Tomcat9[.]exe | Triage

Sharing

Copy URL

Twitter E-mail

General

Target

Tomcat9.exe
Size

111KB
MD5

b825e2991051fb646fc4edac070f15b8
SHA1

28334f8b5a91fe670643a74aa604c371b94880b4
SHA256

ebb5d653efbeb80d7329a263395a2d9107ededb5239ef8dec86f5e30f4df0b6a
SHA512

727f2ab7c883af2117f84246e57b33c69223367788a74f73a79e79563073c8ed5c90310ab758d0579a47729a9cdd278032cf2092c9f8f8b9f38c4058d9d6a4cf
SSDEEP

1536:C1PoOq+IXu5RKS6mKkK1FCmEe/65WxMtebAZUvVdk0B3Ol6QBBOksZ9w7ZjYhfd:CJNq+IXSAcyCmE150Vy06BnsZq7ZYfd

Score

1^/10

Malware Config

Signatures

Files

Tomcat9.exe
.exe windows:5 windows x64 arch:x64

e84f0327f30c1c6b687ffd0ede2ff01b

Code Sign

7e:93:eb:fb:7c:c6:4e:59:ea:4b:9a:77:d4:06:fc:3b
Certificate

Issuer

CN=Thawte Timestamping CA,OU=Thawte Certification,O=Thawte,L=Durbanville,ST=Western Cape,C=ZA

Not Before

21/12/2012, 00:00

Not After

30/12/2020, 23:59

Subject

CN=Symantec Time Stamping Services CA - G2,O=Symantec Corporation,C=US

Extended Key Usages

ExtKeyUsageTimeStamping

Key Usages

KeyUsageCertSign
KeyUsageCRLSign

0e:cf:f4:38:c8:fe:bf:35:6e:04:d8:6a:98:1b:1a:50
Certificate

Issuer

CN=Symantec Time Stamping Services CA - G2,O=Symantec Corporation,C=US

Not Before

18/10/2012, 00:00

Not After

29/12/2020, 23:59

Subject

CN=Symantec Time Stamping Services Signer - G4,O=Symantec Corporation,C=US

Extended Key Usages

ExtKeyUsageTimeStamping

Key Usages

KeyUsageDigitalSignature

69:5a:a1:2d:85:36:80:0d:57:9b:7a:fc:84:c3:6f:e2
Certificate

Issuer

CN=Symantec Class 3 SHA256 Code Signing CA - G2,OU=Symantec Trust Network,O=Symantec Corporation,C=US

Not Before

07/11/2017, 00:00

Not After

08/11/2018, 23:59

Subject

CN=The Apache Software Foundation,OU=Apache Commons,O=The Apache Software Foundation,L=Wakefield,ST=Massachusetts,C=US

Extended Key Usages

ExtKeyUsageCodeSigning

Key Usages

KeyUsageDigitalSignature

7c:1b:35:35:4a:e7:db:74:e7:41:5f:11:69:ca:6b:a8
Certificate

Issuer

CN=VeriSign Universal Root Certification Authority,OU=VeriSign Trust Network+OU=(c) 2008 VeriSign\, Inc. - For authorized use only,O=VeriSign\, Inc.,C=US

Not Before

22/07/2014, 00:00

Not After

21/07/2024, 23:59

Subject

CN=Symantec Class 3 SHA256 Code Signing CA - G2,OU=Symantec Trust Network,O=Symantec Corporation,C=US

Extended Key Usages

ExtKeyUsageCodeSigning

Key Usages

KeyUsageCertSign
KeyUsageCRLSign

67:5b:71:c0:98:38:95:0f:81:e7:7c:12:b6:4e:f4:fe:80:10:5d:fc
Signer

Actual PE Digest

67:5b:71:c0:98:38:95:0f:81:e7:7c:12:b6:4e:f4:fe:80:10:5d:fc

Digest Algorithm

sha1

PE Digest Matches

true

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
IMAGE_DLLCHARACTERISTICS_NX_COMPAT
IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LARGE_ADDRESS_AWARE

Imports

kernel32

SetErrorMode
GetFileAttributesW
GetExitCodeThread
lstrcatA
lstrlenA
FindNextFileA
FindClose
FindFirstFileA
lstrcpyA
lstrcmpA
UnlockFile
SetFilePointer
LockFile
CreateFileW
SystemTimeToFileTime
CreateDirectoryW
GetSystemDirectoryW
GetLocalTime
SetLastError
LeaveCriticalSection
FlushFileBuffers
GetCurrentThreadId
WriteFile
FormatMessageA
EnterCriticalSection
GetStdHandle
InitializeCriticalSection
SetEnvironmentVariableW
GetExitCodeProcess
ReadFile
SetHandleInformation
CreatePipe
TerminateProcess
DuplicateHandle
FreeEnvironmentStringsW
LoadLibraryExW
WaitForMultipleObjects
GetCurrentProcess
CreateProcessW
OutputDebugStringW
GetEnvironmentStringsW
__C_specific_handler
GetProcessHeap
GetTickCount
_local_unwind
WideCharToMultiByte
GetCurrentProcessId
ExpandEnvironmentStringsW
LocalFree
LocalAlloc
GenerateConsoleCtrlEvent
DeleteFileW
AllocConsole
GetConsoleWindow
GetSystemTimeAsFileTime
SetCurrentDirectoryW
SetConsoleCtrlHandler
AttachConsole
ExitProcess
LoadLibraryW
GetProcAddress
FreeLibrary
VirtualFree
GlobalFree
GetSystemInfo
VirtualAlloc
HeapCreate
GetCommandLineW
HeapDestroy
ResumeThread
CreateEventW
Sleep
SetEvent
TerminateThread
WaitForSingleObject
ResetEvent
SwitchToThread
HeapFree
HeapReAlloc
HeapAlloc
CreateThread
CloseHandle
ExitThread
lstrcpyW
lstrcatW
GetEnvironmentVariableW
GetLastError
SetUnhandledExceptionFilter
UnhandledExceptionFilter
RtlCaptureContext
RtlLookupFunctionEntry
QueryPerformanceCounter
RtlVirtualUnwind
GetModuleHandleW
GetModuleFileNameW
GetLongPathNameW
lstrcmpiW
lstrlenW
SetStdHandle
lstrcmpW

advapi32

OpenServiceW
RegQueryValueExW
RegOpenKeyExW
RegCreateKeyExW
StartServiceCtrlDispatcherW
RegisterServiceCtrlHandlerW
SetServiceStatus
DeleteService
CreateServiceW
StartServiceW
EnumDependentServicesW
ControlService
QueryServiceStatusEx
ChangeServiceConfigW
ChangeServiceConfig2W
QueryServiceStatus
RegCloseKey
QueryServiceConfigW
OpenSCManagerW
CloseServiceHandle
CreateProcessAsUserW
LogonUserW
DuplicateTokenEx
ImpersonateLoggedOnUser
InitializeSecurityDescriptor
SetSecurityDescriptorDacl
RegDeleteKeyW
RegEnumKeyExW
RegDeleteValueW
RegSetValueExW

shell32

CommandLineToArgvW

user32

wvsprintfA
MessageBoxA
WaitForInputIdle
ShowWindow
FindWindowW
SendMessageW
wsprintfW
wsprintfA

msvcrt

_wputenv
setvbuf
_dup2
_fileno
_wfopen
fwprintf
fputc
_snprintf
towupper
_flushall
fprintf
atoi
strncmp
fputs
_unlock
__dllonexit
_lock
_onexit
towlower
_XcptFilter
_exit
_cexit
exit
_initterm
_amsg_exit
__setusermatherr
_commode
_fmode
__set_app_type
?terminate@@YAXXZ
memset
wcsrchr
wcschr
iswctype
fflush
__getmainargs
_iob

Sections

.text
Size: 60KB - Virtual size: 59KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rdata
Size: 23KB - Virtual size: 23KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.data
Size: 12KB - Virtual size: 22KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.pdata
Size: 4KB - Virtual size: 3KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.rsrc
Size: 4KB - Virtual size: 3KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.reloc
Size: 1024B - Virtual size: 700B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ

Sharing

General

Malware Config

Signatures

Files

e84f0327f30c1c6b687ffd0ede2ff01b

Code Sign

7e:93:eb:fb:7c:c6:4e:59:ea:4b:9a:77:d4:06:fc:3bCertificate

Extended Key Usages

Key Usages

0e:cf:f4:38:c8:fe:bf:35:6e:04:d8:6a:98:1b:1a:50Certificate

Extended Key Usages

Key Usages

69:5a:a1:2d:85:36:80:0d:57:9b:7a:fc:84:c3:6f:e2Certificate

Extended Key Usages

Key Usages

7c:1b:35:35:4a:e7:db:74:e7:41:5f:11:69:ca:6b:a8Certificate

Extended Key Usages

Key Usages

67:5b:71:c0:98:38:95:0f:81:e7:7c:12:b6:4e:f4:fe:80:10:5d:fcSigner

Headers

DLL Characteristics

File Characteristics

Imports

kernel32

advapi32

shell32

user32

msvcrt

Sections

.text Size: 60KB - Virtual size: 59KB

.rdata Size: 23KB - Virtual size: 23KB

.data Size: 12KB - Virtual size: 22KB

.pdata Size: 4KB - Virtual size: 3KB

.rsrc Size: 4KB - Virtual size: 3KB

.reloc Size: 1024B - Virtual size: 700B

7e:93:eb:fb:7c:c6:4e:59:ea:4b:9a:77:d4:06:fc:3b
Certificate

0e:cf:f4:38:c8:fe:bf:35:6e:04:d8:6a:98:1b:1a:50
Certificate

69:5a:a1:2d:85:36:80:0d:57:9b:7a:fc:84:c3:6f:e2
Certificate

7c:1b:35:35:4a:e7:db:74:e7:41:5f:11:69:ca:6b:a8
Certificate

67:5b:71:c0:98:38:95:0f:81:e7:7c:12:b6:4e:f4:fe:80:10:5d:fc
Signer

.text
Size: 60KB - Virtual size: 59KB

.rdata
Size: 23KB - Virtual size: 23KB

.data
Size: 12KB - Virtual size: 22KB

.pdata
Size: 4KB - Virtual size: 3KB

.rsrc
Size: 4KB - Virtual size: 3KB

.reloc
Size: 1024B - Virtual size: 700B