81c627b450172567f6aafb70af0bb5cdd2b3d32dae29858942e72b23797914c8

Sharing

Copy URL Twitter E-mail

General

Target

81c627b450172567f6aafb70af0bb5cdd2b3d32dae29858942e72b23797914c8
Size

687KB
MD5

d0c7ed8fa6c25609c1d52379da8bc3be
SHA1

ad80d8e9be8d9d5ff6a3e98c26a3e8e9914bae18
SHA256

81c627b450172567f6aafb70af0bb5cdd2b3d32dae29858942e72b23797914c8
SHA512

c0b87e2a31262c4bf67fb2be6883e3873808043a03bf96ede86e3cf67f05d37bb6e0b91faecfe67aade79bf6159ef19c3fb9720922b8b20cbeb88a79261ea671
SSDEEP

12288:zVqX6Zu5vTvM/VPefwicy8Ks55n1WJmAsSrXYXTmPIuZEKqZUgqZP:TZu5vLM/VPe/cPKs5GJCUKTmPZicJ

Score

1^/10

Malware Config

Signatures

Files

81c627b450172567f6aafb70af0bb5cdd2b3d32dae29858942e72b23797914c8
.sys windows:6 windows x64 arch:x64

3f05fcf3c54690c6d5a9339c11feaa9f

Code Sign

35:a4:51:e3:23:1a:87:cc:55:bd:21:5f:a1:23:80:ac
Certificate

Issuer

CN=VeriSign Class 3 Code Signing 2010 CA,OU=VeriSign Trust Network+OU=Terms of use at https://www.verisign.com/rpa (c)10,O=VeriSign\, Inc.,C=US

Not Before

15/12/2014, 00:00

Not After

15/12/2015, 23:59

Subject

CN=儋州邦海网络科技有限责任公司,O=儋州邦海网络科技有限责任公司,L=儋州市,ST=儋州市,C=CN

Extended Key Usages

ExtKeyUsageCodeSigning

Key Usages

KeyUsageDigitalSignature

61:19:93:e4:00:00:00:00:00:1c
Certificate

Issuer

CN=Microsoft Code Verification Root,O=Microsoft Corporation,L=Redmond,ST=Washington,C=US

Not Before

22/02/2011, 19:25

Not After

22/02/2021, 19:35

Subject

CN=VeriSign Class 3 Public Primary Certification Authority - G5,OU=VeriSign Trust Network+OU=(c) 2006 VeriSign\, Inc. - For authorized use only,O=VeriSign\, Inc.,C=US

Key Usages

KeyUsageDigitalSignature
KeyUsageCertSign
KeyUsageCRLSign

1e:b1:32:d5:7e:79:68:96:0d:f2:6e:85:4e:b0:dd:a6
Certificate

Issuer

CN=JemmyLoveJenny SHA1 TimeStamping Services CA,OU=pki.jemmylovejenny.tk,O=JemmyLoveJenny PKI Service,C=CN

Not Before

01/01/2000, 00:00

Not After

31/12/2099, 23:59

Subject

CN=Fake TimeStamp Responder,OU=timestamp.pki.jemmylovejenny.tk,O=JemmyLoveJenny PKI Service,C=CN

Extended Key Usages

ExtKeyUsageTimeStamping

Key Usages

KeyUsageDigitalSignature

52:00:e5:aa:25:56:fc:1a:86:ed:96:c9:d4:4b:33:c7
Certificate

Issuer

CN=VeriSign Class 3 Public Primary Certification Authority - G5,OU=VeriSign Trust Network+OU=(c) 2006 VeriSign\, Inc. - For authorized use only,O=VeriSign\, Inc.,C=US

Not Before

08/02/2010, 00:00

Not After

07/02/2020, 23:59

Subject

CN=VeriSign Class 3 Code Signing 2010 CA,OU=VeriSign Trust Network+OU=Terms of use at https://www.verisign.com/rpa (c)10,O=VeriSign\, Inc.,C=US

Extended Key Usages

ExtKeyUsageClientAuth
ExtKeyUsageCodeSigning

Key Usages

KeyUsageCertSign
KeyUsageCRLSign

1e:b1:32:d5:7e:79:68:96
Certificate

Issuer

CN=JemmyLoveJenny EV Root CA,OU=pki.jemmylovejenny.tk,O=JemmyLoveJenny PKI Service,C=CN

Not Before

01/01/2000, 00:00

Not After

31/12/2099, 23:59

Subject

CN=JemmyLoveJenny SHA1 TimeStamping Services CA,OU=pki.jemmylovejenny.tk,O=JemmyLoveJenny PKI Service,C=CN

Extended Key Usages

ExtKeyUsageTimeStamping

Key Usages

KeyUsageDigitalSignature
KeyUsageCertSign
KeyUsageCRLSign

35:a4:51:e3:23:1a:87:cc:55:bd:21:5f:a1:23:80:ac
Certificate

Issuer

CN=VeriSign Class 3 Code Signing 2010 CA,OU=VeriSign Trust Network+OU=Terms of use at https://www.verisign.com/rpa (c)10,O=VeriSign\, Inc.,C=US

Not Before

15/12/2014, 00:00

Not After

15/12/2015, 23:59

Subject

CN=儋州邦海网络科技有限责任公司,O=儋州邦海网络科技有限责任公司,L=儋州市,ST=儋州市,C=CN

Extended Key Usages

ExtKeyUsageCodeSigning

Key Usages

KeyUsageDigitalSignature

61:19:93:e4:00:00:00:00:00:1c
Certificate

Issuer

CN=Microsoft Code Verification Root,O=Microsoft Corporation,L=Redmond,ST=Washington,C=US

Not Before

22/02/2011, 19:25

Not After

22/02/2021, 19:35

Subject

CN=VeriSign Class 3 Public Primary Certification Authority - G5,OU=VeriSign Trust Network+OU=(c) 2006 VeriSign\, Inc. - For authorized use only,O=VeriSign\, Inc.,C=US

Key Usages

KeyUsageDigitalSignature
KeyUsageCertSign
KeyUsageCRLSign

52:00:e5:aa:25:56:fc:1a:86:ed:96:c9:d4:4b:33:c7
Certificate

Issuer

CN=VeriSign Class 3 Public Primary Certification Authority - G5,OU=VeriSign Trust Network+OU=(c) 2006 VeriSign\, Inc. - For authorized use only,O=VeriSign\, Inc.,C=US

Not Before

08/02/2010, 00:00

Not After

07/02/2020, 23:59

Subject

CN=VeriSign Class 3 Code Signing 2010 CA,OU=VeriSign Trust Network+OU=Terms of use at https://www.verisign.com/rpa (c)10,O=VeriSign\, Inc.,C=US

Extended Key Usages

ExtKeyUsageClientAuth
ExtKeyUsageCodeSigning

Key Usages

KeyUsageCertSign
KeyUsageCRLSign

1e:b1:32:d5:7e:79:68:96:0d:f2:6e:85:4e:b0:dd:a6
Certificate

Issuer

CN=JemmyLoveJenny SHA1 TimeStamping Services CA,OU=pki.jemmylovejenny.tk,O=JemmyLoveJenny PKI Service,C=CN

Not Before

01/01/2000, 00:00

Not After

31/12/2099, 23:59

Subject

CN=Fake TimeStamp Responder,OU=timestamp.pki.jemmylovejenny.tk,O=JemmyLoveJenny PKI Service,C=CN

Extended Key Usages

ExtKeyUsageTimeStamping

Key Usages

KeyUsageDigitalSignature

1e:b1:32:d5:7e:79:68:96
Certificate

Issuer

CN=JemmyLoveJenny EV Root CA,OU=pki.jemmylovejenny.tk,O=JemmyLoveJenny PKI Service,C=CN

Not Before

01/01/2000, 00:00

Not After

31/12/2099, 23:59

Subject

CN=JemmyLoveJenny SHA1 TimeStamping Services CA,OU=pki.jemmylovejenny.tk,O=JemmyLoveJenny PKI Service,C=CN

Extended Key Usages

ExtKeyUsageTimeStamping

Key Usages

KeyUsageDigitalSignature
KeyUsageCertSign
KeyUsageCRLSign

78:13:ad:4f:de:8b:6b:6f:31:70:c6:81:e3:73:55:2e:d4:f8:26:50:a0:70:2e:b5:39:9a:92:9c:21:a8:b8:6c
Signer

Actual PE Digest

78:13:ad:4f:de:8b:6b:6f:31:70:c6:81:e3:73:55:2e:d4:f8:26:50:a0:70:2e:b5:39:9a:92:9c:21:a8:b8:6c

Digest Algorithm

sha256

PE Digest Matches

true

5e:1f:9f:1b:af:11:fb:a3:85:3b:ab:54:31:3a:8f:12:ea:fb:6b:d6
Signer

Actual PE Digest

5e:1f:9f:1b:af:11:fb:a3:85:3b:ab:54:31:3a:8f:12:ea:fb:6b:d6

Digest Algorithm

sha1

PE Digest Matches

true

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_FORCE_INTEGRITY

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LARGE_ADDRESS_AWARE

PDB Paths

g:\analyzenet\analyzenet\objfre_win7_amd64\amd64\AnalyzeNet.pdb

Imports

ntoskrnl.exe

RtlCreateRegistryKey
PsGetProcessPeb
PsProcessType
_vsnprintf_s
PsLookupProcessByProcessId
KeSetEvent
KeUnstackDetachProcess
KeDelayExecutionThread
ZwWaitForSingleObject
_vsnprintf
KeQueryTimeIncrement
ZwOpenProcess
ZwQueryInformationThread
ObOpenObjectByPointer
KeStackAttachProcess
PsGetProcessWow64Process
ZwAllocateVirtualMemory
ExAcquireResourceExclusiveLite
IoThreadToProcess
ObRegisterCallbacks
ObUnRegisterCallbacks
ZwQuerySystemInformation
PsSetCreateProcessNotifyRoutineEx
ExReleaseResourceLite
PsThreadType
ExDeleteResourceLite
wcsncmp
PsGetProcessId
RtlFreeUnicodeString
CmRegisterCallbackEx
CmCallbackGetKeyObjectID
CmUnRegisterCallback
ZwEnumerateKey
MmUnmapLockedPages
_wcsicmp
ProbeForRead
PsWrapApcWow64Thread
MmMapLockedPages
KeInitializeApc
ZwMapViewOfSection
KeInsertQueueApc
PsSuspendProcess
MmGetSystemRoutineAddress
ZwDeleteValueKey
PsResumeProcess
MmProtectMdlSystemAddress
ZwOpenThread
MmBuildMdlForNonPagedPool
IoFreeMdl
ZwSetInformationFile
KeSetTimerEx
MmMapLockedPagesSpecifyCache
ZwUnmapViewOfSection
ZwFreeVirtualMemory
RtlRandomEx
ZwEnumerateValueKey
MmProbeAndLockPages
ZwDeleteFile
MmUnlockPages
ZwCreateSection
ZwTerminateProcess
KeInitializeTimerEx
RtlImageNtHeader
ZwQueryInformationFile
RtlMultiByteToUnicodeN
ZwDeleteKey
IoAllocateMdl
ZwQueryKey
ZwOpenKey
strchr
ExAcquireResourceSharedLite
sscanf_s
atoi
tolower
swscanf_s
isspace
ZwLoadDriver
RtlCompareMemory
strncmp
KeLeaveCriticalRegion
IoDetachDevice
KeEnterCriticalRegion
strncpy
IoAttachDevice
IofCallDriver
wcschr
RtlAnsiStringToUnicodeString
ZwQuerySymbolicLinkObject
ZwReadFile
RtlMultiByteToUnicodeSize
IoCreateFile
RtlQueryRegistryValues
NtShutdownSystem
RtlInitAnsiString
RtlGetVersion
RtlInitString
RtlUTF8ToUnicodeN
MmUnmapIoSpace
ZwOpenSymbolicLinkObject
RtlUnicodeToUTF8N
ZwOpenDirectoryObject
LdrAccessResource
IoFileObjectType
ZwQueryValueKey
MmMapIoSpace
RtlAppendUnicodeStringToString
ObReferenceObjectByHandle
RtlEqualString
ZwDeviceIoControlFile
ZwQueryInformationProcess
ZwOpenFile
MmGetPhysicalMemoryRanges
ZwWriteFile
IoQueryFileDosDeviceName
LdrFindResource_U
ExQueueWorkItem
KeAreApcsDisabled
IoCancelIrp
IoFreeIrp
IoAllocateIrp
sprintf
_strnicmp
RtlxAnsiStringToUnicodeSize
NlsMbOemCodePageTag
RtlCreateUnicodeString
MmSystemRangeStart
ExReleaseRundownProtectionEx
PsRemoveCreateThreadNotifyRoutine
PsSetCreateThreadNotifyRoutine
PsSetCreateProcessNotifyRoutine
ExAcquireRundownProtectionEx
MmHighestUserAddress
SeCreateAccessState
IoGetFileObjectGenericMapping
ObCreateObject
KeBugCheckEx
_vsnwprintf_s
RtlCheckRegistryKey
KeAcquireSpinLockRaiseToDpc
PsRemoveLoadImageNotifyRoutine
KeReleaseSpinLock
wcsncpy
_wcsnicmp
PsSetLoadImageNotifyRoutine
PsGetCurrentProcessId
PsInitialSystemProcess
RtlWriteRegistryValue
ExQueryDepthSList
_vsnwprintf
IoGetCurrentProcess
ExAllocatePool
IoVolumeDeviceToDosName
ExpInterlockedPopEntrySList
PsGetThreadId
ZwSetValueKey
RtlAppendUnicodeToString
ExpInterlockedPushEntrySList
IoReplaceFileObjectName
ExGetPreviousMode
ZwCreateKey
PsLookupThreadByThreadId
ExDeleteNPagedLookasideList
DbgPrint
ExInitializeResourceLite
IoCreateDevice
ObfDereferenceObject
MmIsAddressValid
RtlCopyUnicodeString
IoCreateSymbolicLink
PoCallDriver
RtlFreeAnsiString
RtlTimeToTimeFields
KeWaitForSingleObject
IofCompleteRequest
ZwClose
PoStartNextPowerIrp
InitSafeBootMode
PsTerminateSystemThread
ExSystemTimeToLocalTime
PsCreateSystemThread
wcsstr
wcsrchr
ZwCreateFile
_wcslwr
RtlUnicodeStringToAnsiString
KeInitializeEvent
IoDeleteDevice
RtlInitUnicodeString
KeSetPriorityThread
NtBuildNumber
IoRegisterDriverReinitialization
_strlwr
ExInitializeNPagedLookasideList
ExFreePoolWithTag
IoDeleteSymbolicLink
isdigit
ExAllocatePoolWithTag
__C_specific_handler
__chkstk

ndis.sys

NdisGetDataBuffer
NdisFreeMemory
NdisAllocateMemoryWithTag

tdi.sys

TdiMapUserRequest

fltmgr.sys

FltClose
FltCreateFile
FltUnregisterFilter
FltGetDeviceObject
FltGetVolumeInformation
FltSetCallbackDataDirty
FltGetDiskDeviceObject
FltGetVolumeProperties
FltReleaseContext
FltAllocateContext
FltGetFileNameInformation
FltRegisterFilter
FltReleaseFileNameInformation
FltParseFileNameInformation
FltStartFiltering
FltSetVolumeContext
FltGetFileNameInformationUnsafe

netio.sys

WskCaptureProviderNPI
WskDeregister
WskRegister

fwpkclnt.sys

FwpmFilterAdd0
FwpmEngineOpen0
FwpmTransactionAbort0
FwpsCalloutRegister0
FwpmTransactionBegin0
FwpmBfeStateSubscribeChanges0
FwpmCalloutAdd0
FwpsCopyStreamDataToBuffer0
FwpmTransactionCommit0
FwpmSubLayerAdd0
FwpmBfeStateUnsubscribeChanges0
FwpsCalloutUnregisterById0
FwpsFlowAssociateContext0
FwpmEngineClose0
FwpmBfeStateGet0

Sections

.text
Size: 566KB - Virtual size: 565KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rdata
Size: 28KB - Virtual size: 28KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.data
Size: 49KB - Virtual size: 93KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.pdata
Size: 12KB - Virtual size: 12KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

INIT
Size: 7KB - Virtual size: 7KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.rsrc
Size: 512B - Virtual size: 496B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ

.reloc
Size: 4KB - Virtual size: 4KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ

Sharing

General

Malware Config

Signatures

Files

3f05fcf3c54690c6d5a9339c11feaa9f

Code Sign

35:a4:51:e3:23:1a:87:cc:55:bd:21:5f:a1:23:80:acCertificate

Extended Key Usages

Key Usages

61:19:93:e4:00:00:00:00:00:1cCertificate

Key Usages

1e:b1:32:d5:7e:79:68:96:0d:f2:6e:85:4e:b0:dd:a6Certificate

Extended Key Usages

Key Usages

52:00:e5:aa:25:56:fc:1a:86:ed:96:c9:d4:4b:33:c7Certificate

Extended Key Usages

Key Usages

1e:b1:32:d5:7e:79:68:96Certificate

Extended Key Usages

Key Usages

35:a4:51:e3:23:1a:87:cc:55:bd:21:5f:a1:23:80:acCertificate

Extended Key Usages

Key Usages

61:19:93:e4:00:00:00:00:00:1cCertificate

Key Usages

52:00:e5:aa:25:56:fc:1a:86:ed:96:c9:d4:4b:33:c7Certificate

Extended Key Usages

Key Usages

1e:b1:32:d5:7e:79:68:96:0d:f2:6e:85:4e:b0:dd:a6Certificate

Extended Key Usages

Key Usages

1e:b1:32:d5:7e:79:68:96Certificate

Extended Key Usages

Key Usages

78:13:ad:4f:de:8b:6b:6f:31:70:c6:81:e3:73:55:2e:d4:f8:26:50:a0:70:2e:b5:39:9a:92:9c:21:a8:b8:6cSigner

5e:1f:9f:1b:af:11:fb:a3:85:3b:ab:54:31:3a:8f:12:ea:fb:6b:d6Signer

Headers

DLL Characteristics

File Characteristics

PDB Paths

Imports

ntoskrnl.exe

ndis.sys

tdi.sys

fltmgr.sys

netio.sys

fwpkclnt.sys

Sections

.text Size: 566KB - Virtual size: 565KB

.rdata Size: 28KB - Virtual size: 28KB

.data Size: 49KB - Virtual size: 93KB

.pdata Size: 12KB - Virtual size: 12KB

INIT Size: 7KB - Virtual size: 7KB

.rsrc Size: 512B - Virtual size: 496B

.reloc Size: 4KB - Virtual size: 4KB

35:a4:51:e3:23:1a:87:cc:55:bd:21:5f:a1:23:80:ac
Certificate

61:19:93:e4:00:00:00:00:00:1c
Certificate

1e:b1:32:d5:7e:79:68:96:0d:f2:6e:85:4e:b0:dd:a6
Certificate

52:00:e5:aa:25:56:fc:1a:86:ed:96:c9:d4:4b:33:c7
Certificate

1e:b1:32:d5:7e:79:68:96
Certificate

35:a4:51:e3:23:1a:87:cc:55:bd:21:5f:a1:23:80:ac
Certificate

61:19:93:e4:00:00:00:00:00:1c
Certificate

52:00:e5:aa:25:56:fc:1a:86:ed:96:c9:d4:4b:33:c7
Certificate

1e:b1:32:d5:7e:79:68:96:0d:f2:6e:85:4e:b0:dd:a6
Certificate

1e:b1:32:d5:7e:79:68:96
Certificate

78:13:ad:4f:de:8b:6b:6f:31:70:c6:81:e3:73:55:2e:d4:f8:26:50:a0:70:2e:b5:39:9a:92:9c:21:a8:b8:6c
Signer

5e:1f:9f:1b:af:11:fb:a3:85:3b:ab:54:31:3a:8f:12:ea:fb:6b:d6
Signer

.text
Size: 566KB - Virtual size: 565KB

.rdata
Size: 28KB - Virtual size: 28KB

.data
Size: 49KB - Virtual size: 93KB

.pdata
Size: 12KB - Virtual size: 12KB

INIT
Size: 7KB - Virtual size: 7KB

.rsrc
Size: 512B - Virtual size: 496B

.reloc
Size: 4KB - Virtual size: 4KB