b7d4c66ce7a5c10032d0fc6cb356c086_JaffaCakes118

Sharing

Copy URL Twitter E-mail

General

Target

b7d4c66ce7a5c10032d0fc6cb356c086_JaffaCakes118
Size

340KB
MD5

b7d4c66ce7a5c10032d0fc6cb356c086
SHA1

6e81c79081e500e2e91fab099390861e31f06d98
SHA256

03d27e99fd392bb5850bf518a796054af8f7d5a8c0e78ce4eff1ff1eb250aeea
SHA512

e67a456c5b9e3be22cb5c633c99e0d1346d1340d56122edab903fae4aa26fb5c63b3ff8544c0c52d79f57f043eea17dbe4cc87ef61d5bbc8f0d486adab259283
SSDEEP

6144:71noD0ArMD1MvYvfqTtU4du1u1B1CKLa2kKPmnW/U3pEIy7qlR:71noIfXvf+d1B1CKLaRs5/6Py+lR

Score

3^/10

Malware Config

Signatures

Unsigned PE 1 IoCs

Checks for missing Authenticode signature.

resource
b7d4c66ce7a5c10032d0fc6cb356c086_JaffaCakes118

Files

b7d4c66ce7a5c10032d0fc6cb356c086_JaffaCakes118
.sys windows:5 windows x86 arch:x86

fe8afeae3204dc7705f8452a36070abd

Headers

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LARGE_ADDRESS_AWARE
IMAGE_FILE_32BIT_MACHINE

PDB Paths

c:\Kernel Detective\Driver\Release\KeDetective.pdb

Imports

ntoskrnl.exe

IoGetCurrentProcess
PsGetCurrentThreadId
PsGetCurrentProcessId
KeSetTargetProcessorDpc
KeInitializeDpc
KeInsertQueueDpc
KeNumberProcessors
PsGetProcessPeb
ProbeForRead
wcsncpy
MmIsAddressValid
IoGetBaseFileSystemDeviceObject
RtlAnsiStringToUnicodeString
IoBuildSynchronousFsdRequest
_wcsnicmp
RtlPrefixString
SeCreateAccessState
RtlInitUnicodeString
KeSetEvent
IoGetFileObjectGenericMapping
ObCreateObject
strchr
IoCreateFile
KeInitializeEvent
RtlInitAnsiString
wcsncat
RtlEqualUnicodeString
IoFreeMdl
RtlImageDirectoryEntryToData
RtlFreeUnicodeString
IoFileObjectType
KeGetCurrentThread
ZwClose
ObReferenceObjectByHandle
KeWaitForSingleObject
IoFreeIrp
MmProbeAndLockPages
IoAllocateIrp
MmUnlockPages
ObfReferenceObject
RtlCopyUnicodeString
ObfDereferenceObject
RtlImageNtHeader
RtlMultiByteToUnicodeN
IoQueryFileDosDeviceName
ObOpenObjectByPointer
IoAllocateMdl
ObQueryNameString
ZwWaitForSingleObject
PsCreateSystemThread
PsTerminateSystemThread
KeInitializeSpinLock
_wcsicmp
sprintf
ExAcquireRundownProtection
ExSystemTimeToLocalTime
_strnicmp
PsProcessType
KeQueryActiveProcessors
IoBuildDeviceIoControlRequest
IoDeleteSymbolicLink
KeLeaveCriticalRegion
ZwYieldExecution
PsRemoveCreateThreadNotifyRoutine
PsIsSystemThread
IoDeleteDevice
MmGetSystemRoutineAddress
RtlGetVersion
ExReleaseRundownProtection
PsSetCreateProcessNotifyRoutine
KeEnterCriticalRegion
IoDriverObjectType
ExReleaseResourceLite
PsGetThreadWin32Thread
IofCompleteRequest
PsSetLegoNotifyRoutine
PsRemoveLoadImageNotifyRoutine
PsInitialSystemProcess
PsThreadType
RtlCompareUnicodeString
ExDeleteResourceLite
IoCreateSymbolicLink
ObReferenceObjectByName
IoCreateDevice
ExInitializeResourceLite
KeCancelTimer
CmUnRegisterCallback
KeDeregisterBugCheckCallback
PsGetProcessId
KeSetAffinityThread
MmSystemRangeStart
MmUnmapLockedPages
MmHighestUserAddress
MmBuildMdlForNonPagedPool
MmIsNonPagedSystemAddressValid
MmSectionObjectType
MmMapLockedPages
MmCreateMdl
IoDeviceObjectType
wcstombs
PsGetProcessSectionBaseAddress
KeDelayExecutionThread
PsGetProcessInheritedFromUniqueProcessId
IoThreadToProcess
KeInitializeApc
PsGetThreadTeb
PsGetThreadId
PsIsThreadTerminating
PsGetThreadProcessId
_snprintf
KeQuerySystemTime
PsGetProcessImageFileName
_snwprintf
ExFreePoolWithTag
ExAcquireResourceExclusiveLite
ExAllocatePoolWithTag
_except_handler3
memset
memcpy

hal

KfAcquireSpinLock
KeGetCurrentIrql
KfLowerIrql
KeRaiseIrqlToDpcLevel
KfReleaseSpinLock

Sections

.text
Size: 52KB - Virtual size: 51KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rdata
Size: 4KB - Virtual size: 3KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.data
Size: 1KB - Virtual size: 4KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

INIT
Size: 3KB - Virtual size: 3KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.rsrc
Size: 1024B - Virtual size: 920B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.kd0
Size: 3KB - Virtual size: 3KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.kd1
Size: 234KB - Virtual size: 234KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.reloc
Size: 9KB - Virtual size: 8KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ

Sharing

General

Malware Config

Signatures

Files

fe8afeae3204dc7705f8452a36070abd

Headers

File Characteristics

PDB Paths

Imports

ntoskrnl.exe

hal

Sections

.text Size: 52KB - Virtual size: 51KB

.rdata Size: 4KB - Virtual size: 3KB

.data Size: 1KB - Virtual size: 4KB

INIT Size: 3KB - Virtual size: 3KB

.rsrc Size: 1024B - Virtual size: 920B

.kd0 Size: 3KB - Virtual size: 3KB

.kd1 Size: 234KB - Virtual size: 234KB

.reloc Size: 9KB - Virtual size: 8KB

.text
Size: 52KB - Virtual size: 51KB

.rdata
Size: 4KB - Virtual size: 3KB

.data
Size: 1KB - Virtual size: 4KB

INIT
Size: 3KB - Virtual size: 3KB

.rsrc
Size: 1024B - Virtual size: 920B

.kd0
Size: 3KB - Virtual size: 3KB

.kd1
Size: 234KB - Virtual size: 234KB

.reloc
Size: 9KB - Virtual size: 8KB