wsprintfA
GetWindowTextA
SetWindowTextA
SendMessageA
GetClientRect

gdi32

SetTextColor
CreateCompatibleDC
GetObjectA
GetDIBits
CreateRectRgn
CombineRgn
DeleteObject
SelectObject

shell32

SHBrowseForFolderA
SHGetDesktopFolder
SHGetPathFromIDListA
ShellExecuteA

comdlg32

GetOpenFileNameA
GetSaveFileNameA
CommDlgExtendedError

ole32

CoTaskMemFree

Exports

Exports

dialog
initDialog
show

Sections

.text
Size: 7KB - Virtual size: 6KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rdata
Size: 2KB - Virtual size: 2KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.data
Size: 2KB - Virtual size: 10KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.rsrc
Size: 512B - Virtual size: 152B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.reloc
Size: 1KB - Virtual size: 1KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ
$PLUGINSDIR/System.dll
.dll windows:4 windows x86 arch:x86

2017f2acbdaa42ab3e4adeb8b4c37e7b

Headers

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LINE_NUMS_STRIPPED
IMAGE_FILE_LOCAL_SYMS_STRIPPED
IMAGE_FILE_32BIT_MACHINE
IMAGE_FILE_DLL

Imports

kernel32

GlobalAlloc
GlobalFree
GlobalSize
GetLastError
lstrcpyA
lstrcpynA
FreeLibrary
lstrcatA
GetProcAddress
LoadLibraryA
GetModuleHandleA
MultiByteToWideChar
lstrlenA
WideCharToMultiByte
VirtualAlloc
VirtualProtect

user32

wsprintfA

ole32

StringFromGUID2
CLSIDFromString

Exports

Exports

Alloc
Call
Copy
Free
Get
Int64Op
Store

Sections

.text
Size: 7KB - Virtual size: 7KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rdata
Size: 1024B - Virtual size: 784B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.data
Size: 512B - Virtual size: 100B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.reloc
Size: 1024B - Virtual size: 520B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ
$PLUGINSDIR/ioSpecial.ini
$PLUGINSDIR/modern-wizard.bmp
EasyBCD.exe
.exe windows:4 windows x86 arch:x86

f34d5f2d4577ed6d9ceec516c1f5a744

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
IMAGE_DLLCHARACTERISTICS_NX_COMPAT
IMAGE_DLLCHARACTERISTICS_NO_SEH
IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_32BIT_MACHINE

PDB Paths

I:\EasyBCD\EasyBCD\bin\optimized\EasyBCD.pdb

Imports

mscoree

_CorExeMain

Sections

.rsrc
Size: 84KB - Virtual size: 84KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.text
Size: 823KB - Virtual size: 822KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.reloc
Size: 512B - Virtual size: 12B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ
EasyBCD.exe.config
.xml
bin/BootGrabber.exe
.exe windows:5 windows x86 arch:x86

6e4e8adbc1ccdb4003389ec90ecb7cac

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
IMAGE_DLLCHARACTERISTICS_NX_COMPAT
IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_32BIT_MACHINE

PDB Paths

J:\EasyBCD\Release\BootGrabber.pdb

Imports

kernel32

GetVolumeInformationW
GetVolumePathNamesForVolumeNameW
FindVolumeClose
FindNextVolumeW
LocalFree
LoadResource
LockResource
SizeofResource
FindFirstVolumeW
FindResourceExW
CreateFileW
WaitForSingleObject
GetCurrentProcess
DefineDosDeviceW
GetFileAttributesW
WriteFile
DeviceIoControl
ReadFile
CloseHandle
GetLastError
FreeLibrary
GetProcAddress
FindResourceW
LoadLibraryW
WriteConsoleW
SetStdHandle
HeapDestroy
HeapAlloc
HeapFree
HeapReAlloc
HeapSize
GetProcessHeap
RaiseException
EnterCriticalSection
LeaveCriticalSection
InitializeCriticalSectionAndSpinCount
DeleteCriticalSection
DecodePointer
EncodePointer
GetCommandLineW
HeapSetInformation
TerminateProcess
UnhandledExceptionFilter
SetUnhandledExceptionFilter
IsDebuggerPresent
GetStdHandle
GetModuleFileNameW
IsProcessorFeaturePresent
GetCPInfo
InterlockedIncrement
InterlockedDecrement
GetACP
GetOEMCP
IsValidCodePage
TlsAlloc
TlsGetValue
TlsSetValue
TlsFree
GetModuleHandleW
SetLastError
GetCurrentThreadId
ExitProcess
FreeEnvironmentStringsW
GetEnvironmentStringsW
SetHandleCount
GetFileType
GetStartupInfoW
HeapCreate
QueryPerformanceCounter
GetTickCount
GetCurrentProcessId
GetSystemTimeAsFileTime
Sleep
RtlUnwind
SetFilePointer
WideCharToMultiByte
GetConsoleCP
GetConsoleMode
MultiByteToWideChar
LCMapStringW
GetStringTypeW
FlushFileBuffers

advapi32

LookupPrivilegeValueW
FreeSid
OpenProcessToken
SetNamedSecurityInfoW
SetEntriesInAclW
AllocateAndInitializeSid
AdjustTokenPrivileges

version

GetFileVersionInfoW
GetFileVersionInfoSizeW
VerQueryValueW

Sections

.text
Size: 70KB - Virtual size: 69KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rdata
Size: 20KB - Virtual size: 20KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.data
Size: 4KB - Virtual size: 11KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.rsrc
Size: 1KB - Virtual size: 1KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.reloc
Size: 7KB - Virtual size: 6KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ
bin/NST Downloader.exe
.exe windows:4 windows x86 arch:x86

f34d5f2d4577ed6d9ceec516c1f5a744

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
IMAGE_DLLCHARACTERISTICS_NX_COMPAT
IMAGE_DLLCHARACTERISTICS_NO_SEH
IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_32BIT_MACHINE

PDB Paths

D:\SVN\NST Downloader\trunk\NST Downloader\obj\Release\NST Downloader.pdb

Imports

mscoree

_CorExeMain

Sections

.text
Size: 9KB - Virtual size: 9KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rsrc
Size: 2KB - Virtual size: 1KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.reloc
Size: 512B - Virtual size: 12B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ
bin/bcdboot.exe
.exe windows:6 windows x86 arch:x86

1a16d1b3988c58f85caa16730bac4ae7

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
IMAGE_DLLCHARACTERISTICS_NX_COMPAT
IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_32BIT_MACHINE

PDB Paths

bcdboot.pdb

Imports

kernel32

SetUnhandledExceptionFilter
OutputDebugStringA
GetModuleHandleA
Sleep
InterlockedExchange
QueryPerformanceCounter
GetTickCount
GetCurrentThreadId
GetCurrentProcessId
GetSystemTimeAsFileTime
TerminateProcess
LoadLibraryW
GetProcAddress
FreeLibrary
FormatMessageW
GetStdHandle
GetFileType
GetConsoleMode
WriteConsoleW
GetConsoleOutputCP
WideCharToMultiByte
GetProcessHeap
HeapAlloc
WriteFile
HeapFree
GetModuleFileNameW
GetLastError
InterlockedCompareExchange
SetLastError
UnhandledExceptionFilter
LoadLibraryExW
QueryDosDeviceW
LocalFree
GetFileAttributesW
GetVolumeInformationW
GetVolumePathNameW
SetFileAttributesW
FindClose
FindNextFileW
FindFirstFileW
CreateFileW
GetCurrentThread
CloseHandle
UnmapViewOfFile
MapViewOfFile
CreateFileMappingW
GetFileSizeEx
GetLocaleInfoW
DeviceIoControl
CopyFileExW
GetFullPathNameW
CreateDirectoryW
GetVersionExW
GetCurrentProcess
SearchPathW
GetUserDefaultUILanguage
GetSystemDefaultUILanguage
LoadResource
FindResourceExW

msvcrt

bsearch
wcsstr
strncmp
wcsncmp
ungetc
_isatty
_write
_lseeki64
_fileno
_wcsnicmp
__pioinfo
__badioinfo
realloc
wcstombs
ferror
wctomb
_itoa
_snprintf
localeconv
isxdigit
isleadbyte
mbtowc
isdigit
calloc
fwprintf
fflush
_read
wcsrchr
_controlfp
?terminate@@YAXXZ
iswctype
free
malloc
memcpy
memset
__set_app_type
__p__fmode
__p__commode
__setusermatherr
_amsg_exit
_initterm
exit
_XcptFilter
_exit
_cexit
__wgetmainargs
_iob
__mb_cur_max
wcschr
_vsnwprintf
_wcsupr
_wcslwr
_errno
_wsetlocale
_wcsicmp
wcstoul

imagehlp

CheckSumMappedFile

shlwapi

PathRemoveBackslashW

ntdll

NtAllocateUuids
NtOpenSymbolicLinkObject
NtQuerySymbolicLinkObject
RtlGetVersion
NtResetEvent
LdrGetDllHandle
RtlInitAnsiString
LdrGetProcedureAddress
NtDeleteKey
NtCreateFile
NtSaveKey
NtSetValueKey
NtQueryValueKey
NtDeleteValueKey
NtCreateKey
NtSetSecurityObject
RtlAllocateAndInitializeSid
RtlLengthSid
RtlCreateAcl
RtlAddAccessAllowedAceEx
RtlCreateSecurityDescriptor
RtlSetDaclSecurityDescriptor
RtlLengthSecurityDescriptor
RtlSetOwnerSecurityDescriptor
NtOpenThreadToken
NtOpenProcessToken
NtAdjustPrivilegesToken
NtLoadKey
NtUnloadKey
NtQueryAttributesFile
NtQueryKey
NtEnumerateKey
NtOpenKey
RtlFreeUnicodeString
RtlStringFromGUID
RtlAllocateHeap
RtlFreeHeap
NtSetInformationFile
LdrFindResource_U
LdrAccessResource
NtQueryInformationFile
NtOpenProcess
NtQueryInformationProcess
NtSetInformationThread
NtOpenFile
NtCreateEvent
NtDeviceIoControlFile
NtWaitForSingleObject
NtQueryInformationThread
NtClose
NtQuerySystemInformation
RtlNtStatusToDosError
RtlCompareMemory
RtlUnwind
RtlInitUnicodeString
RtlGUIDFromString
RtlFreeSid

version

VerQueryValueW
GetFileVersionInfoW
GetFileVersionInfoSizeW

advapi32

LookupPrivilegeValueW
OpenThreadToken
SetNamedSecurityInfoW
GetSecurityDescriptorSacl
GetSecurityDescriptorDacl
GetSecurityDescriptorGroup
GetSecurityDescriptorOwner
GetSecurityDescriptorControl
ConvertStringSecurityDescriptorToSecurityDescriptorW
AdjustTokenPrivileges
ConvertSidToStringSidW
GetTokenInformation
RegCloseKey
RegQueryValueExW
RegOpenKeyExW
OpenProcessToken

Sections

.text
Size: 128KB - Virtual size: 128KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.data
Size: 1024B - Virtual size: 1KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.rsrc
Size: 5KB - Virtual size: 4KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.reloc
Size: 7KB - Virtual size: 7KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ
bin/bcdedit.exe
.exe windows:6 windows x86 arch:x86

aea7ec4000ea25c8f07648a3a844869b

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
IMAGE_DLLCHARACTERISTICS_NX_COMPAT
IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_32BIT_MACHINE

PDB Paths

bcdedit.pdb

Imports

kernel32

GetConsoleOutputCP
WriteConsoleW
GetConsoleMode
GetFileType
GetStdHandle
DeviceIoControl
CloseHandle
CreateFileW
GetModuleFileNameW
SetLastError
FreeLibrary
GetProcAddress
LoadLibraryW
LocalFree
FormatMessageW
WideCharToMultiByte
LoadLibraryExW
LoadResource
FindResourceExW
UnhandledExceptionFilter
GetCurrentProcess
TerminateProcess
GetSystemTimeAsFileTime
GetCurrentProcessId
GetCurrentThreadId
GetTickCount
QueryPerformanceCounter
GetModuleHandleA
SetUnhandledExceptionFilter
OutputDebugStringA
InterlockedCompareExchange
Sleep
InterlockedExchange
WriteFile
QueryDosDeviceW
GetLastError
CreateFileMappingW
GetVersionExW
GetLocaleInfoW
UnmapViewOfFile
GetSystemDefaultUILanguage
GetUserDefaultUILanguage
SearchPathW
MapViewOfFile

msvcrt

__wgetmainargs
_cexit
_exit
_XcptFilter
exit
_initterm
_amsg_exit
__setusermatherr
__p__commode
__set_app_type
memmove
malloc
free
iswctype
?terminate@@YAXXZ
_controlfp
calloc
isdigit
mbtowc
isleadbyte
isxdigit
localeconv
_snprintf
_itoa
wctomb
ferror
wcstombs
realloc
__badioinfo
__pioinfo
_read
_fileno
_lseeki64
_write
_isatty
ungetc
bsearch
wcsncmp
strncmp
wcsstr
wcsrchr
_iob
__mb_cur_max
_wcsupr
_wcslwr
_errno
_wsetlocale
iswspace
towupper
_vsnwprintf
memcpy
memset
wcschr
_wcsicmp
wcstoul
_wcsnicmp
__p__fmode

ntdll

RtlUnwind
RtlStringFromGUID
NtOpenFile
NtClose
RtlGUIDFromString
RtlDosPathNameToNtPathName_U
RtlInitUnicodeString
RtlFreeUnicodeString
RtlCompareMemory
RtlAllocateHeap
RtlNtStatusToDosError
RtlFreeHeap
NtQuerySystemInformation
NtWaitForSingleObject
NtDeviceIoControlFile
NtCreateEvent
NtOpenKey
NtEnumerateKey
NtQueryKey
NtQueryAttributesFile
NtUnloadKey
NtLoadKey
NtAdjustPrivilegesToken
NtOpenProcessToken
NtOpenThreadToken
RtlFreeSid
RtlSetOwnerSecurityDescriptor
RtlLengthSecurityDescriptor
RtlSetDaclSecurityDescriptor
RtlCreateSecurityDescriptor
RtlAddAccessAllowedAceEx
RtlCreateAcl
RtlLengthSid
RtlAllocateAndInitializeSid
NtSetSecurityObject
NtCreateKey
NtDeleteValueKey
NtQueryValueKey
NtSetValueKey
NtSaveKey
NtCreateFile
NtDeleteKey
LdrGetProcedureAddress
RtlInitAnsiString
LdrGetDllHandle
NtDeleteFile
NtQueryInformationFile
NtQueryVolumeInformationFile
NtResetEvent
RtlGetVersion
NtQuerySymbolicLinkObject
NtOpenSymbolicLinkObject
NtAllocateUuids

advapi32

RegCloseKey
RegOpenKeyExW
RegQueryValueExW

Sections

.text
Size: 143KB - Virtual size: 143KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.data
Size: 1024B - Virtual size: 1KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.rsrc
Size: 135KB - Virtual size: 134KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.reloc
Size: 7KB - Virtual size: 7KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ
bin/bootpart.exe
.exe windows:4 windows x86 arch:x86

a1b806c525c5e26ea0bf18cd8572ce80

Headers

File Characteristics

IMAGE_FILE_RELOCS_STRIPPED
IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LINE_NUMS_STRIPPED
IMAGE_FILE_LOCAL_SYMS_STRIPPED
IMAGE_FILE_32BIT_MACHINE

Imports

crtdll

memcpy
sprintf
strncmp
strlen
strcpy
atoi
_strcmpi
printf
memset
strcmp
_getch
strcat
_exit
_XcptFilter
exit
_initterm
__GetMainArgs
_commode_dll
_fmode_dll
_global_unwind2
_local_unwind2

kernel32

CreateFileA
OpenFile
SetFilePointer
SetErrorMode
_lwrite
_lclose
GetFileAttributesA
ReadFile
lstrcatA
GetLastError
SetFileAttributesA
DeviceIoControl
_lread
CloseHandle
GetVersion

user32

wsprintfA

Sections

.text
Size: 5KB - Virtual size: 4KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rdata
Size: 9KB - Virtual size: 8KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.data
Size: 512B - Virtual size: 536B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE
bin/bootsect.exe
.exe windows:6 windows x86 arch:x86

11ee6a8ad6acd010c04212b386d12fef

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
IMAGE_DLLCHARACTERISTICS_NX_COMPAT
IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_32BIT_MACHINE

PDB Paths

bootsect.pdb

Imports

kernel32

SetFilePointer
LocalFree
FormatMessageW
GetModuleFileNameW
ReadFile
GetCurrentProcess
TerminateProcess
GetSystemTimeAsFileTime
GetCurrentProcessId
GetCurrentThreadId
GetTickCount
QueryPerformanceCounter
GetModuleHandleA
SetUnhandledExceptionFilter
OutputDebugStringA
InterlockedCompareExchange
Sleep
InterlockedExchange
WriteFile
GetLastError
QueryDosDeviceW
FindResourceExW
LoadResource
SetLastError
LoadLibraryExW
MapViewOfFile
CloseHandle
CreateFileMappingW
CreateFileW
GetVersionExW
GetLocaleInfoW
FreeLibrary
UnmapViewOfFile
GetSystemDefaultUILanguage
GetUserDefaultUILanguage
SearchPathW
UnhandledExceptionFilter

msvcrt

exit
_initterm
_amsg_exit
__setusermatherr
__p__commode
__p__fmode
__set_app_type
malloc
_XcptFilter
iswctype
?terminate@@YAXXZ
_controlfp
calloc
isdigit
mbtowc
isleadbyte
isxdigit
localeconv
_snprintf
_itoa
wctomb
ferror
wcstombs
realloc
__badioinfo
__pioinfo
_read
_fileno
_lseeki64
_write
_isatty
ungetc
wcsstr
bsearch
wcsncmp
_exit
_cexit
__getmainargs
_iob
__mb_cur_max
_wcslwr
_errno
iswxdigit
memset
printf
_vsnwprintf
_stricmp
isalpha
_wcsnicmp
_wcsicmp
memcpy
free

ntdll

RtlUnwind
NtOpenDirectoryObject
NtQueryDirectoryObject
NtOpenSymbolicLinkObject
NtQuerySymbolicLinkObject
NtCreateEvent
NtDeviceIoControlFile
NtWaitForSingleObject
NtResetEvent
RtlFreeHeap
RtlAllocateHeap
RtlNtStatusToDosError
RtlInitUnicodeString
NtOpenFile
NtClose
NtFsControlFile
NtQueryVolumeInformationFile
NtQuerySystemInformation
NtOpenKey
NtQueryValueKey

advapi32

RegCloseKey
RegOpenKeyExW
RegQueryValueExW

Sections

.text
Size: 53KB - Virtual size: 52KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.data
Size: 22KB - Virtual size: 26KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.rsrc
Size: 15KB - Virtual size: 14KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.reloc
Size: 4KB - Virtual size: 3KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ

Sharing

General

Malware Config

Signatures

Files

099c0646ea7282d232219f8807883be0

Headers

DLL Characteristics

File Characteristics

Imports

kernel32

user32

gdi32

shell32

advapi32

comctl32

ole32

version

Sections

.text Size: 23KB - Virtual size: 22KB

.rdata Size: 4KB - Virtual size: 4KB

.data Size: 1024B - Virtual size: 107KB

.ndata Size: - Virtual size: 36KB

.rsrc Size: 19KB - Virtual size: 18KB

b1cd0d78f652ce5fc63f0879371af012

Headers

File Characteristics

Imports

kernel32

user32

gdi32

shell32

comdlg32

ole32

Exports

Exports

Sections

.text Size: 7KB - Virtual size: 6KB

.rdata Size: 2KB - Virtual size: 2KB

.data Size: 2KB - Virtual size: 10KB

.rsrc Size: 512B - Virtual size: 152B

.reloc Size: 1KB - Virtual size: 1KB

2017f2acbdaa42ab3e4adeb8b4c37e7b

Headers

File Characteristics

Imports

kernel32

user32

ole32

Exports

Exports

Sections

.text Size: 7KB - Virtual size: 7KB

.rdata Size: 1024B - Virtual size: 784B

.data Size: 512B - Virtual size: 100B

.reloc Size: 1024B - Virtual size: 520B

f34d5f2d4577ed6d9ceec516c1f5a744

Headers

DLL Characteristics

File Characteristics

PDB Paths

Imports

mscoree

Sections

.rsrc Size: 84KB - Virtual size: 84KB

.text Size: 823KB - Virtual size: 822KB

.reloc Size: 512B - Virtual size: 12B

6e4e8adbc1ccdb4003389ec90ecb7cac

Headers

DLL Characteristics

File Characteristics

PDB Paths

Imports

kernel32

advapi32

version

Sections

.text Size: 70KB - Virtual size: 69KB

.rdata Size: 20KB - Virtual size: 20KB

.data Size: 4KB - Virtual size: 11KB

.text
Size: 23KB - Virtual size: 22KB

.rdata
Size: 4KB - Virtual size: 4KB

.data
Size: 1024B - Virtual size: 107KB

.ndata
Size: - Virtual size: 36KB

.rsrc
Size: 19KB - Virtual size: 18KB

.text
Size: 7KB - Virtual size: 6KB

.rdata
Size: 2KB - Virtual size: 2KB

.data
Size: 2KB - Virtual size: 10KB

.rsrc
Size: 512B - Virtual size: 152B

.reloc
Size: 1KB - Virtual size: 1KB

.text
Size: 7KB - Virtual size: 7KB

.rdata
Size: 1024B - Virtual size: 784B

.data
Size: 512B - Virtual size: 100B

.reloc
Size: 1024B - Virtual size: 520B

.rsrc
Size: 84KB - Virtual size: 84KB

.text
Size: 823KB - Virtual size: 822KB

.reloc
Size: 512B - Virtual size: 12B

.text
Size: 70KB - Virtual size: 69KB

.rdata
Size: 20KB - Virtual size: 20KB

.data
Size: 4KB - Virtual size: 11KB

.rsrc
Size: 1KB - Virtual size: 1KB

.reloc
Size: 7KB - Virtual size: 6KB

.text
Size: 9KB - Virtual size: 9KB

.rsrc
Size: 2KB - Virtual size: 1KB

.reloc
Size: 512B - Virtual size: 12B

.text
Size: 128KB - Virtual size: 128KB

.data
Size: 1024B - Virtual size: 1KB

.rsrc
Size: 5KB - Virtual size: 4KB

.reloc
Size: 7KB - Virtual size: 7KB

.text
Size: 143KB - Virtual size: 143KB

.data
Size: 1024B - Virtual size: 1KB

.rsrc
Size: 135KB - Virtual size: 134KB

.reloc
Size: 7KB - Virtual size: 7KB

.text
Size: 5KB - Virtual size: 4KB

.rdata
Size: 9KB - Virtual size: 8KB

.data
Size: 512B - Virtual size: 536B

.text
Size: 53KB - Virtual size: 52KB

.data
Size: 22KB - Virtual size: 26KB