fe99a9adad37734b6d278f8a7f766bcd_JaffaCakes118

Sharing

Copy URL Twitter E-mail

General

Target

fe99a9adad37734b6d278f8a7f766bcd_JaffaCakes118
Size

2.5MB
MD5

fe99a9adad37734b6d278f8a7f766bcd
SHA1

4f2b512b13c92febc62b75c0ea0db46169ab67a1
SHA256

2b2d1dc812a64d147827b9e7521c17ceb9412ae1e20e37e97f6dd099e0f61f30
SHA512

c358dc7372de2fd75c46cd20ee8c228343798c8e02f0b6c0409fe1de6ffdd3253d1ff127f21e75a4dd4e7d5320f630497fb91af878a94d678a7271c72f6b474f
SSDEEP

49152:VXmxXkpXwQL7z0eLvtuSlT6gDgPUEbdABLvNgk9WNI/t8Uoe+SBOs13i:ROXOXpz0eISTidABLvNgk9ki8Uoe+yOV

Score

7^/10

upx

Malware Config

Signatures

ACProtect 1.3x - 1.4x DLL software 1 IoCs

Detects file using ACProtect software.

resource	yara_rule
static1/unpack001/3.1230/dm.dll	acprotect

UPX packed file 1 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
static1/unpack001/3.1230/dm.dll	upx

Unsigned PE 7 IoCs

Checks for missing Authenticode signature.

resource
unpack001/3.1230/RegDll.dll
unpack001/3.1230/dm.dll
unpack002/out.upx
unpack001/3.1230/大漠后台系统.exe
unpack001/3.1230/大漠综合工具.exe
unpack001/3.1230/答题器/大漠答题器.exe
unpack001/3.1230/获取本机机器码.exe

Files

fe99a9adad37734b6d278f8a7f766bcd_JaffaCakes118
.rar
3.1230/RegDll.dll
.dll regsvr32 windows:4 windows x86 arch:x86

f076a1e4fbab4d2c4bccbdc4ea8a1b72

Headers

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LINE_NUMS_STRIPPED
IMAGE_FILE_LOCAL_SYMS_STRIPPED
IMAGE_FILE_32BIT_MACHINE
IMAGE_FILE_DLL

Imports

mfc42

ord3831
ord3825
ord3079
ord4080
ord4424
ord614
ord1206
ord2623
ord290
ord825
ord1223
ord4622
ord4226
ord2486
ord4003
ord446
ord743
ord1569
ord1196
ord1168
ord6467
ord4274
ord6375
ord4486
ord2554
ord2512
ord5731
ord3922
ord3830
ord5199
ord2396
ord3346
ord5300
ord5302
ord2725
ord4079
ord4698
ord5307
ord5289
ord5714
ord3262
ord3081
ord3738
ord561
ord815
ord5500
ord1132
ord1131
ord6354
ord1176
ord1575
ord1577
ord1182
ord342
ord1243
ord1197
ord1570
ord1253
ord1255
ord2976
ord2985
ord3136
ord4465
ord3147
ord3259
ord2982
ord1799
ord1089
ord823
ord1578
ord600
ord826
ord269
ord1116

msvcrt

__CxxFrameHandler
wcstombs
__dllonexit
_onexit
free
??1type_info@@UAE@XZ
_adjust_fdiv
malloc
_initterm

kernel32

LocalFree
LoadLibraryA
FreeLibrary
GetProcAddress
LocalAlloc

advapi32

RegSetValueExA
RegCloseKey
RegCreateKeyExA

ole32

OleInitialize
CoTaskMemFree
StringFromCLSID
OleUninitialize

Exports

Exports

DllCanUnloadNow
DllGetClassObject
DllRegisterServer

Sections

.text
Size: 4KB - Virtual size: 3KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rdata
Size: 4KB - Virtual size: 2KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.data
Size: 4KB - Virtual size: 4KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.rsrc
Size: 4KB - Virtual size: 2KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.reloc
Size: 4KB - Virtual size: 722B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ
3.1230/dm.dll
.dll regsvr32 windows:4 windows x86 arch:x86

Headers

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LINE_NUMS_STRIPPED
IMAGE_FILE_LOCAL_SYMS_STRIPPED
IMAGE_FILE_32BIT_MACHINE
IMAGE_FILE_DLL

Exports

Exports

??0CxFile@@QAE@ABV0@@Z
??0CxFile@@QAE@XZ
??0CxIOFile@@QAE@ABV0@@Z
??0CxIOFile@@QAE@PAU_iobuf@@@Z
??0CxMemFile@@QAE@ABV0@@Z
??1CxFile@@UAE@XZ
??1CxIOFile@@UAE@XZ
??1CxImage@@UAE@XZ
??4CxFile@@QAEAAV0@ABV0@@Z
??4CxIOFile@@QAEAAV0@ABV0@@Z
??4CxMemFile@@QAEAAV0@ABV0@@Z
??_7CxFile@@6B@
??_7CxIOFile@@6B@
??_7CxImage@@6B@
??_7CxMemFile@@6B@
??_FCxIOFile@@QAEXXZ
??_FCxImage@@QAEXXZ
??_FCxMemFile@@QAEXXZ
??_OCxImage@@QAEXABV0@@Z
?Close@CxIOFile@@UAE_NXZ
?Eof@CxIOFile@@UAE_NXZ
?Error@CxIOFile@@UAEJXZ
?Flush@CxIOFile@@UAE_NXZ
?GetC@CxIOFile@@UAEJXZ
?GetS@CxIOFile@@UAEPADPADH@Z
?Open@CxIOFile@@QAE_NPBD0@Z
?PutC@CxFile@@UAE_NE@Z
?PutC@CxIOFile@@UAE_NE@Z
?Read@CxIOFile@@UAEIPAXII@Z
?Scanf@CxIOFile@@UAEJPBDPAX@Z
?Seek@CxIOFile@@UAE_NJH@Z
?Size@CxIOFile@@UAEJXZ
?Tell@CxIOFile@@UAEJXZ
?Write@CxIOFile@@UAEIPBXII@Z
CBFunA
CBFunB
DllCanUnloadNow
DllGetClassObject
DllRegisterServer
DllUnregisterServer

Sections

UPX0
Size: - Virtual size: 680KB

IMAGE_SCN_CNT_UNINITIALIZED_DATA
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

UPX1
Size: 762KB - Virtual size: 764KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.rsrc
Size: 50KB - Virtual size: 52KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE
out.upx
.dll windows:4 windows x86 arch:x86

Headers

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LINE_NUMS_STRIPPED
IMAGE_FILE_LOCAL_SYMS_STRIPPED
IMAGE_FILE_32BIT_MACHINE
IMAGE_FILE_DLL

Sections

.text
Size: 740KB - Virtual size: 737KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rdata
Size: 84KB - Virtual size: 82KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.data
Size: 36KB - Virtual size: 108KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.rsrc
Size: 228KB - Virtual size: 224KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.tp0
Size: 48KB - Virtual size: 44KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.tp1
Size: 168KB - Virtual size: 164KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.reloc
Size: 36KB - Virtual size: 33KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ
3.1230/修改记录.txt
3.1230/大漠后台系统.exe
.exe windows:4 windows x86 arch:x86

f9a483ccad5ddc854d0524d2698b34b1

Headers

File Characteristics

IMAGE_FILE_RELOCS_STRIPPED
IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LINE_NUMS_STRIPPED
IMAGE_FILE_LOCAL_SYMS_STRIPPED
IMAGE_FILE_32BIT_MACHINE

Imports

mfc42u

ord2721
ord4269
ord6371
ord4480
ord2546
ord2504
ord5727
ord3917
ord1089
ord5193
ord2388
ord3341
ord5296
ord5298
ord2717
ord4074
ord4692
ord5303
ord5285
ord5710
ord2977
ord3142
ord3254
ord4459
ord3131
ord3257
ord2980
ord3076
ord2971
ord3825
ord3826
ord3820
ord3074
ord4075
ord4616
ord4418
ord3733
ord561
ord825
ord815
ord4041
ord2137
ord2136
ord6221
ord5227
ord5243
ord2124
ord4595
ord6211
ord617
ord5297
ord5208
ord296
ord986
ord520
ord4154
ord6113
ord2613
ord1131
ord823
ord824
ord5431
ord1676
ord1666
ord2620
ord5976
ord2633
ord4117
ord6210
ord6192
ord4293
ord5944
ord3083
ord3866
ord3869
ord3868
ord6194
ord4281
ord4278
ord3132
ord3791
ord5715
ord6088
ord3519
ord4027
ord6091
ord4030
ord2541
ord2425
ord3348
ord3574
ord426
ord726
ord826
ord690
ord1980
ord5352
ord5201
ord389
ord5261
ord4370
ord4847
ord4992
ord4704
ord2506
ord6048
ord4073
ord1767
ord4401
ord5237
ord2377
ord5157
ord6370
ord4347
ord5276
ord3793
ord4831
ord4435
ord2640
ord2047
ord6372
ord3744
ord5059
ord1720
ord5257
ord2438
ord2116
ord2722
ord4621
ord4419
ord3592
ord324
ord641
ord4229
ord1817
ord4233
ord4690
ord3053
ord3060
ord6332
ord2502
ord2534
ord5239
ord5736
ord1739
ord5573
ord3167
ord5649
ord4414
ord4947
ord4852
ord2391
ord4381
ord3449
ord3193
ord6076
ord6171
ord4617
ord4420
ord338
ord652
ord4817
ord6589
ord6791
ord6642
ord6583
ord6798
ord6848
ord6814
ord6846
ord6823
ord6850
ord6858
ord6838
ord6805
ord6830
ord6837
ord6849
ord6807
ord6806
ord6803
ord6836
ord6847
ord4583
ord4582
ord4893
ord4364
ord4886
ord5070
ord4334
ord4341
ord4714
ord4883
ord4525
ord4539
ord4537
ord4520
ord4523
ord4518
ord4957
ord4954
ord4103
ord6050
ord1768
ord5236
ord5277
ord3743
ord1718
ord6683
ord4426
ord6475
ord6510
ord5256
ord800
ord6796
ord537
ord3000
ord2127
ord6799
ord538
ord1594
ord6691
ord6653
ord1834
ord4237
ord2715
ord2382
ord3054
ord5094
ord5097
ord4461
ord4298
ord3345
ord5006
ord975
ord5468
ord3398
ord2874
ord2873
ord4146
ord6051
ord4072
ord5233
ord5278
ord2641
ord1658
ord4430
ord4421
ord366
ord674
ord4451
ord942
ord861
ord5248
ord1569
ord6466
ord2719
ord5273
ord6445
ord1165

msvcrt

_ftol
wcscat
wcscpy
wcsstr
_exit
_XcptFilter
exit
_wcmdln
__wgetmainargs
_initterm
__setusermatherr
_adjust_fdiv
__p__commode
__p__fmode
__set_app_type
_except_handler3
__dllonexit
_onexit
_controlfp
malloc
strstr
strncpy
free
__CxxFrameHandler
localtime

kernel32

GetLocalTime
GetStartupInfoW
GetModuleHandleW

user32

PostMessageW
GetClientRect
EnableWindow
wsprintfW
UpdateWindow
MessageBoxW

oleaut32

SysAllocString
VariantInit
SysFreeString

ws2_32

WSAStartup
recvfrom
closesocket
sendto
setsockopt
htonl
htons
inet_addr
socket
WSACleanup
ntohl

Exports

Exports

?interfaceMap@CCustomControlSite@@1UAFX_INTERFACEMAP@@B

Sections

.text
Size: 12KB - Virtual size: 8KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rdata
Size: 8KB - Virtual size: 5KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.data
Size: 4KB - Virtual size: 3KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.rsrc
Size: 8KB - Virtual size: 5KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
3.1230/大漠接口说明.CHM
.chm
3.1230/大漠综合工具.exe
.exe windows:4 windows x86 arch:x86

185d9b647f1a94ce35270ddd6b293f90

Headers

File Characteristics

IMAGE_FILE_RELOCS_STRIPPED
IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LINE_NUMS_STRIPPED
IMAGE_FILE_LOCAL_SYMS_STRIPPED
IMAGE_FILE_32BIT_MACHINE

Imports

kernel32

FormatMessageA
GetLastError
GlobalFree
IsBadReadPtr
SetLastError
InterlockedExchange
OpenEventA
WaitForSingleObject
GetSystemDirectoryA
LoadLibraryA
GetModuleHandleA
MapViewOfFile
ResumeThread
CreateEventA
SetEvent
LocalFree
UnmapViewOfFile
GetHandleInformation
CreateFileMappingA
FlushInstructionCache
ExitThread
VirtualFree
VirtualAlloc
SuspendThread
SetThreadContext
GetThreadContext
InterlockedCompareExchange
GetStartupInfoW
CreateFileA
GetPrivateProfileStringA
GetPrivateProfileIntA
GetModuleFileNameA
WritePrivateProfileStringA
GetProfileIntW
GlobalDeleteAtom
GlobalFindAtomW
GlobalAddAtomW
CopyFileW
Sleep
GetTickCount
OpenEventW
CreateEventW
GetCurrentThread
CreateThread
GetCurrentThreadId
GetCurrentProcessId
GetCurrentProcess
WriteFile
IsBadWritePtr
VirtualQuery
FormatMessageW
CreateFileW
SetFilePointer
CloseHandle
SetUnhandledExceptionFilter
GetModuleFileNameW
lstrcatW
lstrlenW
WinExec
lstrcpyW
GetWindowsDirectoryW
LoadLibraryW
FreeLibrary
FindResourceW
SizeofResource
LoadResource
LockResource
MulDiv
GetModuleHandleW
GetProcAddress
lstrcpynW
GetVersionExW
lstrcmpW
GlobalAlloc
GlobalLock
GlobalUnlock
MultiByteToWideChar
WideCharToMultiByte

user32

HideCaret
UnregisterHotKey
RegisterHotKey
ShowWindow
LoadImageW
GetDesktopWindow
GetWindowDC
GetForegroundWindow
EqualRect
GetFocus
LoadMenuW
GetSubMenu
IsChild
MessageBoxA
wvsprintfW
CopyIcon
InflateRect
SetWindowLongW
ReleaseCapture
RedrawWindow
SetCapture
MessageBeep
GetSysColor
DrawTextW
BeginPaint
EndPaint
PostQuitMessage
IsWindowVisible
DefWindowProcW
RegisterClassExW
CreateWindowExW
GetDlgCtrlID
LoadStringW
SetWindowPos
GetParent
PostMessageW
OpenClipboard
EmptyClipboard
GetMessageW
CloseClipboard
ClientToScreen
ShowCursor
GetAsyncKeyState
GetScrollPos
SetScrollPos
SetScrollRange
MessageBoxW
GetKeyState
SetTimer
KillTimer
SetCursorPos
InvalidateRgn
GetCursorPos
IsRectEmpty
GetDC
ReleaseDC
SetCursor
IsWindow
ScreenToClient
SetRect
InvalidateRect
GetWindowRect
PtInRect
GetClientRect
GetDCEx
UpdateWindow
GetCapture
GetClassNameW
GetWindowTextW
GetWindowLongW
SendMessageTimeoutW
GetMessageExtraInfo
SystemParametersInfoW
GetPropA
AdjustWindowRectEx
RemovePropA
PostThreadMessageW
GetIconInfo
GetWindowThreadProcessId
SendMessageA
GetWindow
AttachThreadInput
WindowFromPoint
GetWindowTextA
SetForegroundWindow
GetWindowLongA
UnhookWindowsHookEx
FindWindowA
DestroyCursor
GetActiveWindow
GetWindowPlacement
EnumWindows
MapVirtualKeyExW
GetKeyboardLayout
TranslateAcceleratorA
IsIconic
DispatchMessageW
LoadIconW
GetSystemMetrics
LoadCursorW
SetRectEmpty
EnableWindow
SendMessageW
DrawIcon
SetClipboardData

gdi32

CreateCompatibleBitmap
Rectangle
GetStockObject
GetTextExtentPoint32W
CombineRgn
CreateRectRgnIndirect
GetDIBits
SetDIBits
LineDDA
SetPixelV
CreatePen
GetDeviceCaps
EnumFontFamiliesExW
CreateFontIndirectW
DeleteObject
SetROP2
CreatePatternBrush
CreateBitmap
SelectObject
UnrealizeObject
RealizePalette
SelectPalette
DeleteDC
GetObjectW
CreateCompatibleDC
BitBlt
GetPixel
PatBlt
CreateRectRgn

advapi32

RegOpenKeyExW
RegQueryValueW
RegCloseKey

shell32

ShellExecuteW

ole32

OleInitialize
CoCreateInstance
OleUninitialize

oleaut32

VariantInit
SysAllocString
SysFreeString

mfc42u

ord1131
ord1202
ord389
ord5201
ord5352
ord1980
ord690
ord815
ord561
ord3733
ord4616
ord5710
ord5285
ord5303
ord4692
ord4074
ord5298
ord3341
ord2388
ord5193
ord1089
ord3917
ord5727
ord2504
ord2546
ord4480
ord6371
ord4269
ord927
ord1197
ord2114
ord1088
ord3792
ord3871
ord556
ord2606
ord795
ord809
ord3716
ord3494
ord5785
ord616
ord3577
ord4392
ord2570
ord4213
ord2015
ord2403
ord283
ord6168
ord538
ord1172
ord2354
ord2286
ord3284
ord2916
ord3559
ord956
ord6617
ord4158
ord5651
ord2004
ord5880
ord554
ord2859
ord3798
ord355
ord2507
ord3447
ord3870
ord2290
ord4197
ord6865
ord2756
ord6278
ord6279
ord6654
ord4273
ord692
ord804
ord5296
ord2717
ord941
ord1764
ord6362
ord2016
ord4214
ord2573
ord4395
ord3634
ord2579
ord4400
ord3389
ord3724
ord2281
ord2350
ord6777
ord2745
ord6451
ord6597
ord4215
ord2576
ord3649
ord2430
ord6266
ord2858
ord1637
ord3084
ord6868
ord3785
ord5436
ord6379
ord5446
ord6390
ord4474
ord1263
ord1562
ord1193
ord6115
ord4312
ord6190
ord1563
ord1194
ord1808
ord5857
ord5706
ord4124
ord6874
ord6139
ord2405
ord541
ord801
ord2910
ord5568
ord858
ord2293
ord942
ord5784
ord4292
ord4128
ord3688
ord2854
ord823
ord5261
ord4992
ord2506
ord6048
ord4073
ord1767
ord4401
ord5237
ord2377
ord5157
ord6370
ord4347
ord3793
ord4831
ord4435
ord2640
ord2047
ord6372
ord3744
ord5059
ord1720
ord5257
ord2438
ord2116
ord5273
ord2977
ord3142
ord3254
ord4459
ord3131
ord3257
ord2980
ord3076
ord2971
ord3825
ord3826
ord3820
ord3074
ord4075
ord4621
ord4419
ord3592
ord3701
ord641
ord1634
ord1143
ord1165
ord324
ord825
ord3658
ord3621
ord2406
ord2855
ord2294
ord4229
ord535
ord800
ord940
ord537
ord860
ord540
ord4294
ord6193
ord6376
ord4704
ord2371
ord755
ord470
ord4370
ord613
ord2637
ord289
ord4470
ord640
ord2397
ord5781
ord1633
ord323
ord3614
ord861
ord2810
ord5783
ord5871
ord2235
ord5276
ord6051
ord1768
ord4418
ord3605
ord567
ord656
ord4270
ord6195
ord5286
ord4847
ord2362
ord3397
ord3706
ord783
ord807
ord6871
ord3087
ord6211
ord2078
ord4219
ord5977
ord3566
ord2746
ord2634
ord4688
ord3747
ord5142
ord6330
ord1569

msvcrt

wcslen
swprintf
strstr
free
strchr
??0exception@@QAE@ABQBD@Z
??1exception@@UAE@XZ
_CxxThrowException
strlen
??0exception@@QAE@ABV0@@Z
_controlfp
??1type_info@@UAE@XZ
_onexit
__dllonexit
_except_handler3
__set_app_type
__p__fmode
__p__commode
_adjust_fdiv
__setusermatherr
_initterm
__wgetmainargs
_wcmdln
exit
_XcptFilter
_exit
memmove
_strupr
_findfirst
_findnext
_findclose
time
remove
fopen
vsprintf
_itoa
strrchr
floor
atof
fprintf
atol
fseek
ftell
fread
wcscat
strncmp
sscanf
srand
rand
_wsplitpath
strncpy
_wcsdup
wcsrchr
wcsstr
sprintf
fwrite
_wfopen
wcscpy
fclose
wcscmp
_ftol
swscanf
malloc
__CxxFrameHandler

Sections

.text
Size: 204KB - Virtual size: 201KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rdata
Size: 52KB - Virtual size: 48KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.data
Size: 8KB - Virtual size: 122.5MB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.rsrc
Size: 548KB - Virtual size: 546KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
3.1230/注册大漠插件到系统.bat
3.1230/答题器/alarm.mp3
3.1230/答题器/大漠答题器.exe
.exe windows:4 windows x86 arch:x86

f5f3db2b537e0ffb6ad6f32548601413

Headers

File Characteristics

IMAGE_FILE_RELOCS_STRIPPED
IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LINE_NUMS_STRIPPED
IMAGE_FILE_LOCAL_SYMS_STRIPPED
IMAGE_FILE_32BIT_MACHINE

Imports

mfc42u

ord1764
ord6362
ord2405
ord2016
ord4214
ord2573
ord4395
ord3634
ord692
ord823
ord2371
ord3566
ord3621
ord3658
ord755
ord640
ord2397
ord2406
ord2745
ord5781
ord1634
ord1633
ord323
ord470
ord3867
ord4606
ord4604
ord4269
ord6371
ord4480
ord2546
ord2504
ord5727
ord3917
ord1089
ord5193
ord2388
ord3341
ord5296
ord5298
ord2717
ord4074
ord4692
ord5303
ord5285
ord5710
ord4616
ord3733
ord815
ord561
ord6211
ord2910
ord617
ord5297
ord5208
ord296
ord986
ord520
ord4154
ord6113
ord2613
ord1131
ord4370
ord4847
ord1817
ord4233
ord4690
ord3053
ord3060
ord6332
ord2502
ord2534
ord5239
ord5736
ord1739
ord5573
ord4118
ord5649
ord4414
ord4947
ord4852
ord2391
ord4381
ord3449
ord3193
ord6076
ord6171
ord4617
ord4420
ord652
ord338
ord4817
ord1937
ord4268
ord4583
ord4582
ord4893
ord4364
ord4886
ord5070
ord4335
ord4343
ord4717
ord4884
ord4525
ord4539
ord4537
ord4520
ord4523
ord4518
ord4958
ord4955
ord4103
ord5236
ord3743
ord1719
ord4426
ord813
ord560
ord5256
ord2078
ord4294
ord1834
ord4237
ord2715
ord2382
ord3054
ord5094
ord5097
ord4461
ord4298
ord3345
ord5006
ord975
ord5468
ord3398
ord2874
ord2873
ord4146
ord4072
ord5233
ord5278
ord2641
ord1658
ord4430
ord4421
ord674
ord366
ord5248
ord4331
ord535
ord537
ord1569
ord942
ord2859
ord3084
ord5276
ord3871
ord3870
ord5977
ord4219
ord4704
ord2810
ord3087
ord2634
ord6195
ord6330
ord3312
ord4229
ord2294
ord2293
ord2354
ord2362
ord2355
ord825
ord324
ord567
ord540
ord861
ord641
ord818
ord616
ord800
ord3577
ord4418
ord4621
ord4075
ord3074
ord3820
ord3826
ord3825
ord3397
ord2971
ord3076
ord2980
ord3257
ord3131
ord4459
ord3254
ord3142
ord2977
ord5273
ord2116
ord2438
ord5257
ord1720
ord5059
ord3744
ord6372
ord2047
ord2640
ord4435
ord4831
ord3793
ord5286
ord4347
ord6370
ord5157
ord2377
ord5237
ord4392
ord1768
ord4073
ord6051
ord2570
ord4213
ord2015
ord2403
ord3592
ord4419
ord4401
ord1767
ord6048
ord2506
ord4992
ord3167
ord5261
ord1165

msvcrt

_controlfp
_onexit
__dllonexit
?terminate@@YAXXZ
_except_handler3
__set_app_type
__p__fmode
__p__commode
_adjust_fdiv
__CxxFrameHandler
sprintf
strstr
wcscmp
wcslen
atoi
wcscat
wcsrchr
free
swprintf
_purecall
fclose
_wfopen
fread
fwrite
fseek
ftell
__setusermatherr
_initterm
__wgetmainargs
_wcmdln
exit
_XcptFilter
_exit
vsprintf
fflush
fputc
getc
fgets
fscanf
malloc
strncmp
_wsplitpath
rand
srand
wcscpy
strrchr
_itoa
strncpy
strncat
??1type_info@@UAE@XZ
getenv
sscanf
strtod
gmtime
_iob
fprintf
_snprintf
realloc
floor
_ftol
wcsncpy
calloc
_wcsnicmp
_CIpow
ldiv
_CIacos
_CIfmod
qsort
_cabs
ceil
longjmp
_setjmp3
__CxxLongjmpUnwind
_CxxThrowException
printf
isprint
abort

kernel32

MultiByteToWideChar
WideCharToMultiByte
WaitForSingleObject
PostQueuedCompletionStatus
InterlockedDecrement
VirtualFree
VirtualAlloc
LeaveCriticalSection
EnterCriticalSection
CloseHandle
GetStartupInfoW
CreateThread
Sleep
Beep
GetModuleFileNameW
GetLocalTime
CreateDirectoryW
GetModuleHandleW
GetTickCount
GlobalUnlock
GlobalLock
GlobalAlloc
GlobalSize
LockResource
LoadResource
SizeofResource
SetUnhandledExceptionFilter
SetFilePointer
CreateFileW
FormatMessageW
VirtualQuery
IsBadWritePtr
WriteFile
WritePrivateProfileStringA
GetModuleFileNameA
GetPrivateProfileIntA
GetPrivateProfileStringA
CreateDirectoryA
SetCurrentDirectoryA
GetLastError
CreateFileA
InitializeCriticalSection
DeleteCriticalSection
CreateEventW
GetSystemInfo
InterlockedExchange
CreateIoCompletionPort
SetEvent
OpenEventW
InterlockedIncrement
GetQueuedCompletionStatus

user32

SendMessageW
GetFocus
PostMessageW
KillTimer
SetTimer
GetParent
InvalidateRect
GetClientRect
UpdateWindow
ScreenToClient
GetWindowRect
AdjustWindowRectEx
GetWindowLongW
MessageBoxW
ReleaseDC
GetDC
GetIconInfo
DrawTextW
wvsprintfW
EnableWindow

gdi32

CreateRectRgn
CreateFontIndirectW
GetStockObject
SetTextColor
SetBkMode
StretchDIBits
RectVisible
CreateBitmap
SetBkColor
StretchBlt
SaveDC
GetClipBox
CreateRectRgnIndirect
ExtSelectClipRgn
SetStretchBltMode
SetDIBitsToDevice
RestoreDC
RealizePalette
GetDIBits
CreateDIBSection
CreateDIBPatternBrushPt
SetBrushOrgEx
PatBlt
DeleteObject
CreateCompatibleDC
CreateCompatibleBitmap
GetObjectW
SelectObject
BitBlt
DeleteDC
CombineRgn

winmm

mciSendCommandW

ws2_32

gethostbyname
gethostname
WSARecv
ntohs
inet_ntoa
WSAGetLastError
WSASend
closesocket
WSAIoctl
listen
bind
htons
inet_addr
socket
setsockopt
recv
getsockopt
send
WSACleanup
WSAStartup

Exports

Exports

??0CxFile@@QAE@ABV0@@Z
??0CxFile@@QAE@XZ
??0CxIOFile@@QAE@ABV0@@Z
??0CxIOFile@@QAE@PAU_iobuf@@@Z
??0CxMemFile@@QAE@ABV0@@Z
??1CxFile@@UAE@XZ
??1CxIOFile@@UAE@XZ
??1CxImage@@UAE@XZ
??4CxFile@@QAEAAV0@ABV0@@Z
??4CxIOFile@@QAEAAV0@ABV0@@Z
??4CxMemFile@@QAEAAV0@ABV0@@Z
??_7CxFile@@6B@
??_7CxIOFile@@6B@
??_7CxImage@@6B@
??_7CxMemFile@@6B@
??_FCxIOFile@@QAEXXZ
??_FCxImage@@QAEXXZ
??_FCxMemFile@@QAEXXZ
??_OCxImage@@QAEXABV0@@Z
?Close@CxIOFile@@UAE_NXZ
?Eof@CxIOFile@@UAE_NXZ
?Error@CxIOFile@@UAEJXZ
?Flush@CxIOFile@@UAE_NXZ
?GetC@CxIOFile@@UAEJXZ
?GetS@CxIOFile@@UAEPADPADH@Z
?Open@CxIOFile@@QAE_NPBG0@Z
?PutC@CxFile@@UAE_NE@Z
?PutC@CxIOFile@@UAE_NE@Z
?Read@CxIOFile@@UAEIPAXII@Z
?Scanf@CxIOFile@@UAEJPBDPAX@Z
?Seek@CxIOFile@@UAE_NJH@Z
?Size@CxIOFile@@UAEJXZ
?Tell@CxIOFile@@UAEJXZ
?Write@CxIOFile@@UAEIPBXII@Z

Sections

.text
Size: 392KB - Virtual size: 391KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rdata
Size: 40KB - Virtual size: 36KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.data
Size: 24KB - Virtual size: 23KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.rsrc
Size: 8KB - Virtual size: 7KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
3.1230/答题器/答题器使用说明.txt
3.1230/获取本机机器码.exe
.exe windows:4 windows x86 arch:x86

5c1d3119517289b75a05ec7926a7c0e8

Headers

File Characteristics

IMAGE_FILE_RELOCS_STRIPPED
IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LINE_NUMS_STRIPPED
IMAGE_FILE_LOCAL_SYMS_STRIPPED
IMAGE_FILE_32BIT_MACHINE

Imports

mfc42u

ord3142
ord3254
ord4459
ord3131
ord3257
ord2980
ord3076
ord2971
ord3825
ord3826
ord3820
ord3074
ord4075
ord4616
ord4418
ord3733
ord561
ord825
ord815
ord641
ord2506
ord2613
ord1131
ord861
ord5261
ord4370
ord4847
ord4992
ord6048
ord4073
ord1767
ord4401
ord5237
ord2977
ord5157
ord6370
ord4347
ord5276
ord3793
ord4831
ord4435
ord2640
ord2047
ord6372
ord3744
ord5059
ord1720
ord5257
ord2438
ord2116
ord5273
ord4621
ord4419
ord3592
ord1143
ord1165
ord324
ord4229
ord800
ord3087
ord6195
ord2810
ord540
ord4704
ord2371
ord755
ord470
ord5710
ord5285
ord5303
ord4692
ord4074
ord2717
ord5298
ord5296
ord3341
ord2388
ord5193
ord1089
ord3917
ord5727
ord2504
ord2546
ord4480
ord6371
ord4269
ord2377
ord4667
ord1569

msvcrt

_controlfp
_onexit
__dllonexit
_except_handler3
__set_app_type
__p__fmode
__p__commode
_adjust_fdiv
__setusermatherr
_initterm
__wgetmainargs
_wcmdln
wcscpy
__CxxFrameHandler
wcslen
_exit
_XcptFilter
exit

kernel32

GetModuleHandleW
GetFileAttributesW
GlobalUnlock
GetModuleFileNameW
GlobalAlloc
WideCharToMultiByte
GetStartupInfoW
LoadLibraryW
FreeLibrary
GetProcAddress
GetVersion
GlobalLock
CloseHandle
GetCurrentProcess

user32

GetClientRect
GetSystemMetrics
IsIconic
DrawIcon
EmptyClipboard
SetClipboardData
CloseClipboard
LoadIconW
MessageBoxW
OpenClipboard
SendMessageW
EnableWindow

advapi32

GetTokenInformation
RegOpenKeyA
RegQueryValueExA
RegCloseKey
OpenProcessToken

ole32

CLSIDFromProgID
CoInitialize
OleInitialize
OleUninitialize
CoCreateInstance
CoUninitialize

Sections

.text
Size: 4KB - Virtual size: 3KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rdata
Size: 4KB - Virtual size: 3KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.data
Size: 4KB - Virtual size: 956B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.rsrc
Size: 4KB - Virtual size: 2KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

Sharing

General

Malware Config

Signatures

Files

f076a1e4fbab4d2c4bccbdc4ea8a1b72

Headers

File Characteristics

Imports

mfc42

msvcrt

kernel32

advapi32

ole32

Exports

Exports

Sections

.text Size: 4KB - Virtual size: 3KB

.rdata Size: 4KB - Virtual size: 2KB

.data Size: 4KB - Virtual size: 4KB

.rsrc Size: 4KB - Virtual size: 2KB

.reloc Size: 4KB - Virtual size: 722B

Headers

File Characteristics

Exports

Exports

Sections

UPX0 Size: - Virtual size: 680KB

UPX1 Size: 762KB - Virtual size: 764KB

.rsrc Size: 50KB - Virtual size: 52KB

Headers

File Characteristics

Sections

.text Size: 740KB - Virtual size: 737KB

.rdata Size: 84KB - Virtual size: 82KB

.data Size: 36KB - Virtual size: 108KB

.rsrc Size: 228KB - Virtual size: 224KB

.tp0 Size: 48KB - Virtual size: 44KB

.tp1 Size: 168KB - Virtual size: 164KB

.reloc Size: 36KB - Virtual size: 33KB

f9a483ccad5ddc854d0524d2698b34b1

Headers

File Characteristics

Imports

mfc42u

msvcrt

kernel32

user32

oleaut32

ws2_32

Exports

Exports

Sections

.text Size: 12KB - Virtual size: 8KB

.rdata Size: 8KB - Virtual size: 5KB

.data Size: 4KB - Virtual size: 3KB

.rsrc Size: 8KB - Virtual size: 5KB

185d9b647f1a94ce35270ddd6b293f90

Headers

File Characteristics

Imports

kernel32

user32

gdi32

advapi32

shell32

ole32

oleaut32

mfc42u

msvcrt

Sections

.text Size: 204KB - Virtual size: 201KB

.rdata Size: 52KB - Virtual size: 48KB

.data Size: 8KB - Virtual size: 122.5MB

.rsrc Size: 548KB - Virtual size: 546KB

f5f3db2b537e0ffb6ad6f32548601413

Headers

File Characteristics

Imports

mfc42u

.text
Size: 4KB - Virtual size: 3KB

.rdata
Size: 4KB - Virtual size: 2KB

.data
Size: 4KB - Virtual size: 4KB

.rsrc
Size: 4KB - Virtual size: 2KB

.reloc
Size: 4KB - Virtual size: 722B

UPX0
Size: - Virtual size: 680KB

UPX1
Size: 762KB - Virtual size: 764KB

.rsrc
Size: 50KB - Virtual size: 52KB

.text
Size: 740KB - Virtual size: 737KB

.rdata
Size: 84KB - Virtual size: 82KB

.data
Size: 36KB - Virtual size: 108KB

.rsrc
Size: 228KB - Virtual size: 224KB

.tp0
Size: 48KB - Virtual size: 44KB

.tp1
Size: 168KB - Virtual size: 164KB

.reloc
Size: 36KB - Virtual size: 33KB

.text
Size: 12KB - Virtual size: 8KB

.rdata
Size: 8KB - Virtual size: 5KB

.data
Size: 4KB - Virtual size: 3KB

.rsrc
Size: 8KB - Virtual size: 5KB

.text
Size: 204KB - Virtual size: 201KB

.rdata
Size: 52KB - Virtual size: 48KB

.data
Size: 8KB - Virtual size: 122.5MB

.rsrc
Size: 548KB - Virtual size: 546KB

.text
Size: 392KB - Virtual size: 391KB

.rdata
Size: 40KB - Virtual size: 36KB

.data
Size: 24KB - Virtual size: 23KB

.rsrc
Size: 8KB - Virtual size: 7KB

.text
Size: 4KB - Virtual size: 3KB

.rdata
Size: 4KB - Virtual size: 3KB

.data
Size: 4KB - Virtual size: 956B

.rsrc
Size: 4KB - Virtual size: 2KB