54c69c38254e69861f085689e7b9f0151deb18629aa8f60e384cdc317384083e

Sharing

Copy URL Twitter E-mail

General

Target

54c69c38254e69861f085689e7b9f0151deb18629aa8f60e384cdc317384083e
Size

3.2MB
MD5

a86d2c09ecc428a6287f729de6d8eae3
SHA1

0f61504bbeb2df1281b203fcc815ce0b38127274
SHA256

54c69c38254e69861f085689e7b9f0151deb18629aa8f60e384cdc317384083e
SHA512

3bbc04329a127bbeb84a5a8bb6d2f053bdc7e0ad22a32bb1bab713ea229307b0551dee079de1739c6b7c2d5919fa8dbff7c479f069edd7c05d0bb9ee52ad3758
SSDEEP

98304:IqL6j6/399dZSfQsAjhcB1usuTHXmT8DS9gg9QZCzNAV7:vC6/N9dXFZaoDS9A

Score

3^/10

Malware Config

Signatures

Unsigned PE 2 IoCs

Checks for missing Authenticode signature.

resource
unpack001/滑鼠移动v2版本/Oykyo.sys
unpack001/滑鼠移动v2版本/lenovo_mapper.exe

Files

54c69c38254e69861f085689e7b9f0151deb18629aa8f60e384cdc317384083e
.zip
滑鼠移动v2版本/InstallOykyo.bat
滑鼠移动v2版本/Oykyo.sys
.sys windows:10 windows x64 arch:x64

d5e90601da448613a1aa254ac5f0ae08

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_HIGH_ENTROPY_VA
IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
IMAGE_DLLCHARACTERISTICS_NX_COMPAT

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LARGE_ADDRESS_AWARE

Imports

ntoskrnl.exe

RtlInitAnsiString
RtlInitUnicodeString
MmGetSystemRoutineAddress
RtlAnsiStringToUnicodeString
KeLowerIrql
KfRaiseIrql
ExAllocatePool
ExFreePoolWithTag
MmProbeAndLockPages
MmUnlockPages
MmProtectMdlSystemAddress
MmMapLockedPagesSpecifyCache
MmUnmapLockedPages
IoAllocateMdl
IofCompleteRequest
IoCreateDevice
IoCreateSymbolicLink
IoFreeMdl
IoGetCurrentProcess
ObfDereferenceObject
MmCopyMemory
PsLookupProcessByProcessId
PsGetProcessSectionBaseAddress
MmCopyVirtualMemory
ObReferenceObjectByName
IoCreateDriver

Sections

.text
Size: 3KB - Virtual size: 2KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rdata
Size: 1024B - Virtual size: 844B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.data
Size: 512B - Virtual size: 176B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.pdata
Size: 512B - Virtual size: 120B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

INIT
Size: 1024B - Virtual size: 844B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.n.?
Size: 1.0MB - Virtual size: 1.0MB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.reloc
Size: 512B - Virtual size: 168B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ
滑鼠移动v2版本/d60b1d7ffd29c5a5167a14b501f4b7d7.pdb
滑鼠移动v2版本/lenovo_mapper.exe
.exe windows:6 windows x64 arch:x64

d061708e6e0174acd8e8154b96e82418

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_HIGH_ENTROPY_VA
IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
IMAGE_DLLCHARACTERISTICS_NX_COMPAT
IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LARGE_ADDRESS_AWARE

PDB Paths

C:\cs2\lenovo_mapper-main\output\build\lenovo_mapper.pdb

Imports

kernel32

CreateFileA
LocalFree
GetCurrentProcessId
CreateDirectoryA
HeapFree
DeviceIoControl
GetLastError
LoadLibraryA
HeapAlloc
GetProcAddress
GetProcessHeap
FreeLibrary
OpenProcess
GetCurrentDirectoryA
SetLastError
GetFileAttributesExA
CloseHandle
VirtualAlloc
GetCurrentProcess
GetCurrentThreadId
VirtualFree
CreateFileW
GetFileAttributesW
GetFileAttributesExW
GetFullPathNameW
SetFileInformationByHandle
GetTempPathW
AreFileApisANSI
GetFileInformationByHandleEx
MultiByteToWideChar
WideCharToMultiByte
EnterCriticalSection
LeaveCriticalSection
InitializeCriticalSectionAndSpinCount
DeleteCriticalSection
SetEvent
ResetEvent
WaitForSingleObjectEx
CreateEventW
GetModuleHandleW
RtlCaptureContext
RtlLookupFunctionEntry
RtlVirtualUnwind
UnhandledExceptionFilter
SetUnhandledExceptionFilter
TerminateProcess
IsProcessorFeaturePresent
IsDebuggerPresent
QueryPerformanceCounter
GetSystemTimeAsFileTime
InitializeSListHead
FormatMessageA

advapi32

LookupPrivilegeValueW
AdjustTokenPrivileges
RegCloseKey
RegOpenKeyA
RegDeleteKeyA
RegSetValueExA
OpenProcessToken
RegCreateKeyA

ole32

StringFromGUID2

msvcp140

??1?$basic_streambuf@DU?$char_traits@D@std@@@std@@UEAA@XZ
?showmanyc@?$basic_streambuf@DU?$char_traits@D@std@@@std@@MEAA_JXZ
?xsgetn@?$basic_streambuf@DU?$char_traits@D@std@@@std@@MEAA_JPEAD_J@Z
?xsputn@?$basic_streambuf@DU?$char_traits@D@std@@@std@@MEAA_JPEBD_J@Z
??1?$basic_ios@DU?$char_traits@D@std@@@std@@UEAA@XZ
??0?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAA@PEAV?$basic_streambuf@DU?$char_traits@D@std@@@1@_N@Z
??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV01@P6AAEAV01@AEAV01@@Z@Z
?write@?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV12@PEBD_J@Z
??1?$basic_istream@DU?$char_traits@D@std@@@std@@UEAA@XZ
?read@?$basic_istream@DU?$char_traits@D@std@@@std@@QEAAAEAV12@PEAD_J@Z
?seekg@?$basic_istream@DU?$char_traits@D@std@@@std@@QEAAAEAV12@_JH@Z
?tellg@?$basic_istream@DU?$char_traits@D@std@@@std@@QEAA?AV?$fpos@U_Mbstatet@@@2@XZ
?always_noconv@codecvt_base@std@@QEBA_NXZ
??Bid@locale@std@@QEAA_KXZ
??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV01@K@Z
??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV01@P6AAEAVios_base@1@AEAV21@@Z@Z
??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV01@J@Z
??0?$basic_istream@DU?$char_traits@D@std@@@std@@QEAA@PEAV?$basic_streambuf@DU?$char_traits@D@std@@@1@_N@Z
??0?$basic_ios@DU?$char_traits@D@std@@@std@@IEAA@XZ
?setstate@?$basic_ios@DU?$char_traits@D@std@@@std@@QEAAXH_N@Z
?_Pninc@?$basic_streambuf@DU?$char_traits@D@std@@@std@@IEAAPEADXZ
?sputn@?$basic_streambuf@DU?$char_traits@D@std@@@std@@QEAA_JPEBD_J@Z
??1_Lockit@std@@QEAA@XZ
??0_Lockit@std@@QEAA@H@Z
?uncaught_exceptions@std@@YAHXZ
?cout@std@@3V?$basic_ostream@DU?$char_traits@D@std@@@1@A
?_Getgloballocale@locale@std@@CAPEAV_Locimp@12@XZ
?_Winerror_map@std@@YAHH@Z
?id@?$codecvt@DDU_Mbstatet@@@std@@2V0locale@2@A
?_Fiopen@std@@YAPEAU_iobuf@@PEBDHH@Z
?out@?$codecvt@DDU_Mbstatet@@@std@@QEBAHAEAU_Mbstatet@@PEBD1AEAPEBDPEAD3AEAPEAD@Z
?in@?$codecvt@DDU_Mbstatet@@@std@@QEBAHAEAU_Mbstatet@@PEBD1AEAPEBDPEAD3AEAPEAD@Z
?flush@?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV12@XZ
?_Osfx@?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAXXZ
?_Init@?$basic_streambuf@DU?$char_traits@D@std@@@std@@IEAAXXZ
?getloc@?$basic_streambuf@DU?$char_traits@D@std@@@std@@QEBA?AVlocale@2@XZ
??0?$basic_streambuf@DU?$char_traits@D@std@@@std@@IEAA@XZ
?unshift@?$codecvt@DDU_Mbstatet@@@std@@QEBAHAEAU_Mbstatet@@PEAD1AEAPEAD@Z
?widen@?$basic_ios@DU?$char_traits@D@std@@@std@@QEBADD@Z
?sputc@?$basic_streambuf@DU?$char_traits@D@std@@@std@@QEAAHD@Z
?put@?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV12@D@Z
?_Getcat@?$codecvt@DDU_Mbstatet@@@std@@SA_KPEAPEBVfacet@locale@2@PEBV42@@Z
?_Syserror_map@std@@YAPEBDH@Z
?_Xlength_error@std@@YAXPEBD@Z
??1?$basic_ostream@DU?$char_traits@D@std@@@std@@UEAA@XZ

ntdll

RtlAnsiStringToUnicodeString
NtUnloadDriver
NtQuerySystemInformation
NtLoadDriver
RtlInitAnsiString

dbghelp

SymCleanup
SymSetOptions
SymInitialize
SymFromName
SymUnloadModule64
SymGetTypeInfo
SymGetTypeFromName
SymLoadModuleEx

urlmon

URLDownloadToFileA

vcruntime140_1

__CxxFrameHandler4

vcruntime140

memset
__current_exception_context
__current_exception
__C_specific_handler
strstr
_CxxThrowException
__std_exception_copy
__std_exception_destroy
memmove
memcpy
__std_terminate

api-ms-win-crt-stdio-l1-1-0

_fseeki64
fread
fsetpos
ungetc
__stdio_common_vsprintf
_get_stream_buffer_pointers
setvbuf
fgetpos
fwrite
__p__commode
_set_fmode
fgetc
fputc
fclose
fflush

api-ms-win-crt-heap-l1-1-0

malloc
free
_callnewh
_set_new_mode

api-ms-win-crt-utility-l1-1-0

rand
srand

api-ms-win-crt-filesystem-l1-1-0

_unlock_file
_lock_file

api-ms-win-crt-time-l1-1-0

_time64

api-ms-win-crt-runtime-l1-1-0

__p___argc
_crt_atexit
_cexit
_register_thread_local_exe_atexit_callback
_exit
exit
_c_exit
_register_onexit_function
_initialize_narrow_environment
_configure_narrow_argv
_initterm_e
terminate
_initialize_onexit_table
_invalid_parameter_noinfo_noreturn
_initterm
_get_initial_narrow_environment
__p___argv
_set_app_type
_seh_filter_exe

api-ms-win-crt-convert-l1-1-0

wcstombs_s
_itoa_s

api-ms-win-crt-environment-l1-1-0

getenv

api-ms-win-crt-locale-l1-1-0

_configthreadlocale
___lc_codepage_func

api-ms-win-crt-math-l1-1-0

__setusermatherr

Sections

.text
Size: 47KB - Virtual size: 47KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rdata
Size: 21KB - Virtual size: 21KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.data
Size: 41KB - Virtual size: 42KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.pdata
Size: 3KB - Virtual size: 2KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.rsrc
Size: 512B - Virtual size: 480B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.reloc
Size: 512B - Virtual size: 248B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ

Sharing

General

Malware Config

Signatures

Files

d5e90601da448613a1aa254ac5f0ae08

Headers

DLL Characteristics

File Characteristics

Imports

ntoskrnl.exe

Sections

.text Size: 3KB - Virtual size: 2KB

.rdata Size: 1024B - Virtual size: 844B

.data Size: 512B - Virtual size: 176B

.pdata Size: 512B - Virtual size: 120B

INIT Size: 1024B - Virtual size: 844B

.n.? Size: 1.0MB - Virtual size: 1.0MB

.reloc Size: 512B - Virtual size: 168B

d061708e6e0174acd8e8154b96e82418

Headers

DLL Characteristics

File Characteristics

PDB Paths

Imports

kernel32

advapi32

ole32

msvcp140

ntdll

dbghelp

urlmon

vcruntime140_1

vcruntime140

api-ms-win-crt-stdio-l1-1-0

api-ms-win-crt-heap-l1-1-0

api-ms-win-crt-utility-l1-1-0

api-ms-win-crt-filesystem-l1-1-0

api-ms-win-crt-time-l1-1-0

api-ms-win-crt-runtime-l1-1-0

api-ms-win-crt-convert-l1-1-0

api-ms-win-crt-environment-l1-1-0

api-ms-win-crt-locale-l1-1-0

api-ms-win-crt-math-l1-1-0

Sections

.text Size: 47KB - Virtual size: 47KB

.rdata Size: 21KB - Virtual size: 21KB

.data Size: 41KB - Virtual size: 42KB

.pdata Size: 3KB - Virtual size: 2KB

.rsrc Size: 512B - Virtual size: 480B

.reloc Size: 512B - Virtual size: 248B

.text
Size: 3KB - Virtual size: 2KB

.rdata
Size: 1024B - Virtual size: 844B

.data
Size: 512B - Virtual size: 176B

.pdata
Size: 512B - Virtual size: 120B

INIT
Size: 1024B - Virtual size: 844B

.n.?
Size: 1.0MB - Virtual size: 1.0MB

.reloc
Size: 512B - Virtual size: 168B

.text
Size: 47KB - Virtual size: 47KB

.rdata
Size: 21KB - Virtual size: 21KB

.data
Size: 41KB - Virtual size: 42KB

.pdata
Size: 3KB - Virtual size: 2KB

.rsrc
Size: 512B - Virtual size: 480B

.reloc
Size: 512B - Virtual size: 248B