0644fdf7c0e1303e21a32c825abae14b_JaffaCakes118

Sharing

Copy URL Twitter E-mail

General

Target

0644fdf7c0e1303e21a32c825abae14b_JaffaCakes118
Size

2.1MB
MD5

0644fdf7c0e1303e21a32c825abae14b
SHA1

301a2aa18192428fa1a6fdf26731878b1d3674de
SHA256

b4cb22f370714b14bf227099a29434c66b3a3a69778ae6b9b713f3531b09b052
SHA512

ef4764a95840b956070b6d501eb000e4ceba3070c504e5eea165f55ab15178637f700cd913fa5220530d6ddd0c8743a295668bbc143d417a2d356e1b2a70875e
SSDEEP

24576:Rj0ODp9I6yX2Y/liNl6z5cI1QwIi+Msc79qtOaaw1/m:901X3l8l6z/IJMsc79Tc+

Score

1^/10

Malware Config

Signatures

Files

0644fdf7c0e1303e21a32c825abae14b_JaffaCakes118
.dll regsvr32 windows:4 windows x86 arch:x86

b73db2e43defc37b447a6d5ffd16db4e

Code Sign

7e:93:eb:fb:7c:c6:4e:59:ea:4b:9a:77:d4:06:fc:3b
Certificate

Issuer

CN=Thawte Timestamping CA,OU=Thawte Certification,O=Thawte,L=Durbanville,ST=Western Cape,C=ZA

Not Before

21/12/2012, 00:00

Not After

30/12/2020, 23:59

Subject

CN=Symantec Time Stamping Services CA - G2,O=Symantec Corporation,C=US

Extended Key Usages

ExtKeyUsageTimeStamping

Key Usages

KeyUsageCertSign
KeyUsageCRLSign

0e:cf:f4:38:c8:fe:bf:35:6e:04:d8:6a:98:1b:1a:50
Certificate

Issuer

CN=Symantec Time Stamping Services CA - G2,O=Symantec Corporation,C=US

Not Before

18/10/2012, 00:00

Not After

29/12/2020, 23:59

Subject

CN=Symantec Time Stamping Services Signer - G4,O=Symantec Corporation,C=US

Extended Key Usages

ExtKeyUsageTimeStamping

Key Usages

KeyUsageDigitalSignature

7b:16:17:5c:aa:44:51:eb:77:b2:8c:cc:d4:e9:88:94
Certificate

Issuer

CN=VeriSign Class 3 Code Signing 2010 CA,OU=VeriSign Trust Network+OU=Terms of use at https://www.verisign.com/rpa (c)10,O=VeriSign\, Inc.,C=US

Not Before

28/06/2013, 00:00

Not After

29/06/2015, 23:59

Subject

CN=SAP AG,OU=SAP Business Objects Production CSA2013+OU=Digital ID Class 3 - Microsoft Software Validation v2,O=SAP AG,L=Walldorf,ST=Baden-Wuerttemberg,C=DE

Extended Key Usages

ExtKeyUsageCodeSigning

Key Usages

KeyUsageDigitalSignature

52:00:e5:aa:25:56:fc:1a:86:ed:96:c9:d4:4b:33:c7
Certificate

Issuer

CN=VeriSign Class 3 Public Primary Certification Authority - G5,OU=VeriSign Trust Network+OU=(c) 2006 VeriSign\, Inc. - For authorized use only,O=VeriSign\, Inc.,C=US

Not Before

08/02/2010, 00:00

Not After

07/02/2020, 23:59

Subject

CN=VeriSign Class 3 Code Signing 2010 CA,OU=VeriSign Trust Network+OU=Terms of use at https://www.verisign.com/rpa (c)10,O=VeriSign\, Inc.,C=US

Extended Key Usages

ExtKeyUsageClientAuth
ExtKeyUsageCodeSigning

Key Usages

KeyUsageCertSign
KeyUsageCRLSign

39:e2:2b:e4:11:5e:2c:42:f9:88:12:cc:e5:47:1b:dc:7c:af:39:e8
Signer

Actual PE Digest

39:e2:2b:e4:11:5e:2c:42:f9:88:12:cc:e5:47:1b:dc:7c:af:39:e8

Digest Algorithm

sha1

PE Digest Matches

true

Headers

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_32BIT_MACHINE
IMAGE_FILE_DLL

PDB Paths

d:\Cortez_REL\win32_x86\release\pdb\crystalreports.cpp\rptdefmodel.pdb

Imports

kernel32

FreeLibrary
CompareStringA
GetModuleHandleA
GetModuleFileNameA
GetWindowsDirectoryA
GetSystemDirectoryA
InterlockedExchange
SetLastError
GetSystemTimeAsFileTime
GetCurrentProcessId
GetCurrentThreadId
LocalFree
QueryPerformanceCounter
LoadLibraryA
LocalAlloc
HeapAlloc
RaiseException
IsDebuggerPresent
SetUnhandledExceptionFilter
UnhandledExceptionFilter
GetCurrentProcess
TerminateProcess
InterlockedCompareExchange
Sleep
GetLastError
GetVersionExA
GetThreadLocale
GetLocaleInfoA
GetACP
DisableThreadLibraryCalls
GetUserDefaultLangID
lstrlenA
GetProcessHeap
HeapFree
InterlockedDecrement
InterlockedIncrement
DeleteCriticalSection
InitializeCriticalSection
LeaveCriticalSection
GetTickCount
EnterCriticalSection

user32

SetRectEmpty
UnregisterClassA

gdi32

GetStockObject

advapi32

RegCloseKey

ole32

CoTaskMemAlloc
CoTaskMemFree
StringFromCLSID
CoCreateInstance
CoCreateFreeThreadedMarshaler
CoInitialize
StringFromGUID2
CLSIDFromProgID
CoUninitialize

oleaut32

OleCreateFontIndirect
VariantChangeType
VarR8FromDec
VariantTimeToSystemTime
VariantChangeTypeEx
SysFreeString
SysAllocString
SysStringLen
LoadRegTypeLi
LoadTypeLi
VarBstrCat
SysAllocStringLen
SysAllocStringByteLen
SysStringByteLen
VariantClear
VariantCopy
VarCyFromI4
VarCyFromI2
VariantInit
CreateErrorInfo
SetErrorInfo
GetErrorInfo
VarBstrCmp
VarDecFromStr
SystemTimeToVariantTime
VarDateFromStr

msvcp80

?end@?$basic_string@_WU?$char_traits@_W@std@@V?$allocator@_W@2@@std@@QAE?AV?$_String_iterator@_WU?$char_traits@_W@std@@V?$allocator@_W@2@@2@XZ
?_Myptr@?$basic_string@_WU?$char_traits@_W@std@@V?$allocator@_W@2@@std@@IAEPA_WXZ
??0?$basic_string@_WU?$char_traits@_W@std@@V?$allocator@_W@2@@std@@QAE@PB_W@Z
?c_str@?$basic_string@_WU?$char_traits@_W@std@@V?$allocator@_W@2@@std@@QBEPB_WXZ
?begin@?$basic_string@_WU?$char_traits@_W@std@@V?$allocator@_W@2@@std@@QAE?AV?$_String_iterator@_WU?$char_traits@_W@std@@V?$allocator@_W@2@@2@XZ
?swap@?$basic_string@_WU?$char_traits@_W@std@@V?$allocator@_W@2@@std@@QAEXAAV12@@Z
??0?$basic_string@_WU?$char_traits@_W@std@@V?$allocator@_W@2@@std@@QAE@ABV01@@Z
??0?$basic_string@_WU?$char_traits@_W@std@@V?$allocator@_W@2@@std@@QAE@XZ
??4?$basic_string@_WU?$char_traits@_W@std@@V?$allocator@_W@2@@std@@QAEAAV01@PB_W@Z
??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV01@@Z
??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ
?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ
??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBD@Z
?max@?$numeric_limits@J@std@@SAJXZ
??1?$basic_string@_WU?$char_traits@_W@std@@V?$allocator@_W@2@@std@@QAE@XZ
?compare@?$basic_string@_WU?$char_traits@_W@std@@V?$allocator@_W@2@@std@@QBEHPB_W@Z
??4?$basic_string@_WU?$char_traits@_W@std@@V?$allocator@_W@2@@std@@QAEAAV01@ABV01@@Z
??Y?$basic_string@_WU?$char_traits@_W@std@@V?$allocator@_W@2@@std@@QAEAAV01@PB_W@Z

atl80

ord30
ord32
ord58
ord31
ord61
ord22
ord64
ord49
ord15
ord18
ord23

cxlibw-5-0

?g_traceIsOff@CXLib500@@3_NA
?ShouldTrace_slowpath@CXLib500@@YA_NW4tracelevel@SLogger@1@PBDH@Z
??0?$SString_t@_W$00@CXLib500@@QAE@PB_W@Z
??1?$SString_t@_W$00@CXLib500@@QAE@XZ
??0SResString@CXLib500@@QAE@ABVSWCharString@1@ABV?$SChar_t@_W$00@1@@Z
??BSResString@CXLib500@@QBE?AVSWCharString@1@XZ
??0SWCharString@CXLib500@@QAE@ABV01@@Z
??1SResString@CXLib500@@QAE@XZ
??0SWCharString@CXLib500@@QAE@PB_W@Z
?isEmpty@?$SString_t@_W$00@CXLib500@@QBE_NXZ
?Initialize@SResManager@CXLib500@@SA_NXZ
??B?$SString_t@_W$00@CXLib500@@QBEPB_WXZ
?GetCollection@SResManager@CXLib500@@SA?AV?$CSmartRefCountPtr@VSResCollection@CXLib500@@@2@PB_W0QAUHINSTANCE__@@@Z
?Terminate@SResManager@CXLib500@@SA_NXZ
??0SWCharString@CXLib500@@QAE@XZ
??4SWCharString@CXLib500@@QAEAAV01@PB_W@Z
??Y?$SString_t@_W$00@CXLib500@@QAEAAV01@PB_W@Z
??1SWCharString@CXLib500@@QAE@XZ
?ShouldAssert@CXLib500@@YA_NXZ
?SAssert@CXLib500@@YAXPBDH0@Z
?compareNoCase@?$SString_t@_W$00@CXLib500@@QBEHABV12@@Z
?ThreadInitialize@SResManager@CXLib500@@SA_NKAAK@Z
?ThreadUninitialize@SResManager@CXLib500@@SAXK@Z
??RSTraceObj@CXLib500@@QAEXPB_W@Z
?ToNumber@NeutralString@CXLib500@@SA_NABVSWCharString@2@AAN@Z
?FromString@SStringConvByLocale@CXLib500@@SA_NABVSWCharString@2@KAAN@Z
?ToNumber@NeutralString@CXLib500@@SA_NABVSWCharString@2@AAK@Z
?FromString@SStringConvByLocale@CXLib500@@SA_NABVSWCharString@2@KAAK@Z
?ToNumber@NeutralString@CXLib500@@SA_NABVSWCharString@2@AAJ@Z
?FromString@SStringConvByLocale@CXLib500@@SA_NABVSWCharString@2@KAAJ@Z
??6SResString@CXLib500@@QAEAAV01@ABVSWCharString@1@@Z
??0?$SChar_t@_W$00@CXLib500@@QAE@_W@Z

msvcr80

_lock
memmove_s
??0exception@std@@QAE@ABQBDH@Z
realloc
swscanf
strlen
_except_handler4_common
?terminate@@YAXXZ
__clean_type_info_names_internal
?_name_internal_method@type_info@@QBEPBDPAU__type_info_node@@@Z
_unlock
__dllonexit
_encode_pointer
iswspace
_decode_pointer
_malloc_crt
_encoded_null
_initterm
_initterm_e
_amsg_exit
_adjust_fdiv
__CppXcptFilter
?_type_info_dtor_internal_method@type_info@@QAEXXZ
_crt_debugger_hook
_onexit
wcscat
_vswprintf_c_l
malloc
memcpy
_wsplitpath
wcscat_s
wcscpy_s
wcsstr
wcscmp
memcpy_s
memcmp
free
wcslen
_wcsicmp
wcscpy
swprintf_s
??_V@YAXPAX@Z
??0exception@std@@QAE@ABV01@@Z
??2@YAPAXI@Z
_invalid_parameter_noinfo
memset
_CxxThrowException
_purecall
__CxxFrameHandler3
??0exception@std@@QAE@XZ
??1exception@std@@UAE@XZ
?what@exception@std@@UBEPBDXZ
??0exception@std@@QAE@ABQBD@Z
??3@YAXPAX@Z

Exports

Exports

DllCanUnloadNow
DllGetClassObject
DllRegisterServer
DllUnregisterServer

Sections

.text
Size: 872KB - Virtual size: 871KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rdata
Size: 589KB - Virtual size: 589KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.data
Size: 210KB - Virtual size: 214KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.rsrc
Size: 248KB - Virtual size: 247KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.reloc
Size: 213KB - Virtual size: 213KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ

Sharing

General

Malware Config

Signatures

Files

b73db2e43defc37b447a6d5ffd16db4e

Code Sign

7e:93:eb:fb:7c:c6:4e:59:ea:4b:9a:77:d4:06:fc:3bCertificate

Extended Key Usages

Key Usages

0e:cf:f4:38:c8:fe:bf:35:6e:04:d8:6a:98:1b:1a:50Certificate

Extended Key Usages

Key Usages

7b:16:17:5c:aa:44:51:eb:77:b2:8c:cc:d4:e9:88:94Certificate

Extended Key Usages

Key Usages

52:00:e5:aa:25:56:fc:1a:86:ed:96:c9:d4:4b:33:c7Certificate

Extended Key Usages

Key Usages

39:e2:2b:e4:11:5e:2c:42:f9:88:12:cc:e5:47:1b:dc:7c:af:39:e8Signer

Headers

File Characteristics

PDB Paths

Imports

kernel32

user32

gdi32

advapi32

ole32

oleaut32

msvcp80

atl80

cxlibw-5-0

msvcr80

Exports

Exports

Sections

.text Size: 872KB - Virtual size: 871KB

.rdata Size: 589KB - Virtual size: 589KB

.data Size: 210KB - Virtual size: 214KB

.rsrc Size: 248KB - Virtual size: 247KB

.reloc Size: 213KB - Virtual size: 213KB

7e:93:eb:fb:7c:c6:4e:59:ea:4b:9a:77:d4:06:fc:3b
Certificate

0e:cf:f4:38:c8:fe:bf:35:6e:04:d8:6a:98:1b:1a:50
Certificate

7b:16:17:5c:aa:44:51:eb:77:b2:8c:cc:d4:e9:88:94
Certificate

52:00:e5:aa:25:56:fc:1a:86:ed:96:c9:d4:4b:33:c7
Certificate

39:e2:2b:e4:11:5e:2c:42:f9:88:12:cc:e5:47:1b:dc:7c:af:39:e8
Signer

.text
Size: 872KB - Virtual size: 871KB

.rdata
Size: 589KB - Virtual size: 589KB

.data
Size: 210KB - Virtual size: 214KB

.rsrc
Size: 248KB - Virtual size: 247KB

.reloc
Size: 213KB - Virtual size: 213KB