CKAgentNXE[.]exe

Sharing

Copy URL Twitter E-mail

General

Target

CKAgentNXE.exe
Size

172KB
MD5

750de4c43174dd871e03786114241884
SHA1

2d9a5dde429b1c99b6218e1c25c9c5c7da7b9b26
SHA256

9759475a10a776f50ee2e0dbc1f2745d6890e1868706ff0977a1a0e97d5f2188
SHA512

f9bd963ebaab4cabcb6020a29ffd6b0a9709571258a9ec2d07b23a411067667b0d7de7cb84474ce897f73fbf9470513e062f915a9cf19403bc5fad35b85d05c4
SSDEEP

1536:wgBvm2Z7SDx1qStIaRYDdhQVE2Bro+cCva70jQwZjwwQzkEYGEbiBBbIJutTxYiH:wevm21SDvt/a39LCGtYIB0JutTxYikzg

Score

1^/10

Malware Config

Signatures

Files

CKAgentNXE.exe
.exe windows:4 windows x86 arch:x86

3a7421a945eab7f14bf97a6ec0c0dde5

Code Sign

7e:93:eb:fb:7c:c6:4e:59:ea:4b:9a:77:d4:06:fc:3b
Certificate

Issuer

CN=Thawte Timestamping CA,OU=Thawte Certification,O=Thawte,L=Durbanville,ST=Western Cape,C=ZA

Not Before

21/12/2012, 00:00

Not After

30/12/2020, 23:59

Subject

CN=Symantec Time Stamping Services CA - G2,O=Symantec Corporation,C=US

Extended Key Usages

ExtKeyUsageTimeStamping

Key Usages

KeyUsageCertSign
KeyUsageCRLSign

47:97:4d:78:73:a5:bc:ab:0d:2f:b3:70:19:2f:ce:5e
Certificate

Issuer

CN=thawte Primary Root CA,OU=Certification Services Division+OU=(c) 2006 thawte\, Inc. - For authorized use only,O=thawte\, Inc.,C=US

Not Before

08/02/2010, 00:00

Not After

07/02/2020, 23:59

Subject

CN=Thawte Code Signing CA - G2,O=Thawte\, Inc.,C=US

Extended Key Usages

ExtKeyUsageClientAuth
ExtKeyUsageCodeSigning

Key Usages

KeyUsageCertSign
KeyUsageCRLSign

0e:cf:f4:38:c8:fe:bf:35:6e:04:d8:6a:98:1b:1a:50
Certificate

Issuer

CN=Symantec Time Stamping Services CA - G2,O=Symantec Corporation,C=US

Not Before

18/10/2012, 00:00

Not After

29/12/2020, 23:59

Subject

CN=Symantec Time Stamping Services Signer - G4,O=Symantec Corporation,C=US

Extended Key Usages

ExtKeyUsageTimeStamping

Key Usages

KeyUsageDigitalSignature

52:47:12:f1:30:a5:2a:c1:53:12:c9:bb:42:59:e8:c7
Certificate

Issuer

CN=Thawte Code Signing CA - G2,O=Thawte\, Inc.,C=US

Not Before

24/02/2016, 00:00

Not After

25/03/2017, 23:59

Subject

CN=RaonSecure Co.\, Ltd.,O=RaonSecure Co.\, Ltd.,L=Anyang-si,ST=Gyeonggi-do,C=KR

Extended Key Usages

ExtKeyUsageCodeSigning

Key Usages

KeyUsageDigitalSignature

19:1a:32:cb:75:9c:97:b8:cf:ac:11:8d:d5:12:7f:49
Certificate

Issuer

CN=VeriSign Class 3 Public Primary Certification Authority - G5,OU=VeriSign Trust Network+OU=(c) 2006 VeriSign\, Inc. - For authorized use only,O=VeriSign\, Inc.,C=US

Not Before

04/03/2014, 00:00

Not After

03/03/2024, 23:59

Subject

CN=Symantec Class 3 Extended Validation Code Signing CA - G2,OU=Symantec Trust Network,O=Symantec Corporation,C=US

Extended Key Usages

ExtKeyUsageCodeSigning

Key Usages

KeyUsageCertSign
KeyUsageCRLSign

56:bf:c8:c3:52:6a:a8:6a:de:b3:f8:d4:1e:84:36:ee
Certificate

Issuer

CN=Symantec Class 3 Extended Validation Code Signing CA - G2,OU=Symantec Trust Network,O=Symantec Corporation,C=US

Not Before

06/10/2015, 00:00

Not After

05/10/2017, 23:59

Subject

SERIALNUMBER=138-81-16484,CN=RaonSecure Co.\, Ltd.,O=RaonSecure Co.\, Ltd.,L=Gangnam-gu,ST=Seoul,C=KR,2.5.4.15=#131450726976617465204f7267616e697a6174696f6e,1.3.6.1.4.1.311.60.2.1.3=#13024b52

Extended Key Usages

ExtKeyUsageCodeSigning

Key Usages

KeyUsageDigitalSignature

70:a0:1c:f4:ea:ef:99:fd:46:6c:ed:16:30:c1:b0:1f
Certificate

Issuer

CN=Symantec Time Stamping Services CA - G2,O=Symantec Corporation,C=US

Not Before

11/06/2015, 00:00

Not After

29/12/2020, 23:59

Subject

CN=GeoTrust 2048-bit Timestamping Signer 4,O=GeoTrust Inc,C=US

Extended Key Usages

ExtKeyUsageTimeStamping

Key Usages

KeyUsageDigitalSignature

Certificate

Issuer

CN=Thawte Timestamping CA,OU=Thawte Certification,O=Thawte,L=Durbanville,ST=Western Cape,C=ZA

Not Before

01/01/1997, 00:00

Not After

31/12/2020, 23:59

Subject

CN=Thawte Timestamping CA,OU=Thawte Certification,O=Thawte,L=Durbanville,ST=Western Cape,C=ZA

7e:93:eb:fb:7c:c6:4e:59:ea:4b:9a:77:d4:06:fc:3b
Certificate

Issuer

CN=Thawte Timestamping CA,OU=Thawte Certification,O=Thawte,L=Durbanville,ST=Western Cape,C=ZA

Not Before

21/12/2012, 00:00

Not After

30/12/2020, 23:59

Subject

CN=Symantec Time Stamping Services CA - G2,O=Symantec Corporation,C=US

Extended Key Usages

ExtKeyUsageTimeStamping

Key Usages

KeyUsageCertSign
KeyUsageCRLSign

f7:97:58:5c:f7:0e:a5:42:86:e8:58:6f:c9:b0:e3:43:8e:d0:07:21:4d:e2:d3:c9:40:a2:83:19:a5:36:25:b4
Signer

Actual PE Digest

f7:97:58:5c:f7:0e:a5:42:86:e8:58:6f:c9:b0:e3:43:8e:d0:07:21:4d:e2:d3:c9:40:a2:83:19:a5:36:25:b4

Digest Algorithm

sha256

PE Digest Matches

true

fc:96:5c:67:4a:c4:0a:d5:a2:33:55:73:e7:3c:ec:65:7b:5a:3a:b1
Signer

Actual PE Digest

fc:96:5c:67:4a:c4:0a:d5:a2:33:55:73:e7:3c:ec:65:7b:5a:3a:b1

Digest Algorithm

sha1

PE Digest Matches

true

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
IMAGE_DLLCHARACTERISTICS_NX_COMPAT

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_32BIT_MACHINE

Imports

kernel32

InterlockedExchange
GetVersion
GetModuleHandleA
TerminateThread
CreateThread
LoadResource
LockResource
SizeofResource
FindResourceA
FindResourceExA
GetVersionExA
InitializeCriticalSection
SetEvent
DeleteCriticalSection
EnterCriticalSection
LeaveCriticalSection
GetProcAddress
DeleteFileA
LoadLibraryA
WideCharToMultiByte
MultiByteToWideChar
ReleaseSemaphore
WriteConsoleW
GetConsoleOutputCP
WriteConsoleA
FlushFileBuffers
CloseHandle
GetStringTypeW
GetStringTypeA
GetConsoleMode
GetConsoleCP
GetCurrentProcessId
GetTickCount
QueryPerformanceCounter
GetFileType
SetHandleCount
GetEnvironmentStringsW
FreeEnvironmentStringsW
GetEnvironmentStrings
FreeEnvironmentStringsA
LCMapStringW
LCMapStringA
GetStdHandle
IsValidCodePage
GetOEMCP
GetCPInfo
VirtualFree
HeapCreate
ExitProcess
InterlockedDecrement
SetLastError
InterlockedIncrement
TlsFree
TlsSetValue
TlsAlloc
TlsGetValue
RtlUnwind
GetStartupInfoA
GetCommandLineA
GetSystemTimeAsFileTime
VirtualAlloc
IsDebuggerPresent
SetUnhandledExceptionFilter
UnhandledExceptionFilter
TerminateProcess
GetCurrentThreadId
ExitThread
RaiseException
OpenSemaphoreA
Sleep
LocalFree
LocalAlloc
GetExitCodeThread
CreateRemoteThread
OpenProcess
WaitForSingleObject
CreateEventA
GetLastError
FreeLibrary
OpenEventA
GetWindowsDirectoryA
GetModuleFileNameA
ReleaseMutex
CreateMutexA
SetStdHandle
GetProcessHeap
HeapSize
HeapReAlloc
HeapFree
HeapAlloc
HeapDestroy
GetACP
IsBadReadPtr
GetThreadLocale
GetLocaleInfoA
VirtualAllocEx
WriteProcessMemory
VirtualFreeEx
ResetEvent
UnmapViewOfFile
CreateFileMappingA
MapViewOfFile
GetUserDefaultLangID
GetCurrentProcess
GetSystemDirectoryA
WriteFile
CreateFileA
SetFilePointer
ReadFile
FindClose
FindFirstFileA
CreateDirectoryA
GetFileAttributesA

user32

LoadCursorA
RegisterClassExA
GetMessageA
LoadIconA
LoadStringA
ShowWindow
UpdateWindow
DispatchMessageA
DefWindowProcA
EnumChildWindows
TranslateAcceleratorA
LoadImageA
FindWindowExA
AttachThreadInput
LoadAcceleratorsA
FindWindowA
CreateWindowExA
RegisterWindowMessageA
UnregisterClassA
TranslateMessage
SetWindowRgn
GetWindowLongA
SetWindowPos
GetWindowRect
GetMonitorInfoA
MonitorFromPoint
GetDlgItem
SendMessageA
SetWindowLongA
CreateDialogParamA
InvalidateRgn
PostMessageA
MessageBoxA
SendInput
PostQuitMessage
KillTimer
SendMessageTimeoutA
RegisterDeviceNotificationA
SetTimer
DestroyWindow
WindowFromPoint
GetWindowThreadProcessId
IsWindow
GetCursorPos
GetClassNameA

gdi32

CombineRgn
CreateRectRgn
ExtCreateRegion
DeleteDC
GetDIBits
CreateICA
GetObjectA
DeleteObject

advapi32

SetSecurityDescriptorSacl
GetSecurityDescriptorSacl
ConvertStringSecurityDescriptorToSecurityDescriptorA
SetSecurityDescriptorDacl
InitializeSecurityDescriptor
RegCloseKey
RegQueryValueExA
RegOpenKeyExA
AdjustTokenPrivileges
LookupPrivilegeValueA
OpenProcessToken

shell32

ExtractIconA
Shell_NotifyIconA

imagehlp

CheckSumMappedFile

shlwapi

PathFileExistsA
PathRemoveFileSpecA
PathCombineA

version

GetFileVersionInfoA
GetFileVersionInfoSizeA
VerQueryValueA

wininet

InternetCrackUrlA
InternetCanonicalizeUrlA
HttpOpenRequestA
InternetConnectA
InternetSetOptionA
InternetOpenA
InternetCloseHandle
HttpQueryInfoA
InternetReadFile
HttpSendRequestA

ole32

CoTaskMemFree

Sections

.text
Size: 92KB - Virtual size: 91KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rdata
Size: 20KB - Virtual size: 18KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.data
Size: 8KB - Virtual size: 28KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.rsrc
Size: 24KB - Virtual size: 21KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.reloc
Size: 12KB - Virtual size: 10KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ

Sharing

General

Malware Config

Signatures

Files

3a7421a945eab7f14bf97a6ec0c0dde5

Code Sign

7e:93:eb:fb:7c:c6:4e:59:ea:4b:9a:77:d4:06:fc:3bCertificate

Extended Key Usages

Key Usages

47:97:4d:78:73:a5:bc:ab:0d:2f:b3:70:19:2f:ce:5eCertificate

Extended Key Usages

Key Usages

0e:cf:f4:38:c8:fe:bf:35:6e:04:d8:6a:98:1b:1a:50Certificate

Extended Key Usages

Key Usages

52:47:12:f1:30:a5:2a:c1:53:12:c9:bb:42:59:e8:c7Certificate

Extended Key Usages

Key Usages

19:1a:32:cb:75:9c:97:b8:cf:ac:11:8d:d5:12:7f:49Certificate

Extended Key Usages

Key Usages

56:bf:c8:c3:52:6a:a8:6a:de:b3:f8:d4:1e:84:36:eeCertificate

Extended Key Usages

Key Usages

70:a0:1c:f4:ea:ef:99:fd:46:6c:ed:16:30:c1:b0:1fCertificate

Extended Key Usages

Key Usages

Certificate

7e:93:eb:fb:7c:c6:4e:59:ea:4b:9a:77:d4:06:fc:3bCertificate

Extended Key Usages

Key Usages

f7:97:58:5c:f7:0e:a5:42:86:e8:58:6f:c9:b0:e3:43:8e:d0:07:21:4d:e2:d3:c9:40:a2:83:19:a5:36:25:b4Signer

fc:96:5c:67:4a:c4:0a:d5:a2:33:55:73:e7:3c:ec:65:7b:5a:3a:b1Signer

Headers

DLL Characteristics

File Characteristics

Imports

kernel32

user32

gdi32

advapi32

shell32

imagehlp

shlwapi

version

wininet

ole32

Sections

.text Size: 92KB - Virtual size: 91KB

.rdata Size: 20KB - Virtual size: 18KB

.data Size: 8KB - Virtual size: 28KB

.rsrc Size: 24KB - Virtual size: 21KB

.reloc Size: 12KB - Virtual size: 10KB

7e:93:eb:fb:7c:c6:4e:59:ea:4b:9a:77:d4:06:fc:3b
Certificate

47:97:4d:78:73:a5:bc:ab:0d:2f:b3:70:19:2f:ce:5e
Certificate

0e:cf:f4:38:c8:fe:bf:35:6e:04:d8:6a:98:1b:1a:50
Certificate

52:47:12:f1:30:a5:2a:c1:53:12:c9:bb:42:59:e8:c7
Certificate

19:1a:32:cb:75:9c:97:b8:cf:ac:11:8d:d5:12:7f:49
Certificate

56:bf:c8:c3:52:6a:a8:6a:de:b3:f8:d4:1e:84:36:ee
Certificate

70:a0:1c:f4:ea:ef:99:fd:46:6c:ed:16:30:c1:b0:1f
Certificate

7e:93:eb:fb:7c:c6:4e:59:ea:4b:9a:77:d4:06:fc:3b
Certificate

f7:97:58:5c:f7:0e:a5:42:86:e8:58:6f:c9:b0:e3:43:8e:d0:07:21:4d:e2:d3:c9:40:a2:83:19:a5:36:25:b4
Signer

fc:96:5c:67:4a:c4:0a:d5:a2:33:55:73:e7:3c:ec:65:7b:5a:3a:b1
Signer

.text
Size: 92KB - Virtual size: 91KB

.rdata
Size: 20KB - Virtual size: 18KB

.data
Size: 8KB - Virtual size: 28KB

.rsrc
Size: 24KB - Virtual size: 21KB

.reloc
Size: 12KB - Virtual size: 10KB