4c0aa757592fb4013c385dbe819998c7_JaffaCakes118

Sharing

Copy URL Twitter E-mail

General

Target

4c0aa757592fb4013c385dbe819998c7_JaffaCakes118
Size

1.1MB
MD5

4c0aa757592fb4013c385dbe819998c7
SHA1

2beeecdbbb4a6c0236c453a2b5d667e3e8ddf65e
SHA256

6e50e51fe27f45fe6de13f7aa71eef6e7735b22dc4126ef4d56d9470219e4da2
SHA512

d1eb9dfcf8de969fb3a7aafcc92838d42a5c1b2f9a43c649a9e75e894ed17ab6dea3b6d0fd5c67a937d652c71a9afa7b026c7af9cc41a6784fc99a1c97188416
SSDEEP

24576:mI7rhi3/QahDGEVPZTALUYTeNI2QO4hsPaTGERsOwrIJ6WoDd4+57zj:zhi3/Q+DFMTYIc4lAU+J

Score

3^/10

Malware Config

Signatures

Unsigned PE 5 IoCs

Checks for missing Authenticode signature.

resource
4c0aa757592fb4013c385dbe819998c7_JaffaCakes118
unpack001/$PLUGINSDIR/System.dll
unpack001/$PLUGINSDIR/nsDialogs.dll
unpack001/VChatApp.exe
unpack001/VRSupport5.exe

NSIS installer 2 IoCs

installer

resource	yara_rule
sample	nsis_installer_1
sample	nsis_installer_2

Files

4c0aa757592fb4013c385dbe819998c7_JaffaCakes118
.exe windows:4 windows x86 arch:x86

57e98d9a5a72c8d7ad8fb7a6a58b3daf

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
IMAGE_DLLCHARACTERISTICS_NX_COMPAT
IMAGE_DLLCHARACTERISTICS_NO_SEH
IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE

File Characteristics

IMAGE_FILE_RELOCS_STRIPPED
IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LINE_NUMS_STRIPPED
IMAGE_FILE_LOCAL_SYMS_STRIPPED
IMAGE_FILE_32BIT_MACHINE

Imports

kernel32

SetEnvironmentVariableA
CreateFileA
GetFileSize
GetModuleFileNameA
ReadFile
GetCurrentProcess
CopyFileA
Sleep
GetTickCount
GetWindowsDirectoryA
GetTempPathA
GetCommandLineA
lstrlenA
GetVersion
SetErrorMode
lstrcpynA
ExitProcess
SetCurrentDirectoryA
GlobalLock
CreateThread
GetLastError
CreateDirectoryA
CreateProcessA
RemoveDirectoryA
GetTempFileNameA
WriteFile
lstrcpyA
MoveFileExA
lstrcatA
GetSystemDirectoryA
GetProcAddress
GetExitCodeProcess
WaitForSingleObject
CompareFileTime
SetFileAttributesA
GetFileAttributesA
GetShortPathNameA
MoveFileA
GetFullPathNameA
SetFileTime
SearchPathA
CloseHandle
lstrcmpiA
GlobalUnlock
GetDiskFreeSpaceA
lstrcmpA
FindFirstFileA
FindNextFileA
DeleteFileA
SetFilePointer
GetPrivateProfileStringA
FindClose
MultiByteToWideChar
FreeLibrary
MulDiv
WritePrivateProfileStringA
LoadLibraryExA
GetModuleHandleA
GlobalAlloc
GlobalFree
ExpandEnvironmentStringsA

user32

ScreenToClient
GetSystemMenu
SetClassLongA
IsWindowEnabled
SetWindowPos
GetSysColor
GetWindowLongA
SetCursor
LoadCursorA
CheckDlgButton
GetMessagePos
LoadBitmapA
CallWindowProcA
IsWindowVisible
CloseClipboard
SetClipboardData
EmptyClipboard
PostQuitMessage
GetWindowRect
EnableMenuItem
CreatePopupMenu
GetSystemMetrics
SetDlgItemTextA
GetDlgItemTextA
MessageBoxIndirectA
CharPrevA
DispatchMessageA
PeekMessageA
ReleaseDC
EnableWindow
InvalidateRect
SendMessageA
DefWindowProcA
BeginPaint
GetClientRect
FillRect
DrawTextA
EndDialog
RegisterClassA
SystemParametersInfoA
CreateWindowExA
GetClassInfoA
DialogBoxParamA
CharNextA
ExitWindowsEx
GetDC
CreateDialogParamA
SetTimer
GetDlgItem
SetWindowLongA
SetForegroundWindow
LoadImageA
IsWindow
SendMessageTimeoutA
FindWindowExA
OpenClipboard
TrackPopupMenu
AppendMenuA
EndPaint
DestroyWindow
wsprintfA
ShowWindow
SetWindowTextA

gdi32

SelectObject
SetBkMode
CreateFontIndirectA
SetTextColor
DeleteObject
GetDeviceCaps
CreateBrushIndirect
SetBkColor

shell32

SHGetSpecialFolderLocation
ShellExecuteExA
SHGetPathFromIDListA
SHBrowseForFolderA
SHGetFileInfoA
SHFileOperationA

advapi32

AdjustTokenPrivileges
RegCreateKeyExA
RegOpenKeyExA
SetFileSecurityA
OpenProcessToken
LookupPrivilegeValueA
RegEnumValueA
RegDeleteKeyA
RegDeleteValueA
RegCloseKey
RegSetValueExA
RegQueryValueExA
RegEnumKeyA

comctl32

ImageList_Create
ImageList_AddMasked
ImageList_Destroy
ord17

ole32

OleUninitialize
OleInitialize
CoTaskMemFree
CoCreateInstance

Sections

.text
Size: 24KB - Virtual size: 24KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rdata
Size: 5KB - Virtual size: 4KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.data
Size: 1024B - Virtual size: 106KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.ndata
Size: - Virtual size: 68KB

IMAGE_SCN_CNT_UNINITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.rsrc
Size: 17KB - Virtual size: 16KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
$PLUGINSDIR/System.dll
.dll windows:4 windows x86 arch:x86

8c8a576201f68de1a3f26fc723b9f30f

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
IMAGE_DLLCHARACTERISTICS_NX_COMPAT
IMAGE_DLLCHARACTERISTICS_NO_SEH
IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LINE_NUMS_STRIPPED
IMAGE_FILE_LOCAL_SYMS_STRIPPED
IMAGE_FILE_LARGE_ADDRESS_AWARE
IMAGE_FILE_32BIT_MACHINE
IMAGE_FILE_DLL

Imports

kernel32

MultiByteToWideChar
GlobalFree
GlobalSize
lstrcpynA
lstrcpyA
GetProcAddress
VirtualFree
FreeLibrary
lstrlenA
LoadLibraryA
GetModuleHandleA
GlobalAlloc
WideCharToMultiByte
VirtualAlloc
VirtualProtect
GetLastError

user32

wsprintfA

ole32

StringFromGUID2
CLSIDFromString

Exports

Exports

Alloc
Call
Copy
Free
Get
Int64Op
Store
StrAlloc

Sections

.text
Size: 8KB - Virtual size: 7KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rdata
Size: 1024B - Virtual size: 867B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.data
Size: 512B - Virtual size: 104B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.reloc
Size: 1024B - Virtual size: 636B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ
$PLUGINSDIR/modern-wizard.bmp
$PLUGINSDIR/nsDialogs.dll
.dll windows:4 windows x86 arch:x86

ebc2d915841be8afc8fa1ee9f6850960

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
IMAGE_DLLCHARACTERISTICS_NX_COMPAT
IMAGE_DLLCHARACTERISTICS_NO_SEH
IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LINE_NUMS_STRIPPED
IMAGE_FILE_LOCAL_SYMS_STRIPPED
IMAGE_FILE_LARGE_ADDRESS_AWARE
IMAGE_FILE_32BIT_MACHINE
IMAGE_FILE_DLL

Imports

kernel32

GetFileAttributesA
lstrcpyA
MulDiv
lstrlenA
HeapFree
GetCurrentDirectoryA
lstrcmpiA
GetProcessHeap
HeapReAlloc
GlobalFree
lstrcpynA
GlobalAlloc
SetCurrentDirectoryA
HeapAlloc

user32

DestroyWindow
CallWindowProcA
SetCursor
LoadCursorA
GetPropA
CharPrevA
DrawFocusRect
GetWindowLongA
DrawTextA
GetClientRect
SetWindowLongA
GetDlgItem
GetSysColor
SetWindowPos
CreateDialogParamA
MapDialogRect
GetWindowRect
SetPropA
CreateWindowExA
IsWindow
SetTimer
KillTimer
DispatchMessageA
TranslateMessage
GetMessageA
IsDialogMessageA
ShowWindow
wsprintfA
CharNextA
SendMessageA
MapWindowPoints
RemovePropA
GetWindowTextA

gdi32

SetTextColor

shell32

SHBrowseForFolderA
SHGetPathFromIDListA

comdlg32

GetSaveFileNameA
GetOpenFileNameA
CommDlgExtendedError

ole32

CoTaskMemFree

Exports

Exports

Create
CreateControl
CreateItem
CreateTimer
GetUserData
KillTimer
OnBack
OnChange
OnClick
OnNotify
SelectFileDialog
SelectFolderDialog
SetRTL
SetUserData
Show

Sections

.text
Size: 4KB - Virtual size: 4KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rdata
Size: 2KB - Virtual size: 1KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.data
Size: 512B - Virtual size: 4KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.rsrc
Size: 512B - Virtual size: 152B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.reloc
Size: 1024B - Virtual size: 628B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ
LICENSE.txt
VChatApp.exe
.exe windows:4 windows x86 arch:x86

143463c0a3a7f388cd4453efe6d517ae

Headers

File Characteristics

IMAGE_FILE_RELOCS_STRIPPED
IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LINE_NUMS_STRIPPED
IMAGE_FILE_LOCAL_SYMS_STRIPPED
IMAGE_FILE_32BIT_MACHINE

Imports

msvbvm60

__vbaVarTstGt
__vbaVarSub
ord690
__vbaStrI2
_CIcos
_adj_fptan
__vbaHresultCheck
__vbaStrI4
__vbaVarMove
__vbaVarVargNofree
__vbaFreeVar
__vbaAryMove
__vbaLineInputStr
__vbaLateIdCall
__vbaLenBstr
__vbaStrVarMove
ord696
__vbaFreeVarList
_adj_fdiv_m64
ord698
ord512
__vbaNextEachVar
ord621
__vbaFreeObjList
ord516
__vbaVarIndexLoadRef
ord517
__vbaStrErrVarCopy
_adj_fprem1
__vbaRecAnsiToUni
ord518
ord519
ord628
__vbaVarCmpNe
__vbaStrCat
ord553
__vbaLsetFixstr
ord661
__vbaSetSystemError
__vbaHresultCheckObj
__vbaLenBstrB
ord557
__vbaLenVar
__vbaVargVarCopy
_adj_fdiv_m32
__vbaAryVar
__vbaAryDestruct
ord591
__vbaVarIndexLoadRefLock
__vbaLateMemSt
__vbaExitProc
ord300
ord595
__vbaObjSet
__vbaOnError
_adj_fdiv_m16i
__vbaObjSetAddref
_adj_fdivr_m16i
__vbaVarIndexLoad
ord598
ord306
__vbaStrFixstr
ord520
__vbaRefVarAry
__vbaVarTstLt
__vbaBoolVarNull
_CIsin
ord631
__vbaErase
ord525
ord632
__vbaVargVarMove
__vbaVarCmpGt
__vbaChkstk
__vbaFileClose
EVENT_SINK_AddRef
__vbaGenerateBoundsError
__vbaStrCmp
__vbaVarTstEq
ord560
__vbaObjVar
__vbaI2I4
DllFunctionCall
__vbaVarOr
ord670
ord563
ord564
__vbaCastObjVar
__vbaLbound
__vbaRedimPreserve
_adj_fpatan
__vbaR4Var
__vbaLateIdCallLd
__vbaRedim
__vbaRecUniToAnsi
EVENT_SINK_Release
__vbaNew
ord600
ord601
_CIsqrt
__vbaVarAnd
__vbaObjIs
EVENT_SINK_QueryInterface
__vbaExceptHandler
ord711
ord712
__vbaStrToUnicode
__vbaDateStr
ord606
_adj_fprem
_adj_fdivr_m64
ord607
ord608
ord716
__vbaFPException
__vbaInStrVar
__vbaUbound
__vbaStrVarVal
__vbaVarCat
__vbaI2Var
__vbaMidStmtBstrB
ord537
ord644
ord645
_CIlog
__vbaErrorOverflow
__vbaFileOpen
__vbaVarLateMemCallLdRf
ord648
ord570
__vbaNew2
__vbaVar2Vec
__vbaInStr
_adj_fdiv_m32i
_adj_fdivr_m32i
__vbaVarSetObj
ord573
__vbaStrCopy
__vbaI4Str
ord681
__vbaVarCmpLt
__vbaFreeStrList
_adj_fdivr_m32
_adj_fdiv_r
ord685
ord100
__vbaVarTstNe
__vbaI4Var
ord689
__vbaVarCmpEq
ord610
__vbaVarAdd
__vbaLateMemCall
__vbaAryLock
__vbaStrToAnsi
__vbaVarDup
__vbaVarTstGe
__vbaVarLateMemCallLd
__vbaFpI4
ord616
__vbaVarCopy
__vbaLateMemCallLd
ord617
_CIatan
__vbaAryCopy
__vbaCastObj
__vbaStrMove
ord618
__vbaForEachVar
ord619
__vbaStrVarCopy
ord650
_allmul
__vbaLenVarB
_CItan
ord546
__vbaAryUnlock
_CIexp
__vbaFreeStr
__vbaFreeObj
ord581

Sections

.text
Size: 152KB - Virtual size: 148KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.data
Size: 4KB - Virtual size: 4KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.rsrc
Size: 24KB - Virtual size: 22KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
VRSupport5.exe
.exe windows:4 windows x86 arch:x86

d2c2a0f8dce4d9e07a4a61c24b6de4db

Headers

File Characteristics

IMAGE_FILE_RELOCS_STRIPPED
IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LINE_NUMS_STRIPPED
IMAGE_FILE_LOCAL_SYMS_STRIPPED
IMAGE_FILE_32BIT_MACHINE

Imports

msvbvm60

ord690
__vbaStrI2
_CIcos
_adj_fptan
__vbaStrI4
__vbaVarMove
__vbaVarVargNofree
__vbaAryMove
__vbaFreeVar
__vbaLenBstr
__vbaStrVarMove
__vbaLineInputStr
__vbaFreeVarList
_adj_fdiv_m64
ord512
__vbaFreeObjList
ord516
__vbaStrErrVarCopy
_adj_fprem1
__vbaRecAnsiToUni
ord518
ord519
ord628
__vbaVarCmpNe
__vbaStrCat
__vbaLsetFixstr
ord660
ord661
__vbaSetSystemError
__vbaLenBstrB
__vbaHresultCheckObj
ord662
ord557
__vbaVargVarCopy
_adj_fdiv_m32
__vbaAryVar
__vbaAryDestruct
__vbaExitProc
ord300
__vbaOnError
__vbaObjSet
ord595
_adj_fdiv_m16i
ord303
__vbaObjSetAddref
_adj_fdivr_m16i
ord598
ord306
__vbaStrFixstr
ord520
ord309
__vbaFpR8
__vbaBoolVarNull
_CIsin
__vbaErase
ord631
ord632
ord525
__vbaChkstk
__vbaFileClose
EVENT_SINK_AddRef
__vbaGenerateBoundsError
__vbaStrCmp
__vbaVarTstEq
__vbaI2I4
DllFunctionCall
ord563
__vbaLbound
__vbaRedimPreserve
_adj_fpatan
__vbaStrR8
__vbaRedim
__vbaRecUniToAnsi
EVENT_SINK_Release
__vbaNew
ord600
_CIsqrt
__vbaVarAnd
EVENT_SINK_QueryInterface
__vbaExceptHandler
ord711
ord712
__vbaStrToUnicode
ord606
__vbaDateStr
_adj_fprem
_adj_fdivr_m64
__vbaFPException
__vbaUbound
__vbaStrVarVal
ord534
__vbaVarCat
__vbaDateVar
__vbaMidStmtBstrB
ord537
ord644
ord645
_CIlog
__vbaErrorOverflow
__vbaFileOpen
__vbaVar2Vec
__vbaNew2
__vbaInStr
_adj_fdiv_m32i
_adj_fdivr_m32i
__vbaStrCopy
__vbaFreeStrList
_adj_fdivr_m32
_adj_fdiv_r
ord685
ord100
__vbaI4Var
ord689
ord610
__vbaAryLock
__vbaVarDup
__vbaStrToAnsi
__vbaVarCopy
__vbaVarTstGe
ord616
ord617
_CIatan
ord618
__vbaStrMove
__vbaAryCopy
__vbaCastObj
__vbaStrVarCopy
ord650
_allmul
_CItan
ord546
__vbaAryUnlock
_CIexp
__vbaFreeStr
__vbaFreeObj
ord581

Sections

.text
Size: 144KB - Virtual size: 143KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.data
Size: 4KB - Virtual size: 7KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.rsrc
Size: 28KB - Virtual size: 24KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
msg.wav
screenhooks32.dll
.dll windows:5 windows x86 arch:x86

0101d2319e8d5729b16442497b88c849

Code Sign

7e:93:eb:fb:7c:c6:4e:59:ea:4b:9a:77:d4:06:fc:3b
Certificate

Issuer

CN=Thawte Timestamping CA,OU=Thawte Certification,O=Thawte,L=Durbanville,ST=Western Cape,C=ZA

Not Before

21/12/2012, 00:00

Not After

30/12/2020, 23:59

Subject

CN=Symantec Time Stamping Services CA - G2,O=Symantec Corporation,C=US

Extended Key Usages

ExtKeyUsageTimeStamping

Key Usages

KeyUsageCertSign
KeyUsageCRLSign

2e:f2:be:0c:29:bd:08:b9:57:17:2f:ed:0b:e6:a0:36
Certificate

Issuer

CN=Thawte Code Signing CA - G2,O=Thawte\, Inc.,C=US

Not Before

27/03/2013, 00:00

Not After

29/03/2014, 23:59

Subject

CN=GlavSoft LLC.,O=GlavSoft LLC.,L=Tomsk,ST=Tomsk,C=RU

Extended Key Usages

ExtKeyUsageCodeSigning
ExtKeyUsageMicrosoftCommercialCodeSigning

47:97:4d:78:73:a5:bc:ab:0d:2f:b3:70:19:2f:ce:5e
Certificate

Issuer

CN=thawte Primary Root CA,OU=Certification Services Division+OU=(c) 2006 thawte\, Inc. - For authorized use only,O=thawte\, Inc.,C=US

Not Before

08/02/2010, 00:00

Not After

07/02/2020, 23:59

Subject

CN=Thawte Code Signing CA - G2,O=Thawte\, Inc.,C=US

Extended Key Usages

ExtKeyUsageClientAuth
ExtKeyUsageCodeSigning

Key Usages

KeyUsageCertSign
KeyUsageCRLSign

0e:cf:f4:38:c8:fe:bf:35:6e:04:d8:6a:98:1b:1a:50
Certificate

Issuer

CN=Symantec Time Stamping Services CA - G2,O=Symantec Corporation,C=US

Not Before

18/10/2012, 00:00

Not After

29/12/2020, 23:59

Subject

CN=Symantec Time Stamping Services Signer - G4,O=Symantec Corporation,C=US

Extended Key Usages

ExtKeyUsageTimeStamping

Key Usages

KeyUsageDigitalSignature

96:ed:cf:f8:57:52:27:23:d1:ad:18:b1:e1:13:2c:a4:83:0a:df:88
Signer

Actual PE Digest

96:ed:cf:f8:57:52:27:23:d1:ad:18:b1:e1:13:2c:a4:83:0a:df:88

Digest Algorithm

sha1

PE Digest Matches

true

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
IMAGE_DLLCHARACTERISTICS_NX_COMPAT

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_32BIT_MACHINE
IMAGE_FILE_DLL

PDB Paths

Y:\build\tightvnc-2.7.10\Release\screenhooks32.pdb

Imports

user32

RegisterWindowMessageW
ClientToScreen
GetWindowRect
PostMessageW
CallNextHookEx
GetClientRect
SetWindowsHookExW
UnhookWindowsHookEx
GetSystemMetrics

kernel32

GetEnvironmentStrings
LCMapStringW
LCMapStringA
GetStringTypeW
MultiByteToWideChar
TerminateProcess
GetCurrentProcess
UnhandledExceptionFilter
SetUnhandledExceptionFilter
IsDebuggerPresent
GetCurrentThreadId
GetCommandLineA
GetLastError
HeapFree
HeapAlloc
HeapReAlloc
RaiseException
RtlUnwind
GetModuleHandleW
GetProcAddress
TlsGetValue
TlsAlloc
TlsSetValue
TlsFree
InterlockedIncrement
SetLastError
InterlockedDecrement
Sleep
ExitProcess
SetHandleCount
GetStdHandle
GetFileType
GetStartupInfoA
DeleteCriticalSection
GetModuleFileNameA
FreeEnvironmentStringsA
FreeEnvironmentStringsW
WideCharToMultiByte
GetEnvironmentStringsW
HeapCreate
HeapDestroy
VirtualFree
QueryPerformanceCounter
GetTickCount
GetCurrentProcessId
GetSystemTimeAsFileTime
LeaveCriticalSection
EnterCriticalSection
VirtualAlloc
WriteFile
GetCPInfo
GetACP
GetOEMCP
IsValidCodePage
HeapSize
LoadLibraryA
InitializeCriticalSectionAndSpinCount
GetLocaleInfoA
GetStringTypeA

Exports

Exports

setHook
unsetHook

Sections

.text
Size: 40KB - Virtual size: 39KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rdata
Size: 13KB - Virtual size: 12KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.data
Size: 3KB - Virtual size: 6KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.shared
Size: 512B - Virtual size: 16B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.rsrc
Size: 1KB - Virtual size: 1KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.reloc
Size: 5KB - Virtual size: 5KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ
tvnserver.exe
.exe windows:5 windows x86 arch:x86

b3c6e6dc14f762fa69b3e08bc6eec76e

Code Sign

7e:93:eb:fb:7c:c6:4e:59:ea:4b:9a:77:d4:06:fc:3b
Certificate

Issuer

CN=Thawte Timestamping CA,OU=Thawte Certification,O=Thawte,L=Durbanville,ST=Western Cape,C=ZA

Not Before

21/12/2012, 00:00

Not After

30/12/2020, 23:59

Subject

CN=Symantec Time Stamping Services CA - G2,O=Symantec Corporation,C=US

Extended Key Usages

ExtKeyUsageTimeStamping

Key Usages

KeyUsageCertSign
KeyUsageCRLSign

2e:f2:be:0c:29:bd:08:b9:57:17:2f:ed:0b:e6:a0:36
Certificate

Issuer

CN=Thawte Code Signing CA - G2,O=Thawte\, Inc.,C=US

Not Before

27/03/2013, 00:00

Not After

29/03/2014, 23:59

Subject

CN=GlavSoft LLC.,O=GlavSoft LLC.,L=Tomsk,ST=Tomsk,C=RU

Extended Key Usages

ExtKeyUsageCodeSigning
ExtKeyUsageMicrosoftCommercialCodeSigning

47:97:4d:78:73:a5:bc:ab:0d:2f:b3:70:19:2f:ce:5e
Certificate

Issuer

CN=thawte Primary Root CA,OU=Certification Services Division+OU=(c) 2006 thawte\, Inc. - For authorized use only,O=thawte\, Inc.,C=US

Not Before

08/02/2010, 00:00

Not After

07/02/2020, 23:59

Subject

CN=Thawte Code Signing CA - G2,O=Thawte\, Inc.,C=US

Extended Key Usages

ExtKeyUsageClientAuth
ExtKeyUsageCodeSigning

Key Usages

KeyUsageCertSign
KeyUsageCRLSign

0e:cf:f4:38:c8:fe:bf:35:6e:04:d8:6a:98:1b:1a:50
Certificate

Issuer

CN=Symantec Time Stamping Services CA - G2,O=Symantec Corporation,C=US

Not Before

18/10/2012, 00:00

Not After

29/12/2020, 23:59

Subject

CN=Symantec Time Stamping Services Signer - G4,O=Symantec Corporation,C=US

Extended Key Usages

ExtKeyUsageTimeStamping

Key Usages

KeyUsageDigitalSignature

f6:fa:b8:80:30:37:88:6e:88:a3:7c:45:57:92:77:99:21:c4:52:11
Signer

Actual PE Digest

f6:fa:b8:80:30:37:88:6e:88:a3:7c:45:57:92:77:99:21:c4:52:11

Digest Algorithm

sha1

PE Digest Matches

true

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
IMAGE_DLLCHARACTERISTICS_NX_COMPAT
IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_32BIT_MACHINE

PDB Paths

Y:\build\tightvnc-2.7.10\Release\tvnserver.pdb

Imports

psapi

GetModuleFileNameExW

kernel32

QueryPerformanceCounter
GlobalUnlock
SetNamedPipeHandleState
CreatePipe
SetHandleInformation
DeleteFileW
FindNextFileW
RemoveDirectoryW
FindClose
MoveFileW
SetFileTime
CreateDirectoryW
GetLogicalDriveStringsW
SetErrorMode
FindFirstFileW
GetFileSizeEx
GetLocalTime
FileTimeToSystemTime
SystemTimeToFileTime
SetEnvironmentVariableA
CompareStringW
CompareStringA
FlushFileBuffers
CreateFileA
WriteConsoleW
GetConsoleOutputCP
WriteConsoleA
SetStdHandle
GetConsoleMode
GetConsoleCP
SetFilePointer
GlobalAlloc
GetLocaleInfoA
GetStringTypeW
GetStringTypeA
MultiByteToWideChar
WideCharToMultiByte
LCMapStringA
RtlUnwind
InitializeCriticalSectionAndSpinCount
LoadLibraryA
HeapReAlloc
VirtualAlloc
LCMapStringW
IsValidCodePage
GetOEMCP
GetACP
GetCPInfo
RaiseException
HeapAlloc
GetTickCount
VirtualFree
HeapCreate
GetStartupInfoA
GetFileType
SetHandleCount
GetCommandLineW
GetEnvironmentStringsW
FreeEnvironmentStringsW
GetModuleFileNameA
GetStdHandle
ExitProcess
HeapSize
InterlockedDecrement
SetLastError
InterlockedIncrement
TlsFree
GlobalLock
DisconnectNamedPipe
LocalAlloc
ReadFile
WriteFile
GetOverlappedResult
CreateNamedPipeW
ConnectNamedPipe
CreateFileMappingW
UnmapViewOfFile
OpenThread
OpenProcess
DuplicateHandle
WaitForMultipleObjects
TerminateProcess
GetExitCodeProcess
CreateProcessW
GetProcAddress
LoadLibraryW
FreeLibrary
GetModuleFileNameW
GetVersionExW
GetComputerNameW
CreateEventW
SetEvent
FormatMessageW
LocalFree
CreateThread
GetModuleHandleA
ResumeThread
ReleaseMutex
GetLastError
WaitForSingleObject
CreateMutexW
DeleteCriticalSection
EnterCriticalSection
LeaveCriticalSection
InitializeCriticalSection
GetModuleHandleW
ProcessIdToSessionId
Sleep
GetCurrentProcessId
CloseHandle
GetCurrentThreadId
CreateFileW
GetCurrentProcess
SetUnhandledExceptionFilter
LockResource
LoadResource
FindResourceW
FreeResource
MapViewOfFile
TlsSetValue
TlsAlloc
TlsGetValue
HeapFree
GetSystemTimeAsFileTime
IsDebuggerPresent
UnhandledExceptionFilter
GetStartupInfoW

user32

MapVirtualKeyW
GetKeyState
GetKeyboardLayout
ToUnicodeEx
EnumDisplayMonitors
GetClientRect
VkKeyScanExW
UnregisterClassW
EnumChildWindows
MapWindowPoints
MoveWindow
GetDlgItem
KillTimer
SetTimer
SendMessageW
IsWindow
RegisterWindowMessageW
LoadIconW
MessageBoxW
DestroyIcon
TrackPopupMenu
GetSubMenu
LoadMenuW
GetCursorPos
RemoveMenu
SetMenuDefaultItem
EnumDisplayDevicesW
ChangeDisplaySettingsExW
EnumWindows
IsWindowVisible
DrawIconEx
GetIconInfo
GetCursorInfo
FindWindowExW
GetClassNameW
GetWindowInfo
GetDC
CloseClipboard
IsClipboardFormatAvailable
GetClipboardData
EmptyClipboard
ChangeClipboardChain
OpenClipboard
SetClipboardData
SetClipboardViewer
CallNextHookEx
WaitMessage
PeekMessageW
PostThreadMessageW
SetWindowsHookExW
UnhookWindowsHookEx
GetWindowRect
SendInput
GetSystemMetrics
GetWindowThreadProcessId
GetWindow
FindWindowW
LockWorkStation
ExitWindowsEx
SetProcessWindowStation
CloseWindowStation
OpenWindowStationW
SystemParametersInfoW
GetMessageW
PostQuitMessage
PostMessageW
TranslateMessage
IsDialogMessageW
CreateWindowExW
RegisterClassW
DefWindowProcW
DispatchMessageW
GetThreadDesktop
OpenInputDesktop
OpenDesktopW
CloseDesktop
SetThreadDesktop
GetUserObjectInformationW
SetForegroundWindow
SetFocus
GetForegroundWindow
InvalidateRect
GetWindowTextW
ShowWindow
SetWindowTextW
DestroyWindow
DialogBoxParamW
GetWindowLongW
SetClassLongW
SetWindowLongW
EndDialog
CreateDialogParamW

gdi32

CreateDCW
GetBitmapBits
GetObjectW
BitBlt
DeleteDC
CreateDIBSection
ExtEscape
CreateCompatibleDC
DeleteObject
GetCurrentObject
SelectObject
GetDIBits

advapi32

RegCreateKeyExW
SetEntriesInAclW
SetSecurityDescriptorDacl
InitializeSecurityDescriptor
ConvertStringSidToSidW
CopySid
GetTokenInformation
ImpersonateNamedPipeClient
RevertToSelf
ImpersonateLoggedOnUser
DuplicateToken
OpenThreadToken
DuplicateTokenEx
SetTokenInformation
CreateProcessAsUserW
OpenProcessToken
RegSetValueExW
RegCloseKey
RegDeleteValueW
RegDeleteKeyW
RegOpenKeyW
RegQueryValueExW
RegEnumKeyW
RegCreateKeyW
ControlService
QueryServiceStatusEx
StartServiceW
ChangeServiceConfig2W
OpenServiceW
OpenSCManagerW
DeleteService
CloseServiceHandle
CreateServiceW
RegisterServiceCtrlHandlerW
SetServiceStatus
StartServiceCtrlDispatcherW
SetSecurityInfo
ReportEventW
RegisterEventSourceW

shell32

CommandLineToArgvW
Shell_NotifyIconW
SHGetSpecialFolderPathW
ShellExecuteExW
ShellExecuteW
ord680

ws2_32

connect
select
getsockname
shutdown
setsockopt
recv
bind
socket
__WSAFDIsSet
closesocket
WSAGetLastError
listen
accept
gethostname
ntohl
htons
ntohs
gethostbyname
inet_ntoa
inet_addr
WSAStartup
send
WSACleanup
htonl

comctl32

InitCommonControlsEx

version

VerQueryValueW
GetFileVersionInfoW
GetFileVersionInfoSizeW

Sections

.text
Size: 775KB - Virtual size: 774KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rdata
Size: 747KB - Virtual size: 746KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.data
Size: 23KB - Virtual size: 94KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.rsrc
Size: 42KB - Virtual size: 42KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.reloc
Size: 56KB - Virtual size: 55KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ

Sharing

General

Malware Config

Signatures

Files

57e98d9a5a72c8d7ad8fb7a6a58b3daf

Headers

DLL Characteristics

File Characteristics

Imports

kernel32

user32

gdi32

shell32

advapi32

comctl32

ole32

Sections

.text Size: 24KB - Virtual size: 24KB

.rdata Size: 5KB - Virtual size: 4KB

.data Size: 1024B - Virtual size: 106KB

.ndata Size: - Virtual size: 68KB

.rsrc Size: 17KB - Virtual size: 16KB

8c8a576201f68de1a3f26fc723b9f30f

Headers

DLL Characteristics

File Characteristics

Imports

kernel32

user32

ole32

Exports

Exports

Sections

.text Size: 8KB - Virtual size: 7KB

.rdata Size: 1024B - Virtual size: 867B

.data Size: 512B - Virtual size: 104B

.reloc Size: 1024B - Virtual size: 636B

ebc2d915841be8afc8fa1ee9f6850960

Headers

DLL Characteristics

File Characteristics

Imports

kernel32

user32

gdi32

shell32

comdlg32

ole32

Exports

Exports

Sections

.text Size: 4KB - Virtual size: 4KB

.rdata Size: 2KB - Virtual size: 1KB

.data Size: 512B - Virtual size: 4KB

.rsrc Size: 512B - Virtual size: 152B

.reloc Size: 1024B - Virtual size: 628B

143463c0a3a7f388cd4453efe6d517ae

Headers

File Characteristics

Imports

msvbvm60

Sections

.text Size: 152KB - Virtual size: 148KB

.data Size: 4KB - Virtual size: 4KB

.rsrc Size: 24KB - Virtual size: 22KB

d2c2a0f8dce4d9e07a4a61c24b6de4db

Headers

File Characteristics

Imports

msvbvm60

Sections

.text Size: 144KB - Virtual size: 143KB

.data Size: 4KB - Virtual size: 7KB

.rsrc Size: 28KB - Virtual size: 24KB

0101d2319e8d5729b16442497b88c849

Code Sign

7e:93:eb:fb:7c:c6:4e:59:ea:4b:9a:77:d4:06:fc:3bCertificate

Extended Key Usages

Key Usages

.text
Size: 24KB - Virtual size: 24KB

.rdata
Size: 5KB - Virtual size: 4KB

.data
Size: 1024B - Virtual size: 106KB

.ndata
Size: - Virtual size: 68KB

.rsrc
Size: 17KB - Virtual size: 16KB

.text
Size: 8KB - Virtual size: 7KB

.rdata
Size: 1024B - Virtual size: 867B

.data
Size: 512B - Virtual size: 104B

.reloc
Size: 1024B - Virtual size: 636B

.text
Size: 4KB - Virtual size: 4KB

.rdata
Size: 2KB - Virtual size: 1KB

.data
Size: 512B - Virtual size: 4KB

.rsrc
Size: 512B - Virtual size: 152B

.reloc
Size: 1024B - Virtual size: 628B

.text
Size: 152KB - Virtual size: 148KB

.data
Size: 4KB - Virtual size: 4KB

.rsrc
Size: 24KB - Virtual size: 22KB

.text
Size: 144KB - Virtual size: 143KB

.data
Size: 4KB - Virtual size: 7KB

.rsrc
Size: 28KB - Virtual size: 24KB

7e:93:eb:fb:7c:c6:4e:59:ea:4b:9a:77:d4:06:fc:3b
Certificate

2e:f2:be:0c:29:bd:08:b9:57:17:2f:ed:0b:e6:a0:36
Certificate

47:97:4d:78:73:a5:bc:ab:0d:2f:b3:70:19:2f:ce:5e
Certificate

0e:cf:f4:38:c8:fe:bf:35:6e:04:d8:6a:98:1b:1a:50
Certificate

96:ed:cf:f8:57:52:27:23:d1:ad:18:b1:e1:13:2c:a4:83:0a:df:88
Signer

.text
Size: 40KB - Virtual size: 39KB

.rdata
Size: 13KB - Virtual size: 12KB

.data
Size: 3KB - Virtual size: 6KB

.shared
Size: 512B - Virtual size: 16B

.rsrc
Size: 1KB - Virtual size: 1KB

.reloc
Size: 5KB - Virtual size: 5KB

7e:93:eb:fb:7c:c6:4e:59:ea:4b:9a:77:d4:06:fc:3b
Certificate

2e:f2:be:0c:29:bd:08:b9:57:17:2f:ed:0b:e6:a0:36
Certificate

47:97:4d:78:73:a5:bc:ab:0d:2f:b3:70:19:2f:ce:5e
Certificate

0e:cf:f4:38:c8:fe:bf:35:6e:04:d8:6a:98:1b:1a:50
Certificate

f6:fa:b8:80:30:37:88:6e:88:a3:7c:45:57:92:77:99:21:c4:52:11
Signer

.text
Size: 775KB - Virtual size: 774KB

.rdata
Size: 747KB - Virtual size: 746KB

.data
Size: 23KB - Virtual size: 94KB

.rsrc
Size: 42KB - Virtual size: 42KB

.reloc
Size: 56KB - Virtual size: 55KB