16c202a683ef85a7b3595898c04eef4e_JaffaCakes118

Sharing

Copy URL Twitter E-mail

General

Target

16c202a683ef85a7b3595898c04eef4e_JaffaCakes118
Size

33KB
MD5

16c202a683ef85a7b3595898c04eef4e
SHA1

4e3eaecc444cad6cbb3cb79f74c092d239c35b8d
SHA256

68d49671e0d34960ac99a92f74cebffe51007458f1098c0e6dd6ae774d1b8d5f
SHA512

0534dcd9966c77a0aa17bcff81452756cb6f6d39fdf97b664385f092239e3b52d657507442ce7f2a113afe8ade832f62f9e4a012736623ee2765acdb0e1df867
SSDEEP

768:V/MSsk0Dp9Ur2kSjjqbTdmA3gCTXem8BieHLMbC:VXuvs2kSjjqbTdxQCN8BDHkC

Score

1^/10

Malware Config

Signatures

Files

16c202a683ef85a7b3595898c04eef4e_JaffaCakes118
.sys windows:5 windows x86 arch:x86

0470a889477af954936480d24137207f

Code Sign

38:25:d7:fa:f8:61:af:9e:f4:90:e7:26:b5:d6:5a:d5
Certificate

Issuer

CN=VeriSign Time Stamping Services CA,O=VeriSign\, Inc.,C=US

Not Before

15/06/2007, 00:00

Not After

14/06/2012, 23:59

Subject

CN=VeriSign Time Stamping Services Signer - G2,O=VeriSign\, Inc.,C=US

Extended Key Usages

ExtKeyUsageTimeStamping

Key Usages

KeyUsageDigitalSignature
KeyUsageContentCommitment

47:bf:19:95:df:8d:52:46:43:f7:db:6d:48:0d:31:a4
Certificate

Issuer

CN=Thawte Timestamping CA,OU=Thawte Certification,O=Thawte,L=Durbanville,ST=Western Cape,C=ZA

Not Before

04/12/2003, 00:00

Not After

03/12/2013, 23:59

Subject

CN=VeriSign Time Stamping Services CA,O=VeriSign\, Inc.,C=US

Extended Key Usages

ExtKeyUsageTimeStamping

Key Usages

KeyUsageCertSign
KeyUsageCRLSign

41:91:a1:5a:39:78:df:cf:49:65:66:38:1d:4c:75:c2
Certificate

Issuer

OU=Class 3 Public Primary Certification Authority,O=VeriSign\, Inc.,C=US

Not Before

16/07/2004, 00:00

Not After

15/07/2014, 23:59

Subject

CN=VeriSign Class 3 Code Signing 2004 CA,OU=VeriSign Trust Network+OU=Terms of use at https://www.verisign.com/rpa (c)04,O=VeriSign\, Inc.,C=US

Extended Key Usages

ExtKeyUsageClientAuth
ExtKeyUsageCodeSigning

Key Usages

KeyUsageCertSign
KeyUsageCRLSign

19:e4:6b:db:66:ff:71:93:1f:e4:3d:b5:4f:76:be:4f
Certificate

Issuer

CN=VeriSign Class 3 Code Signing 2004 CA,OU=VeriSign Trust Network+OU=Terms of use at https://www.verisign.com/rpa (c)04,O=VeriSign\, Inc.,C=US

Not Before

16/06/2008, 00:00

Not After

13/06/2011, 23:59

Subject

CN=Qiwang Computer,OU=Digital ID Class 3 - Microsoft Software Validation v2,O=Qiwang Computer,L=Nanning,ST=Guangxi,C=CN

Extended Key Usages

ExtKeyUsageCodeSigning

Key Usages

KeyUsageDigitalSignature

35:6e:67:5a:f1:1a:d9:3d:52:4c:0b:ab:f2:f9:58:42:92:63:c5:17
Signer

Actual PE Digest

35:6e:67:5a:f1:1a:d9:3d:52:4c:0b:ab:f2:f9:58:42:92:63:c5:17

Digest Algorithm

sha1

PE Digest Matches

true

Headers

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LINE_NUMS_STRIPPED
IMAGE_FILE_LOCAL_SYMS_STRIPPED
IMAGE_FILE_32BIT_MACHINE

PDB Paths

f:\spyware\spkdll\sysdriver\t\objfre_w2K_x86\i386\RKHit.pdb

Imports

ntoskrnl.exe

_except_handler3
MmUnlockPages
ObfDereferenceObject
KeUnstackDetachProcess
KeStackAttachProcess
PsLookupProcessByProcessId
MmIsAddressValid
KeInitializeSpinLock
ObReferenceObjectByName
IoDriverObjectType
RtlInitUnicodeString
ExFreePool
_stricmp
strrchr
ExAllocatePoolWithTag
ZwQuerySystemInformation
IoFileObjectType
ZwClose
ObReferenceObjectByHandle
ZwOpenKey
PsProcessType
IoDeviceObjectType
MmSectionObjectType
ZwUnmapViewOfSection
ZwMapViewOfSection
ZwCreateSection
ZwOpenFile
RtlImageDirectoryEntryToData
NtBuildNumber
wcscpy
ProbeForRead
IoGetCurrentProcess
RtlAppendUnicodeStringToString
RtlVolumeDeviceToDosName
IoCreateFile
KeGetCurrentThread
KeServiceDescriptorTable
ObQueryNameString
ObReferenceObjectByPointer
ZwQueryInformationProcess
ObOpenObjectByPointer
PsGetVersion
IoAllocateMdl
ObfReferenceObject
PsLookupThreadByThreadId
IoThreadToProcess
NtGlobalFlag
PsThreadType
IofCallDriver
ZwOpenDirectoryObject
MmGetVirtualForPhysical
MmGetPhysicalAddress
MmSystemRangeStart
IoFreeIrp
KeSetEvent
KeWaitForSingleObject
MmBuildMdlForNonPagedPool
IoAllocateIrp
IoGetBaseFileSystemDeviceObject
KeInitializeEvent
IoGetDeviceObjectPointer
ZwQuerySymbolicLinkObject
ZwOpenSymbolicLinkObject
swprintf
IoGetConfigurationInformation
ZwTerminateProcess
PsGetCurrentProcessId
KeInsertQueueApc
KeInitializeApc
KeClearEvent
ExfInterlockedInsertTailList
ExfInterlockedRemoveHeadList
wcsstr
_wcsupr
IoCreateSynchronizationEvent
MmGetSystemRoutineAddress
ZwOpenEvent
IoDeleteDevice
RtlInitAnsiString
IofCompleteRequest
IoCreateSymbolicLink
IoCreateDevice
KeTickCount
KeBugCheckEx
MmProbeAndLockPages
MmMapLockedPagesSpecifyCache
MmUserProbeAddress
IoFreeMdl

hal

KfAcquireSpinLock
KfReleaseSpinLock
KeStallExecutionProcessor

Sections

.text
Size: 18KB - Virtual size: 18KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rdata
Size: 768B - Virtual size: 756B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.data
Size: 4KB - Virtual size: 4KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

INIT
Size: 2KB - Virtual size: 2KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.reloc
Size: 1KB - Virtual size: 1KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ

Sharing

General

Malware Config

Signatures

Files

0470a889477af954936480d24137207f

Code Sign

38:25:d7:fa:f8:61:af:9e:f4:90:e7:26:b5:d6:5a:d5Certificate

Extended Key Usages

Key Usages

47:bf:19:95:df:8d:52:46:43:f7:db:6d:48:0d:31:a4Certificate

Extended Key Usages

Key Usages

41:91:a1:5a:39:78:df:cf:49:65:66:38:1d:4c:75:c2Certificate

Extended Key Usages

Key Usages

19:e4:6b:db:66:ff:71:93:1f:e4:3d:b5:4f:76:be:4fCertificate

Extended Key Usages

Key Usages

35:6e:67:5a:f1:1a:d9:3d:52:4c:0b:ab:f2:f9:58:42:92:63:c5:17Signer

Headers

File Characteristics

PDB Paths

Imports

ntoskrnl.exe

hal

Sections

.text Size: 18KB - Virtual size: 18KB

.rdata Size: 768B - Virtual size: 756B

.data Size: 4KB - Virtual size: 4KB

INIT Size: 2KB - Virtual size: 2KB

.reloc Size: 1KB - Virtual size: 1KB

38:25:d7:fa:f8:61:af:9e:f4:90:e7:26:b5:d6:5a:d5
Certificate

47:bf:19:95:df:8d:52:46:43:f7:db:6d:48:0d:31:a4
Certificate

41:91:a1:5a:39:78:df:cf:49:65:66:38:1d:4c:75:c2
Certificate

19:e4:6b:db:66:ff:71:93:1f:e4:3d:b5:4f:76:be:4f
Certificate

35:6e:67:5a:f1:1a:d9:3d:52:4c:0b:ab:f2:f9:58:42:92:63:c5:17
Signer

.text
Size: 18KB - Virtual size: 18KB

.rdata
Size: 768B - Virtual size: 756B

.data
Size: 4KB - Virtual size: 4KB

INIT
Size: 2KB - Virtual size: 2KB

.reloc
Size: 1KB - Virtual size: 1KB