b624b739d21ea4e49b3e64f63aa5c32e_JaffaCakes118

Sharing

Copy URL Twitter E-mail

General

Target

b624b739d21ea4e49b3e64f63aa5c32e_JaffaCakes118
Size

11.1MB
MD5

b624b739d21ea4e49b3e64f63aa5c32e
SHA1

f4c00e5b4582f806b6ad55109c01c7fecf38c1c9
SHA256

adea78c625d53136dce1b64ced56914445b1c68f2ee0fe7339884ca7f418d64d
SHA512

058730da339ae369bd9eb73e7ff85e16c30b63b62f6ce50ce15e5baaf3012949c674a0caab13764f88256ce7e50bb7526538eb217b9ad4eb15730430a9728ade
SSDEEP

196608:ZzYcXo/FfvZ3PtA2moW9HYSnHiByzdI5mVO1FbGTNXMeCXqUWBF7:ZEcXo/FHZ3PlmoK4UHiEzdmmk1Fbp6Uo

Score

1^/10

Malware Config

Signatures

Files

b624b739d21ea4e49b3e64f63aa5c32e_JaffaCakes118
.sys windows:6 windows x64 arch:x64

4212826dc1c3d1d24b9bc218365fc2bb

Code Sign

01
Certificate

Issuer

CN=Microsoft Authenticode(tm) Root Authority,O=MSFT,C=US

Not Before

01/01/1995, 08:00

Not After

31/12/1999, 23:59

Subject

CN=Microsoft Authenticode(tm) Root Authority,O=MSFT,C=US

c1:00:8b:3c:3c:88:11:d1:3e:f6:63:ec:df:40
Certificate

Issuer

CN=Microsoft Root Authority,OU=Copyright (c) 1997 Microsoft Corp.+OU=Microsoft Corporation

Not Before

10/01/1997, 07:00

Not After

31/12/2020, 07:00

Subject

CN=Microsoft Root Authority,OU=Copyright (c) 1997 Microsoft Corp.+OU=Microsoft Corporation

09:cd:4e:8a:e7:51:f8:d0:98:b6:c4:a0:2b:2a:82:2d
Certificate

Issuer

CN=VeriSign Class 3 Code Signing 2010 CA,OU=VeriSign Trust Network+OU=Terms of use at https://www.verisign.com/rpa (c)10,O=VeriSign\, Inc.,C=US

Not Before

15/11/2018, 00:00

Not After

14/01/2020, 23:59

Subject

CN=Xingning kaimei Network Technology Co. Ltd.,OU=IT,O=Xingning kaimei Network Technology Co. Ltd.,L=Xingning,ST=Guangdong,C=CN

Extended Key Usages

ExtKeyUsageCodeSigning

Key Usages

KeyUsageDigitalSignature

79:ad:16:a1:4a:a0:a5:ad:4c:73:58:f4:07:13:2e:65
Certificate

Issuer

CN=Microsoft Root Certificate Authority,0.9.2342.19200300.100.1.25=#13096d6963726f736f6674,0.9.2342.19200300.100.1.25=#1303636f6d

Not Before

09/05/2001, 23:19

Not After

09/05/2021, 23:28

Subject

CN=Microsoft Root Certificate Authority,0.9.2342.19200300.100.1.25=#13096d6963726f736f6674,0.9.2342.19200300.100.1.25=#1303636f6d

Key Usages

KeyUsageDigitalSignature
KeyUsageContentCommitment
KeyUsageCertSign
KeyUsageCRLSign

61:19:93:e4:00:00:00:00:00:1c
Certificate

Issuer

CN=Microsoft Code Verification Root,O=Microsoft Corporation,L=Redmond,ST=Washington,C=US

Not Before

22/02/2011, 19:25

Not After

22/02/2021, 19:35

Subject

CN=VeriSign Class 3 Public Primary Certification Authority - G5,OU=VeriSign Trust Network+OU=(c) 2006 VeriSign\, Inc. - For authorized use only,O=VeriSign\, Inc.,C=US

Key Usages

KeyUsageDigitalSignature
KeyUsageCertSign
KeyUsageCRLSign

52:00:e5:aa:25:56:fc:1a:86:ed:96:c9:d4:4b:33:c7
Certificate

Issuer

CN=VeriSign Class 3 Public Primary Certification Authority - G5,OU=VeriSign Trust Network+OU=(c) 2006 VeriSign\, Inc. - For authorized use only,O=VeriSign\, Inc.,C=US

Not Before

08/02/2010, 00:00

Not After

07/02/2020, 23:59

Subject

CN=VeriSign Class 3 Code Signing 2010 CA,OU=VeriSign Trust Network+OU=Terms of use at https://www.verisign.com/rpa (c)10,O=VeriSign\, Inc.,C=US

Extended Key Usages

ExtKeyUsageClientAuth
ExtKeyUsageCodeSigning

Key Usages

KeyUsageCertSign
KeyUsageCRLSign

72:94:04:10:1f:3e:0c:a3:47:83:7f:ca:17:5a:84:38
Certificate

Issuer

CN=Microsoft Code Verification Root,O=Microsoft Corporation,L=Redmond,ST=Washington,C=US

Not Before

01/11/2005, 13:46

Not After

01/11/2025, 13:54

Subject

CN=Microsoft Code Verification Root,O=Microsoft Corporation,L=Redmond,ST=Washington,C=US

Key Usages

KeyUsageDigitalSignature
KeyUsageContentCommitment
KeyUsageCertSign
KeyUsageCRLSign

01
Certificate

Issuer

CN=Microsoft Authenticode(tm) Root Authority,O=MSFT,C=US

Not Before

01/01/1995, 08:00

Not After

31/12/1999, 23:59

Subject

CN=Microsoft Authenticode(tm) Root Authority,O=MSFT,C=US

c1:00:8b:3c:3c:88:11:d1:3e:f6:63:ec:df:40
Certificate

Issuer

CN=Microsoft Root Authority,OU=Copyright (c) 1997 Microsoft Corp.+OU=Microsoft Corporation

Not Before

10/01/1997, 07:00

Not After

31/12/2020, 07:00

Subject

CN=Microsoft Root Authority,OU=Copyright (c) 1997 Microsoft Corp.+OU=Microsoft Corporation

38:54:06:aa:9c:17:ca:35:2d:97:1c:43:8b:30:39:fe
Certificate

Issuer

CN=Symantec Class 3 SHA256 Code Signing CA,OU=Symantec Trust Network,O=Symantec Corporation,C=US

Not Before

15/11/2018, 00:00

Not After

14/01/2020, 23:59

Subject

CN=Xingning kaimei Network Technology Co. Ltd.,OU=IT,O=Xingning kaimei Network Technology Co. Ltd.,L=Xingning,ST=Guangdong,C=CN

Extended Key Usages

ExtKeyUsageCodeSigning

Key Usages

KeyUsageDigitalSignature

3d:78:d7:f9:76:49:60:b2:61:7d:f4:f0:1e:ca:86:2a
Certificate

Issuer

CN=VeriSign Class 3 Public Primary Certification Authority - G5,OU=VeriSign Trust Network+OU=(c) 2006 VeriSign\, Inc. - For authorized use only,O=VeriSign\, Inc.,C=US

Not Before

10/12/2013, 00:00

Not After

09/12/2023, 23:59

Subject

CN=Symantec Class 3 SHA256 Code Signing CA,OU=Symantec Trust Network,O=Symantec Corporation,C=US

Extended Key Usages

ExtKeyUsageClientAuth
ExtKeyUsageCodeSigning

Key Usages

KeyUsageCertSign
KeyUsageCRLSign

79:ad:16:a1:4a:a0:a5:ad:4c:73:58:f4:07:13:2e:65
Certificate

Issuer

CN=Microsoft Root Certificate Authority,0.9.2342.19200300.100.1.25=#13096d6963726f736f6674,0.9.2342.19200300.100.1.25=#1303636f6d

Not Before

09/05/2001, 23:19

Not After

09/05/2021, 23:28

Subject

CN=Microsoft Root Certificate Authority,0.9.2342.19200300.100.1.25=#13096d6963726f736f6674,0.9.2342.19200300.100.1.25=#1303636f6d

Key Usages

KeyUsageDigitalSignature
KeyUsageContentCommitment
KeyUsageCertSign
KeyUsageCRLSign

61:19:93:e4:00:00:00:00:00:1c
Certificate

Issuer

CN=Microsoft Code Verification Root,O=Microsoft Corporation,L=Redmond,ST=Washington,C=US

Not Before

22/02/2011, 19:25

Not After

22/02/2021, 19:35

Subject

CN=VeriSign Class 3 Public Primary Certification Authority - G5,OU=VeriSign Trust Network+OU=(c) 2006 VeriSign\, Inc. - For authorized use only,O=VeriSign\, Inc.,C=US

Key Usages

KeyUsageDigitalSignature
KeyUsageCertSign
KeyUsageCRLSign

72:94:04:10:1f:3e:0c:a3:47:83:7f:ca:17:5a:84:38
Certificate

Issuer

CN=Microsoft Code Verification Root,O=Microsoft Corporation,L=Redmond,ST=Washington,C=US

Not Before

01/11/2005, 13:46

Not After

01/11/2025, 13:54

Subject

CN=Microsoft Code Verification Root,O=Microsoft Corporation,L=Redmond,ST=Washington,C=US

Key Usages

KeyUsageDigitalSignature
KeyUsageContentCommitment
KeyUsageCertSign
KeyUsageCRLSign

89:21:27:47:30:e2:82:46:43:94:eb:ea:88:e2:8a:ce:57:0f:2a:1c:c3:24:82:f4:89:55:45:77:15:a6:11:3c
Signer

Actual PE Digest

89:21:27:47:30:e2:82:46:43:94:eb:ea:88:e2:8a:ce:57:0f:2a:1c:c3:24:82:f4:89:55:45:77:15:a6:11:3c

Digest Algorithm

sha256

PE Digest Matches

true

15:7e:3c:88:2e:71:89:37:c3:73:65:f7:29:c4:f7:43:54:8b:0a:5a
Signer

Actual PE Digest

15:7e:3c:88:2e:71:89:37:c3:73:65:f7:29:c4:f7:43:54:8b:0a:5a

Digest Algorithm

sha1

PE Digest Matches

true

Headers

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LARGE_ADDRESS_AWARE

Imports

ntoskrnl.exe

PsLookupProcessByProcessId
ZwQuerySymbolicLinkObject
_wcsnicmp
ZwReadFile
SeCreateAccessState
IoGetRelatedDeviceObject
RtlInitUnicodeString
KeSetEvent
ExGetPreviousMode
IoGetFileObjectGenericMapping
ObCreateObject
strchr
MmGetSystemRoutineAddress
RtlAppendUnicodeToString
IoCreateFile
KeInitializeEvent
RtlInitAnsiString
RtlUnicodeStringToAnsiString
RtlGetVersion
ZwQuerySystemInformation
MmBuildMdlForNonPagedPool
ZwOpenSymbolicLinkObject
IoFreeMdl
FsRtlIsNameInExpression
ZwOpenProcessTokenEx
RtlImageDirectoryEntryToData
RtlFreeUnicodeString
IoFileObjectType
ZwCreateFile
IoGetDeviceObjectPointer
ExSystemTimeToLocalTime
ZwQueryValueKey
RtlPrefixUnicodeString
RtlRandomEx
_vsnprintf
KeQueryTimeIncrement
ZwClose
IofCompleteRequest
PsGetProcessInheritedFromUniqueProcessId
ObReferenceObjectByHandle
KeWaitForSingleObject
IoFreeIrp
RtlTimeToTimeFields
RtlFreeAnsiString
IoAllocateIrp
ZwOpenProcess
toupper
ObfReferenceObject
MmIsAddressValid
ObfDereferenceObject
ZwOpenFile
wcstombs
ZwQueryInformationToken
RtlImageNtHeader
ZwWriteFile
ZwDeleteKey
ObOpenObjectByPointer
ZwEnumerateKey
IoAllocateMdl
IofCallDriver
ZwQueryKey
ZwOpenKey
IoReuseIrp
KeResetEvent
KeReadStateEvent
KeInitializeMutex
ExInitializeNPagedLookasideList
KeReleaseInStackQueuedSpinLock
RtlAnsiStringToUnicodeString
KeAcquireInStackQueuedSpinLock
ExpInterlockedPopEntrySList
KeReleaseMutex
IoCancelIrp
KeDelayExecutionThread
ExQueryDepthSList
MmProbeAndLockPages
MmUnlockPages
KeWaitForMultipleObjects
ExDeleteNPagedLookasideList
ZwOpenEvent
ExQueueWorkItem
ZwCreateEvent
IoDeleteSymbolicLink
IoRegisterShutdownNotification
PsSetLoadImageNotifyRoutine
strstr
IoDeleteDevice
ZwSetValueKey
IoGetLowerDeviceObject
PsSetCreateProcessNotifyRoutine
RtlEqualUnicodeString
KeUnstackDetachProcess
RtlTimeFieldsToTime
IoVolumeDeviceToDosName
wcsrchr
PsCreateSystemThread
IoRegisterBootDriverReinitialization
IoUnregisterShutdownNotification
PsTerminateSystemThread
ZwFreeVirtualMemory
_vsnwprintf
PsGetProcessSessionId
PsRemoveLoadImageNotifyRoutine
RtlUpperString
RtlWriteRegistryValue
ZwDeleteFile
PsGetVersion
PsThreadType
RtlEqualString
ZwDeviceIoControlFile
strrchr
IoCreateSymbolicLink
IoCreateDevice
ZwQueryInformationFile
PsGetProcessWin32WindowStation
ZwLoadDriver
RtlCreateRegistryKey
KeStackAttachProcess
ZwAllocateVirtualMemory
ExDeletePagedLookasideList
ExInitializePagedLookasideList
ExAcquireResourceExclusiveLite
KeLeaveCriticalRegion
KeEnterCriticalRegion
ExAcquireResourceSharedLite
ExReleaseResourceLite
ExDeleteResourceLite
ExInitializeResourceLite
atoi
RtlUpperChar
ZwTerminateProcess
_wcsicmp
ObQueryNameString
CmRegisterCallback
PsGetCurrentProcessId
CmUnRegisterCallback
KeBugCheckEx
ExFreePoolWithTag
ExpInterlockedPushEntrySList
RtlConvertSidToUnicodeString
RtlCompareUnicodeString
__C_specific_handler
RtlUpcaseUnicodeString
IoBuildDeviceIoControlRequest
FsRtlRegisterFileSystemFilterCallbacks
IoAttachDeviceToDeviceStackSafe
IoDetachDevice
IoGetDiskDeviceObject
IoEnumerateDeviceObjectList
IoUnregisterFsRegistrationChange
IoRegisterFsRegistrationChange
PsLookupThreadByThreadId
MmHighestUserAddress
KeInitializeApc
KeInsertQueueApc
ZwUnloadKey
ZwCreateKey
ZwSaveKey
_wcslwr
ZwOpenDirectoryObject
ZwSetInformationFile
ExAllocatePool
IoGetCurrentProcess
ZwQueryDirectoryObject
ZwFlushKey
ZwLoadKey
KeClearEvent
ExAllocatePoolWithTag
RtlInitString
_stricmp
ExAllocatePool
NtQuerySystemInformation
ExFreePoolWithTag
IoAllocateMdl
MmProbeAndLockPages
MmMapLockedPagesSpecifyCache
MmUnlockPages
IoFreeMdl
KeQueryActiveProcessors
KeSetSystemAffinityThread
KeRevertToUserAffinityThread
DbgPrint

fltmgr.sys

FltRegisterFilter
FltUnregisterFilter
FltStartFiltering

hal

KeQueryPerformanceCounter

Sections

.text
Size: - Virtual size: 202KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rdata
Size: - Virtual size: 7KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.data
Size: - Virtual size: 2.2MB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.pdata
Size: - Virtual size: 4KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.CRY
Size: - Virtual size: 16B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.STL
Size: - Virtual size: 32B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

PAGE
Size: - Virtual size: 5.8MB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

INIT
Size: - Virtual size: 5KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.wow0
Size: - Virtual size: 4.4MB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.wow1
Size: 11.1MB - Virtual size: 11.1MB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.reloc
Size: 512B - Virtual size: 12B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ

Sharing

General

Malware Config

Signatures

Files

4212826dc1c3d1d24b9bc218365fc2bb

Code Sign

01Certificate

c1:00:8b:3c:3c:88:11:d1:3e:f6:63:ec:df:40Certificate

09:cd:4e:8a:e7:51:f8:d0:98:b6:c4:a0:2b:2a:82:2dCertificate

Extended Key Usages

Key Usages

79:ad:16:a1:4a:a0:a5:ad:4c:73:58:f4:07:13:2e:65Certificate

Key Usages

61:19:93:e4:00:00:00:00:00:1cCertificate

Key Usages

52:00:e5:aa:25:56:fc:1a:86:ed:96:c9:d4:4b:33:c7Certificate

Extended Key Usages

Key Usages

72:94:04:10:1f:3e:0c:a3:47:83:7f:ca:17:5a:84:38Certificate

Key Usages

01Certificate

c1:00:8b:3c:3c:88:11:d1:3e:f6:63:ec:df:40Certificate

38:54:06:aa:9c:17:ca:35:2d:97:1c:43:8b:30:39:feCertificate

Extended Key Usages

Key Usages

3d:78:d7:f9:76:49:60:b2:61:7d:f4:f0:1e:ca:86:2aCertificate

Extended Key Usages

Key Usages

79:ad:16:a1:4a:a0:a5:ad:4c:73:58:f4:07:13:2e:65Certificate

Key Usages

61:19:93:e4:00:00:00:00:00:1cCertificate

Key Usages

72:94:04:10:1f:3e:0c:a3:47:83:7f:ca:17:5a:84:38Certificate

Key Usages

89:21:27:47:30:e2:82:46:43:94:eb:ea:88:e2:8a:ce:57:0f:2a:1c:c3:24:82:f4:89:55:45:77:15:a6:11:3cSigner

15:7e:3c:88:2e:71:89:37:c3:73:65:f7:29:c4:f7:43:54:8b:0a:5aSigner

Headers

File Characteristics

Imports

ntoskrnl.exe

fltmgr.sys

hal

Sections

.text Size: - Virtual size: 202KB

.rdata Size: - Virtual size: 7KB

.data Size: - Virtual size: 2.2MB

.pdata Size: - Virtual size: 4KB

.CRY Size: - Virtual size: 16B

.STL Size: - Virtual size: 32B

PAGE Size: - Virtual size: 5.8MB

INIT Size: - Virtual size: 5KB

.wow0 Size: - Virtual size: 4.4MB

.wow1 Size: 11.1MB - Virtual size: 11.1MB

.reloc Size: 512B - Virtual size: 12B

01
Certificate

c1:00:8b:3c:3c:88:11:d1:3e:f6:63:ec:df:40
Certificate

09:cd:4e:8a:e7:51:f8:d0:98:b6:c4:a0:2b:2a:82:2d
Certificate

79:ad:16:a1:4a:a0:a5:ad:4c:73:58:f4:07:13:2e:65
Certificate

61:19:93:e4:00:00:00:00:00:1c
Certificate

52:00:e5:aa:25:56:fc:1a:86:ed:96:c9:d4:4b:33:c7
Certificate

72:94:04:10:1f:3e:0c:a3:47:83:7f:ca:17:5a:84:38
Certificate

01
Certificate

c1:00:8b:3c:3c:88:11:d1:3e:f6:63:ec:df:40
Certificate

38:54:06:aa:9c:17:ca:35:2d:97:1c:43:8b:30:39:fe
Certificate

3d:78:d7:f9:76:49:60:b2:61:7d:f4:f0:1e:ca:86:2a
Certificate

79:ad:16:a1:4a:a0:a5:ad:4c:73:58:f4:07:13:2e:65
Certificate

61:19:93:e4:00:00:00:00:00:1c
Certificate

72:94:04:10:1f:3e:0c:a3:47:83:7f:ca:17:5a:84:38
Certificate

89:21:27:47:30:e2:82:46:43:94:eb:ea:88:e2:8a:ce:57:0f:2a:1c:c3:24:82:f4:89:55:45:77:15:a6:11:3c
Signer

15:7e:3c:88:2e:71:89:37:c3:73:65:f7:29:c4:f7:43:54:8b:0a:5a
Signer

.text
Size: - Virtual size: 202KB

.rdata
Size: - Virtual size: 7KB

.data
Size: - Virtual size: 2.2MB

.pdata
Size: - Virtual size: 4KB

.CRY
Size: - Virtual size: 16B

.STL
Size: - Virtual size: 32B

PAGE
Size: - Virtual size: 5.8MB

INIT
Size: - Virtual size: 5KB

.wow0
Size: - Virtual size: 4.4MB

.wow1
Size: 11.1MB - Virtual size: 11.1MB

.reloc
Size: 512B - Virtual size: 12B