?ChildProcessMain@Awesomium@@YAHPAUHINSTANCE__@@@Z
?InstallKBHook@@YAHXZ
?MainThreads@Awesomium@@YAH_N@Z
?MainThreads@Awesomium@@YA_NPAUInitStance@1@@Z
?SetDisablePrintScreen@@YAXH@Z
?UnInstallKBHook@@YAHXZ
Overview
overview
7Static
static
7HKeyboard.dll
windows7-x64
1HKeyboard.dll
windows10-1703-x64
1HKeyboard.dll
windows10-2004-x64
1KS.exe
windows7-x64
6KS.exe
windows10-1703-x64
6KS.exe
windows10-2004-x64
6_sogou_pin...11.exe
windows7-x64
7_sogou_pin...11.exe
windows10-1703-x64
7_sogou_pin...11.exe
windows10-2004-x64
7Resubmissions
25-08-2023 15:01
230825-sdyfdseg2t 7Behavioral task
behavioral1
Sample
HKeyboard.dll
Resource
win7-20230712-en
windows7-x64
1 signatures
300 seconds
Behavioral task
behavioral2
Sample
HKeyboard.dll
Resource
win10-20230703-en
windows10-1703-x64
1 signatures
300 seconds
Behavioral task
behavioral3
Sample
HKeyboard.dll
Resource
win10v2004-20230824-en
windows10-2004-x64
1 signatures
300 seconds
Behavioral task
behavioral4
Sample
KS.exe
Resource
win7-20230712-en
windows7-x64
3 signatures
300 seconds
Behavioral task
behavioral5
Sample
KS.exe
Resource
win10-20230703-en
windows10-1703-x64
3 signatures
300 seconds
Behavioral task
behavioral6
Sample
KS.exe
Resource
win10v2004-20230703-en
windows10-2004-x64
3 signatures
300 seconds
Behavioral task
behavioral7
Sample
_sogou_pinyin_Release_13.8.0.8160_1111.exe
Resource
win7-20230712-en
windows7-x64
4 signatures
300 seconds
Behavioral task
behavioral8
Sample
_sogou_pinyin_Release_13.8.0.8160_1111.exe
Resource
win10-20230703-en
windows10-1703-x64
4 signatures
300 seconds
Behavioral task
behavioral9
Sample
_sogou_pinyin_Release_13.8.0.8160_1111.exe
Resource
win10v2004-20230703-en
windows10-2004-x64
4 signatures
300 seconds
General
-
Target
搜狗输入法金秋1.cab
-
Size
121.3MB
-
MD5
800ecd4c7b8e453ce0f01a2660d93ee9
-
SHA1
607a7ceb03f54b7575d49db6094ac756d85e1d45
-
SHA256
0cfc4ec5d31d5c0630453dbad12c5bd68176abfdc4a657703cf83105d3eb3624
-
SHA512
bd21a1693a4e3aa614b2a9afe09d376dac85432df743e02065215ce667e1e233638a9574deb34ed91d7fe7383958d056a6c6a47eb5a28e27ce7b8d2b70149c7b
-
SSDEEP
3145728:86Odyqv0eg18Rx0OYWebzLKQIjJYCX6EYsU1ocWTRKop315hF:86OQ4s8Rx0OpkKQILwicWNKop3nhF
Score
7/10
Malware Config
Signatures
-
Processes:
resource yara_rule static1/unpack001/_sogou_pinyin_Release_13.8.0.8160_1111.exe upx -
Unsigned PE 1 IoCs
Checks for missing Authenticode signature.
Processes:
resource unpack001/HKeyboard.dll
Files
-
搜狗输入法金秋1.cab.cab
-
HKeyboard.dll.dll windows x86
4e75bdb3791d69e6ac3cd32edeaa3204
Headers
DLL Characteristics
IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
IMAGE_DLLCHARACTERISTICS_NX_COMPAT
File Characteristics
IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_32BIT_MACHINE
IMAGE_FILE_DLL
Imports
kernel32
Sleep
ReadFile
GetProcAddress
VirtualAlloc
DisableThreadLibraryCalls
LoadLibraryA
IsDebuggerPresent
CloseHandle
lstrcpyW
GetTickCount64
HeapSize
GetStringTypeW
MultiByteToWideChar
GetCurrentThreadId
DecodePointer
GetCommandLineA
TerminateProcess
GetCurrentProcess
UnhandledExceptionFilter
SetUnhandledExceptionFilter
EncodePointer
TlsAlloc
TlsGetValue
TlsSetValue
TlsFree
InterlockedIncrement
GetModuleHandleW
SetLastError
GetLastError
InterlockedDecrement
HeapFree
ExitProcess
SetHandleCount
GetStdHandle
InitializeCriticalSectionAndSpinCount
GetFileType
GetStartupInfoW
DeleteCriticalSection
GetModuleFileNameA
FreeEnvironmentStringsW
WideCharToMultiByte
GetEnvironmentStringsW
HeapCreate
HeapDestroy
QueryPerformanceCounter
GetTickCount
GetCurrentProcessId
GetSystemTimeAsFileTime
LeaveCriticalSection
EnterCriticalSection
GetCPInfo
GetACP
GetOEMCP
IsValidCodePage
HeapAlloc
HeapReAlloc
LoadLibraryW
WriteFile
GetModuleFileNameW
RtlUnwind
LCMapStringW
IsProcessorFeaturePresent
user32
MessageBoxA
wsprintfA
Exports
Exports
Sections
.text Size: 18KB - Virtual size: 18KB
IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ
.rdata Size: 8KB - Virtual size: 8KB
IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
.data Size: 3KB - Virtual size: 14KB
IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE
.rsrc Size: 512B - Virtual size: 436B
IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
.reloc Size: 2KB - Virtual size: 2KB
IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ
-
KS.exe.exe windows x86
ce73294650088bad6c93a82556f6b06a
Code Sign
7e:93:eb:fb:7c:c6:4e:59:ea:4b:9a:77:d4:06:fc:3bCertificate
IssuerCN=Thawte Timestamping CA,OU=Thawte Certification,O=Thawte,L=Durbanville,ST=Western Cape,C=ZANot Before21-12-2012 00:00Not After30-12-2020 23:59SubjectCN=Symantec Time Stamping Services CA - G2,O=Symantec Corporation,C=USExtended Key Usages
ExtKeyUsageTimeStamping
Key Usages
KeyUsageCertSign
KeyUsageCRLSign
1b:09:3b:78:60:96:da:37:bb:a4:51:94:46:c8:96:78Certificate
IssuerOU=Class 3 Public Primary Certification Authority,O=VeriSign\, Inc.,C=USNot Before08-11-2006 00:00Not After07-11-2021 23:59SubjectCN=VeriSign Class 3 Public Primary Certification Authority - G5,OU=VeriSign Trust Network+OU=(c) 2006 VeriSign\, Inc. - For authorized use only,O=VeriSign\, Inc.,C=USKey Usages
KeyUsageCertSign
KeyUsageCRLSign
0e:cf:f4:38:c8:fe:bf:35:6e:04:d8:6a:98:1b:1a:50Certificate
IssuerCN=Symantec Time Stamping Services CA - G2,O=Symantec Corporation,C=USNot Before18-10-2012 00:00Not After29-12-2020 23:59SubjectCN=Symantec Time Stamping Services Signer - G4,O=Symantec Corporation,C=USExtended Key Usages
ExtKeyUsageTimeStamping
Key Usages
KeyUsageDigitalSignature
4f:0f:15:6d:f2:8a:6e:f4:26:76:74:d2:43:27:ef:15Certificate
IssuerCN=Symantec Class 3 SHA256 Code Signing CA,OU=Symantec Trust Network,O=Symantec Corporation,C=USNot Before12-06-2017 00:00Not After12-06-2019 23:59SubjectCN=YOZOSOFT INC.\,LTD.,OU=综合管理部,O=YOZOSOFT INC.\,LTD.,L=wuxi,ST=jiangsu,C=CNExtended Key Usages
ExtKeyUsageCodeSigning
Key Usages
KeyUsageDigitalSignature
3d:78:d7:f9:76:49:60:b2:61:7d:f4:f0:1e:ca:86:2aCertificate
IssuerCN=VeriSign Class 3 Public Primary Certification Authority - G5,OU=VeriSign Trust Network+OU=(c) 2006 VeriSign\, Inc. - For authorized use only,O=VeriSign\, Inc.,C=USNot Before10-12-2013 00:00Not After09-12-2023 23:59SubjectCN=Symantec Class 3 SHA256 Code Signing CA,OU=Symantec Trust Network,O=Symantec Corporation,C=USExtended Key Usages
ExtKeyUsageClientAuth
ExtKeyUsageCodeSigning
Key Usages
KeyUsageCertSign
KeyUsageCRLSign
1b:09:3b:78:60:96:da:37:bb:a4:51:94:46:c8:96:78Certificate
IssuerOU=Class 3 Public Primary Certification Authority,O=VeriSign\, Inc.,C=USNot Before08-11-2006 00:00Not After07-11-2021 23:59SubjectCN=VeriSign Class 3 Public Primary Certification Authority - G5,OU=VeriSign Trust Network+OU=(c) 2006 VeriSign\, Inc. - For authorized use only,O=VeriSign\, Inc.,C=USKey Usages
KeyUsageCertSign
KeyUsageCRLSign
4f:0f:15:6d:f2:8a:6e:f4:26:76:74:d2:43:27:ef:15Certificate
IssuerCN=Symantec Class 3 SHA256 Code Signing CA,OU=Symantec Trust Network,O=Symantec Corporation,C=USNot Before12-06-2017 00:00Not After12-06-2019 23:59SubjectCN=YOZOSOFT INC.\,LTD.,OU=综合管理部,O=YOZOSOFT INC.\,LTD.,L=wuxi,ST=jiangsu,C=CNExtended Key Usages
ExtKeyUsageCodeSigning
Key Usages
KeyUsageDigitalSignature
3d:78:d7:f9:76:49:60:b2:61:7d:f4:f0:1e:ca:86:2aCertificate
IssuerCN=VeriSign Class 3 Public Primary Certification Authority - G5,OU=VeriSign Trust Network+OU=(c) 2006 VeriSign\, Inc. - For authorized use only,O=VeriSign\, Inc.,C=USNot Before10-12-2013 00:00Not After09-12-2023 23:59SubjectCN=Symantec Class 3 SHA256 Code Signing CA,OU=Symantec Trust Network,O=Symantec Corporation,C=USExtended Key Usages
ExtKeyUsageClientAuth
ExtKeyUsageCodeSigning
Key Usages
KeyUsageCertSign
KeyUsageCRLSign
7b:05:b1:d4:49:68:51:44:f7:c9:89:d2:9c:19:9d:12Certificate
IssuerCN=VeriSign Universal Root Certification Authority,OU=VeriSign Trust Network+OU=(c) 2008 VeriSign\, Inc. - For authorized use only,O=VeriSign\, Inc.,C=USNot Before12-01-2016 00:00Not After11-01-2031 23:59SubjectCN=Symantec SHA256 TimeStamping CA,OU=Symantec Trust Network,O=Symantec Corporation,C=USExtended Key Usages
ExtKeyUsageTimeStamping
Key Usages
KeyUsageCertSign
KeyUsageCRLSign
7b:d4:e5:af:ba:cc:07:3f:a1:01:23:04:22:41:4d:12Certificate
IssuerCN=Symantec SHA256 TimeStamping CA,OU=Symantec Trust Network,O=Symantec Corporation,C=USNot Before23-12-2017 00:00Not After22-03-2029 23:59SubjectCN=Symantec SHA256 TimeStamping Signer - G3,OU=Symantec Trust Network,O=Symantec Corporation,C=USExtended Key Usages
ExtKeyUsageTimeStamping
Key Usages
KeyUsageDigitalSignature
66:40:93:4f:87:56:3f:44:54:be:74:58:d9:0d:34:04:3e:8d:56:d9:c8:c6:91:c8:3e:e8:c0:ff:67:29:45:22Signer
Actual PE Digest66:40:93:4f:87:56:3f:44:54:be:74:58:d9:0d:34:04:3e:8d:56:d9:c8:c6:91:c8:3e:e8:c0:ff:67:29:45:22Digest Algorithmsha256PE Digest Matchestruef9:3b:0f:8d:5e:da:9b:65:ed:80:3f:3d:3d:e3:b0:aa:35:f6:a9:b5Signer
Actual PE Digestf9:3b:0f:8d:5e:da:9b:65:ed:80:3f:3d:3d:e3:b0:aa:35:f6:a9:b5Digest Algorithmsha1PE Digest MatchestrueHeaders
File Characteristics
IMAGE_FILE_RELOCS_STRIPPED
IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LINE_NUMS_STRIPPED
IMAGE_FILE_LOCAL_SYMS_STRIPPED
IMAGE_FILE_32BIT_MACHINE
Imports
hkeyboard
?UnInstallKBHook@@YAHXZ
?SetDisablePrintScreen@@YAXH@Z
?InstallKBHook@@YAHXZ
mfc42
ord3346
ord5300
ord5302
ord2725
ord4079
ord4698
ord5307
ord5289
ord5714
ord2982
ord3147
ord3259
ord4465
ord3136
ord3262
ord2985
ord3081
ord2976
ord3830
ord3831
ord3825
ord3079
ord4080
ord4622
ord4424
ord3738
ord561
ord825
ord815
ord641
ord2514
ord2621
ord1134
ord5265
ord4376
ord4853
ord4998
ord4710
ord2396
ord4078
ord1775
ord4407
ord5241
ord2385
ord5163
ord6374
ord4353
ord5280
ord3798
ord4837
ord4441
ord2648
ord2055
ord6376
ord3749
ord5065
ord1727
ord5261
ord2446
ord2124
ord5277
ord4627
ord4425
ord3597
ord324
ord4234
ord1146
ord1168
ord800
ord4160
ord540
ord2863
ord2379
ord755
ord470
ord2764
ord4204
ord537
ord6215
ord5199
ord1089
ord3922
ord5731
ord2512
ord2554
ord4486
ord6375
ord4274
ord4673
ord6052
ord1576
msvcrt
__p__fmode
__set_app_type
_except_handler3
_controlfp
_adjust_fdiv
__setusermatherr
_initterm
__getmainargs
_acmdln
exit
_XcptFilter
_exit
_onexit
__dllonexit
__CxxFrameHandler
_setmbcp
__p__commode
kernel32
CreateMutexA
CloseHandle
ReleaseMutex
OpenMutexA
Process32Next
Process32First
CreateToolhelp32Snapshot
GetModuleHandleA
GetStartupInfoA
GetLastError
user32
SendMessageA
AppendMenuA
GetSystemMenu
DrawIcon
GetClientRect
GetSystemMetrics
IsIconic
KillTimer
EnableWindow
LoadIconA
SetTimer
Sections
.text Size: 4KB - Virtual size: 2KB
IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ
.rdata Size: 4KB - Virtual size: 2KB
IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
.data Size: 4KB - Virtual size: 348B
IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE
.rsrc Size: 104KB - Virtual size: 101KB
IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
-
_sogou_pinyin_Release_13.8.0.8160_1111.exe.exe windows x86
Code Sign
04:09:18:1b:5f:d5:bb:66:75:53:43:b5:6f:95:50:08Certificate
IssuerCN=DigiCert Assured ID Root CA,OU=www.digicert.com,O=DigiCert Inc,C=USNot Before22-10-2013 12:00Not After22-10-2028 12:00SubjectCN=DigiCert SHA2 Assured ID Code Signing CA,OU=www.digicert.com,O=DigiCert Inc,C=USExtended Key Usages
ExtKeyUsageCodeSigning
Key Usages
KeyUsageDigitalSignature
KeyUsageCertSign
KeyUsageCRLSign
08:90:b9:34:84:e6:f1:8e:fe:9f:43:68:3a:5f:49:d8Certificate
IssuerCN=DigiCert SHA2 Assured ID Code Signing CA,OU=www.digicert.com,O=DigiCert Inc,C=USNot Before25-05-2021 00:00Not After21-08-2024 23:59SubjectCN=Beijing Sogou Technology Development Co.\, Ltd.,O=Beijing Sogou Technology Development Co.\, Ltd.,ST=Beijing,C=CNExtended Key Usages
ExtKeyUsageCodeSigning
Key Usages
KeyUsageDigitalSignature
05:44:af:f3:94:9d:08:39:a6:bf:db:3f:5f:e5:61:16Certificate
IssuerCN=DigiCert Trusted G4 RSA4096 SHA256 TimeStamping CA,O=DigiCert\, Inc.,C=USNot Before14-07-2023 00:00Not After13-10-2034 23:59SubjectCN=DigiCert Timestamp 2023,O=DigiCert\, Inc.,C=USExtended Key Usages
ExtKeyUsageTimeStamping
Key Usages
KeyUsageDigitalSignature
07:36:37:b7:24:54:7c:d8:47:ac:fd:28:66:2a:5e:5bCertificate
IssuerCN=DigiCert Trusted Root G4,OU=www.digicert.com,O=DigiCert Inc,C=USNot Before23-03-2022 00:00Not After22-03-2037 23:59SubjectCN=DigiCert Trusted G4 RSA4096 SHA256 TimeStamping CA,O=DigiCert\, Inc.,C=USExtended Key Usages
ExtKeyUsageTimeStamping
Key Usages
KeyUsageDigitalSignature
KeyUsageCertSign
KeyUsageCRLSign
0e:9b:18:8e:f9:d0:2d:e7:ef:db:50:e2:08:40:18:5aCertificate
IssuerCN=DigiCert Assured ID Root CA,OU=www.digicert.com,O=DigiCert Inc,C=USNot Before01-08-2022 00:00Not After09-11-2031 23:59SubjectCN=DigiCert Trusted Root G4,OU=www.digicert.com,O=DigiCert Inc,C=USKey Usages
KeyUsageDigitalSignature
KeyUsageCertSign
KeyUsageCRLSign
56:54:8f:ad:be:13:af:c8:cc:0b:85:fb:26:c1:24:2e:a6:c1:8f:01:92:75:14:39:f7:e9:82:b4:e4:32:c3:1cSigner
Actual PE Digest56:54:8f:ad:be:13:af:c8:cc:0b:85:fb:26:c1:24:2e:a6:c1:8f:01:92:75:14:39:f7:e9:82:b4:e4:32:c3:1cDigest Algorithmsha256PE Digest MatchestrueHeaders
DLL Characteristics
IMAGE_DLLCHARACTERISTICS_NO_SEH
IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE
File Characteristics
IMAGE_FILE_RELOCS_STRIPPED
IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_32BIT_MACHINE
Sections
UPX0 Size: - Virtual size: 2.7MB
IMAGE_SCN_CNT_UNINITIALIZED_DATA
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE
UPX1 Size: 23KB - Virtual size: 24KB
IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE
.rsrc Size: 133KB - Virtual size: 136KB
IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE
-
wips.map