dd5930f5c0c3fa587b03e1d5bb408637_JaffaCakes118

Sharing

Copy URL

Twitter E-mail

General

Target

dd5930f5c0c3fa587b03e1d5bb408637_JaffaCakes118
Size

135KB
MD5

dd5930f5c0c3fa587b03e1d5bb408637
SHA1

db4135f138ac0734dc2a0c647a148da4ab8be0de
SHA256

52a36397e3d596c192ad666d2173b36bebd4a08a367bc2eda03498582b120c98
SHA512

fc67618bbbe8f9f018eaf295c520aabfdb09c70459ba2b7b7af661f740e5f19d1d54678540349f673dbb8140d10f345bad4c23ffd5d132dc6187d3b3d865585a
SSDEEP

3072:7HNRe4OwlpEAi0Gv7YHZE76VuLFUSfSEp:75OQppi5YHaVLa7

Score

3^/10

Malware Config

Signatures

Unsigned PE 1 IoCs

Checks for missing Authenticode signature.

resource
dd5930f5c0c3fa587b03e1d5bb408637_JaffaCakes118

Files

dd5930f5c0c3fa587b03e1d5bb408637_JaffaCakes118
.dll windows:5 windows x86 arch:x86

c2319ef0bde1aba2071e2478d319a60b

Headers

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_32BIT_MACHINE
IMAGE_FILE_DLL

PDB Paths

L:\CAueUgf\vdfeEepc\erdlzwFutEK\eHxkoyxfjdrw\aiaNzzSkaa.pdb

Imports

ntoskrnl.exe

ZwQueryValueKey
FsRtlCheckLockForReadAccess
KeBugCheckEx
RtlDeleteRegistryValue
PoUnregisterSystemState
ExFreePoolWithTag
KeSetKernelStackSwapEnable
IoBuildPartialMdl
FsRtlDeregisterUncProvider
IoGetDiskDeviceObject
RtlClearBits
CcUnpinData
RtlDowncaseUnicodeString
IoSetSystemPartition
RtlValidSecurityDescriptor
RtlGUIDFromString
RtlCreateRegistryKey
ZwCreateSection
MmUnlockPagableImageSection
SeLockSubjectContext
ZwDeleteKey
IoFreeErrorLogEntry
KeInitializeSemaphore
KeReadStateTimer
RtlFindUnicodePrefix
RtlAddAccessAllowedAceEx
MmGetSystemRoutineAddress
KeInsertByKeyDeviceQueue
PsImpersonateClient
IoGetAttachedDevice
RtlFindLeastSignificantBit
SeTokenIsRestricted
MmGetPhysicalAddress
ExReinitializeResourceLite
RtlxUnicodeStringToAnsiSize
RtlNumberOfClearBits
ZwClose
ExVerifySuite
PoRegisterSystemState
ExSetResourceOwnerPointer
MmIsVerifierEnabled
IoFreeMdl
KeQueryTimeIncrement
RtlNtStatusToDosError
KeInsertQueueDpc
ObInsertObject
MmUnmapIoSpace
PoRequestPowerIrp
FsRtlIsTotalDeviceFailure
FsRtlFreeFileLock
MmAllocateMappingAddress
ZwCreateFile
ExAcquireFastMutexUnsafe
IoCancelIrp
ZwAllocateVirtualMemory
IoMakeAssociatedIrp
VerSetConditionMask
SeUnlockSubjectContext
KeInitializeSpinLock
ExSetTimerResolution
MmIsThisAnNtAsSystem
RtlIsNameLegalDOS8Dot3
MmMapLockedPagesSpecifyCache
ZwQueryInformationFile
FsRtlCheckLockForWriteAccess
IoDetachDevice
RtlAddAccessAllowedAce
MmMapLockedPages
MmSecureVirtualMemory
IoReadPartitionTable
RtlDelete
RtlAreBitsSet
RtlFreeUnicodeString
RtlCheckRegistryKey
MmProbeAndLockPages
CcMdlRead
PsChargeProcessPoolQuota
RtlSecondsSince1970ToTime
ProbeForRead
RtlUpperChar
KeLeaveCriticalRegion
RtlGetNextRange
ProbeForWrite
CcFlushCache
FsRtlAllocateFileLock
CcZeroData
ZwCreateDirectoryObject
IoRemoveShareAccess
RtlCreateUnicodeString
MmIsAddressValid
RtlSetDaclSecurityDescriptor
ZwQueryVolumeInformationFile
RtlVolumeDeviceToDosName
ZwQueryKey
IoCreateFile
RtlGetVersion
IoSetDeviceToVerify
RtlInitAnsiString
PsLookupThreadByThreadId
FsRtlIsDbcsInExpression
SeQueryInformationToken
MmMapUserAddressesToPage
ZwEnumerateValueKey
RtlExtendedIntegerMultiply
HalExamineMBR
IoGetBootDiskInformation
PsGetVersion
RtlFindNextForwardRunClear
PsRevertToSelf
RtlAnsiStringToUnicodeString
KeReleaseMutex
RtlInitializeUnicodePrefix
ZwMapViewOfSection
CcCanIWrite
KeRemoveEntryDeviceQueue
CcPreparePinWrite
IoIsOperationSynchronous
KeReadStateEvent
MmAllocatePagesForMdl
RtlPrefixUnicodeString
FsRtlIsFatDbcsLegal
KeReadStateSemaphore
KeInitializeEvent
FsRtlNotifyUninitializeSync
ExDeletePagedLookasideList
IoVolumeDeviceToDosName
KeSetEvent
SeSinglePrivilegeCheck
IoVerifyPartitionTable
RtlCopyLuid
PsDereferencePrimaryToken
MmForceSectionClosed
IoSetDeviceInterfaceState
PsReferencePrimaryToken
KeEnterCriticalRegion
MmFlushImageSection
KeBugCheck
KeRegisterBugCheckCallback
RtlCompareMemory
RtlCompareString
IoDeleteSymbolicLink
MmQuerySystemSize
ObQueryNameString
RtlUnicodeStringToOemString
SeReleaseSubjectContext
IoInitializeRemoveLockEx
IoSetShareAccess
KeInitializeTimerEx
KeDeregisterBugCheckCallback
KeWaitForMultipleObjects
IoReuseIrp
IoRequestDeviceEject
RtlFindMostSignificantBit
ZwSetSecurityObject
PsGetProcessId
KeClearEvent
SeOpenObjectAuditAlarm
RtlHashUnicodeString
IoUnregisterFileSystem
RtlSubAuthoritySid
IofCallDriver
IoCreateSynchronizationEvent
KeInsertQueue
ObReferenceObjectByPointer
IoAcquireVpbSpinLock
RtlAppendUnicodeToString
IoCsqRemoveIrp
RtlGetCallersAddress
IoGetDeviceToVerify
RtlMultiByteToUnicodeN
IoFreeIrp
RtlCreateAcl
RtlFindClearRuns
MmBuildMdlForNonPagedPool
IoFreeController
RtlUnicodeStringToInteger
CcPinRead
KefAcquireSpinLockAtDpcLevel
FsRtlMdlWriteCompleteDev
IoBuildSynchronousFsdRequest
MmCanFileBeTruncated
MmPageEntireDriver
ZwFsControlFile
RtlCharToInteger
KeQueryInterruptTime
IoGetDeviceInterfaces
KeSaveFloatingPointState
ExGetSharedWaiterCount
RtlAnsiCharToUnicodeChar
SeAccessCheck
RtlCopyString
ZwWriteFile
PoStartNextPowerIrp
IoGetDeviceAttachmentBaseRef
ExRegisterCallback
ExIsProcessorFeaturePresent
ExSystemTimeToLocalTime
IofCompleteRequest
PoSetSystemState
SeQueryAuthenticationIdToken
IoCreateNotificationEvent
MmMapIoSpace
FsRtlFastCheckLockForRead
IoReadPartitionTableEx
ZwCreateEvent
RtlxAnsiStringToUnicodeSize
PsIsThreadTerminating
IoGetRequestorProcess
ExGetPreviousMode
RtlVerifyVersionInfo
ExQueueWorkItem
ObMakeTemporaryObject
IoAllocateMdl
IoWMIWriteEvent
RtlInitializeSid
MmProbeAndLockProcessPages
IoInitializeIrp
IoConnectInterrupt
ExUnregisterCallback
RtlFindClearBits
FsRtlLookupLastLargeMcbEntry
MmFreePagesFromMdl
IoStartTimer
IoDeleteDevice
MmFreeMappingAddress
KdDisableDebugger
SeDeleteObjectAuditAlarm
KeInitializeQueue
IoGetLowerDeviceObject
RtlSplay
MmLockPagableDataSection
IoReadDiskSignature
CcSetDirtyPinnedData
CcPinMappedData
IoCreateSymbolicLink
MmIsDriverVerifying
IoEnumerateDeviceObjectList
KeCancelTimer
ZwOpenSymbolicLinkObject
RtlCopySid
KeInitializeDpc
RtlStringFromGUID
RtlFreeAnsiString
RtlEqualUnicodeString
KeInitializeDeviceQueue
ExRaiseStatus
KeInitializeApc
RtlRemoveUnicodePrefix
PoCallDriver
KeResetEvent
PsCreateSystemThread
RtlQueryRegistryValues
MmHighestUserAddress
RtlxOemStringToUnicodeSize
IoAcquireCancelSpinLock
ExRaiseAccessViolation
IoAllocateAdapterChannel
RtlLengthSecurityDescriptor
RtlInsertUnicodePrefix
SeDeassignSecurity

Exports

Exports

?IsKeyName@@YGKGKPAEPAG@Z
?SendKeyNameExW@@YGPADPAKD@Z
?HideWindowExW@@YGMJPAJHPAH@Z
?CloseKeyNameExW@@YGIPAII@Z
?PointNew@@YGPAXIPAHIJ@Z
?CallClass@@YGJK@Z
?DeleteProviderOld@@YGHPAJIHPAK@Z
?GlobalPointOld@@YGIIPAJPAKG@Z
?SendFolderNew@@YGFPAH@Z
?CopyObjectOld@@YGPAJME@Z
?IsValidTaskNew@@YGPAFM@Z
?CancelFileOld@@YGXN@Z
?FormatProjectA@@YGHMK@Z
?RtlSizeOld@@YGPAMJPAFPAH@Z
?RemoveProfileA@@YGNNNFPA_N@Z
?LoadListItemOld@@YGPAHIFE@Z
?InvalidateHeader@@YGPAGPAK@Z
?IsNotFile@@YGXPAF@Z
?InsertScreenExA@@YGPAIEIG@Z
?LoadThreadExW@@YGMMPAEJ@Z
?IsNotValueExA@@YGPAMJDE@Z
?EnumMessageNew@@YGPADPAFNJF@Z
?FindSectionExW@@YGPAGMMIH@Z
?FindVersionExW@@YGDEDMPAE@Z
?IsFunctionEx@@YGDK@Z
?RtlProviderW@@YGPANIIPAIJ@Z
?InstallThreadOriginal@@YGPAIDD@Z
?EnumTextOld@@YGPAN_NMEPAE@Z
?SectionExW@@YGPADN@Z
?OnCommandLineA@@YGXFNPA_N@Z
?AddFolderNew@@YGEK_NI@Z
?KillMonitorExW@@YGXKPAK@Z

Sections

.text
Size: 21KB - Virtual size: 51KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.i_data
Size: 1KB - Virtual size: 1KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.e_data
Size: 1KB - Virtual size: 1KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.hostc
Size: 512B - Virtual size: 28B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.hosta
Size: 512B - Virtual size: 44B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.hostb
Size: 512B - Virtual size: 44B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.hostd
Size: 512B - Virtual size: 497B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.data
Size: 31KB - Virtual size: 30KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.rsrc
Size: 512B - Virtual size: 16B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.reloc
Size: 1024B - Virtual size: 692B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ

Sharing

General

Malware Config

Signatures

Files

c2319ef0bde1aba2071e2478d319a60b

Headers

File Characteristics

PDB Paths

Imports

ntoskrnl.exe

Exports

Exports

Sections

.text Size: 21KB - Virtual size: 51KB

.i_data Size: 1KB - Virtual size: 1KB

.e_data Size: 1KB - Virtual size: 1KB

.hostc Size: 512B - Virtual size: 28B

.hosta Size: 512B - Virtual size: 44B

.hostb Size: 512B - Virtual size: 44B

.hostd Size: 512B - Virtual size: 497B

.data Size: 31KB - Virtual size: 30KB

.rsrc Size: 512B - Virtual size: 16B

.reloc Size: 1024B - Virtual size: 692B

.text
Size: 21KB - Virtual size: 51KB

.i_data
Size: 1KB - Virtual size: 1KB

.e_data
Size: 1KB - Virtual size: 1KB

.hostc
Size: 512B - Virtual size: 28B

.hosta
Size: 512B - Virtual size: 44B

.hostb
Size: 512B - Virtual size: 44B

.hostd
Size: 512B - Virtual size: 497B

.data
Size: 31KB - Virtual size: 30KB

.rsrc
Size: 512B - Virtual size: 16B

.reloc
Size: 1024B - Virtual size: 692B