be23e26fe2bd9594cf23bd9516f597a4_JaffaCakes118

General

Target

be23e26fe2bd9594cf23bd9516f597a4_JaffaCakes118
Size

121KB
MD5

be23e26fe2bd9594cf23bd9516f597a4
SHA1

34295b992b1501192203a3437993c72aa3ff3c71
SHA256

1f4f4d203b60a19c03d145819539ed849c1a20f0ca970aafbd0ff9cdb281413a
SHA512

7a7b6abd9cbd2d3e28fa18a609dd583a7782f1b4ad22a3938af79244c45dcaf4f0809acd8f77879d2ab6bea1cab46c07274a27162967d639ddbd6c877e410da4
SSDEEP

3072:AuL2P7rhJu4TckdTpHe+JNT0KLc4oEqc9gzXo/1s:AbzlM4T/d5eWNQKL6i6P

Score

7^/10

vmprotect

Malware Config

Signatures

VMProtect packed file 1 IoCs

Detects executables packed with VMProtect commercial packer.

vmprotect

resource	yara_rule
sample	vmprotect

Unsigned PE 1 IoCs

Checks for missing Authenticode signature.

resource
be23e26fe2bd9594cf23bd9516f597a4_JaffaCakes118

Files

be23e26fe2bd9594cf23bd9516f597a4_JaffaCakes118
.sys windows:5 windows x86 arch:x86

635a682624b37d893ac2a628f1a345d5

Headers

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_32BIT_MACHINE

Imports

ntoskrnl.exe

ZwCreateKey
ZwReadFile
ExGetPreviousMode
KeDelayExecutionThread
ZwCreateFile
PsCreateSystemThread
ZwQueryDirectoryFile
ZwDeleteFile
ZwQueryInformationProcess
ZwCreateSection
ZwOpenFile
ZwQueryInformationFile
ZwOpenKey
ExFreePoolWithTag
_wcsnicmp
ExAllocatePoolWithTag
KeDetachProcess
ObQueryNameString
ZwQueryValueKey
IoGetCurrentProcess
ObReferenceObjectByHandle
KeAttachProcess
ZwOpenProcess
KeServiceDescriptorTable
PsGetCurrentProcessId
MmIsAddressValid
ObfDereferenceObject
ZwSetValueKey
ZwWriteFile
ZwClose
IoCreateFile
RtlInitUnicodeString
_except_handler3

hal

KeRaiseIrqlToDpcLevel
KfLowerIrql

Sections

.text
Size: 8KB - Virtual size: 7KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.data
Size: 90KB - Virtual size: 90KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

INIT
Size: 1024B - Virtual size: 912B

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.vmp0
Size: 1024B - Virtual size: 822B

IMAGE_SCN_CNT_CODE
IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.vmp1
Size: 19KB - Virtual size: 19KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.reloc
Size: 512B - Virtual size: 412B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ

Sharing

General

Malware Config

Signatures

Files

635a682624b37d893ac2a628f1a345d5

Headers

File Characteristics

Imports

ntoskrnl.exe

hal

Sections

.text Size: 8KB - Virtual size: 7KB

.data Size: 90KB - Virtual size: 90KB

INIT Size: 1024B - Virtual size: 912B

.vmp0 Size: 1024B - Virtual size: 822B

.vmp1 Size: 19KB - Virtual size: 19KB

.reloc Size: 512B - Virtual size: 412B

.text
Size: 8KB - Virtual size: 7KB

.data
Size: 90KB - Virtual size: 90KB

INIT
Size: 1024B - Virtual size: 912B

.vmp0
Size: 1024B - Virtual size: 822B

.vmp1
Size: 19KB - Virtual size: 19KB

.reloc
Size: 512B - Virtual size: 412B