gootkit | ee6a0423ca9a7940c286a470d2db0a43_JaffaCakes118

Sharing

Copy URL

Twitter E-mail

General

Target

ee6a0423ca9a7940c286a470d2db0a43_JaffaCakes118
Size

120KB
MD5

ee6a0423ca9a7940c286a470d2db0a43
SHA1

5e9e110597d77b2e40e9e4b8a253eb5fb20a085d
SHA256

14d150a2ea315ad6ebe5b0f6cf2093d474636c3ed7af97f5f322f56194077bf9
SHA512

b71979e80ba0efc858712e2b5cf17568b5b57d7a6dc34435eedb344eaee1194fb01e7647fe6679c4c7e4c45096c3d3a3c19ba9476ecfd7fa5b93e522dab9b1ca
SSDEEP

3072:Z9mQrWSB/WM+dCB+IF1G6sT11I0E9TAUQ+iU2r2:Z9USBOMNBNF1cxy0E9TAUQ+iU2r2

Score

10^/10

308 gootkit

Malware Config

Extracted

Family

gootkit

Botnet

308

waabitii.com

buyyou.org

pep.hheadz4life.com

trktrk.org

fields.mobi

Attributes

vendor_id
308

Signatures

Gootkit family
gootkit

Unsigned PE 1 IoCs

Checks for missing Authenticode signature.

resource
ee6a0423ca9a7940c286a470d2db0a43_JaffaCakes118

Files

ee6a0423ca9a7940c286a470d2db0a43_JaffaCakes118
.exe windows:5 windows x86 arch:x86

cec901dd4cece3a5835f751a49aba900

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
IMAGE_DLLCHARACTERISTICS_NX_COMPAT
IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE

File Characteristics

IMAGE_FILE_RELOCS_STRIPPED
IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LINE_NUMS_STRIPPED
IMAGE_FILE_LOCAL_SYMS_STRIPPED
IMAGE_FILE_AGGRESIVE_WS_TRIM
IMAGE_FILE_32BIT_MACHINE
IMAGE_FILE_DEBUG_STRIPPED

Imports

shlwapi

StrCpyW
StrCmpIW
StrCpyNW
StrCmpW
StrStrIW
StrRChrW
StrDupW
PathMatchSpecW
StrStrA
StrCatW
PathFindFileNameW

psapi

GetProcessImageFileNameA

userenv

CreateEnvironmentBlock
DestroyEnvironmentBlock
GetProfilesDirectoryW

ws2_32

WSAStartup
socket
inet_addr
closesocket
gethostbyname
bind
ntohs

winhttp

WinHttpReceiveResponse
WinHttpSendRequest
WinHttpSetTimeouts
WinHttpAddRequestHeaders
WinHttpQueryHeaders
WinHttpSetOption
WinHttpOpenRequest
WinHttpConnect
WinHttpQueryDataAvailable
WinHttpOpen
WinHttpCloseHandle
WinHttpGetIEProxyConfigForCurrentUser
WinHttpGetProxyForUrl
WinHttpCrackUrl
WinHttpReadData

kernel32

GetFileAttributesW
lstrcmpW
VirtualProtect
GetExitCodeProcess
FindClose
MapViewOfFile
CreateFileMappingW
OpenMutexW
CreateMutexW
SetErrorMode
GetCommandLineW
GetModuleHandleExA
GetModuleFileNameA
GetFileTime
GetSystemTime
SystemTimeToFileTime
GetFileSize
DeleteFileW
LocalAlloc
SetEndOfFile
SetFileTime
RemoveDirectoryW
WriteFile
CreateEventA
GlobalMemoryStatusEx
SetEnvironmentVariableA
GetSystemInfo
TerminateThread
GetSystemDirectoryW
GetEnvironmentVariableA
HeapFree
GetCurrentProcess
lstrlenW
lstrlenA
GetModuleHandleA
GetVersion
GetLastError
CloseHandle
HeapAlloc
GetProcAddress
GetComputerNameW
GetCurrentProcessId
GetProcessHeap
GetModuleHandleW
WideCharToMultiByte
lstrcpyW
GetTickCount
GetComputerNameA
lstrcmpA
Sleep
LoadLibraryA
WriteProcessMemory
SetLastError
ExpandEnvironmentStringsW
TerminateProcess
WaitForSingleObject
ResumeThread
GetExitCodeThread
lstrcatW
GetThreadContext
ReadProcessMemory
CreateProcessW
CreateRemoteThread
IsBadReadPtr
GetShortPathNameW
CreateFileW
VirtualFree
VirtualAlloc
lstrcpyA
HeapReAlloc
GlobalFree
GlobalAlloc
LocalFree
OpenProcess
MultiByteToWideChar
GetLogicalDrives
WaitForMultipleObjects
DeleteAtom
GetCurrentThreadId
IsSystemResumeAutomatic
ExitThread
GetCommandLineA
ProcessIdToSessionId
CreateThread
FindAtomW
FindNextFileW
ReadFile
GetModuleFileNameW
SetFilePointer
lstrcmpiA
ExitProcess
SetEvent
FindFirstFileW
SetEnvironmentVariableW

user32

CreatePopupMenu
ExitWindowsEx
GetCapture
ReleaseCapture
GetClipboardOwner
wsprintfA
GetActiveWindow
CountClipboardFormats
GetProcessWindowStation
GetMessagePos
GetDesktopWindow
wsprintfW
GetClipboardViewer
GetInputState
GetShellWindow
CreateMenu
GetCaretBlinkTime
GetClipboardSequenceNumber
DestroyCaret
GetForegroundWindow
GetKBCodePage
GetDoubleClickTime
CloseClipboard
GetMenuCheckMarkDimensions
GetCursor
GetOpenClipboardWindow
GetFocus
GetMessageExtraInfo
GetMessageTime
GetDialogBaseUnits

advapi32

LookupPrivilegeValueA
RegOpenKeyExA
CheckTokenMembership
FreeSid
OpenProcessToken
SetSecurityDescriptorDacl
SetFileSecurityW
SetEntriesInAclW
InitializeSecurityDescriptor
GetUserNameW
RegOpenKeyW
ConvertStringSecurityDescriptorToSecurityDescriptorA
RegOpenKeyA
SetTokenInformation
CreateProcessAsUserW
GetLengthSid
DuplicateTokenEx
LookupAccountSidW
AdjustTokenPrivileges
RevertToSelf
GetTokenInformation
ConvertSidToStringSidW
RegCreateKeyExW
RegSetValueExW
RegOpenKeyExW
RegDeleteValueW
RegQueryValueExW
RegCreateKeyA
GetUserNameA
RegCloseKey
RegQueryValueExA
GetSidSubAuthorityCount
AllocateAndInitializeSid
GetSidSubAuthority
CreateWellKnownSid
RegSetValueExA

ole32

CoCreateInstance
CoInitialize
CoInitializeEx
CoUninitialize
CoTaskMemFree

Sections

.text
Size: 62KB - Virtual size: 61KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rdata
Size: 7KB - Virtual size: 7KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.data
Size: 43KB - Virtual size: 44KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.reloc
Size: 4KB - Virtual size: 3KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ

Sharing

General

Malware Config

Extracted

Signatures

Files

cec901dd4cece3a5835f751a49aba900

Headers

DLL Characteristics

File Characteristics

Imports

shlwapi

psapi

userenv

ws2_32

winhttp

kernel32

user32

advapi32

ole32

Sections

.text Size: 62KB - Virtual size: 61KB

.rdata Size: 7KB - Virtual size: 7KB

.data Size: 43KB - Virtual size: 44KB

.reloc Size: 4KB - Virtual size: 3KB

.text
Size: 62KB - Virtual size: 61KB

.rdata
Size: 7KB - Virtual size: 7KB

.data
Size: 43KB - Virtual size: 44KB

.reloc
Size: 4KB - Virtual size: 3KB