127e2bb781d84edd891a7ff5f414df86_JaffaCakes118

Sharing

Copy URL

Twitter E-mail

General

Target

127e2bb781d84edd891a7ff5f414df86_JaffaCakes118
Size

1.2MB
MD5

127e2bb781d84edd891a7ff5f414df86
SHA1

fe6c2018df3eab63327a335048f06894b3a3bcb5
SHA256

1b7945be88f406bb1be5dd5370f6e077f04c291fe350901a0fd3338564e10b78
SHA512

0d08371020d4d401d006201b07aebba5ad3ef5d4ee124ee02fb64168c82e04fad20738e14c247d7e3639e2ce30df995463b6c006dff5cb33c606aa83333e0438
SSDEEP

24576:YVH/Umpvgs1tOhiHYk/6ZZYp94sz96puExlB5icI0IYaKD9pDQtA6IHzMCePoI:YV/XnUiH//6ZZYI3n7icI0IYvXQtA6y8

Score

3^/10

Malware Config

Signatures

Unsigned PE 1 IoCs

Checks for missing Authenticode signature.

resource
unpack001/QZoneClone.exe

Files

127e2bb781d84edd891a7ff5f414df86_JaffaCakes118
.rar
QZoneClone.dll
.dll regsvr32 windows:5 windows x86 arch:x86

dc842513ed3f1d9f5ff98812a2ae69fb

Code Sign

79:a2:a5:85:f9:d1:15:42:13:d9:b8:3e:f6:b6:8d:ed
Certificate

Issuer

CN=VeriSign Time Stamping Services CA,O=VeriSign\, Inc.,C=US

Not Before

01-05-2012 00:00

Not After

31-12-2012 23:59

Subject

CN=Symantec Time Stamping Services Signer - G3,O=Symantec Corporation,C=US

Extended Key Usages

ExtKeyUsageTimeStamping

Key Usages

KeyUsageDigitalSignature

47:bf:19:95:df:8d:52:46:43:f7:db:6d:48:0d:31:a4
Certificate

Issuer

CN=Thawte Timestamping CA,OU=Thawte Certification,O=Thawte,L=Durbanville,ST=Western Cape,C=ZA

Not Before

04-12-2003 00:00

Not After

03-12-2013 23:59

Subject

CN=VeriSign Time Stamping Services CA,O=VeriSign\, Inc.,C=US

Extended Key Usages

ExtKeyUsageTimeStamping

Key Usages

KeyUsageCertSign
KeyUsageCRLSign

25:b8:e3:5b:53:60:1a:f5:36:c5:c4:f8:ec:98:28:cf
Certificate

Issuer

CN=VeriSign Class 3 Code Signing 2010 CA,OU=VeriSign Trust Network+OU=Terms of use at https://www.verisign.com/rpa (c)10,O=VeriSign\, Inc.,C=US

Not Before

23-05-2012 00:00

Not After

23-05-2013 23:59

Subject

CN=Elf Network Co.\,Ltd,OU=Digital ID Class 3 - Microsoft Software Validation v2+OU=QQAPP,O=Elf Network Co.\,Ltd,L=TianMen,ST=HUBEI,C=CN

Extended Key Usages

ExtKeyUsageCodeSigning

Key Usages

KeyUsageDigitalSignature

52:00:e5:aa:25:56:fc:1a:86:ed:96:c9:d4:4b:33:c7
Certificate

Issuer

CN=VeriSign Class 3 Public Primary Certification Authority - G5,OU=VeriSign Trust Network+OU=(c) 2006 VeriSign\, Inc. - For authorized use only,O=VeriSign\, Inc.,C=US

Not Before

08-02-2010 00:00

Not After

07-02-2020 23:59

Subject

CN=VeriSign Class 3 Code Signing 2010 CA,OU=VeriSign Trust Network+OU=Terms of use at https://www.verisign.com/rpa (c)10,O=VeriSign\, Inc.,C=US

Extended Key Usages

ExtKeyUsageClientAuth
ExtKeyUsageCodeSigning

Key Usages

KeyUsageCertSign
KeyUsageCRLSign

6a:42:d0:66:12:f5:77:a0:ef:29:a4:98:d6:f4:6a:66:02:b4:d2:2c
Signer

Actual PE Digest

6a:42:d0:66:12:f5:77:a0:ef:29:a4:98:d6:f4:6a:66:02:b4:d2:2c

Digest Algorithm

sha1

PE Digest Matches

true

Headers

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_32BIT_MACHINE
IMAGE_FILE_DLL

Imports

kernel32

GetTempPathW
GetPrivateProfileIntW
WriteFile
InterlockedExchange
GetExitCodeThread
ResetEvent
CreateDirectoryW
lstrcmpW
MulDiv
MapViewOfFile
OpenFileMappingA
OutputDebugStringW
ResumeThread
TerminateThread
FindClose
FindNextFileW
FindFirstFileW
GetTempFileNameA
GetTempPathA
GetPrivateProfileIntA
GetPrivateProfileStringA
DeleteFileA
CopyFileA
CopyFileW
SystemTimeToTzSpecificLocalTime
FileTimeToSystemTime
UnmapViewOfFile
UnlockFileEx
UnlockFile
SystemTimeToFileTime
SetFilePointer
SetEndOfFile
QueryPerformanceCounter
LockFileEx
LockFile
LocalFree
LoadLibraryA
HeapValidate
HeapSize
HeapReAlloc
HeapFree
HeapDestroy
HeapCreate
HeapAlloc
GetVersionExA
GetSystemTimeAsFileTime
GetSystemTime
GetSystemInfo
GetFullPathNameW
GetFullPathNameA
GetFileAttributesExW
GetFileAttributesW
GetFileAttributesA
GetDiskFreeSpaceW
GetDiskFreeSpaceA
GetCurrentProcessId
FormatMessageW
FormatMessageA
FlushFileBuffers
CreateFileMappingW
CreateFileA
AreFileApisANSI
InterlockedCompareExchange
MoveFileA
SetCurrentDirectoryW
CreatePipe
GetTempFileNameW
GetExitCodeProcess
QueryPerformanceFrequency
OutputDebugStringA
SetEnvironmentVariableA
CompareStringW
CompareStringA
SetStdHandle
WriteConsoleW
GetConsoleOutputCP
WriteConsoleA
GetLocaleInfoW
InitializeCriticalSectionAndSpinCount
IsValidLocale
EnumSystemLocalesA
GetLocaleInfoA
GetEnvironmentStringsW
FreeEnvironmentStringsW
GetEnvironmentStrings
FreeEnvironmentStringsA
GetStartupInfoA
GetFileType
SetHandleCount
GetTimeZoneInformation
GetDateFormatA
GetTimeFormatA
GetConsoleMode
GetConsoleCP
GetStringTypeW
GetStringTypeA
GetStdHandle
ExitProcess
TlsFree
TlsSetValue
TlsAlloc
TlsGetValue
IsValidCodePage
GetOEMCP
GetACP
GetCPInfo
GetCommandLineA
ExitThread
IsDebuggerPresent
SetUnhandledExceptionFilter
UnhandledExceptionFilter
TerminateProcess
RtlUnwind
LCMapStringW
LCMapStringA
GetStringTypeExW
GetStringTypeExA
GetUserDefaultLCID
VirtualAlloc
VirtualFree
IsProcessorFeaturePresent
GetProcessHeap
GetModuleHandleA
VirtualProtect
IsBadReadPtr
GetModuleFileNameA
lstrcpyA
GetSystemWindowsDirectoryW
DeviceIoControl
lstrcatA
GetVersionExW
CreateEventW
Sleep
GetPrivateProfileStringW
CreateThread
WaitForSingleObject
LoadLibraryExW
DisableThreadLibraryCalls
GetModuleFileNameW
lstrcmpiW
OpenEventW
SetEvent
GetTickCount
DeleteFileW
GlobalAlloc
GlobalLock
GlobalUnlock
CreateFileW
GetFileSize
ReadFile
CreateMutexW
lstrlenW
FreeResource
SetLastError
ReleaseMutex
GetCurrentThreadId
lstrlenA
GetVersion
CloseHandle
InterlockedDecrement
InterlockedIncrement
IsBadWritePtr
GetModuleHandleW
LoadLibraryW
GetProcAddress
FreeLibrary
WideCharToMultiByte
DeleteCriticalSection
InitializeCriticalSection
MultiByteToWideChar
GetCurrentProcess
SizeofResource
FlushInstructionCache
LeaveCriticalSection
EnterCriticalSection
GetLastError
RaiseException
FindResourceExW
FindResourceW
LoadResource
LockResource
CreateProcessA

user32

SendMessageW
MoveWindow
GetWindowRect
CallWindowProcA
SetWindowLongA
GetWindowLongW
GetPropW
GetWindowTextA
UnregisterClassA
LoadStringA
LoadStringW
CreateWindowExW
IsWindowUnicode
wsprintfW
SetWindowLongW
PeekMessageW
GetWindowDC
EnableWindow
GetActiveWindow
wsprintfA
GetSysColor
ScreenToClient
InvalidateRgn
RedrawWindow
IsChild
GetClassNameW
FillRect
DestroyAcceleratorTable
CreateAcceleratorTableW
DefWindowProcA
GetMessageW
TranslateMessage
GetClientRect
InvalidateRect
ShowWindow
IsWindow
SetWindowPos
MapWindowPoints
GetMonitorInfoW
MonitorFromWindow
GetWindow
GetParent
GetClassInfoExW
LoadCursorW
CopyRect
SetRect
InflateRect
GetDlgItem
RegisterWindowMessageW
GetClassNameA
EnumChildWindows
IsWindowVisible
DestroyWindow
DefWindowProcW
ReleaseDC
GetDC
RegisterClassExW
SetTimer
KillTimer
CallWindowProcW
SetWindowTextW
GetWindowTextLengthW
IsWindowEnabled
SetCursor
DrawTextW
PostMessageW
GetFocus
GetKeyState
BeginPaint
EndPaint
LoadBitmapW
LoadImageW
PtInRect
GetDesktopWindow
DestroyIcon
EqualRect
GetDlgCtrlID
DrawFrameControl
LoadIconW
DrawIconEx
OffsetRect
FrameRect
FindWindowExW
RemovePropW
SetPropW
SetCapture
ReleaseCapture
GetWindowTextW
ClientToScreen
SetWindowRgn
SetActiveWindow
PostQuitMessage
DispatchMessageW
PostThreadMessageW
MessageBoxW
CharNextW
SetFocus
GetSystemMetrics
SetForegroundWindow

gdi32

SetTextColor
CreateCompatibleDC
CreateDIBSection
BitBlt
DeleteDC
GetStockObject
GetObjectW
CreateFontIndirectW
CreateRectRgn
CreatePen
SetBkColor
StretchBlt
Rectangle
SelectClipRgn
SelectObject
RestoreDC
SaveDC
DeleteObject
SetRectRgn
OffsetRgn
GetDeviceCaps
EnumFontFamiliesW
CreateBitmap
CreateCompatibleBitmap
RectInRegion
RoundRect
CreateRectRgnIndirect
GetClipRgn
MoveToEx
LineTo
TextOutW
GetTextExtentPoint32W
CreateSolidBrush
ExtTextOutW
CombineRgn
SetBkMode

advapi32

RegQueryValueExW
RegDeleteKeyW
RegEnumKeyExW
RegQueryInfoKeyW
RegSetValueExW
RegOpenKeyExW
RegCreateKeyExW
RegCloseKey
RegDeleteValueW
RegOpenKeyExA

shell32

SHGetFileInfoA
ShellExecuteW
ShellExecuteA
SHGetFolderPathW

ole32

CoInitialize
OleUninitialize
OleInitialize
CoMarshalInterThreadInterfaceInStream
CoInitializeEx
CoGetInterfaceAndReleaseStream
CoUninitialize
CLSIDFromString
CLSIDFromProgID
CoGetClassObject
OleLockRunning
StringFromGUID2
CoCreateInstance
CoTaskMemFree
CreateStreamOnHGlobal
CoTaskMemRealloc
CoTaskMemAlloc

oleaut32

SysFreeString
VariantClear
SysAllocString
SysStringLen
LoadTypeLi
UnRegisterTypeLi
RegisterTypeLi
VarUI4FromStr
LoadRegTypeLi
DispCallFunc
OleCreateFontIndirect
SafeArrayCreate
SafeArrayPutElement
SafeArrayDestroy
VarBstrCmp
VariantInit
SysAllocStringLen

shlwapi

StrToIntA
PathFileExistsW
StrToIntW
PathFileExistsA
PathRemoveFileSpecW
SHSetValueW
SHGetValueW
SHGetValueA
SHSetValueA

comctl32

_TrackMouseEvent

gdiplus

GdipImageSelectActiveFrame
GdipGetImageEncoders
GdipGetImageEncodersSize
GdipGetPropertyItem
GdipGetPropertyItemSize
GdipImageGetFrameCount
GdipFree
GdipImageGetFrameDimensionsCount
GdipSaveImageToFile
GdipLoadImageFromFileICM
GdipLoadImageFromFile
GdipDrawImageI
GdiplusShutdown
GdiplusStartup
GdipCloneImage
GdipDrawImageRectRectI
GdipDrawImageRectI
GdipCreateFromHDC
GdipGetImageHeight
GdipGetImageWidth
GdipDisposeImage
GdipLoadImageFromStreamICM
GdipLoadImageFromStream
GdipDeleteGraphics
GdipAlloc
GdipImageGetFrameDimensionsList

ws2_32

__WSAFDIsSet
select
setsockopt
shutdown
WSAGetLastError
WSAStartup
gethostbyname
socket
htons
connect
closesocket
send
recv
WSACleanup

urlmon

URLDownloadToFileA

wininet

InternetSetOptionW
InternetGetCookieW
InternetSetCookieW
HttpSendRequestA
InternetOpenUrlW
InternetAttemptConnect
InternetCheckConnectionW
InternetOpenW
InternetConnectW
HttpOpenRequestW
HttpSendRequestW
HttpQueryInfoA
InternetReadFile
InternetCloseHandle
InternetCanonicalizeUrlW
InternetCrackUrlW

iphlpapi

GetAdaptersInfo

Exports

Exports

DllCanUnloadNow
DllGetClassObject
DllRegisterServer
DllUnregisterServer

Sections

.text
Size: 1.2MB - Virtual size: 1.2MB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rdata
Size: 225KB - Virtual size: 225KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.data
Size: 31KB - Virtual size: 71KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.rsrc
Size: 490KB - Virtual size: 489KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.reloc
Size: 69KB - Virtual size: 68KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ
QZoneClone.exe
.exe windows:4 windows x86 arch:x86

7fe1a3c530fe1f2545493b4ce67e132f

Headers

File Characteristics

IMAGE_FILE_RELOCS_STRIPPED
IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LINE_NUMS_STRIPPED
IMAGE_FILE_LOCAL_SYMS_STRIPPED
IMAGE_FILE_32BIT_MACHINE

Imports

mfc42

ord3147
ord3259
ord4465
ord3136
ord3262
ord2985
ord3081
ord2976
ord3830
ord3831
ord3825
ord3079
ord4080
ord4622
ord4424
ord3738
ord561
ord815
ord641
ord2514
ord858
ord2621
ord1134
ord3790
ord5265
ord4376
ord4998
ord6052
ord4078
ord1775
ord4407
ord5241
ord6375
ord5163
ord6374
ord4353
ord5280
ord3798
ord4837
ord4441
ord2648
ord2055
ord6376
ord3749
ord2982
ord1727
ord5261
ord2446
ord2124
ord5277
ord4627
ord4425
ord3597
ord1146
ord1168
ord324
ord2301
ord4234
ord4710
ord755
ord470
ord4853
ord6334
ord5875
ord4476
ord4274
ord540
ord4673
ord535
ord2818
ord2405
ord537
ord2764
ord800
ord323
ord1640
ord5785
ord640
ord5714
ord5289
ord5307
ord4698
ord4079
ord2725
ord5302
ord5300
ord3346
ord2396
ord5199
ord1089
ord3922
ord5731
ord2512
ord2554
ord5065
ord4486
ord1641
ord2414
ord3626
ord3663
ord825
ord2385
ord3571
ord1576

msvcrt

_setmbcp
__CxxFrameHandler
fclose
fwrite
fopen
sprintf
strrchr
__dllonexit
_onexit
_exit
_XcptFilter
exit
_controlfp
_except_handler3
__set_app_type
__p__fmode
__p__commode
_adjust_fdiv
__setusermatherr
_initterm
__getmainargs
_acmdln

kernel32

GetModuleHandleA
GetModuleFileNameA
WinExec
MoveFileExA
Sleep
FindResourceA
LoadResource
LockResource
SizeofResource
lstrlenA
GetStartupInfoA

user32

IsIconic
GetSystemMetrics
GetClientRect
LoadIconA
SendMessageA
EnableWindow
DrawIcon
LoadBitmapA

gdi32

CreateSolidBrush
BitBlt
CreateCompatibleDC

advapi32

RegSetValueExA
RegQueryValueExA
RegOpenKeyExA
RegCloseKey

Sections

.text
Size: 24KB - Virtual size: 22KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rdata
Size: 4KB - Virtual size: 3KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.data
Size: 4KB - Virtual size: 480B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.rsrc
Size: 676KB - Virtual size: 674KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

Sharing

General

Malware Config

Signatures

Files

dc842513ed3f1d9f5ff98812a2ae69fb

Code Sign

79:a2:a5:85:f9:d1:15:42:13:d9:b8:3e:f6:b6:8d:edCertificate

Extended Key Usages

Key Usages

47:bf:19:95:df:8d:52:46:43:f7:db:6d:48:0d:31:a4Certificate

Extended Key Usages

Key Usages

25:b8:e3:5b:53:60:1a:f5:36:c5:c4:f8:ec:98:28:cfCertificate

Extended Key Usages

Key Usages

52:00:e5:aa:25:56:fc:1a:86:ed:96:c9:d4:4b:33:c7Certificate

Extended Key Usages

Key Usages

6a:42:d0:66:12:f5:77:a0:ef:29:a4:98:d6:f4:6a:66:02:b4:d2:2cSigner

Headers

File Characteristics

Imports

kernel32

user32

gdi32

advapi32

shell32

ole32

oleaut32

shlwapi

comctl32

gdiplus

ws2_32

urlmon

wininet

iphlpapi

Exports

Exports

Sections

.text Size: 1.2MB - Virtual size: 1.2MB

.rdata Size: 225KB - Virtual size: 225KB

.data Size: 31KB - Virtual size: 71KB

.rsrc Size: 490KB - Virtual size: 489KB

.reloc Size: 69KB - Virtual size: 68KB

7fe1a3c530fe1f2545493b4ce67e132f

Headers

File Characteristics

Imports

mfc42

msvcrt

kernel32

user32

gdi32

advapi32

Sections

.text Size: 24KB - Virtual size: 22KB

.rdata Size: 4KB - Virtual size: 3KB

.data Size: 4KB - Virtual size: 480B

.rsrc Size: 676KB - Virtual size: 674KB

79:a2:a5:85:f9:d1:15:42:13:d9:b8:3e:f6:b6:8d:ed
Certificate

47:bf:19:95:df:8d:52:46:43:f7:db:6d:48:0d:31:a4
Certificate

25:b8:e3:5b:53:60:1a:f5:36:c5:c4:f8:ec:98:28:cf
Certificate

52:00:e5:aa:25:56:fc:1a:86:ed:96:c9:d4:4b:33:c7
Certificate

6a:42:d0:66:12:f5:77:a0:ef:29:a4:98:d6:f4:6a:66:02:b4:d2:2c
Signer

.text
Size: 1.2MB - Virtual size: 1.2MB

.rdata
Size: 225KB - Virtual size: 225KB

.data
Size: 31KB - Virtual size: 71KB

.rsrc
Size: 490KB - Virtual size: 489KB

.reloc
Size: 69KB - Virtual size: 68KB

.text
Size: 24KB - Virtual size: 22KB

.rdata
Size: 4KB - Virtual size: 3KB

.data
Size: 4KB - Virtual size: 480B

.rsrc
Size: 676KB - Virtual size: 674KB