54b513ceacc56a011b9f523f196c4c46_JaffaCakes118

Sharing

Copy URL Twitter E-mail

General

Target

54b513ceacc56a011b9f523f196c4c46_JaffaCakes118
Size

59KB
MD5

54b513ceacc56a011b9f523f196c4c46
SHA1

6756c10ab655514da7961482f0e57db7a0ce2be0
SHA256

a8669e9cfbb19572be0eba1a6f59d24a3155b01f6546ddded4c69898d6ae600c
SHA512

8df046921090118b15dbb738da433747e62ef090e2a0dd870cf364d187394637f1125b32ec4f0e2928a33aaf76e0f2c209c0aef45f3352bfe63ac700c2b0484d
SSDEEP

1536:DC3bSEQlc99wh6JPiJLG1G1G4G1GueBd3aDCCK:WbqcJPiJLG1G1G4G1GueBdKw

Score

1^/10

Malware Config

Signatures

Files

54b513ceacc56a011b9f523f196c4c46_JaffaCakes118
.sys windows:6 windows x64 arch:x64

d4f5b56ddb416b2ffb4a20e516537459

Code Sign

38:25:d7:fa:f8:61:af:9e:f4:90:e7:26:b5:d6:5a:d5
Certificate

Issuer

CN=VeriSign Time Stamping Services CA,O=VeriSign\, Inc.,C=US

Not Before

15/06/2007, 00:00

Not After

14/06/2012, 23:59

Subject

CN=VeriSign Time Stamping Services Signer - G2,O=VeriSign\, Inc.,C=US

Extended Key Usages

ExtKeyUsageTimeStamping

Key Usages

KeyUsageDigitalSignature
KeyUsageContentCommitment

47:bf:19:95:df:8d:52:46:43:f7:db:6d:48:0d:31:a4
Certificate

Issuer

CN=Thawte Timestamping CA,OU=Thawte Certification,O=Thawte,L=Durbanville,ST=Western Cape,C=ZA

Not Before

04/12/2003, 00:00

Not After

03/12/2013, 23:59

Subject

CN=VeriSign Time Stamping Services CA,O=VeriSign\, Inc.,C=US

Extended Key Usages

ExtKeyUsageTimeStamping

Key Usages

KeyUsageCertSign
KeyUsageCRLSign

65:52:26:e1:b2:2e:18:e1:59:0f:29:85:ac:22:e7:5c
Certificate

Issuer

OU=Class 3 Public Primary Certification Authority,O=VeriSign\, Inc.,C=US

Not Before

21/05/2009, 00:00

Not After

20/05/2019, 23:59

Subject

CN=VeriSign Class 3 Code Signing 2009-2 CA,OU=VeriSign Trust Network+OU=Terms of use at https://www.verisign.com/rpa (c)09,O=VeriSign\, Inc.,C=US

Extended Key Usages

ExtKeyUsageClientAuth
ExtKeyUsageCodeSigning

Key Usages

KeyUsageCertSign
KeyUsageCRLSign

61:0c:12:06:00:00:00:00:00:1b
Certificate

Issuer

CN=Microsoft Code Verification Root,O=Microsoft Corporation,L=Redmond,ST=Washington,C=US

Not Before

23/05/2006, 17:01

Not After

23/05/2016, 17:11

Subject

OU=Class 3 Public Primary Certification Authority,O=VeriSign\, Inc.,C=US

Key Usages

KeyUsageDigitalSignature
KeyUsageCertSign
KeyUsageCRLSign

5d:06:88:f9:04:0a:d5:22:87:fc:32:ad:ec:eb:85:b0
Certificate

Issuer

CN=VeriSign Class 3 Code Signing 2009-2 CA,OU=VeriSign Trust Network+OU=Terms of use at https://www.verisign.com/rpa (c)09,O=VeriSign\, Inc.,C=US

Not Before

26/01/2010, 00:00

Not After

25/01/2013, 23:59

Subject

CN=Tencent Technology(Shenzhen) Company Limited,OU=Digital ID Class 3 - Microsoft Software Validation v2,O=Tencent Technology(Shenzhen) Company Limited,L=shenzhen,ST=guangdong,C=CN

Extended Key Usages

ExtKeyUsageCodeSigning

Key Usages

KeyUsageDigitalSignature

16:b7:cc:48:eb:2e:d4:fa:29:90:a2:86:6d:67:5c:54:bf:38:af:fd
Signer

Actual PE Digest

16:b7:cc:48:eb:2e:d4:fa:29:90:a2:86:6d:67:5c:54:bf:38:af:fd

Digest Algorithm

sha1

PE Digest Matches

true

Headers

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LARGE_ADDRESS_AWARE

PDB Paths

e:\works\filemon_update\Bin\fre\amd64\QQSysMon.pdb

Imports

ntoskrnl.exe

ExAllocatePool
IoGetCurrentProcess
ZwClose
ObReferenceObjectByHandle
ZwDuplicateObject
RtlFreeAnsiString
ZwOpenProcess
PsGetCurrentProcessId
MmIsAddressValid
ObfDereferenceObject
FsRtlIsDbcsInExpression
RtlInitAnsiString
_strupr
KeReleaseMutex
KeWaitForSingleObject
PsLookupThreadByThreadId
strncmp
KeReleaseSpinLock
KeAcquireSpinLockRaiseToDpc
ExAllocatePoolWithTag
PsLookupProcessByProcessId
KeUnstackDetachProcess
IoFileObjectType
ZwQueryInformationProcess
ZwTerminateProcess
KeStackAttachProcess
ProbeForRead
IoGetDeviceObjectPointer
RtlPrefixUnicodeString
RtlCopyUnicodeString
wcschr
_wcsicmp
ExAcquireResourceExclusiveLite
wcsncpy
_wcslwr
ExAcquireResourceSharedLite
ExReleaseResourceLite
ExDeleteResourceLite
ExInitializeResourceLite
KeBugCheckEx
ObQueryNameString
KeEnterCriticalRegion
PsSetCreateProcessNotifyRoutine
ZwQuerySystemInformation
ExInterlockedPopEntryList
RtlUnicodeStringToAnsiString
PsSetCreateThreadNotifyRoutine
MmGetSystemRoutineAddress
RtlInitUnicodeString
_wcsnicmp
NtBuildNumber
PsSetLoadImageNotifyRoutine
KeLeaveCriticalRegion
KeInitializeMutex
ExFreePoolWithTag
IoThreadToProcess
_stricmp
__C_specific_handler

fltmgr.sys

FltParseFileNameInformation
FltReleaseFileNameInformation
FltRegisterFilter
FltBuildDefaultSecurityDescriptor
FltCloseCommunicationPort
FltUnregisterFilter
FltGetFileNameInformation
FltAllocateContext
FltReleaseContext
FltQueryInformationFile
FltFreeSecurityDescriptor
FltCreateCommunicationPort
FltCloseClientPort
FltCancelFileOpen
FltSetStreamHandleContext
FltSendMessage
FltGetStreamHandleContext
FltStartFiltering

Sections

.text
Size: 28KB - Virtual size: 27KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rdata
Size: 5KB - Virtual size: 4KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.data
Size: 9KB - Virtual size: 12KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.pdata
Size: 1KB - Virtual size: 1KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

PAGE
Size: 2KB - Virtual size: 2KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

INIT
Size: 3KB - Virtual size: 3KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.rsrc
Size: 1024B - Virtual size: 952B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ

.reloc
Size: 512B - Virtual size: 230B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ

Sharing

General

Malware Config

Signatures

Files

d4f5b56ddb416b2ffb4a20e516537459

Code Sign

38:25:d7:fa:f8:61:af:9e:f4:90:e7:26:b5:d6:5a:d5Certificate

Extended Key Usages

Key Usages

47:bf:19:95:df:8d:52:46:43:f7:db:6d:48:0d:31:a4Certificate

Extended Key Usages

Key Usages

65:52:26:e1:b2:2e:18:e1:59:0f:29:85:ac:22:e7:5cCertificate

Extended Key Usages

Key Usages

61:0c:12:06:00:00:00:00:00:1bCertificate

Key Usages

5d:06:88:f9:04:0a:d5:22:87:fc:32:ad:ec:eb:85:b0Certificate

Extended Key Usages

Key Usages

16:b7:cc:48:eb:2e:d4:fa:29:90:a2:86:6d:67:5c:54:bf:38:af:fdSigner

Headers

File Characteristics

PDB Paths

Imports

ntoskrnl.exe

fltmgr.sys

Sections

.text Size: 28KB - Virtual size: 27KB

.rdata Size: 5KB - Virtual size: 4KB

.data Size: 9KB - Virtual size: 12KB

.pdata Size: 1KB - Virtual size: 1KB

PAGE Size: 2KB - Virtual size: 2KB

INIT Size: 3KB - Virtual size: 3KB

.rsrc Size: 1024B - Virtual size: 952B

.reloc Size: 512B - Virtual size: 230B

38:25:d7:fa:f8:61:af:9e:f4:90:e7:26:b5:d6:5a:d5
Certificate

47:bf:19:95:df:8d:52:46:43:f7:db:6d:48:0d:31:a4
Certificate

65:52:26:e1:b2:2e:18:e1:59:0f:29:85:ac:22:e7:5c
Certificate

61:0c:12:06:00:00:00:00:00:1b
Certificate

5d:06:88:f9:04:0a:d5:22:87:fc:32:ad:ec:eb:85:b0
Certificate

16:b7:cc:48:eb:2e:d4:fa:29:90:a2:86:6d:67:5c:54:bf:38:af:fd
Signer

.text
Size: 28KB - Virtual size: 27KB

.rdata
Size: 5KB - Virtual size: 4KB

.data
Size: 9KB - Virtual size: 12KB

.pdata
Size: 1KB - Virtual size: 1KB

PAGE
Size: 2KB - Virtual size: 2KB

INIT
Size: 3KB - Virtual size: 3KB

.rsrc
Size: 1024B - Virtual size: 952B

.reloc
Size: 512B - Virtual size: 230B