fa8cc57141a1b459b90353758acd3a49_JaffaCakes118

General

Target

fa8cc57141a1b459b90353758acd3a49_JaffaCakes118
Size

7KB
MD5

fa8cc57141a1b459b90353758acd3a49
SHA1

4e41633b8507fc8fecb2d92af55b99b1c89781fb
SHA256

44399ed6093df3d39f9c58675bb8fb0999e997b06f6e9ff93050a2bbb34cd65b
SHA512

e2e8d3695dcd4d328211d8e68e443c7abe48b12a696e4015f4f426a3bd9e9eb989dd1c5af76f55097a123aaf8ec4d5eeee45e9cb996b8acbf20b6f9a03d1e57a
SSDEEP

192:6Y1hmmRmW+Mz1MAGTOGRTvBP92sE9nP9XKaPssYoMXxPB:6YPmcoMz1fGtBVeoaPbYokB

Score

3^/10

Malware Config

Signatures

Unsigned PE 2 IoCs

Checks for missing Authenticode signature.

resource
unpack001/powerio.sys
unpack001/~tmp1174.exe

Files

fa8cc57141a1b459b90353758acd3a49_JaffaCakes118
.zip

Password: infected
powerio.sys
.sys windows:4 windows x86 arch:x86

671efa099d633cb5f2ade8a010e4d9cb

Headers

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_32BIT_MACHINE

PDB Paths

d:\p4root\Win32\TdiTest\TestSys\release\test.pdb

Imports

ntoskrnl.exe

IoBuildDeviceIoControlRequest
IoGetRelatedDeviceObject
RtlInitUnicodeString
IoFreeWorkItem
KeInitializeEvent
ZwCreateFile
IoAllocateWorkItem
ZwClose
_purecall
ObReferenceObjectByHandle
KeWaitForSingleObject
ExFreePoolWithTag
ObfDereferenceObject
IoQueueWorkItem
IoAllocateMdl
IofCallDriver
ExRaiseStatus
IoDeleteSymbolicLink
IoDeleteDevice
IofCompleteRequest
IoCreateSymbolicLink
IoCreateDevice
MmProbeAndLockPages
ExAllocatePoolWithTag
_except_handler3

hal

KeGetCurrentIrql

Sections

.text
Size: 3KB - Virtual size: 3KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rdata
Size: 1024B - Virtual size: 612B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.data
Size: 512B - Virtual size: 16B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

INIT
Size: 1024B - Virtual size: 730B

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.rsrc
Size: 512B - Virtual size: 176B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.reloc
Size: 512B - Virtual size: 474B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ
~tmp1174.exe
.exe windows:4 windows x86 arch:x86

6dfd56862a6e3fa30cd834e46a247612

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_NO_SEH

File Characteristics

IMAGE_FILE_RELOCS_STRIPPED
IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_32BIT_MACHINE

Imports

kernel32

CloseHandle
GetModuleHandleW
FindResourceW
GetSystemDirectoryW
ExitProcess
LoadResource
LockResource
SizeofResource
CreateFileW
WriteFile

user32

wsprintfW

advapi32

CloseServiceHandle
CreateServiceW
OpenSCManagerW
StartServiceW

Sections

.text
Size: 512B - Virtual size: 365B

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rdata
Size: 1024B - Virtual size: 616B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.rsrc
Size: 8KB - Virtual size: 8KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

Sharing

General

Malware Config

Signatures

Files

Password: infected

671efa099d633cb5f2ade8a010e4d9cb

Headers

File Characteristics

PDB Paths

Imports

ntoskrnl.exe

hal

Sections

.text Size: 3KB - Virtual size: 3KB

.rdata Size: 1024B - Virtual size: 612B

.data Size: 512B - Virtual size: 16B

INIT Size: 1024B - Virtual size: 730B

.rsrc Size: 512B - Virtual size: 176B

.reloc Size: 512B - Virtual size: 474B

6dfd56862a6e3fa30cd834e46a247612

Headers

DLL Characteristics

File Characteristics

Imports

kernel32

user32

advapi32

Sections

.text Size: 512B - Virtual size: 365B

.rdata Size: 1024B - Virtual size: 616B

.rsrc Size: 8KB - Virtual size: 8KB

.text
Size: 3KB - Virtual size: 3KB

.rdata
Size: 1024B - Virtual size: 612B

.data
Size: 512B - Virtual size: 16B

INIT
Size: 1024B - Virtual size: 730B

.rsrc
Size: 512B - Virtual size: 176B

.reloc
Size: 512B - Virtual size: 474B

.text
Size: 512B - Virtual size: 365B

.rdata
Size: 1024B - Virtual size: 616B

.rsrc
Size: 8KB - Virtual size: 8KB