ba4c67347f53e44e5116cdfe46e077c6_JaffaCakes118

Sharing

Copy URL Twitter E-mail

General

Target

ba4c67347f53e44e5116cdfe46e077c6_JaffaCakes118
Size

326KB
MD5

ba4c67347f53e44e5116cdfe46e077c6
SHA1

4a49f6ffa6efba84ab11f7acdb6d53412237c6fc
SHA256

084ea0bdfabfa03853043e97027d1e25783b3a8f7912824e94aad8c097a20113
SHA512

d55e92e163dd18efafc17a95768270957103ae4cd4c1598d9ce73e3c77fbf3d8717426a2e592112b298129108fd45c9f7e24a52d67a8386bec31026496881a97
SSDEEP

6144:6eWwce4syTFx/pljNOvdSVfEygdKQIg/H1FGMZFLPN:h1E9Jv4FyhQ5/bGMrN

Score

7^/10

vmprotect

Malware Config

Signatures

VMProtect packed file 1 IoCs

Detects executables packed with VMProtect commercial packer.

vmprotect

resource	yara_rule
sample	vmprotect

Files

ba4c67347f53e44e5116cdfe46e077c6_JaffaCakes118
.sys windows:10 windows x64 arch:x64

202435427b785714c205c5291c664dc3

Code Sign

5f:78:14:9e:b4:f7:5e:b1:74:04:a8:14:3a:ae:ae:d7
Certificate

Issuer

CN=VeriSign Class 3 Code Signing 2010 CA,OU=VeriSign Trust Network+OU=Terms of use at https://www.verisign.com/rpa (c)10,O=VeriSign\, Inc.,C=US

Not Before

23/03/2011, 00:00

Not After

22/03/2012, 23:59

Subject

CN=上海域联软件技术有限公司,OU=Digital ID Class 3 - Microsoft Software Validation v2,O=上海域联软件技术有限公司,L=Shanghai,ST=Shanghai,C=CN

Extended Key Usages

ExtKeyUsageCodeSigning

Key Usages

KeyUsageDigitalSignature

61:19:93:e4:00:00:00:00:00:1c
Certificate

Issuer

CN=Microsoft Code Verification Root,O=Microsoft Corporation,L=Redmond,ST=Washington,C=US

Not Before

22/02/2011, 19:25

Not After

22/02/2021, 19:35

Subject

CN=VeriSign Class 3 Public Primary Certification Authority - G5,OU=VeriSign Trust Network+OU=(c) 2006 VeriSign\, Inc. - For authorized use only,O=VeriSign\, Inc.,C=US

Key Usages

KeyUsageDigitalSignature
KeyUsageCertSign
KeyUsageCRLSign

52:00:e5:aa:25:56:fc:1a:86:ed:96:c9:d4:4b:33:c7
Certificate

Issuer

CN=VeriSign Class 3 Public Primary Certification Authority - G5,OU=VeriSign Trust Network+OU=(c) 2006 VeriSign\, Inc. - For authorized use only,O=VeriSign\, Inc.,C=US

Not Before

08/02/2010, 00:00

Not After

07/02/2020, 23:59

Subject

CN=VeriSign Class 3 Code Signing 2010 CA,OU=VeriSign Trust Network+OU=Terms of use at https://www.verisign.com/rpa (c)10,O=VeriSign\, Inc.,C=US

Extended Key Usages

ExtKeyUsageClientAuth
ExtKeyUsageCodeSigning

Key Usages

KeyUsageCertSign
KeyUsageCRLSign

46:a5:14:14:da:53:e5:36:61:1f:0a:28:82:a3:60:74:ea:be:85:cb
Signer

Actual PE Digest

46:a5:14:14:da:53:e5:36:61:1f:0a:28:82:a3:60:74:ea:be:85:cb

Digest Algorithm

sha1

PE Digest Matches

true

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_HIGH_ENTROPY_VA
IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
IMAGE_DLLCHARACTERISTICS_NX_COMPAT

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LARGE_ADDRESS_AWARE

PDB Paths

Imports

fltmgr.sys

FltUnregisterFilter
FltParseFileNameInformation
FltReleaseFileNameInformation
FltSetCallbackDataDirty
FltRegisterFilter
FltStartFiltering
FltGetFileNameInformation

ntoskrnl.exe

RtlInitUnicodeString
KdDisableDebugger
ExFreePoolWithTag
ExGetPreviousMode
PsCreateSystemThread
PsTerminateSystemThread
IofCompleteRequest
IoDeleteDevice
IoDeleteSymbolicLink
ZwClose
IoRegisterDriverReinitialization
RtlRandomEx
ZwDeleteFile
KdDebuggerEnabled
MmIsAddressValid
PsGetCurrentProcessId
RtlInitAnsiString
RtlWriteRegistryValue
RtlCreateRegistryKey
RtlAnsiStringToUnicodeString
RtlUnicodeStringToAnsiString
RtlCopyUnicodeString
RtlFreeUnicodeString
RtlFreeAnsiString
KeDelayExecutionThread
ExAllocatePool
PsGetVersion
IoCreateDevice
IoCreateFile
IoCreateSymbolicLink
IoGetDeviceObjectPointer
ObReferenceObjectByHandle
ObfDereferenceObject
ZwCreateFile
ZwOpenFile
ZwLoadDriver
ZwWriteFile
ZwOpenSymbolicLinkObject
ZwQuerySymbolicLinkObject
IoVolumeDeviceToDosName
IoQueryFileDosDeviceName
FsRtlIsNameInExpression
ZwQuerySystemInformation
IoFileObjectType
RtlCompareUnicodeString
KeStackAttachProcess
KeUnstackDetachProcess
PsLookupProcessByProcessId
PsGetProcessWow64Process
PsGetProcessPeb
ZwTerminateProcess
PsLookupThreadByThreadId
ZwAllocateVirtualMemory
KeInitializeApc
KeInsertQueueApc
KeInitializeEvent
KeSetEvent
KeWaitForSingleObject
ExAllocatePoolWithTag
MmProbeAndLockPages
IoAllocateIrp
IoAllocateMdl
IoBuildDeviceIoControlRequest
IoFreeIrp
IoFreeMdl
IoGetRelatedDeviceObject
__C_specific_handler
RtlEqualUnicodeString
KeAcquireSpinLockRaiseToDpc
KeReleaseSpinLock
MmMapLockedPagesSpecifyCache
MmGetSystemRoutineAddress
ZwUnmapViewOfSection
PsSetCreateProcessNotifyRoutine
PsGetProcessId
ObOpenObjectByPointer
ZwFlushInstructionCache
PsGetProcessImageFileName
PsGetProcessInheritedFromUniqueProcessId
ZwQueryInformationProcess
PsGetProcessExitProcessCalled
PsProcessType
PsInitialSystemProcess
KeClearEvent
IoReuseIrp
IoGetFileObjectGenericMapping
IoGetDeviceAttachmentBaseRef
ObCreateObject
SeCreateAccessState
ZwOpenKey
ZwDeleteKey
ZwEnumerateKey
ZwQueryKey
ZwQueryValueKey
RtlFormatCurrentUserKeyPath
IoCancelIrp
RtlAnsiCharToUnicodeChar
RtlUnicodeToMultiByteN
KeBugCheckEx
IoAllocateMdl
MmProbeAndLockPages
MmMapLockedPagesSpecifyCache
MmUnlockPages
IoFreeMdl
ExAllocatePool
ExFreePool
NtQuerySystemInformation

hal

HalMakeBeep

Sections

.text
Size: - Virtual size: 58KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rdata
Size: - Virtual size: 6KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.data
Size: - Virtual size: 124KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.pdata
Size: - Virtual size: 2KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.gfids
Size: - Virtual size: 4B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

INIT
Size: - Virtual size: 3KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.vmp0
Size: - Virtual size: 162KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.vmp1
Size: 320KB - Virtual size: 319KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.reloc
Size: 512B - Virtual size: 108B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ

Sharing

General

Malware Config

Signatures

Files

202435427b785714c205c5291c664dc3

Code Sign

5f:78:14:9e:b4:f7:5e:b1:74:04:a8:14:3a:ae:ae:d7Certificate

Extended Key Usages

Key Usages

61:19:93:e4:00:00:00:00:00:1cCertificate

Key Usages

52:00:e5:aa:25:56:fc:1a:86:ed:96:c9:d4:4b:33:c7Certificate

Extended Key Usages

Key Usages

46:a5:14:14:da:53:e5:36:61:1f:0a:28:82:a3:60:74:ea:be:85:cbSigner

Headers

DLL Characteristics

File Characteristics

PDB Paths

Imports

fltmgr.sys

ntoskrnl.exe

hal

Sections

.text Size: - Virtual size: 58KB

.rdata Size: - Virtual size: 6KB

.data Size: - Virtual size: 124KB

.pdata Size: - Virtual size: 2KB

.gfids Size: - Virtual size: 4B

INIT Size: - Virtual size: 3KB

.vmp0 Size: - Virtual size: 162KB

.vmp1 Size: 320KB - Virtual size: 319KB

.reloc Size: 512B - Virtual size: 108B

5f:78:14:9e:b4:f7:5e:b1:74:04:a8:14:3a:ae:ae:d7
Certificate

61:19:93:e4:00:00:00:00:00:1c
Certificate

52:00:e5:aa:25:56:fc:1a:86:ed:96:c9:d4:4b:33:c7
Certificate

46:a5:14:14:da:53:e5:36:61:1f:0a:28:82:a3:60:74:ea:be:85:cb
Signer

.text
Size: - Virtual size: 58KB

.rdata
Size: - Virtual size: 6KB

.data
Size: - Virtual size: 124KB

.pdata
Size: - Virtual size: 2KB

.gfids
Size: - Virtual size: 4B

INIT
Size: - Virtual size: 3KB

.vmp0
Size: - Virtual size: 162KB

.vmp1
Size: 320KB - Virtual size: 319KB

.reloc
Size: 512B - Virtual size: 108B