General

Malware Config

Signatures

Files

• gw.zip

  .zip

  Password: infected

• GWSetup.exe

  .exe windows x86

  6764de3c337d1174cf7fb745719c7224

  
  

  Code Sign

  04:00:00:00:00:01:2f:4e:e1:52:d7

  Certificate

  Issuer

  CN=GlobalSign Root CA,OU=Root CA,O=GlobalSign nv-sa,C=BE

  Not Before

  13-04-2011 10:00

  Not After

  28-01-2028 12:00

  Subject

  CN=GlobalSign Timestamping CA - G2,O=GlobalSign nv-sa,C=BE

  Key Usages

  KeyUsageCertSign

  KeyUsageCRLSign

  04:00:00:00:00:01:31:89:c6:37:e8

  Certificate

  Issuer

  CN=GlobalSign,OU=GlobalSign Root CA - R3,O=GlobalSign

  Not Before

  02-08-2011 10:00

  Not After

  02-08-2019 10:00

  Subject

  CN=GlobalSign CodeSigning CA - SHA256 - G2,O=GlobalSign nv-sa,C=BE

  Extended Key Usages

  ExtKeyUsageCodeSigning

  Key Usages

  KeyUsageCertSign

  KeyUsageCRLSign

  11:21:d6:99:a7:64:97:3e:f1:f8:42:7e:e9:19:cc:53:41:14

  Certificate

  Issuer

  CN=GlobalSign Timestamping CA - G2,O=GlobalSign nv-sa,C=BE

  Not Before

  24-05-2016 00:00

  Not After

  24-06-2027 00:00

  Subject

  CN=GlobalSign TSA for MS Authenticode - G2,O=GMO GlobalSign Pte Ltd,C=SG

  Extended Key Usages

  ExtKeyUsageTimeStamping

  Key Usages

  KeyUsageDigitalSignature

  36:6c:4f:b8:e7:15:ab:f9:7d:d9:dc:00

  Certificate

  Issuer

  CN=GlobalSign CodeSigning CA - SHA256 - G2,O=GlobalSign nv-sa,C=BE

  Not Before

  22-06-2016 01:44

  Not After

  29-09-2018 06:11

  Subject

  CN=北京网康科技有限公司,OU=NGFW产品部,O=北京网康科技有限公司,L=Beijing,ST=Beijing,C=CN

  Extended Key Usages

  ExtKeyUsageCodeSigning

  Key Usages

  KeyUsageDigitalSignature

  d9:dd:54:b8:ab:da:f7:03:21:6d:9d:c2:df:0a:ee:53:78:3f:7d:73

  Signer

  Actual PE Digest

  d9:dd:54:b8:ab:da:f7:03:21:6d:9d:c2:df:0a:ee:53:78:3f:7d:73

  Digest Algorithm

  sha1

  PE Digest Matches

  true

  Signature Validations

  Trusted

  true

  Verification

  Signing Certificate

  CN=北京网康科技有限公司,OU=NGFW产品部,O=北京网康科技有限公司,L=Beijing,ST=Beijing,C=CN

  21-10-2016 09:04

  Valid: true

  Chain 1

  CN=北京网康科技有限公司,OU=NGFW产品部,O=北京网康科技有限公司,L=Beijing,ST=Beijing,C=CN

  CN=GlobalSign CodeSigning CA - SHA256 - G2,O=GlobalSign nv-sa,C=BE

  CN=GlobalSign,OU=GlobalSign Root CA - R3,O=GlobalSign

  Headers

  DLL Characteristics

  IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE

  File Characteristics

  IMAGE_FILE_RELOCS_STRIPPED

  IMAGE_FILE_EXECUTABLE_IMAGE

  IMAGE_FILE_LINE_NUMS_STRIPPED

  IMAGE_FILE_LOCAL_SYMS_STRIPPED

  IMAGE_FILE_32BIT_MACHINE

  Imports

  kernel32

  LocalFileTimeToFileTime

  DosDateTimeToFileTime

  GetFileAttributesA

  FileTimeToDosDateTime

  FileTimeToLocalFileTime

  GetFileInformationByHandle

  GetLastError

  HeapFree

  HeapAlloc

  GetProcessHeap

  CopyFileA

  GetSystemTime

  MoveFileExA

  RemoveDirectoryA

  SetFileTime

  FindNextFileA

  FindFirstFileA

  SystemTimeToTzSpecificLocalTime

  FileTimeToSystemTime

  GetTimeZoneInformation

  GetFileTime

  ExpandEnvironmentStringsA

  SetEndOfFile

  SetFilePointer

  OutputDebugStringA

  GetLocalTime

  lstrcmpiA

  SetFileAttributesA

  lstrcpynA

  lstrcpyA

  lstrcatA

  FreeLibrary

  GetTempPathA

  CreateDirectoryA

  LoadLibraryA

  GetProcAddress

  Sleep

  GetModuleFileNameA

  GlobalFree

  lstrlenA

  DeleteFileA

  WriteFile

  CreateFileA

  CloseHandle

  GetFileSize

  GlobalAlloc

  ReadFile

  FindClose

  GetStartupInfoA

  GetModuleHandleA

  advapi32

  RegEnumKeyExA

  RegDeleteValueA

  AddAccessAllowedAce

  RegSetKeySecurity

  RegDeleteKeyA

  RegEnumKeyA

  RegEnumValueA

  RegQueryValueExA

  RegSetValueExA

  RegCloseKey

  RegCreateKeyExA

  RegOpenKeyExA

  AllocateAndInitializeSid

  GetLengthSid

  InitializeAcl

  AddAccessAllowedAceEx

  InitializeSecurityDescriptor

  SetSecurityDescriptorDacl

  SetFileSecurityA

  FreeSid

  shell32

  StrCmpNIA

  shlwapi

  StrTrimA

  version

  GetFileVersionInfoA

  GetFileVersionInfoSizeA

  VerQueryValueA

  msvcrt

  fopen

  _stricmp

  _controlfp

  _except_handler3

  __set_app_type

  strstr

  strrchr

  strncat

  strncpy

  _strrev

  atoi

  _access

  _open

  _CxxThrowException

  _read

  _write

  memmove

  _close

  _lseek

  ??2@YAPAXI@Z

  ??3@YAXPAX@Z

  strchr

  sprintf

  _errno

  remove

  _snprintf

  __CxxFrameHandler

  fclose

  _fileno

  free

  malloc

  ftell

  fseek

  _vsnprintf

  iscntrl

  __dllonexit

  _onexit

  ??1type_info@@UAE@XZ

  _exit

  _XcptFilter

  exit

  _acmdln

  __getmainargs

  _initterm

  __setusermatherr

  _adjust_fdiv

  __p__commode

  __p__fmode

  setupapi

  SetupIterateCabinetA

  Sections

  .text

  Size: 20KB - Virtual size: 20KB

  IMAGE_SCN_CNT_CODE

  IMAGE_SCN_MEM_EXECUTE

  IMAGE_SCN_MEM_READ

  .rdata

  Size: 3KB - Virtual size: 3KB

  IMAGE_SCN_CNT_INITIALIZED_DATA

  IMAGE_SCN_MEM_READ

  .data

  Size: 2KB - Virtual size: 7KB

  IMAGE_SCN_CNT_INITIALIZED_DATA

  IMAGE_SCN_MEM_READ

  IMAGE_SCN_MEM_WRITE

  .rsrc

  Size: 16KB - Virtual size: 15KB

  IMAGE_SCN_CNT_INITIALIZED_DATA

  IMAGE_SCN_MEM_READ