f97f261075ab2aa2bffa7e55db878dd9_JaffaCakes118

Sharing

Copy URL

Twitter E-mail

General

Target

f97f261075ab2aa2bffa7e55db878dd9_JaffaCakes118
Size

341KB
MD5

f97f261075ab2aa2bffa7e55db878dd9
SHA1

09dbd7df952f5f3ab1b6ee6e4198a9458266d7a2
SHA256

2693c1048a5575cbb920552530ee1f8ff2599099dc079888e63f39aadb884382
SHA512

fd5ba2b8fb1782103f0a37e915fbb3fd7f860f814e9da29df9a7baceaeae78f83fa731ed8db5da098c705c4a9c020d6ced52a833f967ad49c93a08fe4072a9b3
SSDEEP

6144:JPCganNi8Kyg7TP3r3RpUDbzYsxf00vhau4TagGr2nBPsZ5m4sVKozq1WiLXb3:HanE85g3Pb3rsA0JaOgtZOOKzwiLXD

Score

3^/10

Malware Config

Signatures

Unsigned PE 8 IoCs

Checks for missing Authenticode signature.

resource
f97f261075ab2aa2bffa7e55db878dd9_JaffaCakes118
unpack001/$APPDATA/scriptlibrary/MCppCodeDomProvider.dll
unpack001/$APPDATA/scriptlibrary/autolaytui.dll
unpack001/$APPDATA/stow/gutils.dll
unpack001/$TEMP/TenrecSaggar.dll
unpack001/$TEMP/crm/IEExecRemote.dll
unpack001/$TEMP/crm/StoreAdm.exe
unpack001/$TEMP/redesign/pbo/ProjWizUI.dll

NSIS installer 2 IoCs

installer

resource	yara_rule
sample	nsis_installer_1
sample	nsis_installer_2

Files

f97f261075ab2aa2bffa7e55db878dd9_JaffaCakes118
.exe windows:4 windows x86 arch:x86

7c2c71dfce9a27650634dc8b1ca03bf0

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
IMAGE_DLLCHARACTERISTICS_NX_COMPAT
IMAGE_DLLCHARACTERISTICS_NO_SEH
IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE

File Characteristics

IMAGE_FILE_RELOCS_STRIPPED
IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LINE_NUMS_STRIPPED
IMAGE_FILE_LOCAL_SYMS_STRIPPED
IMAGE_FILE_32BIT_MACHINE

Imports

kernel32

SetEnvironmentVariableA
CreateFileA
GetFileSize
GetModuleFileNameA
ReadFile
GetCurrentProcess
CopyFileA
Sleep
GetTickCount
GetWindowsDirectoryA
GetTempPathA
GetCommandLineA
lstrlenA
GetVersion
SetErrorMode
lstrcpynA
ExitProcess
SetFileAttributesA
GlobalLock
CreateThread
GetLastError
CreateDirectoryA
CreateProcessA
RemoveDirectoryA
GetTempFileNameA
WriteFile
lstrcpyA
MoveFileExA
lstrcatA
GetSystemDirectoryA
GetProcAddress
GetExitCodeProcess
WaitForSingleObject
CompareFileTime
SetFileTime
GetFileAttributesA
SetCurrentDirectoryA
MoveFileA
GetFullPathNameA
GetShortPathNameA
SearchPathA
CloseHandle
lstrcmpiA
GlobalUnlock
GetDiskFreeSpaceA
lstrcmpA
DeleteFileA
FindFirstFileA
FindNextFileA
FindClose
SetFilePointer
GetPrivateProfileStringA
WritePrivateProfileStringA
MulDiv
MultiByteToWideChar
FreeLibrary
LoadLibraryExA
GetModuleHandleA
GlobalAlloc
GlobalFree
ExpandEnvironmentStringsA

user32

GetSystemMenu
SetClassLongA
EnableMenuItem
IsWindowEnabled
SetWindowPos
GetSysColor
GetWindowLongA
SetCursor
LoadCursorA
CheckDlgButton
GetMessagePos
CallWindowProcA
IsWindowVisible
CloseClipboard
SetClipboardData
EmptyClipboard
OpenClipboard
ScreenToClient
GetWindowRect
GetDlgItem
GetSystemMetrics
SetDlgItemTextA
GetDlgItemTextA
MessageBoxIndirectA
CharPrevA
DispatchMessageA
PeekMessageA
GetDC
ReleaseDC
EnableWindow
InvalidateRect
SendMessageA
DefWindowProcA
BeginPaint
GetClientRect
FillRect
EndDialog
RegisterClassA
SystemParametersInfoA
CreateWindowExA
GetClassInfoA
DialogBoxParamA
CharNextA
ExitWindowsEx
LoadImageA
CreateDialogParamA
SetTimer
SetWindowTextA
SetForegroundWindow
ShowWindow
SetWindowLongA
SendMessageTimeoutA
FindWindowExA
IsWindow
AppendMenuA
TrackPopupMenu
CreatePopupMenu
DrawTextA
EndPaint
DestroyWindow
wsprintfA
PostQuitMessage

gdi32

SelectObject
SetTextColor
SetBkMode
CreateFontIndirectA
CreateBrushIndirect
DeleteObject
GetDeviceCaps
SetBkColor

shell32

SHGetSpecialFolderLocation
ShellExecuteExA
SHGetPathFromIDListA
SHBrowseForFolderA
SHGetFileInfoA
SHFileOperationA

advapi32

AdjustTokenPrivileges
RegCreateKeyExA
RegOpenKeyExA
SetFileSecurityA
OpenProcessToken
LookupPrivilegeValueA
RegEnumValueA
RegDeleteKeyA
RegDeleteValueA
RegCloseKey
RegSetValueExA
RegQueryValueExA
RegEnumKeyA

comctl32

ImageList_Create
ImageList_AddMasked
ord17
ImageList_Destroy

ole32

OleUninitialize
OleInitialize
CoTaskMemFree
CoCreateInstance

Sections

.text
Size: 25KB - Virtual size: 25KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rdata
Size: 5KB - Virtual size: 4KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.data
Size: 1KB - Virtual size: 149KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.ndata
Size: - Virtual size: 40KB

IMAGE_SCN_CNT_UNINITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.rsrc
Size: 16KB - Virtual size: 16KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
$APPDATA/scriptlibrary/39.opends60.dll
$APPDATA/scriptlibrary/MCppCodeDomProvider.dll
.dll windows:4 windows x86 arch:x86

dae02f32a21e03ce65412f6e56942daa

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_NO_SEH

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LINE_NUMS_STRIPPED
IMAGE_FILE_LOCAL_SYMS_STRIPPED
IMAGE_FILE_32BIT_MACHINE
IMAGE_FILE_DLL

PDB Paths

f:\binaries.x86ret\bin\i386\Microsoft.VisualC.VSCodeProvider.pdb

Imports

mscoree

_CorDllMain

Sections

.text
Size: 36KB - Virtual size: 34KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rsrc
Size: 4KB - Virtual size: 1KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.reloc
Size: 4KB - Virtual size: 12B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ
$APPDATA/scriptlibrary/appledouble.xml
.xml
$APPDATA/scriptlibrary/autolaytui.dll
.dll windows:5 windows x86 arch:x86

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_NO_SEH

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_32BIT_MACHINE
IMAGE_FILE_DLL

PDB Paths

f:\binaries.x86ret\bin\i386\VC7\VCPackages\1033\autolaytui.pdb

Sections

.text
Size: 512B - Virtual size: 115B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.rsrc
Size: 4KB - Virtual size: 3KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.reloc
Size: 512B - Virtual size: 8B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ
$APPDATA/scriptlibrary/org.gnome.desktop.datetime.gschema.xml
.xml
$APPDATA/scriptlibrary/previewobjectbar.xml
.xml
$APPDATA/stow/gutils.dll
.dll windows:5 windows x86 arch:x86

8992e0e73338e8ec5646ea66e35aece0

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_NO_SEH

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LINE_NUMS_STRIPPED
IMAGE_FILE_LOCAL_SYMS_STRIPPED
IMAGE_FILE_32BIT_MACHINE
IMAGE_FILE_DLL

Imports

kernel32

GetTickCount
GetLastError
Sleep
GetProcAddress
QueryPerformanceCounter
GetCurrentThreadId
GetModuleHandleA
GetSystemTimeAsFileTime
TerminateProcess
GetCurrentProcess
SetUnhandledExceptionFilter
WriteFile
FlushFileBuffers
GetACP
WideCharToMultiByte
MultiByteToWideChar
SetFilePointer
ReadFile
IsDBCSLeadByte
lstrlenA
lstrcpyA
GetComputerNameA
OutputDebugStringA
GlobalAlloc
InitializeCriticalSection
ExitProcess
DeleteCriticalSection
GlobalHandle
GlobalUnlock
GlobalFree
CloseHandle
GlobalLock
EnterCriticalSection
LeaveCriticalSection
MulDiv
CreateFileA
GetCurrentProcessId

msvcrt

wcspbrk
wcslen
memmove
_snprintf

user32

RegisterClassA
LoadCursorA
SetScrollInfo
SetScrollPos
SetCursor
SetScrollRange
RegisterWindowMessageA
GetSysColor
FillRect
DrawFocusRect
InvertRect
DispatchMessageA
TranslateMessage
IsDialogMessageA
PeekMessageA
EndDialog
DestroyWindow
SetDlgItemTextA
EnableWindow
ShowWindow
CreateDialogParamA
ValidateRect
ScrollWindow
GetKeyState
SystemParametersInfoA
CharNextA
GetDlgItemTextA
DialogBoxParamA
GetFocus
GetWindowLongA
SetWindowLongA
PtInRect
DefWindowProcA
RedrawWindow
InvalidateRect
GetParent
SendMessageA
SetCapture
BeginPaint
EndPaint
DrawTextA
GetClientRect
GetDC
ReleaseDC
CreateWindowExA
CharLowerBuffA
wsprintfA
LoadStringA
MessageBoxA
ReleaseCapture

gdi32

DeleteDC
SetBkColor
GetStockObject
GetDeviceCaps
CreatePen
CreateSolidBrush
DeleteObject
LineTo
MoveToEx
GetTextExtentPointA
GetTextMetricsA
Rectangle
ExtTextOutA
ExtTextOutW
GetTextExtentPoint32A
GetTextExtentPoint32W
SetTextColor
SetROP2
EndPage
StartPage
EndDoc
AbortDoc
StartDocA
SetAbortProc
SelectObject

wsock32

htons
listen
accept
socket
WSAGetLastError
gethostbyname
closesocket
connect
bind

comdlg32

GetSaveFileNameA
PrintDlgA
GetOpenFileNameA

Exports

Exports

AbortDlg
AbortProc
Format
List_AddAfter
List_AddBefore
List_AddFirst
List_AddLast
List_Card
List_Check
List_Clear
List_Create
List_Delete
List_DeleteFirst
List_DeleteLast
List_Destroy
List_Dump
List_First
List_Init
List_InsertListAfter
List_InsertListBefore
List_IsEmpty
List_IsOK
List_ItemLength
List_Join
List_Last
List_MakeOK
List_NewAfter
List_NewBefore
List_NewFirst
List_NewLast
List_Next
List_Prev
List_Show
List_SplitAfter
List_SplitBefore
List_Term
SocketConnect
SocketListen
StatusAddItem
StatusAlloc
StatusCreate
StatusHeight
StatusWndProc
StringInput
Trace_Close
Trace_Error
Trace_File
Trace_Unattended
checksum_file
ctree_create
ctree_delete
ctree_find
ctree_getcount
ctree_update
dodlg_stringin
gbit_alloc
gbit_findfree
gbit_free
gbit_init
gdate_daytodmy
gdate_dmytoday
gdate_monthdays
gdate_weekday
gfile_new
gfile_open
gmem_free
gmem_freeall
gmem_get
gmem_init
gmem_time
gtab_wndproc
hash_string
readfile_delete
readfile_new
readfile_next
readfile_setdelims
tree_addafter
tree_create
tree_delete
tree_find
tree_search
tree_update
utils_CompPath
utils_isblank

Sections

.text
Size: 35KB - Virtual size: 34KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.data
Size: 512B - Virtual size: 1KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.rsrc
Size: 3KB - Virtual size: 2KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.reloc
Size: 2KB - Virtual size: 1KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ
$APPDATA/stow/model40.xml
.xml
$APPDATA/with/count/ConmanClient2.exe
.exe windows:5 windows x86 arch:x86

4cb3e4d7adf4bf7704cb1da2096dfea2

Code Sign

2b:26:8d:91:45:18:ae:4f:bd:86:cb:4b:ca:51:7f:55
Certificate

Issuer

CN=Microsoft Visual Studio Root Signing Authority,OU=Visual Studio for Devices,O=Microsoft Corporation,L=Redmond,ST=Washington,C=US

Not Before

11-10-2004 22:51

Not After

31-12-2039 23:59

Subject

CN=Microsoft Visual Studio Root Signing Authority,OU=Visual Studio for Devices,O=Microsoft Corporation,L=Redmond,ST=Washington,C=US

63:47:d6:92:67:86:c9:ac:4d:fc:73:56:dd:21:89:d7
Certificate

Issuer

CN=Microsoft Visual Studio Root Signing Authority,OU=Visual Studio for Devices,O=Microsoft Corporation,L=Redmond,ST=Washington,C=US

Not Before

11-10-2004 22:51

Not After

31-12-2039 23:59

Subject

CN=Microsoft Visual Studio Intermediate Signing Authority,OU=Visual Studio for Devices,O=Microsoft Corporation,L=Redmond,ST=Washington,C=US

47:d3:5b:42:01:53:0b:5a:b4:13:8d:cd:4e:31:18:4d
Certificate

Issuer

CN=Microsoft Visual Studio Intermediate Signing Authority,OU=Visual Studio for Devices,O=Microsoft Corporation,L=Redmond,ST=Washington,C=US

Not Before

11-10-2004 22:52

Not After

31-12-2039 23:59

Subject

CN=Microsoft Visual Studio Signing Authority,OU=Visual Studio for Devices,O=Microsoft Corporation,L=Redmond,ST=Washington,C=US

Signer

Actual PE Digest

Digest Algorithm

PE Digest Matches

false

Headers

File Characteristics

IMAGE_FILE_RELOCS_STRIPPED
IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_32BIT_MACHINE

PDB Paths

ConmanClient2.pdb

Imports

coredll

ord494
ord553
ord530
ord516
ord69
ord537
ord1047
ord529
ord528
ord161
ord180
ord181
ord165
ord167
ord49
ord46
ord50
ord5
ord4
ord455
ord463
ord461
ord497
ord495
ord492
ord496
ord1094
ord3
ord1533
ord1584
ord1530
ord498
ord2
ord1585
ord1529
ord555
ord1046
ord1054
ord1041
ord1018
ord1095
ord78
ord59
ord229
ord77
ord464
ord456
ord458
ord174
ord168
ord170
ord544
ord509
ord493
ord519
ord177
ord169
ord1677
ord542
ord717
ord88
ord89
ord215
ord213
ord25
ord457
ord197
ord1044
ord163
ord56
ord230
ord1234
ord184
ord171
ord29
ord1443
ord1474
ord557
ord606
ord1645
ord2038
ord2037
ord36
ord543
ord517
ord160
ord175
ord173
ord541
ord196
ord1107
ord1147
ord202
ord74
ord172
ord1459
ord1460
ord33
ord1461
ord533
ord532
ord166
ord34
ord35
ord1132

Sections

.text
Size: 41KB - Virtual size: 40KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.data
Size: 1024B - Virtual size: 3KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.rsrc
Size: 1KB - Virtual size: 1KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
$APPDATA/with/count/MicrosoftWindowsCEForms.dll
.dll windows:4 windows x86 arch:x86

dae02f32a21e03ce65412f6e56942daa

Code Sign

47:bf:19:95:df:8d:52:46:43:f7:db:6d:48:0d:31:a4
Certificate

Issuer

CN=Thawte Timestamping CA,OU=Thawte Certification,O=Thawte,L=Durbanville,ST=Western Cape,C=ZA

Not Before

04-12-2003 00:00

Not After

03-12-2013 23:59

Subject

CN=VeriSign Time Stamping Services CA,O=VeriSign\, Inc.,C=US

Extended Key Usages

ExtKeyUsageTimeStamping

Key Usages

KeyUsageCertSign
KeyUsageCRLSign

0d:e9:2b:f0:d4:d8:29:88:18:32:05:09:5e:9a:76:88
Certificate

Issuer

CN=VeriSign Time Stamping Services CA,O=VeriSign\, Inc.,C=US

Not Before

04-12-2003 00:00

Not After

03-12-2008 23:59

Subject

CN=VeriSign Time Stamping Services Signer,O=VeriSign\, Inc.,C=US

Extended Key Usages

ExtKeyUsageTimeStamping

Key Usages

KeyUsageDigitalSignature
KeyUsageContentCommitment

c1:00:8b:3c:3c:88:11:d1:3e:f6:63:ec:df:40
Certificate

Issuer

CN=Microsoft Root Authority,OU=Copyright (c) 1997 Microsoft Corp.+OU=Microsoft Corporation

Not Before

10-01-1997 07:00

Not After

31-12-2020 07:00

Subject

CN=Microsoft Root Authority,OU=Copyright (c) 1997 Microsoft Corp.+OU=Microsoft Corporation

6a:0b:99:4f:c0:00:fa:aa:11:d7:13:01:30:93:20:84
Certificate

Issuer

CN=Microsoft Root Authority,OU=Copyright (c) 1997 Microsoft Corp.+OU=Microsoft Corporation

Not Before

15-12-2002 08:00

Not After

20-12-2012 08:00

Subject

CN=Microsoft Mobile Device Privileged Component PCA,OU=Copyright (c) 2002 Microsoft Corp.,O=Microsoft Corporation,L=Redmond,ST=Washington,C=US

Extended Key Usages

ExtKeyUsageCodeSigning

Key Usages

KeyUsageDigitalSignature
KeyUsageContentCommitment
KeyUsageCertSign
KeyUsageCRLSign

61:05:f9:0d:00:00:00:00:00:07
Certificate

Issuer

CN=Microsoft Mobile Device Privileged Component PCA,OU=Copyright (c) 2002 Microsoft Corp.,O=Microsoft Corporation,L=Redmond,ST=Washington,C=US

Not Before

14-07-2005 16:59

Not After

14-11-2007 17:09

Subject

CN=Microsoft Mobile Device Privileged Publisher,OU=Copyright (c) 2005 Microsoft Corp.,O=Microsoft Corporation,L=Redmond,ST=Washington,C=US

Extended Key Usages

ExtKeyUsageCodeSigning

Key Usages

KeyUsageDigitalSignature
KeyUsageContentCommitment

48:27:82:e8:7b:6c:ee:f6:81:27:f2:fc:dc:7b:7a:c2:c6:71:47:5b
Signer

Actual PE Digest

48:27:82:e8:7b:6c:ee:f6:81:27:f2:fc:dc:7b:7a:c2:c6:71:47:5b

Digest Algorithm

sha1

PE Digest Matches

true

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_NO_SEH

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LINE_NUMS_STRIPPED
IMAGE_FILE_LOCAL_SYMS_STRIPPED
IMAGE_FILE_32BIT_MACHINE
IMAGE_FILE_DLL

Imports

mscoree

_CorDllMain

Sections

.text
Size: 10KB - Virtual size: 10KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rsrc
Size: 1KB - Virtual size: 1KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.reloc
Size: 512B - Virtual size: 12B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ
$TEMP/Euchre
$TEMP/TenrecSaggar.dll
.dll windows:5 windows x86 arch:x86

a3810d07530dbe9e584367ce431db16a

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
IMAGE_DLLCHARACTERISTICS_NX_COMPAT

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_32BIT_MACHINE
IMAGE_FILE_DLL

Imports

gdi32

FrameRgn

ws2_32

sendto
WSAAsyncGetProtoByName

kernel32

HeapSize
GetStringTypeW
MultiByteToWideChar
GetModuleHandleA
WaitForDebugEvent
GlobalFindAtomW
GetProcAddress
DuplicateHandle
SetThreadAffinityMask
GetCurrentThreadId
DecodePointer
GetCommandLineA
TerminateProcess
GetCurrentProcess
UnhandledExceptionFilter
SetUnhandledExceptionFilter
IsDebuggerPresent
EncodePointer
TlsAlloc
TlsGetValue
TlsSetValue
TlsFree
InterlockedIncrement
GetModuleHandleW
SetLastError
GetLastError
InterlockedDecrement
HeapFree
Sleep
ExitProcess
SetHandleCount
GetStdHandle
InitializeCriticalSectionAndSpinCount
GetFileType
GetStartupInfoW
DeleteCriticalSection
GetModuleFileNameA
FreeEnvironmentStringsW
WideCharToMultiByte
GetEnvironmentStringsW
HeapCreate
HeapDestroy
QueryPerformanceCounter
GetTickCount
GetCurrentProcessId
GetSystemTimeAsFileTime
LeaveCriticalSection
EnterCriticalSection
GetCPInfo
GetACP
GetOEMCP
IsValidCodePage
HeapAlloc
HeapReAlloc
LoadLibraryW
WriteFile
GetModuleFileNameW
RtlUnwind
LCMapStringW
IsProcessorFeaturePresent

Exports

Exports

Output
Russky

Sections

.text
Size: 20KB - Virtual size: 19KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rdata
Size: 8KB - Virtual size: 8KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.data
Size: 11KB - Virtual size: 14KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.reloc
Size: 2KB - Virtual size: 2KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ
$TEMP/crm/IEExecRemote.dll
.dll windows:4 windows x86 arch:x86

dae02f32a21e03ce65412f6e56942daa

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_NO_SEH

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LINE_NUMS_STRIPPED
IMAGE_FILE_LOCAL_SYMS_STRIPPED
IMAGE_FILE_32BIT_MACHINE
IMAGE_FILE_DLL

PDB Paths

IEExecRemote.pdb

Imports

mscoree

_CorDllMain

Sections

.text
Size: 5KB - Virtual size: 5KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rsrc
Size: 1KB - Virtual size: 1KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.reloc
Size: 512B - Virtual size: 12B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ
$TEMP/crm/StoreAdm.exe
.exe windows:4 windows x86 arch:x86

f34d5f2d4577ed6d9ceec516c1f5a744

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_NO_SEH

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LINE_NUMS_STRIPPED
IMAGE_FILE_LOCAL_SYMS_STRIPPED
IMAGE_FILE_32BIT_MACHINE

PDB Paths

storeadm.pdb

Imports

mscoree

_CorExeMain

Sections

.text
Size: 16KB - Virtual size: 16KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rsrc
Size: 1KB - Virtual size: 1KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.reloc
Size: 512B - Virtual size: 12B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ
$TEMP/crm/type-windows.xml
.xml
$TEMP/crm/wikipedia-zh-TW.xml
$TEMP/redesign/pbo/ProjWizUI.dll
.dll windows:5 windows x86 arch:x86

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_NO_SEH

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_32BIT_MACHINE
IMAGE_FILE_DLL

Sections

.rsrc
Size: 2KB - Virtual size: 1KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.reloc
Size: 512B - Virtual size: 8B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ
$TEMP/redesign/pbo/ram.xml
.xml
$TEMP/redesign/pbo/x-ocl.xml
.xml

Sharing

General

Malware Config

Signatures

Files

7c2c71dfce9a27650634dc8b1ca03bf0

Headers

DLL Characteristics

File Characteristics

Imports

kernel32

user32

gdi32

shell32

advapi32

comctl32

ole32

Sections

.text Size: 25KB - Virtual size: 25KB

.rdata Size: 5KB - Virtual size: 4KB

.data Size: 1KB - Virtual size: 149KB

.ndata Size: - Virtual size: 40KB

.rsrc Size: 16KB - Virtual size: 16KB

dae02f32a21e03ce65412f6e56942daa

Headers

DLL Characteristics

File Characteristics

PDB Paths

Imports

mscoree

Sections

.text Size: 36KB - Virtual size: 34KB

.rsrc Size: 4KB - Virtual size: 1KB

.reloc Size: 4KB - Virtual size: 12B

Headers

DLL Characteristics

File Characteristics

PDB Paths

Sections

.text Size: 512B - Virtual size: 115B

.rsrc Size: 4KB - Virtual size: 3KB

.reloc Size: 512B - Virtual size: 8B

8992e0e73338e8ec5646ea66e35aece0

Headers

DLL Characteristics

File Characteristics

Imports

kernel32

msvcrt

user32

gdi32

wsock32

comdlg32

Exports

Exports

Sections

.text Size: 35KB - Virtual size: 34KB

.data Size: 512B - Virtual size: 1KB

.rsrc Size: 3KB - Virtual size: 2KB

.reloc Size: 2KB - Virtual size: 1KB

4cb3e4d7adf4bf7704cb1da2096dfea2

Code Sign

2b:26:8d:91:45:18:ae:4f:bd:86:cb:4b:ca:51:7f:55Certificate

63:47:d6:92:67:86:c9:ac:4d:fc:73:56:dd:21:89:d7Certificate

47:d3:5b:42:01:53:0b:5a:b4:13:8d:cd:4e:31:18:4dCertificate

Signer

Headers

File Characteristics

PDB Paths

Imports

coredll

Sections

.text Size: 41KB - Virtual size: 40KB

.data Size: 1024B - Virtual size: 3KB

.rsrc Size: 1KB - Virtual size: 1KB

dae02f32a21e03ce65412f6e56942daa

Code Sign

47:bf:19:95:df:8d:52:46:43:f7:db:6d:48:0d:31:a4Certificate

Extended Key Usages

Key Usages

.text
Size: 25KB - Virtual size: 25KB

.rdata
Size: 5KB - Virtual size: 4KB

.data
Size: 1KB - Virtual size: 149KB

.ndata
Size: - Virtual size: 40KB

.rsrc
Size: 16KB - Virtual size: 16KB

.text
Size: 36KB - Virtual size: 34KB

.rsrc
Size: 4KB - Virtual size: 1KB

.reloc
Size: 4KB - Virtual size: 12B

.text
Size: 512B - Virtual size: 115B

.rsrc
Size: 4KB - Virtual size: 3KB

.reloc
Size: 512B - Virtual size: 8B

.text
Size: 35KB - Virtual size: 34KB

.data
Size: 512B - Virtual size: 1KB

.rsrc
Size: 3KB - Virtual size: 2KB

.reloc
Size: 2KB - Virtual size: 1KB

2b:26:8d:91:45:18:ae:4f:bd:86:cb:4b:ca:51:7f:55
Certificate

63:47:d6:92:67:86:c9:ac:4d:fc:73:56:dd:21:89:d7
Certificate

47:d3:5b:42:01:53:0b:5a:b4:13:8d:cd:4e:31:18:4d
Certificate

.text
Size: 41KB - Virtual size: 40KB

.data
Size: 1024B - Virtual size: 3KB

.rsrc
Size: 1KB - Virtual size: 1KB

47:bf:19:95:df:8d:52:46:43:f7:db:6d:48:0d:31:a4
Certificate

0d:e9:2b:f0:d4:d8:29:88:18:32:05:09:5e:9a:76:88
Certificate

c1:00:8b:3c:3c:88:11:d1:3e:f6:63:ec:df:40
Certificate

6a:0b:99:4f:c0:00:fa:aa:11:d7:13:01:30:93:20:84
Certificate

61:05:f9:0d:00:00:00:00:00:07
Certificate

48:27:82:e8:7b:6c:ee:f6:81:27:f2:fc:dc:7b:7a:c2:c6:71:47:5b
Signer

.text
Size: 10KB - Virtual size: 10KB

.rsrc
Size: 1KB - Virtual size: 1KB

.reloc
Size: 512B - Virtual size: 12B

.text
Size: 20KB - Virtual size: 19KB

.rdata
Size: 8KB - Virtual size: 8KB

.data
Size: 11KB - Virtual size: 14KB

.reloc
Size: 2KB - Virtual size: 2KB

.text
Size: 5KB - Virtual size: 5KB

.rsrc
Size: 1KB - Virtual size: 1KB

.reloc
Size: 512B - Virtual size: 12B

.text
Size: 16KB - Virtual size: 16KB

.rsrc
Size: 1KB - Virtual size: 1KB

.reloc
Size: 512B - Virtual size: 12B

.rsrc
Size: 2KB - Virtual size: 1KB

.reloc
Size: 512B - Virtual size: 8B