General
Target
bf2824979ff04f1e9954d4857078799e_JaffaCakes118
Size
56KB
MD5
bf2824979ff04f1e9954d4857078799e
SHA1
eb54a5eb4afcc09d331178cba39dc21ed1e66f26
SHA256
90a7ecd6f09ce8dc6ecdef81869a702371d32e235ec573c60e9794a4939de459
SHA512
ac14ba2766ab822eed5c2cf92ba0c556831ae40492611d12ddd20b3126d4a839262e28b8231f514cfb476c9e060b351a16d87f4d2e1ea086fa19d10530bdf4eb
SSDEEP
1536:slshLws32LqTGuzGMsZRswK/mG1cnNyfCFR:sS+s3frzHsZR3K/mGmJ
Malware Config
Signatures
resource yara_rule sample vmprotect
Unsigned PE 1 IoCs
Checks for missing Authenticode signature.
resource bf2824979ff04f1e9954d4857078799e_JaffaCakes118
Files
bf2824979ff04f1e9954d4857078799e_JaffaCakes118.sys windows:5 windows x86 arch:x86
0e949ddcf30b9927d9dd83910968119b
Headers
File Characteristics
IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_32BIT_MACHINE
Imports
ntoskrnl.exe
ObfDereferenceObject
KeStackAttachProcess
ExDeleteNPagedLookasideList
ExInterlockedPopEntrySList
PsProcessType
ZwRequestWaitReplyPort
ObReferenceObjectByHandle
ZwTerminateProcess
DbgPrint
strncmp
_wcsnicmp
PsGetCurrentProcessId
IoFreeMdl
ZwClose
MmProbeAndLockPages
RtlCompareMemory
MmUnlockPages
MmIsAddressValid
ObOpenObjectByPointer
IoAllocateMdl
KeServiceDescriptorTable
RtlFreeAnsiString
IoGetCurrentProcess
MmMapLockedPagesSpecifyCache
KeUnstackDetachProcess
strncpy
RtlUnicodeStringToAnsiString
RtlInitAnsiString
MmGetSystemRoutineAddress
ExfInterlockedInsertTailList
RtlInitUnicodeString
RtlSetDaclSecurityDescriptor
PsLookupProcessByProcessId
NtBuildNumber
ExInitializeNPagedLookasideList
memmove
ExInterlockedPushEntrySList
IoThreadToProcess
_strnicmp
ExFreePoolWithTag
ZwQuerySystemInformation
ExAllocatePoolWithTag
_except_handler3
memcpy
hal
KfAcquireSpinLock
KfReleaseSpinLock
fltmgr.sys
FltParseFileNameInformation
FltReleaseFileNameInformation
FltRegisterFilter
FltBuildDefaultSecurityDescriptor
FltCloseCommunicationPort
FltUnregisterFilter
FltGetFileNameInformation
FltIsDirectory
FltFreeSecurityDescriptor
FltDoCompletionProcessingWhenSafe
FltCreateCommunicationPort
FltSetCallbackDataDirty
FltCloseClientPort
FltLockUserBuffer
FltStartFiltering
Sections
.text Size: - Virtual size: 9KB
IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE
.rdata Size: - Virtual size: 884B
IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE
.data Size: - Virtual size: 2KB
IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE
PAGE Size: - Virtual size: 79B
IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE
INIT Size: - Virtual size: 2KB
IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE
.rsrc Size: 1024B - Virtual size: 552B
IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ
.vmp0 Size: - Virtual size: 1KB
IMAGE_SCN_CNT_CODE
IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE
.vmp1 Size: - Virtual size: 28KB
IMAGE_SCN_CNT_CODE
IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE
.vmp2 Size: 53KB - Virtual size: 53KB
IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE
.reloc Size: 512B - Virtual size: 96B
IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ