PDB Path: d:\work\projects\bk2\kloader\Release\amd64\kloader.pdb
General
Target: 0f068e82a6e139884f691c4211292213_JaffaCakes118
Size: 32KB
MD5: 0f068e82a6e139884f691c4211292213
SHA1: 7145b8b36a99d1d4d06b905f5ff3514f52459a64
SHA256: 73d807dcf7103b8dfadd56db747508cbe258081a8a900989285679999bad11cc
SHA512: 1e3718f7003ba0983fe0c7b1d9ad76f6f1087f0075e373932a181f6183343981b635068309c75e10fe40974e9559b593a1b56abd63d91d1609ef551c5cc491e1
SSDEEP: 768:1s+AXzb42R31wTIdn+rMe9jXFzi6EAYatyuFZAmu:16Db42ZOMd+rJ9jXhE9aty8K
Malware Config
Extracted: gozi
Signatures
Gozi family
Unsigned PE (1 IoC): checks for missing Authenticode signature.
Processes: resource 0f068e82a6e139884f691c4211292213_JaffaCakes118
Files
0f068e82a6e139884f691c4211292213_JaffaCakes118.sys (windows:5, windows x64, arch:x64)
94e9c5c6ed6d263882de562ac1045d50
Headers
File Characteristics
IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LARGE_ADDRESS_AWARE
PDB Paths
Imports
ntoskrnl.exe
KeAcquireSpinLockRaiseToDpc
KeReleaseSpinLock
RtlEqualUnicodeString
ZwClose
ExFreePoolWithTag
ExAllocatePoolWithTag
ZwQueryInformationProcess
ZwOpenProcess
RtlAnsiStringToUnicodeString
RtlInitAnsiString
ZwUnmapViewOfSection
ZwMapViewOfSection
ZwCreateSection
ZwAllocateVirtualMemory
KeDelayExecutionThread
KeInsertQueueApc
KeInitializeApc
PsSetLoadImageNotifyRoutine
PsSetCreateProcessNotifyRoutine
Sections
.text Size: 11KB - Virtual size: 10KB
IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ
.rdata Size: 2KB - Virtual size: 1KB
IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
.data Size: 1KB - Virtual size: 1KB
IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE
.pdata Size: 1024B - Virtual size: 672B
IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
INIT Size: 1024B - Virtual size: 656B
IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE
.reloc Size: 14KB - Virtual size: 16KB
IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ