3e4aefa8ed58720e28431fda84bb0be2_JaffaCakes118

Sharing

Copy URL Twitter E-mail

General

Target

3e4aefa8ed58720e28431fda84bb0be2_JaffaCakes118
Size

4.7MB
MD5

3e4aefa8ed58720e28431fda84bb0be2
SHA1

adbe4b4cb3bfe9f843e347b87860b6a75b8a6d1f
SHA256

4566878f99644af59af4b31e711d57a39f62af9f819f75b802e99a656ad7c11a
SHA512

2bce439230080c1bfc89e2714a9b1b30e316086af022e866ef024976b9a40400ab1e955fa634552b3fa49fa666403a44fad023ce01266f4a4de9f63c43477d88
SSDEEP

98304:911XaLn/+laUKQ7SmXIEsPgVPynU3dycFuZEGK3WOTlDmkNPQ1XNLBio+:911XaL6aUx7SrFYA8YcFuZ3K3WgD7NoQ

Score

7^/10

vmprotect upx

Malware Config

Signatures

ACProtect 1.3x - 1.4x DLL software 1 IoCs

Detects file using ACProtect software.

resource	yara_rule
static1/unpack001/V10.16试用版本/vbs脚本权限/dm.dll	acprotect

UPX packed file 1 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
static1/unpack001/V10.16试用版本/vbs脚本权限/dm.dll	upx

VMProtect packed file 1 IoCs

Detects executables packed with VMProtect commercial packer.

vmprotect

resource	yara_rule
static1/unpack001/V10.16试用版本/KSafeTray.exe	vmprotect

Unsigned PE 5 IoCs

Checks for missing Authenticode signature.

resource
unpack001/V10.16试用版本/plugin/FILE.DLL
unpack001/V10.16试用版本/plugin/QSGJ11C.DLL
unpack001/V10.16试用版本/plugin/REGDLL.DLL
unpack001/V10.16试用版本/vbs脚本权限/dm.dll
unpack002/out.upx

Files

3e4aefa8ed58720e28431fda84bb0be2_JaffaCakes118
.rar
V10.16试用版本/KSafeTray.exe
.exe windows:4 windows x86 arch:x86

adf0d6dac985aa5392a1f14aea68a071

Code Sign

79:a2:a5:85:f9:d1:15:42:13:d9:b8:3e:f6:b6:8d:ed
Certificate

Issuer

CN=VeriSign Time Stamping Services CA,O=VeriSign\, Inc.,C=US

Not Before

01/05/2012, 00:00

Not After

31/12/2012, 23:59

Subject

CN=Symantec Time Stamping Services Signer - G3,O=Symantec Corporation,C=US

Extended Key Usages

ExtKeyUsageTimeStamping

Key Usages

KeyUsageDigitalSignature

47:bf:19:95:df:8d:52:46:43:f7:db:6d:48:0d:31:a4
Certificate

Issuer

CN=Thawte Timestamping CA,OU=Thawte Certification,O=Thawte,L=Durbanville,ST=Western Cape,C=ZA

Not Before

04/12/2003, 00:00

Not After

03/12/2013, 23:59

Subject

CN=VeriSign Time Stamping Services CA,O=VeriSign\, Inc.,C=US

Extended Key Usages

ExtKeyUsageTimeStamping

Key Usages

KeyUsageCertSign
KeyUsageCRLSign

1b:09:3b:78:60:96:da:37:bb:a4:51:94:46:c8:96:78
Certificate

Issuer

OU=Class 3 Public Primary Certification Authority,O=VeriSign\, Inc.,C=US

Not Before

08/11/2006, 00:00

Not After

07/11/2021, 23:59

Subject

CN=VeriSign Class 3 Public Primary Certification Authority - G5,OU=VeriSign Trust Network+OU=(c) 2006 VeriSign\, Inc. - For authorized use only,O=VeriSign\, Inc.,C=US

Key Usages

KeyUsageCertSign
KeyUsageCRLSign

20:9e:74:6c:15:a8:5e:54:7a:fa:f6:a4:c3:27:7c:81
Certificate

Issuer

CN=VeriSign Class 3 Code Signing 2010 CA,OU=VeriSign Trust Network+OU=Terms of use at https://www.verisign.com/rpa (c)10,O=VeriSign\, Inc.,C=US

Not Before

12/04/2011, 00:00

Not After

11/04/2013, 23:59

Subject

CN=fuzhou tian xia chuang shi digital Co.\,Ltd,OU=Digital ID Class 3 - Microsoft Software Validation v2,O=fuzhou tian xia chuang shi digital Co.\,Ltd,L=fuzhou,ST=fujian,C=CN

Extended Key Usages

ExtKeyUsageCodeSigning

Key Usages

KeyUsageDigitalSignature

52:00:e5:aa:25:56:fc:1a:86:ed:96:c9:d4:4b:33:c7
Certificate

Issuer

CN=VeriSign Class 3 Public Primary Certification Authority - G5,OU=VeriSign Trust Network+OU=(c) 2006 VeriSign\, Inc. - For authorized use only,O=VeriSign\, Inc.,C=US

Not Before

08/02/2010, 00:00

Not After

07/02/2020, 23:59

Subject

CN=VeriSign Class 3 Code Signing 2010 CA,OU=VeriSign Trust Network+OU=Terms of use at https://www.verisign.com/rpa (c)10,O=VeriSign\, Inc.,C=US

Extended Key Usages

ExtKeyUsageClientAuth
ExtKeyUsageCodeSigning

Key Usages

KeyUsageCertSign
KeyUsageCRLSign

3d:b8:05:75:b3:12:ab:21:2b:b4:99:ba:e6:a9:38:b2:cd:5c:fc:9c
Signer

Actual PE Digest

3d:b8:05:75:b3:12:ab:21:2b:b4:99:ba:e6:a9:38:b2:cd:5c:fc:9c

Digest Algorithm

sha1

PE Digest Matches

false

Headers

File Characteristics

IMAGE_FILE_RELOCS_STRIPPED
IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LINE_NUMS_STRIPPED
IMAGE_FILE_LOCAL_SYMS_STRIPPED
IMAGE_FILE_32BIT_MACHINE

Imports

mfc42

ord1640

msvcrt

_onexit

kernel32

GlobalSize
LoadLibraryA
VirtualProtect
GetModuleFileNameA
ExitProcess

user32

GetDC
MessageBoxA

gdi32

GetBkColor

advapi32

ControlService

shell32

SHGetPathFromIDListA

comctl32

ImageList_GetImageCount

ole32

CLSIDFromString

oleaut32

GetErrorInfo

urlmon

URLDownloadToFileA

msvcp60

?_Stinit@?1??_Init@?$basic_filebuf@DU?$char_traits@D@std@@@std@@IAEXPAU_iobuf@@W4_Initfl@23@@Z@4HA

winmm

PlaySoundA

shlwapi

SHDeleteKeyA

ws2_32

ntohs

psapi

EnumProcessModules

rpcrt4

UuidToStringA

imagehlp

MakeSureDirectoryPathExists

dinput8

DirectInput8Create

wininet

InternetSetOptionA

uxtheme

SetThemeAppProperties

comdlg32

GetOpenFileNameA

olepro32

ord251

Exports

Exports

?interfaceMap@CCustomControlSite@@1UAFX_INTERFACEMAP@@B

Sections

.text
Size: 780KB - Virtual size: 777KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rdata
Size: 440KB - Virtual size: 439KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.data
Size: 52KB - Virtual size: 314KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.vmp0
Size: 1.4MB - Virtual size: 1.4MB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.vmp1
Size: 156KB - Virtual size: 153KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.rsrc
Size: 1.4MB - Virtual size: 1.4MB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
V10.16试用版本/KSafeTray.ini
V10.16试用版本/cfgdll.dll
.dll windows:4 windows x86 arch:x86

e3493c33b4da4c9e132164b491c5d2cc

Code Sign

79:a2:a5:85:f9:d1:15:42:13:d9:b8:3e:f6:b6:8d:ed
Certificate

Issuer

CN=VeriSign Time Stamping Services CA,O=VeriSign\, Inc.,C=US

Not Before

01/05/2012, 00:00

Not After

31/12/2012, 23:59

Subject

CN=Symantec Time Stamping Services Signer - G3,O=Symantec Corporation,C=US

Extended Key Usages

ExtKeyUsageTimeStamping

Key Usages

KeyUsageDigitalSignature

47:bf:19:95:df:8d:52:46:43:f7:db:6d:48:0d:31:a4
Certificate

Issuer

CN=Thawte Timestamping CA,OU=Thawte Certification,O=Thawte,L=Durbanville,ST=Western Cape,C=ZA

Not Before

04/12/2003, 00:00

Not After

03/12/2013, 23:59

Subject

CN=VeriSign Time Stamping Services CA,O=VeriSign\, Inc.,C=US

Extended Key Usages

ExtKeyUsageTimeStamping

Key Usages

KeyUsageCertSign
KeyUsageCRLSign

1b:09:3b:78:60:96:da:37:bb:a4:51:94:46:c8:96:78
Certificate

Issuer

OU=Class 3 Public Primary Certification Authority,O=VeriSign\, Inc.,C=US

Not Before

08/11/2006, 00:00

Not After

07/11/2021, 23:59

Subject

CN=VeriSign Class 3 Public Primary Certification Authority - G5,OU=VeriSign Trust Network+OU=(c) 2006 VeriSign\, Inc. - For authorized use only,O=VeriSign\, Inc.,C=US

Key Usages

KeyUsageCertSign
KeyUsageCRLSign

20:9e:74:6c:15:a8:5e:54:7a:fa:f6:a4:c3:27:7c:81
Certificate

Issuer

CN=VeriSign Class 3 Code Signing 2010 CA,OU=VeriSign Trust Network+OU=Terms of use at https://www.verisign.com/rpa (c)10,O=VeriSign\, Inc.,C=US

Not Before

12/04/2011, 00:00

Not After

11/04/2013, 23:59

Subject

CN=fuzhou tian xia chuang shi digital Co.\,Ltd,OU=Digital ID Class 3 - Microsoft Software Validation v2,O=fuzhou tian xia chuang shi digital Co.\,Ltd,L=fuzhou,ST=fujian,C=CN

Extended Key Usages

ExtKeyUsageCodeSigning

Key Usages

KeyUsageDigitalSignature

52:00:e5:aa:25:56:fc:1a:86:ed:96:c9:d4:4b:33:c7
Certificate

Issuer

CN=VeriSign Class 3 Public Primary Certification Authority - G5,OU=VeriSign Trust Network+OU=(c) 2006 VeriSign\, Inc. - For authorized use only,O=VeriSign\, Inc.,C=US

Not Before

08/02/2010, 00:00

Not After

07/02/2020, 23:59

Subject

CN=VeriSign Class 3 Code Signing 2010 CA,OU=VeriSign Trust Network+OU=Terms of use at https://www.verisign.com/rpa (c)10,O=VeriSign\, Inc.,C=US

Extended Key Usages

ExtKeyUsageClientAuth
ExtKeyUsageCodeSigning

Key Usages

KeyUsageCertSign
KeyUsageCRLSign

48:46:3f:61:18:dc:9c:9b:07:6e:09:32:5b:4b:d9:b3:e1:3c:ed:49
Signer

Actual PE Digest

48:46:3f:61:18:dc:9c:9b:07:6e:09:32:5b:4b:d9:b3:e1:3c:ed:49

Digest Algorithm

sha1

PE Digest Matches

true

Headers

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LINE_NUMS_STRIPPED
IMAGE_FILE_LOCAL_SYMS_STRIPPED
IMAGE_FILE_32BIT_MACHINE
IMAGE_FILE_DLL

Imports

kernel32

MapViewOfFile
OpenFileMappingA
CreateFileMappingA
CloseHandle
UnmapViewOfFile
OpenEventA
CreateEventA
WaitForSingleObject
PulseEvent
GetTimeZoneInformation
GetSystemTime
GetLocalTime
GetCommandLineA
GetVersion
GetCurrentThreadId
TlsSetValue
TlsAlloc
TlsFree
SetLastError
TlsGetValue
GetLastError
ExitProcess
TerminateProcess
GetCurrentProcess
SetHandleCount
GetStdHandle
GetFileType
GetStartupInfoA
DeleteCriticalSection
GetModuleFileNameA
FreeEnvironmentStringsA
FreeEnvironmentStringsW
WideCharToMultiByte
GetEnvironmentStrings
GetEnvironmentStringsW
GetModuleHandleA
GetEnvironmentVariableA
GetVersionExA
HeapDestroy
HeapCreate
VirtualFree
HeapFree
WriteFile
HeapAlloc
InitializeCriticalSection
EnterCriticalSection
LeaveCriticalSection
GetCPInfo
GetACP
GetOEMCP
VirtualAlloc
HeapReAlloc
GetProcAddress
LoadLibraryA
RtlUnwind
MultiByteToWideChar
LCMapStringA
LCMapStringW
GetStringTypeA
GetStringTypeW
InterlockedDecrement
InterlockedIncrement
CompareStringA
CompareStringW
SetEnvironmentVariableA

user32

UnhookWindowsHookEx
SetWindowsHookExA
CallNextHookEx
PostMessageA

Sections

.text
Size: 24KB - Virtual size: 23KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rdata
Size: 4KB - Virtual size: 3KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.data
Size: 12KB - Virtual size: 16KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.rsrc
Size: 4KB - Virtual size: 2KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.reloc
Size: 4KB - Virtual size: 3KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ
V10.16试用版本/cfgdll.opt
V10.16试用版本/plugin/FILE.DLL
.dll regsvr32 windows:4 windows x86 arch:x86

a10a0592e6925a16bb3205010b141edd

Headers

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LINE_NUMS_STRIPPED
IMAGE_FILE_LOCAL_SYMS_STRIPPED
IMAGE_FILE_32BIT_MACHINE
IMAGE_FILE_DLL

Imports

mfc42

ord533
ord6407
ord2818
ord4278
ord536
ord858
ord535
ord2915
ord6662
ord5194
ord5465
ord924
ord939
ord1997
ord798
ord6354
ord941
ord1131
ord1132
ord5500
ord815
ord561
ord3738
ord3081
ord3262
ord354
ord5186
ord3318
ord1979
ord665
ord3790
ord6153
ord537
ord940
ord540
ord823
ord825
ord860
ord1601
ord800
ord743
ord446
ord2486
ord4226
ord5714
ord5289
ord5307
ord4698
ord4079
ord5302
ord269
ord826
ord600
ord1578
ord6467
ord1255
ord1253
ord1570
ord1197
ord1243
ord342
ord1182
ord1577
ord1168
ord1575
ord1176
ord1116
ord6877
ord859
ord1799
ord2982
ord3147
ord3259
ord4465
ord3136
ord2985
ord2976
ord3830
ord3831
ord3825
ord3079
ord4080
ord4424
ord614
ord1206
ord2623
ord290
ord1223
ord4622
ord4003
ord4274
ord6375
ord4486
ord2554
ord2512
ord5731
ord3922
ord1089
ord5199
ord2396
ord3346
ord5300

msvcrt

_tzset
atoi
sscanf
__CxxFrameHandler
_mkdir
??1type_info@@UAE@XZ
_adjust_fdiv
malloc
_initterm
free
_onexit
__dllonexit
wcstombs
_timezone
strrchr
strchr
rename

kernel32

CloseHandle
CreateFileA
WriteFile
ReadFile
SetFilePointer
SystemTimeToFileTime
OpenFile
SetFileTime
MoveFileA
DeleteFileA
GetFileAttributesA
CopyFileA
GetPrivateProfileStringA
WritePrivateProfileStringA
GetModuleFileNameA
IsDebuggerPresent
LocalFree
LocalAlloc
_lclose

comdlg32

GetOpenFileNameA

shell32

SHGetPathFromIDListA
SHBrowseForFolderA
SHFileOperationA

advapi32

RegSetValueExA
RegCloseKey
RegOpenKeyA

ole32

StringFromCLSID
CoTaskMemFree

Exports

Exports

DllCanUnloadNow
DllGetClassObject
DllRegisterServer

Sections

.text
Size: 12KB - Virtual size: 10KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rdata
Size: 8KB - Virtual size: 4KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.data
Size: 4KB - Virtual size: 7KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.rsrc
Size: 8KB - Virtual size: 5KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.reloc
Size: 4KB - Virtual size: 1KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ
V10.16试用版本/plugin/QSGJ11C.DLL
.dll regsvr32 windows:4 windows x86 arch:x86

4661f84075dd5f4eef26950a2046af1e

Headers

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LINE_NUMS_STRIPPED
IMAGE_FILE_LOCAL_SYMS_STRIPPED
IMAGE_FILE_32BIT_MACHINE
IMAGE_FILE_DLL

Imports

msvbvm60

EVENT_SINK_GetIDsOfNames
__vbaVarSub
__vbaVarTstGt
_CIcos
_adj_fptan
__vbaStrI4
__vbaVarMove
__vbaHresultCheck
__vbaVarVargNofree
__vbaFreeVar
__vbaGosubReturn
__vbaStrVarMove
__vbaLenBstr
__vbaAptOffset
__vbaPut3
__vbaFreeVarList
__vbaVarIdiv
_adj_fdiv_m64
EVENT_SINK_Invoke
__vbaRaiseEvent
__vbaFreeObjList
ord516
__vbaStrErrVarCopy
_adj_fprem1
__vbaRecAnsiToUni
ord518
ord626
__vbaCopyBytes
__vbaForEachCollAd
__vbaVarCmpNe
__vbaStrCat
__vbaLsetFixstr
__vbaRecDestruct
__vbaSetSystemError
__vbaHresultCheckObj
ord662
__vbaLenVar
_adj_fdiv_m32
__vbaVarTstLe
__vbaAryVar
Zombie_GetTypeInfo
__vbaVarXor
__vbaAryDestruct
__vbaVarCmpGe
__vbaVarIndexLoadRefLock
__vbaExitProc
__vbaVarForInit
ord593
ord594
__vbaObjSet
__vbaOnError
ord595
_adj_fdiv_m16i
ord303
__vbaObjSetAddref
_adj_fdivr_m16i
__vbaVarIndexLoad
ord598
ord520
ord309
__vbaRefVarAry
__vbaVargVar
__vbaBoolVarNull
__vbaVarTstLt
_CIsin
ord631
ord525
__vbaVargVarMove
__vbaVarCmpGt
ord632
__vbaChkstk
__vbaFileClose
__vbaGosubFree
EVENT_SINK_AddRef
ord527
__vbaGenerateBoundsError
__vbaVarAbs
__vbaExitEachColl
__vbaStrCmp
__vbaPutOwner3
__vbaAryConstruct2
__vbaVarTstEq
__vbaObjVar
__vbaI2I4
DllFunctionCall
__vbaVarOr
__vbaVarLateMemSt
ord564
_adj_fpatan
__vbaFixstrConstruct
Zombie_GetTypeInfoCount
__vbaRedim
__vbaRecUniToAnsi
EVENT_SINK_Release
__vbaNew
ord600
__vbaUI1I2
_CIsqrt
__vbaVarAnd
EVENT_SINK_QueryInterface
__vbaStrUI1
__vbaUI1I4
__vbaVarMul
__vbaExceptHandler
ord711
__vbaStrToUnicode
ord712
_adj_fprem
_adj_fdivr_m64
ord607
ord608
ord716
__vbaVarCmpLe
__vbaFPException
ord717
__vbaInStrVar
ord319
__vbaStrVarVal
__vbaUbound
__vbaVarCat
ord535
__vbaLsetFixstrFree
__vbaI2Var
ord537
ord645
_CIlog
__vbaErrorOverflow
__vbaFileOpen
ord648
__vbaInStr
__vbaVarLateMemCallLdRf
__vbaNew2
_adj_fdiv_m32i
_adj_fdivr_m32i
ord573
__vbaStrCopy
__vbaI4Str
ord681
__vbaVarCmpLt
__vbaVarNot
__vbaFreeStrList
_adj_fdivr_m32
__vbaPowerR8
_adj_fdiv_r
ord685
__vbaVarTstNe
ord101
__vbaVarSetVar
ord102
__vbaI4Var
ord103
__vbaVarCmpEq
ord104
ord105
__vbaAryLock
__vbaVarAdd
__vbaLateMemCall
ord320
__vbaStrComp
__vbaVarDup
__vbaStrToAnsi
ord321
__vbaFpI2
__vbaVarMod
__vbaFpI4
__vbaVarCopy
__vbaVarTstGe
__vbaVarLateMemCallLd
__vbaRecDestructAnsi
__vbaLateMemCallLd
__vbaVarSetObjAddref
ord617
_CIatan
__vbaStrMove
__vbaAryCopy
__vbaStrVarCopy
ord619
ord650
_allmul
_CItan
__vbaNextEachCollAd
ord546
__vbaUI1Var
__vbaAryUnlock
__vbaFPInt
__vbaVarForNext
_CIexp
__vbaFreeStr
__vbaFreeObj

Exports

Exports

DllCanUnloadNow
DllGetClassObject
DllRegisterServer
DllUnregisterServer

Sections

.text
Size: 112KB - Virtual size: 108KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.data
Size: 4KB - Virtual size: 5KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.rsrc
Size: 12KB - Virtual size: 8KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.reloc
Size: 8KB - Virtual size: 7KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ
V10.16试用版本/plugin/REGDLL.DLL
.dll regsvr32 windows:4 windows x86 arch:x86

f076a1e4fbab4d2c4bccbdc4ea8a1b72

Headers

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LINE_NUMS_STRIPPED
IMAGE_FILE_LOCAL_SYMS_STRIPPED
IMAGE_FILE_32BIT_MACHINE
IMAGE_FILE_DLL

Imports

mfc42

ord3831
ord3825
ord3079
ord4080
ord4424
ord614
ord1206
ord2623
ord290
ord825
ord1223
ord4622
ord4226
ord2486
ord4003
ord446
ord743
ord1569
ord1196
ord1168
ord6467
ord4274
ord6375
ord4486
ord2554
ord2512
ord5731
ord3922
ord3830
ord5199
ord2396
ord3346
ord5300
ord5302
ord2725
ord4079
ord4698
ord5307
ord5289
ord5714
ord3262
ord3081
ord3738
ord561
ord815
ord5500
ord1132
ord1131
ord6354
ord1176
ord1575
ord1577
ord1182
ord342
ord1243
ord1197
ord1570
ord1253
ord1255
ord2976
ord2985
ord3136
ord4465
ord3147
ord3259
ord2982
ord1799
ord1089
ord823
ord1578
ord600
ord826
ord269
ord1116

msvcrt

__CxxFrameHandler
wcstombs
__dllonexit
_onexit
free
??1type_info@@UAE@XZ
_adjust_fdiv
malloc
_initterm

kernel32

LocalFree
LoadLibraryA
FreeLibrary
GetProcAddress
LocalAlloc

advapi32

RegSetValueExA
RegCloseKey
RegCreateKeyExA

ole32

OleInitialize
CoTaskMemFree
StringFromCLSID
OleUninitialize

Exports

Exports

DllCanUnloadNow
DllGetClassObject
DllRegisterServer

Sections

.text
Size: 4KB - Virtual size: 3KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rdata
Size: 4KB - Virtual size: 2KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.data
Size: 4KB - Virtual size: 4KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.rsrc
Size: 4KB - Virtual size: 2KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.reloc
Size: 4KB - Virtual size: 722B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ
V10.16试用版本/txt文本例子.txt
V10.16试用版本/uservar.ini
V10.16试用版本/vbs脚本权限/dm.dll
.dll regsvr32 windows:4 windows x86 arch:x86

Headers

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LINE_NUMS_STRIPPED
IMAGE_FILE_LOCAL_SYMS_STRIPPED
IMAGE_FILE_32BIT_MACHINE
IMAGE_FILE_DLL

Exports

Exports

??0CxFile@@QAE@ABV0@@Z
??0CxFile@@QAE@XZ
??0CxIOFile@@QAE@ABV0@@Z
??0CxIOFile@@QAE@PAU_iobuf@@@Z
??0CxMemFile@@QAE@ABV0@@Z
??1CxFile@@UAE@XZ
??1CxIOFile@@UAE@XZ
??1CxImage@@UAE@XZ
??4CxFile@@QAEAAV0@ABV0@@Z
??4CxIOFile@@QAEAAV0@ABV0@@Z
??4CxMemFile@@QAEAAV0@ABV0@@Z
??_7CxFile@@6B@
??_7CxIOFile@@6B@
??_7CxImage@@6B@
??_7CxMemFile@@6B@
??_FCxIOFile@@QAEXXZ
??_FCxImage@@QAEXXZ
??_FCxMemFile@@QAEXXZ
??_OCxImage@@QAEXABV0@@Z
?Close@CxIOFile@@UAE_NXZ
?Eof@CxIOFile@@UAE_NXZ
?Error@CxIOFile@@UAEJXZ
?Flush@CxIOFile@@UAE_NXZ
?GetC@CxIOFile@@UAEJXZ
?GetS@CxIOFile@@UAEPADPADH@Z
?Open@CxIOFile@@QAE_NPBD0@Z
?PutC@CxFile@@UAE_NE@Z
?PutC@CxIOFile@@UAE_NE@Z
?Read@CxIOFile@@UAEIPAXII@Z
?Scanf@CxIOFile@@UAEJPBDPAX@Z
?Seek@CxIOFile@@UAE_NJH@Z
?Size@CxIOFile@@UAEJXZ
?Tell@CxIOFile@@UAEJXZ
?Write@CxIOFile@@UAEIPBXII@Z
CBFunA
CBFunB
DllCanUnloadNow
DllGetClassObject
DllRegisterServer
DllUnregisterServer

Sections

UPX0
Size: - Virtual size: 672KB

IMAGE_SCN_CNT_UNINITIALIZED_DATA
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

UPX1
Size: 759KB - Virtual size: 760KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.rsrc
Size: 50KB - Virtual size: 52KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE
out.upx
.dll windows:4 windows x86 arch:x86

Headers

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LINE_NUMS_STRIPPED
IMAGE_FILE_LOCAL_SYMS_STRIPPED
IMAGE_FILE_32BIT_MACHINE
IMAGE_FILE_DLL

Sections

.text
Size: 736KB - Virtual size: 735KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rdata
Size: 84KB - Virtual size: 82KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.data
Size: 36KB - Virtual size: 108KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.rsrc
Size: 224KB - Virtual size: 223KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.tp0
Size: 48KB - Virtual size: 44KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.tp1
Size: 164KB - Virtual size: 163KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.reloc
Size: 36KB - Virtual size: 32KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ
V10.16试用版本/vbs脚本权限/运行下vbs脚本权限.bat
V10.16试用版本/提示注册码错误的运行下.bat
V10.16试用版本/游戏设置参考图.jpg
.jpg
V10.16试用版本/采集草药参考图.jpg
.jpg

Sharing

General

Malware Config

Signatures

Files

adf0d6dac985aa5392a1f14aea68a071

Code Sign

79:a2:a5:85:f9:d1:15:42:13:d9:b8:3e:f6:b6:8d:edCertificate

Extended Key Usages

Key Usages

47:bf:19:95:df:8d:52:46:43:f7:db:6d:48:0d:31:a4Certificate

Extended Key Usages

Key Usages

1b:09:3b:78:60:96:da:37:bb:a4:51:94:46:c8:96:78Certificate

Key Usages

20:9e:74:6c:15:a8:5e:54:7a:fa:f6:a4:c3:27:7c:81Certificate

Extended Key Usages

Key Usages

52:00:e5:aa:25:56:fc:1a:86:ed:96:c9:d4:4b:33:c7Certificate

Extended Key Usages

Key Usages

3d:b8:05:75:b3:12:ab:21:2b:b4:99:ba:e6:a9:38:b2:cd:5c:fc:9cSigner

Headers

File Characteristics

Imports

mfc42

msvcrt

kernel32

user32

gdi32

advapi32

shell32

comctl32

ole32

oleaut32

urlmon

msvcp60

winmm

shlwapi

ws2_32

psapi

rpcrt4

imagehlp

dinput8

wininet

uxtheme

comdlg32

olepro32

Exports

Exports

Sections

.text Size: 780KB - Virtual size: 777KB

.rdata Size: 440KB - Virtual size: 439KB

.data Size: 52KB - Virtual size: 314KB

.vmp0 Size: 1.4MB - Virtual size: 1.4MB

.vmp1 Size: 156KB - Virtual size: 153KB

.rsrc Size: 1.4MB - Virtual size: 1.4MB

e3493c33b4da4c9e132164b491c5d2cc

Code Sign

79:a2:a5:85:f9:d1:15:42:13:d9:b8:3e:f6:b6:8d:edCertificate

Extended Key Usages

Key Usages

47:bf:19:95:df:8d:52:46:43:f7:db:6d:48:0d:31:a4Certificate

Extended Key Usages

Key Usages

1b:09:3b:78:60:96:da:37:bb:a4:51:94:46:c8:96:78Certificate

Key Usages

20:9e:74:6c:15:a8:5e:54:7a:fa:f6:a4:c3:27:7c:81Certificate

Extended Key Usages

Key Usages

52:00:e5:aa:25:56:fc:1a:86:ed:96:c9:d4:4b:33:c7Certificate

Extended Key Usages

Key Usages

48:46:3f:61:18:dc:9c:9b:07:6e:09:32:5b:4b:d9:b3:e1:3c:ed:49Signer

Headers

File Characteristics

Imports

kernel32

user32

Sections

79:a2:a5:85:f9:d1:15:42:13:d9:b8:3e:f6:b6:8d:ed
Certificate

47:bf:19:95:df:8d:52:46:43:f7:db:6d:48:0d:31:a4
Certificate

1b:09:3b:78:60:96:da:37:bb:a4:51:94:46:c8:96:78
Certificate

20:9e:74:6c:15:a8:5e:54:7a:fa:f6:a4:c3:27:7c:81
Certificate

52:00:e5:aa:25:56:fc:1a:86:ed:96:c9:d4:4b:33:c7
Certificate

3d:b8:05:75:b3:12:ab:21:2b:b4:99:ba:e6:a9:38:b2:cd:5c:fc:9c
Signer

.text
Size: 780KB - Virtual size: 777KB

.rdata
Size: 440KB - Virtual size: 439KB

.data
Size: 52KB - Virtual size: 314KB

.vmp0
Size: 1.4MB - Virtual size: 1.4MB

.vmp1
Size: 156KB - Virtual size: 153KB

.rsrc
Size: 1.4MB - Virtual size: 1.4MB

79:a2:a5:85:f9:d1:15:42:13:d9:b8:3e:f6:b6:8d:ed
Certificate

47:bf:19:95:df:8d:52:46:43:f7:db:6d:48:0d:31:a4
Certificate

1b:09:3b:78:60:96:da:37:bb:a4:51:94:46:c8:96:78
Certificate

20:9e:74:6c:15:a8:5e:54:7a:fa:f6:a4:c3:27:7c:81
Certificate

52:00:e5:aa:25:56:fc:1a:86:ed:96:c9:d4:4b:33:c7
Certificate

48:46:3f:61:18:dc:9c:9b:07:6e:09:32:5b:4b:d9:b3:e1:3c:ed:49
Signer

.text
Size: 24KB - Virtual size: 23KB

.rdata
Size: 4KB - Virtual size: 3KB

.data
Size: 12KB - Virtual size: 16KB

.rsrc
Size: 4KB - Virtual size: 2KB

.reloc
Size: 4KB - Virtual size: 3KB

.text
Size: 12KB - Virtual size: 10KB

.rdata
Size: 8KB - Virtual size: 4KB

.data
Size: 4KB - Virtual size: 7KB

.rsrc
Size: 8KB - Virtual size: 5KB

.reloc
Size: 4KB - Virtual size: 1KB

.text
Size: 112KB - Virtual size: 108KB

.data
Size: 4KB - Virtual size: 5KB

.rsrc
Size: 12KB - Virtual size: 8KB

.reloc
Size: 8KB - Virtual size: 7KB

.text
Size: 4KB - Virtual size: 3KB

.rdata
Size: 4KB - Virtual size: 2KB

.data
Size: 4KB - Virtual size: 4KB

.rsrc
Size: 4KB - Virtual size: 2KB

.reloc
Size: 4KB - Virtual size: 722B

UPX0
Size: - Virtual size: 672KB

UPX1
Size: 759KB - Virtual size: 760KB

.rsrc
Size: 50KB - Virtual size: 52KB

.text
Size: 736KB - Virtual size: 735KB

.rdata
Size: 84KB - Virtual size: 82KB

.data
Size: 36KB - Virtual size: 108KB

.rsrc
Size: 224KB - Virtual size: 223KB