XMPSetupKankan[.]exe

Sharing

Copy URL Twitter E-mail

General

Target

XMPSetupKankan.exe
Size

28.3MB
MD5

1233c6abaa32971ca49597373485f6f0
SHA1

339b7e979bdb64aff037be8fb2982bb88e78371d
SHA256

94d6a3e72e8e3479fcf2b3d71ed0e2b91b483c60be298144b41089a61f296055
SHA512

a8b4c6521c6cf80eac0b35da230f11ecc189db226442d9c949a19b273ce3eee5122613f6a617de8e342fe7f91d9dc11cd9f6e789026963e4a105a42204f188a4
SSDEEP

786432:Ga5lhBBZFvYth2C0Ag/nyM7ZdibY83Yd9L4lJkNEXhk5W:h5l7BZSP0AS7ri73b6Khk5W

Score

1^/10

Malware Config

Signatures

Files

XMPSetupKankan.exe
.exe windows:5 windows x86 arch:x86

34693371116e9202b2a2d0771cf6529a

Code Sign

04:00:00:00:00:01:2f:4e:e1:52:d7
Certificate

Issuer

CN=GlobalSign Root CA,OU=Root CA,O=GlobalSign nv-sa,C=BE

Not Before

13/04/2011, 10:00

Not After

28/01/2028, 12:00

Subject

CN=GlobalSign Timestamping CA - G2,O=GlobalSign nv-sa,C=BE

Key Usages

KeyUsageCertSign
KeyUsageCRLSign

04:00:00:00:00:01:25:07:1d:f9:af
Certificate

Issuer

CN=GlobalSign Root CA,OU=Root CA,O=GlobalSign nv-sa,C=BE

Not Before

18/11/2009, 10:00

Not After

18/03/2019, 10:00

Subject

CN=GlobalSign,OU=GlobalSign Root CA - R3,O=GlobalSign

Key Usages

KeyUsageCertSign
KeyUsageCRLSign

11:21:d6:99:a7:64:97:3e:f1:f8:42:7e:e9:19:cc:53:41:14
Certificate

Issuer

CN=GlobalSign Timestamping CA - G2,O=GlobalSign nv-sa,C=BE

Not Before

24/05/2016, 00:00

Not After

24/06/2027, 00:00

Subject

CN=GlobalSign TSA for MS Authenticode - G2,O=GMO GlobalSign Pte Ltd,C=SG

Extended Key Usages

ExtKeyUsageTimeStamping

Key Usages

KeyUsageDigitalSignature

48:1b:6a:07:a9:42:4c:1e:aa:fe:f3:cd:f1:0f
Certificate

Issuer

CN=GlobalSign,OU=GlobalSign Root CA - R3,O=GlobalSign

Not Before

15/06/2016, 00:00

Not After

15/06/2024, 00:00

Subject

CN=GlobalSign Extended Validation CodeSigning CA - SHA256 - G3,O=GlobalSign nv-sa,C=BE

Extended Key Usages

ExtKeyUsageCodeSigning
ExtKeyUsageOCSPSigning

Key Usages

KeyUsageCertSign
KeyUsageCRLSign

61:29:15:27:00:00:00:00:00:2a
Certificate

Issuer

CN=Microsoft Code Verification Root,O=Microsoft Corporation,L=Redmond,ST=Washington,C=US

Not Before

15/04/2011, 19:55

Not After

15/04/2021, 20:05

Subject

CN=GlobalSign Root CA,OU=Root CA,O=GlobalSign nv-sa,C=BE

Key Usages

KeyUsageDigitalSignature
KeyUsageCertSign
KeyUsageCRLSign

16:e6:f4:e6:63:82:fb:a8:47:30:d8:99
Certificate

Issuer

CN=GlobalSign Extended Validation CodeSigning CA - SHA256 - G3,O=GlobalSign nv-sa,C=BE

Not Before

08/10/2016, 08:57

Not After

20/05/2017, 06:36

Subject

SERIALNUMBER=440301103773964,CN=深圳市迅雷网络技术有限公司,OU=operate dept,O=深圳市迅雷网络技术有限公司,STREET=南山区科技中二路深圳软件园11号楼7、8层,L=Shen Zhen,ST=Guang Dong,C=CN,1.3.6.1.4.1.311.60.2.1.1=#13085348454e5a48454e,1.3.6.1.4.1.311.60.2.1.2=#13094755414e47444f4e47,1.3.6.1.4.1.311.60.2.1.3=#1302434e,2.5.4.15=#131450726976617465204f7267616e697a6174696f6e

Extended Key Usages

ExtKeyUsageCodeSigning

Key Usages

KeyUsageDigitalSignature

04:00:00:00:00:01:25:07:1d:f9:af
Certificate

Issuer

CN=GlobalSign Root CA,OU=Root CA,O=GlobalSign nv-sa,C=BE

Not Before

18/11/2009, 10:00

Not After

18/03/2019, 10:00

Subject

CN=GlobalSign,OU=GlobalSign Root CA - R3,O=GlobalSign

Key Usages

KeyUsageCertSign
KeyUsageCRLSign

48:1b:6a:07:a9:42:4c:1e:aa:fe:f3:cd:f1:0f
Certificate

Issuer

CN=GlobalSign,OU=GlobalSign Root CA - R3,O=GlobalSign

Not Before

15/06/2016, 00:00

Not After

15/06/2024, 00:00

Subject

CN=GlobalSign Extended Validation CodeSigning CA - SHA256 - G3,O=GlobalSign nv-sa,C=BE

Extended Key Usages

ExtKeyUsageCodeSigning
ExtKeyUsageOCSPSigning

Key Usages

KeyUsageCertSign
KeyUsageCRLSign

61:29:15:27:00:00:00:00:00:2a
Certificate

Issuer

CN=Microsoft Code Verification Root,O=Microsoft Corporation,L=Redmond,ST=Washington,C=US

Not Before

15/04/2011, 19:55

Not After

15/04/2021, 20:05

Subject

CN=GlobalSign Root CA,OU=Root CA,O=GlobalSign nv-sa,C=BE

Key Usages

KeyUsageDigitalSignature
KeyUsageCertSign
KeyUsageCRLSign

16:e6:f4:e6:63:82:fb:a8:47:30:d8:99
Certificate

Issuer

CN=GlobalSign Extended Validation CodeSigning CA - SHA256 - G3,O=GlobalSign nv-sa,C=BE

Not Before

08/10/2016, 08:57

Not After

20/05/2017, 06:36

Subject

SERIALNUMBER=440301103773964,CN=深圳市迅雷网络技术有限公司,OU=operate dept,O=深圳市迅雷网络技术有限公司,STREET=南山区科技中二路深圳软件园11号楼7、8层,L=Shen Zhen,ST=Guang Dong,C=CN,1.3.6.1.4.1.311.60.2.1.1=#13085348454e5a48454e,1.3.6.1.4.1.311.60.2.1.2=#13094755414e47444f4e47,1.3.6.1.4.1.311.60.2.1.3=#1302434e,2.5.4.15=#131450726976617465204f7267616e697a6174696f6e

Extended Key Usages

ExtKeyUsageCodeSigning

Key Usages

KeyUsageDigitalSignature

11:21:b4:55:35:1e:bb:1a:b2:4f:97:ef:07:fe:2a:b3:0b:8a
Certificate

Issuer

CN=GlobalSign Timestamping CA - G2,O=GlobalSign nv-sa,C=BE

Not Before

24/05/2016, 00:00

Not After

24/06/2027, 00:00

Subject

CN=GlobalSign TSA for Standard - G2,O=GMO GlobalSign Pte Ltd,C=SG

Extended Key Usages

ExtKeyUsageTimeStamping

Key Usages

KeyUsageDigitalSignature

04:00:00:00:00:01:2f:4e:e1:52:d7
Certificate

Issuer

CN=GlobalSign Root CA,OU=Root CA,O=GlobalSign nv-sa,C=BE

Not Before

13/04/2011, 10:00

Not After

28/01/2028, 12:00

Subject

CN=GlobalSign Timestamping CA - G2,O=GlobalSign nv-sa,C=BE

Key Usages

KeyUsageCertSign
KeyUsageCRLSign

41:31:a3:c5:a5:41:cc:c7:46:fc:37:a2:b9:7d:13:cf:82:f4:ac:cf:aa:36:7c:09:53:98:fa:8b:fb:bc:eb:38
Signer

Actual PE Digest

41:31:a3:c5:a5:41:cc:c7:46:fc:37:a2:b9:7d:13:cf:82:f4:ac:cf:aa:36:7c:09:53:98:fa:8b:fb:bc:eb:38

Digest Algorithm

sha256

PE Digest Matches

true

23:72:e8:d3:1d:f0:f6:5e:ec:2b:bd:f6:85:43:7b:63:8e:d8:3b:c5
Signer

Actual PE Digest

23:72:e8:d3:1d:f0:f6:5e:ec:2b:bd:f6:85:43:7b:63:8e:d8:3b:c5

Digest Algorithm

sha1

PE Digest Matches

true

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE

File Characteristics

IMAGE_FILE_RELOCS_STRIPPED
IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_32BIT_MACHINE

PDB Paths

c:\svn\xmp\jenkins\jobs\XMP5.2.18Lite\workspace\trunk\Symbols\ProductReleaseLite\XmpSetup\pdb\XmpSetup.pdb

Imports

version

GetFileVersionInfoSizeW
GetFileVersionInfoW
VerQueryValueW

kernel32

SetFilePointer
MultiByteToWideChar
lstrlenA
WideCharToMultiByte
OutputDebugStringW
GetCurrentThreadId
GetCurrentProcessId
FindClose
FindNextFileW
DeleteFileW
FindFirstFileW
GetProcAddress
LoadLibraryW
GlobalLock
GlobalAlloc
FlushFileBuffers
WritePrivateProfileStringW
GetTempPathA
CreateFileW
CreateFileA
WritePrivateProfileStringA
GetPrivateProfileIntW
GetPrivateProfileStringA
GetPrivateProfileStringW
CopyFileW
MoveFileW
InitializeCriticalSection
SetEnvironmentVariableW
ReleaseMutex
GetEnvironmentVariableW
WaitForSingleObject
ExitProcess
CreateMutexW
TerminateProcess
GetCurrentProcess
TlsSetValue
FindCloseChangeNotification
FindFirstChangeNotificationW
GetLocalTime
TlsGetValue
TlsAlloc
GetSystemInfo
FreeLibrary
InterlockedDecrement
TlsFree
DeleteCriticalSection
Sleep
CreateThread
GetTickCount
FreeResource
LockResource
LoadResource
SizeofResource
FindResourceW
ExpandEnvironmentStringsW
RemoveDirectoryW
SetFileAttributesW
HeapFree
CreateDirectoryA
GetCommandLineW
RaiseException
GetTempPathW
CloseHandle
GetLongPathNameW
lstrcatW
lstrcpyW
GetSystemDirectoryW
SetPriorityClass
GetDiskFreeSpaceExW
GetFileSize
SetEnvironmentVariableA
CompareStringW
CompareStringA
GetDriveTypeA
GetLocaleInfoW
WriteConsoleW
GetConsoleOutputCP
WriteConsoleA
GetTimeZoneInformation
SetEndOfFile
SetStdHandle
LoadLibraryA
InitializeCriticalSectionAndSpinCount
IsValidLocale
EnumSystemLocalesA
WriteFile
ReadFile
GetModuleFileNameW
GlobalUnlock
GlobalFree
VirtualQuery
EnterCriticalSection
LeaveCriticalSection
InterlockedExchangeAdd
GetCurrentDirectoryA
GetFileType
PeekNamedPipe
GetFileInformationByHandle
GetFullPathNameW
IsValidCodePage
GetOEMCP
GetACP
GetUserDefaultLCID
HeapSize
GetStdHandle
HeapReAlloc
VirtualAlloc
VirtualFree
HeapCreate
GetModuleHandleA
GetStringTypeW
GetStringTypeA
GetLocaleInfoA
GetConsoleMode
GetConsoleCP
QueryPerformanceCounter
SetHandleCount
GetEnvironmentStringsW
SetLastError
GetLastError
lstrlenW
GetFileAttributesW
CreateDirectoryW
FreeEnvironmentStringsW
GetEnvironmentStrings
SetCurrentDirectoryW
GetFileAttributesA
GetProcessHeap
InterlockedExchange
InterlockedIncrement
GetVolumeInformationA
GetSystemDirectoryA
GetModuleFileNameA
IsBadCodePtr
lstrcatA
lstrcpyA
DeviceIoControl
GetVersionExA
RtlUnwind
GetSystemTimeAsFileTime
HeapAlloc
UnhandledExceptionFilter
SetUnhandledExceptionFilter
IsDebuggerPresent
FileTimeToSystemTime
FileTimeToLocalFileTime
GetDriveTypeW
GetCommandLineA
GetStartupInfoA
LCMapStringA
LCMapStringW
GetCPInfo
GetModuleHandleW
FreeEnvironmentStringsA

user32

LoadIconW
PostMessageW
DefWindowProcW
wsprintfW
CharLowerBuffW
MessageBoxW
FindWindowW
SetForegroundWindow
DispatchMessageW
LoadCursorW
RegisterClassExW
CreateWindowExW
GetMessageW
TranslateMessage
PostQuitMessage

gdi32

GetStockObject

advapi32

RegSetValueExW
RegFlushKey
RegCreateKeyExW
RegOpenKeyExW
RegCloseKey
RegQueryValueExW

shell32

ord680
SHGetSpecialFolderPathW
ShellExecuteW
CommandLineToArgvW
ord165
SHGetFolderPathW
SHGetSpecialFolderPathA

ole32

CoUninitialize
CoInitialize
CoTaskMemFree

oleaut32

SysStringLen
SysStringByteLen
SysAllocStringByteLen
SysAllocString
VarBstrCmp
SysAllocStringLen
VarBstrCat
SysFreeString

shlwapi

PathRemoveFileSpecW
PathAddBackslashW
PathRemoveExtensionW
PathFileExistsW
PathAppendW
PathRemoveBackslashW
PathFindFileNameW

setupapi

SetupIterateCabinetW

urlmon

URLDownloadToCacheFileW

iphlpapi

GetAdaptersInfo

Sections

.text
Size: 232KB - Virtual size: 232KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rdata
Size: 60KB - Virtual size: 60KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.data
Size: 11KB - Virtual size: 27KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.rsrc
Size: 28.0MB - Virtual size: 28.0MB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

Sharing

General

Malware Config

Signatures

Files

34693371116e9202b2a2d0771cf6529a

Code Sign

04:00:00:00:00:01:2f:4e:e1:52:d7Certificate

Key Usages

04:00:00:00:00:01:25:07:1d:f9:afCertificate

Key Usages

11:21:d6:99:a7:64:97:3e:f1:f8:42:7e:e9:19:cc:53:41:14Certificate

Extended Key Usages

Key Usages

48:1b:6a:07:a9:42:4c:1e:aa:fe:f3:cd:f1:0fCertificate

Extended Key Usages

Key Usages

61:29:15:27:00:00:00:00:00:2aCertificate

Key Usages

16:e6:f4:e6:63:82:fb:a8:47:30:d8:99Certificate

Extended Key Usages

Key Usages

04:00:00:00:00:01:25:07:1d:f9:afCertificate

Key Usages

48:1b:6a:07:a9:42:4c:1e:aa:fe:f3:cd:f1:0fCertificate

Extended Key Usages

Key Usages

61:29:15:27:00:00:00:00:00:2aCertificate

Key Usages

16:e6:f4:e6:63:82:fb:a8:47:30:d8:99Certificate

Extended Key Usages

Key Usages

11:21:b4:55:35:1e:bb:1a:b2:4f:97:ef:07:fe:2a:b3:0b:8aCertificate

Extended Key Usages

Key Usages

04:00:00:00:00:01:2f:4e:e1:52:d7Certificate

Key Usages

41:31:a3:c5:a5:41:cc:c7:46:fc:37:a2:b9:7d:13:cf:82:f4:ac:cf:aa:36:7c:09:53:98:fa:8b:fb:bc:eb:38Signer

23:72:e8:d3:1d:f0:f6:5e:ec:2b:bd:f6:85:43:7b:63:8e:d8:3b:c5Signer

Headers

DLL Characteristics

File Characteristics

PDB Paths

Imports

version

kernel32

user32

gdi32

advapi32

shell32

ole32

oleaut32

shlwapi

setupapi

urlmon

iphlpapi

Sections

.text Size: 232KB - Virtual size: 232KB

.rdata Size: 60KB - Virtual size: 60KB

.data Size: 11KB - Virtual size: 27KB

.rsrc Size: 28.0MB - Virtual size: 28.0MB

04:00:00:00:00:01:2f:4e:e1:52:d7
Certificate

04:00:00:00:00:01:25:07:1d:f9:af
Certificate

11:21:d6:99:a7:64:97:3e:f1:f8:42:7e:e9:19:cc:53:41:14
Certificate

48:1b:6a:07:a9:42:4c:1e:aa:fe:f3:cd:f1:0f
Certificate

61:29:15:27:00:00:00:00:00:2a
Certificate

16:e6:f4:e6:63:82:fb:a8:47:30:d8:99
Certificate

04:00:00:00:00:01:25:07:1d:f9:af
Certificate

48:1b:6a:07:a9:42:4c:1e:aa:fe:f3:cd:f1:0f
Certificate

61:29:15:27:00:00:00:00:00:2a
Certificate

16:e6:f4:e6:63:82:fb:a8:47:30:d8:99
Certificate

11:21:b4:55:35:1e:bb:1a:b2:4f:97:ef:07:fe:2a:b3:0b:8a
Certificate

04:00:00:00:00:01:2f:4e:e1:52:d7
Certificate

41:31:a3:c5:a5:41:cc:c7:46:fc:37:a2:b9:7d:13:cf:82:f4:ac:cf:aa:36:7c:09:53:98:fa:8b:fb:bc:eb:38
Signer

23:72:e8:d3:1d:f0:f6:5e:ec:2b:bd:f6:85:43:7b:63:8e:d8:3b:c5
Signer

.text
Size: 232KB - Virtual size: 232KB

.rdata
Size: 60KB - Virtual size: 60KB

.data
Size: 11KB - Virtual size: 27KB

.rsrc
Size: 28.0MB - Virtual size: 28.0MB