7a5da47fa10cf2ebb7d438e626424a93

Sharing

Copy URL Twitter E-mail

General

Target

7a5da47fa10cf2ebb7d438e626424a93
Size

331KB
MD5

7a5da47fa10cf2ebb7d438e626424a93
SHA1

44fe9c70a7280e4ecd9ff753c98309da4f14df84
SHA256

6e5905123f8ff6ee6b4bdf10cbbec44ac00a12010bc86051439a1d8205510d54
SHA512

3b0f17b08d65716d8bc3d9241287200cc6e59024651739ba758c92deeda332e7f4951a04691796dacc22b77eb518d7305f229439eb131f5e4f8e95d9c69d7a04
SSDEEP

6144:LkfXIszC5WlYOvvVpGsQZTwXoAZo04YjmkUMFLJXLW/ulEk/iyb:LadM8YOnVpeTqoTjzkUEdbW/ulj/i0

Score

7^/10

upx

Malware Config

Signatures

UPX packed file 1 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
static1/unpack001/AntiARP-DNS.exe	upx

Unsigned PE 7 IoCs

Checks for missing Authenticode signature.

resource
unpack001/AntiARP-DNS.exe
unpack002/out.upx
unpack001/AntiIPErr.dll
unpack001/Plug/gpupdate.exe
unpack001/Plug/ipseccmd.exe
unpack001/Plug/polstore.dll
unpack001/Plug/winipsec.dll

Files

7a5da47fa10cf2ebb7d438e626424a93
.rar
AntiARP-DNS.exe
.exe windows:4 windows x86 arch:x86

Headers

File Characteristics

IMAGE_FILE_RELOCS_STRIPPED
IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LINE_NUMS_STRIPPED
IMAGE_FILE_LOCAL_SYMS_STRIPPED
IMAGE_FILE_32BIT_MACHINE

Sections

UPX0
Size: - Virtual size: 692KB

IMAGE_SCN_CNT_UNINITIALIZED_DATA
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

UPX1
Size: 208KB - Virtual size: 208KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.rsrc
Size: 28KB - Virtual size: 32KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE
out.upx
.exe windows:4 windows x86 arch:x86

Headers

File Characteristics

IMAGE_FILE_RELOCS_STRIPPED
IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LINE_NUMS_STRIPPED
IMAGE_FILE_LOCAL_SYMS_STRIPPED
IMAGE_FILE_32BIT_MACHINE

Sections

.text
Size: 836KB - Virtual size: 835KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.data
Size: 4KB - Virtual size: 23KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.rsrc
Size: 32KB - Virtual size: 28KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
AntiIPErr.dll
.dll windows:4 windows x86 arch:x86

Headers

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LINE_NUMS_STRIPPED
IMAGE_FILE_LOCAL_SYMS_STRIPPED
IMAGE_FILE_32BIT_MACHINE
IMAGE_FILE_DLL

Exports

Exports

DisableAnti

Sections

JiaJia0
Size: - Virtual size: 52KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

JiaJia1
Size: 15KB - Virtual size: 16KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

JiaJia2
Size: - Virtual size: 4KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE
IPMAC.set
Plug/Win 服务器过滤策略.bat
Plug/gpupdate.exe
.exe windows:5 windows x86 arch:x86

30ce53551eb068df0751508714087698

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE

File Characteristics

IMAGE_FILE_RELOCS_STRIPPED
IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LINE_NUMS_STRIPPED
IMAGE_FILE_LOCAL_SYMS_STRIPPED
IMAGE_FILE_32BIT_MACHINE

Imports

kernel32

FormatMessageW
CloseHandle
WaitForSingleObject
OpenEventW
GetLastError
GlobalFree
WaitForMultipleObjects
CreateThread
GetCurrentProcess
GetModuleHandleW
lstrlenW
GetConsoleOutputCP
GetProcAddress
GetModuleHandleA
QueryPerformanceCounter
GetTickCount
GetCurrentThreadId
GetCurrentProcessId
GetSystemTimeAsFileTime
TerminateProcess
SetUnhandledExceptionFilter
LocalAlloc
LocalReAlloc
GetCommandLineW
LocalFree
SetThreadUILanguage
GetCommandLineA
HeapFree
GetVersionExA
HeapAlloc
GetProcessHeap
ExitProcess
WriteFile
GetStdHandle
GetModuleFileNameA
UnhandledExceptionFilter
FreeEnvironmentStringsA
GetEnvironmentStrings
FreeEnvironmentStringsW
WideCharToMultiByte
GetEnvironmentStringsW
SetHandleCount
GetFileType
GetStartupInfoA
HeapDestroy
HeapCreate
VirtualFree
MultiByteToWideChar
Sleep
LCMapStringA
LCMapStringW
LoadLibraryA
GetACP
GetOEMCP
GetCPInfo
VirtualAlloc
HeapReAlloc
RtlUnwind
InterlockedExchange
VirtualQuery
ReadFile
FlushFileBuffers
GetStringTypeA
GetStringTypeW
VirtualProtect
GetSystemInfo
GetLocaleInfoA
GetUserDefaultLCID
EnumSystemLocalesA
IsValidLocale
IsValidCodePage
SetFilePointer
SetStdHandle
GetLocaleInfoW

advapi32

LookupPrivilegeValueW
AdjustTokenPrivileges
OpenProcessToken

user32

LoadStringW
ExitWindowsEx

userenv

ForceSyncFgPolicy
RefreshPolicyEx

shlwapi

wvnsprintfW

shell32

CommandLineToArgvW

ntdll

RtlCopySid
RtlLengthSid
NtQueryInformationToken
RtlConvertSidToUnicodeString

Sections

.text
Size: 45KB - Virtual size: 45KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.data
Size: 3KB - Virtual size: 10KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.rsrc
Size: 17KB - Virtual size: 16KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
Plug/ipseccmd.exe
.exe windows:5 windows x86 arch:x86

06e28cc5468c27081f2546bbda798b1d

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE

File Characteristics

IMAGE_FILE_RELOCS_STRIPPED
IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LINE_NUMS_STRIPPED
IMAGE_FILE_LOCAL_SYMS_STRIPPED
IMAGE_FILE_32BIT_MACHINE

Imports

msvcrt

_XcptFilter
_exit
__initenv
__getmainargs
_initterm
__setusermatherr
_adjust_fdiv
__p__commode
__p__fmode
exit
fwprintf
_strdup
??2@YAPAXI@Z
_cexit
_c_exit
__set_app_type
_controlfp
_except_handler3
wprintf
fopen
strtok
printf
_flushall
fgets
realloc
isdigit
isalpha
_stricmp
strrchr
atoi
free
strchr
strncmp
atol
sprintf
fprintf
wcstol
wcschr
towlower
tolower
wcscpy
wcsncmp
wcslen
swprintf
wcscmp
??3@YAXPAX@Z
_iob

advapi32

StartServiceW
OpenSCManagerW
OpenServiceW
QueryServiceStatus
CloseServiceHandle

kernel32

GetModuleHandleA
GetModuleHandleW
GetLastError
FormatMessageW
LocalFree
MultiByteToWideChar
Sleep

ws2_32

inet_ntoa
gethostbyname
WSACleanup
WSAStartup
inet_addr

rpcrt4

UuidCreate
UuidIsNil
UuidCompare
UuidFromStringA
UuidCreateNil

msvcirt

?cin@@3Vistream_withassign@@A
??5istream@@QAEAAV0@AAD@Z
?cerr@@3Vostream_withassign@@A
?endl@@YAAAVostream@@AAV1@@Z
??6ostream@@QAEAAV0@PBD@Z
??6ostream@@QAEAAV0@P6AAAV0@AAV0@@Z@Z
?cout@@3Vostream_withassign@@A

ole32

StringFromGUID2

crypt32

CertNameToStrW
CertStrToNameW

winipsec

ord39
ord56
ord61
ord55
ord62
ord69
ord70
ord40
ord71
ord72
ord25
ord73
ord74
ord65
ord35
ord49
ord30
ord24
ord64
ord48
ord34
ord29
ord47
ord33
ord28
ord38
ord23
ord63
ord46
ord51
ord45
ord22

polstore

IPSecEnumPolicyData
IPSecCopyPolicyData
IPSecEnumNFAData
IPSecGetISAKMPData
IPSecGetNegPolData
IPSecFreePolicyData
IPSecAllocPolStr
IPSecSetPolicyData
IPSecFreeMulPolicyData
IPSecAllocPolMem
IPSecCreatePolicyData
IPSecClosePolicyStore
IPSecOpenPolicyStore
IPSecDeleteISAKMPData
IPSecCreateISAKMPData
IPSecFreeISAKMPData
IPSecFreePolMem
IPSecDeleteNegPolData
IPSecDeleteFilterData
IPSecSetNFAData
IPSecCreateFilterData
IPSecCreateNegPolData
IPSecFreePolStr
IPSecFreeNegPolData
IPSecFreeFilterData
IPSecCreateNFAData
IPSecUnassignPolicy
IPSecGetAssignedPolicyData
IPSecAssignPolicy
IPSecDeletePolicyData
IPSecDeleteNFAData
IPSecGetFilterData

Sections

.text
Size: 62KB - Virtual size: 62KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.data
Size: 2KB - Virtual size: 3KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.rsrc
Size: 4KB - Virtual size: 3KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
Plug/polstore.dll
.dll regsvr32 windows:5 windows x86 arch:x86

913093b352fdd20d8149a67afb567f89

Headers

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LINE_NUMS_STRIPPED
IMAGE_FILE_LOCAL_SYMS_STRIPPED
IMAGE_FILE_32BIT_MACHINE
IMAGE_FILE_DLL

Imports

msvcrt

_except_handler3
_wremove
wcschr
_wcsicmp
time
wcsstr
_itow
wcscat
_wtol
wcslen
wcscpy

advapi32

RegQueryValueExW
RegSaveKeyW
RegRestoreKeyW
RegCreateKeyExW
OpenThreadToken
OpenProcessToken
LookupPrivilegeValueA
AdjustTokenPrivileges
RegConnectRegistryW
RegDeleteKeyW
RegDeleteValueW
RegEnumKeyExW
RegCloseKey
RegOpenKeyExW
CloseServiceHandle
ControlService
StartServiceA
QueryServiceStatus
OpenServiceA
OpenSCManagerW
RegSetValueExW

kernel32

LocalAlloc
GetCurrentThread
CloseHandle
GetCurrentProcess
LocalFree
GetModuleHandleW
GetLastError
DisableThreadLibraryCalls
FormatMessageW

rpcrt4

UuidToStringW
UuidCreate
RpcStringFreeW

netapi32

DsGetDcNameW
NetApiBufferFree

wldap32

ord26
ord208
ord27
ord97
ord140
ord77
ord142
ord16
ord73
ord41
ord36
ord224
ord79
ord69
ord157
ord113
ord13
ord88
ord14
ord145
ord210

Exports

Exports

DllRegisterServer
DllUnregisterServer
IPSecAllocPolMem
IPSecAllocPolStr
IPSecAssignPolicy
IPSecClosePolicyStore
IPSecCopyAuthMethod
IPSecCopyFilterData
IPSecCopyFilterSpec
IPSecCopyISAKMPData
IPSecCopyNFAData
IPSecCopyNegPolData
IPSecCopyPolicyData
IPSecCreateFilterData
IPSecCreateISAKMPData
IPSecCreateNFAData
IPSecCreateNegPolData
IPSecCreatePolicyData
IPSecDeleteFilterData
IPSecDeleteISAKMPData
IPSecDeleteNFAData
IPSecDeleteNegPolData
IPSecDeletePolicyData
IPSecEnumFilterData
IPSecEnumISAKMPData
IPSecEnumNFAData
IPSecEnumNegPolData
IPSecEnumPolicyData
IPSecExportPolicies
IPSecFreeFilterData
IPSecFreeFilterSpec
IPSecFreeFilterSpecs
IPSecFreeISAKMPData
IPSecFreeMulFilterData
IPSecFreeMulISAKMPData
IPSecFreeMulNFAData
IPSecFreeMulNegPolData
IPSecFreeMulPolicyData
IPSecFreeNFAData
IPSecFreeNegPolData
IPSecFreePolMem
IPSecFreePolStr
IPSecFreePolicyData
IPSecGetAssignedDomainPolicyName
IPSecGetAssignedPolicyData
IPSecGetFilterData
IPSecGetISAKMPData
IPSecGetNegPolData
IPSecImportPolicies
IPSecIsDomainPolicyAssigned
IPSecIsLocalPolicyAssigned
IPSecOpenPolicyStore
IPSecReallocatePolMem
IPSecReallocatePolStr
IPSecRestoreDefaultPolicies
IPSecSetFilterData
IPSecSetISAKMPData
IPSecSetNFAData
IPSecSetNegPolData
IPSecSetPolicyData
IPSecUnassignPolicy

Sections

.text
Size: 76KB - Virtual size: 76KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.data
Size: 512B - Virtual size: 220B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.rsrc
Size: 5KB - Virtual size: 4KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.reloc
Size: 2KB - Virtual size: 2KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ
Plug/run.bat
Plug/winipsec.dll
.dll windows:5 windows x86 arch:x86

e0cf5626e368af92842b2bcc431c9339

Headers

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LINE_NUMS_STRIPPED
IMAGE_FILE_LOCAL_SYMS_STRIPPED
IMAGE_FILE_32BIT_MACHINE
IMAGE_FILE_DLL

Imports

ntdll

RtlUnwind

kernel32

LocalFree
DisableThreadLibraryCalls
LocalAlloc

rpcrt4

RpcBindingSetOption
RpcBindingFromStringBindingW
NdrClientCall2
RpcSsDestroyClientContext
RpcStringFreeW
RpcMgmtInqServerPrincNameW
RpcStringBindingComposeW
RpcBindingFree
RpcBindingSetAuthInfoW
RpcRaiseException

ws2_32

ntohl

Exports

Exports

AddMMAuthMethods
AddMMFilter
AddMMPolicy
AddQMPolicy
AddTransportFilter
AddTunnelFilter
CloseMMFilterHandle
CloseTransportFilterHandle
CloseTunnelFilterHandle
DeleteMMAuthMethods
DeleteMMFilter
DeleteMMPolicy
DeleteQMPolicy
DeleteTransportFilter
DeleteTunnelFilter
EnumIPSecInterfaces
EnumMMAuthMethods
EnumMMFilters
EnumMMPolicies
EnumQMPolicies
EnumQMSAs
EnumTransportFilters
EnumTunnelFilters
GetMMAuthMethods
GetMMFilter
GetMMPolicy
GetMMPolicyByID
GetQMPolicy
GetQMPolicyByID
GetTransportFilter
GetTunnelFilter
IPSecAddSAs
IPSecCloseIKENegotiationHandle
IPSecCloseNotifyHandle
IPSecDeleteMMSAs
IPSecDeleteQMSAs
IPSecEnumMMSAs
IPSecInitiateIKENegotiation
IPSecQueryIKENegotiationStatus
IPSecQueryIKEStatistics
IPSecQueryNotifyData
IPSecRegisterIKENotifyClient
InitializeDll
MatchMMFilter
MatchTransportFilter
MatchTunnelFilter
OpenMMFilterHandle
OpenTransportFilterHandle
OpenTunnelFilterHandle
QueryIPSecStatistics
SPDApiBufferAllocate
SPDApiBufferFree
SetMMAuthMethods
SetMMFilter
SetMMPolicy
SetQMPolicy
SetTransportFilter
SetTunnelFilter

Sections

.text
Size: 21KB - Virtual size: 21KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.data
Size: 512B - Virtual size: 36B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.rsrc
Size: 1024B - Virtual size: 1016B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.reloc
Size: 1024B - Virtual size: 700B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ
Plug/关闭网上邻居及服务器端口.bat
Plug/开放网上邻居及服务器端口.bat
Plug/拒绝服务网端口滤策略.bat
Plug/新云软件.url
.url
Plug/普通PC安全过滤策略.bat
Plug/说明.txt
Set.ini
WebDNS.Log
说明.txt

Sharing

General

Malware Config

Signatures

Files

Headers

File Characteristics

Sections

UPX0 Size: - Virtual size: 692KB

UPX1 Size: 208KB - Virtual size: 208KB

.rsrc Size: 28KB - Virtual size: 32KB

Headers

File Characteristics

Sections

.text Size: 836KB - Virtual size: 835KB

.data Size: 4KB - Virtual size: 23KB

.rsrc Size: 32KB - Virtual size: 28KB

Headers

File Characteristics

Exports

Exports

Sections

JiaJia0 Size: - Virtual size: 52KB

JiaJia1 Size: 15KB - Virtual size: 16KB

JiaJia2 Size: - Virtual size: 4KB

30ce53551eb068df0751508714087698

Headers

DLL Characteristics

File Characteristics

Imports

kernel32

advapi32

user32

userenv

shlwapi

shell32

ntdll

Sections

.text Size: 45KB - Virtual size: 45KB

.data Size: 3KB - Virtual size: 10KB

.rsrc Size: 17KB - Virtual size: 16KB

06e28cc5468c27081f2546bbda798b1d

Headers

DLL Characteristics

File Characteristics

Imports

msvcrt

advapi32

kernel32

ws2_32

rpcrt4

msvcirt

ole32

crypt32

winipsec

polstore

Sections

.text Size: 62KB - Virtual size: 62KB

.data Size: 2KB - Virtual size: 3KB

.rsrc Size: 4KB - Virtual size: 3KB

913093b352fdd20d8149a67afb567f89

Headers

File Characteristics

Imports

msvcrt

advapi32

kernel32

rpcrt4

netapi32

wldap32

Exports

Exports

Sections

.text Size: 76KB - Virtual size: 76KB

.data Size: 512B - Virtual size: 220B

.rsrc Size: 5KB - Virtual size: 4KB

.reloc Size: 2KB - Virtual size: 2KB

e0cf5626e368af92842b2bcc431c9339

Headers

File Characteristics

UPX0
Size: - Virtual size: 692KB

UPX1
Size: 208KB - Virtual size: 208KB

.rsrc
Size: 28KB - Virtual size: 32KB

.text
Size: 836KB - Virtual size: 835KB

.data
Size: 4KB - Virtual size: 23KB

.rsrc
Size: 32KB - Virtual size: 28KB

JiaJia0
Size: - Virtual size: 52KB

JiaJia1
Size: 15KB - Virtual size: 16KB

JiaJia2
Size: - Virtual size: 4KB

.text
Size: 45KB - Virtual size: 45KB

.data
Size: 3KB - Virtual size: 10KB

.rsrc
Size: 17KB - Virtual size: 16KB

.text
Size: 62KB - Virtual size: 62KB

.data
Size: 2KB - Virtual size: 3KB

.rsrc
Size: 4KB - Virtual size: 3KB

.text
Size: 76KB - Virtual size: 76KB

.data
Size: 512B - Virtual size: 220B

.rsrc
Size: 5KB - Virtual size: 4KB

.reloc
Size: 2KB - Virtual size: 2KB

.text
Size: 21KB - Virtual size: 21KB

.data
Size: 512B - Virtual size: 36B

.rsrc
Size: 1024B - Virtual size: 1016B

.reloc
Size: 1024B - Virtual size: 700B