8c800f1482d18a708a40a7ceaa8119eb

Sharing

Copy URL Twitter E-mail

General

Target

8c800f1482d18a708a40a7ceaa8119eb
Size

138KB
MD5

8c800f1482d18a708a40a7ceaa8119eb
SHA1

f800333418c84e941e45f783cc4561b2ebc44568
SHA256

99dd3be3faeea6aa17777f83fd9b977c21236f7c21dbaadcd6cb830cb850356b
SHA512

ddc35957e163e5563281b66a0c31fa14687e010320a82ef7b8069fc8aa8614c52e772413f9a3b4c9d9513eabdfde6b712a4f2d1d682111f1186103c555d15495
SSDEEP

3072:FoZYxRdWy8bl2Ponl6GOC4652IZMvmPxo8DXDXmI8VoeLz/Hz47MPQQoW:FRxRdWRhTY65PeojCI8VoMz/cwrP

Score

3^/10

Malware Config

Signatures

Unsigned PE 5 IoCs

Checks for missing Authenticode signature.

resource
unpack001/CNS1.dll
unpack001/CNS1.exe
unpack001/CnsMinKP2K.sys
unpack001/CnsMinKPXP.sys
unpack001/Keepmain.dll

Files

8c800f1482d18a708a40a7ceaa8119eb
.cab
CNS1.dll
.dll regsvr32 windows:4 windows x86 arch:x86

3ac9aa35e8945422ae6ab7a26f950f29

Headers

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LINE_NUMS_STRIPPED
IMAGE_FILE_LOCAL_SYMS_STRIPPED
IMAGE_FILE_32BIT_MACHINE
IMAGE_FILE_DLL

Imports

kernel32

GetModuleHandleA
FreeLibrary
SetLastError
LoadLibraryA
GetLastError
GetFileAttributesW
GetVersion
GetProcAddress
GetModuleHandleW
LoadLibraryW
GetModuleFileNameW
GetVersionExA
CreateFileA
DeviceIoControl
GetCurrentProcessId
OutputDebugStringA
CloseHandle

user32

DialogBoxParamA
IsDlgButtonChecked
GetWindowRect
SetWindowPos
EndDialog
LoadStringA
GetDlgItem
SetWindowTextA
SendDlgItemMessageA
GetPropA
SetPropA
GetDesktopWindow
CheckDlgButton

advapi32

RegEnumKeyA
RegCloseKey
RegOpenKeyA
RegQueryValueExA

shlwapi

SHDeleteKeyA

msvcrt

malloc
_except_handler3
strrchr
_strlwr
_snprintf
strstr
??3@YAXPAX@Z
__dllonexit
_onexit
_initterm
_adjust_fdiv
free

Exports

Exports

DllRegisterServer
DllUnregisterServer

Sections

.text
Size: 8KB - Virtual size: 6KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rdata
Size: 4KB - Virtual size: 1KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.data
Size: 4KB - Virtual size: 860B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.rsrc
Size: 8KB - Virtual size: 4KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.reloc
Size: 4KB - Virtual size: 1018B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ
CNS1.exe
.exe windows:4 windows x86 arch:x86

d7f04ed4d12fece625dfbe57a5470da9

Headers

File Characteristics

IMAGE_FILE_RELOCS_STRIPPED
IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LINE_NUMS_STRIPPED
IMAGE_FILE_LOCAL_SYMS_STRIPPED
IMAGE_FILE_32BIT_MACHINE

Imports

kernel32

GetModuleHandleA
CreateProcessA
CopyFileA
DeleteFileA
GetTickCount
GetVersionExA
CreateFileA
DeviceIoControl
GetCurrentProcessId
CloseHandle
GetTempPathA
GetStartupInfoA

user32

GetDesktopWindow
DialogBoxParamA
SetPropA
GetPropA
SendDlgItemMessageA
EndDialog
IsDlgButtonChecked
GetWindowRect
ShowWindow
SetWindowPos
SetForegroundWindow
CheckDlgButton
LoadStringA
GetDlgItem
SetWindowTextA

advapi32

RegOpenKeyA
RegQueryValueExA
RegEnumKeyA
RegCloseKey

shlwapi

SHDeleteKeyA

msvcrt

_controlfp
_except_handler3
__set_app_type
__p__fmode
__p__commode
_adjust_fdiv
__setusermatherr
_initterm
__getmainargs
_acmdln
exit
_XcptFilter
_exit
_onexit
__dllonexit
free
malloc
strrchr
_strlwr
??3@YAXPAX@Z
strstr
_snprintf

Sections

.text
Size: 8KB - Virtual size: 4KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rdata
Size: 4KB - Virtual size: 1KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.data
Size: 4KB - Virtual size: 1008B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.rsrc
Size: 8KB - Virtual size: 4KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
CnsMinKP2K.sys
.sys windows:5 windows x86 arch:x86

3c6047d93411381d11cc976328b3a8a8

Headers

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LINE_NUMS_STRIPPED
IMAGE_FILE_LOCAL_SYMS_STRIPPED
IMAGE_FILE_32BIT_MACHINE

PDB Paths

E:\work\CnsMin\FSD\CnsMinKP\200sys\objfre_w2K_x86\i386\CnsMinKP.pdb

Imports

ntoskrnl.exe

PsSetCreateProcessNotifyRoutine
strncmp
IoGetCurrentProcess
_except_handler3
ZwClose
ZwCreateFile
IoRegisterDriverReinitialization
PsSetCreateThreadNotifyRoutine
IoRegisterShutdownNotification
IoRegisterFsRegistrationChange
_wcslwr
ExInitializeNPagedLookasideList
KeInitializeEvent
ExAllocatePoolWithTag
IoCreateSymbolicLink
IoCreateDevice
PsGetVersion
ObfDereferenceObject
IoGetDeviceObjectPointer
IoDetachDevice
ExInterlockedPopEntrySList
ExInterlockedPushEntrySList
IofCallDriver
IofCompleteRequest
IoGetBaseFileSystemDeviceObject
ObReferenceObjectByHandle
IoFileObjectType
RtlAppendUnicodeToString
wcscat
wcslen
wcscpy
RtlFreeAnsiString
RtlUnicodeStringToAnsiString
RtlAnsiStringToUnicodeString
RtlAppendStringToString
_snprintf
RtlCompareString
_strlwr
RtlAppendUnicodeStringToString
ObQueryNameString
RtlCopyUnicodeString
RtlCompareUnicodeString
ZwQuerySymbolicLinkObject
ZwOpenSymbolicLinkObject
IoAttachDeviceToDeviceStack
ExFreePool
KeSetEvent
IoFreeIrp
KeWaitForSingleObject
KeGetCurrentThread
IoAllocateIrp
memmove
_stricmp
IoCreateNotificationEvent
PsGetCurrentThreadId
PsGetCurrentProcessId
MmIsAddressValid
ExInitializeResourceLite
ExDeleteResourceLite
KeLeaveCriticalRegion
ExAcquireResourceSharedLite
KeEnterCriticalRegion
ExAcquireResourceExclusiveLite
ExReleaseResourceLite
ExQueueWorkItem
ObfReferenceObject
KeDelayExecutionThread
ZwDeleteFile
_snwprintf
RtlFreeUnicodeString
ZwSetValueKey
ZwDeleteValueKey
ZwQueryValueKey
ZwOpenKey
PsLookupProcessByProcessId
ZwQueryInformationProcess
ExGetPreviousMode
ZwTerminateProcess
KeServiceDescriptorTable
wcsncpy
strstr
ZwEnumerateKey
ZwEnumerateValueKey
ZwDeleteKey
strrchr
RtlUnicodeStringToInteger
wcschr
ZwOpenFile
ZwQueryInformationFile
ZwReadFile
ZwCreateKey
RtlInitUnicodeString
IoDeleteSymbolicLink
strncpy
IoDeleteDevice

hal

ExReleaseFastMutex
KeGetCurrentIrql
ExAcquireFastMutex

Sections

.text
Size: 28KB - Virtual size: 28KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rdata
Size: 1KB - Virtual size: 1KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.data
Size: 5KB - Virtual size: 5KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

INIT
Size: 3KB - Virtual size: 3KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.rsrc
Size: 1024B - Virtual size: 904B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ

.reloc
Size: 2KB - Virtual size: 1KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ
CnsMinKPXP.sys
.sys windows:5 windows x86 arch:x86

e287c285123ece1e70cdbff5603cce08

Headers

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LINE_NUMS_STRIPPED
IMAGE_FILE_LOCAL_SYMS_STRIPPED
IMAGE_FILE_32BIT_MACHINE

PDB Paths

E:\work\CnsMin\FSD\CnsMinKP\200sys\objfre_wxp_x86\i386\CnsMinKP.pdb

Imports

ntoskrnl.exe

PsSetCreateProcessNotifyRoutine
strncmp
IoGetCurrentProcess
_except_handler3
ZwClose
ZwCreateFile
IoRegisterDriverReinitialization
PsSetCreateThreadNotifyRoutine
IoRegisterShutdownNotification
IoRegisterFsRegistrationChange
_wcslwr
ExInitializeNPagedLookasideList
KeInitializeEvent
ExAllocatePoolWithTag
IoCreateSymbolicLink
IoCreateDevice
ObfDereferenceObject
IoGetDeviceObjectPointer
MmGetSystemRoutineAddress
IoDetachDevice
InterlockedPopEntrySList
InterlockedPushEntrySList
IofCallDriver
IofCompleteRequest
IoGetBaseFileSystemDeviceObject
ObReferenceObjectByHandle
IoFileObjectType
RtlAppendUnicodeToString
wcscat
wcslen
wcscpy
RtlFreeAnsiString
RtlUnicodeStringToAnsiString
RtlAnsiStringToUnicodeString
RtlAppendStringToString
_snprintf
RtlCompareString
_strlwr
RtlAppendUnicodeStringToString
ObQueryNameString
RtlCopyUnicodeString
RtlCompareUnicodeString
ZwQuerySymbolicLinkObject
ZwOpenSymbolicLinkObject
IoAttachDeviceToDeviceStack
strncpy
ExFreePoolWithTag
IoFreeIrp
KeWaitForSingleObject
KeGetCurrentThread
IoAllocateIrp
memmove
_stricmp
IoCreateNotificationEvent
PsGetCurrentThreadId
PsGetCurrentProcessId
MmIsAddressValid
ExInitializeResourceLite
ExDeleteResourceLite
KeLeaveCriticalRegion
ExAcquireResourceSharedLite
KeEnterCriticalRegion
ExAcquireResourceExclusiveLite
ExReleaseResourceLite
ExQueueWorkItem
IoBuildDeviceIoControlRequest
RtlEqualUnicodeString
ObfReferenceObject
KeDelayExecutionThread
ZwDeleteFile
_snwprintf
RtlFreeUnicodeString
ZwSetValueKey
ZwDeleteValueKey
ZwQueryValueKey
ZwOpenKey
PsLookupProcessByProcessId
ZwQueryInformationProcess
ExGetPreviousMode
ZwTerminateProcess
KeServiceDescriptorTable
wcsncpy
strstr
ZwEnumerateKey
ZwEnumerateValueKey
ZwDeleteKey
strrchr
RtlUnicodeStringToInteger
wcschr
ZwOpenFile
ZwQueryInformationFile
ZwReadFile
ZwCreateKey
RtlInitUnicodeString
IoDeleteSymbolicLink
KeSetEvent
IoDeleteDevice

hal

ExReleaseFastMutex
KeGetCurrentIrql
ExAcquireFastMutex

Sections

.text
Size: 30KB - Virtual size: 30KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rdata
Size: 1KB - Virtual size: 1KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.data
Size: 5KB - Virtual size: 5KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

INIT
Size: 3KB - Virtual size: 3KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.rsrc
Size: 1024B - Virtual size: 936B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ

.reloc
Size: 2KB - Virtual size: 2KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ
CnsminKP.vxd
Keepmain.dll
.dll regsvr32 windows:4 windows x86 arch:x86

f9efe1d270a52584586a3775b916f85f

Headers

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LINE_NUMS_STRIPPED
IMAGE_FILE_LOCAL_SYMS_STRIPPED
IMAGE_FILE_32BIT_MACHINE
IMAGE_FILE_DLL

Imports

kernel32

DeleteFileA
CopyFileA
GetWindowsDirectoryA
FindFirstFileA
CreateDirectoryA
SetFileAttributesA
GetVolumeInformationA
FindClose
GetEnvironmentVariableA
GetShortPathNameA
GetModuleFileNameA
SetFilePointer
ReadFile
CreateFileA
DeviceIoControl
CloseHandle
GetSystemDirectoryA
GetVersionExA

advapi32

QueryServiceStatus
StartServiceA
OpenSCManagerA
CreateServiceA
CloseServiceHandle
OpenServiceA

shlwapi

SHDeleteValueA
SHGetValueA
SHSetValueA
SHDeleteKeyA

version

GetFileVersionInfoA
GetFileVersionInfoSizeA
VerQueryValueA

msvcrt

_strupr
_adjust_fdiv
_initterm
sprintf
strchr
strstr
strncpy
_snprintf
fclose
fseek
_strnicmp
fgets
fopen
toupper
fwrite
ftell
??3@YAXPAX@Z
??2@YAPAXI@Z
free
malloc
__CxxFrameHandler
_strlwr
strrchr

Exports

Exports

DllRegisterServer
DllUnregisterServer
ReInstallKP

Sections

.text
Size: 16KB - Virtual size: 12KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rdata
Size: 4KB - Virtual size: 1KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.data
Size: 4KB - Virtual size: 1KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.rsrc
Size: 4KB - Virtual size: 944B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.reloc
Size: 4KB - Virtual size: 1KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ
cns1.dat

Sharing

General

Malware Config

Signatures

Files

3ac9aa35e8945422ae6ab7a26f950f29

Headers

File Characteristics

Imports

kernel32

user32

advapi32

shlwapi

msvcrt

Exports

Exports

Sections

.text Size: 8KB - Virtual size: 6KB

.rdata Size: 4KB - Virtual size: 1KB

.data Size: 4KB - Virtual size: 860B

.rsrc Size: 8KB - Virtual size: 4KB

.reloc Size: 4KB - Virtual size: 1018B

d7f04ed4d12fece625dfbe57a5470da9

Headers

File Characteristics

Imports

kernel32

user32

advapi32

shlwapi

msvcrt

Sections

.text Size: 8KB - Virtual size: 4KB

.rdata Size: 4KB - Virtual size: 1KB

.data Size: 4KB - Virtual size: 1008B

.rsrc Size: 8KB - Virtual size: 4KB

3c6047d93411381d11cc976328b3a8a8

Headers

File Characteristics

PDB Paths

Imports

ntoskrnl.exe

hal

Sections

.text Size: 28KB - Virtual size: 28KB

.rdata Size: 1KB - Virtual size: 1KB

.data Size: 5KB - Virtual size: 5KB

INIT Size: 3KB - Virtual size: 3KB

.rsrc Size: 1024B - Virtual size: 904B

.reloc Size: 2KB - Virtual size: 1KB

e287c285123ece1e70cdbff5603cce08

Headers

File Characteristics

PDB Paths

Imports

ntoskrnl.exe

hal

Sections

.text Size: 30KB - Virtual size: 30KB

.rdata Size: 1KB - Virtual size: 1KB

.data Size: 5KB - Virtual size: 5KB

INIT Size: 3KB - Virtual size: 3KB

.rsrc Size: 1024B - Virtual size: 936B

.reloc Size: 2KB - Virtual size: 2KB

f9efe1d270a52584586a3775b916f85f

Headers

File Characteristics

Imports

kernel32

advapi32

shlwapi

version

msvcrt

Exports

Exports

Sections

.text Size: 16KB - Virtual size: 12KB

.rdata Size: 4KB - Virtual size: 1KB

.data Size: 4KB - Virtual size: 1KB

.rsrc Size: 4KB - Virtual size: 944B

.text
Size: 8KB - Virtual size: 6KB

.rdata
Size: 4KB - Virtual size: 1KB

.data
Size: 4KB - Virtual size: 860B

.rsrc
Size: 8KB - Virtual size: 4KB

.reloc
Size: 4KB - Virtual size: 1018B

.text
Size: 8KB - Virtual size: 4KB

.rdata
Size: 4KB - Virtual size: 1KB

.data
Size: 4KB - Virtual size: 1008B

.rsrc
Size: 8KB - Virtual size: 4KB

.text
Size: 28KB - Virtual size: 28KB

.rdata
Size: 1KB - Virtual size: 1KB

.data
Size: 5KB - Virtual size: 5KB

INIT
Size: 3KB - Virtual size: 3KB

.rsrc
Size: 1024B - Virtual size: 904B

.reloc
Size: 2KB - Virtual size: 1KB

.text
Size: 30KB - Virtual size: 30KB

.rdata
Size: 1KB - Virtual size: 1KB

.data
Size: 5KB - Virtual size: 5KB

INIT
Size: 3KB - Virtual size: 3KB

.rsrc
Size: 1024B - Virtual size: 936B

.reloc
Size: 2KB - Virtual size: 2KB

.text
Size: 16KB - Virtual size: 12KB

.rdata
Size: 4KB - Virtual size: 1KB

.data
Size: 4KB - Virtual size: 1KB

.rsrc
Size: 4KB - Virtual size: 944B

.reloc
Size: 4KB - Virtual size: 1KB