c87e11877d167d329332c40af2a2a010_JaffaCakes118

Sharing

Copy URL Twitter E-mail

General

Target

c87e11877d167d329332c40af2a2a010_JaffaCakes118
Size

437KB
MD5

c87e11877d167d329332c40af2a2a010
SHA1

1300df3cfffac91453180df92c7fe21c9636c776
SHA256

7a48b331f817f2b9b9ce8ca0aa04f3cea1c4990192602e074ce5876064fb79b5
SHA512

603da05669c830810ebf62a2ff81b3e3d7d3a0af7d18373ee4a0019de9e0a1674de6964a48f4f11baad4418576526eeb9b4a17cf966577e3a8033e7490a2b5c5
SSDEEP

6144:G4PC6/IY+YoOAsboiz1/OfRBoqVAyEFD728vg7k3RXFgrg4UqFYe:1PrIYV0AmfRBoq26UXe

Score

1^/10

Malware Config

Signatures

Files

c87e11877d167d329332c40af2a2a010_JaffaCakes118
.exe windows:5 windows x86 arch:x86

d075d86d23f8dfb0ec99bf2fcaa5e9a3

Code Sign

7e:93:eb:fb:7c:c6:4e:59:ea:4b:9a:77:d4:06:fc:3b
Certificate

Issuer

CN=Thawte Timestamping CA,OU=Thawte Certification,O=Thawte,L=Durbanville,ST=Western Cape,C=ZA

Not Before

21/12/2012, 00:00

Not After

30/12/2020, 23:59

Subject

CN=Symantec Time Stamping Services CA - G2,O=Symantec Corporation,C=US

Extended Key Usages

ExtKeyUsageTimeStamping

Key Usages

KeyUsageCertSign
KeyUsageCRLSign

1b:09:3b:78:60:96:da:37:bb:a4:51:94:46:c8:96:78
Certificate

Issuer

OU=Class 3 Public Primary Certification Authority,O=VeriSign\, Inc.,C=US

Not Before

08/11/2006, 00:00

Not After

07/11/2021, 23:59

Subject

CN=VeriSign Class 3 Public Primary Certification Authority - G5,OU=VeriSign Trust Network+OU=(c) 2006 VeriSign\, Inc. - For authorized use only,O=VeriSign\, Inc.,C=US

Key Usages

KeyUsageCertSign
KeyUsageCRLSign

0e:cf:f4:38:c8:fe:bf:35:6e:04:d8:6a:98:1b:1a:50
Certificate

Issuer

CN=Symantec Time Stamping Services CA - G2,O=Symantec Corporation,C=US

Not Before

18/10/2012, 00:00

Not After

29/12/2020, 23:59

Subject

CN=Symantec Time Stamping Services Signer - G4,O=Symantec Corporation,C=US

Extended Key Usages

ExtKeyUsageTimeStamping

Key Usages

KeyUsageDigitalSignature

1c:04:dc:c9:be:35:c5:58:42:2b:af:ef:34:98:49:75
Certificate

Issuer

CN=VeriSign Class 3 Code Signing 2010 CA,OU=VeriSign Trust Network+OU=Terms of use at https://www.verisign.com/rpa (c)10,O=VeriSign\, Inc.,C=US

Not Before

07/01/2015, 00:00

Not After

29/12/2016, 23:59

Subject

CN=DotCash Limited,OU=IT,O=DotCash Limited,L=Hong Kong,ST=Hong Kong,C=HK

Extended Key Usages

ExtKeyUsageCodeSigning

Key Usages

KeyUsageDigitalSignature

52:00:e5:aa:25:56:fc:1a:86:ed:96:c9:d4:4b:33:c7
Certificate

Issuer

CN=VeriSign Class 3 Public Primary Certification Authority - G5,OU=VeriSign Trust Network+OU=(c) 2006 VeriSign\, Inc. - For authorized use only,O=VeriSign\, Inc.,C=US

Not Before

08/02/2010, 00:00

Not After

07/02/2020, 23:59

Subject

CN=VeriSign Class 3 Code Signing 2010 CA,OU=VeriSign Trust Network+OU=Terms of use at https://www.verisign.com/rpa (c)10,O=VeriSign\, Inc.,C=US

Extended Key Usages

ExtKeyUsageClientAuth
ExtKeyUsageCodeSigning

Key Usages

KeyUsageCertSign
KeyUsageCRLSign

23:70:b6:71:d2:6e:3d:45:91:69:5f:1a:03:cb:ab:c3:1a:c2:b6:30
Signer

Actual PE Digest

23:70:b6:71:d2:6e:3d:45:91:69:5f:1a:03:cb:ab:c3:1a:c2:b6:30

Digest Algorithm

sha1

PE Digest Matches

true

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
IMAGE_DLLCHARACTERISTICS_NX_COMPAT
IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_32BIT_MACHINE

PDB Paths

E:\AvazuMPC\Trunk\Build\BranchBuild\Temp\CodeDir\2.0.7351.0902\Bin\Pdb\Release\AdCleaner.pdb

Imports

kernel32

GetCommandLineW
GetSystemTimeAsFileTime
GetTickCount
QueryPerformanceCounter
IsDebuggerPresent
SetUnhandledExceptionFilter
UnhandledExceptionFilter
InterlockedCompareExchange
Sleep
InterlockedExchange
WideCharToMultiByte
MultiByteToWideChar
CreateFileA
MoveFileExW
FreeLibrary
QueryDosDeviceW
SetFilePointer
GetFileSize
GetDiskFreeSpaceExW
CreateDirectoryW
RemoveDirectoryW
FindClose
SetFileAttributesW
FindNextFileW
FindFirstFileW
GetFileAttributesW
DeleteFileW
GetVolumeInformationW
SetFileTime
SystemTimeToFileTime
GetSystemTime
CreateFileW
CreateEventW
UnmapViewOfFile
LoadLibraryA
CreateFileMappingW
OpenFileMappingW
GlobalMemoryStatusEx
LoadLibraryW
GetSystemDirectoryW
GetThreadIOPendingFlag
SetProcessWorkingSetSize
SetThreadPriorityBoost
SetProcessPriorityBoost
GetProcessPriorityBoost
SetThreadPriority
GetThreadPriority
SetPriorityClass
GetPriorityClass
TerminateProcess
ReadFile
GetStartupInfoW
CreatePipe
CreateProcessW
GetExitCodeProcess
ReadProcessMemory
Thread32Next
Thread32First
CreateToolhelp32Snapshot
GetModuleHandleW
OpenThread
GetCurrentThread
GetCurrentProcess
GetCurrentProcessId
OpenProcess
SetLastError
OutputDebugStringA
ReleaseMutex
GetLastError
CreateMutexW
CloseHandle
OpenMutexW
HeapFree
GetProcessHeap
HeapAlloc
GetCurrentThreadId
MapViewOfFile
GetProcAddress

user32

IsWindowEnabled
GetForegroundWindow
GetWindowThreadProcessId
AttachThreadInput
GetParent
GetWindowLongW
IsWindowVisible
PostMessageW
GetThreadDesktop
SetWindowPos
IsHungAppWindow
GetLastActivePopup
ShowWindow
IsIconic
FindWindowW
SendMessageW
EnumWindows
SetForegroundWindow
GetUserObjectInformationW

ole32

CoTaskMemFree

msvcp90

??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV01@@Z
??0?$basic_string@_WU?$char_traits@_W@std@@V?$allocator@_W@2@@std@@QAE@PB_W@Z
?c_str@?$basic_string@_WU?$char_traits@_W@std@@V?$allocator@_W@2@@std@@QBEPB_WXZ
??4?$basic_string@_WU?$char_traits@_W@std@@V?$allocator@_W@2@@std@@QAEAAV01@PB_W@Z
??0?$basic_string@_WU?$char_traits@_W@std@@V?$allocator@_W@2@@std@@QAE@XZ
??1?$basic_string@_WU?$char_traits@_W@std@@V?$allocator@_W@2@@std@@QAE@XZ
?_Myptr@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@IAEPADXZ
?assign@?$basic_string@_WU?$char_traits@_W@std@@V?$allocator@_W@2@@std@@QAEAAV12@PB_WI@Z
?_Myptr@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@IBEPBDXZ
?size@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEIXZ
??$?8_WU?$char_traits@_W@std@@V?$allocator@_W@1@@std@@YA_NABV?$basic_string@_WU?$char_traits@_W@std@@V?$allocator@_W@2@@0@PB_W@Z
??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ
?swap@?$basic_string@_WU?$char_traits@_W@std@@V?$allocator@_W@2@@std@@QAEXAAV12@@Z
??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ
??A?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAADI@Z
?length@?$basic_string@_WU?$char_traits@_W@std@@V?$allocator@_W@2@@std@@QBEIXZ
?end@?$basic_string@_WU?$char_traits@_W@std@@V?$allocator@_W@2@@std@@QAE?AV?$_String_iterator@_WU?$char_traits@_W@std@@V?$allocator@_W@2@@2@XZ
?begin@?$basic_string@_WU?$char_traits@_W@std@@V?$allocator@_W@2@@std@@QAE?AV?$_String_iterator@_WU?$char_traits@_W@std@@V?$allocator@_W@2@@2@XZ
?reserve@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEXI@Z
?push_back@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEXD@Z
?end@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE?AV?$_String_iterator@DU?$char_traits@D@std@@V?$allocator@D@2@@2@XZ
?begin@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE?AV?$_String_iterator@DU?$char_traits@D@std@@V?$allocator@D@2@@2@XZ
??4?$basic_string@_WU?$char_traits@_W@std@@V?$allocator@_W@2@@std@@QAEAAV01@ABV01@@Z
??Y?$basic_string@_WU?$char_traits@_W@std@@V?$allocator@_W@2@@std@@QAEAAV01@PB_W@Z
?rfind@?$basic_string@_WU?$char_traits@_W@std@@V?$allocator@_W@2@@std@@QBEI_WI@Z
?substr@?$basic_string@_WU?$char_traits@_W@std@@V?$allocator@_W@2@@std@@QBE?AV12@II@Z
??$?H_WU?$char_traits@_W@std@@V?$allocator@_W@1@@std@@YA?AV?$basic_string@_WU?$char_traits@_W@std@@V?$allocator@_W@2@@0@ABV10@PB_W@Z
?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ
??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBD@Z
?assign@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV12@PBDI@Z
?_Myptr@?$basic_string@_WU?$char_traits@_W@std@@V?$allocator@_W@2@@std@@IAEPA_WXZ
??0?$basic_string@_WU?$char_traits@_W@std@@V?$allocator@_W@2@@std@@QAE@ABV01@@Z
?append@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV12@PBD@Z
?_Myptr@?$basic_string@_WU?$char_traits@_W@std@@V?$allocator@_W@2@@std@@IBEPB_WXZ
?npos@?$basic_string@_WU?$char_traits@_W@std@@V?$allocator@_W@2@@std@@2IB
??$?9_WU?$char_traits@_W@std@@V?$allocator@_W@1@@std@@YA_NABV?$basic_string@_WU?$char_traits@_W@std@@V?$allocator@_W@2@@0@PB_W@Z

psapi

GetModuleFileNameExW
GetProcessImageFileNameW
GetProcessMemoryInfo

utility

?LogToFile@LogHelper@util@@SAXPB_W0ZZ
?Find@TString@util@@QAEHPB_WI@Z
??0TString@util@@QAE@PB_WH@Z
?Trim@TString@util@@QAE?AV12@_W@Z
??BTString@util@@QBEPB_WXZ
??4TString@util@@QAEABV01@PB_W@Z
??1TString@util@@UAE@XZ
?GetDefaultOsLanguage@OSHelper@util@@SAHXZ
?ConvertFromIntW@StringHelper@util@@SA?AV?$AutoPtr@_W@2@H@Z
??1CCrashHandler@util@@QAE@XZ
??0CCrashHandler@util@@QAE@HH@Z
?c_str@TString@util@@QAEPB_WXZ

xskin

?GetAppPath@XAppData@@YA?AVXString@@XZ
?InitCore@Util@@YAJPB_W0@Z
??1XString@@QAE@XZ
?GetData@XString@@QBEPB_WXZ
?CombinePath@FileUtil@@YA?AVXString@@PB_W0@Z
?DestoryCore@Util@@YAJXZ
??4XString@@QAEAAV0@ABV0@@Z

xbus

?CreateXBus@XBus@@YAPAUIXBus@1@XZ
?ReleaseXBus@XBus@@YAXPAUIXBus@1@@Z

support

?InitProductType@AppHelper@support@@SAXW4ProductType@2@@Z
?CheckSilenceUpdate@AdcHelper@support@@SA_NV?$basic_string@_WU?$char_traits@_W@std@@V?$allocator@_W@2@@std@@@Z
?IsUpdateHostExisted@AdcHelper@support@@SA_NXZ
?GetLanguageSetting@AppHelper@support@@SAK_N@Z

msvcr90

wcschr
wcsrchr
wcsstr
memcpy
fclose
fgetc
fopen_s
iswalpha
_vsnwprintf
strlen
wcscat_s
??_U@YAPAXI@Z
_wcsnicmp
wcslen
_wcsicmp
memset
memmove_s
??0exception@std@@QAE@ABV01@@Z
_CxxThrowException
_invalid_parameter_noinfo
??0exception@std@@QAE@XZ
??1exception@std@@UAE@XZ
?what@exception@std@@UBEPBDXZ
??0exception@std@@QAE@ABQBD@Z
__CxxFrameHandler3
??2@YAPAXI@Z
??3@YAXPAX@Z
tolower
toupper
_vsnwprintf_s
_vsnprintf_s
_unlock
__dllonexit
_lock
_encode_pointer
_controlfp_s
_invoke_watson
_crt_debugger_hook
?_type_info_dtor_internal_method@type_info@@QAEXXZ
?terminate@@YAXXZ
_except_handler4_common
__set_app_type
__p__fmode
__p__commode
_adjust_fdiv
__setusermatherr
_configthreadlocale
_initterm_e
_initterm
_wcmdln
exit
_XcptFilter
_exit
_cexit
__wgetmainargs
_amsg_exit
_decode_pointer
_onexit
??_V@YAXPAX@Z

iphlpapi

GetExtendedTcpTable

version

GetFileVersionInfoW
VerQueryValueW
GetFileVersionInfoSizeW

mpr

WNetEnumResourceW
WNetOpenEnumW
WNetCloseEnum

advapi32

InitializeSecurityDescriptor
OpenProcessToken
LookupPrivilegeValueW
SetSecurityDescriptorDacl
AdjustTokenPrivileges

ntdll

NtQueryInformationProcess
NtResumeProcess
NtClose
NtSetInformationProcess
NtSetSystemInformation
NtLockVirtualMemory
NtUnlockVirtualMemory
RtlNtPathNameToDosPathName
RtlInitUnicodeString
NtCreatePagingFile
NtDuplicateObject
NtQuerySystemInformation
NtOpenProcess
RtlNtStatusToDosError
NtTerminateProcess
NtSuspendProcess

shlwapi

StrStrW
PathFindFileNameW
PathFileExistsW
PathRemoveBackslashW
PathStripPathW

ws2_32

ntohs

Sections

.text
Size: 38KB - Virtual size: 38KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rdata
Size: 19KB - Virtual size: 18KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.data
Size: 1024B - Virtual size: 1KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.rsrc
Size: 366KB - Virtual size: 365KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.reloc
Size: 5KB - Virtual size: 4KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ

Sharing

General

Malware Config

Signatures

Files

d075d86d23f8dfb0ec99bf2fcaa5e9a3

Code Sign

7e:93:eb:fb:7c:c6:4e:59:ea:4b:9a:77:d4:06:fc:3bCertificate

Extended Key Usages

Key Usages

1b:09:3b:78:60:96:da:37:bb:a4:51:94:46:c8:96:78Certificate

Key Usages

0e:cf:f4:38:c8:fe:bf:35:6e:04:d8:6a:98:1b:1a:50Certificate

Extended Key Usages

Key Usages

1c:04:dc:c9:be:35:c5:58:42:2b:af:ef:34:98:49:75Certificate

Extended Key Usages

Key Usages

52:00:e5:aa:25:56:fc:1a:86:ed:96:c9:d4:4b:33:c7Certificate

Extended Key Usages

Key Usages

23:70:b6:71:d2:6e:3d:45:91:69:5f:1a:03:cb:ab:c3:1a:c2:b6:30Signer

Headers

DLL Characteristics

File Characteristics

PDB Paths

Imports

kernel32

user32

ole32

msvcp90

psapi

utility

xskin

xbus

support

msvcr90

iphlpapi

version

mpr

advapi32

ntdll

shlwapi

ws2_32

Sections

.text Size: 38KB - Virtual size: 38KB

.rdata Size: 19KB - Virtual size: 18KB

.data Size: 1024B - Virtual size: 1KB

.rsrc Size: 366KB - Virtual size: 365KB

.reloc Size: 5KB - Virtual size: 4KB

7e:93:eb:fb:7c:c6:4e:59:ea:4b:9a:77:d4:06:fc:3b
Certificate

1b:09:3b:78:60:96:da:37:bb:a4:51:94:46:c8:96:78
Certificate

0e:cf:f4:38:c8:fe:bf:35:6e:04:d8:6a:98:1b:1a:50
Certificate

1c:04:dc:c9:be:35:c5:58:42:2b:af:ef:34:98:49:75
Certificate

52:00:e5:aa:25:56:fc:1a:86:ed:96:c9:d4:4b:33:c7
Certificate

23:70:b6:71:d2:6e:3d:45:91:69:5f:1a:03:cb:ab:c3:1a:c2:b6:30
Signer

.text
Size: 38KB - Virtual size: 38KB

.rdata
Size: 19KB - Virtual size: 18KB

.data
Size: 1024B - Virtual size: 1KB

.rsrc
Size: 366KB - Virtual size: 365KB

.reloc
Size: 5KB - Virtual size: 4KB