0eefa6e0172fd3e5fe656ed1afda14f5_JaffaCakes118

Sharing

Copy URL Twitter E-mail

General

Target

0eefa6e0172fd3e5fe656ed1afda14f5_JaffaCakes118
Size

1014KB
MD5

0eefa6e0172fd3e5fe656ed1afda14f5
SHA1

9a9403d71f15e674b3239c22a2c863924da9824f
SHA256

a6265dd1e3e14bd7c3dd23468d76cf6c1d2cf3ce1e458c9da2cfca107a5e64c3
SHA512

083c081ae921e1cb4139bd66945cb7df0c180d6588eff702bdd5c98b9b81a6177d314f652beeb05221b38bc4825bfbf01eb8c1e94db2c86af7f407653214b3a2
SSDEEP

24576:dhv9mcBpsf3AA8f7SLVy5W4MWgYFeYQSVvhyk/Hbb:dmtvpLGWqgqISVZyQHbb

Score

4^/10

pdf link

Malware Config

Signatures

HTTP links in PDF interactive object 1 IoCs

Detects HTTP links in interactive objects within PDF files.

pdf link

resource	yara_rule
static1/unpack001/Easy unpacking/Unpack pecompact 2.xx and serial bypass by XOR06.pdf	pdf_with_link_action

One or more HTTP URLs in PDF identified
Detects presence of HTTP links in PDF files.
pdf link

Unsigned PE 2 IoCs

Checks for missing Authenticode signature.

resource
unpack001/Easy unpacking/ODbgScript.dll
unpack001/Easy unpacking/OllyDump.dll

Files

0eefa6e0172fd3e5fe656ed1afda14f5_JaffaCakes118
.rar
Easy unpacking/ODbgScript.dll
.dll windows:5 windows x86 arch:x86

9dc65eadff077816f7e7fca07fceda80

Headers

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_32BIT_MACHINE
IMAGE_FILE_DLL

Imports

ollydbg.exe

ord27
ord160
ord170
ord45
ord144
ord75
ord61
ord42
ord44
ord142
ord128
ord129
ord19
ord23
ord175
ord149
ord24
ord165
ord77
ord127
ord169
ord25
ord117
ord5
ord32
ord174
ord48
ord13
ord31
ord4
ord161
ord124
ord39
ord102
ord141
ord109
ord106
ord10
ord3
ord157
ord33
ord186
ord60
ord11
ord131
ord78
ord74
ord1
ord79
ord89
ord107
ord87
ord113
ord114
ord46
ord28
ord73
ord71
ord92
ord2
ord12
ord100
ord65
ord105
ord104
ord93
ord108
ord88
ord101
ord53
ord172
ord90

kernel32

HeapAlloc
QueryPerformanceCounter
GetCurrentProcess
SetFilePointer
GetFileSize
CreateFileA
GetTickCount
FormatMessageA
WriteFile
HeapCreate
ReadFile
GetLastError
GetProcAddress
GetModuleFileNameA
GetModuleHandleA
LoadLibraryExA
QueryPerformanceFrequency
CloseHandle
LocalFree
GetFullPathNameA
IsBadCodePtr
GetThreadContext
lstrlenA
lstrcpynA
LocalAlloc
RtlUnwind
InterlockedExchange
Sleep
InterlockedCompareExchange
TerminateProcess
UnhandledExceptionFilter
SetUnhandledExceptionFilter
GetVersion
GetSystemTimeAsFileTime
WriteProcessMemory
GetCurrentProcessId
GetCurrentThreadId
VirtualAllocEx
VirtualFreeEx
GetCurrentThread
FreeLibrary
HeapFree

user32

GetClassNameA
SetDlgItemTextA
DestroyWindow
GetWindowRect
CreateMenu
PostMessageA
DialogBoxParamA
GetKeyState
SetForegroundWindow
LoadIconA
SetFocus
SendMessageA
InvalidateRect
GetDlgItem
EndDialog
SetWindowPos
CreatePopupMenu
DefMDIChildProcA
DestroyMenu
GetParent
FindWindowExA
ChildWindowFromPoint
MessageBoxA
GetDesktopWindow
AppendMenuA
IsWindowVisible
EnumThreadWindows
GetDlgItemTextA

shlwapi

StrCmpNIA
PathFileExistsA

comdlg32

GetOpenFileNameA

shell32

ShellExecuteA

mfc42

ord1168
ord826
ord269
ord1116
ord1176
ord1575
ord1577
ord1182
ord342
ord1243
ord1197
ord1570
ord1253
ord1255
ord6467
ord1578
ord600
ord825
ord823

msvcp60

?substr@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBE?AV12@II@Z
?find_last_not_of@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEIPBDI@Z
?find_first_not_of@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEIPBDI@Z
?find@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEIDI@Z
?find@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEIPBDI@Z
?resize@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEXI@Z
??A?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAADI@Z
?at@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAADI@Z
?end@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEPADXZ
?begin@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEPADXZ
?erase@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV12@II@Z
?insert@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV12@IPBD@Z
?assign@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV12@PBD@Z
??4?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV01@PBD@Z
??4?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV01@ABV01@@Z
??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ
??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDABV?$allocator@D@1@@Z
??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV01@@Z
??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV?$allocator@D@1@@Z
?endl@std@@YAAAV?$basic_ostream@DU?$char_traits@D@std@@@1@AAV21@@Z
??0out_of_range@std@@QAE@ABV01@@Z
?rfind@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEIPBDII@Z
??0out_of_range@std@@QAE@ABV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@1@@Z
??0logic_error@std@@QAE@ABV01@@Z
?compare@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEHPBD@Z
?find_first_of@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEIPBDI@Z
?find@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEIABV12@I@Z
?append@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV12@PBD@Z
??Y?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV01@PBD@Z
?cerr@std@@3V?$basic_ostream@DU?$char_traits@D@std@@@1@A
??1_Lockit@std@@QAE@XZ
??0_Lockit@std@@QAE@XZ
?close@?$basic_ofstream@DU?$char_traits@D@std@@@std@@QAEXXZ
??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QAEAAV01@P6AAAV01@AAV01@@Z@Z
??0?$basic_ofstream@DU?$char_traits@D@std@@@std@@QAE@XZ
?close@?$basic_ifstream@DU?$char_traits@D@std@@@std@@QAEXXZ
?open@?$basic_ifstream@DU?$char_traits@D@std@@@std@@QAEXPBDH@Z
??0?$basic_ifstream@DU?$char_traits@D@std@@@std@@QAE@PBDH@Z
??0?$basic_ifstream@DU?$char_traits@D@std@@@std@@QAE@XZ
?read@?$basic_istream@DU?$char_traits@D@std@@@std@@QAEAAV12@PADH@Z
?compare@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEHABV12@@Z
?find_first_of@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEIABV12@I@Z
?replace@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV12@IIPBD@Z
?assign@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV12@PBDI@Z
?append@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV12@ABV12@@Z
??Y?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV01@D@Z
??Y?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV01@ABV01@@Z
??4?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV01@D@Z
??_D?$basic_ofstream@DU?$char_traits@D@std@@@std@@QAEXXZ
??_F?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEXXZ
??_D?$basic_ifstream@DU?$char_traits@D@std@@@std@@QAEXXZ
??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z
??6std@@YAAAV?$basic_ostream@DU?$char_traits@D@std@@@0@AAV10@ABV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@@Z
??6std@@YAAAV?$basic_ostream@DU?$char_traits@D@std@@@0@AAV10@D@Z
??6std@@YAAAV?$basic_ostream@DU?$char_traits@D@std@@@0@AAV10@PBD@Z
??9std@@YA_NABV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@PBD@Z
??Mstd@@YA_NABV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@0@Z
??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@PBD@Z
??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@PBDABV10@@Z
??8std@@YA_NABV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@PBD@Z
?_C@?1??_Nullstr@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@CAPBDXZ@4DB
??0Init@ios_base@std@@QAE@XZ
??1Init@ios_base@std@@QAE@XZ
?npos@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@2IB
?cout@std@@3V?$basic_ostream@DU?$char_traits@D@std@@@1@A
??0_Winit@std@@QAE@XZ
??1_Winit@std@@QAE@XZ
?open@?$basic_ofstream@DU?$char_traits@D@std@@@std@@QAEXPBDH@Z
??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QAEAAV01@H@Z
??1out_of_range@std@@UAE@XZ
?getline@std@@YAAAV?$basic_istream@DU?$char_traits@D@std@@@1@AAV21@AAV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@1@@Z

msvcrt

strtoul
strncat
strncmp
ceil
strstr
_stricmp
_itoa
wcsncpy
strtok
fopen
_ultoa
toupper
realloc
_splitpath
??0exception@@QAE@XZ
?what@exception@@UBEPBDXZ
??1exception@@UAE@XZ
_CxxThrowException
_callnewh
memset
memcpy
__lconv_init
_unlock
__dllonexit
_lock
_onexit
??1type_info@@UAE@XZ
_XcptFilter
_initterm
_amsg_exit
??0exception@@QAE@ABV0@@Z
strncpy
tolower
strchr
malloc
free
sscanf
sprintf
_strupr
__CxxFrameHandler
strrchr

Exports

Exports

DebugScript
ExecuteScript
_ODBG_Pausedex
_ODBG_Pluginaction
_ODBG_Pluginclose
_ODBG_Plugincmd
_ODBG_Plugindata
_ODBG_Plugindestroy
_ODBG_Plugininit
_ODBG_Pluginmainloop
_ODBG_Pluginmenu
_ODBG_Pluginreset
_ODBG_Pluginshortcut

Sections

.text
Size: 183KB - Virtual size: 182KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rdata
Size: 17KB - Virtual size: 16KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.data
Size: 1KB - Virtual size: 135KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.rsrc
Size: 13KB - Virtual size: 12KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.reloc
Size: 17KB - Virtual size: 16KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ
Easy unpacking/OllyDump.dll
.dll windows:4 windows x86 arch:x86

5a3ef0fd287f0ec4556b6cfd980bb4f8

Headers

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LINE_NUMS_STRIPPED
IMAGE_FILE_LOCAL_SYMS_STRIPPED
IMAGE_FILE_32BIT_MACHINE
IMAGE_FILE_DLL

Imports

ollydbg.exe

_Addtolist
_Deleteruntrace
_Disasm
_Findmemory
_Findmodule
_Findthread
_Getcputhreadid
_Getstatus
_Plugingetvalue
_Readmemory
_Sendshortcut
_Setcpu
_Settracecondition
_Startruntrace
_Updatelist

comdlg32

GetSaveFileNameA

kernel32

CloseHandle
CreateFileA
ExitProcess
FreeEnvironmentStringsA
GetACP
GetCPInfo
GetCurrentThreadId
GetEnvironmentStrings
GetFileSize
GetFileType
GetLastError
GetLocalTime
GetModuleFileNameA
GetModuleHandleA
GetOEMCP
GetPrivateProfileIntA
GetPrivateProfileStringA
GetProcAddress
GetProcessHeap
GetStartupInfoA
GetStdHandle
GetStringTypeW
GetVersion
GetVersionExA
GlobalAlloc
GlobalFree
GlobalMemoryStatus
HeapAlloc
HeapCreate
HeapFree
HeapReAlloc
IsBadStringPtrA
LCMapStringA
LoadLibraryA
RaiseException
ReadFile
RtlUnwind
SetConsoleCtrlHandler
SetFilePointer
SetHandleCount
Sleep
TlsAlloc
TlsFree
TlsGetValue
TlsSetValue
UnhandledExceptionFilter
VirtualAlloc
VirtualFree
WriteFile
WritePrivateProfileStringA

user32

CallWindowProcA
ClientToScreen
DestroyMenu
DialogBoxParamA
EndDialog
EnumThreadWindows
GetDlgItem
GetDlgItemInt
GetDlgItemTextA
GetSubMenu
GetSystemMetrics
GetWindowRect
GetWindowTextLengthA
IsDlgButtonChecked
LoadMenuA
MessageBoxA
MoveWindow
SendMessageA
SetDlgItemInt
SetDlgItemTextA
SetWindowLongA
SetWindowTextA
TrackPopupMenu
UpdateWindow
wsprintfA

Exports

Exports

_ODBG_Pluginaction
_ODBG_Pluginclose
_ODBG_Plugindata
_ODBG_Plugindestroy
_ODBG_Plugininit
_ODBG_Pluginmainloop
_ODBG_Pluginmenu
_ODBG_Pluginreset
___CPPdebugHook

Sections

.text
Size: 50KB - Virtual size: 52KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.data
Size: 14KB - Virtual size: 488KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.tls
Size: 512B - Virtual size: 4KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.idata
Size: 2KB - Virtual size: 4KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.edata
Size: 512B - Virtual size: 4KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.rsrc
Size: 5KB - Virtual size: 8KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.reloc
Size: 3KB - Virtual size: 4KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
Easy unpacking/PeCompact 2.xx - 3.xx OEP Finder.txt
Easy unpacking/Unpack pecompact 2.xx and serial bypass by XOR06.pdf
.pdf
- http://www.icopybot.com/plisteditor_setup.exe
- http://www.icopybot.com/plisteditor_setup.exeen-US
- http://www.thelegendofrandom.com/forum/index.php
- http://www.thelegendofrandom.com/forum/index.phpen-US

Sharing

General

Malware Config

Signatures

Files

9dc65eadff077816f7e7fca07fceda80

Headers

File Characteristics

Imports

ollydbg.exe

kernel32

user32

shlwapi

comdlg32

shell32

mfc42

msvcp60

msvcrt

Exports

Exports

Sections

.text Size: 183KB - Virtual size: 182KB

.rdata Size: 17KB - Virtual size: 16KB

.data Size: 1KB - Virtual size: 135KB

.rsrc Size: 13KB - Virtual size: 12KB

.reloc Size: 17KB - Virtual size: 16KB

5a3ef0fd287f0ec4556b6cfd980bb4f8

Headers

File Characteristics

Imports

ollydbg.exe

comdlg32

kernel32

user32

Exports

Exports

Sections

.text Size: 50KB - Virtual size: 52KB

.data Size: 14KB - Virtual size: 488KB

.tls Size: 512B - Virtual size: 4KB

.idata Size: 2KB - Virtual size: 4KB

.edata Size: 512B - Virtual size: 4KB

.rsrc Size: 5KB - Virtual size: 8KB

.reloc Size: 3KB - Virtual size: 4KB

.text
Size: 183KB - Virtual size: 182KB

.rdata
Size: 17KB - Virtual size: 16KB

.data
Size: 1KB - Virtual size: 135KB

.rsrc
Size: 13KB - Virtual size: 12KB

.reloc
Size: 17KB - Virtual size: 16KB

.text
Size: 50KB - Virtual size: 52KB

.data
Size: 14KB - Virtual size: 488KB

.tls
Size: 512B - Virtual size: 4KB

.idata
Size: 2KB - Virtual size: 4KB

.edata
Size: 512B - Virtual size: 4KB

.rsrc
Size: 5KB - Virtual size: 8KB

.reloc
Size: 3KB - Virtual size: 4KB