89e109e8f91df5f5e2fc179b4f3276c0_JaffaCakes118

Sharing

Copy URL Twitter E-mail

General

Target

89e109e8f91df5f5e2fc179b4f3276c0_JaffaCakes118
Size

2.4MB
MD5

89e109e8f91df5f5e2fc179b4f3276c0
SHA1

95c6e10def9f436765324a38302ad116a3733bc8
SHA256

17b297b2a49347c27cdc23da4a3b48c1598fc28a8747bfb91c714b042daeaa51
SHA512

765837461d331ee611374b7b13d77381e0ddb062d16237e6e7e7606385234e3863206606b4916a763a851b9084206adf1d2adfb331c7567a5a35e1757be03ae5
SSDEEP

49152:+oj4DYuXdc2mVzpr7wKDD94yw3P2cTk57tuVzQo3P/IBBL21:D1kc2m7lH94ywf2cTI7odfgbS1

Score

3^/10

Malware Config

Signatures

Unsigned PE 8 IoCs

Checks for missing Authenticode signature.

resource
unpack001/CleanTool.exe
unpack001/Install_Loader.exe
unpack001/Menu.exe
unpack001/Uninstall_Loader.exe
unpack001/data/Server/bootinst.exe
unpack001/data/Vista/bootinst.exe
unpack001/data/XP/amd64.btm
unpack001/data/data.btm.link

Files

89e109e8f91df5f5e2fc179b4f3276c0_JaffaCakes118
.rar
CleanTool.exe
.exe windows:4 windows x86 arch:x86

019b2329de338153bb9b9818e43fc267

Headers

File Characteristics

IMAGE_FILE_RELOCS_STRIPPED
IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LINE_NUMS_STRIPPED
IMAGE_FILE_LOCAL_SYMS_STRIPPED
IMAGE_FILE_BYTES_REVERSED_LO
IMAGE_FILE_32BIT_MACHINE
IMAGE_FILE_BYTES_REVERSED_HI

Imports

oleaut32

SysFreeString
SysReAllocStringLen
SysAllocStringLen
SafeArrayPtrOfIndex
SafeArrayGetUBound
SafeArrayGetLBound
SafeArrayCreate
VariantChangeType
VariantCopy
VariantClear
VariantInit

advapi32

RegQueryValueExA
RegOpenKeyExA
RegCloseKey

user32

GetKeyboardType
DestroyWindow
LoadStringA
MessageBoxA
CharNextA
MessageBoxA
LoadStringA
GetSystemMetrics
CharPrevA
CharNextA
CharToOemA

kernel32

GetACP
Sleep
VirtualFree
VirtualAlloc
GetCurrentThreadId
InterlockedDecrement
InterlockedIncrement
VirtualQuery
WideCharToMultiByte
MultiByteToWideChar
lstrlenA
lstrcpynA
LoadLibraryExA
GetThreadLocale
GetStartupInfoA
GetProcAddress
GetModuleHandleA
GetModuleFileNameA
GetLocaleInfoA
GetCommandLineA
FreeLibrary
FindFirstFileA
FindClose
ExitProcess
WriteFile
UnhandledExceptionFilter
RtlUnwind
RaiseException
GetStdHandle
TlsSetValue
TlsGetValue
LocalAlloc
GetModuleHandleA
WriteFile
WaitForSingleObject
VirtualQuery
SizeofResource
SetFilePointer
SetFileAttributesA
SetEvent
SetEnvironmentVariableA
SetEndOfFile
ResetEvent
ReadFile
LockResource
LoadResource
LeaveCriticalSection
InitializeCriticalSection
GetWindowsDirectoryA
GetVersionExA
GetThreadLocale
GetTempFileNameA
GetStdHandle
GetShortPathNameA
GetProcAddress
GetModuleHandleA
GetModuleFileNameA
GetLocaleInfoA
GetLocalTime
GetLastError
GetFullPathNameA
GetFileAttributesA
GetExitCodeProcess
GetEnvironmentVariableA
GetDiskFreeSpaceA
GetDateFormatA
GetCurrentThreadId
GetCommandLineA
GetCPInfo
FreeResource
FreeLibrary
FormatMessageA
FindResourceA
EnumCalendarInfoA
EnterCriticalSection
DeleteFileA
DeleteCriticalSection
CreateProcessA
CreateFileA
CreateEventA
CompareStringA
CloseHandle
Sleep

shfolder

SHGetFolderPathA

Sections

.text
Size: 80KB - Virtual size: 79KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.itext
Size: 2KB - Virtual size: 2KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.data
Size: 3KB - Virtual size: 3KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.bss
Size: - Virtual size: 22KB

IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.idata
Size: 3KB - Virtual size: 3KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.tls
Size: - Virtual size: 12B

IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.rdata
Size: 512B - Virtual size: 24B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.reloc
Size: - Virtual size: 6KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ

.rsrc
Size: 93KB - Virtual size: 92KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
Install_Loader.exe
.exe windows:4 windows x86 arch:x86

019b2329de338153bb9b9818e43fc267

Headers

File Characteristics

IMAGE_FILE_RELOCS_STRIPPED
IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LINE_NUMS_STRIPPED
IMAGE_FILE_LOCAL_SYMS_STRIPPED
IMAGE_FILE_BYTES_REVERSED_LO
IMAGE_FILE_32BIT_MACHINE
IMAGE_FILE_BYTES_REVERSED_HI

Imports

oleaut32

SysFreeString
SysReAllocStringLen
SysAllocStringLen
SafeArrayPtrOfIndex
SafeArrayGetUBound
SafeArrayGetLBound
SafeArrayCreate
VariantChangeType
VariantCopy
VariantClear
VariantInit

advapi32

RegQueryValueExA
RegOpenKeyExA
RegCloseKey

user32

GetKeyboardType
DestroyWindow
LoadStringA
MessageBoxA
CharNextA
MessageBoxA
LoadStringA
GetSystemMetrics
CharPrevA
CharNextA
CharToOemA

kernel32

GetACP
Sleep
VirtualFree
VirtualAlloc
GetCurrentThreadId
InterlockedDecrement
InterlockedIncrement
VirtualQuery
WideCharToMultiByte
MultiByteToWideChar
lstrlenA
lstrcpynA
LoadLibraryExA
GetThreadLocale
GetStartupInfoA
GetProcAddress
GetModuleHandleA
GetModuleFileNameA
GetLocaleInfoA
GetCommandLineA
FreeLibrary
FindFirstFileA
FindClose
ExitProcess
WriteFile
UnhandledExceptionFilter
RtlUnwind
RaiseException
GetStdHandle
TlsSetValue
TlsGetValue
LocalAlloc
GetModuleHandleA
WriteFile
WaitForSingleObject
VirtualQuery
SizeofResource
SetFilePointer
SetFileAttributesA
SetEvent
SetEnvironmentVariableA
SetEndOfFile
ResetEvent
ReadFile
LockResource
LoadResource
LeaveCriticalSection
InitializeCriticalSection
GetWindowsDirectoryA
GetVersionExA
GetThreadLocale
GetTempFileNameA
GetStdHandle
GetShortPathNameA
GetProcAddress
GetModuleHandleA
GetModuleFileNameA
GetLocaleInfoA
GetLocalTime
GetLastError
GetFullPathNameA
GetFileAttributesA
GetExitCodeProcess
GetEnvironmentVariableA
GetDiskFreeSpaceA
GetDateFormatA
GetCurrentThreadId
GetCommandLineA
GetCPInfo
FreeResource
FreeLibrary
FormatMessageA
FindResourceA
EnumCalendarInfoA
EnterCriticalSection
DeleteFileA
DeleteCriticalSection
CreateProcessA
CreateFileA
CreateEventA
CompareStringA
CloseHandle
Sleep

shfolder

SHGetFolderPathA

Sections

.text
Size: 80KB - Virtual size: 79KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.itext
Size: 2KB - Virtual size: 2KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.data
Size: 3KB - Virtual size: 3KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.bss
Size: - Virtual size: 22KB

IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.idata
Size: 3KB - Virtual size: 3KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.tls
Size: - Virtual size: 12B

IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.rdata
Size: 512B - Virtual size: 24B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.reloc
Size: - Virtual size: 6KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ

.rsrc
Size: 158KB - Virtual size: 157KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
Menu.exe
.exe windows:4 windows x86 arch:x86

50f081a27f10141fd9672c9b6197d530

Headers

File Characteristics

IMAGE_FILE_RELOCS_STRIPPED
IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LINE_NUMS_STRIPPED
IMAGE_FILE_LOCAL_SYMS_STRIPPED
IMAGE_FILE_32BIT_MACHINE

Imports

winmm

PlaySoundA
mciSendStringA

kernel32

RaiseException
HeapReAlloc
HeapSize
GetACP
GetTimeZoneInformation
GetDriveTypeA
GetEnvironmentVariableA
HeapDestroy
HeapCreate
VirtualFree
VirtualAlloc
IsBadWritePtr
SetStdHandle
SetHandleCount
GetStdHandle
UnhandledExceptionFilter
FreeEnvironmentStringsA
FreeEnvironmentStringsW
GetEnvironmentStrings
GetEnvironmentStringsW
SetUnhandledExceptionFilter
LCMapStringA
LCMapStringW
GetStringTypeW
IsBadReadPtr
IsBadCodePtr
CompareStringA
CompareStringW
ExitProcess
CloseHandle
GlobalUnlock
LocalFree
LocalAlloc
SetFilePointer
GlobalLock
GlobalAlloc
ReadFile
CreateFileA
GetLocalTime
GetCommandLineA
GetStartupInfoA
GetFileType
HeapAlloc
HeapFree
SetEnvironmentVariableA
RtlUnwind
SetErrorMode
GetOEMCP
GetCPInfo
GetProcessVersion
GlobalFlags
TlsGetValue
LocalReAlloc
TlsSetValue
EnterCriticalSection
LeaveCriticalSection
TlsFree
DeleteCriticalSection
TlsAlloc
InitializeCriticalSection
GetFullPathNameA
SetEndOfFile
UnlockFile
LockFile
FlushFileBuffers
WriteFile
DuplicateHandle
MultiByteToWideChar
WideCharToMultiByte
InterlockedIncrement
InterlockedDecrement
MulDiv
lstrlenA
lstrcpynA
LoadLibraryA
FreeLibrary
GetVersion
lstrcatA
FileTimeToSystemTime
GlobalGetAtomNameA
GlobalAddAtomA
GlobalFindAtomA
lstrcpyA
LockResource
FindResourceA
FileTimeToLocalFileTime
LoadResource
GlobalDeleteAtom
lstrcmpA
GetCurrentThread
GetCurrentThreadId
GetTempPathA
GetTempFileNameA
GlobalReAlloc
GlobalSize
GlobalHandle
GlobalFree
SetLastError
GetCurrentProcess
TerminateProcess
CreateProcessA
GetVersionExA
WritePrivateProfileStringA
GetPrivateProfileIntA
CreateDirectoryA
GetPrivateProfileStringA
lstrcmpiA
GetModuleFileNameA
WinExec
GetShortPathNameA
GetVolumeInformationA
GetModuleHandleA
GetProcAddress
GetWindowsDirectoryA
FindFirstFileA
FindClose
GetCurrentDirectoryA
SetCurrentDirectoryA
CopyFileA
GetFileSize
GetFileAttributesA
GetLastError
GetFileTime
GetStringTypeA

user32

LoadAcceleratorsA
TranslateAcceleratorA
ReleaseCapture
GetDesktopWindow
DestroyMenu
LoadMenuA
SetMenu
ReuseDDElParam
UnpackDDElParam
BringWindowToTop
ClientToScreen
BeginPaint
EndPaint
TabbedTextOutA
GrayStringA
GetClassNameA
GetSysColorBrush
LoadStringA
EndDeferWindowPos
GetTopWindow
GetCapture
WinHelpA
GetClassInfoA
RegisterClassA
GetMenu
GetMenuItemCount
GetSubMenu
GetMenuItemID
CreateWindowExA
GetClassLongA
SetPropA
UnhookWindowsHookEx
GetPropA
CallWindowProcA
RemovePropA
DefWindowProcA
GetMessageTime
GetMessagePos
SetForegroundWindow
GetWindow
RegisterWindowMessageA
SystemParametersInfoA
IsIconic
GetWindowPlacement
EndDialog
SetActiveWindow
IsWindow
MapWindowPoints
DestroyWindow
SetFocus
GetDlgCtrlID
GetWindowTextA
SetWindowTextA
IsDialogMessageA
SetDlgItemTextA
SendDlgItemMessageA
UnregisterClassA
GetMenuCheckMarkDimensions
GetMenuState
ModifyMenuA
SetMenuItemBitmaps
CheckMenuItem
GetFocus
GetNextDlgTabItem
GetMessageA
GetActiveWindow
GetKeyState
CallNextHookEx
ValidateRect
IsWindowVisible
GetCursorPos
SetWindowsHookExA
GetParent
GetLastActivePopup
IsWindowEnabled
ShowOwnedPopups
PostQuitMessage
PeekMessageA
TranslateMessage
DispatchMessageA
FindWindowA
PostMessageA
WaitForInputIdle
CharUpperA
CharLowerA
GetDlgItem
ShowWindow
GetSysColor
MoveWindow
LoadBitmapA
PtInRect
GetWindowRect
GetWindowLongA
SetWindowLongA
SetWindowPos
FrameRect
CopyRect
SetRect
OffsetRect
DrawTextA
GetForegroundWindow
InvalidateRect
GetSystemMetrics
GetDC
GetClientRect
ReleaseDC
SetCursor
SetRectEmpty
AdjustWindowRectEx
ScreenToClient
EqualRect
DeferWindowPos
CreateDialogIndirectParamA
BeginDeferWindowPos
LoadCursorA
LoadIconA
SendMessageA
KillTimer
SetTimer
EnableWindow
wsprintfA
MessageBeep
MessageBoxA
InflateRect
FillRect
UpdateWindow
EnableMenuItem

gdi32

RealizePalette
CreateBrushIndirect
DeleteObject
CreateSolidBrush
GetDeviceCaps
DPtoLP
CreateCompatibleBitmap
RoundRect
Rectangle
SetPixel
GetPixel
DeleteMetaFile
Ellipse
TextOutA
GetTextExtentPoint32A
CreateFontA
SetMetaFileBitsEx
RestoreDC
PlayMetaFile
SetViewportExtEx
SetViewportOrgEx
SetWindowExtEx
SetWindowOrgEx
SetMapMode
SaveDC
AddFontResourceA
CreateBitmap
StretchDIBits
GetStretchBltMode
CreateHalftonePalette
GetClipBox
SetTextColor
SetBkColor
GetStockObject
SetBkMode
OffsetViewportOrgEx
ScaleViewportExtEx
ScaleWindowExtEx
SetStretchBltMode
MoveToEx
LineTo
SetTextCharacterExtra
CreatePen
PtVisible
RectVisible
ExtTextOutA
Escape
StretchBlt
CreateCompatibleDC
SelectObject
GetObjectA
BitBlt
DeleteDC
CreatePalette
CreateDIBitmap
SelectPalette

comdlg32

GetFileTitleA

winspool.drv

ClosePrinter
DocumentPropertiesA
OpenPrinterA

advapi32

RegOpenKeyExA
RegCreateKeyExA
RegOpenKeyA
RegQueryValueExA
RegCreateKeyA
RegSetValueExA
RegCloseKey

shell32

ShellExecuteA
DragFinish
DragQueryFileA

comctl32

ord17

Sections

.text
Size: 232KB - Virtual size: 231KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rdata
Size: 36KB - Virtual size: 32KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.data
Size: 28KB - Virtual size: 127KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.rsrc
Size: 108KB - Virtual size: 106KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
Uninstall_Loader.exe
.exe windows:4 windows x86 arch:x86

019b2329de338153bb9b9818e43fc267

Headers

File Characteristics

IMAGE_FILE_RELOCS_STRIPPED
IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LINE_NUMS_STRIPPED
IMAGE_FILE_LOCAL_SYMS_STRIPPED
IMAGE_FILE_BYTES_REVERSED_LO
IMAGE_FILE_32BIT_MACHINE
IMAGE_FILE_BYTES_REVERSED_HI

Imports

oleaut32

SysFreeString
SysReAllocStringLen
SysAllocStringLen
SafeArrayPtrOfIndex
SafeArrayGetUBound
SafeArrayGetLBound
SafeArrayCreate
VariantChangeType
VariantCopy
VariantClear
VariantInit

advapi32

RegQueryValueExA
RegOpenKeyExA
RegCloseKey

user32

GetKeyboardType
DestroyWindow
LoadStringA
MessageBoxA
CharNextA
MessageBoxA
LoadStringA
GetSystemMetrics
CharPrevA
CharNextA
CharToOemA

kernel32

GetACP
Sleep
VirtualFree
VirtualAlloc
GetCurrentThreadId
InterlockedDecrement
InterlockedIncrement
VirtualQuery
WideCharToMultiByte
MultiByteToWideChar
lstrlenA
lstrcpynA
LoadLibraryExA
GetThreadLocale
GetStartupInfoA
GetProcAddress
GetModuleHandleA
GetModuleFileNameA
GetLocaleInfoA
GetCommandLineA
FreeLibrary
FindFirstFileA
FindClose
ExitProcess
WriteFile
UnhandledExceptionFilter
RtlUnwind
RaiseException
GetStdHandle
TlsSetValue
TlsGetValue
LocalAlloc
GetModuleHandleA
WriteFile
WaitForSingleObject
VirtualQuery
SizeofResource
SetFilePointer
SetFileAttributesA
SetEvent
SetEnvironmentVariableA
SetEndOfFile
ResetEvent
ReadFile
LockResource
LoadResource
LeaveCriticalSection
InitializeCriticalSection
GetWindowsDirectoryA
GetVersionExA
GetThreadLocale
GetTempFileNameA
GetStdHandle
GetShortPathNameA
GetProcAddress
GetModuleHandleA
GetModuleFileNameA
GetLocaleInfoA
GetLocalTime
GetLastError
GetFullPathNameA
GetFileAttributesA
GetExitCodeProcess
GetEnvironmentVariableA
GetDiskFreeSpaceA
GetDateFormatA
GetCurrentThreadId
GetCommandLineA
GetCPInfo
FreeResource
FreeLibrary
FormatMessageA
FindResourceA
EnumCalendarInfoA
EnterCriticalSection
DeleteFileA
DeleteCriticalSection
CreateProcessA
CreateFileA
CreateEventA
CompareStringA
CloseHandle
Sleep

shfolder

SHGetFolderPathA

Sections

.text
Size: 80KB - Virtual size: 79KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.itext
Size: 2KB - Virtual size: 2KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.data
Size: 3KB - Virtual size: 3KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.bss
Size: - Virtual size: 22KB

IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.idata
Size: 3KB - Virtual size: 3KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.tls
Size: - Virtual size: 12B

IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.rdata
Size: 512B - Virtual size: 24B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.reloc
Size: - Virtual size: 6KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ

.rsrc
Size: 220KB - Virtual size: 219KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
data/Server/bootinst.exe
.exe windows:6 windows x86 arch:x86

704f7b0cf386fa53083ffa68ba646f50

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
IMAGE_DLLCHARACTERISTICS_NX_COMPAT
IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_32BIT_MACHINE

PDB Paths

bootsect.pdb

Imports

kernel32

SetFilePointer
LocalFree
FormatMessageW
GetModuleFileNameW
ReadFile
UnhandledExceptionFilter
GetCurrentProcess
TerminateProcess
GetSystemTimeAsFileTime
GetCurrentProcessId
GetCurrentThreadId
GetTickCount
QueryPerformanceCounter
GetModuleHandleA
SetUnhandledExceptionFilter
OutputDebugStringA
InterlockedCompareExchange
Sleep
InterlockedExchange
WriteFile
GetLastError
QueryDosDeviceW
LoadResource
FindResourceExW
LoadLibraryExW
MapViewOfFile
CloseHandle
CreateFileMappingW
CreateFileW
GetLocaleInfoW
FreeLibrary
GetVersionExW
UnmapViewOfFile
GetSystemDefaultUILanguage
GetUserDefaultUILanguage
FindResourceW
SearchPathW
SetLastError

msvcrt

_initterm
_amsg_exit
__setusermatherr
_adjust_fdiv
__p__commode
__p__fmode
__set_app_type
malloc
exit
iswctype
?terminate@@YAXXZ
_controlfp
calloc
isdigit
isxdigit
mbtowc
isleadbyte
localeconv
_snprintf
_itoa
wctomb
ferror
wcstombs
realloc
__badioinfo
__pioinfo
_read
_fileno
_lseeki64
_write
_isatty
ungetc
wcsstr
bsearch
wcsncmp
_XcptFilter
_exit
_cexit
__getmainargs
_iob
__mb_cur_max
_vsnwprintf
_wcslwr
_errno
iswxdigit
memset
printf
_stricmp
isalpha
_wcsnicmp
memcpy
_wcsicmp
free

ntdll

RtlUnwind
NtOpenDirectoryObject
NtQueryDirectoryObject
NtOpenSymbolicLinkObject
NtQuerySymbolicLinkObject
NtCreateEvent
NtDeviceIoControlFile
NtWaitForSingleObject
NtResetEvent
NtQuerySystemInformation
RtlFreeHeap
RtlAllocateHeap
RtlInitUnicodeString
NtOpenFile
RtlNtStatusToDosError
NtClose
NtFsControlFile
NtQueryVolumeInformationFile
NtOpenKey
NtQueryValueKey

advapi32

RegCloseKey
RegOpenKeyExW
RegQueryValueExW

Sections

.text
Size: 47KB - Virtual size: 47KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.data
Size: 21KB - Virtual size: 25KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.rsrc
Size: 12KB - Virtual size: 12KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.reloc
Size: 3KB - Virtual size: 3KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ
data/Server/certificate.xrm-ms
.xml
data/Server/data.btm
data/Server/grldr
data/Seven/cache.btm
data/Seven/certificate.xrm-ms
data/Seven/data.btm
data/Vista/bootinst.exe
.exe windows:6 windows x86 arch:x86

704f7b0cf386fa53083ffa68ba646f50

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
IMAGE_DLLCHARACTERISTICS_NX_COMPAT
IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_32BIT_MACHINE

PDB Paths

bootsect.pdb

Imports

kernel32

SetFilePointer
LocalFree
FormatMessageW
GetModuleFileNameW
ReadFile
UnhandledExceptionFilter
GetCurrentProcess
TerminateProcess
GetSystemTimeAsFileTime
GetCurrentProcessId
GetCurrentThreadId
GetTickCount
QueryPerformanceCounter
GetModuleHandleA
SetUnhandledExceptionFilter
OutputDebugStringA
InterlockedCompareExchange
Sleep
InterlockedExchange
WriteFile
GetLastError
QueryDosDeviceW
LoadResource
FindResourceExW
LoadLibraryExW
MapViewOfFile
CloseHandle
CreateFileMappingW
CreateFileW
GetLocaleInfoW
FreeLibrary
GetVersionExW
UnmapViewOfFile
GetSystemDefaultUILanguage
GetUserDefaultUILanguage
FindResourceW
SearchPathW
SetLastError

msvcrt

_initterm
_amsg_exit
__setusermatherr
_adjust_fdiv
__p__commode
__p__fmode
__set_app_type
malloc
exit
iswctype
?terminate@@YAXXZ
_controlfp
calloc
isdigit
isxdigit
mbtowc
isleadbyte
localeconv
_snprintf
_itoa
wctomb
ferror
wcstombs
realloc
__badioinfo
__pioinfo
_read
_fileno
_lseeki64
_write
_isatty
ungetc
wcsstr
bsearch
wcsncmp
_XcptFilter
_exit
_cexit
__getmainargs
_iob
__mb_cur_max
_vsnwprintf
_wcslwr
_errno
iswxdigit
memset
printf
_stricmp
isalpha
_wcsnicmp
memcpy
_wcsicmp
free

ntdll

RtlUnwind
NtOpenDirectoryObject
NtQueryDirectoryObject
NtOpenSymbolicLinkObject
NtQuerySymbolicLinkObject
NtCreateEvent
NtDeviceIoControlFile
NtWaitForSingleObject
NtResetEvent
NtQuerySystemInformation
RtlFreeHeap
RtlAllocateHeap
RtlInitUnicodeString
NtOpenFile
RtlNtStatusToDosError
NtClose
NtFsControlFile
NtQueryVolumeInformationFile
NtOpenKey
NtQueryValueKey

advapi32

RegCloseKey
RegOpenKeyExW
RegQueryValueExW

Sections

.text
Size: 47KB - Virtual size: 47KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.data
Size: 21KB - Virtual size: 25KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.rsrc
Size: 12KB - Virtual size: 12KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.reloc
Size: 3KB - Virtual size: 3KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ
data/Vista/certificate.xrm-ms
.xml
data/Vista/data.btm
data/Vista/grldr
data/XP/amd64.btm
.dll regsvr32 windows:4 windows x64 arch:x64

7be7512539b15faa1d7be075a869faa8

Headers

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LARGE_ADDRESS_AWARE
IMAGE_FILE_DLL

Imports

kernel32

lstrlenA
GetTickCount
GetSystemDirectoryA
FindFirstFileA
GetLastError
lstrcmpiA
GetModuleHandleA
FindClose
MoveFileA
GetModuleFileNameA
FindNextFileA
DeleteFileA
VirtualProtect
IsBadReadPtr
CopyFileA
VirtualQuery
SetUnhandledExceptionFilter
UnhandledExceptionFilter
GetCurrentProcess
TerminateProcess
GetSystemTimeAsFileTime
GetCurrentProcessId
GetCurrentThreadId
QueryPerformanceCounter
RtlVirtualUnwind
RtlLookupFunctionEntry
RtlCaptureContext

advapi32

RegDeleteKeyA
RegSetValueExA
RegCreateKeyExA

user32

GetForegroundWindow
MessageBoxA
GetSystemMetrics

shlwapi

PathAddBackslashA
PathAppendA
PathRemoveFileSpecA
PathStripPathA

shell32

ShellExecuteA

ntdll

_vsnprintf
memset
_strcmpi
_stricmp

Exports

Exports

DllRegisterServer
DllUnregisterServer
onLogon

Sections

.text
Size: 6KB - Virtual size: 6KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.pdata
Size: 256B - Virtual size: 120B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.CRT
Size: 256B - Virtual size: 8B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.rsrc
Size: 768B - Virtual size: 664B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.reloc
Size: 256B - Virtual size: 42B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ
data/XP/data.btm
.vbs
data/XP/ia64.btm
data/data.btm.link
.dll regsvr32 windows:6 windows x86 arch:x86

d79ca260552e6d61bed9c69a3b08af0a

Headers

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_32BIT_MACHINE
IMAGE_FILE_DLL

PDB Paths

c:\bt\11\src\client\obfuscate\obj\i386\oLegitCheckControl.pdb

Imports

kernel32

GetProcAddress
GetModuleFileNameW
GetThreadLocale
SetThreadLocale
GetModuleHandleA
LoadLibraryExA
FindResourceA
LoadResource
SizeofResource
FreeLibrary
InterlockedDecrement
InterlockedIncrement
GetSystemDirectoryA
IsDBCSLeadByte
CompareStringW
CompareStringA
GetModuleFileNameA
lstrcmpiA
lstrlenA
DeleteCriticalSection
InitializeCriticalSection
LeaveCriticalSection
EnterCriticalSection
GetLastError
RaiseException
lstrlenW
WideCharToMultiByte
CloseHandle
SetEvent
OpenEventW
GetVersionExA
QueryPerformanceCounter
SetEndOfFile
SetUnhandledExceptionFilter
UnhandledExceptionFilter
GetCurrentProcess
TerminateProcess
GetSystemTimeAsFileTime
GetCurrentProcessId
GetCurrentThreadId
GetTickCount
MultiByteToWideChar
InterlockedExchange
GetExitCodeThread
GetLogicalDriveStringsA
GlobalMemoryStatus
DeviceIoControl
GetLogicalDriveStringsW
GetDriveTypeW
GetVolumeInformationW
GetProcessAffinityMask
CreateThread
SetThreadAffinityMask
ResumeThread
WaitForSingleObject
ReadFile
GetSystemTime
CreateFileW
DosDateTimeToFileTime
LocalFileTimeToFileTime
SetFileTime
SetFileAttributesW
GetFileSize
CreateFileMappingA
MapViewOfFile
GetACP
GetLocaleInfoA
HeapDestroy
HeapAlloc
HeapFree
HeapReAlloc
HeapSize
GetProcessHeap
GetCommandLineA
VirtualProtect
VirtualAlloc
GetSystemInfo
VirtualQuery
ExitProcess
TlsGetValue
TlsAlloc
TlsSetValue
TlsFree
SetLastError
GetCurrentThread
Sleep
SetHandleCount
GetStdHandle
GetFileType
GetStartupInfoA
FreeEnvironmentStringsA
GetEnvironmentStrings
FreeEnvironmentStringsW
GetEnvironmentStringsW
HeapCreate
VirtualFree
WriteFile
IsDebuggerPresent
GetCPInfo
GetOEMCP
LCMapStringA
LCMapStringW
GetTimeFormatA
GetDateFormatA
LoadLibraryA
SetFilePointer
GetConsoleCP
GetConsoleMode
GetStringTypeA
GetStringTypeW
GetUserDefaultLCID
GetTimeZoneInformation
SetStdHandle
WriteConsoleA
GetConsoleOutputCP
WriteConsoleW
CreateFileA
FlushFileBuffers
SetEnvironmentVariableA
GetVolumeInformationA
ReadProcessMemory
FindClose
FindFirstFileA
FindFirstFileW
GetSystemDirectoryW
GetDriveTypeA
CreateDirectoryW
GetCurrentDirectoryW
CreateDirectoryA
LocalFree
TryEnterCriticalSection
GetComputerNameW
GetPrivateProfileStringW
GetPrivateProfileSectionW
CompareFileTime
SystemTimeToFileTime
GetLocalTime
GetSystemDefaultLangID
UnmapViewOfFile
InitializeCriticalSectionAndSpinCount
GetVersion

ntdll

RtlUnwind

user32

GetDesktopWindow
CharNextA
wsprintfA
BroadcastSystemMessageA
GetSystemMetrics
UnregisterClassA

advapi32

GetCurrentHwProfileW
LookupAccountNameW
CopySid
GetLengthSid
GetTokenInformation
OpenProcessToken
OpenThreadToken
RegSetValueExW
RegQueryValueExW
RegCreateKeyExW
CryptReleaseContext
CryptDestroyKey
CryptGenKey
CryptGetUserKey
CryptGetProvParam
CryptAcquireContextA
CryptDestroyHash
CryptDeriveKey
RegEnumKeyExA
RegQueryInfoKeyA
RegSetValueExA
RegOpenKeyExA
RegCreateKeyExA
RegCloseKey
RegDeleteValueA
RegDeleteKeyA
CryptHashData
CryptCreateHash
CryptDecrypt
CryptGetHashParam
CryptImportKey
CryptExportKey
RegQueryValueExA
RegOpenKeyExW
RegEnumKeyExW
GetCurrentHwProfileA

ole32

CoCreateInstance
StringFromGUID2
CoTaskMemFree
CoSetProxyBlanket
CLSIDFromProgID
CoCreateGuid
CoTaskMemRealloc
CoTaskMemAlloc

oleaut32

SysAllocStringByteLen
SysStringByteLen
SysStringLen
SysFreeString
SysAllocString
LoadTypeLi
UnRegisterTypeLi
RegisterTypeLi
VarUI4FromStr
SysAllocStringLen
LoadRegTypeLi
VariantInit
VariantClear

crypt32

CertComparePublicKeyInfo
CertCloseStore
CertCreateCertificateContext
CertDuplicateCertificateContext
CertGetIssuerCertificateFromStore
CertFreeCertificateContext
CertVerifySubjectCertificateContext
CryptEncodeObject
CryptExportPublicKeyInfo
CryptSignCertificate
CertFindExtension
CertEnumCertificatesInStore
CryptUnprotectData
CryptProtectData
CertOpenStore

wininet

InternetCloseHandle
HttpQueryInfoA
InternetReadFile
InternetErrorDlg
InternetGetConnectedState
InternetAutodial
InternetCrackUrlA
HttpOpenRequestA
HttpSendRequestA
InternetOpenA
InternetConnectA
InternetSetOptionA
InternetQueryOptionA

shlwapi

UrlGetPartW

setupapi

SetupDiCreateDeviceInfoList
SetupDiGetDeviceRegistryPropertyW
SetupDiGetClassDevsW
SetupDiDestroyDeviceInfoList
SetupDiGetClassDevsA
SetupDiGetDeviceRegistryPropertyA
SetupDiEnumDeviceInfo

Exports

Exports

DllCanUnloadNow
DllGetClassObject
DllRegisterServer
DllUnregisterServer

Sections

.text
Size: 1.1MB - Virtual size: 1.1MB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.data
Size: 211KB - Virtual size: 211KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.rsrc
Size: 7KB - Virtual size: 6KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.reloc
Size: 74KB - Virtual size: 73KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
data/menu/desktop.ini
data/menu/fonts/corbel.ttf
data/menu/title.bmp
data/menu/title.wav
slcdmenu.cdi

Sharing

General

Malware Config

Signatures

Files

019b2329de338153bb9b9818e43fc267

Headers

File Characteristics

Imports

oleaut32

advapi32

user32

kernel32

shfolder

Sections

.text Size: 80KB - Virtual size: 79KB

.itext Size: 2KB - Virtual size: 2KB

.data Size: 3KB - Virtual size: 3KB

.bss Size: - Virtual size: 22KB

.idata Size: 3KB - Virtual size: 3KB

.tls Size: - Virtual size: 12B

.rdata Size: 512B - Virtual size: 24B

.reloc Size: - Virtual size: 6KB

.rsrc Size: 93KB - Virtual size: 92KB

019b2329de338153bb9b9818e43fc267

Headers

File Characteristics

Imports

oleaut32

advapi32

user32

kernel32

shfolder

Sections

.text Size: 80KB - Virtual size: 79KB

.itext Size: 2KB - Virtual size: 2KB

.data Size: 3KB - Virtual size: 3KB

.bss Size: - Virtual size: 22KB

.idata Size: 3KB - Virtual size: 3KB

.tls Size: - Virtual size: 12B

.rdata Size: 512B - Virtual size: 24B

.reloc Size: - Virtual size: 6KB

.rsrc Size: 158KB - Virtual size: 157KB

50f081a27f10141fd9672c9b6197d530

Headers

File Characteristics

Imports

winmm

kernel32

user32

gdi32

comdlg32

winspool.drv

advapi32

shell32

comctl32

Sections

.text Size: 232KB - Virtual size: 231KB

.rdata Size: 36KB - Virtual size: 32KB

.data Size: 28KB - Virtual size: 127KB

.rsrc Size: 108KB - Virtual size: 106KB

019b2329de338153bb9b9818e43fc267

Headers

File Characteristics

Imports

oleaut32

advapi32

user32

kernel32

shfolder

Sections

.text Size: 80KB - Virtual size: 79KB

.itext Size: 2KB - Virtual size: 2KB

.data Size: 3KB - Virtual size: 3KB

.bss Size: - Virtual size: 22KB

.idata Size: 3KB - Virtual size: 3KB

.tls Size: - Virtual size: 12B

.rdata Size: 512B - Virtual size: 24B

.reloc Size: - Virtual size: 6KB

.rsrc Size: 220KB - Virtual size: 219KB

.text
Size: 80KB - Virtual size: 79KB

.itext
Size: 2KB - Virtual size: 2KB

.data
Size: 3KB - Virtual size: 3KB

.bss
Size: - Virtual size: 22KB

.idata
Size: 3KB - Virtual size: 3KB

.tls
Size: - Virtual size: 12B

.rdata
Size: 512B - Virtual size: 24B

.reloc
Size: - Virtual size: 6KB

.rsrc
Size: 93KB - Virtual size: 92KB

.text
Size: 80KB - Virtual size: 79KB

.itext
Size: 2KB - Virtual size: 2KB

.data
Size: 3KB - Virtual size: 3KB

.bss
Size: - Virtual size: 22KB

.idata
Size: 3KB - Virtual size: 3KB

.tls
Size: - Virtual size: 12B

.rdata
Size: 512B - Virtual size: 24B

.reloc
Size: - Virtual size: 6KB

.rsrc
Size: 158KB - Virtual size: 157KB

.text
Size: 232KB - Virtual size: 231KB

.rdata
Size: 36KB - Virtual size: 32KB

.data
Size: 28KB - Virtual size: 127KB

.rsrc
Size: 108KB - Virtual size: 106KB

.text
Size: 80KB - Virtual size: 79KB

.itext
Size: 2KB - Virtual size: 2KB

.data
Size: 3KB - Virtual size: 3KB

.bss
Size: - Virtual size: 22KB

.idata
Size: 3KB - Virtual size: 3KB

.tls
Size: - Virtual size: 12B

.rdata
Size: 512B - Virtual size: 24B

.reloc
Size: - Virtual size: 6KB

.rsrc
Size: 220KB - Virtual size: 219KB

.text
Size: 47KB - Virtual size: 47KB

.data
Size: 21KB - Virtual size: 25KB

.rsrc
Size: 12KB - Virtual size: 12KB

.reloc
Size: 3KB - Virtual size: 3KB

.text
Size: 47KB - Virtual size: 47KB

.data
Size: 21KB - Virtual size: 25KB

.rsrc
Size: 12KB - Virtual size: 12KB

.reloc
Size: 3KB - Virtual size: 3KB

.text
Size: 6KB - Virtual size: 6KB

.pdata
Size: 256B - Virtual size: 120B

.CRT
Size: 256B - Virtual size: 8B

.rsrc
Size: 768B - Virtual size: 664B

.reloc
Size: 256B - Virtual size: 42B

.text
Size: 1.1MB - Virtual size: 1.1MB

.data
Size: 211KB - Virtual size: 211KB

.rsrc
Size: 7KB - Virtual size: 6KB

.reloc
Size: 74KB - Virtual size: 73KB