winlogon.PDB
Static task: static1
Behavioral task: behavioral1
  Sample: fd8229f8fcbfff00a5b626faa7252410_JaffaCakes118.exe
  Resource: win7-20240903-en
Behavioral task: behavioral2
  Sample: fd8229f8fcbfff00a5b626faa7252410_JaffaCakes118.exe
  Resource: win10v2004-20240802-en
General
Target: fd8229f8fcbfff00a5b626faa7252410_JaffaCakes118
Size: 490KB
MD5: fd8229f8fcbfff00a5b626faa7252410
SHA1: d169e4d4f88000da2054f0c2d1d75591f197d737
SHA256: 6c64e836ab36250a0bcb2472e513cb4d426c5970c7f96ee91651c79a4ea40553
SHA512: b0a8eabcacddbaca78111ba18a2dc3fe3de4ac79fca7eca991634c7343b9c44b38865f47c2484d59658c18379886dfd6a4e3528b9bfa646f0917edeaaf6d3693
SSDEEP: 6144:4YuZlm8LRlBw662R1pqrc7FmxSqVw/T+SN1TrSnmhPnpdcrFIzdFz/N5WjyfTNQG:4VLBhic7Qy1vSneJFDNhp8
Malware Config
Signatures
Unsigned PE (1 IoC)
  Checks for missing Authenticode signature.
  resource fd8229f8fcbfff00a5b626faa7252410_JaffaCakes118
Files
-
fd8229f8fcbfff00a5b626faa7252410_JaffaCakes118.exe windows:5 windows x86 arch:x86
e9359ba603691e15543adbbd9590563d
Headers
DLL Characteristics
IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE
File Characteristics
IMAGE_FILE_RELOCS_STRIPPED
IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LINE_NUMS_STRIPPED
IMAGE_FILE_LOCAL_SYMS_STRIPPED
IMAGE_FILE_AGGRESIVE_WS_TRIM
IMAGE_FILE_32BIT_MACHINE
PDB Paths
winlogon.PDB
Imports
advapi32
ConvertStringSecurityDescriptorToSecurityDescriptorA
A_SHAInit
A_SHAUpdate
A_SHAFinal
LsaStorePrivateData
LsaRetrievePrivateData
LsaNtStatusToWinError
CryptGetUserKey
CryptGetKeyParam
CryptEncrypt
CryptSetProvParam
CryptSignHashW
CryptDeriveKey
CryptGetProvParam
RegOpenCurrentUser
RegDeleteKeyW
AddAccessAllowedAceEx
RegSetKeySecurity
I_ScSendTSMessage
MD5Init
MD5Update
MD5Final
SetFileSecurityA
AllocateLocallyUniqueId
LsaOpenPolicy
LsaQueryInformationPolicy
LsaFreeMemory
LsaClose
RegNotifyChangeKeyValue
QueryServiceConfigW
SetKernelObjectSecurity
ConvertStringSecurityDescriptorToSecurityDescriptorW
RegEnumKeyExW
GetCurrentHwProfileW
RegCloseKey
RegQueryValueExW
RegOpenKeyW
FreeSid
SetSecurityDescriptorDacl
InitializeSecurityDescriptor
AddAccessAllowedAce
InitializeAcl
GetLengthSid
AllocateAndInitializeSid
RegOpenKeyExW
CreateProcessAsUserW
DuplicateTokenEx
CloseServiceHandle
ControlService
StartServiceW
QueryServiceStatus
OpenServiceW
OpenSCManagerW
EqualSid
GetTokenInformation
RegSetValueExW
RegCreateKeyExW
CryptGenRandom
CryptDestroyHash
CryptVerifySignatureW
CryptSetHashParam
CryptGetHashParam
CryptHashData
CryptCreateHash
CryptDecrypt
ReportEventW
RegisterEventSourceW
CryptImportKey
CryptAcquireContextW
CryptReleaseContext
CryptDestroyKey
RegEnumValueW
RegQueryInfoKeyW
RegDeleteValueW
CredFree
CredDeleteW
CredEnumerateW
CopySid
GetSidLengthRequired
GetSidSubAuthority
GetSidSubAuthorityCount
GetUserNameW
OpenThreadToken
EnumServicesStatusW
ImpersonateLoggedOnUser
RegQueryValueExA
CheckTokenMembership
DeregisterEventSource
LsaGetUserName
RevertToSelf
LookupAccountSidW
IsValidSid
SetTokenInformation
LogonUserW
LookupAccountNameW
OpenProcessToken
SynchronizeWindows31FilesAndWindowsNTRegistry
QueryWindows31FilesMigration
AdjustTokenPrivileges
RegQueryInfoKeyA
authz
AuthzInitializeResourceManager
AuthzAccessCheck
AuthziFreeAuditEventType
AuthziInitializeAuditEvent
AuthziInitializeAuditParams
AuthziInitializeAuditEventType
AuthziLogAuditEvent
AuthzFreeAuditEvent
AuthzFreeResourceManager
AuthzFreeHandle
crypt32
CryptImportPublicKeyInfo
CryptVerifyMessageSignature
CertCreateCertificateContext
CertSetCertificateContextProperty
CertVerifyCertificateChainPolicy
CryptSignMessage
CertCloseStore
CertComparePublicKeyInfo
CryptExportPublicKeyInfo
CertFindExtension
CryptDecryptMessage
CertGetCertificateContextProperty
CertAddCertificateContextToStore
CertOpenStore
CertVerifySubjectCertificateContext
CertGetIssuerCertificateFromStore
CertDuplicateCertificateContext
CertFreeCertificateContext
CertEnumCertificatesInStore
CryptImportPublicKeyInfoEx
gdi32
RemoveFontResourceW
AddFontResourceW
kernel32
WTSGetActiveConsoleSessionId
GetTimeFormatW
GetUserDefaultLCID
FileTimeToSystemTime
FileTimeToLocalFileTime
GetProcAddress
LoadLibraryW
GetModuleHandleW
SystemTimeToFileTime
GetSystemTime
SetLastError
TerminateProcess
GetCurrentProcess
CreateTimerQueueTimer
CreateThread
lstrcpynW
GetShortPathNameW
GetProfileStringW
FreeLibrary
ReleaseSemaphore
CreateSemaphoreW
GetSystemInfo
GetComputerNameW
GetEnvironmentVariableW
WaitForSingleObjectEx
LoadResource
FindResourceW
SetThreadExecutionState
DeleteTimerQueueTimer
ResetEvent
GetSystemDirectoryW
TransactNamedPipe
SetNamedPipeHandleState
GetTickCount
CreateFileW
GlobalGetAtomNameW
VirtualLock
VirtualQuery
GetDriveTypeW
Beep
OpenMutexW
QueueUserWorkItem
LeaveCriticalSection
EnterCriticalSection
DisconnectNamedPipe
SearchPathW
lstrcatW
LocalReAlloc
ExpandEnvironmentStringsW
TerminateThread
ResumeThread
GetDiskFreeSpaceExW
GlobalMemoryStatusEx
DeleteFileW
WriteProfileStringW
ReadFile
FindVolumeClose
FindNextVolumeW
FindFirstVolumeW
FormatMessageW
SetPriorityClass
MoveFileExW
WaitForMultipleObjectsEx
GetExitCodeProcess
SleepEx
InterlockedExchange
FindClose
FindFirstFileW
GetWindowsDirectoryW
SetTimerQueueTimer
GetComputerNameA
GetVersionExW
VerSetConditionMask
WriteFile
WaitNamedPipeW
WaitForMultipleObjects
ConnectNamedPipe
DuplicateHandle
OpenProcess
GetOverlappedResult
GetVersionExA
lstrcmpW
SetEnvironmentVariableW
UnregisterWait
CreateNamedPipeW
CreateRemoteThread
CreateActCtxW
GetModuleFileNameW
ExitProcess
LoadLibraryExW
SetErrorMode
SetUnhandledExceptionFilter
GetPrivateProfileStringW
LocalSize
VirtualAlloc
VirtualQueryEx
DebugBreak
CreateFileA
InitializeCriticalSection
ProcessIdToSessionId
SetInformationJobObject
AssignProcessToJobObject
TerminateJobObject
PostQueuedCompletionStatus
PulseEvent
GetQueuedCompletionStatus
CreateIoCompletionPort
CreateJobObjectW
ActivateActCtx
DeactivateActCtx
InterlockedCompareExchange
LoadLibraryA
QueryPerformanceCounter
GetSystemTimeAsFileTime
UnhandledExceptionFilter
GetModuleHandleA
GetStartupInfoA
GetCurrentProcessId
SetThreadPriority
GetCurrentThreadId
lstrcmpiW
GetProfileIntW
LoadLibraryExA
lstrcpyW
lstrlenW
Sleep
LocalAlloc
CreateEventW
GetExitCodeThread
SetThreadAffinityMask
GetProcessAffinityMask
CreateWaitableTimerW
CreateMutexW
OpenEventW
RegisterWaitForSingleObject
WaitForSingleObject
CreateProcessW
SetWaitableTimer
ReleaseMutex
SetEvent
UnregisterWaitEx
CloseHandle
lstrlenA
lstrcpyA
MultiByteToWideChar
GetACP
WideCharToMultiByte
HeapAlloc
GetProcessHeap
HeapFree
lstrcpynA
UnmapViewOfFile
MapViewOfFile
CreateFileMappingW
lstrcmpiA
GetFileSize
SetFilePointer
GlobalAlloc
GlobalFree
GetLastError
LocalFree
lstrcatA
lstrcmpA
GetLogicalDriveStringsA
GetDriveTypeA
GetVolumeInformationW
GlobalMemoryStatus
CreateMutexA
FindResourceExW
LockResource
SizeofResource
VerifyVersionInfoW
GetSystemDirectoryA
GetCurrentThread
DelayLoadFailureHook
BaseInitAppcompatCacheSupport
OpenProfileUserMapping
CloseProfileUserMapping
BaseCleanupAppcompatCacheSupport
InitializeCriticalSectionAndSpinCount
VirtualProtect
CreateEventA
TlsSetValue
DeleteCriticalSection
TlsGetValue
TlsAlloc
VirtualFree
TlsFree
msvcrt
_vsnwprintf
wcslen
wcsncpy
wcsstr
atoi
wcstok
memmove
wcschr
swprintf
swscanf
_local_unwind2
_wcslwr
wcscmp
_snwprintf
malloc
_c_exit
_exit
_XcptFilter
_cexit
exit
_acmdln
__getmainargs
_initterm
__setusermatherr
_adjust_fdiv
__p__commode
__p__fmode
??3@YAXPAX@Z
??2@YAPAXI@Z
__CxxFrameHandler
_itow
_snprintf
_wtol
_strnicmp
sscanf
wcstombs
sprintf
strchr
strncmp
atof
_ftol
isspace
__set_app_type
wcscpy
_controlfp
wcsncmp
_wcsupr
ceil
wcscat
_except_handler3
free
_wcsicmp
nddeapi
ord603
ord612
ord613
ord611
ntdll
RtlAllocateHeap
NtPowerInformation
NtSetSystemPowerState
NtRaiseHardError
RtlDeleteCriticalSection
NtOpenSymbolicLinkObject
NtReplyPort
NtCompleteConnectPort
NtReplyWaitReceivePort
NtAcceptConnectPort
NtCreatePort
RtlConvertSidToUnicodeString
RtlFreeUnicodeString
NtLockProductActivationKeys
RtlTimeToTimeFields
NtUnmapViewOfSection
NtMapViewOfSection
NtOpenSection
NtQuerySymbolicLinkObject
NtQueryVolumeInformationFile
NtSetSecurityObject
RtlAdjustPrivilege
NtOpenFile
NtFsControlFile
RtlAllocateAndInitializeSid
RtlDestroyEnvironment
RtlFreeHeap
NtQueryInformationToken
NtShutdownSystem
RtlEnterCriticalSection
RtlLeaveCriticalSection
RtlInitializeCriticalSection
RtlCreateEnvironment
RtlQueryEnvironmentVariable_U
RtlSetEnvironmentVariable
RtlInitUnicodeString
NtOpenKey
NtQueryValueKey
RtlSubAuthoritySid
RtlInitializeSid
RtlLengthRequiredSid
NtAllocateLocallyUniqueId
RtlGetDaclSecurityDescriptor
RtlCopySid
RtlLengthSid
NtSetInformationThread
NtDuplicateToken
NtDuplicateObject
RtlEqualSid
RtlSetDaclSecurityDescriptor
NtClose
RtlOpenCurrentUser
RtlCreateSecurityDescriptor
RtlAddAce
RtlCreateAcl
RtlNtStatusToDosError
NtOpenDirectoryObject
NtQuerySystemInformation
NtCreateEvent
NtCreatePagingFile
RtlDosPathNameToNtPathName_U
RtlRegisterWait
NtSetValueKey
NtCreateKey
RtlTimeToSecondsSince1980
NtQuerySystemTime
NtPrivilegeObjectAuditAlarm
NtPrivilegeCheck
NtOpenThreadToken
NtOpenProcessToken
RtlUnhandledExceptionFilter
NtQueryInformationProcess
DbgBreakPoint
RtlCheckProcessParameters
RtlSetThreadIsCritical
RtlSetProcessIsCritical
RtlInitString
NtInitiatePowerAction
DbgPrint
NtFilterToken
NtQueryInformationJobObject
NtOpenEvent
RtlGetAce
RtlQueryInformationAcl
NtQuerySecurityObject
RtlCompareUnicodeString
NtSetInformationProcess
profmap
InitializeProfileMappingApi
RemapAndMoveUserW
psapi
EnumProcesses
EnumProcessModules
GetModuleBaseNameW
regapi
RegDefaultUserConfigQueryW
RegUserConfigQuery
rpcrt4
RpcServerRegisterIfEx
RpcServerUseProtseqEpW
RpcImpersonateClient
I_RpcMapWin32Status
RpcServerRegisterIf
RpcGetAuthorizationContextForClient
RpcFreeAuthorizationContext
RpcServerListen
RpcRevertToSelf
NdrServerCall2
UuidCreate
secur32
GetUserNameExW
LsaLookupAuthenticationPackage
LsaRegisterLogonProcess
LsaCallAuthenticationPackage
setupapi
SetupDiDestroyDeviceInfoList
SetupDiEnumDeviceInfo
SetupDiGetClassDevsW
SetupDiGetDeviceRegistryPropertyW
user32
SetFocus
EnumWindows
CreateWindowStationW
RegisterLogonProcess
RecordShutdownReason
LoadLocalFonts
UnhookWindowsHook
SetWindowsHookW
GetWindowTextW
CallNextHookEx
DialogBoxParamW
GetWindowPlacement
GetSystemMenu
DeleteMenu
SetWindowPlacement
SetUserObjectInformationW
GetAsyncKeyState
PostThreadMessageW
SetUserObjectSecurity
CreateDesktopW
KillTimer
GetMessageTime
SetLogonNotifyWindow
UnlockWindowStation
SetTimer
ReplyMessage
UnregisterHotKey
RegisterHotKey
OpenInputDesktop
GetUserObjectInformationW
CloseDesktop
RegisterDeviceNotificationW
SetThreadDesktop
CreateWindowExW
GetMessageW
TranslateMessage
RegisterWindowMessageW
SetCursor
DefWindowProcW
FindWindowW
MessageBoxW
SendNotifyMessageW
PostQuitMessage
MsgWaitForMultipleObjects
GetWindowRect
GetSystemMetrics
PeekMessageW
DispatchMessageW
SetProcessWindowStation
UpdateWindow
ShowWindow
SetWindowPos
PostMessageW
ExitWindowsEx
EnumDisplayMonitors
SystemParametersInfoW
GetDlgItem
SendMessageW
CreateDialogParamW
DestroyWindow
GetWindowLongW
GetDlgItemTextW
EndDialog
SetWindowLongW
LoadStringW
SetWindowTextW
SetDlgItemTextW
wsprintfW
wsprintfA
LockWindowStation
MBToWCSEx
SetWindowStationUser
UpdatePerUserSystemParameters
DialogBoxIndirectParamW
wvsprintfW
SetLastErrorEx
LoadCursorW
CheckDlgButton
IsDlgButtonChecked
RegisterClassW
CloseWindowStation
LoadImageW
GetParent
GetKeyState
GetDesktopWindow
SetForegroundWindow
SwitchDesktop
OpenDesktopW
userenv
WaitForUserPolicyForegroundProcessing
GetAllUsersProfileDirectoryW
ord118
ord117
ord131
ord151
WaitForMachinePolicyForegroundProcessing
ord140
ord150
ord152
UnloadUserProfile
LoadUserProfileW
GetUserProfileDirectoryW
RegisterGPNotification
CreateEnvironmentBlock
DestroyEnvironmentBlock
UnregisterGPNotification
ord130
version
GetFileVersionInfoSizeW
GetFileVersionInfoW
VerQueryValueW
winsta
WinStationRequestSessionsList
WinStationQueryLogonCredentialsW
WinStationIsHelpAssistantSession
WinStationAutoReconnect
_WinStationWaitForConnect
WinStationDisconnect
_WinStationCallback
WinStationNameFromLogonIdW
_WinStationFUSCanRemoteUserDisconnect
WinStationEnumerate_IndexedW
WinStationGetMachinePolicy
WinStationQueryInformationW
WinStationFreeMemory
WinStationReset
_WinStationNotifyDisconnectPipe
WinStationConnectW
WinStationSetInformationW
WinStationShutdownSystem
WinStationCheckLoopBack
_WinStationNotifyLogon
_WinStationNotifyLogoff
wintrust
CryptCATCatalogInfoFromContext
CryptCATAdminCalcHashFromFileHandle
CryptCATAdminAcquireContext
CryptCATAdminEnumCatalogFromHash
CryptCATAdminReleaseCatalogContext
WTHelperProvDataFromStateData
WinVerifyTrust
WTHelperGetProvSignerFromChain
CryptCATAdminReleaseContext
ws2_32
WSACleanup
getaddrinfo
WSAStartup
Sections
.text  Size: 445KB  Virtual size: 444KB
  IMAGE_SCN_CNT_CODE
  IMAGE_SCN_MEM_EXECUTE
  IMAGE_SCN_MEM_READ
.data  Size: 8KB  Virtual size: 19KB
  IMAGE_SCN_CNT_INITIALIZED_DATA
  IMAGE_SCN_MEM_READ
  IMAGE_SCN_MEM_WRITE
.rsrc  Size: 36KB  Virtual size: 121KB
  IMAGE_SCN_MEM_EXECUTE
  IMAGE_SCN_MEM_READ
  IMAGE_SCN_MEM_WRITE