services.pdb
Static task: static1
Behavioral task: behavioral1
  Sample: bd9a2895d87ed60fc0017fd2213119ea_JaffaCakes118.exe
  Resource: win7-20240708-en
Behavioral task: behavioral2
  Sample: bd9a2895d87ed60fc0017fd2213119ea_JaffaCakes118.exe
  Resource: win10v2004-20240802-en
General
- Target: bd9a2895d87ed60fc0017fd2213119ea_JaffaCakes118
- Size: 373KB
- MD5: bd9a2895d87ed60fc0017fd2213119ea
- SHA1: 410ef708937017afea9534ad5190a7df91e26761
- SHA256: 81f35dcd965dff4faaaa775075d80da22a5fdaaa4ff5d40188cd5341be6c778f
- SHA512: b932f1bf722f1660fa8d1d31d1ffd72b122aedd3af78f67fe232427aaa900ab498b6c132f82ec02cba266a3d6adc1f56d31472ed3b6064b66ebf02eef92eb130
- SSDEEP: 6144:3q3MeqFcA0uf2kHdvs7Wf8HZFhT3N5sRcsRp0056rJ0:63Mz6duf79vs+Eh7NOx5WS
Malware Config
Signatures
- Unsigned PE (1 IoC): Checks for missing Authenticode signature.
  resource bd9a2895d87ed60fc0017fd2213119ea_JaffaCakes118
Files
-
bd9a2895d87ed60fc0017fd2213119ea_JaffaCakes118.exe windows:6 windows x64 arch:x64
c52f461397796fd58466780950bcc444
Headers
DLL Characteristics
IMAGE_DLLCHARACTERISTICS_NX_COMPAT
IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE
File Characteristics
IMAGE_FILE_RELOCS_STRIPPED
IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LARGE_ADDRESS_AWARE
PDB Paths
Imports
advapi32
TraceMessage
GetTokenInformation
ConvertSidToStringSidW
RegOpenKeyExW
RegQueryValueExW
RegCloseKey
InitiateSystemShutdownExW
ImpersonateLoggedOnUser
CreateProcessAsUserW
RevertToSelf
OpenThreadToken
LsaOpenPolicy
LsaLookupSids
LsaFreeMemory
LsaClose
OpenProcessToken
AdjustTokenPrivileges
EqualSid
RegNotifyChangeKeyValue
InitializeSecurityDescriptor
SetSecurityDescriptorOwner
RegSetKeySecurity
RegGetKeySecurity
GetSecurityDescriptorDacl
GetLengthSid
CopySid
InitializeAcl
AddAce
SetSecurityDescriptorDacl
RegLoadMUIStringW
LsaManageSidNameMapping
LookupPrivilegeValueW
LsaQueryInformationPolicy
LsaLookupNames
LsaStorePrivateData
AllocateLocallyUniqueId
AllocateAndInitializeSid
FreeSid
GetKernelObjectSecurity
ConvertSecurityDescriptorToStringSecurityDescriptorW
ConvertStringSecurityDescriptorToSecurityDescriptorW
SetKernelObjectSecurity
AddAccessAllowedAce
SetTokenInformation
LsaEnumeratePrivileges
RegOpenKeyW
EventRegister
EventWrite
SystemFunction005
SystemFunction029
StartServiceCtrlDispatcherW
ControlTraceW
EnableTrace
GetTraceEnableFlags
GetTraceLoggerHandle
StartTraceW
GetTraceEnableLevel
RegisterTraceGuidsW
CheckTokenMembership
LogonUserExExW
kernel32
DuplicateHandle
GetCurrentProcess
CreateNamedPipeW
ConnectNamedPipe
WaitForMultipleObjects
GetOverlappedResult
CancelIo
ReadFile
WriteFile
TransactNamedPipe
GetTickCount
GetModuleHandleW
LoadLibraryW
GetProcAddress
FreeLibrary
GetSystemTimeAsFileTime
CreateEventW
ResetEvent
SetEvent
GetCurrentThread
CreateFileW
DeviceIoControl
GetCurrentProcessId
ResumeThread
GetProcessId
GetDriveTypeW
OpenEventW
GetSystemDirectoryW
GetSystemWow64DirectoryW
GetComputerNameW
SetUnhandledExceptionFilter
SetErrorMode
HeapCreate
SetConsoleCtrlHandler
SetProcessShutdownParameters
ExitThread
CompareStringW
SetThreadPriority
GetProcessTimes
OpenProcess
IsWow64Process
LoadLibraryA
DelayLoadFailureHook
QueryPerformanceCounter
GetCurrentThreadId
UnhandledExceptionFilter
GetExitCodeThread
GetEnvironmentVariableW
FindFirstFileW
MoveFileExW
CreateDirectoryW
GetVersionExW
lstrlenW
FindClose
FindNextFileW
TerminateProcess
WaitForSingleObject
HeapFree
HeapAlloc
SetLastError
CreateProcessW
ExpandEnvironmentStringsW
CloseHandle
GetLastError
CreateThread
Sleep
LeaveCriticalSection
EnterCriticalSection
InitializeCriticalSection
LocalFree
LocalAlloc
GetSystemTime
HeapSetInformation
user32
RegisterServicesProcess
BroadcastSystemMessageW
LoadStringW
msvcrt
_itow
_vsnwprintf
_wcslwr
wcsrchr
time
_ltow
wcscspn
wcschr
__getmainargs
__C_specific_handler
_wcsnicmp
_exit
_cexit
exit
_initterm
_amsg_exit
__setusermatherr
_commode
_fmode
__set_app_type
?terminate@@YAXXZ
wcstoul
wcsstr
_wcsicmp
_wtol
wcsncmp
_ultow
memcpy
memset
_XcptFilter
rpcrt4
I_RpcSessionStrictContextHandle
I_RpcBindingInqLocalClientPID
RpcServerInqBindingHandle
RpcImpersonateClient
RpcRevertToSelf
I_RpcMapWin32Status
RpcServerUseProtseqEpW
RpcServerRegisterIfEx
RpcServerInqCallAttributesW
RpcServerUseProtseqW
RpcServerInqBindings
RpcBindingToStringBindingW
RpcStringBindingParseW
RpcStringFreeW
RpcEpRegisterW
RpcServerInqDefaultPrincNameW
RpcServerRegisterAuthInfoW
RpcBindingVectorFree
RpcServerSubscribeForNotification
RpcServerUnsubscribeForNotification
UuidEqual
I_RpcBindingIsClientLocal
UuidCreate
RpcAsyncCompleteCall
RpcAsyncAbortCall
RpcServerRegisterIf
RpcServerUnregisterIfEx
RpcServerListen
RpcMgmtWaitServerListen
RpcMgmtStopServerListening
RpcServerUnregisterIf
RpcStringBindingComposeW
RpcEpResolveBinding
RpcBindingFree
NdrClientCall3
RpcAsyncInitializeHandle
Ndr64AsyncClientCall
Ndr64AsyncServerCallAll
RpcServerInqCallAttributesA
UuidFromStringW
I_RpcExceptionFilter
NdrServerCall2
NdrAsyncServerCall
RpcBindingFromStringBindingW
UuidCreateNil
NdrServerCallAll
ntdll
NtAdjustPrivilegesToken
NtSetInformationThread
NtQueryInformationToken
NtFilterToken
RtlCopyUnicodeString
NtDeleteFile
NtQueryDirectoryFile
NtWaitForSingleObject
RtlAppendUnicodeToString
RtlAppendUnicodeStringToString
NtSetInformationFile
NtQueryInformationFile
RtlSetProcessIsCritical
NtOpenProcessToken
NtSetInformationProcess
NtSetEvent
RtlFreeHeap
RtlUnhandledExceptionFilter
RtlQueueApcWow64Thread
NtQueueApcThread
NtOpenThread
RtlVirtualUnwind
RtlLookupFunctionEntry
RtlCaptureContext
RtlInitializeCriticalSection
RtlAreAllAccessesGranted
NtDuplicateToken
NtAccessCheckAndAuditAlarm
NtAccessCheck
NtPrivilegeObjectAuditAlarm
NtPrivilegeCheck
RtlMapGenericMask
RtlSetSecurityObject
NtOpenThreadToken
RtlValidRelativeSecurityDescriptor
NtCloseObjectAuditAlarm
RtlDeregisterWait
RtlReleaseResource
RtlAcquireResourceShared
RtlInitializeResource
RtlAcquireResourceExclusive
RtlQueueWorkItem
RtlDeleteSecurityObject
RtlCopyLuid
NtQueryKey
NtShutdownSystem
NtInitializeRegistry
NtSetSystemEnvironmentValue
RtlInitUnicodeString
NtClose
RtlNtStatusToDosError
RtlQuerySecurityObject
WinSqmAddToStream
RtlSetControlSecurityDescriptor
NtDeleteKey
NtEnumerateKey
NtDeleteValueKey
NtSetValueKey
NtQueryValueKey
NtOpenKey
NtCreateKey
RtlLengthSecurityDescriptor
RtlValidSecurityDescriptor
RtlSetEnvironmentVariable
RtlSetDaclSecurityDescriptor
RtlCreateSecurityDescriptor
RtlAddAccessAllowedAce
RtlCreateAcl
RtlConvertExclusiveToShared
RtlConvertSharedToExclusive
RtlCreateServiceSid
RtlRegisterWait
RtlEqualUnicodeString
RtlGetNtProductType
RtlCopySid
RtlLengthSid
NtUnloadDriver
RtlCompareUnicodeString
NtQueryDirectoryObject
NtOpenDirectoryObject
NtLoadDriver
RtlAdjustPrivilege
RtlExpandEnvironmentStrings_U
NtOpenFile
NtQuerySymbolicLinkObject
RtlNtStatusToDosErrorNoTeb
RtlSubAuthoritySid
RtlLengthRequiredSid
RtlAddAce
RtlNewSecurityObject
RtlSetGroupSecurityDescriptor
RtlSetSaclSecurityDescriptor
RtlAllocateHeap
RtlInitializeSid
RtlSubAuthorityCountSid
RtlSetOwnerSecurityDescriptor
RtlAnsiStringToUnicodeString
RtlInitAnsiString
RtlUnicodeStringToAnsiString
RtlUnicodeStringToInteger
NtOpenSymbolicLinkObject
RtlFreeUnicodeString
RtlDosPathNameToNtPathName_U
NtDeleteObjectAuditAlarm
NtFlushKey
userenv
LoadUserProfileW
UnloadUserProfile
DestroyEnvironmentBlock
CreateEnvironmentBlock
scesrv
ScesrvInitializeServer
ScesrvTerminateServer
ncobjapi
WmiCreateObjectWithFormat
WmiSetAndCommitObject
WmiEventSourceConnect
Sections
.text Size: 235KB - Virtual size: 235KB
IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ
.rdata Size: 95KB - Virtual size: 95KB
IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
.data Size: 9KB - Virtual size: 9KB
IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE
.pdata Size: 12KB - Virtual size: 11KB
IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
.rsrc Size: 18KB - Virtual size: 18KB
IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
.reloc Size: 1KB - Virtual size: 1KB
IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_WRITE