11019114f08e7442917af7b03ee3bc43_JaffaCakes118

Sharing

Copy URL Twitter E-mail

General

Target

11019114f08e7442917af7b03ee3bc43_JaffaCakes118
Size

1.0MB
MD5

11019114f08e7442917af7b03ee3bc43
SHA1

c9a8a95ab4b79c674e046383f46cf1a86720d03e
SHA256

7fe27a183150eff2a02014586362f83aaa459e332dcf639b19810ff7fc558f23
SHA512

8839959876f155d94f71733a9727eb8515dcc3230abefa428ee78c581d67dce75678a2f4101cc097015ad50859b386f382913c34191c9a381885ad29ed35fc57
SSDEEP

24576:4KMu2X7ZoLUg59+dpxOW18a/b85KFuEhFW83ZsiR95EETBlD:BVEh09UxOd2Y5K3r3CW9aubD

Score

7^/10

upx

Malware Config

Signatures

ACProtect 1.3x - 1.4x DLL software 1 IoCs

Detects file using ACProtect software.

resource	yara_rule
static1/unpack001/让影子系统靠边站吧-系统安全盾SysShield V1.45-中国绿软基地专用绿色版/WebMon.dll	acprotect

UPX packed file 1 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
static1/unpack001/让影子系统靠边站吧-系统安全盾SysShield V1.45-中国绿软基地专用绿色版/WebMon.dll	upx

Unsigned PE 5 IoCs

Checks for missing Authenticode signature.

resource
unpack001/让影子系统靠边站吧-系统安全盾SysShield V1.45-中国绿软基地专用绿色版/SafeReg.sys
unpack001/让影子系统靠边站吧-系统安全盾SysShield V1.45-中国绿软基地专用绿色版/WebMon.dll
unpack002/out.upx
unpack001/让影子系统靠边站吧-系统安全盾SysShield V1.45-中国绿软基地专用绿色版/safeguard.sys
unpack001/让影子系统靠边站吧-系统安全盾SysShield V1.45-中国绿软基地专用绿色版/sysshield.exe

Files

11019114f08e7442917af7b03ee3bc43_JaffaCakes118
.rar
让影子系统靠边站吧-系统安全盾SysShield V1.45-中国绿软基地专用绿色版/Filter.dat
让影子系统靠边站吧-系统安全盾SysShield V1.45-中国绿软基地专用绿色版/SafeReg.sys
.sys windows:4 windows x86 arch:x86

bc934f36a431da14e128499649300c77

Headers

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LINE_NUMS_STRIPPED
IMAGE_FILE_LOCAL_SYMS_STRIPPED
IMAGE_FILE_32BIT_MACHINE

Imports

ntoskrnl.exe

KeServiceDescriptorTable
IoDeleteDevice
IoDeleteSymbolicLink
RtlInitUnicodeString
IoCreateSymbolicLink
KeInitializeMutex
IoCreateDevice
ExFreePool
RtlQueryRegistryValues
memmove
ExAllocatePoolWithTag
KeReleaseMutex
KeWaitForSingleObject
IofCompleteRequest
ZwSetValueKey
ZwCreateKey
RtlFreeAnsiString
RtlUnicodeStringToAnsiString
RtlInitAnsiString
strstr
RtlCheckRegistryKey
RtlAnsiStringToUnicodeString
sprintf
strncat
ObReferenceObjectByHandle
ObQueryNameString
ObfDereferenceObject
_except_handler3
strncmp
IoGetCurrentProcess
PsGetCurrentProcessId

Sections

.text
Size: 8KB - Virtual size: 8KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.data
Size: 96B - Virtual size: 92B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

INIT
Size: 832B - Virtual size: 810B

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.reloc
Size: 640B - Virtual size: 616B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ
让影子系统靠边站吧-系统安全盾SysShield V1.45-中国绿软基地专用绿色版/SafeRegs.sys
让影子系统靠边站吧-系统安全盾SysShield V1.45-中国绿软基地专用绿色版/WebMon.dll
.dll windows:4 windows x86 arch:x86

Headers

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LINE_NUMS_STRIPPED
IMAGE_FILE_LOCAL_SYMS_STRIPPED
IMAGE_FILE_BYTES_REVERSED_LO
IMAGE_FILE_32BIT_MACHINE
IMAGE_FILE_DLL
IMAGE_FILE_BYTES_REVERSED_HI

Exports

Exports

ControlHook

Sections

UPX0
Size: - Virtual size: 248KB

IMAGE_SCN_CNT_UNINITIALIZED_DATA
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

UPX1
Size: 148KB - Virtual size: 152KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.rsrc
Size: 4KB - Virtual size: 4KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE
out.upx
.dll windows:4 windows x86 arch:x86

Headers

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LINE_NUMS_STRIPPED
IMAGE_FILE_LOCAL_SYMS_STRIPPED
IMAGE_FILE_BYTES_REVERSED_LO
IMAGE_FILE_32BIT_MACHINE
IMAGE_FILE_DLL
IMAGE_FILE_BYTES_REVERSED_HI

Sections

CODE
Size: 306KB - Virtual size: 306KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

DATA
Size: 4KB - Virtual size: 3KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

BSS
Size: - Virtual size: 3KB

IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.idata
Size: 8KB - Virtual size: 8KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.edata
Size: 512B - Virtual size: 73B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.reloc
Size: 20KB - Virtual size: 20KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.rsrc
Size: 13KB - Virtual size: 13KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
让影子系统靠边站吧-系统安全盾SysShield V1.45-中国绿软基地专用绿色版/inreg.dat
让影子系统靠边站吧-系统安全盾SysShield V1.45-中国绿软基地专用绿色版/readme.chm
.chm
让影子系统靠边站吧-系统安全盾SysShield V1.45-中国绿软基地专用绿色版/safeguard.sys
.sys windows:4 windows x86 arch:x86

733e537886fc3845a6763d07a8c33cd3

Headers

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LINE_NUMS_STRIPPED
IMAGE_FILE_LOCAL_SYMS_STRIPPED
IMAGE_FILE_32BIT_MACHINE

Imports

ntoskrnl.exe

InterlockedExchange
IoDeleteSymbolicLink
IoCompleteRequest
ExAllocatePoolWithQuota
ExAllocatePool
IoCreateDevice
ExAllocatePoolWithTag
KeWaitForSingleObject
IoCreateSymbolicLink
ZwOpenProcess
ExFreePool
IoDeleteDevice
ProbeForRead
RtlInitUnicodeString
KeInitializeMutex
KeServiceDescriptorTable
KeReleaseMutex
DbgPrint

Sections

.text
Size: 2KB - Virtual size: 2KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rdata
Size: 96B - Virtual size: 76B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.data
Size: 64B - Virtual size: 40B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

_INIT_
Size: 32B - Virtual size: 30B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

_EXIT_
Size: 32B - Virtual size: 30B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

INIT
Size: 512B - Virtual size: 496B

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.reloc
Size: 224B - Virtual size: 202B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ
让影子系统靠边站吧-系统安全盾SysShield V1.45-中国绿软基地专用绿色版/sysshield.exe
.exe windows:4 windows x86 arch:x86

Headers

File Characteristics

IMAGE_FILE_RELOCS_STRIPPED
IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LINE_NUMS_STRIPPED
IMAGE_FILE_LOCAL_SYMS_STRIPPED
IMAGE_FILE_BYTES_REVERSED_LO
IMAGE_FILE_32BIT_MACHINE
IMAGE_FILE_BYTES_REVERSED_HI

Sections

CODE
Size: 750KB - Virtual size: 749KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

DATA
Size: 7KB - Virtual size: 6KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

BSS
Size: - Virtual size: 3KB

IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.idata
Size: 11KB - Virtual size: 11KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.tls
Size: - Virtual size: 16B

IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.rdata
Size: 512B - Virtual size: 24B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.reloc
Size: 50KB - Virtual size: 49KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.rsrc
Size: 56KB - Virtual size: 56KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
让影子系统靠边站吧-系统安全盾SysShield V1.45-中国绿软基地专用绿色版/tmp.reg
让影子系统靠边站吧-系统安全盾SysShield V1.45-中国绿软基地专用绿色版/yourset.ini
让影子系统靠边站吧-系统安全盾SysShield V1.45-中国绿软基地专用绿色版/使用说明.txt
让影子系统靠边站吧-系统安全盾SysShield V1.45-中国绿软基地专用绿色版/安全盾使用说明.txt
让影子系统靠边站吧-系统安全盾SysShield V1.45-中国绿软基地专用绿色版/绿化说明.txt

Sharing

General

Malware Config

Signatures

Files

bc934f36a431da14e128499649300c77

Headers

File Characteristics

Imports

ntoskrnl.exe

Sections

.text Size: 8KB - Virtual size: 8KB

.data Size: 96B - Virtual size: 92B

INIT Size: 832B - Virtual size: 810B

.reloc Size: 640B - Virtual size: 616B

Headers

File Characteristics

Exports

Exports

Sections

UPX0 Size: - Virtual size: 248KB

UPX1 Size: 148KB - Virtual size: 152KB

.rsrc Size: 4KB - Virtual size: 4KB

Headers

File Characteristics

Sections

CODE Size: 306KB - Virtual size: 306KB

DATA Size: 4KB - Virtual size: 3KB

BSS Size: - Virtual size: 3KB

.idata Size: 8KB - Virtual size: 8KB

.edata Size: 512B - Virtual size: 73B

.reloc Size: 20KB - Virtual size: 20KB

.rsrc Size: 13KB - Virtual size: 13KB

733e537886fc3845a6763d07a8c33cd3

Headers

File Characteristics

Imports

ntoskrnl.exe

Sections

.text Size: 2KB - Virtual size: 2KB

.rdata Size: 96B - Virtual size: 76B

.data Size: 64B - Virtual size: 40B

_INIT_ Size: 32B - Virtual size: 30B

_EXIT_ Size: 32B - Virtual size: 30B

INIT Size: 512B - Virtual size: 496B

.reloc Size: 224B - Virtual size: 202B

Headers

File Characteristics

Sections

CODE Size: 750KB - Virtual size: 749KB

DATA Size: 7KB - Virtual size: 6KB

BSS Size: - Virtual size: 3KB

.idata Size: 11KB - Virtual size: 11KB

.tls Size: - Virtual size: 16B

.rdata Size: 512B - Virtual size: 24B

.reloc Size: 50KB - Virtual size: 49KB

.rsrc Size: 56KB - Virtual size: 56KB

.text
Size: 8KB - Virtual size: 8KB

.data
Size: 96B - Virtual size: 92B

INIT
Size: 832B - Virtual size: 810B

.reloc
Size: 640B - Virtual size: 616B

UPX0
Size: - Virtual size: 248KB

UPX1
Size: 148KB - Virtual size: 152KB

.rsrc
Size: 4KB - Virtual size: 4KB

CODE
Size: 306KB - Virtual size: 306KB

DATA
Size: 4KB - Virtual size: 3KB

BSS
Size: - Virtual size: 3KB

.idata
Size: 8KB - Virtual size: 8KB

.edata
Size: 512B - Virtual size: 73B

.reloc
Size: 20KB - Virtual size: 20KB

.rsrc
Size: 13KB - Virtual size: 13KB

.text
Size: 2KB - Virtual size: 2KB

.rdata
Size: 96B - Virtual size: 76B

.data
Size: 64B - Virtual size: 40B

_INIT_
Size: 32B - Virtual size: 30B

_EXIT_
Size: 32B - Virtual size: 30B

INIT
Size: 512B - Virtual size: 496B

.reloc
Size: 224B - Virtual size: 202B

CODE
Size: 750KB - Virtual size: 749KB

DATA
Size: 7KB - Virtual size: 6KB

BSS
Size: - Virtual size: 3KB

.idata
Size: 11KB - Virtual size: 11KB

.tls
Size: - Virtual size: 16B

.rdata
Size: 512B - Virtual size: 24B

.reloc
Size: 50KB - Virtual size: 49KB

.rsrc
Size: 56KB - Virtual size: 56KB