iWatchDVRAX[.]cab

Sharing

Copy URL Twitter E-mail

General

Target

iWatchDVRAX.cab
Size

125KB
MD5

15118eda122a6bc2eee05616fc199e8b
SHA1

a6df2f259dfa4580a84a5a19312a3e20f3eea443
SHA256

bf3f929dbf4684fa3849791cb84ce9a94205b70b6f076b88dcde0180b6d47785
SHA512

973dc0bcb4e3290808a973a0b937bcf593fe7f129c7d947ba622e6b5b0c07eb34aa721e9cb6a043984de9908a174497728a0a7af33dff19c2f0849840b532afb
SSDEEP

3072:GdMWAj/vft6hUSIrbgFPXty8pvJpSpSLmqbDzVD8SH9q/TDv:qATt62lXgF/tysHzVIS4/Xv

Score

1^/10

Malware Config

Signatures

Files

iWatchDVRAX.cab
.cab
iWatchDVRAX.dll
.dll regsvr32 windows:5 windows x86 arch:x86

2818484ca21edea416e3a3cf69b4d480

Code Sign

79:a2:a5:85:f9:d1:15:42:13:d9:b8:3e:f6:b6:8d:ed
Certificate

Issuer

CN=VeriSign Time Stamping Services CA,O=VeriSign\, Inc.,C=US

Not Before

01/05/2012, 00:00

Not After

31/12/2012, 23:59

Subject

CN=Symantec Time Stamping Services Signer - G3,O=Symantec Corporation,C=US

Extended Key Usages

ExtKeyUsageTimeStamping

Key Usages

KeyUsageDigitalSignature

47:bf:19:95:df:8d:52:46:43:f7:db:6d:48:0d:31:a4
Certificate

Issuer

CN=Thawte Timestamping CA,OU=Thawte Certification,O=Thawte,L=Durbanville,ST=Western Cape,C=ZA

Not Before

04/12/2003, 00:00

Not After

03/12/2013, 23:59

Subject

CN=VeriSign Time Stamping Services CA,O=VeriSign\, Inc.,C=US

Extended Key Usages

ExtKeyUsageTimeStamping

Key Usages

KeyUsageCertSign
KeyUsageCRLSign

7b:1b:3e:76:2c:b2:22:e7:4b:7e:2d:6f:ca:78:59:79
Certificate

Issuer

CN=VeriSign Class 3 Code Signing 2009-2 CA,OU=VeriSign Trust Network+OU=Terms of use at https://www.verisign.com/rpa (c)09,O=VeriSign\, Inc.,C=US

Not Before

25/07/2010, 00:00

Not After

18/10/2013, 23:59

Subject

CN=iCatch Inc.,OU=Digital ID Class 3 - Microsoft Software Validation v2,O=iCatch Inc.,ST=taiwan,C=TW

Extended Key Usages

ExtKeyUsageCodeSigning

Key Usages

KeyUsageDigitalSignature

65:52:26:e1:b2:2e:18:e1:59:0f:29:85:ac:22:e7:5c
Certificate

Issuer

OU=Class 3 Public Primary Certification Authority,O=VeriSign\, Inc.,C=US

Not Before

21/05/2009, 00:00

Not After

20/05/2019, 23:59

Subject

CN=VeriSign Class 3 Code Signing 2009-2 CA,OU=VeriSign Trust Network+OU=Terms of use at https://www.verisign.com/rpa (c)09,O=VeriSign\, Inc.,C=US

Extended Key Usages

ExtKeyUsageClientAuth
ExtKeyUsageCodeSigning

Key Usages

KeyUsageCertSign
KeyUsageCRLSign

e3:92:cb:a7:f1:55:e2:bb:5e:4a:d4:90:14:3a:7a:01:1e:4a:fe:0b
Signer

Actual PE Digest

e3:92:cb:a7:f1:55:e2:bb:5e:4a:d4:90:14:3a:7a:01:1e:4a:fe:0b

Digest Algorithm

sha1

PE Digest Matches

true

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
IMAGE_DLLCHARACTERISTICS_NX_COMPAT

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_32BIT_MACHINE
IMAGE_FILE_DLL

Imports

gdiplus

GdipCloneImage
GdipAlloc
GdipFree
GdipCreateBitmapFromStreamICM
GdiplusShutdown
GdipDisposeImage
GdipCreateBitmapFromScan0
GdipGetImageGraphicsContext
GdipDrawImageRectI
GdipCreateFont
GdiplusStartup
GdipDeleteGraphics
GdipCreateFromHDC
GdipMeasureString
GdipDrawString
GdipCloneBrush
GdipDeleteBrush
GdipCreateSolidFill
GdipDeleteFont
GdipCreateFontFamilyFromName
GdipDeleteFontFamily
GdipGetGenericFontFamilySansSerif

version

GetFileVersionInfoSizeW
VerQueryValueW
GetFileVersionInfoW

ws2_32

send
inet_addr
htonl
htons
closesocket
socket
connect
gethostbyname
recv
WSAStartup
WSACleanup

kernel32

GetConsoleCP
SetFilePointer
RtlUnwind
GetStringTypeW
IsValidCodePage
DeleteCriticalSection
RaiseException
GetThreadLocale
SetThreadLocale
EnterCriticalSection
LeaveCriticalSection
GetLastError
InitializeCriticalSectionAndSpinCount
GetProcAddress
GetModuleHandleW
lstrlenW
GetModuleFileNameW
FreeLibrary
lstrcmpiW
MultiByteToWideChar
SizeofResource
LoadResource
FindResourceW
LoadLibraryExW
InterlockedIncrement
InterlockedDecrement
LoadLibraryW
CreateDirectoryW
LockResource
GetCurrentProcess
MulDiv
FlushInstructionCache
SetLastError
GetCurrentThreadId
lstrcpyW
lstrcmpW
lstrcatW
WideCharToMultiByte
GetLocalTime
GetConsoleMode
GetOEMCP
GetACP
GetCPInfo
GetSystemTimeAsFileTime
GetCurrentProcessId
GetTickCount
QueryPerformanceCounter
GetEnvironmentStringsW
FreeEnvironmentStringsW
GetModuleFileNameA
GetStartupInfoW
GetFileType
SetHandleCount
TlsFree
TlsSetValue
TlsGetValue
TlsAlloc
HeapReAlloc
GetStdHandle
WriteFile
HeapDestroy
HeapCreate
ExitProcess
HeapSize
Sleep
IsDebuggerPresent
SetUnhandledExceptionFilter
UnhandledExceptionFilter
TerminateProcess
GetCommandLineA
DecodePointer
EncodePointer
InterlockedPopEntrySList
VirtualAlloc
VirtualFree
IsProcessorFeaturePresent
HeapAlloc
GetProcessHeap
HeapFree
InterlockedPushEntrySList
InterlockedCompareExchange
LCMapStringW
SetStdHandle
WriteConsoleW
ReadFile
CreateFileW
CloseHandle
FlushFileBuffers
CreateEventW
WaitForSingleObject
ResumeThread
InitializeCriticalSection
ExitThread
CreateThread
SetEndOfFile

user32

GetFocus
SetFocus
ShowWindow
GetClientRect
UnregisterClassA
DestroyWindow
CharNextW
IsChild
IntersectRect
PostMessageW
DefWindowProcW
LoadStringW
CallWindowProcW
EqualRect
CreateWindowExW
IsWindow
SetWindowPos
SetWindowLongW
ReleaseDC
GetWindowLongW
InvalidateRect
UnionRect
OffsetRect
RegisterClassExW
GetDC
GetClassInfoExW
GetPropW
GetWindow
RemovePropW
SetPropW
MoveWindow
LoadIconW
wsprintfW
wvsprintfA
CharLowerW
EndPaint
SetWindowRgn
GetKeyState
LoadCursorW
BeginPaint
PtInRect

gdi32

SetWindowOrgEx
SetViewportOrgEx
LPtoDP
DeleteDC
GetDeviceCaps
CreateDCW
CreateRectRgnIndirect
SetMapMode
SaveDC
SetTextAlign
TextOutW
RestoreDC
GetStockObject

advapi32

RegCreateKeyExW
RegSetValueExW
RegEnumKeyExW
RegOpenKeyExW
RegQueryInfoKeyW
RegCloseKey
RegDeleteKeyW
RegDeleteValueW

shell32

ord680
SHGetFolderPathW

ole32

StringFromGUID2
CoCreateInstance
CoTaskMemFree
CoTaskMemRealloc
CoTaskMemAlloc
CoInitialize
CoUninitialize
CreateOleAdviseHolder
WriteClassStm
OleRegGetUserType
OleRegEnumVerbs
ReadClassStm
OleSaveToStream
OleRegGetMiscStatus

oleaut32

VariantInit
LoadTypeLi
SysAllocString
SysFreeString
SysStringLen
RegisterTypeLi
VarUI4FromStr
LoadRegTypeLi
SysStringByteLen
OleCreatePropertyFrame
VariantChangeType
UnRegisterTypeLi
SysAllocStringByteLen
VariantClear
SysAllocStringLen
VarBstrCat

shlwapi

StrCpyW
StrCpyNW
StrCmpIW
PathAppendW

rpcrt4

RpcStringFreeW
UuidCreate
UuidToStringW

Exports

Exports

DllCanUnloadNow
DllGetClassObject
DllInstall
DllRegisterServer
DllUnregisterServer

Sections

.text
Size: 168KB - Virtual size: 168KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rdata
Size: 37KB - Virtual size: 37KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.data
Size: 8KB - Virtual size: 15KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.rsrc
Size: 13KB - Virtual size: 13KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.reloc
Size: 16KB - Virtual size: 16KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ
iWatchDVRAX.inf

Sharing

General

Malware Config

Signatures

Files

2818484ca21edea416e3a3cf69b4d480

Code Sign

79:a2:a5:85:f9:d1:15:42:13:d9:b8:3e:f6:b6:8d:edCertificate

Extended Key Usages

Key Usages

47:bf:19:95:df:8d:52:46:43:f7:db:6d:48:0d:31:a4Certificate

Extended Key Usages

Key Usages

7b:1b:3e:76:2c:b2:22:e7:4b:7e:2d:6f:ca:78:59:79Certificate

Extended Key Usages

Key Usages

65:52:26:e1:b2:2e:18:e1:59:0f:29:85:ac:22:e7:5cCertificate

Extended Key Usages

Key Usages

e3:92:cb:a7:f1:55:e2:bb:5e:4a:d4:90:14:3a:7a:01:1e:4a:fe:0bSigner

Headers

DLL Characteristics

File Characteristics

Imports

gdiplus

version

ws2_32

kernel32

user32

gdi32

advapi32

shell32

ole32

oleaut32

shlwapi

rpcrt4

Exports

Exports

Sections

.text Size: 168KB - Virtual size: 168KB

.rdata Size: 37KB - Virtual size: 37KB

.data Size: 8KB - Virtual size: 15KB

.rsrc Size: 13KB - Virtual size: 13KB

.reloc Size: 16KB - Virtual size: 16KB

79:a2:a5:85:f9:d1:15:42:13:d9:b8:3e:f6:b6:8d:ed
Certificate

47:bf:19:95:df:8d:52:46:43:f7:db:6d:48:0d:31:a4
Certificate

7b:1b:3e:76:2c:b2:22:e7:4b:7e:2d:6f:ca:78:59:79
Certificate

65:52:26:e1:b2:2e:18:e1:59:0f:29:85:ac:22:e7:5c
Certificate

e3:92:cb:a7:f1:55:e2:bb:5e:4a:d4:90:14:3a:7a:01:1e:4a:fe:0b
Signer

.text
Size: 168KB - Virtual size: 168KB

.rdata
Size: 37KB - Virtual size: 37KB

.data
Size: 8KB - Virtual size: 15KB

.rsrc
Size: 13KB - Virtual size: 13KB

.reloc
Size: 16KB - Virtual size: 16KB