d00f682075f4218baaf728a91799f19e_JaffaCakes118

Sharing

Copy URL Twitter E-mail

General

Target

d00f682075f4218baaf728a91799f19e_JaffaCakes118
Size

217KB
MD5

d00f682075f4218baaf728a91799f19e
SHA1

68efd87466cbca11eb771812c0189a6907a4a72d
SHA256

47c66106c1e82e05f91d47184185bb91ae00124b0392d54561817150bcd58be0
SHA512

f5c7aaeb7a4808f3b9c91a19795dde4af794f0fd78adc9a72b1aa84f9c8964d539d110a59cf68e1936aa7c73e94c111a3ec8b1d29729204fb80e2e1f77fbe992
SSDEEP

6144:mjGTZexXT7V3zD51gdwL7dKbeO7hlzCXy:/Ze1T9f5EwL7dUlCy

Score

1^/10

Malware Config

Signatures

Files

d00f682075f4218baaf728a91799f19e_JaffaCakes118
.exe windows:4 windows x86 arch:x86

dc04e41ca16a4e5fba2faf62019e6201

Code Sign

38:25:d7:fa:f8:61:af:9e:f4:90:e7:26:b5:d6:5a:d5
Certificate

Issuer

CN=VeriSign Time Stamping Services CA,O=VeriSign\, Inc.,C=US

Not Before

15/06/2007, 00:00

Not After

14/06/2012, 23:59

Subject

CN=VeriSign Time Stamping Services Signer - G2,O=VeriSign\, Inc.,C=US

Extended Key Usages

ExtKeyUsageTimeStamping

Key Usages

KeyUsageDigitalSignature
KeyUsageContentCommitment

47:bf:19:95:df:8d:52:46:43:f7:db:6d:48:0d:31:a4
Certificate

Issuer

CN=Thawte Timestamping CA,OU=Thawte Certification,O=Thawte,L=Durbanville,ST=Western Cape,C=ZA

Not Before

04/12/2003, 00:00

Not After

03/12/2013, 23:59

Subject

CN=VeriSign Time Stamping Services CA,O=VeriSign\, Inc.,C=US

Extended Key Usages

ExtKeyUsageTimeStamping

Key Usages

KeyUsageCertSign
KeyUsageCRLSign

65:52:26:e1:b2:2e:18:e1:59:0f:29:85:ac:22:e7:5c
Certificate

Issuer

OU=Class 3 Public Primary Certification Authority,O=VeriSign\, Inc.,C=US

Not Before

21/05/2009, 00:00

Not After

20/05/2019, 23:59

Subject

CN=VeriSign Class 3 Code Signing 2009-2 CA,OU=VeriSign Trust Network+OU=Terms of use at https://www.verisign.com/rpa (c)09,O=VeriSign\, Inc.,C=US

Extended Key Usages

ExtKeyUsageClientAuth
ExtKeyUsageCodeSigning

Key Usages

KeyUsageCertSign
KeyUsageCRLSign

5a:1e:7e:8d:b4:43:bf:3d:03:fb:fe:ca:27:c3:97:89
Certificate

Issuer

CN=VeriSign Class 3 Code Signing 2009-2 CA,OU=VeriSign Trust Network+OU=Terms of use at https://www.verisign.com/rpa (c)09,O=VeriSign\, Inc.,C=US

Not Before

31/05/2010, 00:00

Not After

30/05/2012, 23:59

Subject

CN=TaoBao(china) Software Co.\, Ltd,OU=Digital ID Class 3 - Microsoft Software Validation v2,O=TaoBao(china) Software Co.\, Ltd,L=Hangzhou,ST=Zhejiang,C=CN

Extended Key Usages

ExtKeyUsageCodeSigning

Key Usages

KeyUsageDigitalSignature

a4:0b:35:ad:52:71:18:54:46:bd:83:c3:88:cd:5d:16:ed:c3:6f:cc
Signer

Actual PE Digest

a4:0b:35:ad:52:71:18:54:46:bd:83:c3:88:cd:5d:16:ed:c3:6f:cc

Digest Algorithm

sha1

PE Digest Matches

false

Headers

File Characteristics

IMAGE_FILE_RELOCS_STRIPPED
IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_32BIT_MACHINE

PDB Paths

E:\AliWWAutoPackage\Trunk\SourceCode\IMClient-RV\symbol\Release\AliIM.pdb

Imports

comctl32

InitCommonControlsEx

netapi32

Netbios

guibase

UIGlobalProperty

kernel32

GetFileSize
ReadFile
LockResource
lstrlenA
CloseHandle
FindResourceExW
Sleep
MultiByteToWideChar
EnterCriticalSection
LeaveCriticalSection
GetModuleHandleW
GetProcessHeap
DeleteFileW
GetSystemDefaultLangID
HeapFree
InterlockedCompareExchange
GetModuleFileNameW
lstrlenW
InitializeCriticalSection
lstrcmpiW
GetCurrentProcess
DeleteCriticalSection
InterlockedIncrement
InterlockedDecrement
FindFirstFileW
FindClose
CreateProcessW
WriteProfileStringW
GetExitCodeProcess
CreateFileW
GetCurrentThreadId
MoveFileExW
CopyFileW
FindNextFileW
QueryPerformanceCounter
IsDebuggerPresent
UnhandledExceptionFilter
TerminateProcess
GetStartupInfoW
SetCurrentDirectoryW
GetProcAddress
FreeLibrary
GetCurrentDirectoryW
LoadLibraryW
SizeofResource
GetProfileIntW
LoadResource
GetLastError
GetCurrentProcessId
FindResourceW
RaiseException
LoadLibraryExW
LocalFree
WaitForSingleObject
GetVersionExW
GetTickCount
HeapSize
HeapReAlloc
HeapAlloc
HeapDestroy
GetThreadLocale
GetLocaleInfoA
GetACP
InterlockedExchange
GetVersionExA
GetSystemTimeAsFileTime
SetUnhandledExceptionFilter

user32

MessageBoxW
UnregisterClassA
GetActiveWindow
CharNextW
FindWindowW

advapi32

RegQueryValueExW
RegEnumKeyExW
FreeSid
RegQueryInfoKeyW
RegSetValueExW
GetTokenInformation
OpenProcessToken
RegDeleteKeyW
RegCloseKey
AllocateAndInitializeSid
RegCreateKeyExW
RegDeleteValueW
RegOpenKeyExW
RegQueryValueW
EqualSid
RegOpenKeyW

shell32

SHCreateDirectoryExW
CommandLineToArgvW
ShellExecuteW

ole32

CoTaskMemRealloc
CoCreateInstance
OleRun
OleUninitialize
OleInitialize
CoTaskMemFree
CoTaskMemAlloc

oleaut32

SysAllocString
SysFreeString
SysStringByteLen
VariantClear
SysStringLen
SysAllocStringByteLen
VarUI4FromStr

atl80

ord64

shlwapi

SHDeleteKeyW
PathFileExistsW

gdiplus

GdiplusStartup
GdiplusShutdown

msvcp80

??Y?$basic_string@_WU?$char_traits@_W@std@@V?$allocator@_W@2@@std@@QAEAAV01@PB_W@Z
??A?$basic_string@_WU?$char_traits@_W@std@@V?$allocator@_W@2@@std@@QAEAA_WI@Z
?empty@?$basic_string@_WU?$char_traits@_W@std@@V?$allocator@_W@2@@std@@QBE_NXZ
??$?M_WU?$char_traits@_W@std@@V?$allocator@_W@1@@std@@YA_NABV?$basic_string@_WU?$char_traits@_W@std@@V?$allocator@_W@2@@0@0@Z
??$?H_WU?$char_traits@_W@std@@V?$allocator@_W@1@@std@@YA?AV?$basic_string@_WU?$char_traits@_W@std@@V?$allocator@_W@2@@0@ABV10@0@Z
??$?H_WU?$char_traits@_W@std@@V?$allocator@_W@1@@std@@YA?AV?$basic_string@_WU?$char_traits@_W@std@@V?$allocator@_W@2@@0@ABV10@PB_W@Z
??$?8_WU?$char_traits@_W@std@@V?$allocator@_W@1@@std@@YA_NABV?$basic_string@_WU?$char_traits@_W@std@@V?$allocator@_W@2@@0@PB_W@Z
??0?$basic_string@_WU?$char_traits@_W@std@@V?$allocator@_W@2@@std@@QAE@XZ
??0?$basic_string@_WU?$char_traits@_W@std@@V?$allocator@_W@2@@std@@QAE@PB_W@Z
??0?$basic_string@_WU?$char_traits@_W@std@@V?$allocator@_W@2@@std@@QAE@ABV01@@Z
??Y?$basic_string@_WU?$char_traits@_W@std@@V?$allocator@_W@2@@std@@QAEAAV01@ABV01@@Z
??1?$basic_string@_WU?$char_traits@_W@std@@V?$allocator@_W@2@@std@@QAE@XZ
??4?$basic_string@_WU?$char_traits@_W@std@@V?$allocator@_W@2@@std@@QAEAAV01@ABV01@@Z
??4?$basic_string@_WU?$char_traits@_W@std@@V?$allocator@_W@2@@std@@QAEAAV01@PB_W@Z
??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ
??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBD@Z
??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV01@@Z
??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ
??Y?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV01@PBD@Z
?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ
?length@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEIXZ

rvcore

EnableMsgBus
create_main_thread_window
GetRvCore

msvcr80

_configthreadlocale
_initterm_e
_initterm
_wcmdln
exit
_XcptFilter
_controlfp_s
_invoke_watson
_exit
_cexit
__wgetmainargs
_amsg_exit
?terminate@@YAXXZ
_decode_pointer
_onexit
_lock
?_type_info_dtor_internal_method@type_info@@QAEXXZ
_crt_debugger_hook
_except_handler4_common
__set_app_type
__p__fmode
__p__commode
_adjust_fdiv
??3@YAXPAX@Z
wcschr
wcsrchr
strlen
memmove_s
memset
??0exception@std@@QAE@ABQBD@Z
?what@exception@std@@UBEPBDXZ
??1exception@std@@UAE@XZ
_vscwprintf
??0exception@std@@QAE@XZ
vswprintf_s
memcmp
_invalid_parameter_noinfo
calloc
memcpy
_recalloc
sprintf_s
??0exception@std@@QAE@ABV01@@Z
_wputenv_s
malloc
free
??_V@YAXPAX@Z
wcsncat_s
_wsplitpath
??2@YAPAXI@Z
_wcsicmp
memcpy_s
wcslen
wcsstr
wcsncpy_s
_wcslwr
_ultow
wcscat
wcscpy
_wgetenv
wcscmp
_encode_pointer
__CxxFrameHandler3
_CxxThrowException
_unlock
__dllonexit
__setusermatherr

updateassist

IsServiceRunning
Update
CheckUpdate
RunService
Deploy
RegService
GetDefaultAppID

Sections

.text
Size: 128KB - Virtual size: 125KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.rdata
Size: 32KB - Virtual size: 28KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.data
Size: 4KB - Virtual size: 2KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.rsrc
Size: 44KB - Virtual size: 40KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

Sharing

General

Malware Config

Signatures

Files

dc04e41ca16a4e5fba2faf62019e6201

Code Sign

38:25:d7:fa:f8:61:af:9e:f4:90:e7:26:b5:d6:5a:d5Certificate

Extended Key Usages

Key Usages

47:bf:19:95:df:8d:52:46:43:f7:db:6d:48:0d:31:a4Certificate

Extended Key Usages

Key Usages

65:52:26:e1:b2:2e:18:e1:59:0f:29:85:ac:22:e7:5cCertificate

Extended Key Usages

Key Usages

5a:1e:7e:8d:b4:43:bf:3d:03:fb:fe:ca:27:c3:97:89Certificate

Extended Key Usages

Key Usages

a4:0b:35:ad:52:71:18:54:46:bd:83:c3:88:cd:5d:16:ed:c3:6f:ccSigner

Headers

File Characteristics

PDB Paths

Imports

comctl32

netapi32

guibase

kernel32

user32

advapi32

shell32

ole32

oleaut32

atl80

shlwapi

gdiplus

msvcp80

rvcore

msvcr80

updateassist

Sections

.text Size: 128KB - Virtual size: 125KB

.rdata Size: 32KB - Virtual size: 28KB

.data Size: 4KB - Virtual size: 2KB

.rsrc Size: 44KB - Virtual size: 40KB

38:25:d7:fa:f8:61:af:9e:f4:90:e7:26:b5:d6:5a:d5
Certificate

47:bf:19:95:df:8d:52:46:43:f7:db:6d:48:0d:31:a4
Certificate

65:52:26:e1:b2:2e:18:e1:59:0f:29:85:ac:22:e7:5c
Certificate

5a:1e:7e:8d:b4:43:bf:3d:03:fb:fe:ca:27:c3:97:89
Certificate

a4:0b:35:ad:52:71:18:54:46:bd:83:c3:88:cd:5d:16:ed:c3:6f:cc
Signer

.text
Size: 128KB - Virtual size: 125KB

.rdata
Size: 32KB - Virtual size: 28KB

.data
Size: 4KB - Virtual size: 2KB

.rsrc
Size: 44KB - Virtual size: 40KB