dfshim[.]dll | Triage

Sharing

Copy URL Twitter E-mail

General

Target

dfshim.dll
Size

1.1MB
MD5

8580484193ce0a0788830fbab97cf13b
SHA1

a90288372d38cbfb8ef9492787dc722efd06afa2
SHA256

a1e5ff4d390576af8e5205361713f9e1f24db2eace18a355d7a9a27c9fbe5e79
SHA512

1dbda80e03262eb09a206340ca546d9f7812478e20983ba06e291859f0c6dafd09f5f6212d4affc177715f021eea6a9284a53070f1359a6ae84530772579eb1b
SSDEEP

12288:pY3gb3yC24AsoWXB3gc0ZqBurZo42wFxC6c3kIoDcdclu2eX3fmojY3cWuQTlXUK:pEC24OQ71oNXVTCnldclbeXyPTdU/DuR

Score

1^/10

Malware Config

Signatures

Files

dfshim.dll
.dll windows:5 windows x86 arch:x86

610e22ed90917f19fef70f5a47ad703d

Code Sign

33:00:00:00:4c:a1:e8:4d:cc:b4:74:7b:3b:00:00:00:00:00:4c
Certificate

Issuer

CN=Microsoft Time-Stamp PCA,O=Microsoft Corporation,L=Redmond,ST=Washington,C=US

Not Before

11/11/2013, 22:11

Not After

11/02/2015, 22:11

Subject

CN=Microsoft Time-Stamp Service,OU=MOPR+OU=nCipher DSE ESN:C0F4-3086-DEF8,O=Microsoft Corporation,L=Redmond,ST=Washington,C=US

Extended Key Usages

ExtKeyUsageTimeStamping

33:00:00:00:ca:6c:d5:32:12:35:c4:e1:55:00:01:00:00:00:ca
Certificate

Issuer

CN=Microsoft Code Signing PCA,O=Microsoft Corporation,L=Redmond,ST=Washington,C=US

Not Before

22/04/2014, 17:39

Not After

22/07/2015, 17:39

Subject

CN=Microsoft Corporation,OU=MOPR,O=Microsoft Corporation,L=Redmond,ST=Washington,C=US

Extended Key Usages

ExtKeyUsageCodeSigning

61:33:26:1a:00:00:00:00:00:31
Certificate

Issuer

CN=Microsoft Root Certificate Authority,0.9.2342.19200300.100.1.25=#13096d6963726f736f6674,0.9.2342.19200300.100.1.25=#1303636f6d

Not Before

31/08/2010, 22:19

Not After

31/08/2020, 22:29

Subject

CN=Microsoft Code Signing PCA,O=Microsoft Corporation,L=Redmond,ST=Washington,C=US

Key Usages

KeyUsageDigitalSignature
KeyUsageCertSign
KeyUsageCRLSign

61:16:68:34:00:00:00:00:00:1c
Certificate

Issuer

CN=Microsoft Root Certificate Authority,0.9.2342.19200300.100.1.25=#13096d6963726f736f6674,0.9.2342.19200300.100.1.25=#1303636f6d

Not Before

03/04/2007, 12:53

Not After

03/04/2021, 13:03

Subject

CN=Microsoft Time-Stamp PCA,O=Microsoft Corporation,L=Redmond,ST=Washington,C=US

Extended Key Usages

ExtKeyUsageTimeStamping

Key Usages

KeyUsageDigitalSignature
KeyUsageCertSign
KeyUsageCRLSign

c8:e8:a7:6b:78:7f:d4:d7:35:54:fa:07:14:25:e3:2b:5e:04:b8:af
Signer

Actual PE Digest

c8:e8:a7:6b:78:7f:d4:d7:35:54:fa:07:14:25:e3:2b:5e:04:b8:af

Digest Algorithm

sha1

PE Digest Matches

true

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
IMAGE_DLLCHARACTERISTICS_NX_COMPAT

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_32BIT_MACHINE
IMAGE_FILE_DLL

PDB Paths

dfshim.pdb

Imports

ntdll

RtlUnwind

kernel32

TlsFree
ExitProcess
SetHandleCount
GetStdHandle
GetFileType
GetStartupInfoA
DeleteCriticalSection
GetModuleFileNameA
FreeEnvironmentStringsA
GetEnvironmentStrings
FreeEnvironmentStringsW
WideCharToMultiByte
GetEnvironmentStringsW
HeapCreate
HeapDestroy
VirtualFree
LeaveCriticalSection
EnterCriticalSection
GetCPInfo
GetACP
GetOEMCP
IsValidCodePage
VirtualAlloc
HeapReAlloc
WriteFile
IsDebuggerPresent
LoadLibraryA
InitializeCriticalSectionAndSpinCount
GetLocaleInfoA
GetStringTypeA
MultiByteToWideChar
GetStringTypeW
LCMapStringA
LCMapStringW
HeapSize
TlsAlloc
TlsGetValue
GetModuleHandleW
GetCommandLineA
SetUnhandledExceptionFilter
UnhandledExceptionFilter
GetCurrentProcess
TerminateProcess
GetSystemTimeAsFileTime
GetCurrentProcessId
GetCurrentThreadId
GetTickCount
QueryPerformanceCounter
GetVersion
GetModuleFileNameW
SetLastError
InterlockedCompareExchange
LoadLibraryExW
FreeLibrary
GetProcAddress
GetEnvironmentVariableA
GetVersionExA
CreateMutexA
CreateMutexW
CloseHandle
ReleaseMutex
WaitForSingleObject
AreFileApisANSI
GetModuleHandleA
LoadLibraryExA
FindClose
CreateDirectoryW
CreateDirectoryA
CreateFileW
CreateFileA
DeleteFileW
DeleteFileA
SetFileAttributesW
SetFileAttributesA
CopyFileW
CopyFileA
GetFileAttributesW
GetFileAttributesA
RemoveDirectoryW
RemoveDirectoryA
GetFullPathNameW
GetFullPathNameA
GetFileInformationByHandle
ReadFile
FindNextFileW
FindNextFileA
FindFirstFileW
FindFirstFileA
SetEndOfFile
DebugBreak
RaiseException
OutputDebugStringA
GetProcessTimes
OpenProcess
lstrlenW
LoadLibraryW
SetFilePointer
GetSystemDirectoryA
GetFileSize
InitializeCriticalSection
GetConsoleCP
GetConsoleMode
SetStdHandle
WriteConsoleA
GetConsoleOutputCP
WriteConsoleW
FlushFileBuffers
GetLastError
InterlockedExchange
Sleep
HeapFree
GetProcessHeap
HeapAlloc
DisableThreadLibraryCalls
InterlockedIncrement
InterlockedDecrement
TlsSetValue

rpcrt4

UuidToStringW
RpcStringFreeW

ole32

CoTaskMemFree

shell32

SHParseDisplayName

mscoree

GetRequestedRuntimeInfo

urlmon

CoInternetCreateSecurityManager

version

GetFileVersionInfoSizeW
VerQueryValueW
GetFileVersionInfoW

shlwapi

SHStrDupW

advapi32

RegCreateKeyExW
RegSetValueExA
RegSetValueExW
RegQueryValueExA
RegQueryValueExW
RegEnumValueA
RegEnumValueW
RegEnumKeyExA
RegEnumKeyExW
RegOpenKeyExW
RegOpenKeyExA
RegDeleteKeyW
RegDeleteKeyA
RegDeleteValueW
RegDeleteValueA
RegQueryInfoKeyA
RegCloseKey
CryptGetHashParam
CryptCreateHash
CryptAcquireContextA
CryptHashData
CryptReleaseContext
CryptDestroyHash
CryptGenRandom
RegCreateKeyExA

Exports

Exports

CleanOnlineAppCache
CreateActContext
CreateCMSFromXml
DllCanUnloadNow
DllGetClassObject
GetCurrentActContext
GetDeploymentDataFromManifest
GetUserStateManager
GetUserStore
KillService
LaunchApplication
ParseManifest
ShArpMaintain
ShArpMaintainW
ShOpenVerbApplication
ShOpenVerbApplicationW
ShOpenVerbExtension
ShOpenVerbExtensionW
ShOpenVerbShortcut
ShOpenVerbShortcutW

Sections

.text
Size: 1013KB - Virtual size: 1013KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.data
Size: 20KB - Virtual size: 21KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.rsrc
Size: 33KB - Virtual size: 32KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.reloc
Size: 31KB - Virtual size: 30KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ

Sharing

General

Malware Config

Signatures

Files

610e22ed90917f19fef70f5a47ad703d

Code Sign

33:00:00:00:4c:a1:e8:4d:cc:b4:74:7b:3b:00:00:00:00:00:4cCertificate

Extended Key Usages

33:00:00:00:ca:6c:d5:32:12:35:c4:e1:55:00:01:00:00:00:caCertificate

Extended Key Usages

61:33:26:1a:00:00:00:00:00:31Certificate

Key Usages

61:16:68:34:00:00:00:00:00:1cCertificate

Extended Key Usages

Key Usages

c8:e8:a7:6b:78:7f:d4:d7:35:54:fa:07:14:25:e3:2b:5e:04:b8:afSigner

Headers

DLL Characteristics

File Characteristics

PDB Paths

Imports

ntdll

kernel32

rpcrt4

ole32

shell32

mscoree

urlmon

version

shlwapi

advapi32

Exports

Exports

Sections

.text Size: 1013KB - Virtual size: 1013KB

.data Size: 20KB - Virtual size: 21KB

.rsrc Size: 33KB - Virtual size: 32KB

.reloc Size: 31KB - Virtual size: 30KB

33:00:00:00:4c:a1:e8:4d:cc:b4:74:7b:3b:00:00:00:00:00:4c
Certificate

33:00:00:00:ca:6c:d5:32:12:35:c4:e1:55:00:01:00:00:00:ca
Certificate

61:33:26:1a:00:00:00:00:00:31
Certificate

61:16:68:34:00:00:00:00:00:1c
Certificate

c8:e8:a7:6b:78:7f:d4:d7:35:54:fa:07:14:25:e3:2b:5e:04:b8:af
Signer

.text
Size: 1013KB - Virtual size: 1013KB

.data
Size: 20KB - Virtual size: 21KB

.rsrc
Size: 33KB - Virtual size: 32KB

.reloc
Size: 31KB - Virtual size: 30KB