PDB path: d:\works\byshell_up30\byshell_sys\byshell_bypass_sys_up31\bypass\i386\bypass.pdb
Static task
static1
General
-
Target
b39674d64227227b60d3fbd0834d1c72_JaffaCakes118
-
Size
8KB
-
MD5
b39674d64227227b60d3fbd0834d1c72
-
SHA1
1b5f6e2e651159d317a67a10e5b007350f4fe86d
-
SHA256
4403a7fbb6292d0d9be90f18e3171cb30f2a1743eece6520c9a5ec6953217399
-
SHA512
a84edbe4789135c17989288e534c9e04f0afc48231720fac334ce93d135aa28b11c54eb0785c1b4b1af9037b34ebccd58478c7f44dc4c26e361be32a3e15f95a
-
SSDEEP
96:TKFcvl/j/Pm/wBPhpsMtwom186hel3WF0h6y1K12yT6PmSmPZxd:Tu+/j/e/EPUMtwoiJsly0ubvnd
Malware Config
Signatures
-
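Unsigned PE (1 IoC)
Flags a PE file that has no Authenticode signature. The sample is a 32-bit kernel driver (a .sys file importing from ntoskrnl.exe), and older 32-bit Windows releases do not enforce kernel-mode driver signing, so the missing signature alone would not stop it from loading there.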
resource b39674d64227227b60d3fbd0834d1c72_JaffaCakes118
Files
-
b39674d64227227b60d3fbd0834d1c72_JaffaCakes118.sys windows:5 windows x86 arch:x86
146c0417c61fffa58272e14d4e352fba
Headers
File Characteristics
IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LINE_NUMS_STRIPPED
IMAGE_FILE_LOCAL_SYMS_STRIPPED
IMAGE_FILE_32BIT_MACHINE
PDB Paths
Imports
ntoskrnl.exe
ExAllocatePoolWithTag
ZwQuerySystemInformation
KeServiceDescriptorTable
strstr
_strupr
strncpy
IoCreateFile
RtlInitUnicodeString
RtlGetVersion
strncmp
ExFreePoolWithTag
ZwClose
ZwWaitForSingleObject
ZwReadFile
ZwQueryInformationFile
ZwCreateFile
_except_handler3
_local_unwind2
KeTickCount
KeBugCheckEx
IoGetCurrentProcess
sprintf
hal
KeGetCurrentIrql
Sections
.text Size: 3KB - Virtual size: 3KB
IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ
.rdata Size: 384B - Virtual size: 356B
IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
.data Size: 2KB - Virtual size: 2KB
IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE
INIT Size: 768B - Virtual size: 664B
IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE
.reloc Size: 256B - Virtual size: 254B
IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ