/var/tmp/build/firefox-71aaf16cd119/obj-mingw/accessible/interfaces/ia2/IA2Marshal.pdb
Behavioral task
behavioral1
Sample
DLL/IA2Marshal.dll
Resource
win7-20240903-en
Behavioral task
behavioral2
Sample
DLL/IA2Marshal.dll
Resource
win10v2004-20241007-en
Behavioral task
behavioral3
Sample
DLL/freebl3.dll
Resource
win7-20240903-en
Behavioral task
behavioral4
Sample
DLL/freebl3.dll
Resource
win10v2004-20241007-en
Behavioral task
behavioral5
Sample
Installer.exe
Resource
win7-20240903-en
General
-
Target
JaffaCakes118_d54579acfb0e2fb0a84793e4606ca68604145561edc3546d1d8f94b56aea4c1b
-
Size
528KB
-
MD5
d8b7373cb54b34f3b725624365b1ee27
-
SHA1
dbfd67e807e62575f0f543aee6f869ade70a397c
-
SHA256
d54579acfb0e2fb0a84793e4606ca68604145561edc3546d1d8f94b56aea4c1b
-
SHA512
ffc3a3a3e6718c8cd488b9150fe027f5747962b36c082d69860dcce65deef70fdca7eadf936746518cdeee2174fa8e7d4abebc423e20bb13a485a471b1537bbd
-
SSDEEP
12288:VdijvDOg6psceaoJnx4URTVh2pwhdDHrU7Xowmyn/Jj:Np6aoJNNLL0Vma/Jj
Malware Config
Signatures
-
Obfuscated with Agile.Net obfuscator 1 IoCs
Detects use of the Agile.Net commercial obfuscator, which is capable of entity renaming and control flow obfuscation.
resource yara_rule static1/unpack002/Installer.exe agile_net -
Unsigned PE 2 IoCs
Checks for missing Authenticode signature.
resource unpack002/DLL/IA2Marshal.dll unpack002/DLL/freebl3.dll
Files
-
JaffaCakes118_d54579acfb0e2fb0a84793e4606ca68604145561edc3546d1d8f94b56aea4c1b.zip
Password: infected
-
f_00e1b2.zip
-
DLL/IA2Marshal.dll.dll regsvr32 windows:6 windows x64 arch:x64
647a85e36e41699e332c1c106f975a6f
Headers
DLL Characteristics
IMAGE_DLLCHARACTERISTICS_HIGH_ENTROPY_VA
IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
IMAGE_DLLCHARACTERISTICS_NX_COMPAT
File Characteristics
IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LARGE_ADDRESS_AWARE
IMAGE_FILE_DLL
PDB Paths
Imports
kernel32
DeleteCriticalSection
DisableThreadLibraryCalls
EnterCriticalSection
GetLastError
InitializeCriticalSection
LeaveCriticalSection
Sleep
TlsGetValue
VirtualProtect
VirtualQuery
rpcrt4
CStdStubBuffer_AddRef
CStdStubBuffer_Connect
CStdStubBuffer_CountRefs
CStdStubBuffer_DebugServerQueryInterface
CStdStubBuffer_DebugServerRelease
CStdStubBuffer_Disconnect
CStdStubBuffer_Invoke
CStdStubBuffer_IsIIDSupported
CStdStubBuffer_QueryInterface
IUnknown_AddRef_Proxy
IUnknown_QueryInterface_Proxy
IUnknown_Release_Proxy
NdrCStdStubBuffer2_Release
NdrCStdStubBuffer_Release
NdrDllCanUnloadNow
NdrDllGetClassObject
NdrDllRegisterProxy
NdrDllUnregisterProxy
NdrOleAllocate
NdrOleFree
NdrStubCall2
NdrStubForwardingFunction
ole32
HWND_UserFree
HWND_UserMarshal
HWND_UserSize
HWND_UserUnmarshal
oleaut32
BSTR_UserFree
BSTR_UserMarshal
BSTR_UserSize
BSTR_UserUnmarshal
VARIANT_UserFree
VARIANT_UserMarshal
VARIANT_UserSize
VARIANT_UserUnmarshal
api-ms-win-crt-runtime-l1-1-0
__p___argc
__p___argv
__p___wargv
_configure_narrow_argv
_configure_wide_argv
_crt_at_quick_exit
_crt_atexit
_execute_onexit_table
_initialize_narrow_environment
_initialize_onexit_table
_initialize_wide_environment
_initterm
_register_onexit_function
abort
api-ms-win-crt-private-l1-1-0
memcpy
api-ms-win-crt-stdio-l1-1-0
__acrt_iob_func
__stdio_common_vfprintf
__stdio_common_vfwprintf
fwrite
api-ms-win-crt-environment-l1-1-0
__p__environ
__p__wenviron
api-ms-win-crt-heap-l1-1-0
_set_new_mode
api-ms-win-crt-time-l1-1-0
__daylight
__timezone
__tzname
_tzset
mozglue
calloc
free
api-ms-win-crt-string-l1-1-0
strlen
strncmp
Exports
Exports
DllCanUnloadNow
DllGetClassObject
DllRegisterServer
DllUnregisterServer
GetProxyDllInfo
Sections
.text Size: 9KB - Virtual size: 8KB
IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ
.rdata Size: 28KB - Virtual size: 28KB
IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
.buildid Size: 512B - Virtual size: 139B
IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
.data Size: 4KB - Virtual size: 4KB
IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE
.pdata Size: 512B - Virtual size: 312B
IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
.tls Size: 512B - Virtual size: 16B
IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE
.rsrc Size: 30KB - Virtual size: 30KB
IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
.reloc Size: 2KB - Virtual size: 1KB
IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ
-
DLL/freebl3.dll.dll windows:6 windows x64 arch:x64
8a564fee0e9aa5547525f921a1b23c12
Headers
DLL Characteristics
IMAGE_DLLCHARACTERISTICS_HIGH_ENTROPY_VA
IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
IMAGE_DLLCHARACTERISTICS_NX_COMPAT
File Characteristics
IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LARGE_ADDRESS_AWARE
IMAGE_FILE_DLL
PDB Paths
/var/tmp/build/firefox-71aaf16cd119/obj-mingw/security/nss/lib/freebl/freebl_freebl3/freebl3.pdb
Imports
nss3
NSS_SecureMemcmp
NSS_SecureMemcmpZero
PORT_Alloc_Util
PORT_ArenaAlloc_Util
PORT_ArenaZAlloc_Util
PORT_FreeArena_Util
PORT_Free_Util
PORT_GetError_Util
PORT_NewArena_Util
PORT_SetError_Util
PORT_ZAllocAlignedOffset_Util
PORT_ZAlloc_Util
PORT_ZFree_Util
PR_CallOnce
PR_DestroyCondVar
PR_DestroyLock
PR_GetEnvSecure
PR_Lock
PR_NewCondVar
PR_NewLock
PR_NotifyAllCondVar
PR_NotifyCondVar
PR_Unlock
PR_WaitCondVar
SECITEM_AllocItem_Util
SECITEM_CompareItem_Util
SECITEM_CopyItem_Util
SECITEM_FreeItem_Util
SECITEM_ZfreeItem_Util
SECOID_FindOIDTag_Util
advapi32
CryptAcquireContextA
CryptGenRandom
CryptReleaseContext
SystemFunction036
api-ms-win-crt-heap-l1-1-0
_set_new_mode
calloc
free
malloc
api-ms-win-crt-private-l1-1-0
memcmp
memcpy
api-ms-win-crt-runtime-l1-1-0
__p___argc
__p___argv
__p___wargv
_configure_narrow_argv
_configure_wide_argv
_crt_at_quick_exit
_crt_atexit
_execute_onexit_table
_exit
_initialize_narrow_environment
_initialize_onexit_table
_initialize_wide_environment
_initterm
_register_onexit_function
abort
api-ms-win-crt-string-l1-1-0
_strdup
islower
isupper
memset
strlen
strncmp
tolower
toupper
api-ms-win-crt-time-l1-1-0
__daylight
__timezone
__tzname
_time64
_tzset
api-ms-win-crt-utility-l1-1-0
rand
kernel32
DeleteCriticalSection
EnterCriticalSection
GetComputerNameA
GetCurrentProcess
GetCurrentProcessId
GetCurrentThreadId
GetDiskFreeSpaceA
GetLastError
GetLogicalDrives
GetTickCount
GetVolumeInformationA
GlobalMemoryStatus
InitializeCriticalSection
LeaveCriticalSection
QueryPerformanceCounter
Sleep
TlsGetValue
VirtualProtect
VirtualQuery
api-ms-win-crt-stdio-l1-1-0
__acrt_iob_func
__stdio_common_vfprintf
__stdio_common_vfwprintf
_close
_open
_write
fwrite
api-ms-win-crt-environment-l1-1-0
__p__environ
__p__wenviron
Exports
Exports
FREEBL_GetVector
Sections
.text Size: 559KB - Virtual size: 558KB
IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ
.rdata Size: 170KB - Virtual size: 169KB
IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
.buildid Size: 512B - Virtual size: 149B
IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
.data Size: 512B - Virtual size: 16KB
IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE
.pdata Size: 7KB - Virtual size: 7KB
IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
.tls Size: 512B - Virtual size: 16B
IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE
.rsrc Size: 1024B - Virtual size: 896B
IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
.reloc Size: 1024B - Virtual size: 964B
IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ
-
Installer.exe.exe windows:4 windows x86 arch:x86
f34d5f2d4577ed6d9ceec516c1f5a744
Code Sign
Certificate
04:00:00:00:00:01:2f:4e:e1:52:d7
Issuer: CN=GlobalSign Root CA,OU=Root CA,O=GlobalSign nv-sa,C=BE
Not Before: 13/04/2011, 10:00
Not After: 28/01/2028, 12:00
Subject: CN=GlobalSign Timestamping CA - G2,O=GlobalSign nv-sa,C=BE
Key Usages
KeyUsageCertSign
KeyUsageCRLSign
Certificate
11:21:d6:99:a7:64:97:3e:f1:f8:42:7e:e9:19:cc:53:41:14
Issuer: CN=GlobalSign Timestamping CA - G2,O=GlobalSign nv-sa,C=BE
Not Before: 24/05/2016, 00:00
Not After: 24/06/2027, 00:00
Subject: CN=GlobalSign TSA for MS Authenticode - G2,O=GMO GlobalSign Pte Ltd,C=SG
Extended Key Usages
ExtKeyUsageTimeStamping
Key Usages
KeyUsageDigitalSignature
Certificate
05:37:f2:5a:88:e2:4c:af:dd:79:19:fa:30:1e:81:46
Issuer: CN=DigiCert High Assurance Code Signing CA-1,OU=www.digicert.com,O=DigiCert Inc,C=US
Not Before: 16/12/2019, 00:00
Not After: 16/11/2021, 12:00
Subject: CN=Avira Operations GmbH & Co. KG,O=Avira Operations GmbH & Co. KG,L=Tettnang,C=DE
Extended Key Usages
ExtKeyUsageCodeSigning
Key Usages
KeyUsageDigitalSignature
Certificate
61:20:4d:b4:00:00:00:00:00:27
Issuer: CN=Microsoft Code Verification Root,O=Microsoft Corporation,L=Redmond,ST=Washington,C=US
Not Before: 15/04/2011, 19:45
Not After: 15/04/2021, 19:55
Subject: CN=DigiCert High Assurance EV Root CA,OU=www.digicert.com,O=DigiCert Inc,C=US
Key Usages
KeyUsageDigitalSignature
KeyUsageCertSign
KeyUsageCRLSign
Certificate
02:c4:d1:e5:8a:4a:68:0c:56:8d:a3:04:7e:7e:4d:5f
Issuer: CN=DigiCert High Assurance EV Root CA,OU=www.digicert.com,O=DigiCert Inc,C=US
Not Before: 11/02/2011, 12:00
Not After: 10/02/2026, 12:00
Subject: CN=DigiCert High Assurance Code Signing CA-1,OU=www.digicert.com,O=DigiCert Inc,C=US
Extended Key Usages
ExtKeyUsageCodeSigning
Key Usages
KeyUsageDigitalSignature
KeyUsageCertSign
KeyUsageCRLSign
Certificate
01:ee:5f:16:9d:ff:97:35:2b:64:65:d6:6a
Issuer: CN=GlobalSign Root CA,OU=Root CA,O=GlobalSign nv-sa,C=BE
Not Before: 19/09/2018, 00:00
Not After: 28/01/2028, 12:00
Subject: CN=GlobalSign,OU=GlobalSign Root CA - R3,O=GlobalSign
Key Usages
KeyUsageCertSign
KeyUsageCRLSign
Certificate
48:1b:6a:07:a9:42:4c:1e:aa:fe:f3:cd:f1:0f
Issuer: CN=GlobalSign,OU=GlobalSign Root CA - R3,O=GlobalSign
Not Before: 15/06/2016, 00:00
Not After: 15/06/2024, 00:00
Subject: CN=GlobalSign Extended Validation CodeSigning CA - SHA256 - G3,O=GlobalSign nv-sa,C=BE
Extended Key Usages
ExtKeyUsageCodeSigning
ExtKeyUsageOCSPSigning
Key Usages
KeyUsageCertSign
KeyUsageCRLSign
Certificate
61:29:15:27:00:00:00:00:00:2a
Issuer: CN=Microsoft Code Verification Root,O=Microsoft Corporation,L=Redmond,ST=Washington,C=US
Not Before: 15/04/2011, 19:55
Not After: 15/04/2021, 20:05
Subject: CN=GlobalSign Root CA,OU=Root CA,O=GlobalSign nv-sa,C=BE
Key Usages
KeyUsageDigitalSignature
KeyUsageCertSign
KeyUsageCRLSign
Certificate
2a:09:50:26:3e:06:49:6a:27:81:f5:50
Issuer: CN=GlobalSign Extended Validation CodeSigning CA - SHA256 - G3,O=GlobalSign nv-sa,C=BE
Not Before: 11/07/2018, 11:33
Not After: 11/07/2021, 11:33
Subject: SERIALNUMBER=HRA 722586,CN=Avira Operations GmbH & Co. KG,OU=Cloud\, Services and Infrastructure,O=Avira Operations GmbH & Co. KG,STREET=Kaplaneiweg 1,L=Tettnang,ST=Baden-Wuerttemberg,C=DE,1.2.840.113549.1.9.1=#0c0c63614061766972612e636f6d,1.3.6.1.4.1.311.60.2.1.1=#1303556c6d,1.3.6.1.4.1.311.60.2.1.2=#1312426164656e2d577565727474656d62657267,1.3.6.1.4.1.311.60.2.1.3=#13024445,2.5.4.15=#131450726976617465204f7267616e697a6174696f6e
Extended Key Usages
ExtKeyUsageCodeSigning
Key Usages
KeyUsageDigitalSignature
Certificate
3d:1a:35:72:30:15:82:63:30:d0:13:71:7e:82:41:08
Issuer: CN=Sectigo RSA Time Stamping CA,O=Sectigo Limited,L=Salford,ST=Greater Manchester,C=GB
Not Before: 02/05/2019, 00:00
Not After: 01/08/2030, 23:59
Subject: CN=Sectigo RSA Time Stamping Signer #1,O=Sectigo Limited,L=Salford,ST=Greater Manchester,C=GB
Extended Key Usages
ExtKeyUsageTimeStamping
Key Usages
KeyUsageDigitalSignature
KeyUsageContentCommitment
Certificate
30:0f:6f:ac:dd:66:98:74:7c:a9:46:36:a7:78:2d:b9
Issuer: CN=USERTrust RSA Certification Authority,O=The USERTRUST Network,L=Jersey City,ST=New Jersey,C=US
Not Before: 02/05/2019, 00:00
Not After: 18/01/2038, 23:59
Subject: CN=Sectigo RSA Time Stamping CA,O=Sectigo Limited,L=Salford,ST=Greater Manchester,C=GB
Extended Key Usages
ExtKeyUsageTimeStamping
Key Usages
KeyUsageDigitalSignature
KeyUsageCertSign
KeyUsageCRLSign
Signer
a9:24:df:45:43:99:8d:c8:3d:66:9a:a7:09:a6:fe:c0:38:90:1e:b3:c0:c8:b2:eb:c7:7e:be:c0:45:9f:43:3e
Actual PE Digest: a9:24:df:45:43:99:8d:c8:3d:66:9a:a7:09:a6:fe:c0:38:90:1e:b3:c0:c8:b2:eb:c7:7e:be:c0:45:9f:43:3e
Digest Algorithm: sha256
PE Digest Matches: false
Signer
a9:0a:db:0c:de:41:92:e9:cd:57:1a:56:6b:9a:e5:3d:c4:b8:60:79
Actual PE Digest: a9:0a:db:0c:de:41:92:e9:cd:57:1a:56:6b:9a:e5:3d:c4:b8:60:79
Digest Algorithm: sha1
PE Digest Matches: false
Both signer entries report that the PE digest does not match, so the Authenticode signature and the code-signing chain listed above do not verify the contents of this Installer.exe as analysed.
Headers
DLL Characteristics
IMAGE_DLLCHARACTERISTICS_HIGH_ENTROPY_VA
IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
IMAGE_DLLCHARACTERISTICS_NX_COMPAT
IMAGE_DLLCHARACTERISTICS_NO_SEH
IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE
File Characteristics
IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_32BIT_MACHINE
Imports
mscoree
_CorExeMain
Sections
.text Size: 69KB - Virtual size: 68KB
IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ
.rsrc Size: 65KB - Virtual size: 65KB
IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
.reloc Size: 512B - Virtual size: 12B
IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ