mimikatz | d7b5f5334abdea9419cb69a1ff5a194b_JaffaCakes118

Sharing

Copy URL

Twitter E-mail

General

Target

d7b5f5334abdea9419cb69a1ff5a194b_JaffaCakes118
Size

1.1MB
MD5

d7b5f5334abdea9419cb69a1ff5a194b
SHA1

fd3f30a88ca26f8f591588c01349a93f0e74c63a
SHA256

2a70cb46fb85f4da4414f0c6211fb8d3ab047a7f4ed35638d7b376ef30eb9c45
SHA512

82bc1e3089e4f26395b84fe79177c066fafab308d02ee1c34a107d4762533b77715010cad42247ab1be62712196740f8e9c0697daeab9cba4a03bdcb399d75d9
SSDEEP

12288:kCg1g4Gk+wq91vw4viqm5nUXhvYZ4CqkEl+I0rgZ33hfzszUndVnKqcqqTwV:kTgUik4viqOUXhgLqp+I0sZBbckfnp

Score

10^/10

mimikatz

Malware Config

Signatures

Mimikatz family
mimikatz

mimikatz is an open source tool to dump credentials on Windows 1 IoCs

resource	yara_rule
sample	mimikatz

Unsigned PE 1 IoCs

Checks for missing Authenticode signature.

resource
d7b5f5334abdea9419cb69a1ff5a194b_JaffaCakes118

Files

d7b5f5334abdea9419cb69a1ff5a194b_JaffaCakes118
.dll windows:5 windows x64 arch:x64

6b56153664d829f70fd040a23ed75713

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_HIGH_ENTROPY_VA
IMAGE_DLLCHARACTERISTICS_NX_COMPAT

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LARGE_ADDRESS_AWARE
IMAGE_FILE_DLL

Imports

version

VerQueryValueW
GetFileVersionInfoW
GetFileVersionInfoSizeW

ncrypt

BCryptDecrypt
BCryptEncrypt
BCryptGenerateSymmetricKey
BCryptSetProperty
BCryptGetProperty
NCryptExportKey
NCryptImportKey
NCryptSetProperty
NCryptGetProperty
NCryptOpenKey
NCryptFreeBuffer
NCryptEnumKeys
BCryptEnumRegisteredProviders
NCryptOpenStorageProvider
BCryptFreeBuffer
BCryptDestroyKey
BCryptImportKeyPair
BCryptExportKey
BCryptCloseAlgorithmProvider
BCryptOpenAlgorithmProvider
NCryptFreeObject

fltlib

FilterFindNext
FilterFindFirst

cabinet

ord14
ord13
ord11
ord10

userenv

DestroyEnvironmentBlock
CreateEnvironmentBlock

winscard

SCardListCardsW
SCardControl
SCardGetAttrib
SCardConnectW
SCardFreeMemory
SCardGetCardTypeProviderNameW
SCardEstablishContext
SCardReleaseContext
SCardListReadersW
SCardTransmit
SCardDisconnect

advapi32

CryptGetKeyParam
QueryServiceObjectSecurity
OpenServiceW
OpenSCManagerW
DeleteService
CreateServiceW
ControlService
CloseServiceHandle
FreeSid
AllocateAndInitializeSid
RegSetValueExW
RegQueryInfoKeyW
RegEnumValueW
RegEnumKeyExW
CreateProcessWithLogonW
CreateWellKnownSid
CopySid
CryptDuplicateKey
CryptEncrypt
CryptSetHashParam
CryptAcquireContextA
CredIsMarshaledCredentialW
CredUnmarshalCredentialW
SystemFunction025
SystemFunction024
ConvertStringSecurityDescriptorToSecurityDescriptorW
CredFree
CredEnumerateW
RegQueryValueExW
RegOpenKeyExW
RegCloseKey
LookupPrivilegeNameW
OpenThreadToken
StartServiceCtrlDispatcherW
SetServiceStatus
RegisterServiceCtrlHandlerW
CreateProcessAsUserW
OpenProcessToken
LookupPrivilegeValueW
LsaQuerySecret
LsaOpenSecret
CheckTokenMembership
LookupAccountNameW
LookupAccountSidW
IsTextUnicode
BuildSecurityDescriptorW
StartServiceW
SetServiceObjectSecurity
CryptAcquireContextW
CryptReleaseContext
CryptGenKey
CryptDestroyKey
CryptSetKeyParam
CryptSetProvParam
CryptGetProvParam
CryptEnumProvidersW
ConvertSidToStringSidW
ConvertStringSidToSidW
LsaFreeMemory
IsValidSid
GetSidSubAuthority
GetSidSubAuthorityCount
CryptDecrypt
SetThreadToken
GetTokenInformation
DuplicateTokenEx
QueryServiceStatusEx
CryptGetUserKey
CryptExportKey
CryptImportKey
CryptEnumProviderTypesW
SystemFunction006
SystemFunction007
ClearEventLogW
GetNumberOfEventLogRecords
OpenEventLogW
GetLengthSid
CryptDeriveKey
CryptGetHashParam
CryptCreateHash
CryptHashData
CryptDestroyHash
CryptSignHashW
LsaClose
LsaOpenPolicy
LsaQueryInformationPolicy
LsaQueryTrustedDomainInfoByName
LsaEnumerateTrustedDomainsEx
LsaRetrievePrivateData
SystemFunction001
SystemFunction005
SystemFunction013
SystemFunction032
A_SHAUpdate
A_SHAFinal
A_SHAInit

crypt32

CryptEncodeObject
CertOpenStore
CertCloseStore
CertFindCertificateInStore
CertFreeCertificateContext
CertGetCertificateContextProperty
CryptSignAndEncodeCertificate
CryptStringToBinaryW
CryptUnprotectData
PFXExportCertStoreEx
CertAddEncodedCertificateToStore
CertSetCertificateContextProperty
CertGetNameStringW
CertEnumSystemStore
CryptExportPublicKeyInfo
CryptAcquireCertificatePrivateKey
CertNameToStrW
CertAddCertificateContextToStore
CryptBinaryToStringW
CertEnumCertificatesInStore
CryptProtectData

cryptdll

CDGenerateRandomBits
MD5Final
MD5Update
MD5Init
CDLocateCheckSum
CDLocateCSystem

dnsapi

DnsQuery_A
DnsFree

netapi32

NetRemoteTOD
DsEnumerateDomainTrustsW
NetApiBufferFree
NetSessionEnum
NetWkstaUserEnum
NetShareEnum
NetStatisticsGet
DsGetDcNameW
NetServerGetInfo
I_NetServerTrustPasswordsGet
I_NetServerAuthenticate2
I_NetServerReqChallenge

ole32

CoCreateInstance
CoUninitialize
CoInitializeEx

oleaut32

SysFreeString
SysAllocString
VariantInit

rpcrt4

MesEncodeIncrementalHandleCreate
RpcBindingFree
RpcBindingToStringBindingW
RpcBindingVectorFree
RpcStringFreeW
RpcServerInqBindings
RpcServerListen
RpcServerRegisterIf2
RpcServerUnregisterIfEx
RpcServerUseProtseqEpW
RpcMgmtStopServerListening
RpcEpResolveBinding
RpcServerRegisterAuthInfoW
RpcEpRegisterW
RpcEpUnregister
RpcMgmtEpEltInqBegin
RpcMgmtEpEltInqDone
RpcMgmtEpEltInqNextW
UuidCreate
I_RpcGetCurrentCallHandle
I_RpcBindingInqSecurityContext
RpcBindingSetOption
RpcBindingFromStringBindingW
RpcStringBindingComposeW
RpcImpersonateClient
RpcRevertToSelf
RpcBindingInqAuthClientW
NdrMesTypeFree2
RpcMgmtWaitServerListen
UuidToStringW
NdrServerCall2
NdrClientCall2
NdrMesTypeEncode2
NdrMesTypeAlignSize2
MesHandleFree
MesIncrementalHandleReset
MesDecodeIncrementalHandleCreate
RpcBindingSetAuthInfoExW
NdrMesTypeDecode2

shlwapi

PathCombineW
PathIsDirectoryW
PathFindFileNameW
PathCanonicalizeW
PathIsRelativeW

samlib

SamLookupNamesInDomain
SamEnumerateUsersInDomain
SamiChangePasswordUser
SamSetInformationUser
SamQueryInformationUser
SamOpenUser
SamOpenDomain
SamLookupDomainInSamServer
SamEnumerateDomainsInSamServer
SamConnect
SamCloseHandle
SamFreeMemory
SamOpenGroup
SamOpenAlias
SamGetGroupsForUser
SamGetAliasMembership
SamGetMembersInGroup
SamGetMembersInAlias
SamEnumerateGroupsInDomain
SamEnumerateAliasesInDomain
SamRidToSid
SamLookupIdsInDomain

secur32

InitializeSecurityContextW
DeleteSecurityContext
FreeContextBuffer
EnumerateSecurityPackagesW
QueryContextAttributesW
FreeCredentialsHandle
AcquireCredentialsHandleW
LsaFreeReturnBuffer
LsaCallAuthenticationPackage
LsaConnectUntrusted
LsaDeregisterLogonProcess
LsaLookupAuthenticationPackage

shell32

CommandLineToArgvW

user32

PostMessageW
DefWindowProcW
UnregisterClassW
SendMessageW
CreateWindowExW
DestroyWindow
OpenClipboard
CloseClipboard
GetClipboardSequenceNumber
SetClipboardViewer
ChangeClipboardChain
GetClipboardData
EnumClipboardFormats
GetUserObjectInformationW
IsCharAlphaNumericW
DispatchMessageW
GetMessageW
GetKeyboardLayout
RegisterClassExW
TranslateMessage

hid

HidD_GetHidGuid
HidP_GetCaps
HidD_GetAttributes
HidD_GetPreparsedData
HidD_FreePreparsedData
HidD_SetFeature
HidD_GetFeature

setupapi

SetupDiGetClassDevsW
SetupDiEnumDeviceInterfaces
SetupDiGetDeviceInterfaceDetailW
SetupDiDestroyDeviceInfoList

wldap32

ord79
ord54
ord301
ord304
ord309
ord310
ord13
ord208
ord41
ord26
ord27
ord36
ord127
ord167
ord142
ord14
ord133
ord147
ord157
ord145
ord88
ord12
ord73
ord203
ord69
ord113
ord140
ord139
ord97
ord96
ord77
ord224
ord223
ord122

ntdll

NtCompareTokens
RtlCreateUserThread
RtlGetCurrentPeb
NtQueryInformationProcess
RtlDecompressBuffer
RtlCompressBuffer
RtlGetCompressionWorkSpaceSize
RtlDowncaseUnicodeString
RtlFreeAnsiString
RtlUnicodeStringToAnsiString
NtQuerySystemInformation
NtQueryObject
RtlIpv6AddressToStringW
RtlIpv4AddressToStringW
NtEnumerateSystemEnvironmentValuesEx
NtSetSystemEnvironmentValueEx
NtQuerySystemEnvironmentValueEx
NtTerminateProcess
NtSuspendProcess
RtlAdjustPrivilege
NtResumeProcess
RtlStringFromGUID
RtlFreeUnicodeString
RtlFreeOemString
RtlUpcaseUnicodeStringToOemString
RtlEqualUnicodeString
RtlGetNtVersionNumbers
RtlEqualString
RtlGUIDFromString
RtlInitUnicodeString
RtlUpcaseUnicodeString
RtlAppendUnicodeStringToString
RtlAnsiStringToUnicodeString

msasn1

ASN1_CreateModule
ASN1BERDotVal2Eoid
ASN1_CloseModule
ASN1_CreateEncoder
ASN1BEREoid2DotVal
ASN1_CreateDecoder
ASN1_CloseDecoder
ASN1_FreeEncoded
ASN1_CloseEncoder
ASN1Free

winsta

WinStationConnectW
WinStationFreeMemory
WinStationEnumerateW
WinStationQueryInformationW
WinStationOpenServerW
WinStationCloseServer

kernel32

GetCurrentThreadId
IsDebuggerPresent
IsProcessorFeaturePresent
IsValidCodePage
GetACP
GetOEMCP
GetCPInfo
GetModuleFileNameW
GetStringTypeW
RtlCaptureContext
RtlLookupFunctionEntry
RtlVirtualUnwind
UnhandledExceptionFilter
SetUnhandledExceptionFilter
InitializeCriticalSectionAndSpinCount
TerminateProcess
TlsAlloc
TlsGetValue
TlsSetValue
TlsFree
GetStartupInfoW
LoadLibraryExW
GetConsoleCP
GetConsoleMode
GetFileType
GetModuleFileNameA
GetEnvironmentStringsW
FreeEnvironmentStringsW
GetCommandLineA
GetModuleHandleExW
ExitProcess
DecodePointer
EncodePointer
RtlUnwindEx
CreateEventW
SetEvent
DeleteCriticalSection
LeaveCriticalSection
EnterCriticalSection
InitializeCriticalSection
CreateProcessW
CreatePipe
SetHandleInformation
ReadFile
TryEnterCriticalSection
GetFullPathNameW
GetFullPathNameA
HeapReAlloc
WaitForSingleObject
SystemTimeToFileTime
SetConsoleCtrlHandler
GetModuleHandleW
GlobalSize
SetLastError
Sleep
CreateThread
CreateFileW
LoadLibraryW
lstrlenA
GetProcAddress
FreeLibrary
GetSystemTimeAsFileTime
GetLastError
CloseHandle
GetCurrentProcessId
OpenProcess
AllocConsole
lstrlenW
RaiseException
LocalFree
LocalAlloc
GetTimeZoneInformation
GetSystemDirectoryW
SetCurrentDirectoryW
FillConsoleOutputCharacterW
GetConsoleScreenBufferInfo
SetConsoleCursorPosition
GetCurrentProcess
GetCurrentThread
GetStdHandle
ProcessIdToSessionId
GetComputerNameW
GetProcessId
FileTimeToSystemTime
TerminateThread
WriteFile
GetFileInformationByHandle
SetFilePointer
FileTimeToLocalFileTime
FileTimeToDosDateTime
GetTempPathA
GetTempFileNameA
GetCurrentDirectoryA
CreateFileA
DeleteFileA
GetFileSizeEx
FlushFileBuffers
FindClose
ExpandEnvironmentStringsW
GetCurrentDirectoryW
GetFileAttributesW
FindFirstFileW
FindNextFileW
DuplicateHandle
DeviceIoControl
VirtualAlloc
VirtualFree
VirtualProtect
VirtualQuery
VirtualAllocEx
VirtualFreeEx
VirtualProtectEx
VirtualQueryEx
ReadProcessMemory
WriteProcessMemory
MapViewOfFile
UnmapViewOfFile
CreateFileMappingW
GetComputerNameExW
ConnectNamedPipe
DisconnectNamedPipe
SetNamedPipeHandleState
GetNamedPipeInfo
CreateNamedPipeW
WaitNamedPipeW
CreateRemoteThread
ClearCommError
PurgeComm
WideCharToMultiByte
GetTimeFormatW
GetDateFormatW
AreFileApisANSI
GetSystemTime
DeleteFileW
GetVersionExA
OutputDebugStringA
GetFileAttributesExW
GetSystemInfo
GetDiskFreeSpaceA
CreateFileMappingA
GetDiskFreeSpaceW
LockFileEx
HeapSize
GetTempPathW
MultiByteToWideChar
HeapValidate
HeapCreate
GetFileAttributesA
HeapDestroy
GetVersionExW
FormatMessageW
FormatMessageA
GetProcessHeap
UnlockFileEx
GetTickCount
OutputDebugStringW
WaitForSingleObjectEx
CompareStringW
LCMapStringW
SetFilePointerEx
SetStdHandle
WriteConsoleW
ReadConsoleW
SetEnvironmentVariableA
LockFile
FlushViewOfFile
UnlockFile
HeapFree
QueryPerformanceCounter
GetFileSize
CreateMutexW
HeapCompact
SetEndOfFile
HeapAlloc

Exports

Exports

DeinitServerExtension
GetExtensionName
InitServerExtension
ReflectiveLoader
powershell_reflective_mimikatz

Sections

.text
Size: 680KB - Virtual size: 680KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rdata
Size: 361KB - Virtual size: 361KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.data
Size: 30KB - Virtual size: 42KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.pdata
Size: 29KB - Virtual size: 28KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.reloc
Size: 6KB - Virtual size: 6KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ

Sharing

General

Malware Config

Signatures

Files

6b56153664d829f70fd040a23ed75713

Headers

DLL Characteristics

File Characteristics

Imports

version

ncrypt

fltlib

cabinet

userenv

winscard

advapi32

crypt32

cryptdll

dnsapi

netapi32

ole32

oleaut32

rpcrt4

shlwapi

samlib

secur32

shell32

user32

hid

setupapi

wldap32

ntdll

msasn1

winsta

kernel32

Exports

Exports

Sections

.text Size: 680KB - Virtual size: 680KB

.rdata Size: 361KB - Virtual size: 361KB

.data Size: 30KB - Virtual size: 42KB

.pdata Size: 29KB - Virtual size: 28KB

.reloc Size: 6KB - Virtual size: 6KB

.text
Size: 680KB - Virtual size: 680KB

.rdata
Size: 361KB - Virtual size: 361KB

.data
Size: 30KB - Virtual size: 42KB

.pdata
Size: 29KB - Virtual size: 28KB

.reloc
Size: 6KB - Virtual size: 6KB