bof_server.pdb
Static task
static1
Behavioral task
behavioral1
Sample
a/myDriver.sys
Resource
win10v2004-20240412-en
General
-
Target
a.zip
-
Size
157KB
-
MD5
35e85927ef12150ed6806ca18a030fd8
-
SHA1
b381a8eac9ed5adabf5417351309d450d7209b1b
-
SHA256
fe032e79d2dbdd45d0fe1be11a7dadc1426408f12fa9f12ce1d4c8a0cad0d52f
-
SHA512
751b8a600a9605174fb70151da0e16ce2e856268155b3f63171c75f3fe5a96643c77775540e1a7844b7eae233c59b7f3483a32aaa893eedd6bca74703b1303a9
-
SSDEEP
3072:rDN3mZn2BAFbqmIPtPWJE5QWSspcjowwkbyXiZKr6SoL3ZG/p7J:rxmZgBmKPmEWx3zyXicmrEp7J
Malware Config
Signatures
-
Unsigned PE 1 IoCs
Checks for missing Authenticode signature.
resource unpack001/a/MoneyGrabber.exe
Files
-
a.zip.zip
Password: infected
-
a/MoneyGrabber.exe.exe windows:6 windows x64 arch:x64
Password: infected
e66278f854c104d7b78ef218d184f1c6
Headers
DLL Characteristics
IMAGE_DLLCHARACTERISTICS_HIGH_ENTROPY_VA
IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
IMAGE_DLLCHARACTERISTICS_NX_COMPAT
IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE
File Characteristics
IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LARGE_ADDRESS_AWARE
PDB Paths
Imports
ws2_32
WSACleanup
WSAGetLastError
WSASocketW
WSAStartup
accept
bind
closesocket
freeaddrinfo
getaddrinfo
listen
recv
send
shutdown
socket
api-ms-win-crt-heap-l1-1-0
_set_new_mode
calloc
free
malloc
api-ms-win-crt-private-l1-1-0
__C_specific_handler
api-ms-win-crt-runtime-l1-1-0
__p___argc
__p___argv
__p___wargv
_cexit
_configure_narrow_argv
_configure_wide_argv
_crt_at_quick_exit
_crt_atexit
_exit
_initialize_narrow_environment
_initialize_wide_environment
_initterm
_set_app_type
_set_invalid_parameter_handler
abort
exit
signal
api-ms-win-crt-stdio-l1-1-0
__acrt_iob_func
__p__commode
__p__fmode
__stdio_common_vfprintf
__stdio_common_vfwprintf
fwrite
api-ms-win-crt-string-l1-1-0
strlen
strncmp
strncpy
kernel32
AcquireSRWLockExclusive
CloseHandle
CreatePipe
CreateThread
DeleteCriticalSection
EnterCriticalSection
ExitProcess
GetCurrentThreadId
GetExitCodeProcess
GetLastError
GetModuleHandleA
GetProcAddress
InitializeCriticalSection
LeaveCriticalSection
LoadLibraryA
ReadFile
ReleaseSRWLockExclusive
SetUnhandledExceptionFilter
Sleep
TlsGetValue
VirtualAlloc
VirtualFree
VirtualProtect
VirtualQuery
WaitForSingleObject
WriteFile
ole32
CoInitializeEx
CoUninitialize
ntdll
NtAssignProcessToJobObject
NtClose
NtCreateJobObject
NtResumeThread
NtSetInformationJobObject
NtTerminateProcess
RtlCloneUserProcess
RtlWaitOnAddress
RtlWakeAddressAll
api-ms-win-crt-math-l1-1-0
__setusermatherr
api-ms-win-crt-environment-l1-1-0
__p__environ
__p__wenviron
api-ms-win-crt-time-l1-1-0
__daylight
__timezone
__tzname
_tzset
Sections
.text Size: 282KB - Virtual size: 282KB
IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ
.rdata Size: 75KB - Virtual size: 75KB
IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
.buildid Size: 512B - Virtual size: 67B
IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
.data Size: 1KB - Virtual size: 6KB
IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE
.pdata Size: 7KB - Virtual size: 6KB
IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
.tls Size: 512B - Virtual size: 24B
IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE
.reloc Size: 512B - Virtual size: 224B
IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ
-
a/flag4.txt
-
a/myDriver.inf
-
a/myDriver.sys.sys windows:10 windows x64 arch:x64
d0455d1f3fcee9ae0d2f1420cbba51a0
Code Sign
53:ec:c0:bc:e2:0e:59:ba:41:0a:ec:a3:c6:2d:4d:80
Certificate
Issuer: CN=WDKTestCert Plankton\,133579655003140504
Not Before: 19-04-2024 01:58
Not After: 18-04-2034 00:00
Subject: CN=WDKTestCert Plankton\,133579655003140504
Extended Key Usages
ExtKeyUsageCodeSigning
Key Usages
KeyUsageKeyEncipherment
KeyUsageDataEncipherment
4d:3d:c6:65:a9:c5:75:e9:5d:76:10:84:57:42:0a:4b:04:36:59:35:0b:57:72:ad:d7:94:58:f0:ac:49:c6:c7
Signer
Actual PE Digest: 4d:3d:c6:65:a9:c5:75:e9:5d:76:10:84:57:42:0a:4b:04:36:59:35:0b:57:72:ad:d7:94:58:f0:ac:49:c6:c7
Digest Algorithm: sha256
PE Digest Matches: true
Headers
DLL Characteristics
IMAGE_DLLCHARACTERISTICS_HIGH_ENTROPY_VA
IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
IMAGE_DLLCHARACTERISTICS_NX_COMPAT
IMAGE_DLLCHARACTERISTICS_GUARD_CF
File Characteristics
IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LARGE_ADDRESS_AWARE
PDB Paths
C:\Users\Plankton\Desktop\definitelyNoSuspiciousDriver\x64\Release\myDriver.pdb
Imports
ntoskrnl.exe
KeReleaseMutex
ProbeForWrite
MmMapLockedPagesSpecifyCache
KeInitializeMutex
ZwClose
RtlIpv4StringToAddressA
RtlEqualUnicodeString
RtlInitUnicodeString
_wcsupr
wcsstr
__C_specific_handler
IoReuseIrp
IoFreeMdl
IoFreeIrp
IoAllocateMdl
IoAllocateIrp
MmUnlockPages
MmProbeAndLockPages
ExFreePoolWithTag
ExAllocatePool2
RtlCopyUnicodeString
DbgPrintEx
KeWaitForSingleObject
KeSetEvent
KeResetEvent
PsCreateSystemThread
KeInitializeEvent
fltmgr.sys
FltUnregisterFilter
FltStartFiltering
FltGetFileNameInformation
FltReleaseFileNameInformation
FltParseFileNameInformation
FltLockUserBuffer
FltRegisterFilter
netio.sys
WskCaptureProviderNPI
WskRegister
WskReleaseProviderNPI
WskDeregister
wdfldr.sys
WdfLdrQueryInterface
WdfVersionUnbind
WdfVersionBind
WdfVersionBindClass
WdfVersionUnbindClass
Sections
.text Size: 7KB - Virtual size: 6KB
IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ
.rdata Size: 3KB - Virtual size: 3KB
IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
.data Size: 512B - Virtual size: 1KB
IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE
.pdata Size: 512B - Virtual size: 492B
IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
INIT Size: 1KB - Virtual size: 1KB
IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ
.reloc Size: 512B - Virtual size: 60B
IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ
-
a/mydriver.cat