29c0392f691526963bd40078aa12cdcf_JaffaCakes118

Sharing

Copy URL Twitter E-mail

General

Target

29c0392f691526963bd40078aa12cdcf_JaffaCakes118
Size

257KB
MD5

29c0392f691526963bd40078aa12cdcf
SHA1

94640c193f8fbf69a1bb066e66942017820f375d
SHA256

7c4237d094093126a17de91c0dab17c801694a81d21b4d4318eb829c326f13e3
SHA512

3e6640f2be678323e10a26b94006b97081c82ae1dacb1e466aea337c425520c34483d16f022f8161d828704301e1a30d840f28d01b555aa5072981b3cae72095
SSDEEP

6144:2PPgnYy9ljMUO9tQIIez4GBxCI2SiI/+Ft3C7jjVU:nIUEtQ7g4GN/+HC7

Score

3^/10

Malware Config

Signatures

Unsigned PE 1 IoCs

Checks for missing Authenticode signature.

resource
29c0392f691526963bd40078aa12cdcf_JaffaCakes118

Files

29c0392f691526963bd40078aa12cdcf_JaffaCakes118
.dll windows:5 windows x86 arch:x86

abb7f6ffeb46d13fde553d7cb0ba2329

Headers

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LINE_NUMS_STRIPPED
IMAGE_FILE_LOCAL_SYMS_STRIPPED
IMAGE_FILE_32BIT_MACHINE
IMAGE_FILE_DLL

PDB Paths

schedsvc.pdb

Imports

msvcrt

wcscmp
fclose
_wfopen
wcsncpy
_wcsicmp
_except_handler3
wcsstr
qsort
_vsnwprintf
??3@YAXPAX@Z
??2@YAPAXI@Z
free
_initterm
_adjust_fdiv
__dllonexit
wcsncmp
malloc
wcstoul
memcpy
wcsspn
wcspbrk
rand
_wtol
wcschr
_ultow
_wcsrev
wcsrchr
sscanf
_purecall
towupper
fgetws
_snwprintf
wcscat
swprintf
wcslen
wcscpy
_onexit
memmove
_wcsnicmp
_wcsupr
_itow

ntdll

RtlNtStatusToDosError
NtSetSystemInformation
NtOpenProcessToken
RtlNewSecurityObject
RtlCreateAcl
RtlAddAce
RtlGetVersion
NtCreateFile
NtQueryInformationFile
NtQueryAttributesFile
RtlInitUnicodeString
RtlDosPathNameToNtPathName_U
NtOpenFile
NtQueryDirectoryFile
RtlFreeHeap
NtClose
NtQuerySystemInformation
RtlEqualUnicodeString
RtlInitString
NtSetInformationThread
NtDuplicateToken
NtDuplicateObject
NtAccessCheck
NtOpenThreadToken
NtPowerInformation
RtlInitializeSid
RtlLengthRequiredSid
RtlSubAuthoritySid
RtlCopySid
RtlSubAuthorityCountSid
RtlDeleteSecurityObject
RtlLengthSid
RtlSetSaclSecurityDescriptor
RtlSetDaclSecurityDescriptor
RtlSetGroupSecurityDescriptor
RtlSetOwnerSecurityDescriptor
RtlCreateSecurityDescriptor

advapi32

ReportEventW
GetSidIdentifierAuthority
GetSidSubAuthorityCount
GetSidSubAuthority
CryptCreateHash
CryptHashData
CryptSignHashW
CryptDestroyHash
LsaRemoveAccountRights
WmiOpenBlock
WmiCloseBlock
WmiQueryAllDataW
AccessCheck
AddAce
GetSecurityDescriptorDacl
GetSecurityInfo
SetEntriesInAclW
SetSecurityInfo
RegOpenKeyExA
GetUserNameW
OpenProcessToken
LookupAccountSidW
LsaStorePrivateData
LsaRetrievePrivateData
CreateProcessAsUserW
ImpersonateLoggedOnUser
GetKernelObjectSecurity
RegisterEventSourceW
GetFileSecurityW
GetSecurityDescriptorOwner
DeregisterEventSource
RegConnectRegistryW
IsTokenRestricted
EqualSid
LogonUserW
LsaQueryInformationPolicy
CopySid
LookupAccountNameW
GetTokenInformation
CryptGetHashParam
CryptReleaseContext
CryptAcquireContextW
CryptGenKey
CryptDestroyKey
RegCloseKey
RegQueryValueExW
RegOpenKeyW
RegSetValueExW
RegCreateKeyW
AdjustTokenPrivileges
LookupPrivilegeValueW
FreeSid
SetKernelObjectSecurity
SetFileSecurityW
SetSecurityDescriptorDacl
InitializeSecurityDescriptor
AddAccessAllowedAce
InitializeAcl
GetLengthSid
SetNamedSecurityInfoW
AllocateAndInitializeSid
RevertToSelf
OpenThreadToken
ImpersonateSelf
UnregisterIdleTask
CloseServiceHandle
QueryServiceStatus
QueryServiceConfigW
OpenServiceW
OpenSCManagerW
RegisterIdleTask
EnumServicesStatusExW
TraceMessage
RegCreateKeyExW
GetTraceEnableFlags
GetTraceEnableLevel
GetTraceLoggerHandle
RegisterTraceGuidsW
UnregisterTraceGuids
CheckTokenMembership
SetServiceStatus
ConvertStringSecurityDescriptorToSecurityDescriptorW
RegisterServiceCtrlHandlerExW
RegOpenKeyExW
RegDeleteValueW
LsaNtStatusToWinError
LsaClose
LsaFreeMemory
LsaEnumerateAccountRights
LsaOpenPolicy
LsaAddAccountRights
IsValidSid

ole32

CoTaskMemAlloc
CoCreateInstance
CoUninitialize
CoInitializeEx
CoGetCallContext
CoTaskMemFree

netapi32

NetApiBufferFree
DsGetDcNameW
NetUserGetInfo

secur32

LsaFreeReturnBuffer
LsaDeregisterLogonProcess
LsaCallAuthenticationPackage
LsaLookupAuthenticationPackage
LsaConnectUntrusted
GetUserNameExW

ntdsapi

DsUnBindW
DsCrackNamesW
DsBindW
DsFreeNameResultW

imagehlp

ImageRvaToVa
ImageDirectoryEntryToData
ImageNtHeader

authz

AuthzFreeResourceManager
AuthziFreeAuditEventType
AuthziInitializeAuditEventType
AuthzInitializeResourceManager
AuthzFreeAuditEvent
AuthziLogAuditEvent
AuthziInitializeAuditEvent
AuthziInitializeAuditParams

shlwapi

PathFindExtensionW

kernel32

DelayLoadFailureHook
InitializeCriticalSectionAndSpinCount
ReadFile
SetFilePointer
GetTimeFormatW
GetDateFormatW
SetEndOfFile
FormatMessageW
TlsFree
TlsAlloc
FindNextChangeNotification
GetComputerNameW
LoadLibraryW
WTSGetActiveConsoleSessionId
InterlockedIncrement
InterlockedDecrement
SetThreadPriority
SetEnvironmentVariableW
GetEnvironmentVariableW
SetLastError
GetStartupInfoW
SearchPathW
SetCurrentDirectoryW
LocalReAlloc
GetFileInformationByHandle
GetFileType
lstrcpynW
GetVolumeInformationW
GetLocaleInfoW
GetUserDefaultUILanguage
GetUserDefaultLCID
IsBadWritePtr
TlsSetValue
TlsGetValue
GetComputerNameExW
ExitProcess
GetModuleFileNameW
lstrcmpiW
FindFirstChangeNotificationW
lstrlenW
CreateWaitableTimerW
GetCurrentDirectoryW
LocalFileTimeToFileTime
GetVersionExW
FindCloseChangeNotification
DeleteCriticalSection
EnterCriticalSection
LeaveCriticalSection
SetWaitableTimer
CancelWaitableTimer
InitializeCriticalSection
SetUnhandledExceptionFilter
UnhandledExceptionFilter
GetCurrentProcess
TerminateProcess
GetCurrentThreadId
QueryPerformanceCounter
LoadLibraryA
GetProcAddress
LoadLibraryExW
FreeLibrary
GetModuleHandleW
ChangeTimerQueueTimer
DeleteTimerQueueTimer
OpenProcess
CreateTimerQueueTimer
DuplicateHandle
UnregisterWaitEx
DeleteAtom
InterlockedExchange
CloseHandle
VirtualFree
GetProcessHeap
HeapFree
GetLastError
GetWindowsDirectoryW
HeapAlloc
ReleaseMutex
WaitForSingleObject
FindClose
FindFirstFileW
FindNextFileW
MapViewOfFile
CreateFileMappingW
GetFileSize
CreateFileW
WriteFile
GetFileTime
MultiByteToWideChar
CompareFileTime
SystemTimeToFileTime
GetSystemTime
FileTimeToSystemTime
FileTimeToLocalFileTime
GetCurrentThread
GetFileAttributesW
GetSystemDirectoryW
GetFullPathNameW
ExpandEnvironmentStringsW
GetSystemPowerStatus
SetEvent
InterlockedCompareExchange
ResetEvent
Sleep
RegisterWaitForSingleObject
GetTickCount
LocalFree
LocalAlloc
OpenEventW
WaitForMultipleObjects
VirtualAlloc
CreateMutexW
CreateEventW
SetFileAttributesW
CreateDirectoryW
FlushFileBuffers
GetExitCodeProcess
CreateProcessW
GetCurrentProcessId
GetLocalTime
FindVolumeClose
FindNextVolumeW
QueryDosDeviceW
GetVolumePathNamesForVolumeNameW
FindFirstVolumeW
DeleteFileW
UnmapViewOfFile
GetDriveTypeW
GetSystemTimeAsFileTime
CreateThread
QueueUserWorkItem
DisableThreadLibraryCalls

user32

PostQuitMessage
UnregisterClassW
DestroyWindow
DefWindowProcW
TranslateMessage
GetMessageW
UpdateWindow
DispatchMessageW
SystemParametersInfoW
GetProcessWindowStation
SetProcessWindowStation
SetUserObjectSecurity
CreateDesktopW
CreateWindowStationW
CloseDesktop
CloseWindowStation
LoadStringW
EnumWindows
EnumThreadWindows
IsWindow
GetWindowThreadProcessId
LoadStringA
MessageBoxA
PostMessageW
SendMessageW
RegisterWindowMessageW
ShowWindow
RegisterClassW
CreateWindowExW

rpcrt4

RpcServerUseProtseqEpW
RpcEpRegisterW
RpcServerRegisterIfEx
RpcServerUseProtseqW
RpcEpUnregister
RpcServerUnregisterIf
NdrServerCall2
UuidCreate
RpcStringFreeW
RpcStringBindingParseW
RpcBindingVectorFree
RpcImpersonateClient
RpcServerRegisterAuthInfoW
RpcServerInqBindings
RpcBindingToStringBindingW
RpcServerUnregisterIfEx
RpcRevertToSelf

userenv

LoadUserProfileW
CreateEnvironmentBlock
DestroyEnvironmentBlock
UnloadUserProfile

version

VerQueryValueW
GetFileVersionInfoSizeW
GetFileVersionInfoW

wtsapi32

WTSEnumerateSessionsW
WTSQuerySessionInformationW
WTSQueryUserToken
WTSFreeMemory

Exports

Exports

CloseProc
SPUninstall
SPUninstallCallback
SchedServiceMain
SysPrepBackup
SysPrepCallback
SysPrepRestore

Sections

.text
Size: 173KB - Virtual size: 172KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.data
Size: 62KB - Virtual size: 65KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.rsrc
Size: 12KB - Virtual size: 11KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.reloc
Size: 9KB - Virtual size: 9KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ

Sharing

General

Malware Config

Signatures

Files

abb7f6ffeb46d13fde553d7cb0ba2329

Headers

File Characteristics

PDB Paths

Imports

msvcrt

ntdll

advapi32

ole32

netapi32

secur32

ntdsapi

imagehlp

authz

shlwapi

kernel32

user32

rpcrt4

userenv

version

wtsapi32

Exports

Exports

Sections

.text Size: 173KB - Virtual size: 172KB

.data Size: 62KB - Virtual size: 65KB

.rsrc Size: 12KB - Virtual size: 11KB

.reloc Size: 9KB - Virtual size: 9KB

.text
Size: 173KB - Virtual size: 172KB

.data
Size: 62KB - Virtual size: 65KB

.rsrc
Size: 12KB - Virtual size: 11KB

.reloc
Size: 9KB - Virtual size: 9KB