Extracted

• JaffaCakes118_dad1a4bc2ec24bf8b689974ae5a7128d85482d970162a70ea40ea0e80fbfa8ee

  .rar
• krpt.dll

  .dll windows:5 windows x86 arch:x86

  b86886e49946fcd21adb84834e5955db

  
  

  Headers

  DLL Characteristics

  IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE

  IMAGE_DLLCHARACTERISTICS_NX_COMPAT

  File Characteristics

  IMAGE_FILE_EXECUTABLE_IMAGE

  IMAGE_FILE_32BIT_MACHINE

  IMAGE_FILE_DLL

  Imports

  kernel32

  HeapReAlloc

  HeapAlloc

  HeapFree

  GetProcessHeap

  InitializeCriticalSectionAndSpinCount

  HeapDestroy

  RaiseException

  GetLastError

  HeapSize

  DecodePointer

  DeleteCriticalSection

  GetModuleHandleW

  VirtualProtect

  FindResourceW

  LoadResource

  LockResource

  SizeofResource

  ExpandEnvironmentStringsW

  CreateFileW

  WriteFile

  CloseHandle

  VirtualAlloc

  ExitProcess

  FindResourceExW

  IsDebuggerPresent

  OutputDebugStringW

  EnterCriticalSection

  LeaveCriticalSection

  SetFilePointerEx

  SetStdHandle

  GetConsoleMode

  GetConsoleCP

  FlushFileBuffers

  GetStringTypeW

  EncodePointer

  GetCommandLineA

  GetCurrentThreadId

  IsProcessorFeaturePresent

  GetModuleHandleExW

  GetProcAddress

  MultiByteToWideChar

  WideCharToMultiByte

  SetLastError

  GetStdHandle

  GetFileType

  GetStartupInfoW

  GetModuleFileNameA

  QueryPerformanceCounter

  GetCurrentProcessId

  GetSystemTimeAsFileTime

  GetEnvironmentStringsW

  FreeEnvironmentStringsW

  UnhandledExceptionFilter

  SetUnhandledExceptionFilter

  Sleep

  GetCurrentProcess

  TerminateProcess

  TlsAlloc

  TlsGetValue

  TlsSetValue

  TlsFree

  GetModuleFileNameW

  LoadLibraryExW

  IsValidCodePage

  GetACP

  GetOEMCP

  GetCPInfo

  RtlUnwind

  LCMapStringW

  WriteConsoleW

  shell32

  ShellExecuteW

  shlwapi

  PathFileExistsW

  PathRemoveFileSpecW

  PathAppendW

  Exports

  Exports

  ?_force_link_krpt@@YGXXZ

  Sections

  .text

  Size: 49KB - Virtual size: 49KB

  IMAGE_SCN_CNT_CODE

  IMAGE_SCN_MEM_EXECUTE

  IMAGE_SCN_MEM_READ

  .rdata

  Size: 21KB - Virtual size: 20KB

  IMAGE_SCN_CNT_INITIALIZED_DATA

  IMAGE_SCN_MEM_READ

  .data

  Size: 4KB - Virtual size: 12KB

  IMAGE_SCN_CNT_INITIALIZED_DATA

  IMAGE_SCN_MEM_READ

  IMAGE_SCN_MEM_WRITE

  .rsrc

  Size: 1.3MB - Virtual size: 1.3MB

  IMAGE_SCN_CNT_INITIALIZED_DATA

  IMAGE_SCN_MEM_READ

  .reloc

  Size: 4KB - Virtual size: 3KB

  IMAGE_SCN_CNT_INITIALIZED_DATA

  IMAGE_SCN_MEM_DISCARDABLE

  IMAGE_SCN_MEM_READ

• wps.exe

  .exe windows:5 windows x86 arch:x86

  4d397650c70c4fb6bf6cb11b18be301b

  
  

  Code Sign

  7e:93:eb:fb:7c:c6:4e:59:ea:4b:9a:77:d4:06:fc:3b

  Certificate

  Issuer

  CN=Thawte Timestamping CA,OU=Thawte Certification,O=Thawte,L=Durbanville,ST=Western Cape,C=ZA

  Not Before

  21-12-2012 00:00

  Not After

  30-12-2020 23:59

  Subject

  CN=Symantec Time Stamping Services CA - G2,O=Symantec Corporation,C=US

  Extended Key Usages

  ExtKeyUsageTimeStamping

  Key Usages

  KeyUsageCertSign

  KeyUsageCRLSign

  0e:cf:f4:38:c8:fe:bf:35:6e:04:d8:6a:98:1b:1a:50

  Certificate

  Issuer

  CN=Symantec Time Stamping Services CA - G2,O=Symantec Corporation,C=US

  Not Before

  18-10-2012 00:00

  Not After

  29-12-2020 23:59

  Subject

  CN=Symantec Time Stamping Services Signer - G4,O=Symantec Corporation,C=US

  Extended Key Usages

  ExtKeyUsageTimeStamping

  Key Usages

  KeyUsageDigitalSignature

  60:86:44:63:bb:bc:2e:4e:67:d4:27:71:e4:cb:d9:a5

  Certificate

  Issuer

  CN=VeriSign Class 3 Code Signing 2010 CA,OU=VeriSign Trust Network+OU=Terms of use at https://www.verisign.com/rpa (c)10,O=VeriSign\, Inc.,C=US

  Not Before

  21-04-2017 00:00

  Not After

  04-02-2020 23:59

  Subject

  CN=Zhuhai Kingsoft Office Software Co.\, Ltd.,OU=RD Department,O=Zhuhai Kingsoft Office Software Co.\, Ltd.,L=Zhuhai,ST=Guangdong,C=CN

  Extended Key Usages

  ExtKeyUsageCodeSigning

  Key Usages

  KeyUsageDigitalSignature

  52:00:e5:aa:25:56:fc:1a:86:ed:96:c9:d4:4b:33:c7

  Certificate

  Issuer

  CN=VeriSign Class 3 Public Primary Certification Authority - G5,OU=VeriSign Trust Network+OU=(c) 2006 VeriSign\, Inc. - For authorized use only,O=VeriSign\, Inc.,C=US

  Not Before

  08-02-2010 00:00

  Not After

  07-02-2020 23:59

  Subject

  CN=VeriSign Class 3 Code Signing 2010 CA,OU=VeriSign Trust Network+OU=Terms of use at https://www.verisign.com/rpa (c)10,O=VeriSign\, Inc.,C=US

  Extended Key Usages

  ExtKeyUsageClientAuth

  ExtKeyUsageCodeSigning

  Key Usages

  KeyUsageCertSign

  KeyUsageCRLSign

  44:e0:b5:be:99:0e:46:a6:96:3f:d9:a1:0d:d4:bb:ac

  Certificate

  Issuer

  CN=Symantec Class 3 SHA256 Code Signing CA,OU=Symantec Trust Network,O=Symantec Corporation,C=US

  Not Before

  19-04-2017 00:00

  Not After

  03-02-2020 23:59

  Subject

  CN=Zhuhai Kingsoft Office Software Co.\, Ltd.,OU=RD Department,O=Zhuhai Kingsoft Office Software Co.\, Ltd.,L=Zhuhai,ST=Guangdong,C=CN

  Extended Key Usages

  ExtKeyUsageCodeSigning

  Key Usages

  KeyUsageDigitalSignature

  3d:78:d7:f9:76:49:60:b2:61:7d:f4:f0:1e:ca:86:2a

  Certificate

  Issuer

  CN=VeriSign Class 3 Public Primary Certification Authority - G5,OU=VeriSign Trust Network+OU=(c) 2006 VeriSign\, Inc. - For authorized use only,O=VeriSign\, Inc.,C=US

  Not Before

  10-12-2013 00:00

  Not After

  09-12-2023 23:59

  Subject

  CN=Symantec Class 3 SHA256 Code Signing CA,OU=Symantec Trust Network,O=Symantec Corporation,C=US

  Extended Key Usages

  ExtKeyUsageClientAuth

  ExtKeyUsageCodeSigning

  Key Usages

  KeyUsageCertSign

  KeyUsageCRLSign

  7b:05:b1:d4:49:68:51:44:f7:c9:89:d2:9c:19:9d:12

  Certificate

  Issuer

  CN=VeriSign Universal Root Certification Authority,OU=VeriSign Trust Network+OU=(c) 2008 VeriSign\, Inc. - For authorized use only,O=VeriSign\, Inc.,C=US

  Not Before

  12-01-2016 00:00

  Not After

  11-01-2031 23:59

  Subject

  CN=Symantec SHA256 TimeStamping CA,OU=Symantec Trust Network,O=Symantec Corporation,C=US

  Extended Key Usages

  ExtKeyUsageTimeStamping

  Key Usages

  KeyUsageCertSign

  KeyUsageCRLSign

  7b:d4:e5:af:ba:cc:07:3f:a1:01:23:04:22:41:4d:12

  Certificate

  Issuer

  CN=Symantec SHA256 TimeStamping CA,OU=Symantec Trust Network,O=Symantec Corporation,C=US

  Not Before

  23-12-2017 00:00

  Not After

  22-03-2029 23:59

  Subject

  CN=Symantec SHA256 TimeStamping Signer - G3,OU=Symantec Trust Network,O=Symantec Corporation,C=US

  Extended Key Usages

  ExtKeyUsageTimeStamping

  Key Usages

  KeyUsageDigitalSignature

  e8:90:7b:3b:64:da:1e:ec:79:5b:11:42:a2:9b:7b:ab:c5:1f:c4:66:26:5a:75:7e:13:09:5a:d6:a5:12:36:c1

  Signer

  Actual PE Digest

  e8:90:7b:3b:64:da:1e:ec:79:5b:11:42:a2:9b:7b:ab:c5:1f:c4:66:26:5a:75:7e:13:09:5a:d6:a5:12:36:c1

  Digest Algorithm

  sha256

  PE Digest Matches

  true

  63:8c:92:0b:69:dc:9b:6b:18:8b:a7:8f:d4:d1:8c:81:90:e5:dc:7a

  Signer

  Actual PE Digest

  63:8c:92:0b:69:dc:9b:6b:18:8b:a7:8f:d4:d1:8c:81:90:e5:dc:7a

  Digest Algorithm

  sha1

  PE Digest Matches

  true

  Headers

  DLL Characteristics

  IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE

  IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE

  File Characteristics

  IMAGE_FILE_EXECUTABLE_IMAGE

  IMAGE_FILE_LARGE_ADDRESS_AWARE

  IMAGE_FILE_32BIT_MACHINE

  PDB Paths

  h:\syzygy_wpsoptimize\result\wps.pdb

  Imports

  kernel32

  InterlockedIncrement

  InterlockedDecrement

  FreeLibrary

  GetProcAddress

  LoadLibraryW

  GetModuleFileNameW

  CloseHandle

  TerminateProcess

  OpenProcess

  Process32NextW

  Process32FirstW

  GetCurrentProcessId

  CreateToolhelp32Snapshot

  GetLastError

  Sleep

  GetCurrentThreadId

  LoadLibraryA

  GetCommandLineW

  EnterCriticalSection

  LeaveCriticalSection

  UnregisterWaitEx

  WaitForMultipleObjects

  DeleteFileW

  InitializeCriticalSection

  QueueUserWorkItem

  WaitForSingleObject

  DeleteCriticalSection

  CreateThread

  LocalFree

  GetStartupInfoW

  GetModuleHandleW

  GetTickCount

  GetTempPathW

  CopyFileW

  SetDllDirectoryW

  GetDllDirectoryW

  DisconnectNamedPipe

  ConnectNamedPipe

  FlushFileBuffers

  ReadFile

  CreateIoCompletionPort

  CreateNamedPipeW

  WriteFile

  GetQueuedCompletionStatus

  PostQueuedCompletionStatus

  GetOverlappedResult

  CancelIo

  InterlockedExchange

  WaitNamedPipeW

  CreateFileW

  SetNamedPipeHandleState

  GetExitCodeProcess

  GetVersionExW

  LocalAlloc

  GetCurrentProcess

  MultiByteToWideChar

  WideCharToMultiByte

  GetPrivateProfileStringW

  CreateProcessW

  GetProcessId

  SetUnhandledExceptionFilter

  SizeofResource

  LockResource

  LoadResource

  FindResourceW

  FindResourceExW

  GetFileAttributesExW

  OpenFileMappingW

  ReleaseMutex

  UnmapViewOfFile

  CreateMutexW

  VirtualQuery

  MapViewOfFile

  CreateFileMappingW

  VerifyVersionInfoW

  VerSetConditionMask

  GetSystemDirectoryA

  SetEvent

  OpenMutexW

  CreateEventW

  HeapAlloc

  HeapFree

  InterlockedCompareExchange

  GetSystemInfo

  LoadLibraryExW

  GetModuleHandleExW

  SetErrorMode

  RaiseException

  GetPrivateProfileIntW

  GetUserDefaultUILanguage

  SetFilePointerEx

  GetFileSizeEx

  FileTimeToSystemTime

  SystemTimeToFileTime

  GetSystemTime

  CompareFileTime

  GetFileAttributesW

  SystemTimeToTzSpecificLocalTime

  FindClose

  FindFirstFileW

  CreateDirectoryW

  FindNextFileW

  ExpandEnvironmentStringsW

  GetCurrentThread

  ProcessIdToSessionId

  GetStringTypeW

  EncodePointer

  DecodePointer

  HeapSetInformation

  RtlUnwind

  HeapReAlloc

  SetConsoleCtrlHandler

  UnhandledExceptionFilter

  IsDebuggerPresent

  ExitThread

  ExitProcess

  GetSystemTimeAsFileTime

  HeapCreate

  HeapDestroy

  LCMapStringW

  GetCPInfo

  GetStdHandle

  FreeEnvironmentStringsW

  GetEnvironmentStringsW

  SetHandleCount

  InitializeCriticalSectionAndSpinCount

  GetFileType

  TlsAlloc

  TlsGetValue

  TlsSetValue

  TlsFree

  SetLastError

  QueryPerformanceCounter

  GetLocaleInfoW

  IsProcessorFeaturePresent

  GetACP

  GetOEMCP

  IsValidCodePage

  HeapSize

  SetEnvironmentVariableA

  SetEnvironmentVariableW

  GetUserDefaultLCID

  GetLocaleInfoA

  EnumSystemLocalesA

  IsValidLocale

  SetFilePointer

  GetConsoleCP

  GetConsoleMode

  CompareStringW

  SetStdHandle

  WriteConsoleW

  GetProcessHeap

  krpt

  ?_force_link_krpt@@YGXXZ

  Exports

  Exports

  GetHostInterface

  filterpluginExportCreate

  filterpluginFormatCorrect

  filterpluginImportCreate

  filterpluginRegister

  ksGetHWND

  wdGetApplicationObject

  Sections

  .text

  Size: 589KB - Virtual size: 589KB

  IMAGE_SCN_CNT_CODE

  IMAGE_SCN_MEM_EXECUTE

  IMAGE_SCN_MEM_READ

  .rdata

  Size: 178KB - Virtual size: 177KB

  IMAGE_SCN_CNT_INITIALIZED_DATA

  IMAGE_SCN_MEM_READ

  .data

  Size: 42KB - Virtual size: 58KB

  IMAGE_SCN_CNT_INITIALIZED_DATA

  IMAGE_SCN_MEM_READ

  IMAGE_SCN_MEM_WRITE

  .syzygy

  Size: 1024B - Virtual size: 876B

  IMAGE_SCN_CNT_INITIALIZED_DATA

  IMAGE_SCN_MEM_READ

  .rsrc

  Size: 165KB - Virtual size: 165KB

  IMAGE_SCN_CNT_INITIALIZED_DATA

  IMAGE_SCN_MEM_READ

  .reloc

  Size: 34KB - Virtual size: 34KB

  IMAGE_SCN_CNT_INITIALIZED_DATA

  IMAGE_SCN_MEM_DISCARDABLE

  IMAGE_SCN_MEM_READ