General
-
Target
16940a004f8e3241163a98f9ea2ccf94_JaffaCakes118
-
Size
707KB
-
MD5
16940a004f8e3241163a98f9ea2ccf94
-
SHA1
b707e20e38d8a27c7aa6f598a3296a713aeeaba0
-
SHA256
d8f421ac21aac3e5db05fad8f777f6dc07468c0f2b8e6e7286ce8ab414d2cb03
-
SHA512
94c757efc7db14b34a8a96e408c85264dbc88b8fe9e3091abf103bfc6455fd7ccc45b3fbf0c21005c125f64c191696553235efd8793cdb31163d88c6d6524b5e
-
SSDEEP
12288:4UC1qcd+kRtMnDkPy+QF2G0VFnedXqqssH0xzWzWE8Gax79s31:4UC17+Rwv9GEFnush0ax79sl
Malware Config
Signatures
-
resource yara_rule sample vmprotect -
Unsigned PE 1 IoCs
Checks for missing Authenticode signature.
resource 16940a004f8e3241163a98f9ea2ccf94_JaffaCakes118
Files
-
16940a004f8e3241163a98f9ea2ccf94_JaffaCakes118.sys windows:5 windows x86 arch:x86
d1c4f968d79d8b78345c7603cbef07cf
Headers
File Characteristics
IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_32BIT_MACHINE
Imports
ntoskrnl.exe
KeTickCount
KeQueryTimeIncrement
KeWaitForSingleObject
_allmul
ZwClose
IoGetCurrentProcess
ObfDereferenceObject
PsGetVersion
KeUnstackDetachProcess
KeStackAttachProcess
PsLookupProcessByProcessId
IoDeleteDevice
IoCreateSymbolicLink
IoCreateDevice
RtlAppendUnicodeToString
memcpy
wcslen
ExFreePoolWithTag
IoDeleteSymbolicLink
RtlFreeUnicodeString
KeSetEvent
RtlAnsiStringToUnicodeString
RtlInitAnsiString
_except_handler3
IofCompleteRequest
RtlAssert
ExAllocatePool
ZwQuerySystemInformation
RtlCompareString
strncpy
strlen
MmGetSystemRoutineAddress
RtlInitUnicodeString
ZwUnmapViewOfSection
ZwMapViewOfSection
ZwCreateSection
ZwCreateFile
ExAllocatePoolWithTag
strcpy
ZwReadFile
ZwQueryInformationFile
KefAcquireSpinLockAtDpcLevel
KefReleaseSpinLockFromDpcLevel
KeInitializeEvent
PsCreateSystemThread
RtlAppendUnicodeStringToString
memset
IoAllocateMdl
MmProbeAndLockPages
MmMapLockedPagesSpecifyCache
MmUnlockPages
IoFreeMdl
ExAllocatePool
ExFreePool
NtQuerySystemInformation
hal
KfLowerIrql
KfRaiseIrql
KfAcquireSpinLock
KfReleaseSpinLock
KeGetCurrentIrql
HalMakeBeep
Sections
.text Size: - Virtual size: 19KB
IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ
.rdata Size: - Virtual size: 356B
IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
.data Size: - Virtual size: 1KB
IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE
INIT Size: - Virtual size: 1KB
IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE
.vmp0 Size: - Virtual size: 974B
IMAGE_SCN_CNT_CODE
IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ
.vmp1 Size: - Virtual size: 608KB
IMAGE_SCN_CNT_CODE
IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ
.vmp2 Size: 705KB - Virtual size: 705KB
IMAGE_SCN_CNT_CODE
IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE
.reloc Size: 512B - Virtual size: 280B
IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ