winlogon.PDB
Static task: static1
Behavioral task: behavioral1, sample bd46808484ec0a65c16f96d1b51f53fe_JaffaCakes118.exe, resource win7-20240729-en
Behavioral task: behavioral2, sample bd46808484ec0a65c16f96d1b51f53fe_JaffaCakes118.exe, resource win10v2004-20240802-en
General
Target: bd46808484ec0a65c16f96d1b51f53fe_JaffaCakes118
Size: 519KB
MD5: bd46808484ec0a65c16f96d1b51f53fe
SHA1: d70640bb03b1409fa42ee0f437f13f25a23e3963
SHA256: 44074c608c8556b4391919e884f5774b5f68e05d01a80091de434b41722820d6
SHA512: 5ed8510615171ec95ff2b71f2e4406f6ee199f89309e537b8bf78164da40e4dd60e1d00e7212d6ecd795c05e983691282a25b3ece2d6d066140419f5f52e132a
SSDEEP: 6144:SLNZlxEdL5RvGlcHF37newMLao6nMnKHOD13PRnCfOVSePfLtisgZY3Z2SsQLH5u:Fdz+lcDKao6nSKHs5qOMgxZgLSsPdn
Malware Config
Signatures
-
Unsigned PE (1 IoC)
Checks for a missing Authenticode signature. This check only looks for an embedded signature (a populated PE security data directory); it does not consult catalog files, which is how Windows ships its own system binaries signed. For a file that presents itself as winlogon, as this one does by name and import profile, the hit therefore means "no embedded signature" rather than "not signed by Microsoft", and a catalog-aware verification on a Windows host (signtool verify /a, or Get-AuthenticodeSignature) is the next step before the file is treated as unsigned.
resource bd46808484ec0a65c16f96d1b51f53fe_JaffaCakes118
Files
bd46808484ec0a65c16f96d1b51f53fe_JaffaCakes118.exe (windows:5 windows x86 arch:x86)
Imphash: d1f1e65aa1f57d18a21c032c5efb3d13
Headers
DLL Characteristics
IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE
File Characteristics
IMAGE_FILE_RELOCS_STRIPPED
IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LINE_NUMS_STRIPPED
IMAGE_FILE_LOCAL_SYMS_STRIPPED
IMAGE_FILE_AGGRESIVE_WS_TRIM
IMAGE_FILE_32BIT_MACHINE
PDB Paths
Imports
advapi32
ConvertStringSecurityDescriptorToSecurityDescriptorA
A_SHAInit
A_SHAUpdate
A_SHAFinal
LsaStorePrivateData
LsaRetrievePrivateData
LsaNtStatusToWinError
CryptGetUserKey
CryptGetKeyParam
CryptEncrypt
CryptSetProvParam
CryptSignHashW
CryptDeriveKey
CryptGetProvParam
RegOpenCurrentUser
RegDeleteKeyW
AddAccessAllowedAceEx
RegSetKeySecurity
I_ScSendTSMessage
MD5Init
MD5Update
MD5Final
SetFileSecurityA
AllocateLocallyUniqueId
LsaOpenPolicy
LsaQueryInformationPolicy
LsaFreeMemory
LsaClose
RegNotifyChangeKeyValue
QueryServiceConfigW
SetKernelObjectSecurity
ConvertStringSecurityDescriptorToSecurityDescriptorW
RegEnumKeyExW
GetCurrentHwProfileW
RegCloseKey
RegQueryValueExW
RegOpenKeyW
FreeSid
SetSecurityDescriptorDacl
InitializeSecurityDescriptor
AddAccessAllowedAce
InitializeAcl
GetLengthSid
AllocateAndInitializeSid
RegOpenKeyExW
CreateProcessAsUserW
DuplicateTokenEx
CloseServiceHandle
ControlService
StartServiceW
QueryServiceStatus
OpenServiceW
OpenSCManagerW
EqualSid
GetTokenInformation
RegSetValueExW
RegCreateKeyExW
CryptGenRandom
CryptDestroyHash
CryptVerifySignatureW
CryptSetHashParam
CryptGetHashParam
CryptHashData
CryptCreateHash
CryptDecrypt
ReportEventW
RegisterEventSourceW
CryptImportKey
CryptAcquireContextW
CryptReleaseContext
CryptDestroyKey
RegEnumValueW
RegQueryInfoKeyW
RegDeleteValueW
CredFree
CredDeleteW
CredEnumerateW
CopySid
GetSidLengthRequired
GetSidSubAuthority
GetSidSubAuthorityCount
GetUserNameW
OpenThreadToken
EnumServicesStatusW
ImpersonateLoggedOnUser
RegQueryValueExA
CheckTokenMembership
DeregisterEventSource
LsaGetUserName
RevertToSelf
LookupAccountSidW
IsValidSid
SetTokenInformation
LogonUserW
LookupAccountNameW
OpenProcessToken
SynchronizeWindows31FilesAndWindowsNTRegistry
QueryWindows31FilesMigration
AdjustTokenPrivileges
RegQueryInfoKeyA
authz
AuthzInitializeResourceManager
AuthzAccessCheck
AuthziFreeAuditEventType
AuthziInitializeAuditEvent
AuthziInitializeAuditParams
AuthziInitializeAuditEventType
AuthziLogAuditEvent
AuthzFreeAuditEvent
AuthzFreeResourceManager
AuthzFreeHandle
crypt32
CryptImportPublicKeyInfo
CryptVerifyMessageSignature
CertCreateCertificateContext
CertSetCertificateContextProperty
CertVerifyCertificateChainPolicy
CryptSignMessage
CertCloseStore
CertComparePublicKeyInfo
CryptExportPublicKeyInfo
CertFindExtension
CryptDecryptMessage
CertGetCertificateContextProperty
CertAddCertificateContextToStore
CertOpenStore
CertVerifySubjectCertificateContext
CertGetIssuerCertificateFromStore
CertDuplicateCertificateContext
CertFreeCertificateContext
CertEnumCertificatesInStore
CryptImportPublicKeyInfoEx
gdi32
RemoveFontResourceW
AddFontResourceW
kernel32
WTSGetActiveConsoleSessionId
GetTimeFormatW
GetUserDefaultLCID
FileTimeToSystemTime
FileTimeToLocalFileTime
GetProcAddress
LoadLibraryW
GetModuleHandleW
SystemTimeToFileTime
GetSystemTime
SetLastError
TerminateProcess
GetCurrentProcess
CreateTimerQueueTimer
CreateThread
lstrcpynW
GetShortPathNameW
GetProfileStringW
FreeLibrary
ReleaseSemaphore
CreateSemaphoreW
GetSystemInfo
GetComputerNameW
GetEnvironmentVariableW
WaitForSingleObjectEx
LoadResource
FindResourceW
SetThreadExecutionState
DeleteTimerQueueTimer
ResetEvent
GetSystemDirectoryW
TransactNamedPipe
SetNamedPipeHandleState
GetTickCount
CreateFileW
GlobalGetAtomNameW
VirtualLock
VirtualQuery
GetDriveTypeW
Beep
ExpandEnvironmentStringsW
OpenMutexW
QueueUserWorkItem
LeaveCriticalSection
EnterCriticalSection
DisconnectNamedPipe
SearchPathW
lstrcatW
LocalReAlloc
TerminateThread
ResumeThread
GetDiskFreeSpaceExW
GlobalMemoryStatusEx
DeleteFileW
WriteProfileStringW
ReadFile
FindVolumeClose
FindNextVolumeW
FindFirstVolumeW
FormatMessageW
SetPriorityClass
MoveFileExW
WaitForMultipleObjectsEx
GetExitCodeProcess
SleepEx
InterlockedExchange
FindClose
FindFirstFileW
GetWindowsDirectoryW
SetTimerQueueTimer
GetComputerNameA
GetVersionExW
VerSetConditionMask
WriteFile
WaitNamedPipeW
WaitForMultipleObjects
ConnectNamedPipe
GetVersionExA
DuplicateHandle
OpenProcess
GetOverlappedResult
lstrcmpW
SetEnvironmentVariableW
UnregisterWait
CreateNamedPipeW
CreateRemoteThread
CreateActCtxW
GetModuleFileNameW
ExitProcess
LoadLibraryExW
SetErrorMode
SetUnhandledExceptionFilter
GetPrivateProfileStringW
LocalSize
VirtualAlloc
VirtualQueryEx
DebugBreak
CreateFileA
InitializeCriticalSection
ProcessIdToSessionId
SetInformationJobObject
AssignProcessToJobObject
TerminateJobObject
PostQueuedCompletionStatus
PulseEvent
GetQueuedCompletionStatus
CreateIoCompletionPort
CreateJobObjectW
ActivateActCtx
DeactivateActCtx
InterlockedCompareExchange
LoadLibraryA
QueryPerformanceCounter
GetSystemTimeAsFileTime
UnhandledExceptionFilter
GetModuleHandleA
GetStartupInfoA
GetCurrentProcessId
SetThreadPriority
GetCurrentThreadId
lstrcmpiW
GetProfileIntW
LoadLibraryExA
lstrcpyW
lstrlenW
Sleep
LocalAlloc
CreateEventW
GetExitCodeThread
SetThreadAffinityMask
GetProcessAffinityMask
CreateWaitableTimerW
CreateMutexW
OpenEventW
RegisterWaitForSingleObject
WaitForSingleObject
CreateProcessW
SetWaitableTimer
ReleaseMutex
SetEvent
UnregisterWaitEx
CloseHandle
lstrlenA
lstrcpyA
MultiByteToWideChar
GetACP
WideCharToMultiByte
HeapAlloc
GetProcessHeap
HeapFree
lstrcpynA
UnmapViewOfFile
MapViewOfFile
CreateFileMappingW
lstrcmpiA
GetFileSize
SetFilePointer
GlobalAlloc
GlobalFree
GetLastError
LocalFree
lstrcatA
lstrcmpA
GetLogicalDriveStringsA
GetDriveTypeA
GetVolumeInformationW
GlobalMemoryStatus
CreateMutexA
FindResourceExW
LockResource
SizeofResource
VerifyVersionInfoW
GetSystemDirectoryA
GetCurrentThread
DelayLoadFailureHook
BaseInitAppcompatCacheSupport
OpenProfileUserMapping
CloseProfileUserMapping
BaseCleanupAppcompatCacheSupport
InitializeCriticalSectionAndSpinCount
VirtualProtect
CreateEventA
TlsSetValue
TlsGetValue
DeleteCriticalSection
TlsAlloc
VirtualFree
TlsFree
msvcrt
wcslen
_vsnwprintf
wcsncpy
wcsstr
atoi
wcstok
memmove
wcschr
swprintf
swscanf
_local_unwind2
_wcslwr
wcscmp
_snwprintf
malloc
_c_exit
_exit
_XcptFilter
_cexit
exit
_acmdln
__getmainargs
_initterm
__setusermatherr
_adjust_fdiv
__p__commode
__p__fmode
__set_app_type
??3@YAXPAX@Z
??2@YAPAXI@Z
__CxxFrameHandler
_itow
_snprintf
_wtol
_strnicmp
sscanf
wcstombs
sprintf
strchr
strncmp
atof
_ftol
isspace
wcscpy
_controlfp
wcsncmp
_wcsupr
ceil
wcscat
_except_handler3
free
_wcsicmp
nddeapi
ord603
ord612
ord613
ord611
ntdll
RtlSubAuthoritySid
RtlAllocateHeap
NtPowerInformation
NtSetSystemPowerState
NtRaiseHardError
RtlDeleteCriticalSection
NtOpenSymbolicLinkObject
NtReplyPort
NtCompleteConnectPort
NtReplyWaitReceivePort
NtAcceptConnectPort
NtCreatePort
RtlConvertSidToUnicodeString
RtlFreeUnicodeString
NtLockProductActivationKeys
RtlTimeToTimeFields
NtUnmapViewOfSection
NtMapViewOfSection
NtOpenSection
NtQuerySymbolicLinkObject
NtQueryVolumeInformationFile
NtSetSecurityObject
RtlAdjustPrivilege
NtOpenFile
NtFsControlFile
RtlAllocateAndInitializeSid
RtlDestroyEnvironment
RtlFreeHeap
NtQueryInformationToken
NtShutdownSystem
RtlEnterCriticalSection
RtlLeaveCriticalSection
RtlInitializeCriticalSection
RtlCreateEnvironment
RtlQueryEnvironmentVariable_U
RtlSetEnvironmentVariable
RtlInitUnicodeString
NtOpenKey
NtQueryValueKey
RtlInitializeSid
RtlLengthRequiredSid
NtAllocateLocallyUniqueId
RtlGetDaclSecurityDescriptor
RtlCopySid
RtlLengthSid
NtSetInformationThread
NtDuplicateToken
NtDuplicateObject
RtlEqualSid
RtlSetDaclSecurityDescriptor
RtlCreateSecurityDescriptor
NtClose
RtlOpenCurrentUser
RtlAddAce
RtlCreateAcl
RtlNtStatusToDosError
NtSetInformationProcess
NtQuerySystemInformation
NtCreateEvent
NtCreatePagingFile
RtlDosPathNameToNtPathName_U
RtlRegisterWait
NtSetValueKey
NtCreateKey
RtlTimeToSecondsSince1980
NtQuerySystemTime
NtPrivilegeObjectAuditAlarm
NtPrivilegeCheck
NtOpenThreadToken
NtOpenProcessToken
RtlInitString
RtlUnhandledExceptionFilter
NtQueryInformationProcess
DbgBreakPoint
RtlCheckProcessParameters
RtlSetThreadIsCritical
RtlSetProcessIsCritical
RtlGetNtProductType
NtInitiatePowerAction
DbgPrint
NtFilterToken
NtQueryInformationJobObject
NtOpenEvent
RtlGetAce
RtlQueryInformationAcl
NtQuerySecurityObject
RtlCompareUnicodeString
NtOpenDirectoryObject
profmap
InitializeProfileMappingApi
RemapAndMoveUserW
psapi
EnumProcesses
EnumProcessModules
GetModuleBaseNameW
regapi
RegDefaultUserConfigQueryW
RegUserConfigQuery
rpcrt4
RpcServerRegisterIfEx
RpcServerUseProtseqEpW
RpcImpersonateClient
I_RpcMapWin32Status
RpcServerRegisterIf
RpcGetAuthorizationContextForClient
RpcFreeAuthorizationContext
RpcServerListen
RpcRevertToSelf
NdrServerCall2
UuidCreate
secur32
LsaCallAuthenticationPackage
GetUserNameExW
LsaLookupAuthenticationPackage
LsaRegisterLogonProcess
setupapi
SetupDiDestroyDeviceInfoList
SetupDiEnumDeviceInfo
SetupDiGetClassDevsW
SetupDiGetDeviceRegistryPropertyW
user32
SetFocus
EnumWindows
CreateWindowStationW
RegisterLogonProcess
RecordShutdownReason
LoadLocalFonts
UnhookWindowsHook
SetWindowsHookW
GetWindowTextW
CallNextHookEx
DialogBoxParamW
GetWindowPlacement
GetSystemMenu
DeleteMenu
SetWindowPlacement
SetUserObjectInformationW
GetAsyncKeyState
PostThreadMessageW
SetUserObjectSecurity
CreateDesktopW
GetMessageTime
SetTimer
SetLogonNotifyWindow
UnlockWindowStation
ReplyMessage
UnregisterHotKey
RegisterHotKey
OpenInputDesktop
GetUserObjectInformationW
CloseDesktop
RegisterDeviceNotificationW
SetThreadDesktop
CreateWindowExW
GetMessageW
TranslateMessage
RegisterWindowMessageW
RegisterClassW
SetCursor
FindWindowW
MessageBoxW
SendNotifyMessageW
PostQuitMessage
MsgWaitForMultipleObjects
GetWindowRect
GetSystemMetrics
PeekMessageW
DispatchMessageW
KillTimer
SetProcessWindowStation
UpdateWindow
ShowWindow
SetWindowPos
PostMessageW
ExitWindowsEx
EnumDisplayMonitors
SystemParametersInfoW
GetDlgItem
SendMessageW
CreateDialogParamW
DestroyWindow
GetWindowLongW
GetDlgItemTextW
EndDialog
SetWindowLongW
LoadStringW
SetWindowTextW
SetDlgItemTextW
wsprintfW
wsprintfA
LockWindowStation
MBToWCSEx
SetWindowStationUser
UpdatePerUserSystemParameters
DialogBoxIndirectParamW
wvsprintfW
SetLastErrorEx
LoadCursorW
CheckDlgButton
IsDlgButtonChecked
DefWindowProcW
CloseWindowStation
LoadImageW
GetParent
GetKeyState
GetDesktopWindow
SetForegroundWindow
SwitchDesktop
OpenDesktopW
userenv
ord131
WaitForUserPolicyForegroundProcessing
GetAllUsersProfileDirectoryW
ord118
ord117
ord151
WaitForMachinePolicyForegroundProcessing
ord140
ord150
ord152
UnloadUserProfile
LoadUserProfileW
ord130
RegisterGPNotification
CreateEnvironmentBlock
DestroyEnvironmentBlock
UnregisterGPNotification
GetUserProfileDirectoryW
version
GetFileVersionInfoSizeW
GetFileVersionInfoW
VerQueryValueW
winsta
WinStationRequestSessionsList
WinStationQueryLogonCredentialsW
WinStationIsHelpAssistantSession
WinStationAutoReconnect
_WinStationWaitForConnect
_WinStationNotifyLogoff
WinStationDisconnect
_WinStationCallback
WinStationNameFromLogonIdW
_WinStationFUSCanRemoteUserDisconnect
WinStationEnumerate_IndexedW
WinStationGetMachinePolicy
WinStationQueryInformationW
WinStationFreeMemory
WinStationReset
_WinStationNotifyDisconnectPipe
WinStationConnectW
WinStationSetInformationW
WinStationShutdownSystem
WinStationCheckLoopBack
_WinStationNotifyLogon
wintrust
CryptCATAdminEnumCatalogFromHash
CryptCATCatalogInfoFromContext
CryptCATAdminCalcHashFromFileHandle
CryptCATAdminAcquireContext
CryptCATAdminReleaseCatalogContext
WTHelperProvDataFromStateData
WinVerifyTrust
WTHelperGetProvSignerFromChain
CryptCATAdminReleaseContext
ws2_32
WSAStartup
WSACleanup
getaddrinfo
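The import table above is the input to the file's import hash (the imphash shown under Files). The block below is an added example, not the sandbox's code: it implements the pefile-style imphash that sandboxes and VirusTotal report, over a constructed excerpt of this report's imports in the report's own format (DLL name, then symbols, with imports by ordinal written as ordN). The excerpt is deliberately not the full table, so its hash will not equal the report's value; the function names are my own.

```python
import hashlib

# Constructed excerpt of the report's import table, in import-table order.
# (dll, symbol) pairs; an int symbol is an import by ordinal, shown as "ord603" above.
SAMPLE_IMPORTS = [
    ("ADVAPI32.dll", "ConvertStringSecurityDescriptorToSecurityDescriptorA"),
    ("ADVAPI32.dll", "LsaStorePrivateData"),
    ("ADVAPI32.dll", "CreateProcessAsUserW"),
    ("KERNEL32.dll", "CreateRemoteThread"),
    ("KERNEL32.dll", "VirtualProtect"),
    ("nddeapi.dll", 603),
    ("nddeapi.dll", 612),
    ("USER32.dll", "RegisterLogonProcess"),
]


def normalize_import(dll, symbol):
    """One imphash token: '<dll>.<symbol>', lowercased, DLL extension dropped.

    Mirrors pefile: only a trailing .dll/.ocx/.sys is stripped, and a nameless
    import becomes 'ord<N>'. pefile additionally maps known ws2_32/oleaut32
    ordinals to names, which is why ordinal-only DLLs such as nddeapi keep the
    ordN form seen in the report while ws2_32 imports show up by name."""
    dll = dll.lower()
    base, dot, ext = dll.rpartition(".")
    if dot and ext in ("dll", "ocx", "sys"):
        dll = base
    name = f"ord{symbol}" if isinstance(symbol, int) else symbol
    return f"{dll}.{name}".lower()


def import_string(imports):
    """The exact string that gets hashed; compare this when two tools disagree."""
    return ",".join(normalize_import(dll, sym) for dll, sym in imports)


def imphash(imports):
    """MD5 of the comma-joined, order-preserving token list (the imphash)."""
    return hashlib.md5(import_string(imports).encode("ascii")).hexdigest()


if __name__ == "__main__":
    print(import_string(SAMPLE_IMPORTS))
    print(imphash(SAMPLE_IMPORTS))
```

Order matters: the same DLLs and symbols in a different import-table order give a different hash, which is the property that makes imphash useful for clustering builds of one source tree and useless against a rebuilt or re-linked copy.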
Sections
.text Size: 450KB - Virtual size: 450KB
IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE
.data Size: 8KB - Virtual size: 19KB
IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE
.rsrc Size: 59KB - Virtual size: 59KB
IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
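The Headers and Sections blocks above, together with the Unsigned PE hit under Signatures, can be reproduced from the raw file with nothing but the Python standard library. The block below is an added example, not the sandbox's code: it parses the File Characteristics, DLL Characteristics, section flags and the Authenticode security directory of a PE32 file and turns them into the findings a reviewer wants from the headers alone (no embedded signature, relocations stripped so the image can never be rebased, no DYNAMIC_BASE or NX_COMPAT opt-in, and a writable code section; all four hold for the report above). The image it parses is a constructed, header-only stub that mirrors this report's flags, and the function names are my own.

```python
import struct

# Flag tables (values from winnt.h; AGGRESIVE is the header's own spelling).
FILE_FLAGS = {
    0x0001: "IMAGE_FILE_RELOCS_STRIPPED", 0x0002: "IMAGE_FILE_EXECUTABLE_IMAGE",
    0x0004: "IMAGE_FILE_LINE_NUMS_STRIPPED", 0x0008: "IMAGE_FILE_LOCAL_SYMS_STRIPPED",
    0x0010: "IMAGE_FILE_AGGRESIVE_WS_TRIM", 0x0020: "IMAGE_FILE_LARGE_ADDRESS_AWARE",
    0x0100: "IMAGE_FILE_32BIT_MACHINE", 0x2000: "IMAGE_FILE_DLL",
}
DLL_FLAGS = {
    0x0020: "IMAGE_DLLCHARACTERISTICS_HIGH_ENTROPY_VA", 0x0040: "IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE",
    0x0100: "IMAGE_DLLCHARACTERISTICS_NX_COMPAT", 0x4000: "IMAGE_DLLCHARACTERISTICS_GUARD_CF",
    0x8000: "IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE",
}
SCN_FLAGS = {
    0x00000020: "IMAGE_SCN_CNT_CODE", 0x00000040: "IMAGE_SCN_CNT_INITIALIZED_DATA",
    0x00000080: "IMAGE_SCN_CNT_UNINITIALIZED_DATA", 0x20000000: "IMAGE_SCN_MEM_EXECUTE",
    0x40000000: "IMAGE_SCN_MEM_READ", 0x80000000: "IMAGE_SCN_MEM_WRITE",
}
IMAGE_DIRECTORY_ENTRY_SECURITY = 4  # data-directory slot holding the WIN_CERTIFICATE (Authenticode) blob


def names(value, table):
    return [name for bit, name in table.items() if value & bit]


def parse_pe(data):
    """Parse the PE32 fields the report lists; raises ValueError on anything else."""
    if data[:2] != b"MZ":
        raise ValueError("no MZ header")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("no PE signature")
    coff = e_lfanew + 4
    machine, nsec, _, _, _, opt_size, chars = struct.unpack_from("<HHIIIHH", data, coff)
    opt = coff + 20
    if struct.unpack_from("<H", data, opt)[0] != 0x10B:
        raise ValueError("not PE32 (PE32+ uses different optional-header offsets)")
    dll_chars = struct.unpack_from("<H", data, opt + 70)[0]
    ndirs = struct.unpack_from("<I", data, opt + 92)[0]
    sec_off, sec_size = 0, 0
    if ndirs > IMAGE_DIRECTORY_ENTRY_SECURITY:  # security entry is a file offset, not an RVA
        sec_off, sec_size = struct.unpack_from("<II", data, opt + 96 + 8 * IMAGE_DIRECTORY_ENTRY_SECURITY)
    sections = []
    for i in range(nsec):
        name, vsize, _, rawsize, _, _, _, _, _, scn = struct.unpack_from(
            "<8sIIIIIIHHI", data, opt + opt_size + 40 * i)
        sections.append((name.rstrip(b"\0").decode("ascii", "replace"), vsize, rawsize, names(scn, SCN_FLAGS)))
    return {"machine": machine, "file_characteristics": names(chars, FILE_FLAGS),
            "dll_characteristics": names(dll_chars, DLL_FLAGS), "sections": sections,
            "embedded_authenticode": sec_off != 0 and sec_size != 0}


def audit(info):
    """Header-only findings; catalog signatures are outside what the file itself can show."""
    out = []
    if not info["embedded_authenticode"]:
        out.append("no embedded Authenticode signature (catalog signing not checked here)")
    if "IMAGE_FILE_RELOCS_STRIPPED" in info["file_characteristics"]:
        out.append("relocations stripped: image cannot be rebased, so ASLR can never apply")
    if "IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE" not in info["dll_characteristics"]:
        out.append("DYNAMIC_BASE not set: does not opt in to ASLR")
    if "IMAGE_DLLCHARACTERISTICS_NX_COMPAT" not in info["dll_characteristics"]:
        out.append("NX_COMPAT not set: does not opt in to DEP")
    for name, _, _, flags in info["sections"]:
        if "IMAGE_SCN_MEM_EXECUTE" in flags and "IMAGE_SCN_MEM_WRITE" in flags:
            out.append(f"{name}: writable and executable (RWX) section")
    return out


def build_sample_pe(signed=False, rwx_text=True):
    """Constructed PE32 header-only stub mirroring the report's flags. It is not a
    runnable program; it exists only so parse_pe() can be exercised offline."""
    dos = b"MZ" + bytes(0x3A) + struct.pack("<I", 0x40)             # e_lfanew = 0x40
    chars = 0x0001 | 0x0002 | 0x0004 | 0x0008 | 0x0010 | 0x0100     # the report's File Characteristics
    coff = struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, 224, chars)    # IMAGE_FILE_MACHINE_I386, one section
    opt = struct.pack("<HBB" + "I" * 9 + "H" * 6 + "I" * 4 + "HH" + "I" * 6,
                      0x10B, 7, 10, 0x200, 0, 0, 0x1000, 0x1000, 0x2000, 0x400000, 0x1000, 0x200,
                      5, 1, 0, 0, 5, 1, 0, 0x2000, 0x400, 0, 2, 0x8000,  # DllCharacteristics: TERMINAL_SERVER_AWARE only
                      0x100000, 0x1000, 0x100000, 0x1000, 0, 16)
    dirs = [(0, 0)] * 16
    if signed:
        dirs[IMAGE_DIRECTORY_ENTRY_SECURITY] = (0x600, 0x200)       # offset/size of a WIN_CERTIFICATE blob
    opt += b"".join(struct.pack("<II", *d) for d in dirs)
    scn = 0x20 | 0x20000000 | 0x40000000 | (0x80000000 if rwx_text else 0)
    text = struct.pack("<8sIIIIIIHHI", b".text", 0x200, 0x1000, 0x200, 0x400, 0, 0, 0, 0, scn)
    return dos + b"PE\0\0" + coff + opt + text


if __name__ == "__main__":
    for finding in audit(parse_pe(build_sample_pe())):
        print(finding)
```

Run it on the real sample with parse_pe(open(path, "rb").read()). The RWX .text, the stripped relocations and the missing DYNAMIC_BASE/NX_COMPAT are what a windows:5-era linker produces, so on their own they are consistent with a genuine XP-generation winlogon build rather than evidence of tampering; the report lists no PDB path to cross-check the build against, which is one more reason the Unsigned PE hit needs the catalog check before it is read as "unsigned".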