General
-
Target
10e9b54414655a55f9265a717ad35753_JaffaCakes118
-
Size
714KB
-
MD5
10e9b54414655a55f9265a717ad35753
-
SHA1
a08ea6aa5bf8ca5277b9d1067d74fb61b3672dd6
-
SHA256
e132d1f8f75164acdc54669f9358092511ef3e9bdeb3fe950510332ed6040a43
-
SHA512
10191df111d8b2ac0422addd16caf8885fe2601c134866c2ce8851b46a3816a96518525cdea3398b30fd7ccadeb710dbc0b8cbd29c6e0f906b72b65bcd844d44
-
SSDEEP
12288:qzUNEuRUYTKTgeUY4PpdjbEB4JL+m5XdT0YtMAzPLSbhhwaK87hhrVXLDYiK45mp:qzKEumfEeUYgQOJL+WjPLS0aK8PVXLDU
Malware Config
Signatures
-
resource yara_rule sample vmprotect -
Unsigned PE 1 IoCs
Checks for missing Authenticode signature.
resource 10e9b54414655a55f9265a717ad35753_JaffaCakes118
Files
-
10e9b54414655a55f9265a717ad35753_JaffaCakes118.sys windows:5 windows x86 arch:x86
d1c4f968d79d8b78345c7603cbef07cf
Headers
File Characteristics
IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_32BIT_MACHINE
Imports
ntoskrnl.exe
KeTickCount
KeQueryTimeIncrement
KeWaitForSingleObject
_allmul
ZwClose
IoGetCurrentProcess
ObfDereferenceObject
PsGetVersion
KeUnstackDetachProcess
KeStackAttachProcess
PsLookupProcessByProcessId
IoDeleteDevice
IoCreateSymbolicLink
IoCreateDevice
RtlAppendUnicodeToString
memcpy
wcslen
ExFreePoolWithTag
IoDeleteSymbolicLink
RtlFreeUnicodeString
KeSetEvent
RtlAnsiStringToUnicodeString
RtlInitAnsiString
_except_handler3
IofCompleteRequest
RtlAssert
ExAllocatePool
ZwQuerySystemInformation
RtlCompareString
strncpy
strlen
MmGetSystemRoutineAddress
RtlInitUnicodeString
ZwUnmapViewOfSection
ZwMapViewOfSection
ZwCreateSection
ZwCreateFile
ExAllocatePoolWithTag
strcpy
ZwReadFile
ZwQueryInformationFile
KefAcquireSpinLockAtDpcLevel
KefReleaseSpinLockFromDpcLevel
KeInitializeEvent
PsCreateSystemThread
RtlAppendUnicodeStringToString
memset
IoAllocateMdl
MmProbeAndLockPages
MmMapLockedPagesSpecifyCache
MmUnlockPages
IoFreeMdl
ExAllocatePool
ExFreePool
NtQuerySystemInformation
hal
KfLowerIrql
KfRaiseIrql
KfAcquireSpinLock
KfReleaseSpinLock
KeGetCurrentIrql
HalMakeBeep
Sections
.text Size: - Virtual size: 19KB
IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ
.rdata Size: - Virtual size: 356B
IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
.data Size: - Virtual size: 1KB
IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE
INIT Size: - Virtual size: 1KB
IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE
.vmp0 Size: - Virtual size: 974B
IMAGE_SCN_CNT_CODE
IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ
.vmp1 Size: - Virtual size: 625KB
IMAGE_SCN_CNT_CODE
IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ
.vmp2 Size: 712KB - Virtual size: 712KB
IMAGE_SCN_CNT_CODE
IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE
.reloc Size: 512B - Virtual size: 176B
IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ