termsrv.pdb
Static task: static1
Behavioral task: behavioral1
  Sample: 071989a231f910fdf14f94faee4cd64b_JaffaCakes118.dll
  Resource: win7-20240704-en
Behavioral task: behavioral2
  Sample: 071989a231f910fdf14f94faee4cd64b_JaffaCakes118.dll
  Resource: win10v2004-20240802-en
General
Target: 071989a231f910fdf14f94faee4cd64b_JaffaCakes118
Size: 289KB
MD5: 071989a231f910fdf14f94faee4cd64b
SHA1: 563309e1cea2f117c3802a84bc507db386a181fa
SHA256: 76c7ed107c73db6106edab38a935c8fe6dc3f8f82b9295d6ae236798f673e59d
SHA512: 4a61157f7c2d75410b55aa0b4db4aaa895d24a914697acfbfeb5439985e2c9ab0398fa8f3d714589306181d672a20a2972cf16f319bec47fff4355282a2e0397
SSDEEP: 6144:p0V98cFca6WSrQ0G3B67zjOj8kY0ceoeoVncRBcUaCNpT:p41Fca6vwB+jO1oVVnRI
Malware Config
Signatures
Unsigned PE (1 IoC)
Checks for missing Authenticode signature.
resource 071989a231f910fdf14f94faee4cd64b_JaffaCakes118
Files
071989a231f910fdf14f94faee4cd64b_JaffaCakes118.dll (windows:5 windows x86 arch:x86)
a3956ec45f0da1bb7772e8b4aa02495a
Headers
File Characteristics
IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LINE_NUMS_STRIPPED
IMAGE_FILE_LOCAL_SYMS_STRIPPED
IMAGE_FILE_32BIT_MACHINE
IMAGE_FILE_DLL
PDB Paths
termsrv.pdb
Imports
msvcrt
wcscpy
wcscmp
_except_handler3
_wcsnicmp
wcscat
swscanf
wcsncpy
wcslen
wcsncat
swprintf
wcsrchr
memmove
_snwprintf
wcschr
sprintf
qsort
strncpy
gmtime
time
mktime
_mbslen
mbstowcs
??3@YAXPAX@Z
??2@YAPAXI@Z
free
_initterm
malloc
_adjust_fdiv
_ftol
_snprintf
strncmp
iswdigit
_wcsupr
wcstok
_wtol
_stricmp
__CxxFrameHandler
_purecall
_wcsicmp
ntdll
NtOpenProcessToken
NtQueryInformationToken
RtlLengthSid
RtlCopySid
NtAllocateVirtualMemory
NtFreeVirtualMemory
RtlAcquireResourceShared
NtDelayExecution
DbgBreakPoint
RtlPrefixUnicodeString
NtResetEvent
NtWaitForMultipleObjects
RtlInitializeGenericTable
RtlDeleteCriticalSection
NtOpenProcess
NtQueryVirtualMemory
RtlLookupElementGenericTable
RtlCompareMemory
RtlInsertElementGenericTable
RtlDeleteElementGenericTable
RtlInitializeResource
NtCreateEvent
NtDuplicateObject
NtQuerySystemTime
RtlEqualSid
RtlAdjustPrivilege
RtlInitializeCriticalSection
NtTerminateProcess
RtlLengthRequiredSid
NtReleaseMutant
NtWaitForSingleObject
NtCreateMutant
NtQueryInformationProcess
NtDuplicateToken
NtSetInformationThread
RtlpNtEnumerateSubKey
NtRequestPort
NtConnectPort
NtSetEvent
RtlEnterCriticalSection
RtlAllocateHeap
NtOpenThreadToken
NtReplyPort
NtCompleteConnectPort
NtAcceptConnectPort
NtCreateSection
NtReplyWaitReceivePort
RtlFreeUnicodeString
NtCreatePort
RtlAnsiStringToUnicodeString
RtlInitAnsiString
RtlQueryRegistryValues
NtDeviceIoControlFile
RtlExtendedLargeIntegerDivide
RtlConvertExclusiveToShared
RtlConvertSharedToExclusive
RtlDeleteResource
NtRequestWaitReplyPort
RtlFreeHeap
RtlLeaveCriticalSection
RtlAcquireResourceExclusive
RtlReleaseResource
RtlInitUnicodeString
NtOpenKey
NtQueryValueKey
NtClose
VerSetConditionMask
RtlCreateEnvironment
RtlSetProcessIsCritical
DbgPrint
NtQuerySystemInformation
NtSetTimer
NtCreateTimer
RtlCopySecurityDescriptor
RtlNtStatusToDosError
RtlDeleteAce
RtlGetAce
RtlQueryInformationAcl
RtlGetDaclSecurityDescriptor
RtlMapGenericMask
RtlSubAuthoritySid
RtlInitializeSid
RtlCreateUserSecurityObject
RtlSetDaclSecurityDescriptor
RtlAddAccessAllowedAce
RtlCreateAcl
RtlCreateSecurityDescriptor
RtlWriteRegistryValue
RtlCreateRegistryKey
RtlLengthSecurityDescriptor
RtlSetGroupSecurityDescriptor
RtlGetGroupSecurityDescriptor
RtlGetOwnerSecurityDescriptor
NtSetSecurityObject
NtQuerySecurityObject
NtOpenSymbolicLinkObject
NtQueryDirectoryObject
NtCreateDirectoryObject
RtlFreeSid
RtlAllocateAndInitializeSid
RtlIntegerToUnicodeString
RtlAppendUnicodeToString
NtQueryMutant
icaapi
IcaOpen
IcaStackCallback
IcaStackConnectionWait
IcaStackConnectionRequest
IcaStackConnectionAccept
_IcaStackIoControl
IcaStackUnlock
IcaStackReconnect
IcaStackTerminate
IcaChannelClose
IcaStackIoControl
IcaPushConsoleStack
IcaChannelOpen
IcaChannelIoControl
IcaStackConnectionClose
IcaStackClose
IcaClose
IcaIoControl
IcaStackOpen
IcaStackDisconnect
shell32
SHGetFolderPathA
setupapi
SetupDiGetDeviceRegistryPropertyA
SetupDiGetClassDevsA
SetupDiEnumDeviceInfo
SetupDiDestroyDeviceInfoList
shlwapi
PathAppendA
wintrust
CryptCATAdminCalcHashFromFileHandle
CryptCATAdminEnumCatalogFromHash
CryptCATCatalogInfoFromContext
CryptCATAdminReleaseCatalogContext
CryptCATAdminReleaseContext
WTHelperProvDataFromStateData
WTHelperGetProvSignerFromChain
CryptCATAdminAcquireContext
WinVerifyTrust
rpcrt4
RpcServerInqDefaultPrincNameW
RpcServerRegisterAuthInfoW
RpcServerRegisterIfEx
RpcBindingToStringBindingW
RpcServerListen
RpcImpersonateClient
I_RpcBindingIsClientLocal
RpcRevertToSelf
RpcServerUseProtseqEpW
I_RpcBindingInqLocalClientPID
RpcStringFreeW
RpcRaiseException
RpcSsContextLockExclusive
NdrServerCall2
RpcServerRegisterIf
RpcStringBindingParseW
kernel32
GetLocalTime
GetDiskFreeSpaceA
GetDateFormatW
FileTimeToSystemTime
InitializeCriticalSection
GetVersion
CreateMutexW
GetModuleHandleA
InterlockedExchange
OutputDebugStringA
GetProcessAffinityMask
SetThreadAffinityMask
ResumeThread
GetExitCodeThread
GetSystemInfo
GetLogicalDriveStringsA
GetDriveTypeA
GetVolumeInformationW
GetVolumeInformationA
GlobalMemoryStatus
lstrlenA
lstrcpyA
GetFileSize
WriteFile
SetFilePointer
ReadFile
CreateFileA
GetVersionExA
HeapAlloc
HeapFree
CompareFileTime
CreateWaitableTimerW
SetWaitableTimer
LeaveCriticalSection
FormatMessageW
GetSystemDefaultLCID
SystemTimeToFileTime
LoadLibraryExA
SetUnhandledExceptionFilter
UnhandledExceptionFilter
TerminateProcess
GetCurrentThreadId
QueryPerformanceCounter
LoadLibraryA
InterlockedCompareExchange
DelayLoadFailureHook
lstrcpynW
GetACP
MultiByteToWideChar
SetLastError
lstrlenW
LocalFree
LocalAlloc
GetProcessHeap
DisableThreadLibraryCalls
DebugBreak
Sleep
CloseHandle
CreateProcessW
GetCurrentProcessId
IsDebuggerPresent
GetVersionExW
ResetEvent
SetEvent
VerifyVersionInfoW
CreateEventW
GetLastError
ReleaseMutex
UnmapViewOfFile
MapViewOfFile
OpenFileMappingW
WaitForMultipleObjects
OpenEventW
OpenMutexW
InterlockedDecrement
CreateThread
CreateFileW
GetSystemDirectoryW
GetSystemTime
GetComputerNameA
GetSystemTimeAsFileTime
UnregisterWait
WaitForSingleObject
InterlockedIncrement
lstrcpyW
ExitThread
QueryDosDeviceW
ProcessIdToSessionId
IsBadReadPtr
IsBadWritePtr
OpenProcess
GetComputerNameW
FreeLibrary
GetProcAddress
LoadLibraryW
GetProfileStringW
GetTickCount
RegisterWaitForSingleObject
lstrcatW
lstrcmpiW
GetProfileIntW
GetWindowsDirectoryW
SetThreadPriority
GetCurrentThread
LocalSize
GetCurrentProcess
PulseEvent
GetComputerNameExW
WideCharToMultiByte
InitializeCriticalSectionAndSpinCount
EnterCriticalSection
DeleteCriticalSection
user32
GetCursorPos
wvsprintfA
BroadcastSystemMessageA
wsprintfA
GetSystemMetrics
wsprintfW
ExitWindowsEx
LoadStringW
MessageBeep
GetMessageTime
secur32
GetUserNameExW
ws2_32
inet_ntoa
gethostbyname
WSAStartup
getaddrinfo
WSAGetLastError
inet_addr
advapi32
GetSidSubAuthorityCount
GetSidSubAuthority
AccessCheckAndAuditAlarmW
AllocateAndInitializeSid
SetEntriesInAclW
InitializeSecurityDescriptor
SetSecurityDescriptorDacl
RegEnumKeyW
DeregisterEventSource
CryptAcquireContextW
CryptCreateHash
CryptImportKey
CryptVerifySignatureW
CryptDestroyKey
CryptDestroyHash
CryptReleaseContext
AddAce
GetAce
GetAclInformation
GetUserNameA
CryptHashData
RegisterServiceCtrlHandlerW
GetSidIdentifierAuthority
IsValidSid
GetTokenInformation
EqualSid
LookupAccountSidW
RegSetValueExW
CryptGenRandom
RegisterEventSourceW
ReportEventW
SetServiceBits
RegOpenKeyW
GetUserNameW
SetServiceStatus
RegOpenKeyExW
GetSecurityDescriptorDacl
LsaDelete
LsaSetSecret
LsaClose
LsaOpenSecret
LsaCreateSecret
LsaOpenPolicy
LsaFreeMemory
LsaQuerySecret
GetEventLogInformation
LsaQueryInformationPolicy
RegQueryValueExW
RegCloseKey
LogonUserW
AddAccessAllowedAce
InitializeAcl
GetLengthSid
OpenThreadToken
CheckTokenMembership
MakeSelfRelativeSD
MakeAbsoluteSD
IsValidSecurityDescriptor
ElfReportEventW
ElfRegisterEventSourceW
I_ScSendTSMessage
RegNotifyChangeKeyValue
RegCreateKeyExW
RegQueryValueExA
RegOpenKeyExA
GetCurrentHwProfileA
RegEnumKeyExA
RegEnumKeyExW
LsaStorePrivateData
LsaNtStatusToWinError
LsaRetrievePrivateData
RegDeleteValueW
OpenProcessToken
crypt32
CertCloseStore
CertCreateCertificateContext
CertOpenStore
CertDuplicateCertificateContext
CertFreeCertificateContext
CertGetIssuerCertificateFromStore
CertVerifySubjectCertificateContext
CryptExportPublicKeyInfo
CertEnumCertificatesInStore
CertFindExtension
CertVerifyCertificateChainPolicy
CertComparePublicKeyInfo
CryptDecodeObject
CryptVerifyCertificateSignature
CryptBinaryToStringW
oleaut32
VariantInit
SysFreeString
SysAllocStringLen
SafeArrayDestroy
VariantClear
SafeArrayUnaccessData
SafeArrayAccessData
SafeArrayCreate
SysAllocString
SysStringByteLen
authz
AuthzFreeResourceManager
AuthziAllocateAuditParams
AuthziInitializeAuditParamsWithRM
AuthziInitializeAuditEvent
AuthziLogAuditEvent
AuthzFreeAuditEvent
AuthziFreeAuditParams
AuthzInitializeResourceManager
AuthziInitializeAuditEventType
AuthziFreeAuditEventType
mstlsapi
ord29
ord35
ord34
ord33
ord36
ord38
ord26
ord39
ord6
ord30
ord24
ord32
ord134
ord25
ord41
ord40
ord10
ord43
ord131
ord135
ord132
ord133
Exports
ServiceMain
Sections
.text Size: 254KB - Virtual size: 253KB
IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ
.data Size: 4KB - Virtual size: 38KB
IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE
.rsrc Size: 16KB - Virtual size: 16KB
IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
.reloc Size: 13KB - Virtual size: 12KB
IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ