e:\work\rkhit\drv\rkhit\objfre_w2K_x86\i386\RKHit.pdb
Static task
static1
General
-
Target
563f1b2e6f58d3c0f8529975fcaa529c_JaffaCakes118
-
Size
27KB
-
MD5
563f1b2e6f58d3c0f8529975fcaa529c
-
SHA1
3955eaf713fbd5f0d8387365ba5dd979f584ada8
-
SHA256
ba4ab3de7c0ca33a35188d49b226d48c1e089f8b522195b4227064d285659b1e
-
SHA512
fcee7c5417da687ea7afa7b4f7f8492d072443cd7beec08e49c93ed39dc2e2e57746e8590c0b0d4aa2ee122d2eb5296c78493e3b4b7b9eb5248e12d588861270
-
SSDEEP
768:/gwhyO18ffg2JhDmXHuF4V4HjF7FCinp+:YwhXQfg23DmXHuFa4DNsgp+
Malware Config (empty: the static task extracted no embedded configuration from this sample)
Signatures
-
Unsigned PE 1 IoCs
The file carries no Authenticode signature. Because it is a kernel-mode driver (.sys, see Files below) this matters more than for a user-mode binary: an unsigned driver can only be loaded where kernel-mode code signing is not enforced — e.g. 32-bit Windows, which does not enforce it by default and which this x86 build targets — or where enforcement has been disabled.
resource 563f1b2e6f58d3c0f8529975fcaa529c_JaffaCakes118
Files
-
563f1b2e6f58d3c0f8529975fcaa529c_JaffaCakes118.sys — PE subsystem: windows, required OS version 5 (presumably Windows 2000/XP era, consistent with the w2K build path), architecture x86 (32-bit)
c6a570ca573a33dddde0988f4247cfb9
Headers
File Characteristics
IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LINE_NUMS_STRIPPED
IMAGE_FILE_LOCAL_SYMS_STRIPPED
IMAGE_FILE_32BIT_MACHINE
PDB Paths (the extracted path is the e:\work\rkhit\drv\rkhit\objfre_w2K_x86\i386\RKHit.pdb string shown at the top of this page; "objfre_w2K_x86" follows the WDK naming for a free/release build targeting Windows 2000 on x86, and the "RKHit" project name is embedded in the binary — a usable attribution/hunting string)
Imports (reviewer note: the set below — KeServiceDescriptorTable, NtBuildNumber/PsGetVersion, KeStackAttachProcess with PsLookupProcessByProcessId, KeInitializeApc/KeInsertQueueApc, ZwTerminateProcess, MmGetPhysicalAddress/MmGetVirtualForPhysical, ObReferenceObjectByName with IoDriverObjectType, and hand-built IRPs via IoAllocateIrp/IofCallDriver against IoGetBaseFileSystemDeviceObject — is the API surface typically used by a kernel rootkit or anti-rootkit tool for SSDT access, cross-process memory manipulation, APC injection and filter-bypassing file I/O. This is capability inferred from imports only; no dynamic execution is shown on this page, so treat it as a lead, not a confirmed behaviour.)
ntoskrnl.exe
ObfDereferenceObject
KeUnstackDetachProcess
KeStackAttachProcess
PsLookupProcessByProcessId
MmIsAddressValid
KeInitializeSpinLock
ObReferenceObjectByName
IoDriverObjectType
RtlInitUnicodeString
ExFreePool
_stricmp
strrchr
ExAllocatePoolWithTag
ZwQuerySystemInformation
IoFileObjectType
ZwClose
ObReferenceObjectByHandle
ZwOpenKey
PsProcessType
IoDeviceObjectType
MmSectionObjectType
ZwUnmapViewOfSection
ZwMapViewOfSection
ZwCreateSection
ZwOpenFile
RtlImageDirectoryEntryToData
NtBuildNumber
RtlAppendUnicodeStringToString
RtlVolumeDeviceToDosName
IoCreateFile
wcscpy
ProbeForRead
IoGetCurrentProcess
KeGetCurrentThread
KeServiceDescriptorTable
ObQueryNameString
ObReferenceObjectByPointer
MmUnlockPages
PsGetVersion
MmUserProbeAddress
IoThreadToProcess
PsLookupThreadByThreadId
NtGlobalFlag
PsThreadType
IofCallDriver
ZwOpenDirectoryObject
MmGetVirtualForPhysical
MmGetPhysicalAddress
MmSystemRangeStart
IoFreeIrp
KeSetEvent
KeWaitForSingleObject
MmBuildMdlForNonPagedPool
IoAllocateIrp
IoGetBaseFileSystemDeviceObject
KeInitializeEvent
IoGetDeviceObjectPointer
ZwQuerySymbolicLinkObject
ZwOpenSymbolicLinkObject
swprintf
IoGetConfigurationInformation
ZwTerminateProcess
PsGetCurrentProcessId
KeInsertQueueApc
KeInitializeApc
KeClearEvent
MmGetSystemRoutineAddress
IoDeleteDevice
IoDeleteSymbolicLink
RtlInitAnsiString
IofCompleteRequest
IoCreateSymbolicLink
IoCreateDevice
KeTickCount
KeBugCheckEx
_except_handler3
IoAllocateMdl
MmProbeAndLockPages
MmMapLockedPagesSpecifyCache
ObOpenObjectByPointer
IoFreeMdl
hal
ExReleaseFastMutex
KeStallExecutionProcessor
KfAcquireSpinLock
KfReleaseSpinLock
ExAcquireFastMutex
Sections
.text Size: 17KB - Virtual size: 17KB
IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ
.rdata Size: 768B - Virtual size: 644B
IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
.data Size: 4KB - Virtual size: 4KB
IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE
INIT Size: 2KB - Virtual size: 2KB (note: a discardable section flagged code + execute + write is the conventional layout for a driver's initialization/DriverEntry code and is not by itself an anomaly)
IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE
.reloc Size: 1KB - Virtual size: 1KB
IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ