84eb4358ecbfa5c2ca3fa58264aa7c3c_JaffaCakes118

Sharing

Copy URL Twitter E-mail

General

Target

84eb4358ecbfa5c2ca3fa58264aa7c3c_JaffaCakes118
Size

1.2MB
MD5

84eb4358ecbfa5c2ca3fa58264aa7c3c
SHA1

f0f2f898561d3ae5dd47d13751df793f16e98799
SHA256

7522ed34ab84269983c57dbd26557cd9b2353405c8eef8548abebc0889af8a3a
SHA512

51e72e98d8c1f9f6ea957ec24a7a6840d689faf3b426559e6d2109f7d2d8caa877641fb4cd3ba1ea5c64c73b9ec5336af2f5da287837093a0f747a4941641f3a
SSDEEP

24576:7ynsCwMKROjvqmQwuQ3YVZpc4CGlizdYTkv9DD6Scf0VWeOJAPSVlg4M2iGY:7FCHKEjvEHc4C6CDD1nWma8GY

Score

3^/10

Malware Config

Signatures

Unsigned PE 10 IoCs

Checks for missing Authenticode signature.

resource
unpack001/$PLUGINSDIR/InstallOptions.dll
unpack001/$PLUGINSDIR/WaitBox.exe
unpack001/$SYSDIR/G2Helper.exe
unpack001/$WINDIR/i2c_aim.dll
unpack001/$WINDIR/i2g_cap.dll
unpack001/$WINDIR/i2g_move.dll
unpack001/$WINDIR/i2u_aim.dll
unpack001/$WINDIR/i2u_close.dll
unpack001/$_3_.exe
unpack001/$_4_.exe

NSIS installer 1 IoCs

installer

resource	yara_rule
sample	nsis_installer_1

Files

84eb4358ecbfa5c2ca3fa58264aa7c3c_JaffaCakes118
.exe windows:4 windows x86 arch:x86

381e79edf6f32b225643e232be0965fa

Code Sign

01
Certificate

Issuer

CN=Thawte Premium Server CA,OU=Certification Services Division,O=Thawte Consulting cc,L=Cape Town,ST=Western Cape,C=ZA,1.2.840.113549.1.9.1=#0c197072656d69756d2d736572766572407468617774652e636f6d

Not Before

01/08/1996, 00:00

Not After

31/12/2020, 23:59

Subject

CN=Thawte Premium Server CA,OU=Certification Services Division,O=Thawte Consulting cc,L=Cape Town,ST=Western Cape,C=ZA,1.2.840.113549.1.9.1=#0c197072656d69756d2d736572766572407468617774652e636f6d

0a
Certificate

Issuer

CN=Thawte Premium Server CA,OU=Certification Services Division,O=Thawte Consulting cc,L=Cape Town,ST=Western Cape,C=ZA,1.2.840.113549.1.9.1=#0c197072656d69756d2d736572766572407468617774652e636f6d

Not Before

06/08/2003, 00:00

Not After

05/08/2013, 23:59

Subject

CN=Thawte Code Signing CA,O=Thawte Consulting (Pty) Ltd.,C=ZA

Extended Key Usages

ExtKeyUsageClientAuth
ExtKeyUsageCodeSigning

Key Usages

KeyUsageCertSign
KeyUsageCRLSign

47:bf:19:95:df:8d:52:46:43:f7:db:6d:48:0d:31:a4
Certificate

Issuer

CN=Thawte Timestamping CA,OU=Thawte Certification,O=Thawte,L=Durbanville,ST=Western Cape,C=ZA

Not Before

04/12/2003, 00:00

Not After

03/12/2013, 23:59

Subject

CN=VeriSign Time Stamping Services CA,O=VeriSign\, Inc.,C=US

Extended Key Usages

ExtKeyUsageTimeStamping

Key Usages

KeyUsageCertSign
KeyUsageCRLSign

20:63:18
Certificate

Issuer

CN=Thawte Code Signing CA,O=Thawte Consulting (Pty) Ltd.,C=ZA

Not Before

26/08/2004, 21:53

Not After

26/08/2005, 21:53

Subject

CN=BitSplash Software\, LLC,OU=Secure Application Development,O=BitSplash Software\, LLC,L=Narragansett,ST=Rhode Island,C=US

Extended Key Usages

ExtKeyUsageCodeSigning
ExtKeyUsageMicrosoftCommercialCodeSigning

0d:e9:2b:f0:d4:d8:29:88:18:32:05:09:5e:9a:76:88
Certificate

Issuer

CN=VeriSign Time Stamping Services CA,O=VeriSign\, Inc.,C=US

Not Before

04/12/2003, 00:00

Not After

03/12/2008, 23:59

Subject

CN=VeriSign Time Stamping Services Signer,O=VeriSign\, Inc.,C=US

Extended Key Usages

ExtKeyUsageTimeStamping

Key Usages

KeyUsageDigitalSignature
KeyUsageContentCommitment

a6:d3:9b:5e:81:41:a8:15:89:31:b0:66:63:ef:cd:8e:88:3b:6d:09
Signer

Actual PE Digest

a6:d3:9b:5e:81:41:a8:15:89:31:b0:66:63:ef:cd:8e:88:3b:6d:09

Digest Algorithm

sha1

PE Digest Matches

true

Headers

File Characteristics

IMAGE_FILE_RELOCS_STRIPPED
IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LINE_NUMS_STRIPPED
IMAGE_FILE_LOCAL_SYMS_STRIPPED
IMAGE_FILE_32BIT_MACHINE

Imports

kernel32

CompareFileTime
SearchPathA
GetShortPathNameA
GetFullPathNameA
MoveFileA
lstrcatA
SetCurrentDirectoryA
GetFileAttributesA
GetLastError
CreateDirectoryA
SetFileAttributesA
Sleep
GetFileSize
GetModuleFileNameA
GetTickCount
GetCurrentProcess
CopyFileA
ExitProcess
lstrcpynA
GetCommandLineA
SetFileTime
GetTempPathA
GetUserDefaultLangID
GetDiskFreeSpaceA
GlobalUnlock
GlobalLock
GlobalAlloc
CreateThread
CreateProcessA
RemoveDirectoryA
CreateFileA
GetTempFileNameA
SetEndOfFile
UnmapViewOfFile
MapViewOfFile
CreateFileMappingA
lstrcpyA
lstrlenA
GetSystemDirectoryA
CloseHandle
lstrcmpiA
GetEnvironmentVariableA
ExpandEnvironmentStringsA
GlobalFree
WaitForSingleObject
GetExitCodeProcess
SetErrorMode
GetModuleHandleA
LoadLibraryA
GetProcAddress
FreeLibrary
MultiByteToWideChar
WritePrivateProfileStringA
MulDiv
GetPrivateProfileStringA
WriteFile
ReadFile
SetFilePointer
FindClose
FindNextFileA
FindFirstFileA
DeleteFileA
GetWindowsDirectoryA

user32

SystemParametersInfoA
RegisterClassA
EndDialog
ScreenToClient
GetWindowRect
SetClassLongA
IsWindowEnabled
SetWindowPos
GetSysColor
GetWindowLongA
LoadCursorA
SetCursor
CheckDlgButton
GetMessagePos
LoadBitmapA
CallWindowProcA
IsWindowVisible
CloseClipboard
SetClipboardData
CreateWindowExA
OpenClipboard
TrackPopupMenu
AppendMenuA
CreatePopupMenu
GetSystemMetrics
SetDlgItemTextA
GetDlgItemTextA
MessageBoxA
CharPrevA
SetTimer
SetWindowTextA
PostQuitMessage
SetForegroundWindow
ShowWindow
wsprintfA
SendMessageTimeoutA
FindWindowExA
IsWindow
GetClassInfoA
DialogBoxParamA
CharNextA
ExitWindowsEx
CreateDialogParamA
EmptyClipboard
DestroyWindow
SetWindowLongA
LoadImageA
GetDC
EnableWindow
PeekMessageA
DispatchMessageA
InvalidateRect
SendMessageA
DefWindowProcA
BeginPaint
GetClientRect
FillRect
DrawTextA
EndPaint
GetDlgItem

gdi32

SetBkColor
GetDeviceCaps
DeleteObject
CreateBrushIndirect
CreateFontIndirectA
SetBkMode
SetTextColor
SelectObject

shell32

SHGetMalloc
SHGetPathFromIDListA
SHBrowseForFolderA
ShellExecuteA
SHFileOperationA
SHGetSpecialFolderLocation

advapi32

RegQueryValueExA
RegSetValueExA
RegEnumKeyA
RegEnumValueA
RegOpenKeyExA
RegDeleteKeyA
RegDeleteValueA
RegCloseKey
RegCreateKeyExA

comctl32

ImageList_AddMasked
ImageList_Destroy
ord17
ImageList_Create

ole32

OleInitialize
OleUninitialize
CoCreateInstance

version

GetFileVersionInfoSizeA
GetFileVersionInfoA
VerQueryValueA

Sections

.text
Size: 22KB - Virtual size: 21KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rdata
Size: 4KB - Virtual size: 4KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.data
Size: 1024B - Virtual size: 108KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.ndata
Size: - Virtual size: 52KB

IMAGE_SCN_CNT_UNINITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.rsrc
Size: 16KB - Virtual size: 16KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
$PLUGINSDIR/CustomInstallation.ini
$PLUGINSDIR/CustomInstallation2.ini
$PLUGINSDIR/InstallOptions.dll
.dll windows:4 windows x86 arch:x86

9d433976e02d79532f0d635ee81d0b20

Headers

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LINE_NUMS_STRIPPED
IMAGE_FILE_LOCAL_SYMS_STRIPPED
IMAGE_FILE_32BIT_MACHINE
IMAGE_FILE_DLL

Imports

kernel32

MultiByteToWideChar
GetModuleHandleA
GetPrivateProfileIntA
GlobalAlloc
GetPrivateProfileStringA
lstrcatA
lstrcpynA
WritePrivateProfileStringA
lstrlenA
lstrcpyA
GlobalFree
lstrcmpiA

user32

GetDlgCtrlID
GetClientRect
SetWindowRgn
LoadIconA
MapWindowPoints
SetWindowLongA
CreateWindowExA
MapDialogRect
SetWindowPos
GetWindowRect
CreateDialogParamA
ShowWindow
EnableWindow
GetDlgItem
DestroyIcon
DestroyWindow
DispatchMessageA
TranslateMessage
GetMessageA
IsDialogMessageA
PtInRect
LoadCursorA
SetCursor
DrawTextA
GetWindowLongA
DrawFocusRect
CallWindowProcA
PostMessageA
MessageBoxA
CharNextA
wsprintfA
GetWindowTextA
SetWindowTextA
SendMessageA
LoadImageA

gdi32

SetTextColor
CreateCompatibleDC
GetObjectA
GetDIBits
CreateRectRgn
CombineRgn
DeleteObject
SelectObject

shell32

SHGetMalloc
SHGetPathFromIDListA
SHBrowseForFolderA
SHGetDesktopFolder
ShellExecuteA

comdlg32

GetOpenFileNameA
GetSaveFileNameA
CommDlgExtendedError

Exports

Exports

dialog
initDialog
show

Sections

.text
Size: 6KB - Virtual size: 6KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rdata
Size: 2KB - Virtual size: 1KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.data
Size: 1KB - Virtual size: 9KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.rsrc
Size: 512B - Virtual size: 152B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.reloc
Size: 1024B - Virtual size: 930B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ
$PLUGINSDIR/InstallationType.ini
$PLUGINSDIR/Monitoring.bmp
$PLUGINSDIR/MonitoringInstallation.ini
$PLUGINSDIR/Personal.bmp
$PLUGINSDIR/PersonalInstallation.ini
$PLUGINSDIR/WaitBox.exe
.exe windows:4 windows x86 arch:x86

a6922c4cebe45f8898a7ea310ab15a2c

Headers

File Characteristics

IMAGE_FILE_RELOCS_STRIPPED
IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LINE_NUMS_STRIPPED
IMAGE_FILE_LOCAL_SYMS_STRIPPED
IMAGE_FILE_32BIT_MACHINE

PDB Paths

c:\Source\Output\Release\WaitBox.pdb

Imports

user32

FindWindowA
SendMessageA
LoadCursorA
RegisterClassExA
MessageBoxA
GetSystemMetrics
CreateWindowExA
ShowWindow
UpdateWindow
GetMessageA
TranslateMessage
DispatchMessageA
DefWindowProcA
DestroyWindow
BeginPaint
GetWindowRect
EndPaint
PostQuitMessage

gdi32

CreateSolidBrush
SelectObject
CreatePen
Rectangle
SetBkMode
SetTextColor
TextOutA
DeleteObject
GetTextExtentPoint32A

kernel32

HeapReAlloc
VirtualAlloc
HeapAlloc
HeapSize
GetOEMCP
GetACP
VirtualQuery
InterlockedExchange
LCMapStringA
MultiByteToWideChar
LCMapStringW
GetStringTypeA
GetStringTypeW
GetLocaleInfoA
VirtualProtect
GetSystemInfo
GetCPInfo
GetModuleFileNameA
ExitProcess
GetModuleHandleA
GetStartupInfoA
GetCommandLineA
GetVersionExA
QueryPerformanceCounter
GetTickCount
GetCurrentThreadId
GetCurrentProcessId
GetSystemTimeAsFileTime
GetProcAddress
TerminateProcess
GetCurrentProcess
WriteFile
GetStdHandle
UnhandledExceptionFilter
FreeEnvironmentStringsA
GetEnvironmentStrings
FreeEnvironmentStringsW
WideCharToMultiByte
GetLastError
GetEnvironmentStringsW
SetHandleCount
GetFileType
HeapDestroy
HeapCreate
VirtualFree
HeapFree
LoadLibraryA
RtlUnwind

Sections

.text
Size: 16KB - Virtual size: 15KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rdata
Size: 8KB - Virtual size: 5KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.data
Size: 4KB - Virtual size: 2KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE
$PLUGINSDIR/ioSpecial.ini
$PLUGINSDIR/modern-wizard.bmp
$SYSDIR/G2Helper.exe
.exe windows:4 windows x86 arch:x86

0d69abb7b6ffa9969d8799ba91553979

Headers

File Characteristics

IMAGE_FILE_RELOCS_STRIPPED
IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LINE_NUMS_STRIPPED
IMAGE_FILE_LOCAL_SYMS_STRIPPED
IMAGE_FILE_32BIT_MACHINE

PDB Paths

c:\Source\Output\Release\Grabber2Helper.pdb

Imports

kernel32

WriteFile
ReadFile
SetFilePointer
LockFile
CloseHandle
GetTempPathA
CreateFileA
GetVersion
GetCurrentProcess
WaitForSingleObject
CreateProcessA
CreateSemaphoreA
Sleep
SetEndOfFile
MoveFileA
DeleteFileA
OpenSemaphoreA
VirtualProtect
GetLocaleInfoA
SetEnvironmentVariableA
CompareStringW
CompareStringA
GetStringTypeW
GetStringTypeA
UnlockFile
GetFileSize
GetWindowsDirectoryA
GetSystemDirectoryA
HeapFree
HeapAlloc
GetSystemTimeAsFileTime
ExitProcess
GetLastError
GetProcAddress
GetModuleHandleA
TerminateProcess
GetStartupInfoA
GetCommandLineA
GetVersionExA
HeapDestroy
HeapCreate
VirtualFree
VirtualAlloc
HeapReAlloc
WideCharToMultiByte
GetTimeZoneInformation
QueryPerformanceCounter
GetTickCount
GetCurrentThreadId
GetCurrentProcessId
GetModuleFileNameA
SetHandleCount
GetStdHandle
GetFileType
FlushFileBuffers
UnhandledExceptionFilter
FreeEnvironmentStringsA
GetEnvironmentStrings
FreeEnvironmentStringsW
GetEnvironmentStringsW
LoadLibraryA
RtlUnwind
InterlockedExchange
VirtualQuery
SetStdHandle
HeapSize
GetACP
GetOEMCP
GetCPInfo
LCMapStringA
MultiByteToWideChar
LCMapStringW
GetSystemInfo

user32

MessageBoxA
PostMessageA
SendMessageA
FindWindowExA
FindWindowA

Sections

.text
Size: 44KB - Virtual size: 40KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rdata
Size: 8KB - Virtual size: 6KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.data
Size: 4KB - Virtual size: 8KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE
$SYSDIR/imgg.cfg
$SYSDIR/imgv.cfg
$WINDIR/$SYSDIR/unIMG.exe.nsis
$WINDIR/i2c_aim.dll
.dll windows:4 windows x86 arch:x86

c993bd80de16dc7f2cbf20fcba053f4a

Headers

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LINE_NUMS_STRIPPED
IMAGE_FILE_LOCAL_SYMS_STRIPPED
IMAGE_FILE_32BIT_MACHINE
IMAGE_FILE_DLL

PDB Paths

c:\Source\Output\Release\i2c_aim.pdb

Imports

kernel32

GetSystemDirectoryA
GetFileSize
UnlockFile
SetEndOfFile
WriteFile
ReadFile
SetFilePointer
LockFile
CloseHandle
GetTempPathA
CreateFileA
HeapFree
HeapAlloc
GetSystemTimeAsFileTime
ExitProcess
GetProcAddress
GetModuleHandleA
TerminateProcess
GetCurrentProcess
RaiseException
RtlUnwind
GetLastError
DeleteFileA
GetCurrentThreadId
GetCommandLineA
GetVersionExA
HeapDestroy
HeapCreate
VirtualFree
DeleteCriticalSection
LeaveCriticalSection
EnterCriticalSection
VirtualAlloc
HeapReAlloc
IsBadWritePtr
WideCharToMultiByte
GetTimeZoneInformation
QueryPerformanceCounter
GetTickCount
GetCurrentProcessId
GetModuleFileNameA
SetHandleCount
GetStdHandle
GetFileType
GetStartupInfoA
TlsAlloc
SetLastError
TlsFree
TlsSetValue
TlsGetValue
SetUnhandledExceptionFilter
FreeEnvironmentStringsA
GetEnvironmentStrings
FreeEnvironmentStringsW
GetEnvironmentStringsW
UnhandledExceptionFilter
HeapSize
InitializeCriticalSection
InterlockedExchange
VirtualQuery
LoadLibraryA
SetStdHandle
FlushFileBuffers
GetACP
GetOEMCP
GetCPInfo
IsBadReadPtr
IsBadCodePtr
GetLocaleInfoA
GetStringTypeA
MultiByteToWideChar
GetStringTypeW
LCMapStringA
LCMapStringW
CompareStringA
CompareStringW
SetEnvironmentVariableA
VirtualProtect
GetSystemInfo

Exports

Exports

create
destroy
get_id
get_version

Sections

.text
Size: 68KB - Virtual size: 65KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rdata
Size: 16KB - Virtual size: 13KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.data
Size: 8KB - Virtual size: 13KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.reloc
Size: 8KB - Virtual size: 5KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ
$WINDIR/i2g_cap.dll
.dll windows:4 windows x86 arch:x86

b1350e44bfa69f8b811d288d3c08b53c

Headers

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LINE_NUMS_STRIPPED
IMAGE_FILE_LOCAL_SYMS_STRIPPED
IMAGE_FILE_32BIT_MACHINE
IMAGE_FILE_DLL

PDB Paths

c:\Source\Output\Release\i2g_cap.pdb

Imports

user32

DestroyWindow
DefWindowProcA
DispatchMessageA
TranslateMessage
GetMessageA
SetCursor
wsprintfA
PostQuitMessage
LoadIconA
LoadCursorA
RegisterClassExA
CreateWindowExA
ShowWindow
UpdateWindow

advapi32

StartServiceA
OpenServiceA
CreateServiceA
UnlockServiceDatabase
CloseServiceHandle
OpenSCManagerA
OpenProcessToken
LookupPrivilegeValueA
AdjustTokenPrivileges
RegOpenKeyExA
RegQueryInfoKeyA
RegQueryValueExA
RegEnumKeyExA
RegCloseKey
ControlService

iphlpapi

GetAdaptersInfo

ole32

CoCreateInstance
CoInitializeEx
CoUninitialize

kernel32

GetStringTypeA
GetUserDefaultLCID
EnumSystemLocalesA
IsValidLocale
IsValidCodePage
FlushFileBuffers
IsBadReadPtr
IsBadCodePtr
GetACP
GetOEMCP
SetStdHandle
GetLocaleInfoW
CompareStringA
CompareStringW
SetEnvironmentVariableA
GetStringTypeW
InterlockedIncrement
GetLocaleInfoA
VirtualQuery
UnhandledExceptionFilter
GetEnvironmentStringsW
FreeEnvironmentStringsW
GetEnvironmentStrings
GetSystemDirectoryA
GetFileSize
UnlockFile
SetEndOfFile
WriteFile
ReadFile
SetFilePointer
LockFile
CloseHandle
GetTempPathA
CreateFileA
ReleaseMutex
WaitForSingleObject
FindClose
FindNextFileA
GetLastError
GetProcAddress
LoadLibraryA
FindFirstFileA
GetWindowsDirectoryA
Sleep
CreateThread
CreateMutexA
PulseEvent
GlobalLock
GlobalAlloc
GlobalFree
GlobalUnlock
GlobalHandle
GlobalReAlloc
EnterCriticalSection
LeaveCriticalSection
DeleteCriticalSection
InitializeCriticalSection
GetCurrentProcessId
CreateIoCompletionPort
GetQueuedCompletionStatus
PostQueuedCompletionStatus
CreateEventA
ResetEvent
DeviceIoControl
SetEvent
TerminateThread
WaitForMultipleObjects
GetSystemInfo
SetThreadPriority
DeleteFileA
lstrcatA
CreateSemaphoreA
ReleaseSemaphore
lstrlenA
lstrcpyA
lstrcmpA
VirtualAlloc
VirtualFree
HeapFree
HeapAlloc
GetProcessHeap
HeapReAlloc
InterlockedDecrement
GetTickCount
GetCurrentProcess
FreeLibrary
GetCurrentThreadId
GetVersionExA
VirtualProtect
InterlockedExchange
GetSystemTimeAsFileTime
ExitProcess
RaiseException
RtlUnwind
GetCommandLineA
GetModuleHandleA
TerminateProcess
LCMapStringA
WideCharToMultiByte
MultiByteToWideChar
LCMapStringW
GetCPInfo
HeapDestroy
HeapCreate
IsBadWritePtr
GetTimeZoneInformation
QueryPerformanceCounter
GetModuleFileNameA
SetUnhandledExceptionFilter
TlsAlloc
SetLastError
TlsFree
TlsSetValue
TlsGetValue
SetHandleCount
GetStdHandle
GetFileType
GetStartupInfoA
HeapSize
FreeEnvironmentStringsA

Exports

Exports

general
getAdapterList
get_id
get_version

Sections

.text
Size: 108KB - Virtual size: 107KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rdata
Size: 28KB - Virtual size: 25KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.data
Size: 56KB - Virtual size: 59KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.reloc
Size: 12KB - Virtual size: 10KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ
$WINDIR/i2g_move.dll
.dll windows:4 windows x86 arch:x86

1a7c03a22aaca342f7cb8e977692294a

Headers

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LINE_NUMS_STRIPPED
IMAGE_FILE_LOCAL_SYMS_STRIPPED
IMAGE_FILE_32BIT_MACHINE
IMAGE_FILE_DLL

PDB Paths

C:\Source\Output\Release\i2g_move.pdb

Imports

advapi32

RegQueryInfoKeyA
RegQueryValueExA
RegCloseKey
RegOpenKeyExA
RegEnumKeyExA

kernel32

GetVersion
GetSystemDirectoryA
GetFileSize
UnlockFile
SetEndOfFile
WriteFile
ReadFile
SetFilePointer
LockFile
CloseHandle
GetTempPathA
CreateFileA
FormatMessageA
FindClose
FindNextFileA
FindFirstFileA
Sleep
CopyFileA
HeapFree
HeapAlloc
GetSystemTimeAsFileTime
ExitProcess
GetLastError
DeleteFileA
RtlUnwind
RaiseException
GetCurrentThreadId
GetCommandLineA
GetVersionExA
HeapDestroy
HeapCreate
VirtualFree
DeleteCriticalSection
LeaveCriticalSection
EnterCriticalSection
VirtualAlloc
HeapReAlloc
IsBadWritePtr
WideCharToMultiByte
GetTimeZoneInformation
QueryPerformanceCounter
GetTickCount
GetCurrentProcessId
GetModuleFileNameA
SetHandleCount
GetStdHandle
GetFileType
GetStartupInfoA
TlsAlloc
SetLastError
TlsFree
TlsSetValue
TlsGetValue
GetProcAddress
GetModuleHandleA
SetUnhandledExceptionFilter
TerminateProcess
GetCurrentProcess
HeapSize
FreeEnvironmentStringsA
GetEnvironmentStrings
FreeEnvironmentStringsW
GetEnvironmentStringsW
UnhandledExceptionFilter
InitializeCriticalSection
InterlockedExchange
VirtualQuery
LoadLibraryA
SetStdHandle
FlushFileBuffers
IsBadReadPtr
IsBadCodePtr
GetACP
GetOEMCP
GetCPInfo
GetLocaleInfoA
GetStringTypeA
MultiByteToWideChar
GetStringTypeW
LCMapStringA
LCMapStringW
CompareStringA
CompareStringW
SetEnvironmentVariableA
VirtualProtect
GetSystemInfo

Exports

Exports

general
get_id
get_version

Sections

.text
Size: 52KB - Virtual size: 51KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rdata
Size: 12KB - Virtual size: 9KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.data
Size: 8KB - Virtual size: 11KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.reloc
Size: 8KB - Virtual size: 4KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ
$WINDIR/i2u_aim.dll
.dll windows:4 windows x86 arch:x86

4ee47025cc31da58df9942d18e214bba

Headers

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LINE_NUMS_STRIPPED
IMAGE_FILE_LOCAL_SYMS_STRIPPED
IMAGE_FILE_32BIT_MACHINE
IMAGE_FILE_DLL

PDB Paths

c:\Source\Output\Release\i2u_aim.pdb

Imports

user32

GetClassNameA
SendMessageA
FindWindowExA
GetWindowTextA

kernel32

SetHandleCount
SetEnvironmentVariableA
CompareStringW
CompareStringA
GetSystemDirectoryA
GetFileSize
UnlockFile
SetEndOfFile
WriteFile
ReadFile
SetFilePointer
LockFile
CloseHandle
GetTempPathA
CreateFileA
Sleep
HeapFree
HeapAlloc
GetSystemTimeAsFileTime
ExitProcess
GetProcAddress
GetModuleHandleA
TerminateProcess
GetCurrentProcess
RaiseException
RtlUnwind
GetCurrentThreadId
GetCommandLineA
GetVersionExA
HeapDestroy
HeapCreate
VirtualFree
DeleteCriticalSection
LeaveCriticalSection
EnterCriticalSection
VirtualAlloc
HeapReAlloc
IsBadWritePtr
WideCharToMultiByte
GetTimeZoneInformation
QueryPerformanceCounter
GetTickCount
GetCurrentProcessId
GetModuleFileNameA
GetLastError
GetStdHandle
GetFileType
GetStartupInfoA
TlsAlloc
SetLastError
TlsFree
TlsSetValue
TlsGetValue
SetUnhandledExceptionFilter
LCMapStringA
MultiByteToWideChar
LCMapStringW
HeapSize
FreeEnvironmentStringsA
GetEnvironmentStrings
FreeEnvironmentStringsW
GetEnvironmentStringsW
UnhandledExceptionFilter
InitializeCriticalSection
InterlockedExchange
VirtualQuery
LoadLibraryA
SetStdHandle
FlushFileBuffers
GetACP
GetOEMCP
GetCPInfo
IsBadReadPtr
IsBadCodePtr
GetLocaleInfoA
VirtualProtect
GetSystemInfo
GetStringTypeA
GetStringTypeW

Exports

Exports

general
get_id
get_version

Sections

.text
Size: 72KB - Virtual size: 71KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rdata
Size: 12KB - Virtual size: 11KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.data
Size: 8KB - Virtual size: 13KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.reloc
Size: 8KB - Virtual size: 5KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ
$WINDIR/i2u_close.dll
.dll windows:4 windows x86 arch:x86

49786ab1beb31662e0cfc71921edff43

Headers

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LINE_NUMS_STRIPPED
IMAGE_FILE_LOCAL_SYMS_STRIPPED
IMAGE_FILE_32BIT_MACHINE
IMAGE_FILE_DLL

PDB Paths

C:\Source\Output\Release\i2u_close.pdb

Imports

user32

FindWindowExA
GetWindowTextA
SendMessageA

kernel32

TlsGetValue
GetSystemInfo
VirtualProtect
GetSystemDirectoryA
GetFileSize
UnlockFile
SetEndOfFile
WriteFile
ReadFile
SetFilePointer
LockFile
CloseHandle
GetTempPathA
CreateFileA
Sleep
HeapFree
HeapAlloc
GetSystemTimeAsFileTime
ExitProcess
RtlUnwind
RaiseException
GetCurrentThreadId
GetCommandLineA
GetVersionExA
HeapDestroy
HeapCreate
VirtualFree
DeleteCriticalSection
LeaveCriticalSection
EnterCriticalSection
VirtualAlloc
HeapReAlloc
IsBadWritePtr
WideCharToMultiByte
GetTimeZoneInformation
QueryPerformanceCounter
GetTickCount
GetCurrentProcessId
GetModuleFileNameA
TlsAlloc
SetLastError
GetLastError
TlsFree
TlsSetValue
GetProcAddress
GetModuleHandleA
SetUnhandledExceptionFilter
SetHandleCount
GetStdHandle
GetFileType
GetStartupInfoA
TerminateProcess
GetCurrentProcess
HeapSize
FreeEnvironmentStringsA
GetEnvironmentStrings
FreeEnvironmentStringsW
GetEnvironmentStringsW
UnhandledExceptionFilter
InitializeCriticalSection
InterlockedExchange
VirtualQuery
LoadLibraryA
IsBadReadPtr
IsBadCodePtr
GetACP
GetOEMCP
GetCPInfo
SetStdHandle
FlushFileBuffers
GetLocaleInfoA
GetStringTypeA
MultiByteToWideChar
GetStringTypeW
LCMapStringA
LCMapStringW
CompareStringA
CompareStringW
SetEnvironmentVariableA

Exports

Exports

general
get_id
get_version

Sections

.text
Size: 48KB - Virtual size: 46KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rdata
Size: 12KB - Virtual size: 8KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.data
Size: 8KB - Virtual size: 10KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.reloc
Size: 8KB - Virtual size: 4KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ
$_3_.exe
.exe windows:4 windows x86 arch:x86

Headers

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LINE_NUMS_STRIPPED
IMAGE_FILE_LOCAL_SYMS_STRIPPED
IMAGE_FILE_BYTES_REVERSED_LO
IMAGE_FILE_32BIT_MACHINE
IMAGE_FILE_BYTES_REVERSED_HI

Sections

CODE
Size: 1017KB - Virtual size: 1017KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

DATA
Size: 12KB - Virtual size: 11KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

BSS
Size: - Virtual size: 72KB

IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.idata
Size: 12KB - Virtual size: 11KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.tls
Size: - Virtual size: 16B

IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.rdata
Size: 512B - Virtual size: 24B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.reloc
Size: 67KB - Virtual size: 66KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.rsrc
Size: 411KB - Virtual size: 411KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
$_4_.exe
.exe windows:4 windows x86 arch:x86

a91e8e1017a4de857365b534280e3887

Headers

File Characteristics

IMAGE_FILE_RELOCS_STRIPPED
IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LINE_NUMS_STRIPPED
IMAGE_FILE_LOCAL_SYMS_STRIPPED
IMAGE_FILE_32BIT_MACHINE

PDB Paths

C:\Source\Output\Release\instant_message_grabber_service.pdb

Imports

advapi32

GetUserNameA
SetServiceStatus
CreateServiceA
CloseServiceHandle
OpenSCManagerA
DeleteService
QueryServiceStatus
OpenServiceA
RegisterServiceCtrlHandlerA
StartServiceCtrlDispatcherA

user32

SendMessageA
FindWindowExA

shell32

ShellExecuteA

kernel32

SetEnvironmentVariableA
CompareStringW
CompareStringA
GetSystemDirectoryA
GetFileSize
UnlockFile
SetEndOfFile
WriteFile
ReadFile
SetFilePointer
LockFile
CloseHandle
GetTempPathA
CreateFileA
GetTickCount
GetVersionExA
GlobalMemoryStatus
GetSystemInfo
GetModuleFileNameA
VirtualQuery
FindClose
FindNextFileA
DeleteFileA
FindFirstFileA
LeaveCriticalSection
EnterCriticalSection
WaitForSingleObject
CreateProcessA
FreeLibrary
GetCurrentProcessId
GetProcAddress
LoadLibraryA
SetEvent
GetLastError
CreateThread
GetWindowsDirectoryA
GetCommandLineA
Sleep
OpenSemaphoreA
InitializeCriticalSection
DeleteCriticalSection
CreateEventA
lstrcmpiA
SetUnhandledExceptionFilter
HeapFree
HeapAlloc
GetSystemTimeAsFileTime
ExitProcess
GetModuleHandleA
TerminateProcess
GetCurrentProcess
RaiseException
RtlUnwind
GetStartupInfoA
HeapDestroy
HeapCreate
VirtualFree
VirtualAlloc
HeapReAlloc
IsBadWritePtr
WideCharToMultiByte
GetTimeZoneInformation
QueryPerformanceCounter
GetCurrentThreadId
SetHandleCount
GetStdHandle
GetFileType
TlsAlloc
SetLastError
TlsFree
TlsSetValue
TlsGetValue
HeapSize
UnhandledExceptionFilter
FreeEnvironmentStringsA
GetEnvironmentStrings
FreeEnvironmentStringsW
GetEnvironmentStringsW
InterlockedExchange
MultiByteToWideChar
VirtualProtect
SetStdHandle
FlushFileBuffers
IsBadReadPtr
IsBadCodePtr
GetACP
GetOEMCP
GetCPInfo
GetLocaleInfoA
GetStringTypeA
GetStringTypeW
LCMapStringA
LCMapStringW

Sections

.text
Size: 64KB - Virtual size: 61KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rdata
Size: 16KB - Virtual size: 12KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.data
Size: 8KB - Virtual size: 12KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

Sharing

General

Malware Config

Signatures

Files

381e79edf6f32b225643e232be0965fa

Code Sign

01Certificate

0aCertificate

Extended Key Usages

Key Usages

47:bf:19:95:df:8d:52:46:43:f7:db:6d:48:0d:31:a4Certificate

Extended Key Usages

Key Usages

20:63:18Certificate

Extended Key Usages

0d:e9:2b:f0:d4:d8:29:88:18:32:05:09:5e:9a:76:88Certificate

Extended Key Usages

Key Usages

a6:d3:9b:5e:81:41:a8:15:89:31:b0:66:63:ef:cd:8e:88:3b:6d:09Signer

Headers

File Characteristics

Imports

kernel32

user32

gdi32

shell32

advapi32

comctl32

ole32

version

Sections

.text Size: 22KB - Virtual size: 21KB

.rdata Size: 4KB - Virtual size: 4KB

.data Size: 1024B - Virtual size: 108KB

.ndata Size: - Virtual size: 52KB

.rsrc Size: 16KB - Virtual size: 16KB

9d433976e02d79532f0d635ee81d0b20

Headers

File Characteristics

Imports

kernel32

user32

gdi32

shell32

comdlg32

Exports

Exports

Sections

.text Size: 6KB - Virtual size: 6KB

.rdata Size: 2KB - Virtual size: 1KB

.data Size: 1KB - Virtual size: 9KB

.rsrc Size: 512B - Virtual size: 152B

.reloc Size: 1024B - Virtual size: 930B

a6922c4cebe45f8898a7ea310ab15a2c

Headers

File Characteristics

PDB Paths

Imports

user32

gdi32

kernel32

Sections

.text Size: 16KB - Virtual size: 15KB

.rdata Size: 8KB - Virtual size: 5KB

.data Size: 4KB - Virtual size: 2KB

0d69abb7b6ffa9969d8799ba91553979

Headers

File Characteristics

PDB Paths

Imports

kernel32

user32

Sections

.text Size: 44KB - Virtual size: 40KB

.rdata Size: 8KB - Virtual size: 6KB

.data Size: 4KB - Virtual size: 8KB

c993bd80de16dc7f2cbf20fcba053f4a

Headers

File Characteristics

01
Certificate

0a
Certificate

47:bf:19:95:df:8d:52:46:43:f7:db:6d:48:0d:31:a4
Certificate

20:63:18
Certificate

0d:e9:2b:f0:d4:d8:29:88:18:32:05:09:5e:9a:76:88
Certificate

a6:d3:9b:5e:81:41:a8:15:89:31:b0:66:63:ef:cd:8e:88:3b:6d:09
Signer

.text
Size: 22KB - Virtual size: 21KB

.rdata
Size: 4KB - Virtual size: 4KB

.data
Size: 1024B - Virtual size: 108KB

.ndata
Size: - Virtual size: 52KB

.rsrc
Size: 16KB - Virtual size: 16KB

.text
Size: 6KB - Virtual size: 6KB

.rdata
Size: 2KB - Virtual size: 1KB

.data
Size: 1KB - Virtual size: 9KB

.rsrc
Size: 512B - Virtual size: 152B

.reloc
Size: 1024B - Virtual size: 930B

.text
Size: 16KB - Virtual size: 15KB

.rdata
Size: 8KB - Virtual size: 5KB

.data
Size: 4KB - Virtual size: 2KB

.text
Size: 44KB - Virtual size: 40KB

.rdata
Size: 8KB - Virtual size: 6KB

.data
Size: 4KB - Virtual size: 8KB

.text
Size: 68KB - Virtual size: 65KB

.rdata
Size: 16KB - Virtual size: 13KB

.data
Size: 8KB - Virtual size: 13KB

.reloc
Size: 8KB - Virtual size: 5KB

.text
Size: 108KB - Virtual size: 107KB

.rdata
Size: 28KB - Virtual size: 25KB

.data
Size: 56KB - Virtual size: 59KB

.reloc
Size: 12KB - Virtual size: 10KB

.text
Size: 52KB - Virtual size: 51KB

.rdata
Size: 12KB - Virtual size: 9KB

.data
Size: 8KB - Virtual size: 11KB

.reloc
Size: 8KB - Virtual size: 4KB

.text
Size: 72KB - Virtual size: 71KB

.rdata
Size: 12KB - Virtual size: 11KB

.data
Size: 8KB - Virtual size: 13KB

.reloc
Size: 8KB - Virtual size: 5KB

.text
Size: 48KB - Virtual size: 46KB

.rdata
Size: 12KB - Virtual size: 8KB

.data
Size: 8KB - Virtual size: 10KB

.reloc
Size: 8KB - Virtual size: 4KB