fc5525429f0c5b410f51ff2314c34971_JaffaCakes118

Sharing

Copy URL Twitter E-mail

General

Target

fc5525429f0c5b410f51ff2314c34971_JaffaCakes118
Size

8.5MB
MD5

fc5525429f0c5b410f51ff2314c34971
SHA1

e59190a96d1d1b359e503e78bc4ce3973bed42a4
SHA256

cb24431a2a9a6e897dbc38e8cff9757cffbcc4872c9f83e65bca0edeb1df3c3c
SHA512

3d4a74e279f536d6bf6c055aff357e763d1572d4d4570b09bb7747129bc740e2f6416ec414e1295c2f8deaddb258379e112fbb81d97662e7f526a52514b58d91
SSDEEP

196608:JKyfVV0yP2NfrlLCTOn48iho6IJpaaHAb9fTf9ExxMDA:JK8SVrOOHinIJsYAFbcM8

Score

7^/10

vmprotect

Malware Config

Signatures

VMProtect packed file 2 IoCs

Detects executables packed with VMProtect commercial packer.

vmprotect

resource	yara_rule
static1/unpack001/DiRT 3/SKIDROW.dll	vmprotect
static1/unpack001/DiRT 3/paul.dll	vmprotect

Unsigned PE 3 IoCs

Checks for missing Authenticode signature.

resource
unpack001/DiRT 3/SKIDROW.dll
unpack001/DiRT 3/binkw32.dll
unpack001/DiRT 3/paul.dll

Files

fc5525429f0c5b410f51ff2314c34971_JaffaCakes118
.rar
DiRT 3/SKIDROW.dll
.dll windows:5 windows x86 arch:x86

ccb8ea8f09f8568c5028627c71dca040

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
IMAGE_DLLCHARACTERISTICS_NX_COMPAT

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_32BIT_MACHINE
IMAGE_FILE_DLL

Imports

kernel32

TlsGetValue
GetModuleHandleA
LoadLibraryA
LocalAlloc
LocalFree
GetModuleFileNameA
ExitProcess

user32

MessageBoxA

Exports

Exports

SKIDROW
az�!�T��#L��US��6>�<�)4�v�X*s�.v��N�ptqo�3r�C�{t�E�)�n�/}t[5��D*/��2~r��b��Uj��2E�@}�v0��]��o?��a��Qja��]-�'��C]h��|V�5�~�P��$1J�*��R��y�Ǒ>�c��nM6W�*]�Ao�\�l�q��%�sֳ��rJԂ��}y:�~�d�w~_�1�ix5۲)��`2��S*��jq��r�I?��W��n)G��e��@�7s�W7(-�uj��i�*��;��DC��g�s��Ի�ԡ��O^&+�W�E��"`J�}ꡕ�n��7�ɫ��3�2�d@�3�H�p~�� e%S"�V��DvEH��V0.�k�֚�:�*��{"#{�:��D*ۃɺ.�h=o5K�C�ɠ��unR s��Q;� _X%���.E<3I" wʸM%��#P��ܵ��#�G��-��ى��BL��( /z�_�W�юԒ��tmA�3�H�J�#c�b }_�H��Y�ʟ��O��p卩ߦ�Ji. �⟸Q�>��^��zco�<c�t�ͻlGPՆ�?��'aL�tA��]�Ş�;�ˀ\z��W]�J��`��W �6�.6�B203��"Hą*�K� 3@z��K5xCU�2��G7�Ř��Fn�M��p��4�(��a��;��;=��o��R��3��(Op�{� h\@��=��S��& �ٷ��3�A��l�8� ��S�f��.O�J1rs8|�y��i�I�$M�u��ޚ"b��`T��t��t> ��tts ��"�wxHwk�"w+\'��C�ۋ�0R��E� g��ǲ�o��j��l�k��.υ-��PY��M��]�;!��mi�0�¢��dS �liW�ŭY`��,��{"�� VR��ͺ�iH��0�f ƲC��x��M�p'��+�"k��ξa�+�� _��5�k�<7h�W|��<��e\w�q狓��l�W#PT�ύK�E83QZ��C�Ԧ��q��6��Vo�[�ߴ�>Z�sr+z�s�]�\��Kx�~o��%��S�CPd�t6^oA��LOw[eg~� ��mØ{��(��F��AS9уqg1�8f�|!Q�&�� έ;h�P�&��7�\��py��D��gAp�[��:�!0�c<��"��ymż��A �ok%��b0�8�j�&�wG��- ��kZ�e<��.U��V"��iid �Z,�(��,�t��&˼r�%X��T��p�l{�fBx/��Nt?[�)h��N�(9��t��C�� #&�&�I�o:"��0�$�T]��S2@��w`�y�� A��BܟѢt��4�V=��P��]��ڎs�@�K�U�:QEǓ��F"ƙ�/s/�ν�b>h�Ҩ7I��c��&�Z�T��Ԛ��wR�[7�)Z��n��@#��|��,��.��ѐ�z_��V��p�hD>��So��QZ��+�?�<I~�� !p��p�:B��萐�-^JX��'�ٿ��5$q�۔�K�򩢥�Y�1;��ĥ��}��Vx�ݻ�: Y��*�K_�%x��j��}��zZ��t!6�-+�kzu�5ܡs��v��#��)��h��?��]I%"4}��hzֵ��t5��w8�[�9��W��fZ�4G:��oPnz]��ҙ[�Z��B-�>��?<�� N��mu��H+6��p��`4��S��U��Dps�V��9��Wö��_��o��N�k�)F(�uM%�#^w��1)�ޥid�[9ˣ>`c��rWGg�x3�j��Q��?y�!N��OB�)�? ��A�;pM{�޹�iڐ~�B��n�'4�-s�E��L��`�*��?]`!��X�s��(��Ûv)��OB(Q�6]��x�T��@c 0��=w�J�IB�F'Uń�}�Ϥ�h��%A��i��=��*��˥e<�Y��?4�X�u�O��ɛ�^�p��ϐ7`�ѐ��}��/�ON�D�-��j�8v��2��ѓ��}A�$��{t�rJ�UHw�a;��8�}�kh�cn��bRK�.�9�$4MqCk2�Ob��Y��H��k>�` �D��F/�v8f�� n��L�1��H��@�-��X٪��&Yb��ċ��=c�|<�L2֗Ts0¢��robG��S��ԡ�:!<�t��5-;��:��e�.�rl��n�DI�SEu~ڒ��H��;��m�@�[>�b�4,%�p��W��\<��v��l�H]�nXOGI֝��3'3Y��cW7��g�=ʊ��}k�\[$�X6B��V��[a6*=;y� |Ģ�h2�H�:"��3dּN�|#v�=��|)�� ˹�L��5��#oPU�(��o�Ţ��ʭ��tv�j �E��iGsr=-��&��lw�p�V��ځ= ��/:6�;��FEF݁��bIT"��*�k/6�7tn'�`@i�?0��"d�R�Ʒaw�X��>��B��˗:k�pY��S��yCfw$6E�@5�� A��O�\{�<�k��,��(�L��,�ʔ��(�F\�݉y@y]��HV��P�_Lz,��+�! _�$�}cW��w�d�FS,q`�z��&WWp��U�� [/u6��a��>g]g�Մ�/�f��fr�,�R��V�q��#�F*d�-Di@��B�Q��X9g��[<�i~0?�� P��j[��ЦFI�|y�f��%�9S�R�}xY+��Ư�L��2`�@��ʯj��`A�\>Ǘ��4䙶�6��$��'

Sections

.text
Size: - Virtual size: 53KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rdata
Size: - Virtual size: 18KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.data
Size: - Virtual size: 14KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.rsrc
Size: 512B - Virtual size: 436B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.vmp0
Size: - Virtual size: 7KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.vmp1
Size: - Virtual size: 114KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE

.tls
Size: 512B - Virtual size: 24B

IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.vmp2
Size: 188KB - Virtual size: 187KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.reloc
Size: 512B - Virtual size: 204B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ
DiRT 3/binkw32.dll
.dll windows:4 windows x86 arch:x86

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_NX_COMPAT
IMAGE_DLLCHARACTERISTICS_NO_SEH

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_32BIT_MACHINE
IMAGE_FILE_DLL

PDB Paths

C:\devel\projects\bink\build\binkw32.pdb

Exports

Exports

_BinkBufferBlit@12
_BinkBufferCheckWinPos@12
_BinkBufferClear@8
_BinkBufferClose@4
_BinkBufferGetDescription@4
_BinkBufferGetError@0
_BinkBufferLock@4
_BinkBufferOpen@16
_BinkBufferSetDirectDraw@8
_BinkBufferSetHWND@8
_BinkBufferSetOffset@12
_BinkBufferSetResolution@12
_BinkBufferSetScale@12
_BinkBufferUnlock@4
_BinkCheckCursor@20
_BinkClose@4
_BinkCloseTrack@4
_BinkControlBackgroundIO@8
_BinkControlPlatformFeatures@8
_BinkCopyToBuffer@28
_BinkCopyToBufferRect@44
_BinkDDSurfaceType@4
_BinkDX8SurfaceType@4
_BinkDX9SurfaceType@4
_BinkDoFrame@4
_BinkDoFrameAsync@12
_BinkDoFrameAsyncWait@8
_BinkDoFramePlane@8
_BinkFreeGlobals@0
_BinkGetError@0
_BinkGetFrameBuffersInfo@8
_BinkGetKeyFrame@12
_BinkGetPalette@4
_BinkGetPlatformInfo@8
_BinkGetRealtime@12
_BinkGetRects@8
_BinkGetSummary@8
_BinkGetTrackData@8
_BinkGetTrackID@8
_BinkGetTrackMaxSize@8
_BinkGetTrackType@8
_BinkGoto@12
_BinkIsSoftwareCursor@8
_BinkLogoAddress@0
_BinkNextFrame@4
_BinkOpen@8
_BinkOpenDirectSound@4
_BinkOpenMiles@4
_BinkOpenTrack@8
_BinkOpenWaveOut@4
_BinkOpenWithOptions@12
_BinkPause@8
_BinkRegisterFrameBuffers@8
_BinkRequestStopAsyncThread@4
_BinkRestoreCursor@4
_BinkService@4
_BinkServiceSound@0
_BinkSetError@4
_BinkSetFileOffset@8
_BinkSetFrameRate@8
_BinkSetIO@4
_BinkSetIOSize@4
_BinkSetMemory@8
_BinkSetPan@12
_BinkSetSimulate@4
_BinkSetSoundOnOff@8
_BinkSetSoundSystem@8
_BinkSetSoundTrack@8
_BinkSetSpeakerVolumes@20
_BinkSetVideoOnOff@8
_BinkSetVolume@12
_BinkSetWillLoop@8
_BinkShouldSkip@4
_BinkStartAsyncThread@8
_BinkWait@4
_BinkWaitStopAsyncThread@4
_RADTimerRead@0

Sections

.text
Size: 5KB - Virtual size: 5KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

BINKY12
Size: 512B - Virtual size: 432B

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

BINKY16
Size: 2KB - Virtual size: 2KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

BINKP8
Size: 2KB - Virtual size: 2KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

BINK16
Size: 4KB - Virtual size: 4KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

BINK32
Size: 5KB - Virtual size: 4KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

BINK
Size: 114KB - Virtual size: 113KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

RADCODE
Size: 2KB - Virtual size: 2KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

BINKBSS
Size: - Virtual size: 26KB

IMAGE_SCN_CNT_UNINITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.rdata
Size: 6KB - Virtual size: 6KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.data
Size: 15KB - Virtual size: 14KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

BINKCONS
Size: 21KB - Virtual size: 21KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

BINKDATA
Size: 12KB - Virtual size: 11KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

RADDATA
Size: 512B - Virtual size: 52B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

RADCONST
Size: 512B - Virtual size: 159B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.rsrc
Size: 8KB - Virtual size: 8KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.reloc
Size: 8KB - Virtual size: 8KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE
DiRT 3/dirt3.exe
.exe windows:4 windows x86 arch:x86

c4a41db4f29cb1018fab1131042a6911

Code Sign

38:25:d7:fa:f8:61:af:9e:f4:90:e7:26:b5:d6:5a:d5
Certificate

Issuer

CN=VeriSign Time Stamping Services CA,O=VeriSign\, Inc.,C=US

Not Before

15/06/2007, 00:00

Not After

14/06/2012, 23:59

Subject

CN=VeriSign Time Stamping Services Signer - G2,O=VeriSign\, Inc.,C=US

Extended Key Usages

ExtKeyUsageTimeStamping

Key Usages

KeyUsageDigitalSignature
KeyUsageContentCommitment

47:bf:19:95:df:8d:52:46:43:f7:db:6d:48:0d:31:a4
Certificate

Issuer

CN=Thawte Timestamping CA,OU=Thawte Certification,O=Thawte,L=Durbanville,ST=Western Cape,C=ZA

Not Before

04/12/2003, 00:00

Not After

03/12/2013, 23:59

Subject

CN=VeriSign Time Stamping Services CA,O=VeriSign\, Inc.,C=US

Extended Key Usages

ExtKeyUsageTimeStamping

Key Usages

KeyUsageCertSign
KeyUsageCRLSign

41:91:a1:5a:39:78:df:cf:49:65:66:38:1d:4c:75:c2
Certificate

Issuer

OU=Class 3 Public Primary Certification Authority,O=VeriSign\, Inc.,C=US

Not Before

16/07/2004, 00:00

Not After

15/07/2014, 23:59

Subject

CN=VeriSign Class 3 Code Signing 2004 CA,OU=VeriSign Trust Network+OU=Terms of use at https://www.verisign.com/rpa (c)04,O=VeriSign\, Inc.,C=US

Extended Key Usages

ExtKeyUsageClientAuth
ExtKeyUsageCodeSigning

Key Usages

KeyUsageCertSign
KeyUsageCRLSign

4b:e2:be:3f:dd:84:63:e4:83:8f:72:b8:27:32:b8:ec
Certificate

Issuer

CN=VeriSign Class 3 Code Signing 2004 CA,OU=VeriSign Trust Network+OU=Terms of use at https://www.verisign.com/rpa (c)04,O=VeriSign\, Inc.,C=US

Not Before

16/09/2008, 00:00

Not After

12/10/2011, 23:59

Subject

CN=Sony DADC Austria AG,OU=Digital ID Class 3 - Microsoft Software Validation v2+OU=Virtual Factory,O=Sony DADC Austria AG,L=Salzburg,ST=Salzburg,C=AT

Extended Key Usages

ExtKeyUsageCodeSigning

Key Usages

KeyUsageDigitalSignature

c1:5a:21:8d:59:e7:f9:59:c1:b9:1f:f0:03:6d:0a:1c:84:f7:a4:e7
Signer

Actual PE Digest

c1:5a:21:8d:59:e7:f9:59:c1:b9:1f:f0:03:6d:0a:1c:84:f7:a4:e7

Digest Algorithm

sha1

PE Digest Matches

true

Headers

File Characteristics

IMAGE_FILE_RELOCS_STRIPPED
IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LINE_NUMS_STRIPPED
IMAGE_FILE_LOCAL_SYMS_STRIPPED
IMAGE_FILE_32BIT_MACHINE

Imports

user32

SendMessageA
MessageBoxA
SetWindowTextW
EnableWindow
SetFocus
SetWindowPos
FlashWindow
SetForegroundWindow
SendMessageW
DestroyWindow
CreateWindowExW
ShowWindow
CharLowerBuffA
SetWindowTextA
GetSysColor
GetProcessWindowStation
GetUserObjectInformationW
GetDesktopWindow
SetDlgItemTextA
SetDlgItemTextW
EndDialog
GetKeyboardType
GetSubMenu
UpdateWindow
GetMenu
EnableMenuItem
CheckMenuItem
CharLowerA
LoadCursorA
GetWindowTextA
GetWindowLongA
GetParent
GetClientRect
GetClassNameA
GetClassLongA
EnumChildWindows
DestroyCursor
wsprintfA
GetCursor
GetWindowThreadProcessId
FindWindowExA
FindWindowA
EnumWindows
GetSystemMetrics
UnregisterHotKey
RegisterHotKey
CreateWindowExA
RegisterClassExA
UnregisterClassA
DispatchMessageA
TranslateMessage
GetMessageA
DefWindowProcA
SetCursor
GetDlgItem
GetForegroundWindow
DialogBoxIndirectParamA
SendDlgItemMessageA
GetSysColorBrush
LoadStringA
CopyImage
wsprintfW
LoadImageA
SetSystemCursor
GetMenuState
LoadCursorFromFileA

kernel32

CreateEventA
GetProcAddress
lstrcmpA
lstrlenW
GetCurrentProcessId
VirtualFree
VirtualAlloc
GetCommandLineW
ReadFile
CreateFileW
GetModuleFileNameW
SetLastError
LoadLibraryA
GetModuleHandleA
GetSystemInfo
GetFileAttributesW
ResumeThread
GetExitCodeProcess
SetUnhandledExceptionFilter
Sleep
WaitForSingleObject
GetLastError
CloseHandle
ResetEvent
TerminateProcess
GetCurrentThreadId
SetFilePointer
LocalFree
LocalAlloc
ExitProcess
GetCurrentProcess
GetStartupInfoA
GetCommandLineA
GetVersionExA
DeleteCriticalSection
LeaveCriticalSection
EnterCriticalSection
WriteFile
GetStdHandle
GetModuleFileNameA
UnhandledExceptionFilter
FreeEnvironmentStringsA
GetEnvironmentStrings
FreeEnvironmentStringsW
WideCharToMultiByte
GetEnvironmentStringsW
SetHandleCount
GetFileType
TlsAlloc
TlsFree
TlsSetValue
TlsGetValue
HeapDestroy
HeapCreate
HeapFree
HeapAlloc
InitializeCriticalSection
RtlUnwind
HeapReAlloc
HeapSize
InterlockedExchange
VirtualQuery
GetACP
GetOEMCP
GetCPInfo
MultiByteToWideChar
SetStdHandle
QueryPerformanceCounter
GetTickCount
GetSystemTimeAsFileTime
LCMapStringA
LCMapStringW
GetStringTypeA
GetStringTypeW
GetLocaleInfoA
FlushFileBuffers
VirtualProtect
GetFileAttributesA
GetDiskFreeSpaceA
GetDiskFreeSpaceW
GetFullPathNameA
GetFullPathNameW
lstrcmpiA
CreateFileA
GetShortPathNameA
SetEvent
GetComputerNameA
CreateThread
SetNamedPipeHandleState
WaitNamedPipeA
ReleaseMutex
CreateMutexA
GetProcessHeap
FreeLibrary
LoadLibraryW
LoadLibraryExA
LoadLibraryExW
OutputDebugStringA
GetSystemTime
CreateFileMappingA
SetCurrentDirectoryA
GetCurrentDirectoryA
OpenEventA
OpenMutexA
QueryDosDeviceA
SuspendThread
FileTimeToSystemTime
SetThreadAffinityMask
GetProcessAffinityMask
GetCurrentThread
GetTempPathA
CreateDirectoryW
GetThreadContext
IsBadReadPtr
WritePrivateProfileStringA
GetExitCodeThread
MoveFileExW
DeleteFileW
RemoveDirectoryW
FindNextFileW
ConnectNamedPipe
GetStartupInfoW
CreateProcessW
CreateNamedPipeA
GetTempPathW
CopyFileA
GetTempFileNameA
GetSystemDirectoryW
MoveFileExA
GetUserDefaultLangID
LockResource
LoadResource
FindResourceA
GlobalAlloc
GlobalLock
CreateProcessA
DeviceIoControl
FindClose
FindFirstFileA
FindNextFileA
GetDriveTypeA
GetFileSize
GetLocalTime
GetLogicalDrives
GetSystemDirectoryA
GetVolumeInformationA
MapViewOfFile
OpenProcess
SetErrorMode
UnmapViewOfFile
FormatMessageA
DeleteFileA
DuplicateHandle
WaitForMultipleObjects
GetVolumeInformationW
GetFileInformationByHandle
SystemTimeToFileTime
FindFirstFileW
GetEnvironmentVariableA
GetVersion
GetPriorityClass
FlushInstructionCache
lstrlenA
IsBadWritePtr
GetWindowsDirectoryA
GlobalMemoryStatus
RaiseException
GetTimeZoneInformation
IsBadCodePtr
SetConsoleCtrlHandler
SetEndOfFile
CompareStringA
CompareStringW
SetEnvironmentVariableA
FlushConsoleInputBuffer
LocalLock
GlobalUnlock
GlobalFree
LocalUnlock
ReleaseSemaphore
CreateSemaphoreA
ReadConsoleInputA
SetConsoleMode
GetConsoleMode
SetFileAttributesA
CompareFileTime
GetCurrentDirectoryW
GetFileTime
CreateDirectoryA
CopyFileW
FileTimeToLocalFileTime
QueryPerformanceFrequency
SetPriorityClass
GetThreadPriority
SetFileAttributesW
SetThreadPriority

crypt32

CryptMsgGetParam
CertFindCertificateInStore
CertGetNameStringA
CryptDecodeObject
CryptQueryObject

advapi32

InitializeSecurityDescriptor
AllocateAndInitializeSid
SetEntriesInAclA
FreeSid
SetSecurityDescriptorDacl
RegisterEventSourceA
RegEnumValueA
OpenThreadToken
RegCloseKey
RegOpenKeyExA
RegQueryValueExA
RegOpenKeyA
RegQueryInfoKeyA
RegEnumKeyExA
RegCreateKeyExA
GetSidSubAuthorityCount
GetSidSubAuthority
GetSidIdentifierAuthority
IsValidSid
QueryServiceStatus
CloseServiceHandle
OpenServiceA
OpenSCManagerA
DeleteService
ControlService
StartServiceA
CreateServiceA
DeregisterEventSource
ReportEventA
RegEnumKeyA
RegSetKeySecurity
EqualSid
GetTokenInformation
OpenProcessToken
GetUserNameA
RegDeleteKeyA

comctl32

InitCommonControlsEx
ord17

ole32

CoInitialize
CoUninitialize
CoTaskMemFree

shlwapi

PathFileExistsW
PathCombineA
PathCombineW
PathRemoveExtensionA
PathRemoveExtensionW
PathRemoveFileSpecA
PathFileExistsA
PathStripPathW
PathStripPathA
PathRemoveFileSpecW

shell32

SHGetSpecialFolderPathW
ShellExecuteA
ShellExecuteExA
SHGetMalloc
SHGetSpecialFolderLocation
SHGetPathFromIDListW
SHGetSpecialFolderPathA

wsock32

recv
WSASetLastError
send
shutdown
WSAGetLastError
closesocket

version

GetFileVersionInfoA
GetFileVersionInfoSizeA
VerQueryValueA

Sections

.text
Size: 36KB - Virtual size: 35KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rdata
Size: 12KB - Virtual size: 9KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.data
Size: 12KB - Virtual size: 21KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.rsrc
Size: 468KB - Virtual size: 467KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

Stext
Size: 5.0MB - Virtual size: 10.1MB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

Sitext
Size: 32KB - Virtual size: 28KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

Srdata
Size: 540KB - Virtual size: 538KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

Sdata
Size: 1.1MB - Virtual size: 3.3MB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

Sidata
Size: 28KB - Virtual size: 24KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.securom
Size: 1.6MB - Virtual size: 1.6MB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE
DiRT 3/paul.dll
.dll windows:5 windows x86 arch:x86

b04af0503dfd0ef75dcc0951c85297ef

Headers

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_32BIT_MACHINE
IMAGE_FILE_DLL

Imports

kernel32

FreeEnvironmentStringsW
GetModuleHandleA
LoadLibraryA
LocalAlloc
LocalFree
GetModuleFileNameA
ExitProcess

user32

SetWindowPos

gdi32

GetObjectW

winspool.drv

OpenPrinterW

advapi32

RegCloseKey

shell32

ShellExecuteW

shlwapi

PathFindFileNameW

oleaut32

VariantInit

Exports

Exports

drm_pagui_doit

Sections

.text
Size: - Virtual size: 183KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rdata
Size: - Virtual size: 47KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.data
Size: - Virtual size: 34KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.rsrc
Size: 4KB - Virtual size: 510KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.vmp0
Size: - Virtual size: 35KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.vmp1
Size: - Virtual size: 255KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE

.vmp2
Size: 429KB - Virtual size: 429KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.reloc
Size: 512B - Virtual size: 164B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ
DiRT 3/说明.txt

Sharing

General

Malware Config

Signatures

Files

ccb8ea8f09f8568c5028627c71dca040

Headers

DLL Characteristics

File Characteristics

Imports

kernel32

user32

Exports

Exports

Sections

.text Size: - Virtual size: 53KB

.rdata Size: - Virtual size: 18KB

.data Size: - Virtual size: 14KB

.rsrc Size: 512B - Virtual size: 436B

.vmp0 Size: - Virtual size: 7KB

.vmp1 Size: - Virtual size: 114KB

.tls Size: 512B - Virtual size: 24B

.vmp2 Size: 188KB - Virtual size: 187KB

.reloc Size: 512B - Virtual size: 204B

Headers

DLL Characteristics

File Characteristics

PDB Paths

Exports

Exports

Sections

.text Size: 5KB - Virtual size: 5KB

BINKY12 Size: 512B - Virtual size: 432B

BINKY16 Size: 2KB - Virtual size: 2KB

BINKP8 Size: 2KB - Virtual size: 2KB

BINK16 Size: 4KB - Virtual size: 4KB

BINK32 Size: 5KB - Virtual size: 4KB

BINK Size: 114KB - Virtual size: 113KB

RADCODE Size: 2KB - Virtual size: 2KB

BINKBSS Size: - Virtual size: 26KB

.rdata Size: 6KB - Virtual size: 6KB

.data Size: 15KB - Virtual size: 14KB

BINKCONS Size: 21KB - Virtual size: 21KB

BINKDATA Size: 12KB - Virtual size: 11KB

RADDATA Size: 512B - Virtual size: 52B

RADCONST Size: 512B - Virtual size: 159B

.rsrc Size: 8KB - Virtual size: 8KB

.reloc Size: 8KB - Virtual size: 8KB

c4a41db4f29cb1018fab1131042a6911

Code Sign

38:25:d7:fa:f8:61:af:9e:f4:90:e7:26:b5:d6:5a:d5Certificate

Extended Key Usages

Key Usages

47:bf:19:95:df:8d:52:46:43:f7:db:6d:48:0d:31:a4Certificate

Extended Key Usages

Key Usages

41:91:a1:5a:39:78:df:cf:49:65:66:38:1d:4c:75:c2Certificate

Extended Key Usages

Key Usages

4b:e2:be:3f:dd:84:63:e4:83:8f:72:b8:27:32:b8:ecCertificate

Extended Key Usages

Key Usages

c1:5a:21:8d:59:e7:f9:59:c1:b9:1f:f0:03:6d:0a:1c:84:f7:a4:e7Signer

Headers

File Characteristics

Imports

user32

kernel32

crypt32

advapi32

comctl32

ole32

shlwapi

shell32

wsock32

version

Sections

.text Size: 36KB - Virtual size: 35KB

.rdata Size: 12KB - Virtual size: 9KB

.data Size: 12KB - Virtual size: 21KB

.text
Size: - Virtual size: 53KB

.rdata
Size: - Virtual size: 18KB

.data
Size: - Virtual size: 14KB

.rsrc
Size: 512B - Virtual size: 436B

.vmp0
Size: - Virtual size: 7KB

.vmp1
Size: - Virtual size: 114KB

.tls
Size: 512B - Virtual size: 24B

.vmp2
Size: 188KB - Virtual size: 187KB

.reloc
Size: 512B - Virtual size: 204B

.text
Size: 5KB - Virtual size: 5KB

BINKY12
Size: 512B - Virtual size: 432B

BINKY16
Size: 2KB - Virtual size: 2KB

BINKP8
Size: 2KB - Virtual size: 2KB

BINK16
Size: 4KB - Virtual size: 4KB

BINK32
Size: 5KB - Virtual size: 4KB

BINK
Size: 114KB - Virtual size: 113KB

RADCODE
Size: 2KB - Virtual size: 2KB

BINKBSS
Size: - Virtual size: 26KB

.rdata
Size: 6KB - Virtual size: 6KB

.data
Size: 15KB - Virtual size: 14KB

BINKCONS
Size: 21KB - Virtual size: 21KB

BINKDATA
Size: 12KB - Virtual size: 11KB

RADDATA
Size: 512B - Virtual size: 52B

RADCONST
Size: 512B - Virtual size: 159B

.rsrc
Size: 8KB - Virtual size: 8KB

.reloc
Size: 8KB - Virtual size: 8KB

38:25:d7:fa:f8:61:af:9e:f4:90:e7:26:b5:d6:5a:d5
Certificate

47:bf:19:95:df:8d:52:46:43:f7:db:6d:48:0d:31:a4
Certificate

41:91:a1:5a:39:78:df:cf:49:65:66:38:1d:4c:75:c2
Certificate

4b:e2:be:3f:dd:84:63:e4:83:8f:72:b8:27:32:b8:ec
Certificate

c1:5a:21:8d:59:e7:f9:59:c1:b9:1f:f0:03:6d:0a:1c:84:f7:a4:e7
Signer

.text
Size: 36KB - Virtual size: 35KB

.rdata
Size: 12KB - Virtual size: 9KB

.data
Size: 12KB - Virtual size: 21KB

.rsrc
Size: 468KB - Virtual size: 467KB

Stext
Size: 5.0MB - Virtual size: 10.1MB

Sitext
Size: 32KB - Virtual size: 28KB

Srdata
Size: 540KB - Virtual size: 538KB

Sdata
Size: 1.1MB - Virtual size: 3.3MB

Sidata
Size: 28KB - Virtual size: 24KB

.securom
Size: 1.6MB - Virtual size: 1.6MB

.text
Size: - Virtual size: 183KB

.rdata
Size: - Virtual size: 47KB

.data
Size: - Virtual size: 34KB

.rsrc
Size: 4KB - Virtual size: 510KB

.vmp0
Size: - Virtual size: 35KB

.vmp1
Size: - Virtual size: 255KB

.vmp2
Size: 429KB - Virtual size: 429KB

.reloc
Size: 512B - Virtual size: 164B