General
Target: c5aea59f7821ca0c8f8b36ddc95933c0N.exe
Size: 109KB
MD5: c5aea59f7821ca0c8f8b36ddc95933c0
SHA1: 30e02c0569344408b2aea72e4e41c9b99bc33937
SHA256: 1355f51c12ded1000772d924752b801554f8900999a9ee693711d81e4a4cf6fa
SHA512: 2a41046ec040ccdbb2069db392c3526dcd902830d37c85560583d3c70733fb11589bb31938f554b52df6dca52f89048602dce7d25fc7700eff9aa515717d6608
SSDEEP: 3072:KiVr9kVakHZU8lU96xHAFa38OQlGxP9eJZgkW2UHr:dVr+HZzlU+HYeilmwUZB
Malware Config
Signatures
vmprotect (yara_rule; resource: sample)
Unsigned PE (1 IoC): checks for missing Authenticode signature (resource: c5aea59f7821ca0c8f8b36ddc95933c0N.exe)
Files
c5aea59f7821ca0c8f8b36ddc95933c0N.exe.sys (windows:6, windows, x86, arch:x86)
1c75aa8f3cf2a8d0dfb3710857e0a6d5
Headers
File Characteristics: IMAGE_FILE_EXECUTABLE_IMAGE, IMAGE_FILE_32BIT_MACHINE
PDB Paths: g:\svn_working\svn_working_change_the_hijacking_to_jmp\tdifilter\helloddk\objfre_win7_x86\i386\sky.pdb
Imports
ntoskrnl.exe
ObReferenceObjectByHandle
ZwCreateFile
RtlInitUnicodeString
ExFreePoolWithTag
ExAllocatePool
memset
KeWaitForSingleObject
IofCallDriver
KeInitializeEvent
ObfDereferenceObject
KeSetEvent
atoi
strstr
IoBuildDeviceIoControlRequest
IoGetLowerDeviceObject
IoGetRelatedDeviceObject
memcpy
MmUnlockPages
MmProbeAndLockPages
IoAllocateMdl
IoFreeMdl
ExAllocatePoolWithTag
sprintf
IoCreateFile
IoFreeIrp
IoAllocateIrp
IoFileObjectType
MmMapLockedPagesSpecifyCache
MmIsAddressValid
ZwMapViewOfSection
DbgPrint
ZwCreateSection
ZwOpenFile
_wcsnicmp
RtlEqualUnicodeString
RtlCopyUnicodeString
ObQueryNameString
ObReferenceObjectByName
IoDriverObjectType
RtlCompareUnicodeString
RtlAppendUnicodeStringToString
IoVolumeDeviceToDosName
ZwQuerySymbolicLinkObject
ZwOpenSymbolicLinkObject
RtlAppendUnicodeToString
IofCompleteRequest
_stricmp
PsGetProcessImageFileName
IoGetCurrentProcess
wcsrchr
ZwQuerySystemInformation
IoGetDeviceObjectPointer
ZwReadFile
RtlGetVersion
MmGetSystemRoutineAddress
PsTerminateSystemThread
IoDetachDevice
KeUnstackDetachProcess
KeStackAttachProcess
RtlFreeUnicodeString
RtlAnsiStringToUnicodeString
RtlInitAnsiString
_strnicmp
PsLookupProcessByProcessId
RtlWriteRegistryValue
swprintf
ZwQueryInformationProcess
ZwClose
ObOpenObjectByPointer
ZwTerminateJobObject
ZwAssignProcessToJobObject
ZwCreateJobObject
ZwQueryInformationFile
ZwWriteFile
ZwFreeVirtualMemory
KeUserModeCallback
wcsncpy
ZwAllocateVirtualMemory
MmMapLockedPages
MmBuildMdlForNonPagedPool
MmCreateMdl
MmUnmapLockedPages
ZwDeviceIoControlFile
ZwEnumerateKey
ZwQueryKey
ZwOpenKey
ZwSetValueKey
ZwQueryValueKey
PsGetVersion
ZwUnmapViewOfSection
ProbeForRead
PsLookupThreadByThreadId
PsThreadType
KeInsertQueueApc
KeInitializeApc
RtlEqualString
ZwQueryInformationThread
PsGetThreadTeb
IoAttachDevice
IoCreateDevice
RtlTimeToTimeFields
ExSystemTimeToLocalTime
KeQuerySystemTime
ExfInterlockedInsertTailList
rand
srand
ExfInterlockedRemoveHeadList
KefReleaseSpinLockFromDpcLevel
KefAcquireSpinLockAtDpcLevel
IoDeleteDevice
IoCreateSymbolicLink
ZwDeleteKey
ZwCreateKey
ZwDeleteFile
ZwTerminateProcess
ZwQueryObject
ZwDuplicateObject
PsProcessType
PsGetProcessId
IoUnregisterShutdownNotification
ExGetPreviousMode
PsSetCreateProcessNotifyRoutine
IoRegisterShutdownNotification
ExQueueWorkItem
PsCreateSystemThread
PsSetLoadImageNotifyRoutine
IoRegisterFsRegistrationChange
KeTickCount
KeBugCheckEx
RtlUnwind
_allmul
KeDelayExecutionThread
ZwOpenProcess
KeGetCurrentThread
IoAllocateMdl
MmProbeAndLockPages
MmMapLockedPagesSpecifyCache
MmUnlockPages
IoFreeMdl
ExAllocatePool
ExFreePool
NtQuerySystemInformation
hal
KfLowerIrql
KeGetCurrentIrql
KeRaiseIrqlToDpcLevel
HalMakeBeep
Sections
.text   Size: -      Virtual size: 53KB   IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata  Size: -      Virtual size: 1KB    IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data   Size: -      Virtual size: 56KB   IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
INIT    Size: -      Virtual size: 3KB    IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.vmp0   Size: -      Virtual size: 7KB    IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.vmp1   Size: 107KB  Virtual size: 107KB  IMAGE_SCN_CNT_CODE, IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.reloc  Size: 512B   Virtual size: 200B   IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ