b2e6f28df5466e9a37c60650ebed5e21_JaffaCakes118

Sharing

Copy URL Twitter E-mail

General

Target

b2e6f28df5466e9a37c60650ebed5e21_JaffaCakes118
Size

357KB
MD5

b2e6f28df5466e9a37c60650ebed5e21
SHA1

6787746469544f643f8228a9d9302095bdba7751
SHA256

48889e272a054bcb255dd74fcec273a61da8d6789c842cf20c06fbec37ace1ee
SHA512

caf8f9a037a9b3a6fc5358ea13fbd2b900220a42544e319e4c09bad5e33b134149a63ddbef5febf1eb37dfc7446b757e2d0461c6f996cac19174014c9c6b65bb
SSDEEP

6144:+9cxUG7Id7X1x4s+Y0F3bOQjpe7bLSvCsHZr92pfDMzBYcpikm:acxUG7Id5Ss+YSbjMfLyCsawFs

Score

3^/10

Malware Config

Signatures

Unsigned PE 1 IoCs

Checks for missing Authenticode signature.

resource
b2e6f28df5466e9a37c60650ebed5e21_JaffaCakes118

Files

b2e6f28df5466e9a37c60650ebed5e21_JaffaCakes118
.sys windows:6 windows x64 arch:x64

6784ab92d9ba4316947e907d3287f0a6

Headers

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LARGE_ADDRESS_AWARE

PDB Paths

mrxsmb.pdb

Imports

ntoskrnl.exe

ExInterlockedInsertTailList
KeInitializeSpinLock
KeGetCurrentNodeNumber
ExpInterlockedPopEntrySList
ExpInterlockedPushEntrySList
ExQueryDepthSList
IoAllocateMdl
MmBuildMdlForNonPagedPool
IoFreeMdl
ExInitializeNPagedLookasideList
KeQueryHighestNodeNumber
ExDeleteNPagedLookasideList
RtlTimeFieldsToTime
toupper
KeAcquireSpinLockAtDpcLevel
KeReleaseSpinLockFromDpcLevel
ExAcquireResourceExclusiveLite
KeInitializeEvent
KeQueryTimeIncrement
KeWaitForSingleObject
KeFlushQueuedDpcs
RtlUnicodeStringToOemString
RtlUpcaseUnicodeStringToOemString
ExAcquireSpinLockShared
ExReleaseSpinLockShared
FsRtlCancellableWaitForMultipleObjects
FsRtlCancellableWaitForSingleObject
KeBugCheckEx
KeTryToAcquireSpinLockAtDpcLevel
KeAcquireInStackQueuedSpinLock
KeReleaseInStackQueuedSpinLock
ExAcquireRundownProtection
ExReleaseRundownProtection
RtlCopyUnicodeString
ExInitializeResourceLite
ExDeleteResourceLite
IoWMIOpenBlock
IoWMISetNotificationCallback
ObfDereferenceObject
RtlAppendUnicodeToString
RtlAppendUnicodeStringToString
ZwOpenFile
KeReleaseSpinLock
RtlCompareUnicodeString
IoCreateFile
RtlInitializeSid
RtlIntegerToUnicodeString
IoRaiseInformationalHardError
MmUnmapLockedPages
IoBuildPartialMdl
NlsMbOemCodePageTag
RtlxUnicodeStringToOemSize
ExWaitForRundownProtectionRelease
IoFreeIrp
IoGetCurrentProcess
RtlInitAnsiString
KeResetEvent
KeQueryActiveProcessorCountEx
LsaFreeReturnBuffer
SeMarkLogonSessionForTerminationNotification
MmProbeAndLockPages
MmUnlockPages
MmMapLockedPagesSpecifyCache
ExInitializeRundownProtection
KfRaiseIrql
KeAcquireInStackQueuedSpinLockAtDpcLevel
KeReleaseInStackQueuedSpinLockFromDpcLevel
KeLowerIrql
KeExpandKernelStackAndCallout
ProbeForWrite
KeStackAttachProcess
IoGetRequestorProcess
KeUnstackDetachProcess
KeDelayExecutionThread
RtlCompareMemory
EtwWrite
KeLeaveCriticalRegion
KeEnterCriticalRegion
IofCompleteRequest
KeSetEvent
_wcsnicmp
ZwSetValueKey
ZwQueryValueKey
KeAcquireSpinLockRaiseToDpc
SeRegisterLogonSessionTerminatedRoutine
SeUnregisterLogonSessionTerminatedRoutine
RtlEqualUnicodeString
RtlHashUnicodeString
ExfReleasePushLockShared
ExfAcquirePushLockShared
KeReleaseGuardedMutex
IoIs32bitProcess
KeAcquireGuardedMutex
ExReleaseResourceLite
ExAcquireResourceSharedLite
ExfTryToWakePushLock
ExfAcquirePushLockExclusive
RtlLengthRequiredSid
IoWMIRegistrationControl
RtlGUIDFromString
ZwEnumerateValueKey
ZwOpenKey
RtlVerifyVersionInfo
VerSetConditionMask
RtlFreeUnicodeString
EtwUnregister
ZwClose
ExUuidCreate
IofCallDriver
ObReferenceObjectByHandle
ZwCreateFile
IoGetRelatedDeviceObject
KeReadStateEvent
RtlIpv6AddressToStringA
IoAllocateIrp
RtlIpv4AddressToStringA
EtwProviderEnabled
IoGetActivityIdThread
RtlPrefixUnicodeString
KeInitializeGuardedMutex
EtwRegister
RtlGetDaclSecurityDescriptor
RtlSetDaclSecurityDescriptor
RtlCreateSecurityDescriptor
RtlAddAccessAllowedAce
RtlCreateAcl
RtlNtStatusToDosError
RtlSubAuthoritySid
MmGetSystemRoutineAddress
NtDeviceIoControlFile
RtlInitUnicodeString
ExAllocatePoolWithTag
ExFreePoolWithTag
ExReleaseSpinLockExclusive
ExAcquireSpinLockExclusive
SeReleaseSubjectContext
SeExports
SeSinglePrivilegeCheck
SeAccessCheck
SeCaptureSubjectContext
PcwUnregister
PcwRegister
PcwAddInstance
ZwDeviceIoControlFile
IoCancelIrp
__C_specific_handler

hal

KeQueryPerformanceCounter

rdbss.sys

RxDereferenceAndDeleteRxContext_Real
RxCreateRxContext
RxLowIoGetBufferAddress
RxMapUserBuffer
RxNameCacheExpireEntriesWithPrefix
RxUpdateNetRootCachingMode
RxNameCacheScavengeEntries
RxTearDownDiagnosticLogger
RxDereferenceCredential
RxInitializeDiagnosticLogger
RxCeFreeIrp
RxRegisterAsynchronousRequest
RxDeregisterAsynchronousRequest
RxCeAllocateIrpWithMDL
RxGetRDBSSProcess
RxLogEventWithAnnotation
RxReferenceCredential
RxFindEa
RxPerProcessCountersEnabled
RxCancelContext
RxClearMinirdrCancelRoutine
RxSetMinirdrCancelRoutine
RxDiagnosticTrace
RxpTrackDereference
RxFinalizeConnection
RxReference
RxpTrackReference
RxPrefixTableEnumerate
RxPrefixTableInitEnumContext
RxIsPrefixTableEmpty
RxPostToWorkerThread
RxPostPreAllocatedOneShotTimerRequest
RxCancelPreAllocatedTimerRequest
RxLogEventDirect
RxFsdDispatch
RxUnregisterMinirdr
RxRegisterMinirdr
RxDispatchToWorkerThread
RxDereference
RxPrefixTableLookupName
RxSetDomainForMailslotBroadcast
RxDeleteLinkedVNetRoot
RxCreateLinkedVNetRoot
RxSignalNetStatus
RxStopMinirdr
RxStartMinirdr

ksecdd.sys

BCryptEncrypt
BCryptOpenAlgorithmProvider
BCryptKeyDerivation
BCryptGenerateSymmetricKey
InitSecurityInterfaceW
BCryptDecrypt
BCryptSetProperty
BCryptDestroyKey
BCryptGetProperty
GetSecurityUserInfo
SspiEncodeStringsAsAuthIdentity
MapSecurityError
SspiCompareAuthIdentities
BCryptDestroyHash
FreeCredentialsHandle
BCryptCloseAlgorithmProvider
DeleteSecurityContext

tdi.sys

TdiRegisterPnPHandlers
TdiCopyBufferToMdl
TdiCopyMdlToBuffer
TdiDeregisterPnPHandlers

netio.sys

FreeMibTable
GetUnicastIpAddressTable
NsiSetAllParameters
NsiFreeTable
NsiAllocateAndGetTable
NsiGetAllParameters
GetIfEntry2
CreateSortedAddressPairs
NsiDeregisterChangeNotification
NsiRegisterChangeNotification
ConvertInterfaceLuidToIndex
ConvertInterfaceGuidToLuid
NmrRegisterClient
NmrDeregisterClient
NmrWaitForClientDeregisterComplete
NmrClientAttachProvider
GetIpInterfaceEntry
GetBestRoute2

msrpc.sys

RpcBindingCreateW
I_RpcExceptionFilter
RpcBindingBind
RpcBindingUnbind
RpcAsyncCancelCall
RpcAsyncCompleteCall
RpcAsyncInitializeHandle
Ndr64AsyncClientCall
RpcBindingFree

Exports

Exports

CopyBufferToMdl
FsRtlValidateChangeNotifyBuffer
FsRtlValidateFileInformationBufferEx
MRxSmb2QueryConnectionPerformance
MRxSmbActivateRecurrentService
MRxSmbBootedRemotely
MRxSmbCancelRecurrentService
MRxSmbCreateVNetRoot
MRxSmbDeallocateForFcb
MRxSmbDeallocateForFobx
MRxSmbDeallocateForSrvOpen
MRxSmbDeregisterDialect
MRxSmbDeregisterSubRedirector
MRxSmbDeviceObject
MRxSmbExtractNetRootName
MRxSmbFinalizeNetRoot
MRxSmbFinalizeSrvCall
MRxSmbFinalizeVNetRoot
MRxSmbGetConfigurationBlock
MRxSmbGetHighestSupportedDialect
MRxSmbGetShareRights
MRxSmbInitializeRecurrentService
MRxSmbIsStreamFile
MRxSmbLogTransportError
MRxSmbPreparseName
MRxSmbRegisterDialect
MRxSmbRegisterSubRedirector
MRxSmbRemoteBootMachineDomain
MRxSmbRemoteBootMachineName
MRxSmbRemoteBootMachinePassword
MRxSmbRemoteBootPath
MRxSmbRemoteBootShare
MRxSmbShutdownRecurrentService
MRxSmbStatistics
MRxSmbUpdateNetRootState
MRxSmbUseKernelModeSecurity
RxCeEstablishConnection
RxCeGetTransportAddresses
RxCeInitiateVCDisconnect
RxCeQueryAdapterStatus
RxCeQueryInformation
RxCeQueryLocalAddressInformation
RxCeQueryTransportInformation
RxCeReceive
RxCeSend
RxCeSendDatagram
RxCeTearDownVC
SmbCeAcquireSpinLock
SmbCeAllocateExchangeBuffer
SmbCeAllocateImplicitExchangeBuffer
SmbCeAssociateExchangeWithCompoundingKeyEx
SmbCeCheckServerEntryDialect
SmbCeContinueExchange
SmbCeDereferenceBindingObject
SmbCeDereferenceExchange
SmbCeDereferenceNetRootEntry
SmbCeDereferenceServerEntryEx
SmbCeDereferenceSessionEntryEx
SmbCeDereferenceTransportArray
SmbCeDereferenceVNetRootContext
SmbCeDisconnectServerEntryLite
SmbCeDisconnectSessionEntryLite
SmbCeDissociateExchangeWithCompoundingKey
SmbCeEstablishMultipleChannels
SmbCeFindTransport
SmbCeFreeExchangeBuffer
SmbCeInitializeConnectionInfo
SmbCeInitializeExchange
SmbCeInitiateExchange
SmbCeIsExchangeFinalizable
SmbCeQueryOptimalBufferSize
SmbCeQueryServerAvailability
SmbCeRecoverSessionEntryLite
SmbCeReferenceBindingObject
SmbCeReferenceExchange
SmbCeReferenceNetRootEntry
SmbCeReferenceServerEntry
SmbCeReferenceSessionEntry
SmbCeReferenceTransportArray
SmbCeReferenceVNetRootContext
SmbCeReleaseSpinLock
SmbCeResumeSuspendedExchangesLite
SmbCeRuntimeContext
SmbCeSetConnectionKeepalive
SmbCeSetExchangeExpiryTimeEx
SmbCeSetServerBufferSizes
SmbCeSuspendExchangeLite
SmbCeSwitchConnectionObjectTransport
SmbCeTranslateObjectState
SmbCeUpdateServerAvailability
SmbCeUpdateTransportDispatchVectors
SmbCeWaitForCompletionAndFinalizeExchangeEx
SmbCepCompleteExchangeLite
SmbCepDereferenceTransport
SmbCepReferenceTransport
SmbCseAllocateCompoundingKey
SmbCseDereferenceCompoundingKey
SmbCseEstimateRequiredCreditsLite
SmbCseFinalizeBufferContext
SmbCseGetMemoryDescriptors
SmbCseInitializeBufferContextWithMemoryRegistration
SmbCseReferenceCompoundingKey
SmbCseReleaseCompoundingKey
SmbCseSubmitBufferContext
SmbMmAllocateServerTransport
SmbMmFreeServerTransport
SubRdrBuildDialectRevisionNegotiateList
SubRdrGetDialectIndex
UninitializeSecurityContextForBindingObject
VctCreateAndCacheEncryptionKey
VctDereferenceEndpoint
VctDerereferenceEncryptionKey
VctMarkConnectionForLargeMtu
VctReferenceEncryptionKey
VctReferenceEndpoint
VctReleaseEncryptionKey

Sections

.text
Size: 206KB - Virtual size: 206KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rdata
Size: 31KB - Virtual size: 31KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.data
Size: 1KB - Virtual size: 6KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.pdata
Size: 15KB - Virtual size: 14KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

ALMOSTRO
Size: 512B - Virtual size: 332B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

PAGE
Size: 46KB - Virtual size: 45KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.edata
Size: 4KB - Virtual size: 4KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

PAGEDATA
Size: - Virtual size: 8B

IMAGE_SCN_CNT_UNINITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

INIT
Size: 8KB - Virtual size: 8KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.rsrc
Size: 42KB - Virtual size: 41KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ

.reloc
Size: 512B - Virtual size: 236B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ

Sharing

General

Malware Config

Signatures

Files

6784ab92d9ba4316947e907d3287f0a6

Headers

File Characteristics

PDB Paths

Imports

ntoskrnl.exe

hal

rdbss.sys

ksecdd.sys

tdi.sys

netio.sys

msrpc.sys

Exports

Exports

Sections

.text Size: 206KB - Virtual size: 206KB

.rdata Size: 31KB - Virtual size: 31KB

.data Size: 1KB - Virtual size: 6KB

.pdata Size: 15KB - Virtual size: 14KB

ALMOSTRO Size: 512B - Virtual size: 332B

PAGE Size: 46KB - Virtual size: 45KB

.edata Size: 4KB - Virtual size: 4KB

PAGEDATA Size: - Virtual size: 8B

INIT Size: 8KB - Virtual size: 8KB

.rsrc Size: 42KB - Virtual size: 41KB

.reloc Size: 512B - Virtual size: 236B

.text
Size: 206KB - Virtual size: 206KB

.rdata
Size: 31KB - Virtual size: 31KB

.data
Size: 1KB - Virtual size: 6KB

.pdata
Size: 15KB - Virtual size: 14KB

ALMOSTRO
Size: 512B - Virtual size: 332B

PAGE
Size: 46KB - Virtual size: 45KB

.edata
Size: 4KB - Virtual size: 4KB

PAGEDATA
Size: - Virtual size: 8B

INIT
Size: 8KB - Virtual size: 8KB

.rsrc
Size: 42KB - Virtual size: 41KB

.reloc
Size: 512B - Virtual size: 236B