d475dacde359875ead2c0bf171b2fd77_JaffaCakes118

Sharing

Copy URL Twitter E-mail

General

Target

d475dacde359875ead2c0bf171b2fd77_JaffaCakes118
Size

119KB
MD5

d475dacde359875ead2c0bf171b2fd77
SHA1

d193c0b7370c58b00cfeddef4a864cb05fda375c
SHA256

3603885284dc9a67fe32a1f3f388a9979be23144ab41d0dbe953a2dee2d6c730
SHA512

18f378c9d1bc8b17c7da98fe8c81e1fc06477806c3584d4680cd819e7fd3e3a4b1bc2e2dc6e0d6042c9c2c5ca55a1a4e42d598f585e2c90a0b24a630d7c47410
SSDEEP

3072:0qsqB3PBjgTalaLZ/7C14RRMbwEfaQ+PMC5ZvZEf3i:0pmxg2lqZDCOawEfa3rnCf3

Score

3^/10

Malware Config

Signatures

Unsigned PE 1 IoCs

Checks for missing Authenticode signature.

resource
d475dacde359875ead2c0bf171b2fd77_JaffaCakes118

Files

d475dacde359875ead2c0bf171b2fd77_JaffaCakes118
.sys windows:6 windows x86 arch:x86

e7c7625140efb3802e298cc400c83c48

Headers

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_32BIT_MACHINE

PDB Paths

h:\programming\commerc\c++\bootkit_archiv\svn_bootkit\bootkit\kloader\Release\i386\kloader.pdb

Imports

ntoskrnl.exe

ZwOpenFile
KeDelayExecutionThread
RtlAnsiStringToUnicodeString
ProbeForWrite
ProbeForRead
ObfDereferenceObject
KeUnstackDetachProcess
ZwSetEvent
KeStackAttachProcess
KeClearEvent
KeWaitForMultipleObjects
ExEventObjectType
_except_handler3
PsGetCurrentThreadId
KeInsertQueueApc
KeInitializeApc
PsSetLoadImageNotifyRoutine
PsSetCreateProcessNotifyRoutine
ZwQueryDirectoryFile
ZwCreateFile
ZwSetInformationFile
ZwWriteFile
ZwReadFile
ZwDeleteFile
ZwQueryInformationFile
wcsrchr
PsLookupThreadByThreadId
ZwOpenThread
RtlInitAnsiString
strchr
ZwAllocateVirtualMemory
PsGetCurrentProcessId
IofCompleteRequest
KeQuerySystemTime
_aulldiv
_snwprintf
IoCreateDevice
RtlAppendUnicodeToString
IoCreateSymbolicLink
IoGetLowerDeviceObject
IoFileObjectType
ZwUnmapViewOfSection
MmMapLockedPagesSpecifyCache
KeSetEvent
IoFreeIrp
IoFreeMdl
MmUnlockPages
KeWaitForSingleObject
IofCallDriver
KeInitializeEvent
MmProbeAndLockPages
IoAllocateMdl
IoAllocateIrp
memmove
IoDeleteSymbolicLink
ExRegisterCallback
ExCreateCallback
IoDeleteDevice
ExUnregisterCallback
KeInitializeMutex
RtlTimeToTimeFields
RtlTimeFieldsToTime
KeReleaseMutex
_stricmp
ZwQuerySystemInformation
IoCreateDriver
RtlCompareMemory
ExInterlockedPopEntrySList
ExInterlockedPushEntrySList
ExInitializeNPagedLookasideList
ExDeleteNPagedLookasideList
RtlAppendUnicodeStringToString
RtlPrefixUnicodeString
MmMapLockedPages
strcmp
strlen
_alldiv
_allmul
ExAllocatePool
PsTerminateSystemThread
ExfInterlockedInsertHeadList
ExfInterlockedRemoveHeadList
PsGetVersion
ZwQueryValueKey
ZwOpenKey
MmSizeOfMdl
KeSetTimer
KeInitializeTimer
ZwCreateSection
ZwMapViewOfSection
RtlInitUnicodeString
ZwCreateEvent
PsCreateSystemThread
PsProcessType
ObReferenceObjectByHandle
memset
memcpy
ZwOpenProcess
ZwQueryInformationProcess
ExAllocatePoolWithTag
ExFreePoolWithTag
ZwClose
RtlEqualUnicodeString
RtlUnicodeStringToAnsiString
RtlFreeAnsiString
RtlUpperString
KeTickCount
ZwDeviceIoControlFile
KeResetEvent
_strnicmp
strstr
sprintf
strncat
KeGetCurrentThread

hal

KeRaiseIrqlToDpcLevel
KfReleaseSpinLock
KeGetCurrentIrql
KeQueryPerformanceCounter
KfLowerIrql
KfRaiseIrql
KfAcquireSpinLock

ndis.sys

NdisFreePacketPool
NdisUnchainBufferAtFront
NdisFreePacket
NdisMSleep
NdisAllocateBufferPool
NdisFreeMemory
NdisAllocateMemory
NdisInitializeEvent
NdisAllocatePacketPool
NdisFreeBufferPool
NdisAllocateBuffer
NdisAllocatePacket
NdisSetEvent
NdisMIndicateStatus
NdisWaitEvent

Sections

.text
Size: 105KB - Virtual size: 105KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rdata
Size: 2KB - Virtual size: 2KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.data
Size: 1KB - Virtual size: 4KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

INIT
Size: 4KB - Virtual size: 3KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.reloc
Size: 5KB - Virtual size: 4KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ

Sharing

General

Malware Config

Signatures

Files

e7c7625140efb3802e298cc400c83c48

Headers

File Characteristics

PDB Paths

Imports

ntoskrnl.exe

hal

ndis.sys

Sections

.text Size: 105KB - Virtual size: 105KB

.rdata Size: 2KB - Virtual size: 2KB

.data Size: 1KB - Virtual size: 4KB

INIT Size: 4KB - Virtual size: 3KB

.reloc Size: 5KB - Virtual size: 4KB

.text
Size: 105KB - Virtual size: 105KB

.rdata
Size: 2KB - Virtual size: 2KB

.data
Size: 1KB - Virtual size: 4KB

INIT
Size: 4KB - Virtual size: 3KB

.reloc
Size: 5KB - Virtual size: 4KB