WFE[.]rar | Triage

Sharing

Copy URL Twitter E-mail

General

Target

WFE.rar
Size

741KB
MD5

5182ee4c6e5afe95ee96fc601214ce4d
SHA1

5a07523661e9450ea2fd2c897f6afe46c01e4fcb
SHA256

c007ecaeb961caf81d759ba780a7201b847d49cc3ae0daa75094dd0db843b019
SHA512

60edeb2d7a14e205afeb5fe6f00b0e3dd87ef3265297c336d8abf3dae7b50793f93057df8f8189bff7aacc262f2818ab03aa5264ff46512119459747c409bfda
SSDEEP

12288:FBwdtAAqrmrcdh12hOQCU6TReT1J2hAr0KfrvjApv8uph5oXOgbpqNXAksvTSGXE:mtAAqrwACCU6ToS6r0Kfrvsp7SJbmsGj

Score

3^/10

Malware Config

Signatures

Unsigned PE 4 IoCs

Checks for missing Authenticode signature.

resource
unpack001/WFE/Modules/d3d8to9.dll
unpack001/WFE/WFEApp.exe
unpack001/WFE/WFEDll.dll
unpack001/WFE/WFEUpdater.exe

Files

WFE.rar
.rar
WFE/Language.xml
WFE/Localisation.ini
WFE/Modules/d3d8to9.dll
.dll windows x86

17eae39f06667a396e40a3a79a222ead

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
IMAGE_DLLCHARACTERISTICS_NX_COMPAT

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_32BIT_MACHINE
IMAGE_FILE_DLL

Imports

d3d9

Direct3DCreate9

kernel32

UnhandledExceptionFilter
GetCurrentProcess
TerminateProcess
QueryPerformanceCounter
SetUnhandledExceptionFilter
IsProcessorFeaturePresent
GetCurrentProcessId
GetCurrentThreadId
IsDebuggerPresent
InitializeSListHead
DisableThreadLibraryCalls
GetSystemTimeAsFileTime

user32

GetDC
ReleaseDC

gdi32

GetDeviceCaps

msvcp140

?_Getgloballocale@locale@std@@CAPAV_Locimp@12@XZ
?_Init@locale@std@@CAPAV_Locimp@12@_N@Z
?_Xbad_alloc@std@@YAXXZ
?_Xregex_error@std@@YAXW4error_type@regex_constants@1@@Z
?id@?$ctype@D@std@@2V0locale@2@A
?id@?$collate@D@std@@2V0locale@2@A
??1_Lockit@std@@QAE@XZ
?_Getcat@?$ctype@D@std@@SAIPAPBVfacet@locale@2@PBV42@@Z
?tolower@?$ctype@D@std@@QBEPBDPADPBD@Z
?tolower@?$ctype@D@std@@QBEDD@Z
??1facet@locale@std@@MAE@XZ
??0facet@locale@std@@IAE@I@Z
?_Decref@facet@locale@std@@UAEPAV_Facet_base@3@XZ
?_Incref@facet@locale@std@@UAEXXZ
??Bid@locale@std@@QAEIXZ
?_Getcoll@_Locinfo@std@@QBE?AU_Collvec@@XZ
??1_Locinfo@std@@QAE@XZ
??0_Locinfo@std@@QAE@PBD@Z
_Strxfrm
?_Xlength_error@std@@YAXPBD@Z
?_Xout_of_range@std@@YAXPBD@Z
??0_Lockit@std@@QAE@H@Z
_Strcoll

vcruntime140

_except_handler4_common
__std_type_info_destroy_list
memset
_CxxThrowException
__current_exception_context
memmove
memcpy
strchr
__CxxFrameHandler3
__std_exception_destroy
memchr
__std_terminate
__std_exception_copy
__current_exception

api-ms-win-crt-runtime-l1-1-0

_configure_narrow_argv
terminate
_cexit
_crt_atexit
_execute_onexit_table
_register_onexit_function
_initialize_onexit_table
_initialize_narrow_environment
_initterm
_seh_filter_dll
_initterm_e
_invalid_parameter_noinfo_noreturn

api-ms-win-crt-heap-l1-1-0

malloc
_callnewh
realloc
free

api-ms-win-crt-convert-l1-1-0

strtoul

api-ms-win-crt-stdio-l1-1-0

__stdio_common_vsprintf_s
__stdio_common_vsprintf

api-ms-win-crt-math-l1-1-0

ceil

Exports

Exports

Direct3DCreate8

Sections

.text
Size: 92KB - Virtual size: 92KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rdata
Size: 18KB - Virtual size: 18KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.data
Size: 2KB - Virtual size: 2KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.rsrc
Size: 1KB - Virtual size: 1KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.reloc
Size: 5KB - Virtual size: 4KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ
WFE/Profiles/WFEConfig.ini
WFE/Profiles/WFEConfigBase.ini
WFE/ReadMe.txt
WFE/TestCommands.ini
WFE/WFE.mpq
WFE/WFEApp.exe
.exe windows x86

2610cd5d8ffbefa205703d83296f5c5a

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
IMAGE_DLLCHARACTERISTICS_NX_COMPAT
IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_32BIT_MACHINE

Imports

api-ms-win-crt-stdio-l1-1-0

fgets
__stdio_common_vfprintf_s
fclose
fopen
fopen_s

api-ms-win-crt-string-l1-1-0

isspace
tolower
strncpy
_stricmp

api-ms-win-crt-heap-l1-1-0

_callnewh
malloc
free

api-ms-win-crt-runtime-l1-1-0

terminate
_cexit
_crt_at_quick_exit
_crt_atexit
_initialize_narrow_environment
abort
_invalid_parameter_noinfo_noreturn
_seh_filter_dll
_configure_narrow_argv
_execute_onexit_table
_initialize_onexit_table
_register_onexit_function

vcruntime140

memmove
__current_exception_context
__FrameUnwindFilter
__std_exception_copy
__std_exception_destroy
_CxxThrowException
_except_handler4_common
memset
__current_exception
strchr

kernel32

GetCurrentThreadId
QueryPerformanceCounter
GetSystemTimeAsFileTime
K32GetModuleFileNameExA
GetCurrentProcessId
Sleep
WideCharToMultiByte
GetFileAttributesA
CreateDirectoryA
GetModuleFileNameA
VirtualFreeEx
WaitForSingleObject
CreateRemoteThread
WriteProcessMemory
VirtualAllocEx
GetProcAddress
GetModuleHandleA
OpenProcess
IsProcessorFeaturePresent
IsDebuggerPresent
UnhandledExceptionFilter
SetUnhandledExceptionFilter
GetStartupInfoW
GetModuleHandleW
GetCurrentProcess
TerminateProcess
Module32Next
GetLastError
CloseHandle
CreateToolhelp32Snapshot
Process32First
Process32Next
Module32First

user32

FindWindowA
EnumWindows
GetWindowThreadProcessId
PostMessageA
GetKeyState
GetAsyncKeyState

advapi32

RegQueryValueExA
LookupPrivilegeValueA
AdjustTokenPrivileges
RegOpenKeyExA
RegSetValueExA
RegCloseKey
OpenProcessToken

msvcp140

?__ExceptionPtrDestroy@@YAXPAX@Z
?__ExceptionPtrCopy@@YAXPAXPBX@Z
?_Xlength_error@std@@YAXPBD@Z
?_Xout_of_range@std@@YAXPBD@Z

api-ms-win-crt-convert-l1-1-0

strtod
strtol
strtoul
strtof

mscoree

_CorExeMain

Exports

Exports

??0INIReader@@QAE@ABV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@@Z
?Get@INIReader@@QBE?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@ABV23@00@Z
?GetBoolean@INIReader@@QBE_NABV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@0_N@Z
?GetFloat@INIReader@@QBEMABV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@0M@Z
?GetInteger@INIReader@@QBEHABV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@0J@Z
?GetLong@INIReader@@QBEJABV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@0J@Z
?GetReal@INIReader@@QBENABV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@0N@Z
?GetUInteger@INIReader@@QBEIABV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@0J@Z
?GetULong@INIReader@@QBEKABV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@0J@Z
?MakeKey@INIReader@@CA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@ABV23@0@Z
?ParseError@INIReader@@QBEHXZ
?ValueHandler@INIReader@@CAHPAXPBD11@Z
EnableDebugPrivEx
GetExePath
GetExePathByName
GetProcessIdByName
InjectToProcess
InjectToProcessByName
InjectToWindowByNameEx
InjectToWindowEx

Sections

.text
Size: 282KB - Virtual size: 282KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rdata
Size: 359KB - Virtual size: 359KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.data
Size: 3KB - Virtual size: 13KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.rsrc
Size: 38KB - Virtual size: 38KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.reloc
Size: 2KB - Virtual size: 2KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ
WFE/WFEAppStyleDefault.ini
WFE/WFEDll.dll
.dll windows x86

7c693f05bb2f0f7dac3c7b4df2a8639a

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
IMAGE_DLLCHARACTERISTICS_NX_COMPAT

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_32BIT_MACHINE
IMAGE_FILE_DLL

Imports

version

VerQueryValueA
GetFileVersionInfoA
GetFileVersionInfoSizeA

kernel32

WriteConsoleW
HeapSize
SetStdHandle
GetModuleHandleA
GetLastError
CloseHandle
GetStdHandle
GetConsoleWindow
FreeConsole
AllocConsole
SetConsoleTitleA
K32GetProcessMemoryInfo
GetCurrentProcess
GetCurrentThread
WriteFile
ReadFile
VirtualProtect
FlushInstructionCache
GetProcAddress
MultiByteToWideChar
WideCharToMultiByte
GetModuleFileNameA
GetTickCount64
TlsGetValue
GetFileAttributesA
LoadLibraryA
DisableThreadLibraryCalls
GetCurrentThreadId
SuspendThread
ResumeThread
GetThreadContext
SetThreadContext
VirtualAlloc
VirtualFree
VirtualQuery
SetLastError
FreeLibrary
GetModuleHandleW
LoadLibraryExW
GetProcessHeap
SetEnvironmentVariableW
FreeEnvironmentStringsW
GetEnvironmentStringsW
GetCommandLineW
GetCommandLineA
GetOEMCP
GetACP
IsValidCodePage
HeapReAlloc
ReadConsoleW
GetConsoleMode
GetConsoleOutputCP
FlushFileBuffers
GetFileSizeEx
GetTimeZoneInformation
LCMapStringW
CompareStringW
GetTimeFormatW
GetDateFormatW
HeapAlloc
GetFileType
HeapFree
GetModuleFileNameW
ExitProcess
GetModuleHandleExW
FreeLibraryAndExitThread
ExitThread
FormatMessageA
CreateFileW
FindClose
FindFirstFileW
FindFirstFileExW
FindNextFileW
GetFileAttributesExW
SetEndOfFile
SetFilePointerEx
AreFileApisANSI
GetFileInformationByHandleEx
LocalFree
GetLocaleInfoEx
QueryPerformanceCounter
QueryPerformanceFrequency
WaitForSingleObjectEx
Sleep
GetExitCodeThread
EncodePointer
DecodePointer
EnterCriticalSection
LeaveCriticalSection
InitializeCriticalSectionEx
DeleteCriticalSection
GetSystemTimeAsFileTime
GetStringTypeW
GetCPInfo
UnhandledExceptionFilter
SetUnhandledExceptionFilter
TerminateProcess
IsProcessorFeaturePresent
IsDebuggerPresent
GetStartupInfoW
GetCurrentProcessId
InitializeSListHead
RtlUnwind
RaiseException
InterlockedFlushSList
InitializeCriticalSectionAndSpinCount
TlsAlloc
TlsSetValue
TlsFree
CreateThread

user32

ClipCursor
BlockInput
MapVirtualKeyA
DefWindowProcA
ShowWindow
SendInput
SetCursorPos
ScreenToClient
GetCursorPos
GetWindowPlacement
GetKeyState
SetWindowPlacement
SetWindowLongA
GetWindowLongA
GetWindowRect
MonitorFromWindow
GetMonitorInfoA
GetForegroundWindow
GetActiveWindow
FindWindowA
SetTimer
KillTimer
SendMessageA
SetWindowPos

Exports

Exports

??0INIReader@@QAE@ABV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@@Z
?Get@INIReader@@QBE?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@ABV23@00@Z
?GetBoolean@INIReader@@QBE_NABV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@0_N@Z
?GetFloat@INIReader@@QBEMABV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@0M@Z
?GetInteger@INIReader@@QBEHABV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@0J@Z
?GetLong@INIReader@@QBEJABV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@0J@Z
?GetReal@INIReader@@QBENABV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@0N@Z
?GetUInteger@INIReader@@QBEIABV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@0J@Z
?GetULong@INIReader@@QBEKABV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@0J@Z
?MakeKey@INIReader@@CA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@ABV23@0@Z
?ParseError@INIReader@@QBEHXZ
?ValueHandler@INIReader@@CAHPAXPBD11@Z

Sections

.text
Size: 550KB - Virtual size: 550KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rdata
Size: 117KB - Virtual size: 117KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.data
Size: 9KB - Virtual size: 75KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.detourc
Size: 4KB - Virtual size: 4KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.detourd
Size: 512B - Virtual size: 12B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.rsrc
Size: 1KB - Virtual size: 1KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.reloc
Size: 42KB - Virtual size: 42KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ
WFE/WFEGameColours.ini
WFE/WFESettings.ini
WFE/WFESettingsBase.ini
WFE/WFEUpdater.exe
.exe windows x86

f34d5f2d4577ed6d9ceec516c1f5a744

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_HIGH_ENTROPY_VA
IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
IMAGE_DLLCHARACTERISTICS_NX_COMPAT
IMAGE_DLLCHARACTERISTICS_NO_SEH
IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LARGE_ADDRESS_AWARE

Imports

mscoree

_CorExeMain

Sections

.text
Size: 74KB - Virtual size: 74KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rsrc
Size: 38KB - Virtual size: 38KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.reloc
Size: 512B - Virtual size: 12B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ

Sharing

General

Malware Config

Signatures

Files

17eae39f06667a396e40a3a79a222ead

Headers

DLL Characteristics

File Characteristics

Imports

d3d9

kernel32

user32

gdi32

msvcp140

vcruntime140

api-ms-win-crt-runtime-l1-1-0

api-ms-win-crt-heap-l1-1-0

api-ms-win-crt-convert-l1-1-0

api-ms-win-crt-stdio-l1-1-0

api-ms-win-crt-math-l1-1-0

Exports

Exports

Sections

.text Size: 92KB - Virtual size: 92KB

.rdata Size: 18KB - Virtual size: 18KB

.data Size: 2KB - Virtual size: 2KB

.rsrc Size: 1KB - Virtual size: 1KB

.reloc Size: 5KB - Virtual size: 4KB

2610cd5d8ffbefa205703d83296f5c5a

Headers

DLL Characteristics

File Characteristics

Imports

api-ms-win-crt-stdio-l1-1-0

api-ms-win-crt-string-l1-1-0

api-ms-win-crt-heap-l1-1-0

api-ms-win-crt-runtime-l1-1-0

vcruntime140

kernel32

user32

advapi32

msvcp140

api-ms-win-crt-convert-l1-1-0

mscoree

Exports

Exports

Sections

.text Size: 282KB - Virtual size: 282KB

.rdata Size: 359KB - Virtual size: 359KB

.data Size: 3KB - Virtual size: 13KB

.rsrc Size: 38KB - Virtual size: 38KB

.reloc Size: 2KB - Virtual size: 2KB

7c693f05bb2f0f7dac3c7b4df2a8639a

Headers

DLL Characteristics

File Characteristics

Imports

version

kernel32

user32

Exports

Exports

Sections

.text Size: 550KB - Virtual size: 550KB

.rdata Size: 117KB - Virtual size: 117KB

.data Size: 9KB - Virtual size: 75KB

.detourc Size: 4KB - Virtual size: 4KB

.detourd Size: 512B - Virtual size: 12B

.rsrc Size: 1KB - Virtual size: 1KB

.reloc Size: 42KB - Virtual size: 42KB

f34d5f2d4577ed6d9ceec516c1f5a744

Headers

DLL Characteristics

File Characteristics

Imports

mscoree

Sections

.text Size: 74KB - Virtual size: 74KB

.rsrc Size: 38KB - Virtual size: 38KB

.text
Size: 92KB - Virtual size: 92KB

.rdata
Size: 18KB - Virtual size: 18KB

.data
Size: 2KB - Virtual size: 2KB

.rsrc
Size: 1KB - Virtual size: 1KB

.reloc
Size: 5KB - Virtual size: 4KB

.text
Size: 282KB - Virtual size: 282KB

.rdata
Size: 359KB - Virtual size: 359KB

.data
Size: 3KB - Virtual size: 13KB

.rsrc
Size: 38KB - Virtual size: 38KB

.reloc
Size: 2KB - Virtual size: 2KB

.text
Size: 550KB - Virtual size: 550KB

.rdata
Size: 117KB - Virtual size: 117KB

.data
Size: 9KB - Virtual size: 75KB

.detourc
Size: 4KB - Virtual size: 4KB

.detourd
Size: 512B - Virtual size: 12B

.rsrc
Size: 1KB - Virtual size: 1KB

.reloc
Size: 42KB - Virtual size: 42KB

.text
Size: 74KB - Virtual size: 74KB

.rsrc
Size: 38KB - Virtual size: 38KB

.reloc
Size: 512B - Virtual size: 12B