mimikatz | bf69b0887a654001dc28b9b45a79a161_JaffaCakes118

Sharing

Copy URL

Twitter E-mail

General

Target

bf69b0887a654001dc28b9b45a79a161_JaffaCakes118
Size

1.1MB
MD5

bf69b0887a654001dc28b9b45a79a161
SHA1

9b34a0366c2f646accfacf4ae1733eb60461f952
SHA256

3fe11e31740f9783ec79cdc85ff9f0529f5346a48af35a891f70b87f755612b0
SHA512

8aa18c01ae234e75037a105d336252574f7c3fde817dbf3dafeccf22a24f1a84176e68ce6e5a754fdd182d66a6af364a869740f4c44928b60985ae72ba4d0e4b
SSDEEP

24576:7twY9Ercp2U0ZSXE5RFglb4oQ8VIDEs9ekZBymhZ8oLwjPZ+/yCOl9c:W2oF0Eil5pdXli8oLOPZ+KN9c

Score

10^/10

mimikatz

Malware Config

Signatures

Mimikatz family
mimikatz

mimikatz is an open source tool to dump credentials on Windows 1 IoCs

resource	yara_rule
sample	mimikatz

Unsigned PE 1 IoCs

Checks for missing Authenticode signature.

resource
bf69b0887a654001dc28b9b45a79a161_JaffaCakes118

Files

bf69b0887a654001dc28b9b45a79a161_JaffaCakes118
.exe windows:6 windows x86 arch:x86

1a90a448b1d8bcf6a1d4467a797f9c31

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
IMAGE_DLLCHARACTERISTICS_NX_COMPAT
IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_32BIT_MACHINE

PDB Paths

D:\workspace\projects\fb1\download_o\Release\netsys.pdb

Imports

advapi32

DuplicateTokenEx
CreateProcessAsUserW
OpenProcessToken
SetTokenInformation
RegQueryValueExA
RegCloseKey
RegOpenKeyExW
RegEnumKeyExW
QueryServiceStatusEx
OpenServiceW
StartServiceCtrlDispatcherW
RegisterServiceCtrlHandlerW
ChangeServiceConfig2W
SetServiceStatus
OpenSCManagerW
CloseServiceHandle
CreateServiceW
IsTextUnicode
ConvertSidToStringSidW
LsaFreeMemory
IsValidSid
GetSidSubAuthority
GetSidSubAuthorityCount
LsaClose
LsaOpenPolicy
LsaQueryInformationPolicy
CreateWellKnownSid
CryptReleaseContext
GetLengthSid
CryptImportKey
CryptSetKeyParam
CopySid
CryptDecrypt
CryptAcquireContextW
CryptDestroyKey
CryptGenKey
CryptGetProvParam
CryptGetHashParam
CryptDestroyHash
CryptSetHashParam
CryptHashData
CryptCreateHash
CryptExportKey
CreateProcessWithLogonW
LookupPrivilegeNameW
OpenThreadToken
CheckTokenMembership
LookupAccountSidW
CryptGetUserKey
CryptSetProvParam
CryptEnumProvidersW
CryptEnumProviderTypesW
SystemFunction006
CredIsMarshaledCredentialW
CredUnmarshalCredentialW
RegQueryInfoKeyW
RegEnumValueW
RegQueryValueExW
SetThreadToken
GetTokenInformation
CryptAcquireContextA
CryptGetKeyParam
SystemFunction007
ConvertStringSidToSidW
A_SHAFinal
A_SHAInit
A_SHAUpdate

crypt32

CryptBinaryToStringW
CryptProtectData
CertAddEncodedCertificateToStore
CertFreeCertificateContext
CertCloseStore
PFXExportCertStoreEx
CertSetCertificateContextProperty
CertOpenStore
CryptAcquireCertificatePrivateKey
CryptDecodeObjectEx
CryptStringToBinaryA
CryptStringToBinaryW
CryptFindOIDInfo
CertAddCertificateContextToStore
CertEnumCertificatesInStore
CryptQueryObject
CertFindCertificateInStore
CryptEncodeObject
CertGetNameStringW
CertGetCertificateContextProperty
CryptExportPublicKeyInfo
CryptSignAndEncodeCertificate
CertNameToStrW
CryptUnprotectData
CertEnumSystemStore
CryptBinaryToStringA

ole32

CoCreateInstance

shell32

SHGetSpecialFolderPathW

user32

IsCharAlphaNumericW
wsprintfW

userenv

CreateEnvironmentBlock
DestroyEnvironmentBlock

wtsapi32

WTSQueryUserToken

kernel32

RtlUnwind
RaiseException
SetHandleInformation
ReadProcessMemory
LoadLibraryExW
QueryPerformanceFrequency
GetStdHandle
GetFileType
GetModuleHandleExW
WriteConsoleW
GetCommandLineA
GetCommandLineW
IsValidLocale
GetUserDefaultLCID
GetTickCount
ExitProcess
CreateFileW
DeviceIoControl
CopyFileA
VerifyVersionInfoW
VerSetConditionMask
CreateProcessW
MultiByteToWideChar
FindClose
GetModuleFileNameW
FindNextFileW
FindFirstFileW
CreateDirectoryA
FreeLibrary
WTSGetActiveConsoleSessionId
GetProcAddress
CreateThread
CloseHandle
Process32FirstW
DeleteFileA
LoadLibraryA
GetBinaryTypeA
Process32NextW
GetLastError
Sleep
ProcessIdToSessionId
CreateToolhelp32Snapshot
VirtualProtect
WriteProcessMemory
VirtualQueryEx
VirtualQuery
GetCurrentThread
DuplicateHandle
IsWow64Process
GetProcessId
lstrlenW
lstrlenA
OpenProcess
WaitForSingleObject
MoveFileA
GetModuleFileNameA
GetFileAttributesA
WideCharToMultiByte
LocalFree
GetFileAttributesW
EnumSystemLocalesW
GetTimeZoneInformation
GetConsoleMode
ReadConsoleW
SetFilePointerEx
GetConsoleCP
FindFirstFileExW
IsValidCodePage
GetACP
GetOEMCP
GetEnvironmentStringsW
FreeEnvironmentStringsW
SetEnvironmentVariableW
VirtualProtectEx
CreatePipe
GetFileSizeEx
GetDateFormatW
GetTimeFormatW
FileTimeToLocalFileTime
FileTimeToSystemTime
FlushFileBuffers
MapViewOfFile
CreateFileMappingW
FormatMessageA
GetSystemTime
SystemTimeToFileTime
GetProcessHeap
GetFileSize
LockFileEx
CreateFileMappingA
UnlockFile
HeapDestroy
HeapCompact
HeapAlloc
SetStdHandle
LoadLibraryW
GetSystemInfo
HeapReAlloc
DeleteFileW
GetVersionExA
CreateFileA
FlushViewOfFile
OutputDebugStringW
GetFileAttributesExW
GetDiskFreeSpaceA
GetTempPathA
HeapSize
HeapValidate
UnmapViewOfFile
GetVersionExW
CreateMutexW
GetTempPathW
UnlockFileEx
SetEndOfFile
GetFullPathNameA
SetFilePointer
LockFile
OutputDebugStringA
GetDiskFreeSpaceW
InterlockedCompareExchange
WriteFile
GetFullPathNameW
HeapFree
HeapCreate
ReadFile
AreFileApisANSI
LocalAlloc
InitializeSListHead
GetCurrentThreadId
GetCurrentProcessId
QueryPerformanceCounter
GetStartupInfoW
IsDebuggerPresent
WaitForSingleObjectEx
ResetEvent
SetEvent
IsProcessorFeaturePresent
TerminateProcess
GetCurrentProcess
SetUnhandledExceptionFilter
UnhandledExceptionFilter
GetStringTypeW
GetLocaleInfoW
LCMapStringW
CompareStringW
GetCPInfo
DecodePointer
EncodePointer
GetModuleHandleW
GetSystemTimeAsFileTime
TlsFree
TlsSetValue
TlsGetValue
TlsAlloc
SwitchToThread
CreateEventW
InitializeCriticalSectionAndSpinCount
SetLastError
DeleteCriticalSection
LeaveCriticalSection
EnterCriticalSection
FormatMessageW

winhttp

WinHttpCloseHandle
WinHttpSendRequest
WinHttpReceiveResponse
WinHttpConnect
WinHttpQueryDataAvailable
WinHttpOpen
WinHttpAddRequestHeaders
WinHttpReadData
WinHttpOpenRequest
WinHttpSetTimeouts

iphlpapi

GetAdaptersInfo

urlmon

URLDownloadToFileA

bcrypt

BCryptEncrypt
BCryptFreeBuffer
BCryptEnumRegisteredProviders
BCryptGetProperty
BCryptGenerateSymmetricKey
BCryptImportKeyPair
BCryptExportKey
BCryptSetProperty
BCryptCloseAlgorithmProvider
BCryptDestroyKey
BCryptDecrypt
BCryptOpenAlgorithmProvider

cryptdll

MD5Init
MD5Final
CDLocateCheckSum
CDGenerateRandomBits
MD5Update

ncrypt

NCryptImportKey
NCryptOpenStorageProvider
NCryptGetProperty
NCryptSetProperty
NCryptExportKey
NCryptFreeBuffer
NCryptEnumKeys
NCryptOpenKey
NCryptFinalizeKey
NCryptFreeObject

netapi32

DsGetDcNameW
NetApiBufferFree

oleaut32

SysFreeString
SysAllocString
VariantInit

rpcrt4

UuidCreate
NdrMesTypeEncode2
NdrMesTypeDecode2
NdrMesTypeFree2
NdrMesTypeAlignSize2
RpcBindingFromStringBindingW
RpcStringBindingComposeW
RpcBindingSetAuthInfoExW
RpcStringFreeW
MesHandleFree
MesEncodeIncrementalHandleCreate
MesDecodeIncrementalHandleCreate
RpcBindingFree
MesIncrementalHandleReset
NdrClientCall2

shlwapi

PathFindFileNameW
PathIsDirectoryW

winscard

SCardFreeMemory
SCardListReadersW
SCardGetCardTypeProviderNameW
SCardConnectW
SCardReleaseContext
SCardEstablishContext
SCardDisconnect
SCardControl
SCardListCardsW
SCardGetAttrib

wldap32

ord310
ord304
ord301
ord54
ord309

ntdll

RtlFreeUnicodeString
RtlFreeAnsiString
RtlUpcaseUnicodeStringToOemString
NtCompareTokens
RtlEqualString
RtlEqualUnicodeString
NtQuerySystemInformation
NtQueryInformationProcess
RtlGetCurrentPeb
NtSuspendProcess
RtlFreeOemString
NtTerminateProcess
RtlUnicodeStringToAnsiString
RtlStringFromGUID
NtQueryObject
NtResumeProcess
RtlInitUnicodeString
RtlDowncaseUnicodeString
RtlGUIDFromString

Exports

Exports

exec

Sections

.text
Size: 842KB - Virtual size: 842KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rdata
Size: 247KB - Virtual size: 247KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.data
Size: 14KB - Virtual size: 26KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.rsrc
Size: 512B - Virtual size: 488B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.reloc
Size: 32KB - Virtual size: 31KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ

Sharing

General

Malware Config

Signatures

Files

1a90a448b1d8bcf6a1d4467a797f9c31

Headers

DLL Characteristics

File Characteristics

PDB Paths

Imports

advapi32

crypt32

ole32

shell32

user32

userenv

wtsapi32

kernel32

winhttp

iphlpapi

urlmon

bcrypt

cryptdll

ncrypt

netapi32

oleaut32

rpcrt4

shlwapi

winscard

wldap32

ntdll

Exports

Exports

Sections

.text Size: 842KB - Virtual size: 842KB

.rdata Size: 247KB - Virtual size: 247KB

.data Size: 14KB - Virtual size: 26KB

.rsrc Size: 512B - Virtual size: 488B

.reloc Size: 32KB - Virtual size: 31KB

.text
Size: 842KB - Virtual size: 842KB

.rdata
Size: 247KB - Virtual size: 247KB

.data
Size: 14KB - Virtual size: 26KB

.rsrc
Size: 512B - Virtual size: 488B

.reloc
Size: 32KB - Virtual size: 31KB