DEFCON[.]7z | Triage

Sharing

Copy URL Twitter E-mail

General

Target

DEFCON.7z
Size

1.5MB
MD5

a552186fdbdc2fa8ba5cf183ae967cec
SHA1

bb494d077280eeba4b4e2defc1ecd3ac3f34d6a5
SHA256

ccc437c938daba99287f887a7ad08358eba1d5392273981ab9b3e5c415124da6
SHA512

cd5ae08cb26fc735d4547993b0e20c6165d91291ad197e423689c3b842301e2f89dd4a6afbe81debcf85ef62379b1200e15349433de60327cf9aa0c33c79fb95
SSDEEP

24576:NeX1ScGjlqCX5V8M4fYwZlMZgIjw6VyEhkJFqcz5GIAoPfkbBkUCIhCipyEr41Q:Ncwl35VXLwZlMGKwwnkJFqcFG5oPfkV5

Score

3^/10

Malware Config

Signatures

Unsigned PE 1 IoCs

Checks for missing Authenticode signature.

resource
unpack001/Defcon/Defcon.exe

Files

DEFCON.7z
.7z

Password: cs.rin.ru
Defcon/Defcon.exe
.exe windows:5 windows x86 arch:x86

Password: cs.rin.ru

bbd4340e043a389e2ea700c3777596b3

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE

File Characteristics

IMAGE_FILE_RELOCS_STRIPPED
IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_32BIT_MACHINE

PDB Paths

c:\Development\Defcon\Defcon.pdb

Imports

wsock32

socket
closesocket
gethostbyname
gethostname
WSAStartup
htons
WSACleanup
sendto
getservbyname
ioctlsocket
getservbyport
gethostbyaddr
inet_addr
WSASetLastError
recvfrom
setsockopt
ntohs
bind
htonl
shutdown
send
__WSAFDIsSet
select
getsockname
WSAGetLastError
connect
inet_ntoa

opengl32

wglDeleteContext
glEnable
glGenTextures
glBindTexture
glTexParameteri
glTexImage2D
glDisable
glIsEnabled
glBegin
glTexCoord2f
glVertex2f
glEnd
glDeleteTextures
glDeleteLists
glGenLists
glMatrixMode
glLoadIdentity
glViewport
glBlendFunc
glHint
glClear
glDepthMask
glColor4ub
glGetIntegerv
glLineWidth
glScissor
glVertex2fv
glReadPixels
wglCreateContext
wglMakeCurrent
glFogf
glFogfv
glFogi
glNewList
glColor4f
glVertex3fv
glEndList
glCallList
glColor3ub
glVertex2i
glShadeModel
glColor4ubv
glFinish

glu32

gluPerspective
gluLookAt
gluOrtho2D
gluBuild2DMipmaps

dsound

ord11

kernel32

IsValidLocale
EnumSystemLocalesA
GetLocaleInfoA
GetUserDefaultLCID
GetDateFormatA
GetTimeFormatA
GetCurrentProcessId
GetEnvironmentStringsW
FreeEnvironmentStringsW
GetEnvironmentStrings
FreeEnvironmentStringsA
VirtualAlloc
VirtualFree
HeapDestroy
HeapCreate
GetConsoleCP
GetTimeZoneInformation
SetHandleCount
HeapSize
IsValidCodePage
GetOEMCP
GetACP
InitializeCriticalSectionAndSpinCount
FatalAppExitA
GetCurrentThreadId
SetLastError
TlsFree
GetStringTypeA
TlsAlloc
TlsGetValue
LCMapStringW
LCMapStringA
RaiseException
MoveFileA
RtlUnwind
GetStartupInfoA
GetCommandLineA
HeapAlloc
HeapReAlloc
IsDebuggerPresent
SetUnhandledExceptionFilter
UnhandledExceptionFilter
TerminateProcess
HeapFree
GetSystemTimeAsFileTime
ExitProcess
GetModuleHandleW
InterlockedCompareExchange
InterlockedExchange
InterlockedDecrement
InterlockedIncrement
GetVersionExA
FindFirstFileW
FindNextFileW
GetStringTypeW
GetLocaleInfoW
GetConsoleOutputCP
SetStdHandle
TlsSetValue
WriteConsoleW
CompareStringA
Sleep
OutputDebugStringA
IsBadWritePtr
IsBadReadPtr
QueryPerformanceFrequency
QueryPerformanceCounter
OpenFile
_lclose
DeleteFileA
InitializeCriticalSection
DeleteCriticalSection
EnterCriticalSection
LeaveCriticalSection
FreeLibrary
GetProcAddress
LoadLibraryA
GetSystemDirectoryA
FormatMessageA
CreateThread
GlobalLock
GlobalUnlock
WaitForSingleObject
CreateMutexA
ReleaseMutex
CloseHandle
GetTickCount
DebugBreak
FindFirstFileA
FindNextFileA
FindClose
GetCPInfo
IsDBCSLeadByte
MultiByteToWideChar
WideCharToMultiByte
GetModuleFileNameA
CreateDirectoryW
CreateDirectoryA
GetFullPathNameW
GetFullPathNameA
SetFileAttributesW
SetFileAttributesA
GetFileAttributesW
GetFileAttributesA
GetModuleHandleA
GetDiskFreeSpaceA
GetDriveTypeA
GetSystemTime
FileTimeToLocalFileTime
FileTimeToSystemTime
SystemTimeToFileTime
LocalFileTimeToFileTime
LocalFree
SetConsoleCtrlHandler
SetErrorMode
GetCurrentProcess
SetPriorityClass
GetCurrentThread
SetThreadPriority
GetConsoleMode
SetConsoleMode
ReadConsoleA
ReadFile
GetStdHandle
WriteFile
CompareStringW
SetEnvironmentVariableA
GetProcessHeap
RemoveDirectoryA
WriteConsoleA
CreateFileW
CreateFileA
GetFileType
GetFileTime
SetFileTime
SetEndOfFile
SetFilePointer
GetLastError
FlushFileBuffers
CreateEventA
WaitForMultipleObjects
SetEvent

user32

SetForegroundWindow
RegisterHotKey
SendMessageA
LoadIconA
SetWindowLongA
GetWindowLongA
UnregisterHotKey
PostQuitMessage
DefWindowProcA
EnumDisplaySettingsA
ChangeDisplaySettingsA
GetDC
ReleaseDC
LoadCursorA
RegisterClassA
AdjustWindowRect
SetFocus
GetWindowRect
CreateWindowExA
CharToOemBuffA
DestroyWindow
PeekMessageA
TranslateMessage
DispatchMessageA
GetClientRect
SetCursorPos
SetCapture
ReleaseCapture
OpenClipboard
IsClipboardFormatAvailable
GetClipboardData
CloseClipboard
GetForegroundWindow
ShowCursor
GetDesktopWindow
MessageBoxA
CharToOemA
OemToCharA
OemToCharBuffA
CharUpperA
CharLowerA
ShowWindow

gdi32

ChoosePixelFormat
GetStockObject
SwapBuffers
SetPixelFormat

shell32

Shell_NotifyIconA
ShellExecuteA

ole32

CoInitialize
CoUninitialize
CoCreateInstance

steam_api

SteamUtils
SteamAPI_RegisterCallback
SteamAPI_UnregisterCallback
SteamUserStats
SteamAPI_Init
SteamGameServer_Init
SteamGameServer_RunCallbacks
SteamUser
SteamAPI_RunCallbacks
SteamGameServer

advapi32

SetFileSecurityW
SetFileSecurityA
OpenProcessToken
LookupPrivilegeValueA
AdjustTokenPrivileges

Sections

.text
Size: 1.3MB - Virtual size: 1.3MB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rdata
Size: 326KB - Virtual size: 325KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.data
Size: 68KB - Virtual size: 145KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.rsrc
Size: 91KB - Virtual size: 91KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
Defcon/changes.txt
Defcon/main.dat
.rar

Password: cs.rin.ru
data/ambx/defcon_1.ambx
data/ambx/defcon_2.ambx
data/ambx/defcon_3.ambx
data/ambx/defcon_4.ambx
data/ambx/defcon_5.ambx
data/ambx/defcon_lobby.ambx
data/ambx/defcon_lobby_retract.ambx
data/ambx/defcon_onload.ambx
data/ambx/general_alert.ambx
data/critical_files.txt
data/earth/africa.bmp
data/earth/ai_markers.bmp
data/earth/cities.dat
data/earth/coastlines-low.dat
data/earth/coastlines.bmp
data/earth/coastlines.dat
data/earth/europe.bmp
data/earth/international.dat
data/earth/northamerica.bmp
data/earth/russia.bmp
data/earth/sailable.bmp
data/earth/southamerica.bmp
data/earth/southasia.bmp
data/earth/travel_nodes.bmp
data/effects.txt
data/fonts/bitlow.bmp
data/fonts/kremlin.bmp
data/fonts/lucon.bmp
data/fonts/zerothre.bmp
data/gameoptions.txt
data/graphics/actionline.bmp
data/graphics/airbase.bmp
data/graphics/airbase_blur.bmp
data/graphics/arrow.bmp
data/graphics/battleship.bmp
data/graphics/battleship_blur.bmp
data/graphics/blip.bmp
data/graphics/blur.bmp
data/graphics/bomber.bmp
data/graphics/bomber_blur.bmp
data/graphics/carrier.bmp
data/graphics/carrier_blur.bmp
data/graphics/city.bmp
data/graphics/cursor_selection.bmp
data/graphics/cursor_target.bmp
data/graphics/depthcharge.bmp
data/graphics/error.bmp
data/graphics/explosion.bmp
data/graphics/fighter.bmp
data/graphics/fighter_blur.bmp
data/graphics/fleet.bmp
data/graphics/laser.bmp
data/graphics/map.bmp
data/graphics/nuke.bmp
data/graphics/nuke_blur.bmp
data/graphics/nukesymbol.bmp
data/graphics/popbutton.bmp
data/graphics/population.bmp
data/graphics/radar.bmp
data/graphics/radarbutton.bmp
data/graphics/radarstation.bmp
data/graphics/radarstation_blur.bmp
data/graphics/sam.bmp
data/graphics/sam_blur.bmp
data/graphics/santa.bmp
data/graphics/saucer.bmp
data/graphics/silo.bmp
data/graphics/silo_blur.bmp
data/graphics/smallbomber.bmp
data/graphics/smallfighter.bmp
data/graphics/smallnuke.bmp
data/graphics/sub.bmp
data/graphics/sub_blur.bmp
data/graphics/sub_surfaced.bmp
data/graphics/sub_surfaced_blur.bmp
data/graphics/targetcursor.bmp
data/graphics/territory.bmp
data/graphics/tornado.bmp
data/graphics/units.bmp
data/graphics/water.bmp
data/graphics/water_shaded.bmp
data/gui/ambrosia.bmp
data/gui/arrow.bmp
data/gui/demo.bmp
data/gui/introversion.bmp
data/gui/lmb.bmp
data/gui/locked.bmp
data/gui/mouse.bmp
data/gui/move.bmp
data/gui/pen.bmp
data/gui/resize_h.bmp
data/gui/resize_hv.bmp
data/gui/resize_v.bmp
data/gui/rmb.bmp
data/gui/tb_alliances.bmp
data/gui/tb_board.bmp
data/gui/tb_comms.bmp
data/gui/tb_eraseall.bmp
data/gui/tb_info.bmp
data/gui/tb_nukes.bmp
data/gui/tb_orders.bmp
data/gui/tb_planning.bmp
data/gui/tb_population.bmp
data/gui/tb_radar.bmp
data/gui/tb_scores.bmp
data/gui/tb_showall.bmp
data/gui/tb_territory.bmp
data/gui/tb_units.bmp
data/gui/tick.bmp
data/language/english.txt
data/language/french.txt
data/language/german.txt
data/language/italian.txt
data/language/spanish.txt
data/prefs_default.txt
data/prefs_default_french.txt
data/prefs_default_macosx.txt
data/prefs_testbed.txt
data/sounds.txt
data/sounds_minimal.txt
data/sounds_nosound.txt
data/styles/blue.txt
data/styles/default.txt
data/styles/green.txt
data/styles/light.txt
data/styles/red.txt
data/tutorial.txt
data/world.dat
Defcon/steam_api.dll
.dll windows:5 windows x86 arch:x86

Password: cs.rin.ru

203e2da973611c33e4bbe741dfe9aaa6

Code Sign

70:ba:e4:1d:10:d9:29:34:b6:38:ca:7b:03:cc:ba:bf
Certificate

Issuer

OU=Class 3 Public Primary Certification Authority,O=VeriSign\, Inc.,C=US

Not Before

29/01/1996, 00:00

Not After

01/08/2028, 23:59

Subject

OU=Class 3 Public Primary Certification Authority,O=VeriSign\, Inc.,C=US

79:a2:a5:85:f9:d1:15:42:13:d9:b8:3e:f6:b6:8d:ed
Certificate

Issuer

CN=VeriSign Time Stamping Services CA,O=VeriSign\, Inc.,C=US

Not Before

01/05/2012, 00:00

Not After

31/12/2012, 23:59

Subject

CN=Symantec Time Stamping Services Signer - G3,O=Symantec Corporation,C=US

Extended Key Usages

ExtKeyUsageTimeStamping

Key Usages

KeyUsageDigitalSignature

47:bf:19:95:df:8d:52:46:43:f7:db:6d:48:0d:31:a4
Certificate

Issuer

CN=Thawte Timestamping CA,OU=Thawte Certification,O=Thawte,L=Durbanville,ST=Western Cape,C=ZA

Not Before

04/12/2003, 00:00

Not After

03/12/2013, 23:59

Subject

CN=VeriSign Time Stamping Services CA,O=VeriSign\, Inc.,C=US

Extended Key Usages

ExtKeyUsageTimeStamping

Key Usages

KeyUsageCertSign
KeyUsageCRLSign

7b:f6:32:6f:70:cb:ec:34:0b:f2:d1:86:8f:e6:5b:1e
Certificate

Issuer

CN=VeriSign Class 3 Code Signing 2009-2 CA,OU=VeriSign Trust Network+OU=Terms of use at https://www.verisign.com/rpa (c)09,O=VeriSign\, Inc.,C=US

Not Before

25/11/2009, 00:00

Not After

23/11/2012, 23:59

Subject

CN=Valve,OU=Digital ID Class 3 - Microsoft Software Validation v2,O=Valve,ST=Washington,C=US

Extended Key Usages

ExtKeyUsageCodeSigning

Key Usages

KeyUsageDigitalSignature

65:52:26:e1:b2:2e:18:e1:59:0f:29:85:ac:22:e7:5c
Certificate

Issuer

OU=Class 3 Public Primary Certification Authority,O=VeriSign\, Inc.,C=US

Not Before

21/05/2009, 00:00

Not After

20/05/2019, 23:59

Subject

CN=VeriSign Class 3 Code Signing 2009-2 CA,OU=VeriSign Trust Network+OU=Terms of use at https://www.verisign.com/rpa (c)09,O=VeriSign\, Inc.,C=US

Extended Key Usages

ExtKeyUsageClientAuth
ExtKeyUsageCodeSigning

Key Usages

KeyUsageCertSign
KeyUsageCRLSign

03:d6:90:c2:9b:25:ad:1c:16:fb:4c:ed:71:3e:60:44:23:22:d5:d1
Signer

Actual PE Digest

03:d6:90:c2:9b:25:ad:1c:16:fb:4c:ed:71:3e:60:44:23:22:d5:d1

Digest Algorithm

sha1

PE Digest Matches

true

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
IMAGE_DLLCHARACTERISTICS_NX_COMPAT

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_32BIT_MACHINE
IMAGE_FILE_DLL

PDB Paths

e:\buildslave\steam_rel_client_win32\build\src\steam_api\Release\steam_api.pdb

Imports

kernel32

FreeLibrary
GetModuleFileNameA
GetModuleHandleA
GetCommandLineA
MultiByteToWideChar
GetExitCodeProcess
OpenProcess
OutputDebugStringA
SetEnvironmentVariableA
LoadLibraryExW
LoadLibraryExA
CloseHandle
GetProcAddress
GetProcessHeap
SetEndOfFile
RaiseException
RtlUnwind
GetLastError
HeapFree
HeapAlloc
EnterCriticalSection
LeaveCriticalSection
GetCurrentThreadId
WriteFile
GetStdHandle
GetModuleFileNameW
TlsAlloc
TlsGetValue
TlsSetValue
TlsFree
InterlockedIncrement
GetModuleHandleW
SetLastError
InterlockedDecrement
HeapCreate
HeapDestroy
ExitProcess
Sleep
HeapSize
UnhandledExceptionFilter
SetUnhandledExceptionFilter
IsDebuggerPresent
TerminateProcess
GetCurrentProcess
SetHandleCount
InitializeCriticalSectionAndSpinCount
GetFileType
GetStartupInfoW
DeleteCriticalSection
IsProcessorFeaturePresent
GetCPInfo
GetACP
GetOEMCP
IsValidCodePage
WideCharToMultiByte
FreeEnvironmentStringsW
GetEnvironmentStringsW
QueryPerformanceCounter
GetTickCount
GetCurrentProcessId
GetSystemTimeAsFileTime
LoadLibraryW
HeapReAlloc
SetStdHandle
GetConsoleCP
GetConsoleMode
FlushFileBuffers
ReadFile
CreateFileA
LCMapStringW
GetStringTypeW
SetFilePointer
CompareStringW
WriteConsoleW
CreateFileW

advapi32

RegQueryValueExA
RegCloseKey
RegOpenKeyExA

shell32

ShellExecuteA

Exports

Exports

GetHSteamPipe
GetHSteamUser
SteamAPI_GetHSteamPipe
SteamAPI_GetHSteamUser
SteamAPI_GetSteamInstallPath
SteamAPI_Init
SteamAPI_InitSafe
SteamAPI_IsSteamRunning
SteamAPI_RegisterCallResult
SteamAPI_RegisterCallback
SteamAPI_RestartAppIfNecessary
SteamAPI_RunCallbacks
SteamAPI_SetBreakpadAppID
SteamAPI_SetMiniDumpComment
SteamAPI_SetTryCatchCallbacks
SteamAPI_Shutdown
SteamAPI_UnregisterCallResult
SteamAPI_UnregisterCallback
SteamAPI_UseBreakpadCrashHandler
SteamAPI_WriteMiniDump
SteamApps
SteamClient
SteamContentServer
SteamContentServerUtils
SteamContentServer_Init
SteamContentServer_RunCallbacks
SteamContentServer_Shutdown
SteamFriends
SteamGameServer
SteamGameServerApps
SteamGameServerHTTP
SteamGameServerNetworking
SteamGameServerStats
SteamGameServerUtils
SteamGameServer_BSecure
SteamGameServer_GetHSteamPipe
SteamGameServer_GetHSteamUser
SteamGameServer_GetIPCCallCount
SteamGameServer_GetSteamID
SteamGameServer_Init
SteamGameServer_InitSafe
SteamGameServer_RunCallbacks
SteamGameServer_Shutdown
SteamHTTP
SteamMatchmaking
SteamMatchmakingServers
SteamNetworking
SteamRemoteStorage
SteamScreenshots
SteamUser
SteamUserStats
SteamUtils
Steam_GetHSteamUserCurrent
Steam_RegisterInterfaceFuncs
Steam_RunCallbacks
g_pSteamClientGameServer

Sections

.text
Size: 66KB - Virtual size: 65KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rdata
Size: 17KB - Virtual size: 16KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.data
Size: 4KB - Virtual size: 12KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.rsrc
Size: 2KB - Virtual size: 1KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.reloc
Size: 7KB - Virtual size: 6KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ

Sharing

General

Malware Config

Signatures

Files

Password: cs.rin.ru

Password: cs.rin.ru

bbd4340e043a389e2ea700c3777596b3

Headers

DLL Characteristics

File Characteristics

PDB Paths

Imports

wsock32

opengl32

glu32

dsound

kernel32

user32

gdi32

shell32

ole32

steam_api

advapi32

Sections

.text Size: 1.3MB - Virtual size: 1.3MB

.rdata Size: 326KB - Virtual size: 325KB

.data Size: 68KB - Virtual size: 145KB

.rsrc Size: 91KB - Virtual size: 91KB

Password: cs.rin.ru

Password: cs.rin.ru

203e2da973611c33e4bbe741dfe9aaa6

Code Sign

70:ba:e4:1d:10:d9:29:34:b6:38:ca:7b:03:cc:ba:bfCertificate

79:a2:a5:85:f9:d1:15:42:13:d9:b8:3e:f6:b6:8d:edCertificate

Extended Key Usages

Key Usages

47:bf:19:95:df:8d:52:46:43:f7:db:6d:48:0d:31:a4Certificate

Extended Key Usages

Key Usages

7b:f6:32:6f:70:cb:ec:34:0b:f2:d1:86:8f:e6:5b:1eCertificate

Extended Key Usages

Key Usages

65:52:26:e1:b2:2e:18:e1:59:0f:29:85:ac:22:e7:5cCertificate

Extended Key Usages

Key Usages

03:d6:90:c2:9b:25:ad:1c:16:fb:4c:ed:71:3e:60:44:23:22:d5:d1Signer

Headers

DLL Characteristics

File Characteristics

PDB Paths

Imports

kernel32

advapi32

shell32

Exports

Exports

Sections

.text Size: 66KB - Virtual size: 65KB

.rdata Size: 17KB - Virtual size: 16KB

.data Size: 4KB - Virtual size: 12KB

.rsrc Size: 2KB - Virtual size: 1KB

.reloc Size: 7KB - Virtual size: 6KB

.text
Size: 1.3MB - Virtual size: 1.3MB

.rdata
Size: 326KB - Virtual size: 325KB

.data
Size: 68KB - Virtual size: 145KB

.rsrc
Size: 91KB - Virtual size: 91KB

70:ba:e4:1d:10:d9:29:34:b6:38:ca:7b:03:cc:ba:bf
Certificate

79:a2:a5:85:f9:d1:15:42:13:d9:b8:3e:f6:b6:8d:ed
Certificate

47:bf:19:95:df:8d:52:46:43:f7:db:6d:48:0d:31:a4
Certificate

7b:f6:32:6f:70:cb:ec:34:0b:f2:d1:86:8f:e6:5b:1e
Certificate

65:52:26:e1:b2:2e:18:e1:59:0f:29:85:ac:22:e7:5c
Certificate

03:d6:90:c2:9b:25:ad:1c:16:fb:4c:ed:71:3e:60:44:23:22:d5:d1
Signer

.text
Size: 66KB - Virtual size: 65KB

.rdata
Size: 17KB - Virtual size: 16KB

.data
Size: 4KB - Virtual size: 12KB

.rsrc
Size: 2KB - Virtual size: 1KB

.reloc
Size: 7KB - Virtual size: 6KB