pandastealer | ca17c7f891fbb38395620bc2d32bc249_JaffaCakes118 | Triage

Sharing

General

Target

ca17c7f891fbb38395620bc2d32bc249_JaffaCakes118
Size

6.3MB
MD5

ca17c7f891fbb38395620bc2d32bc249
SHA1

872052e5331c2c45f85811bc69d80aa27a8b7473
SHA256

3b0297bcc784040797f3b12d6ff64e995d35a807465de50b5d6837247799f278
SHA512

0212410d476b4425493b83b79fa0f46292b78d8246ab1744d0b455ed6f9fb0abd6d9dd602c489e0c1a4ec8c2daee0bf0dd33040ac8c63e13745857e0e89a62ba
SSDEEP

98304:TvzFOCl2USRBqd8Y/hXdbCwYIO28vGi6xiLF1FkXshb5XbxyQAmrLuTm8Fbnr8:rOvQ88hs28uipL7VjremuTR3

Score

10^/10

vmprotect pandastealer

Malware Config

Signatures

Panda Stealer payload 1 IoCs

Processes:

resource yara_rule

sample family_pandastealer
Pandastealer family
pandastealer
VMProtect packed file 1 IoCs
Detects executables packed with VMProtect commercial packer.
vmprotect

Processes:

resource yara_rule

sample vmprotect

Unsigned PE 1 IoCs

Checks for missing Authenticode signature.

Processes:

resource
ca17c7f891fbb38395620bc2d32bc249_JaffaCakes118

Files

ca17c7f891fbb38395620bc2d32bc249_JaffaCakes118
.exe windows:6 windows x86 arch:x86

46c433d73eba05e8fe12aef750b53216

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
IMAGE_DLLCHARACTERISTICS_NX_COMPAT
IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_32BIT_MACHINE

Imports

kernel32

GetVersionExA
VirtualQuery
LocalAlloc
LocalFree
GetModuleFileNameW
GetProcessAffinityMask
SetProcessAffinityMask
SetThreadAffinityMask
Sleep
ExitProcess
FreeLibrary
LoadLibraryA
GetModuleHandleA
GetProcAddress

user32

GetDC
GetProcessWindowStation
GetProcessWindowStation
GetUserObjectInformationW

gdi32

DeleteObject

shlwapi

PathFindExtensionW

gdiplus

GdipSaveImageToFile

wininet

HttpEndRequestA

wtsapi32

WTSSendMessageW

Sections

.text
Size: 546KB - Virtual size: 545KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rdata
Size: 107KB - Virtual size: 107KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.data
Size: 7KB - Virtual size: 17KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.vmp0
Size: 3.3MB - Virtual size: 3.3MB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.vmp1
Size: 2.4MB - Virtual size: 2.4MB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.reloc
Size: 37KB - Virtual size: 36KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ