Static task: static1
Behavioral task: behavioral1
  Sample: d390016b477d98db582c3003428e4ca3_JaffaCakes118.exe
  Resource: win7-20240704-en
Behavioral task: behavioral2
  Sample: d390016b477d98db582c3003428e4ca3_JaffaCakes118.exe
  Resource: win10v2004-20240802-en
General
- Target: d390016b477d98db582c3003428e4ca3_JaffaCakes118
- Size: 428KB
- MD5: d390016b477d98db582c3003428e4ca3
- SHA1: 90100ade9a56b3bb315f9d0e14b8a00b53241a4d
- SHA256: 046d1269c4ca9b24f5afb97637e19f339da45c0430abb01cc241e8305a23ee7f
- SHA512: 33dac1eb12e4abaaddd51f04bf171b33d18267fb58979606471ea8413767218d41d6365e5d45a5029a8ac9b401595ae708c7186e57fd4e31bc9ed27db07c70ce
- SSDEEP: 12288:Meru5x0G8RxkQWuHRpY5zpM93NISBf2yIPFz4Ztkdxte+:Mr5x4t4fievPYtkd
Malware Config
Signatures
- Unsigned PE (1 IoC)
  Checks for missing Authenticode signature.
  resource d390016b477d98db582c3003428e4ca3_JaffaCakes118
  Caveat: a missing embedded signature is a weak indicator on its own. Catalog-signed Windows binaries carry no embedded signature either, and plenty of legitimate software ships unsigned; read it as context for the other findings, not as a verdict.
Files
- d390016b477d98db582c3003428e4ca3_JaffaCakes118.exe (windows:5, windows, x86, arch:x86)
  47f1c2b2c4adbfe55308abf414679ffc
Headers
File Characteristics
IMAGE_FILE_RELOCS_STRIPPED
IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_32BIT_MACHINE
Imports
ntdll
RtlCreateEnvironment
RtlCreateUserThread
RtlpNtCreateKey
RtlTryEnterCriticalSection
NtReleaseSemaphore
ZwOpenSection
ZwPulseEvent
ZwQueryInformationJobObject
RtlReleaseResource
NtRequestPort
LdrQueryImageFileExecutionOptions
_allmul
ZwSetDefaultLocale
vDbgPrintExWithPrefix
RtlAppendUnicodeStringToString
NlsMbOemCodePageTag
RtlTimeToTimeFields
ZwReleaseKeyedEvent
NtOpenIoCompletion
RtlQueryHeapInformation
LdrGetDllHandle
RtlFindLeastSignificantBit
RtlFreeUnicodeString
RtlFindActivationContextSectionGuid
RtlCreateAndSetSD
ZwReleaseSemaphore
NtOpenSection
DbgPrintReturnControlC
ZwAreMappedFilesTheSame
RtlCopyUnicodeString
NtCreateFile
ZwSuspendProcess
RtlInitializeGenericTableAvl
RtlExtendedLargeIntegerDivide
RtlZeroMemory
ZwSetContextThread
RtlIsActivationContextActive
NtFlushWriteBuffer
msvcrt
_dup
_ismbbkprint
_getws
_ismbbpunct
_i64toa
_loaddll
_isatty
??1__non_rtti_object@@UAE@XZ
_pipe
fseek
__CxxDetectRethrow
_pwctype
__p__mbctype
_safe_fdivr
_wcstoui64
memcmp
_wcsrev
_setmbcp
islower
__p__amblksiz
_wsystem
_wchdir
strcmp
_wcsdup
strspn
isprint
_isctype
isxdigit
__wgetmainargs
_wgetdcwd
__fpecode
putwchar
freopen
_open_osfhandle
__unDName
_ismbbalpha
_mbscat
??1type_info@@UAE@XZ
_ismbcspace
atoi
vprintf
_wspawnvpe
isspace
kernel32
LocalAlloc
RemoveDirectoryW
GetCurrentThreadId
GetCurrentDirectoryW
GetProcessShutdownParameters
AddConsoleAliasW
CreateSocketHandle
GetModuleHandleW
CreateMutexA
CmdBatNotification
GetPrivateProfileStructW
GetConsoleTitleA
CopyFileExW
BackupRead
SetFileShortNameW
ScrollConsoleScreenBufferW
GetHandleInformation
CreateSemaphoreA
TransactNamedPipe
MapViewOfFileEx
VirtualUnlock
GetSystemTime
SetEvent
GetDiskFreeSpaceExW
VirtualQueryEx
GlobalFindAtomW
QueryActCtxW
VirtualAlloc
WriteFileGather
BuildCommDCBAndTimeoutsA
CreateFileA
GetConsoleCommandHistoryW
LoadLibraryA
EnumDateFormatsExA
OpenSemaphoreA
imagehlp
SymInitialize
SymGetSymPrev64
SymLoadModule64
SymUnloadModule
FindExecutableImageEx
MapFileAndCheckSumA
ImageEnumerateCertificates
SymFindFileInPath
StackWalk64
SymGetSymPrev
ImageGetCertificateData
ImageDirectoryEntryToData
ImageRvaToSection
FindFileInPath
SymEnumerateSymbols64
SymFunctionTableAccess64
GetImageUnusedHeaderBytes
StackWalk
SymGetLineFromName
SymGetTypeInfo
BindImage
UpdateDebugInfoFile
SymGetLineNext
EnumerateLoadedModules
SymGetSearchPath
ImageNtHeader
SetImageConfigInformation
SymRegisterCallback64
SymSetOptions
SymEnumerateModules64
SymMatchFileName
GetImageConfigInformation
SymGetSymNext64
SymSetSearchPath
GetTimestampForLoadedLibrary
advapi32
StartTraceA
ConvertSidToStringSidA
I_ScIsSecurityProcess
LogonUserW
CredEnumerateA
SetSecurityDescriptorDacl
PrivilegeCheck
CredGetTargetInfoW
GetMultipleTrusteeOperationW
ObjectPrivilegeAuditAlarmW
AreAllAccessesGranted
GetInheritanceSourceA
GetSecurityDescriptorControl
AddAuditAccessObjectAce
QueryServiceConfigA
LsaGetSystemAccessAccount
SystemFunction029
LsaQueryForestTrustInformation
EnumerateTraceGuids
GetTrusteeNameW
GetSidSubAuthorityCount
SystemFunction005
MD4Init
PrivilegedServiceAuditAlarmW
QueryServiceConfigW
ElfBackupEventLogFileA
SetSecurityDescriptorRMControl
GetInformationCodeAuthzPolicyW
GetFileSecurityA
AccessCheckByTypeResultListAndAuditAlarmByHandleW
LsaEnumerateTrustedDomains
SetAclInformation
SaferiRecordEventLogEntry
GetSidLengthRequired
ClearEventLogW
ifsutil
?EnableVolumeCompression@IFS_SYSTEM@@SGEPBVWSTRING@@@Z
?ReverseCopy@INTSTACK@@QAEEPAV1@@Z
?RemoveEdge@DIGRAPH@@QAEEKK@Z
?QueryDisjointRange@NUMBER_SET@@QBEXKPAVBIG_INT@@0@Z
?AddVolumeName@MOUNT_POINT_MAP@@QAEEPAVWSTRING@@0@Z
??0CANNED_SECURITY@@QAE@XZ
?QueryFileSystemName@IFS_SYSTEM@@SGEPBVWSTRING@@PAV2@PAJ1@Z
??0VOL_LIODPDRV@@IAE@XZ
?IsFileSystemEnabled@IFS_SYSTEM@@SGEPBVWSTRING@@PAE@Z
??0SUPERAREA@@IAE@XZ
?QueryCanonicalNtDriveName@IFS_SYSTEM@@SGEPBVWSTRING@@PAV2@@Z
??1MOUNT_POINT_MAP@@UAE@XZ
?DiskCopyMainLoop@@YGHPBVWSTRING@@000EPAVMESSAGE@@1@Z
?Push@INTSTACK@@QAEEVBIG_INT@@@Z
?CheckAndAdd@SPARSE_SET@@QAEEVBIG_INT@@PAE@Z
?QueryMediaByte@DP_DRIVE@@QBEEXZ
?Read@LOG_IO_DP_DRIVE@@QAEEVBIG_INT@@KPAX@Z
??0READ_CACHE@@QAE@XZ
?QueryNtfsSupportInfo@DP_DRIVE@@SGJPAXPAE@Z
?Remove@NUMBER_SET@@QAEEVBIG_INT@@0@Z
?Read@IO_DP_DRIVE@@QAEEVBIG_INT@@KPAX@Z
?QueryNumber@NUMBER_SET@@QBE?AVBIG_INT@@V2@@Z
?QueryPageSize@IFS_SYSTEM@@SGKXZ
?QueryDriveName@MOUNT_POINT_MAP@@QAEEPAVWSTRING@@0@Z
?DismountVolume@IFS_SYSTEM@@SGEPBVWSTRING@@@Z
??1VOL_LIODPDRV@@UAE@XZ
?GetCannedSecurity@IFS_SYSTEM@@SGPAVCANNED_SECURITY@@XZ
??0MOUNT_POINT_MAP@@QAE@XZ
?Initialize@DP_DRIVE@@QAEEPBVWSTRING@@0PAVMESSAGE@@EE@Z
?QueryParentsWithChildren@DIGRAPH@@QBEEPAVNUMBER_SET@@K@Z
?Initialize@SUPERAREA@@IAEEPAVMEM@@PAVLOG_IO_DP_DRIVE@@KPAVMESSAGE@@@Z
??1SUPERAREA@@UAE@XZ
?QueryRecommendedMediaType@DP_DRIVE@@QBE?AW4_MEDIA_TYPE@@XZ
user32
RegisterClassA
PostQuitMessage
DefWindowProcA
Sections
.text   Size: 59KB   Virtual size: 59KB    IMAGE_SCN_CNT_CODE | IMAGE_SCN_MEM_EXECUTE | IMAGE_SCN_MEM_READ
.rdata  Size: 44KB   Virtual size: 43KB    IMAGE_SCN_CNT_INITIALIZED_DATA | IMAGE_SCN_MEM_READ
.data   Size: 304KB  Virtual size: 724KB   IMAGE_SCN_CNT_INITIALIZED_DATA | IMAGE_SCN_MEM_READ | IMAGE_SCN_MEM_WRITE
.rsrc   Size: 19KB   Virtual size: 19KB    IMAGE_SCN_CNT_INITIALIZED_DATA | IMAGE_SCN_MEM_READ

Note: the virtual size of .data (724KB) is more than double its size on disk (304KB). The loader zero-fills the difference, so the image carries a large writable region in memory that holds nothing in the file; that is worth checking for runtime unpacking when the behavioral tasks are reviewed.
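The Unsigned PE signature, the File Characteristics under Headers and the raw-versus-virtual section sizes above are all read straight from the PE headers. The script below is an added example, not code from this report or from the sandbox that produced it. It parses the DOS, COFF, optional and section headers with the standard library only, lists the characteristics flags, flags sections whose virtual size exceeds their raw size, and implements the Authenticode presence check as "is the security data directory empty". The PE it inspects is constructed in memory to mirror the section layout listed above (sizes rounded to whole KB from the report; a dummy security-directory entry is used for the signed case); it is sample data, not the analysed file.

```python
"""PE header triage: file characteristics, section raw-vs-virtual sizes and the
Authenticode presence check behind an "Unsigned PE" verdict.
Added example, not code from the report or the sandbox; the PE is built in memory."""
import struct

FILE_CHARACTERISTICS = {
    0x0001: "IMAGE_FILE_RELOCS_STRIPPED",
    0x0002: "IMAGE_FILE_EXECUTABLE_IMAGE",
    0x0020: "IMAGE_FILE_LARGE_ADDRESS_AWARE",
    0x0100: "IMAGE_FILE_32BIT_MACHINE",
    0x2000: "IMAGE_FILE_DLL",
}
SECTION_CHARACTERISTICS = {
    0x00000020: "IMAGE_SCN_CNT_CODE",
    0x00000040: "IMAGE_SCN_CNT_INITIALIZED_DATA",
    0x00000080: "IMAGE_SCN_CNT_UNINITIALIZED_DATA",
    0x20000000: "IMAGE_SCN_MEM_EXECUTE",
    0x40000000: "IMAGE_SCN_MEM_READ",
    0x80000000: "IMAGE_SCN_MEM_WRITE",
}
IMAGE_DIRECTORY_ENTRY_SECURITY = 4  # data directory slot for the WIN_CERTIFICATE table


def flag_names(value, table):
    return [name for bit, name in sorted(table.items()) if value & bit]


def parse_pe(data):
    """Walk DOS header -> PE signature -> COFF header -> optional header -> section table."""
    if data[:2] != b"MZ":
        raise ValueError("missing MZ signature")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4
    machine, nsect, _, _, _, opt_size, chars = struct.unpack_from("<HHIIIHH", data, coff)
    opt = coff + 20
    magic = struct.unpack_from("<H", data, opt)[0]
    dd_off = opt + (96 if magic == 0x10B else 112)      # PE32 vs PE32+ directory offset
    ndirs = struct.unpack_from("<I", data, dd_off - 4)[0]  # NumberOfRvaAndSizes
    dirs = [struct.unpack_from("<II", data, dd_off + 8 * i) for i in range(ndirs)]
    sections = []
    for i in range(nsect):
        f = struct.unpack_from("<8sIIIIIIHHI", data, opt + opt_size + 40 * i)
        sections.append({"name": f[0].rstrip(b"\0").decode(), "virtual_size": f[1],
                         "raw_size": f[3], "flags": flag_names(f[9], SECTION_CHARACTERISTICS)})
    return {"machine": machine, "file_flags": flag_names(chars, FILE_CHARACTERISTICS),
            "directories": dirs, "sections": sections}


def has_embedded_authenticode(pe):
    """The security directory holds the file offset and size of an embedded signature.
    Caveat: catalog-signed binaries have an empty entry too, and presence is not validity;
    a real pipeline still verifies the chain (WinVerifyTrust, signtool or osslsigncode)."""
    if len(pe["directories"]) <= IMAGE_DIRECTORY_ENTRY_SECURITY:
        return False
    offset, size = pe["directories"][IMAGE_DIRECTORY_ENTRY_SECURITY]
    return offset != 0 and size != 0


def zero_filled_sections(pe):
    """Sections whose VirtualSize exceeds SizeOfRawData; the loader zero-fills the tail,
    which is where unpackers commonly reserve their output buffer."""
    return [s["name"] for s in pe["sections"] if s["virtual_size"] > s["raw_size"]]


def triage(data):
    pe = parse_pe(data)
    return {"file_flags": pe["file_flags"], "signed": has_embedded_authenticode(pe),
            "zero_filled": zero_filled_sections(pe), "sections": pe["sections"]}


def build_sample_pe(sections, security_dir=(0, 0)):
    """Constructed PE32 headers (no section bodies) with the report's flags and layout."""
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 0x40)            # e_lfanew = 0x40
    chars = 0x0001 | 0x0002 | 0x0100                                # the three flags in the report
    coff = struct.pack("<HHIIIHH", 0x14C, len(sections), 0, 0, 0, 224, chars)
    opt = struct.pack("<H", 0x10B) + b"\0" * 90 + struct.pack("<I", 16)  # 96-byte PE32 prefix
    dirs = [(0, 0)] * 16
    dirs[IMAGE_DIRECTORY_ENTRY_SECURITY] = security_dir
    opt += b"".join(struct.pack("<II", *d) for d in dirs)
    table = b"".join(struct.pack("<8sIIIIIIHHI", n.encode(), vs, 0x1000, rs, 0x400, 0, 0, 0, 0, fl)
                     for n, vs, rs, fl in sections)
    return dos + b"PE\0\0" + coff + opt + table


# (name, VirtualSize, SizeOfRawData, Characteristics); sizes rounded to whole KB from the report
SAMPLE_SECTIONS = [
    (".text",  59 * 1024,  59 * 1024,  0x60000020),   # CODE | EXECUTE | READ
    (".rdata", 43 * 1024,  44 * 1024,  0x40000040),   # INITIALIZED_DATA | READ
    (".data",  724 * 1024, 304 * 1024, 0xC0000040),   # INITIALIZED_DATA | READ | WRITE
    (".rsrc",  19 * 1024,  19 * 1024,  0x40000040),   # INITIALIZED_DATA | READ
]

if __name__ == "__main__":
    result = triage(build_sample_pe(SAMPLE_SECTIONS))
    print("file flags:", ", ".join(result["file_flags"]))
    print("embedded Authenticode:", result["signed"])
    print("sections with zero-filled tail:", result["zero_filled"])
```

Run it as-is to see the unsigned verdict and .data reported as the only section with a zero-filled tail; pass `security_dir=(offset, size)` with non-zero values to `build_sample_pe` to see how an embedded signature flips the check. On a real file, feed `open(path, "rb").read()` to `triage` and follow a positive result with a proper chain verification, since the directory check only proves a signature blob exists.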