Desktop[.]zip | Triage

Sharing

Copy URL Twitter E-mail

General

Target

Desktop.zip
Size

726KB
MD5

e246ae7e246c2b2338ef39b5e9939eb0
SHA1

8949c272d89bab738829ffef1c32d21e678dc08f
SHA256

854102ce0b7bfa33c717e4b8c5733cb8485a0eccc107879dbd4f628076a920df
SHA512

16bc0975d95f7652b58ff060e3ff9e6b0a953b1cf759c68494316289128d161e44b6580c9bdf493889389f4e25432608122e7f5ba75236dffd7d9d75f5d276a3
SSDEEP

12288:9WVwx1ONnb1D52lCec+t67p48j41ErhI0IVZDJOPIwKrKcso6Y/aE2lWTM9eS1s6:9Zx1mhd2l9c1dYEGBVxJOwwKryY/a/lj

Score

7^/10

upx

Malware Config

Signatures

ACProtect 1.3x - 1.4x DLL software 1 IoCs

Detects file using ACProtect software.

resource	yara_rule
static1/unpack001/php5ts.dll	acprotect

UPX packed file 1 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
static1/unpack001/php5ts.dll	upx

Files

Desktop.zip
.zip

Password: infected
php5ts.dll
.dll windows x86

Headers

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LINE_NUMS_STRIPPED
IMAGE_FILE_LOCAL_SYMS_STRIPPED
IMAGE_FILE_32BIT_MACHINE

Exports

Exports

GetSMErrorText
OnUpdateBool
OnUpdateLong
OnUpdateLongGEZero
OnUpdateReal
OnUpdateString
OnUpdateStringUnempty
PHP_3HAVAL128Init
PHP_3HAVAL160Init
PHP_3HAVAL192Init
PHP_3HAVAL224Init
PHP_3HAVAL256Init
PHP_3TIGERInit
PHP_4HAVAL128Init
PHP_4HAVAL160Init
PHP_4HAVAL192Init
PHP_4HAVAL224Init
PHP_4HAVAL256Init
PHP_4TIGERInit
PHP_5HAVAL128Init
PHP_5HAVAL160Init
PHP_5HAVAL192Init
PHP_5HAVAL224Init
PHP_5HAVAL256Init
PHP_ADLER32Final
PHP_ADLER32Init
PHP_ADLER32Update
PHP_CRC32BFinal
PHP_CRC32BUpdate
PHP_CRC32Final
PHP_CRC32Init
PHP_CRC32Update
PHP_GOSTFinal
PHP_GOSTInit
PHP_GOSTUpdate
PHP_HAVAL128Final
PHP_HAVAL160Final
PHP_HAVAL192Final
PHP_HAVAL224Final
PHP_HAVAL256Final
PHP_HAVALUpdate
PHP_MD2Final
PHP_MD2Init
PHP_MD2Update
PHP_MD4Final
PHP_MD4Update
PHP_MD5Final
PHP_MD5Init
PHP_MD5Update
PHP_RIPEMD128Final
PHP_RIPEMD128Init
PHP_RIPEMD128Update
PHP_RIPEMD160Final
PHP_RIPEMD160Init
PHP_RIPEMD160Update
PHP_RIPEMD256Final
PHP_RIPEMD256Init
PHP_RIPEMD256Update
PHP_RIPEMD320Final
PHP_RIPEMD320Init
PHP_RIPEMD320Update
PHP_SHA1Final
PHP_SHA1Init
PHP_SHA1Update
PHP_SHA256Final
PHP_SHA256Init
PHP_SHA256Update
PHP_SHA384Final
PHP_SHA384Init
PHP_SHA384Update
PHP_SHA512Final
PHP_SHA512Init
PHP_SHA512Update
PHP_SNEFRUFinal
PHP_SNEFRUInit
PHP_SNEFRUUpdate
PHP_TIGER128Final
PHP_TIGER160Final
PHP_TIGER192Final
PHP_TIGERUpdate
PHP_WHIRLPOOLFinal
PHP_WHIRLPOOLInit
PHP_WHIRLPOOLUpdate
TSMClose
TSendMail
UTF8ToHtml
UTF8Toisolat1
ValidateFormat
XML_GetUserData
__docbDefaultSAXHandler
__htmlDefaultSAXHandler
__oldXMLWDcompatibility
__xmlBufferAllocScheme
__xmlDefaultBufferSize
__xmlDefaultSAXHandler
__xmlDefaultSAXLocator
__xmlDeregisterNodeDefaultValue
__xmlDoValidityCheckingDefaultValue
__xmlGenericError
__xmlGenericErrorContext
__xmlGetWarningsDefaultValue
__xmlIndentTreeOutput
__xmlKeepBlanksDefaultValue
__xmlLineNumbersDefaultValue
__xmlLoadExtDtdDefaultValue
__xmlParserDebugEntities
__xmlParserVersion
__xmlPedanticParserDefaultValue
__xmlRegisterNodeDefaultValue
__xmlSaveNoEmptyTags
__xmlSubstituteEntitiesDefaultValue
__xmlTreeIndentString
_array_init
_convert_to_string
_ecalloc
_efree
_emalloc
_erealloc
_estrdup
_estrndup
_libiconv_version
_object_and_properties_init
_object_init
_object_init_ex
_php_emit_fd_setsize_warning
_php_error_log
_php_error_log_ex
_php_find_ps_module
_php_find_ps_serializer
_php_get_stream_filters_hash
_php_math_basetolong
_php_math_basetozval
_php_math_longtobase
_php_math_number_format
_php_math_zvaltobase
_php_stream_alloc
_php_stream_cast
_php_stream_copy_to_mem
_php_stream_copy_to_stream
_php_stream_copy_to_stream_ex
_php_stream_eof
_php_stream_filter_alloc
_php_stream_filter_append
_php_stream_filter_flush
_php_stream_filter_prepend
_php_stream_flush
_php_stream_fopen
_php_stream_fopen_from_fd
_php_stream_fopen_from_file
_php_stream_fopen_from_pipe
_php_stream_fopen_temporary_file
_php_stream_fopen_tmpfile
_php_stream_fopen_with_path
_php_stream_free
_php_stream_get_line
_php_stream_get_url_stream_wrappers_hash
_php_stream_getc
_php_stream_make_seekable
_php_stream_memory_create
_php_stream_memory_get_buffer
_php_stream_memory_open
_php_stream_mkdir
_php_stream_mmap_range
_php_stream_mmap_unmap
_php_stream_mmap_unmap_ex
_php_stream_open_wrapper_as_file
_php_stream_open_wrapper_ex
_php_stream_opendir
_php_stream_passthru
_php_stream_printf
_php_stream_putc
_php_stream_puts
_php_stream_read
_php_stream_readdir
_php_stream_rmdir
_php_stream_scandir
_php_stream_seek
_php_stream_set_option
_php_stream_sock_open_from_socket
_php_stream_sock_open_host
_php_stream_stat
_php_stream_stat_path
_php_stream_tell
_php_stream_temp_create
_php_stream_temp_open
_php_stream_truncate_set_size
_php_stream_write
_php_stream_xport_create
_safe_emalloc
_safe_erealloc
_safe_malloc
_safe_realloc
_xml_zval_strdup
_zend_bailout
_zend_get_parameters_array
_zend_get_parameters_array_ex
_zend_hash_add_or_update
_zend_hash_index_update_or_next_insert
_zend_hash_init
_zend_hash_init_ex
_zend_hash_merge
_zend_hash_quick_add_or_update
_zend_list_addref
_zend_list_delete
_zend_list_find
_zend_mem_block_size
_zend_mm_alloc
_zend_mm_block_size
_zend_mm_free
_zend_mm_realloc
_zend_ts_hash_add_or_update
_zend_ts_hash_index_update_or_next_insert
_zend_ts_hash_init
_zend_ts_hash_init_ex
_zend_ts_hash_quick_add_or_update
_zval_copy_ctor_func
_zval_dtor_func
_zval_internal_dtor
_zval_internal_ptr_dtor
_zval_ptr_dtor
add_assoc_bool_ex
add_assoc_double_ex
add_assoc_function
add_assoc_long_ex
add_assoc_null_ex
add_assoc_resource_ex
add_assoc_string_ex
add_assoc_stringl_ex
add_assoc_zval_ex
add_char_to_string
add_function
add_get_assoc_string_ex
add_get_assoc_stringl_ex
add_get_index_double
add_get_index_long
add_get_index_string
add_get_index_stringl
add_index_bool
add_index_double
add_index_long
add_index_null
add_index_resource
add_index_string
add_index_stringl
add_index_zval
add_next_index_bool
add_next_index_double
add_next_index_long
add_next_index_null
add_next_index_resource
add_next_index_string
add_next_index_stringl
add_next_index_zval
add_property_bool_ex
add_property_double_ex
add_property_long_ex
add_property_null_ex
add_property_resource_ex
add_property_string_ex
add_property_stringl_ex
add_property_zval_ex
add_string_to_string
adler32
ap_php_slprintf
ap_php_snprintf
ap_php_vslprintf
ap_php_vsnprintf
attribute
attributeDecl
basic_globals_id
bitwise_and_function
bitwise_not_function
bitwise_or_function
bitwise_xor_function
boolean_not_function
boolean_xor_function
call_user_function
call_user_function_ex
cdataBlock
cfg_get_double
cfg_get_entry
cfg_get_long
cfg_get_string
characters
checkNamespace
comment
compare_function
compile_file
compile_filename
compile_string
compiler_globals_id
compress
compress2
compressBound
concat_function
convert_scalar_to_number
convert_to_array
convert_to_boolean
convert_to_double
convert_to_long
convert_to_long_base
convert_to_null
convert_to_object
core_globals_id
crc32
crypt
decrement_function
deflate
deflateBound
deflateCopy
deflateEnd
deflateInit2_
deflateInit_
deflateParams
deflatePrime
deflateReset
deflateSetDictionary
destroy_op_array
destroy_zend_class
destroy_zend_function
display_ini_entries
display_link_numbers
div_function
do_bind_class
do_bind_function
do_bind_inherited_class
docbCreateFileParserCtxt
docbCreatePushParserCtxt
docbDefaultSAXHandlerInit
docbEncodeEntities
docbFreeParserCtxt
docbParseChunk
docbParseDoc
docbParseDocument
docbParseFile
docbSAXParseDoc
docbSAXParseFile
dom_node_class_entry
dom_object_get_node
dummy_indent
elementDecl
empty_fcall_info_cache
endDocument
endElement
entityDecl
execute
execute_internal
executor_globals_id
expand_filepath
expand_filepath_ex
externalSubset
file_globals_id
flock
free_estring
function_add_ref
getColumnNumber
getEntity
getLineNumber
getNamespace
getParameterEntity
getPublicId
getSystemId
get_active_class_name
get_active_function_name
get_binary_op
get_crc_table
get_timezone_info
get_unary_op
get_zend_version
gettimeofday
globalNamespace
gzclearerr
gzclose
gzdopen
gzeof
gzerror
gzflush
gzgetc
gzgets
gzopen
gzprintf
gzputc
gzputs
gzread
gzrewind
gzseek
gzsetparams
gztell
gzungetc
gzwrite
hasExternalSubset
hasInternalSubset
highlight_file
highlight_string
htmlAttrAllowed
htmlAutoCloseTag
htmlCreateFileParserCtxt
htmlCreateMemoryParserCtxt
htmlCreatePushParserCtxt
htmlCtxtReadDoc
htmlCtxtReadFd
htmlCtxtReadFile
htmlCtxtReadIO
htmlCtxtReadMemory
htmlCtxtReset
htmlCtxtUseOptions
htmlDefaultSAXHandlerInit
htmlDocContentDumpFormatOutput
htmlDocContentDumpOutput
htmlDocDump
htmlDocDumpMemory
htmlElementAllowedHere
htmlElementStatusHere
htmlEncodeEntities
htmlEntityLookup
htmlEntityValueLookup
htmlFreeParserCtxt
htmlGetMetaEncoding
htmlHandleOmittedElem
htmlInitAutoClose
htmlIsAutoClosed
htmlIsBooleanAttr
htmlIsScriptAttribute
htmlNewDoc
htmlNewDocNoDtD
htmlNodeDump
htmlNodeDumpFile
htmlNodeDumpFileFormat
htmlNodeDumpFormatOutput
htmlNodeDumpOutput
htmlNodeStatus
htmlParseCharRef
htmlParseChunk
htmlParseDoc
htmlParseDocument
htmlParseElement
htmlParseEntityRef
htmlParseFile
htmlReadDoc
htmlReadFd
htmlReadFile
htmlReadIO
htmlReadMemory
htmlSAXParseDoc
htmlSAXParseFile
htmlSaveFile
htmlSaveFileEnc
htmlSaveFileFormat
htmlSetMetaEncoding
htmlTagLookup
iconv_canonicalize
ignorableWhitespace
increment_function
inflate
inflateBack
inflateBackEnd
inflateBackInit_
inflateCopy
inflateEnd
inflateInit2_
inflateInit_
inflateReset
inflateSetDictionary
inflateSync
inflateSyncPoint
ini_scanner_globals_id
initGenericErrorDefaultFunc
init_op_array
initdocbDefaultSAXHandler
inithtmlDefaultSAXHandler
initxmlDefaultSAXHandler
inputPop
inputPush
instanceof_function
instanceof_function_ex
internalSubset
isStandalone
is_equal_function
is_identical_function
is_not_equal_function
is_not_identical_function
is_smaller_function
is_smaller_or_equal_function
is_zend_mm
isolat1ToUTF8
language_scanner_globals_id
le_index_ptr
lex_scan
libiconv
libiconv_close
libiconv_open
libiconv_set_relocation_prefix
libiconvctl
libiconvlist
localeconv_r
make_digest
make_digest_ex
make_sha1_digest
mod_function
module_registry

Sections

UPX0
Size: - Virtual size: 732KB

IMAGE_SCN_CNT_UNINITIALIZED_DATA
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

UPX1
Size: 688KB - Virtual size: 692KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.rsrc
Size: 91KB - Virtual size: 92KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE
票_据.data
票_据.exe
.exe windows x86

67bfdb134f0fdf5aaedc30c76c31917d

Headers

File Characteristics

IMAGE_FILE_RELOCS_STRIPPED
IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LINE_NUMS_STRIPPED
IMAGE_FILE_LOCAL_SYMS_STRIPPED
IMAGE_FILE_32BIT_MACHINE

Imports

php5ts

zend_hash_del_key_or_index
_erealloc
zend_strndup
_zend_hash_add_or_update
zend_hash_find
tsrm_realpath
_estrndup
php_handle_auth_data
zend_extensions
zend_llist_copy
zend_llist_sort
zend_llist_apply_with_argument
zend_llist_destroy
_zend_hash_init
module_registry
zend_hash_copy
zend_qsort
zend_hash_sort
zend_hash_apply_with_argument
zend_hash_destroy
tsrm_startup
sapi_startup
tsrm_shutdown
executor_globals_id
php_body_write
gettimeofday
compiler_globals_id
_estrdup
php_output_startup
php_output_activate
php_end_ob_buffers
zend_load_extension
php_strlcat
php_request_startup
php_check_open_basedir
php_fopen_primary_script
php_execute_script
php_lint_script
zend_printf
open_file_for_scanning
php_get_highlight_struct
zend_highlight
php_request_shutdown
php_module_shutdown
php_print_info
php_printf
get_zend_version
sapi_shutdown
zend_strip
display_ini_entries
zend_unregister_ini_entries
ts_allocate_id
zend_register_ini_entries
php_module_startup
ts_resource_ex
php_import_environment_variables
_emalloc
_efree
core_globals_id
zend_hash_num_elements
_zval_dtor_func
_zval_copy_ctor_func
zend_hash_internal_pointer_reset_ex
zend_hash_get_current_key_ex
zend_hash_get_current_data_ex
sapi_module
php_register_variable_safe
zend_hash_move_forward_ex
php_header_write
ap_php_slprintf
zend_llist_get_first_ex
zend_llist_get_next_ex
sapi_globals_id
php_handle_aborted_connection
php_module_shutdown_wrapper
zend_error
OnUpdateBool
OnUpdateString

ws2_32

shutdown
listen
bind
setsockopt
socket
htonl
gethostbyname
inet_addr
htons
WSAGetLastError
recv
closesocket
inet_ntoa
accept
send

kernel32

ReleaseMutex
CreateEventA
ConnectNamedPipe
GetLastError
CloseHandle
DisconnectNamedPipe
GetNamedPipeInfo
CreateNamedPipeA
WaitForSingleObject
GetStdHandle
FlushFileBuffers
CreateThread
SetNamedPipeHandleState

advapi32

RevertToSelf
GetSidLengthRequired
InitializeSid
GetSidSubAuthority
InitializeAcl
AddAccessAllowedAce
InitializeSecurityDescriptor
SetSecurityDescriptorDacl
ImpersonateNamedPipeClient

msvcrt

_get_osfhandle
strncpy
_open_osfhandle
strerror
strncmp
strstr
strrchr
_setjmp3
_fmode
__mb_cur_max
_isctype
_pctype
realloc
printf
exit
fgetc
ftell
fseek
rewind
fclose
malloc
free
fprintf
getenv
strchr
atoi
fflush
fwrite
_iob
_exit
_XcptFilter
__p___initenv
__getmainargs
_initterm
__setusermatherr
_adjust_fdiv
__p__commode
__p__fmode
__set_app_type
_except_handler3
_controlfp
_strnicmp
_read
_strdup
_setmode
_stricmp
_stat
_putenv
_errno
_write

Sections

.text
Size: 24KB - Virtual size: 21KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rdata
Size: 12KB - Virtual size: 8KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.data
Size: 4KB - Virtual size: 896B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.rsrc
Size: 4KB - Virtual size: 3KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

Sharing

General

Malware Config

Signatures

Files

Password: infected

Headers

File Characteristics

Exports

Exports

Sections

UPX0 Size: - Virtual size: 732KB

UPX1 Size: 688KB - Virtual size: 692KB

.rsrc Size: 91KB - Virtual size: 92KB

67bfdb134f0fdf5aaedc30c76c31917d

Headers

File Characteristics

Imports

php5ts

ws2_32

kernel32

advapi32

msvcrt

Sections

.text Size: 24KB - Virtual size: 21KB

.rdata Size: 12KB - Virtual size: 8KB

.data Size: 4KB - Virtual size: 896B

.rsrc Size: 4KB - Virtual size: 3KB

UPX0
Size: - Virtual size: 732KB

UPX1
Size: 688KB - Virtual size: 692KB

.rsrc
Size: 91KB - Virtual size: 92KB

.text
Size: 24KB - Virtual size: 21KB

.rdata
Size: 12KB - Virtual size: 8KB

.data
Size: 4KB - Virtual size: 896B

.rsrc
Size: 4KB - Virtual size: 3KB