17ce2461cf41dc55fd1432dd9b461086_JaffaCakes118

Sharing

Copy URL

Twitter E-mail

General

Target

17ce2461cf41dc55fd1432dd9b461086_JaffaCakes118
Size

3.2MB
MD5

17ce2461cf41dc55fd1432dd9b461086
SHA1

6548f1d8eb93f7847d43de307c9fcf783983b042
SHA256

b9968149cdedf77356e26d68d82bc47ac20d11a14763c026ec36b842850b4af0
SHA512

93f725bd9d74da2191e2e658f6ac73df8da86bdfc371a8610f32bdc4fc19363b76802ac219ba2172abee3bb794c66fcbe3db932b8ecc17220ce32537de6b3add
SSDEEP

98304:XbLB5a8V1wMQlFvacoQpOLVLTAr9PtganH9:rLB5lwMQwbL0kc9

Score

5^/10

upx

Malware Config

Signatures

UPX packed file 1 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
sample	upx

Unsigned PE 7 IoCs

Checks for missing Authenticode signature.

resource
unpack001/$PLUGINSDIR/InstallOptions.dll
unpack001/$PLUGINSDIR/System.dll
unpack001/$PLUGINSDIR/UserInfo.dll
unpack001/bomgar-plk.exe
unpack001/bomgar-sjp.exe
unpack001/nsnetpush.exe
unpack001/out.upx

NSIS installer 1 IoCs

installer

resource	yara_rule
static1/unpack001/out.upx	nsis_installer_2

Files

17ce2461cf41dc55fd1432dd9b461086_JaffaCakes118
.exe windows:4 windows x86 arch:x86

Code Sign

38:25:d7:fa:f8:61:af:9e:f4:90:e7:26:b5:d6:5a:d5
Certificate

Issuer

CN=VeriSign Time Stamping Services CA,O=VeriSign\, Inc.,C=US

Not Before

15-06-2007 00:00

Not After

14-06-2012 23:59

Subject

CN=VeriSign Time Stamping Services Signer - G2,O=VeriSign\, Inc.,C=US

Extended Key Usages

ExtKeyUsageTimeStamping

Key Usages

KeyUsageDigitalSignature
KeyUsageContentCommitment

47:bf:19:95:df:8d:52:46:43:f7:db:6d:48:0d:31:a4
Certificate

Issuer

CN=Thawte Timestamping CA,OU=Thawte Certification,O=Thawte,L=Durbanville,ST=Western Cape,C=ZA

Not Before

04-12-2003 00:00

Not After

03-12-2013 23:59

Subject

CN=VeriSign Time Stamping Services CA,O=VeriSign\, Inc.,C=US

Extended Key Usages

ExtKeyUsageTimeStamping

Key Usages

KeyUsageCertSign
KeyUsageCRLSign

65:52:26:e1:b2:2e:18:e1:59:0f:29:85:ac:22:e7:5c
Certificate

Issuer

OU=Class 3 Public Primary Certification Authority,O=VeriSign\, Inc.,C=US

Not Before

21-05-2009 00:00

Not After

20-05-2019 23:59

Subject

CN=VeriSign Class 3 Code Signing 2009-2 CA,OU=VeriSign Trust Network+OU=Terms of use at https://www.verisign.com/rpa (c)09,O=VeriSign\, Inc.,C=US

Extended Key Usages

ExtKeyUsageClientAuth
ExtKeyUsageCodeSigning

Key Usages

KeyUsageCertSign
KeyUsageCRLSign

26:36:a4:11:29:b4:e0:ae:32:42:18:a9:c3:82:52:c3
Certificate

Issuer

CN=VeriSign Class 3 Code Signing 2009-2 CA,OU=VeriSign Trust Network+OU=Terms of use at https://www.verisign.com/rpa (c)09,O=VeriSign\, Inc.,C=US

Not Before

03-02-2010 00:00

Not After

12-02-2013 23:59

Subject

CN=Bomgar Corporation,OU=Digital ID Class 3 - Microsoft Software Validation v2+OU=Remote Support,O=Bomgar Corporation,L=Ridgeland,ST=Mississippi,C=US

Extended Key Usages

ExtKeyUsageCodeSigning

Key Usages

KeyUsageDigitalSignature

e3:ff:7e:64:e3:8c:f9:8b:a4:7d:f8:46:63:79:6e:87:df:b6:f3:3f
Signer

Actual PE Digest

e3:ff:7e:64:e3:8c:f9:8b:a4:7d:f8:46:63:79:6e:87:df:b6:f3:3f

Digest Algorithm

sha1

PE Digest Matches

true

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE

File Characteristics

IMAGE_FILE_RELOCS_STRIPPED
IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LINE_NUMS_STRIPPED
IMAGE_FILE_LOCAL_SYMS_STRIPPED
IMAGE_FILE_32BIT_MACHINE

Sections

UPX0
Size: - Virtual size: 176KB

IMAGE_SCN_CNT_UNINITIALIZED_DATA
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

UPX1
Size: 17KB - Virtual size: 20KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.rsrc
Size: 6KB - Virtual size: 8KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE
$PLUGINSDIR/InstallOptions.dll
.dll windows:4 windows x86 arch:x86

b1cd0d78f652ce5fc63f0879371af012

Headers

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LINE_NUMS_STRIPPED
IMAGE_FILE_LOCAL_SYMS_STRIPPED
IMAGE_FILE_32BIT_MACHINE
IMAGE_FILE_DLL

Imports

kernel32

SetCurrentDirectoryA
GetCurrentDirectoryA
MultiByteToWideChar
GetPrivateProfileIntA
GlobalLock
GetModuleHandleA
lstrcmpiA
GetPrivateProfileStringA
lstrcatA
lstrcpynA
WritePrivateProfileStringA
lstrlenA
lstrcpyA
GlobalFree
GlobalUnlock
GlobalAlloc

user32

MapWindowPoints
GetDlgCtrlID
CloseClipboard
GetClipboardData
OpenClipboard
PtInRect
SetWindowRgn
LoadIconA
LoadImageA
SetWindowLongA
CreateWindowExA
MapDialogRect
SetWindowPos
GetWindowRect
CreateDialogParamA
ShowWindow
EnableMenuItem
GetSystemMenu
EnableWindow
GetDlgItem
DestroyIcon
DestroyWindow
DispatchMessageA
TranslateMessage
GetMessageA
IsDialogMessageA
LoadCursorA
SetCursor
DrawTextA
GetWindowLongA
DrawFocusRect
CallWindowProcA
PostMessageA
MessageBoxA
CharNextA
wsprintfA
GetWindowTextA
SetWindowTextA
SendMessageA
GetClientRect

gdi32

SetTextColor
CreateCompatibleDC
GetObjectA
GetDIBits
CreateRectRgn
CombineRgn
DeleteObject
SelectObject

shell32

SHBrowseForFolderA
SHGetDesktopFolder
SHGetPathFromIDListA
ShellExecuteA

comdlg32

GetOpenFileNameA
GetSaveFileNameA
CommDlgExtendedError

ole32

CoTaskMemFree

Exports

Exports

dialog
initDialog
show

Sections

.text
Size: 7KB - Virtual size: 6KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rdata
Size: 2KB - Virtual size: 2KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.data
Size: 2KB - Virtual size: 10KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.rsrc
Size: 512B - Virtual size: 152B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.reloc
Size: 1KB - Virtual size: 1KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ
$PLUGINSDIR/System.dll
.dll windows:4 windows x86 arch:x86

2017f2acbdaa42ab3e4adeb8b4c37e7b

Headers

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LINE_NUMS_STRIPPED
IMAGE_FILE_LOCAL_SYMS_STRIPPED
IMAGE_FILE_32BIT_MACHINE
IMAGE_FILE_DLL

Imports

kernel32

GlobalAlloc
GlobalFree
GlobalSize
GetLastError
lstrcpyA
lstrcpynA
FreeLibrary
lstrcatA
GetProcAddress
LoadLibraryA
GetModuleHandleA
MultiByteToWideChar
lstrlenA
WideCharToMultiByte
VirtualAlloc
VirtualProtect

user32

wsprintfA

ole32

StringFromGUID2
CLSIDFromString

Exports

Exports

Alloc
Call
Copy
Free
Get
Int64Op
Store

Sections

.text
Size: 7KB - Virtual size: 7KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rdata
Size: 1024B - Virtual size: 784B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.data
Size: 512B - Virtual size: 100B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.reloc
Size: 1024B - Virtual size: 520B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ
$PLUGINSDIR/UserInfo.dll
.dll windows:4 windows x86 arch:x86

afa8e526425f3585465337467d0b5909

Headers

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LINE_NUMS_STRIPPED
IMAGE_FILE_LOCAL_SYMS_STRIPPED
IMAGE_FILE_32BIT_MACHINE
IMAGE_FILE_DLL

Imports

kernel32

GetVersion
GetCurrentThread
lstrcpynA
GetCurrentProcess
GetModuleHandleA
GetProcAddress
GetLastError
GlobalFree
CloseHandle
GlobalAlloc

advapi32

OpenProcessToken
GetTokenInformation
AllocateAndInitializeSid
EqualSid
FreeSid
GetUserNameA
OpenThreadToken

Exports

Exports

GetAccountType
GetName
GetOriginalAccountType

Sections

.text
Size: 1024B - Virtual size: 741B

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rdata
Size: 1024B - Virtual size: 673B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.data
Size: 512B - Virtual size: 88B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.reloc
Size: 512B - Virtual size: 190B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ
$PLUGINSDIR/ioSpecial.ini
$PLUGINSDIR/modern-wizard.bmp
bomgar-jpt.exe
.exe windows:4 windows x86 arch:x86

d0a2d10a1d049c1e5179dda836195376

Code Sign

38:25:d7:fa:f8:61:af:9e:f4:90:e7:26:b5:d6:5a:d5
Certificate

Issuer

CN=VeriSign Time Stamping Services CA,O=VeriSign\, Inc.,C=US

Not Before

15-06-2007 00:00

Not After

14-06-2012 23:59

Subject

CN=VeriSign Time Stamping Services Signer - G2,O=VeriSign\, Inc.,C=US

Extended Key Usages

ExtKeyUsageTimeStamping

Key Usages

KeyUsageDigitalSignature
KeyUsageContentCommitment

47:bf:19:95:df:8d:52:46:43:f7:db:6d:48:0d:31:a4
Certificate

Issuer

CN=Thawte Timestamping CA,OU=Thawte Certification,O=Thawte,L=Durbanville,ST=Western Cape,C=ZA

Not Before

04-12-2003 00:00

Not After

03-12-2013 23:59

Subject

CN=VeriSign Time Stamping Services CA,O=VeriSign\, Inc.,C=US

Extended Key Usages

ExtKeyUsageTimeStamping

Key Usages

KeyUsageCertSign
KeyUsageCRLSign

65:52:26:e1:b2:2e:18:e1:59:0f:29:85:ac:22:e7:5c
Certificate

Issuer

OU=Class 3 Public Primary Certification Authority,O=VeriSign\, Inc.,C=US

Not Before

21-05-2009 00:00

Not After

20-05-2019 23:59

Subject

CN=VeriSign Class 3 Code Signing 2009-2 CA,OU=VeriSign Trust Network+OU=Terms of use at https://www.verisign.com/rpa (c)09,O=VeriSign\, Inc.,C=US

Extended Key Usages

ExtKeyUsageClientAuth
ExtKeyUsageCodeSigning

Key Usages

KeyUsageCertSign
KeyUsageCRLSign

26:36:a4:11:29:b4:e0:ae:32:42:18:a9:c3:82:52:c3
Certificate

Issuer

CN=VeriSign Class 3 Code Signing 2009-2 CA,OU=VeriSign Trust Network+OU=Terms of use at https://www.verisign.com/rpa (c)09,O=VeriSign\, Inc.,C=US

Not Before

03-02-2010 00:00

Not After

12-02-2013 23:59

Subject

CN=Bomgar Corporation,OU=Digital ID Class 3 - Microsoft Software Validation v2+OU=Remote Support,O=Bomgar Corporation,L=Ridgeland,ST=Mississippi,C=US

Extended Key Usages

ExtKeyUsageCodeSigning

Key Usages

KeyUsageDigitalSignature

d3:b6:96:d7:f7:4a:23:60:5c:ef:fa:27:f7:3e:01:b8:92:63:a1:06
Signer

Actual PE Digest

d3:b6:96:d7:f7:4a:23:60:5c:ef:fa:27:f7:3e:01:b8:92:63:a1:06

Digest Algorithm

sha1

PE Digest Matches

true

Headers

File Characteristics

IMAGE_FILE_RELOCS_STRIPPED
IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_32BIT_MACHINE

PDB Paths

bomgar-jpt.pdb

Imports

ws2_32

accept
listen
socket
send
getsockname
getpeername
bind
connect
select
__WSAFDIsSet
recv
ioctlsocket
closesocket
WSAAsyncSelect
WSAStartup
gethostname
WSACleanup
shutdown
WSASetLastError
ntohs
getservbyport
gethostbyaddr
htons
getservbyname
htonl
inet_ntoa
gethostbyname
WSAGetLastError
inet_addr
setsockopt

user32

GetIconInfo
CreateIconIndirect
SetCursorPos
DestroyCursor
CreateCursor
FlashWindowEx
GetCaretBlinkTime
GetSysColor
MessageBeep
GetParent
WindowFromPoint
GetKeyState
GetCursorPos
ClipCursor
GetSysColorBrush
GetDoubleClickTime
LoadImageW
SetDoubleClickTime
GetClassInfoW
GetWindowRgn
SetCaretBlinkTime
EndPaint
BeginPaint
InvalidateRgn
GetUpdateRect
ScreenToClient
SetParent
UpdateWindow
ShowWindow
ScrollWindowEx
IsWindowVisible
EnableMenuItem
GetSystemMenu
ClientToScreen
GetWindowRect
GetClientRect
SetWindowPlacement
SetWindowPos
GetWindowPlacement
AdjustWindowRectEx
DrawIconEx
GetDesktopWindow
InvalidateRect
MoveWindow
GetSystemMetrics
IsZoomed
IsIconic
SetForegroundWindow
ReleaseCapture
SetWindowRgn
SetCursor
SendMessageW
DestroyIcon
SetWindowTextW
SystemParametersInfoW
IsChild
GetActiveWindow
ReleaseDC
SetFocus
GetDC
GetFocus
SetTimer
SetWindowLongW
CreateWindowExW
RegisterClassW
CallNextHookEx
GetQueueStatus
DefWindowProcW
GetWindowLongW
KillTimer
PostMessageW
PeekMessageW
UnregisterClassW
DestroyWindow
UnhookWindowsHookEx
DispatchMessageW
TranslateMessage
MsgWaitForMultipleObjectsEx
SetWindowsHookExW
CharNextExA
RegisterClipboardFormatW
GetKeyboardLayoutList
RegisterWindowMessageW
SetCaretPos
DestroyCaret
CreateCaret
HideCaret
ToUnicode
SetMenuItemInfoW
TrackPopupMenuEx
GetKeyboardLayout
GetKeyboardState
MapVirtualKeyW
ToAscii
GetMenu
LoadIconW
ChangeClipboardChain
SetClipboardViewer
GetClipboardFormatNameW
PostQuitMessage
ValidateRgn
SetCapture

shell32

SHFileOperationW
ShellExecuteW
SHGetPathFromIDListW
SHGetFileInfoW
SHGetSpecialFolderLocation

kernel32

LCMapStringA
CreateProcessW
WaitForSingleObject
GetExitCodeProcess
SetFileTime
GetDateFormatA
GetTimeFormatA
SetStdHandle
SetFileAttributesW
GetCurrentDirectoryA
GetConsoleMode
GetConsoleCP
LCMapStringW
GetCPInfo
GetStringTypeA
MoveFileA
SystemTimeToFileTime
LocalFileTimeToFileTime
GetStringTypeW
CompareStringA
HeapDestroy
HeapCreate
CloseHandle
GetCurrentThread
GetLastError
Sleep
GetSystemDirectoryA
LoadLibraryA
FreeLibrary
GetProcAddress
WideCharToMultiByte
GetCurrentProcess
TerminateProcess
GetLogicalDriveStringsA
GetDriveTypeA
GetDiskFreeSpaceExA
GetFileAttributesW
MultiByteToWideChar
VirtualFree
GetACP
GetOEMCP
IsValidCodePage
HeapSize
GetStdHandle
FreeEnvironmentStringsA
FindFirstChangeNotificationW
FindCloseChangeNotification
FindNextChangeNotification
QueryPerformanceFrequency
EnumSystemLocalesA
WriteConsoleW
GetConsoleOutputCP
WriteConsoleA
SetEnvironmentVariableA
FlushFileBuffers
QueryPerformanceCounter
SetHandleCount
GetEnvironmentStringsW
FreeEnvironmentStringsW
ExitProcess
GetTimeZoneInformation
CreateThread
ExitThread
HeapReAlloc
GetStartupInfoA
GetProcessHeap
GetVersionExA
GetCommandLineA
VirtualQuery
GetModuleHandleA
VirtualAlloc
VirtualProtect
HeapAlloc
IsDebuggerPresent
UnhandledExceptionFilter
RtlUnwind
GetSystemTimeAsFileTime
HeapFree
GetLocaleInfoA
InterlockedExchange
InterlockedCompareExchange
InterlockedIncrement
CreateNamedPipeW
ConnectNamedPipe
PeekNamedPipe
GetOverlappedResult
WaitNamedPipeW
DisconnectNamedPipe
GetEnvironmentStrings
GetComputerNameA
lstrlenA
lstrcatA
SetLastError
GetTempFileNameW
OpenEventW
GetComputerNameW
lstrcpynW
lstrcpyW
lstrcatW
CreateProcessA
LocalAlloc
OpenProcess
SetFilePointer
GetTickCount
CreateMutexW
ReleaseMutex
SetUnhandledExceptionFilter
GetModuleFileNameA
DeleteFileA
CreateFileA
RaiseException
GetDriveTypeW
lstrcmpW
GlobalFree
GlobalSize
ExpandEnvironmentStringsW
GetUserDefaultLangID
IsValidLocale
IsValidLanguageGroup
GlobalAlloc
GlobalUnlock
GlobalLock
InterlockedDecrement
GetVolumeInformationW
FindNextFileW
MapViewOfFile
DeleteFileW
CreateFileMappingW
GetFileType
GetFileTime
SystemTimeToTzSpecificLocalTime
WriteFile
FileTimeToSystemTime
SetEndOfFile
ReadFile
SetFilePointerEx
GetFileInformationByHandle
FindClose
FindFirstFileW
GetFileAttributesExW
CreateFileW
GetFullPathNameW
DeviceIoControl
LoadLibraryW
GetLogicalDrives
GetTempPathW
GetCurrentDirectoryW
SetCurrentDirectoryW
RemoveDirectoryW
CreateDirectoryW
MoveFileW
UnmapViewOfFile
CopyFileW
SetErrorMode
ReleaseSemaphore
CreateSemaphoreW
OutputDebugStringW
LeaveCriticalSection
EnterCriticalSection
DeleteCriticalSection
InitializeCriticalSection
GetModuleHandleW
GetModuleFileNameW
GetVersionExW
CompareStringW
GetUserDefaultLCID
GetCommandLineW
GetCurrentProcessId
GetSystemInfo
GetThreadPriority
SetThreadPriority
ResumeThread
TerminateThread
TlsAlloc
TlsFree
TlsGetValue
TlsSetValue
DuplicateHandle
GetCurrentThreadId
CreateEventW
SetEvent
WaitForMultipleObjects
GetLocalTime
GetLocaleInfoW
ResetEvent
GetDateFormatW
GetTimeFormatW
FormatMessageW
LocalFree

advapi32

CryptGenRandom
CryptReleaseContext
CryptAcquireContextA
RegCreateKeyExW
RegQueryInfoKeyW
RegEnumValueW
RegEnumKeyExW
RegCloseKey
RegDeleteKeyW
RegQueryValueExW
RegDeleteValueW
GetSecurityDescriptorLength
MakeSelfRelativeSD
RegEnumKeyW
RegSetKeySecurity
RegConnectRegistryW
RegSetValueExW
RegFlushKey
LookupPrivilegeValueA
AdjustTokenPrivileges
FreeSid
AllocateAndInitializeSid
DuplicateToken
LookupAccountSidW
RevertToSelf
GetUserNameW
ImpersonateLoggedOnUser
AccessCheck
IsValidSecurityDescriptor
SetSecurityDescriptorOwner
SetSecurityDescriptorGroup
AddAccessAllowedAce
SetServiceStatus
QueryServiceStatus
CloseServiceHandle
OpenServiceW
OpenSCManagerW
ControlService
StartServiceA
RegOpenKeyExW
AddAce
InitializeAcl
GetAclInformation
GetSecurityDescriptorControl
MakeAbsoluteSD
GetSecurityDescriptorSacl
GetSecurityDescriptorDacl
GetSecurityDescriptorGroup
GetSecurityDescriptorOwner
InitializeSecurityDescriptor
OpenProcessToken
OpenThreadToken
GetLengthSid
IsValidSid
CopySid
SetSecurityDescriptorDacl
GetSidSubAuthority
InitializeSid
GetSidLengthRequired
GetTokenInformation
OpenServiceA
DeleteService
CreateServiceW
RegisterServiceCtrlHandlerW
StartServiceCtrlDispatcherW
RegEnumKeyExA
RegOpenKeyExA
RegQueryValueExA
RegOpenKeyA

mpr

WNetCancelConnection2W
WNetAddConnection2W
WNetOpenEnumW
WNetGetLastErrorW
WNetEnumResourceW
WNetCloseEnum
WNetGetResourceInformationW

crypt32

CryptHashPublicKeyInfo
CryptProtectData

userenv

UnloadUserProfile
LoadUserProfileW

rpcrt4

UuidToStringW
RpcStringFreeW

wininet

DetectAutoProxyUrl

urlmon

URLDownloadToFileA

gdi32

SelectClipRgn
GetDeviceCaps
CombineRgn
OffsetRgn
DeleteObject
CreateRectRgn
GetRegionData
SelectPalette
RealizePalette
GetStockObject
GetObjectW
PtInRegion
DeleteDC
CreateDIBSection
GetDIBits
CreateBitmap
CreateCompatibleBitmap
SelectObject
BitBlt
CreateFontIndirectW
GetFontData
EnumFontFamiliesExW
GetTextMetricsW
GetTextFaceW
GetCharABCWidthsW
SetTextColor
SetBkMode
SetTextAlign
ExtTextOutW
GetOutlineTextMetricsW
GetTextExtentPoint32W
SetGraphicsMode
SetWorldTransform
GetGlyphOutlineW
GetCharABCWidthsFloatW
CreatePalette
GetPaletteEntries
GdiFlush
CreateCompatibleDC

comdlg32

GetOpenFileNameW

oleaut32

SysFreeString
VariantInit
SysStringLen
SysAllocStringByteLen
SysAllocString

imm32

ImmAssociateContext
ImmSetCandidateWindow
ImmSetCompositionWindow
ImmSetCompositionFontW
ImmGetCompositionStringW
ImmNotifyIME
ImmReleaseContext
ImmGetContext
ImmGetDefaultIMEWnd

winmm

timeGetTime
PlaySoundW

ole32

CoGetMalloc
StringFromGUID2
CoCreateInstance
CoInitialize
CoUninitialize
CoLockObjectExternal
RegisterDragDrop
RevokeDragDrop
CoCreateGuid
OleInitialize
OleUninitialize
ReleaseStgMedium
DoDragDrop
OleGetClipboard
OleSetClipboard
OleFlushClipboard
OleIsCurrentClipboard
CoTaskMemFree

Sections

.text
Size: 5.3MB - Virtual size: 5.3MB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rdata
Size: 1.5MB - Virtual size: 1.5MB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.data
Size: 51KB - Virtual size: 84KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.rsrc
Size: 13KB - Virtual size: 12KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
bomgar-plk.exe
.exe windows:4 windows x86 arch:x86

350bb30b62d434659154a6499fc5adc5

Headers

File Characteristics

IMAGE_FILE_RELOCS_STRIPPED
IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_32BIT_MACHINE

Imports

kernel32

CreateEventA
CreateThread
GetVersionExA
GetProcAddress
LoadLibraryA
FreeLibrary
FormatMessageA
GetPrivateProfileStringA
GetModuleFileNameA
TerminateProcess
GetCurrentProcess
WaitForMultipleObjects
GetCurrentThreadId
GetFileType
GetLastError
CreateProcessA
SetHandleInformation
CreatePipe
ClearCommBreak
SetCommTimeouts
SetCommState
GetCommState
CreateFileA
SetCommBreak
SetLastError
GetLocalTime
WaitForSingleObject
GetOverlappedResult
SetEvent
CloseHandle
WriteFile
GetStdHandle
GetConsoleMode
SetConsoleMode
ReadFile
GetTickCount
IsDebuggerPresent
OpenEventA
UnhandledExceptionFilter
GetTimeFormatA
GetDateFormatA
EnterCriticalSection
LeaveCriticalSection
HeapAlloc
HeapReAlloc
HeapFree
SetUnhandledExceptionFilter
GetModuleHandleA
ExitProcess
ExitThread
GetCurrentProcessId
GetSystemTimeAsFileTime
GetCommandLineA
GetProcessHeap
RtlUnwind
SetHandleCount
GetStartupInfoA
DeleteCriticalSection
GetCPInfo
InterlockedIncrement
InterlockedDecrement
GetACP
GetOEMCP
IsValidCodePage
TlsGetValue
TlsAlloc
TlsSetValue
TlsFree
WideCharToMultiByte
GetConsoleCP
FlushFileBuffers
Sleep
GetTimeZoneInformation
LCMapStringA
MultiByteToWideChar
LCMapStringW
VirtualFree
VirtualAlloc
HeapDestroy
HeapCreate
HeapSize
InitializeCriticalSection
FreeEnvironmentStringsA
GetEnvironmentStrings
FreeEnvironmentStringsW
GetEnvironmentStringsW
QueryPerformanceCounter
SetFilePointer
GetStringTypeA
GetStringTypeW
GetLocaleInfoA
WriteConsoleA
GetConsoleOutputCP
WriteConsoleW
SetStdHandle
CompareStringA
CompareStringW
SetEnvironmentVariableA
SetEndOfFile

advapi32

RegQueryValueExA
RegOpenKeyA
RegSetValueExA
RegCreateKeyA
RegCloseKey
CryptReleaseContext
CryptAcquireContextA
CryptGenRandom
InitializeSecurityDescriptor
SetSecurityDescriptorDacl

Sections

.text
Size: 252KB - Virtual size: 251KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rdata
Size: 64KB - Virtual size: 62KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.data
Size: 8KB - Virtual size: 26KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.rsrc
Size: 8KB - Virtual size: 5KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
bomgar-sjp.exe
.exe windows:4 windows x86 arch:x86

9817e4ba95c7c5d1342a63f1b73b90e4

Headers

File Characteristics

IMAGE_FILE_RELOCS_STRIPPED
IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_32BIT_MACHINE

PDB Paths

c:\Source\maintenance-ingredi-10.5\networkstreaming\trymax\push_agent\win32\bomgar-sjp.pdb

Imports

kernel32

SizeofResource
lstrcmpiW
FreeLibrary
WaitForSingleObject
GetModuleHandleW
FindResourceW
InterlockedIncrement
LoadLibraryExW
CreateEventW
GetModuleFileNameW
LeaveCriticalSection
DeleteCriticalSection
GetCommandLineW
lstrlenW
RaiseException
EnterCriticalSection
SetEvent
InterlockedDecrement
CloseHandle
OpenEventW
InitializeCriticalSection
LoadResource
MultiByteToWideChar
GetLastError
ReadFile
WriteFile
WideCharToMultiByte
TerminateProcess
GetCurrentProcess
GetThreadLocale
SetEnvironmentVariableA
WriteConsoleW
GetConsoleOutputCP
WriteConsoleA
GetLocaleInfoW
IsValidLocale
EnumSystemLocalesA
GetUserDefaultLCID
GetProcAddress
LoadLibraryA
SetLastError
DeleteFileA
GlobalFree
lstrcatA
lstrlenA
GetComputerNameA
QueryPerformanceCounter
QueryPerformanceFrequency
LoadLibraryW
ExpandEnvironmentStringsW
GetTickCount
GetVersionExW
MoveFileW
DeleteFileW
SetEndOfFile
SetFilePointer
CreateFileW
FindClose
FindFirstFileW
GetDriveTypeA
FindNextFileW
GetLogicalDrives
ReleaseMutex
GetCurrentThreadId
CreateMutexW
LocalFree
LocalAlloc
GetCurrentThread
Sleep
GetExitCodeProcess
CreateProcessW
lstrcpyW
GetComputerNameW
ResetEvent
WaitForMultipleObjects
SetCurrentDirectoryW
RemoveDirectoryW
CreateDirectoryW
DuplicateHandle
CreatePipe
OpenProcess
FormatMessageW
GetTempPathW
GetTempFileNameW
GetSystemInfo
GetCurrentProcessId
CreateFileA
GetModuleFileNameA
SetUnhandledExceptionFilter
SetErrorMode
InterlockedCompareExchange
InterlockedExchange
GetLocaleInfoA
HeapFree
UnhandledExceptionFilter
IsDebuggerPresent
GetSystemTimeAsFileTime
HeapAlloc
HeapReAlloc
GetVersionExA
GetProcessHeap
GetStartupInfoW
RtlUnwind
GetTimeZoneInformation
GetFullPathNameW
MoveFileA
ExitThread
CreateThread
VirtualProtect
VirtualAlloc
GetModuleHandleA
VirtualQuery
GetTimeFormatA
GetDateFormatA
GetCPInfo
LCMapStringA
LCMapStringW
GetStringTypeA
GetStringTypeW
CompareStringA
CompareStringW
GetACP
GetOEMCP
IsValidCodePage
TlsGetValue
TlsAlloc
TlsSetValue
TlsFree
GetStdHandle
HeapDestroy
HeapCreate
VirtualFree
HeapSize
ExitProcess
FreeEnvironmentStringsA
GetEnvironmentStrings
FreeEnvironmentStringsW
GetEnvironmentStringsW
GetCommandLineA
SetHandleCount
GetFileType
GetStartupInfoA
GetConsoleCP
GetConsoleMode
FlushFileBuffers
SetStdHandle
GetCurrentDirectoryA

user32

CharNextW
GetSystemMetrics
UnregisterClassA

advapi32

IsValidSid
RegOpenKeyExA
RegQueryValueExA
RegOpenKeyA
CryptAcquireContextA
CryptReleaseContext
CryptGenRandom
RegFlushKey
RegConnectRegistryW
RegQueryValueExW
RegEnumValueW
RegEnumKeyW
FreeSid
AccessCheck
IsValidSecurityDescriptor
SetSecurityDescriptorOwner
SetSecurityDescriptorGroup
AddAccessAllowedAce
InitializeAcl
GetLengthSid
AllocateAndInitializeSid
DuplicateToken
OpenProcessToken
OpenThreadToken
GetUserNameW
SetServiceStatus
AdjustTokenPrivileges
LookupPrivilegeValueA
RegDeleteValueW
RegCreateKeyExW
RegEnumKeyExW
RegQueryInfoKeyW
RegSetValueExW
RegOpenKeyExW
InitializeSecurityDescriptor
RegDeleteKeyW
SetSecurityDescriptorDacl
RegCloseKey
ImpersonateLoggedOnUser
RevertToSelf
LookupAccountSidW
RegEnumKeyExA
CopySid
GetTokenInformation

ole32

CoInitialize
CoUninitialize
CoCreateGuid
CoCreateInstance
CoTaskMemAlloc
CoTaskMemFree
CoTaskMemRealloc

oleaut32

SysAllocString
VarUI4FromStr
SysFreeString

crypt32

CryptHashPublicKeyInfo

ws2_32

recv
send
getsockname
inet_ntoa
ntohs
getpeername
setsockopt
htons
bind
WSAGetLastError
connect
select
__WSAFDIsSet
shutdown
inet_addr
gethostbyname
socket
WSAStartup
WSACleanup
closesocket
ioctlsocket

wininet

DetectAutoProxyUrl

urlmon

URLDownloadToFileA

userenv

LoadUserProfileW
UnloadUserProfile

rpcrt4

UuidToStringW
RpcStringFreeW

winmm

timeGetTime

shell32

SHGetPathFromIDListW
SHGetSpecialFolderLocation

Sections

.text
Size: 732KB - Virtual size: 728KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rdata
Size: 160KB - Virtual size: 158KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.data
Size: 24KB - Virtual size: 40KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.rsrc
Size: 4KB - Virtual size: 176B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
nsnetpush.exe
.exe windows:4 windows x86 arch:x86

09d0478591d4f788cb3e5ea416c25237

Headers

File Characteristics

IMAGE_FILE_RELOCS_STRIPPED
IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_32BIT_MACHINE

Imports

kernel32

LoadLibraryA
GetProcAddress
VirtualAlloc
VirtualFree

Sections

.text
Size: 101KB - Virtual size: 252KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.rsrc
Size: 4KB - Virtual size: 4KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE
out.upx
.exe windows:4 windows x86 arch:x86

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE

File Characteristics

IMAGE_FILE_RELOCS_STRIPPED
IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LINE_NUMS_STRIPPED
IMAGE_FILE_LOCAL_SYMS_STRIPPED
IMAGE_FILE_32BIT_MACHINE

Sections

.text
Size: 23KB - Virtual size: 22KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rdata
Size: 4KB - Virtual size: 4KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.data
Size: 1024B - Virtual size: 107KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.ndata
Size: - Virtual size: 40KB

IMAGE_SCN_CNT_UNINITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.rsrc
Size: 7KB - Virtual size: 6KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
pixmaps/banner.png
.png
pixmaps/small_logo.png
.png
preload-en-us.rdf
server.lic
unbomgar.exe.nsis

Sharing

General

Malware Config

Signatures

Files

Code Sign

38:25:d7:fa:f8:61:af:9e:f4:90:e7:26:b5:d6:5a:d5Certificate

Extended Key Usages

Key Usages

47:bf:19:95:df:8d:52:46:43:f7:db:6d:48:0d:31:a4Certificate

Extended Key Usages

Key Usages

65:52:26:e1:b2:2e:18:e1:59:0f:29:85:ac:22:e7:5cCertificate

Extended Key Usages

Key Usages

26:36:a4:11:29:b4:e0:ae:32:42:18:a9:c3:82:52:c3Certificate

Extended Key Usages

Key Usages

e3:ff:7e:64:e3:8c:f9:8b:a4:7d:f8:46:63:79:6e:87:df:b6:f3:3fSigner

Headers

DLL Characteristics

File Characteristics

Sections

UPX0 Size: - Virtual size: 176KB

UPX1 Size: 17KB - Virtual size: 20KB

.rsrc Size: 6KB - Virtual size: 8KB

b1cd0d78f652ce5fc63f0879371af012

Headers

File Characteristics

Imports

kernel32

user32

gdi32

shell32

comdlg32

ole32

Exports

Exports

Sections

.text Size: 7KB - Virtual size: 6KB

.rdata Size: 2KB - Virtual size: 2KB

.data Size: 2KB - Virtual size: 10KB

.rsrc Size: 512B - Virtual size: 152B

.reloc Size: 1KB - Virtual size: 1KB

2017f2acbdaa42ab3e4adeb8b4c37e7b

Headers

File Characteristics

Imports

kernel32

user32

ole32

Exports

Exports

Sections

.text Size: 7KB - Virtual size: 7KB

.rdata Size: 1024B - Virtual size: 784B

.data Size: 512B - Virtual size: 100B

.reloc Size: 1024B - Virtual size: 520B

afa8e526425f3585465337467d0b5909

Headers

File Characteristics

Imports

kernel32

advapi32

Exports

Exports

Sections

.text Size: 1024B - Virtual size: 741B

.rdata Size: 1024B - Virtual size: 673B

.data Size: 512B - Virtual size: 88B

.reloc Size: 512B - Virtual size: 190B

d0a2d10a1d049c1e5179dda836195376

Code Sign

38:25:d7:fa:f8:61:af:9e:f4:90:e7:26:b5:d6:5a:d5Certificate

Extended Key Usages

Key Usages

47:bf:19:95:df:8d:52:46:43:f7:db:6d:48:0d:31:a4Certificate

Extended Key Usages

Key Usages

65:52:26:e1:b2:2e:18:e1:59:0f:29:85:ac:22:e7:5cCertificate

38:25:d7:fa:f8:61:af:9e:f4:90:e7:26:b5:d6:5a:d5
Certificate

47:bf:19:95:df:8d:52:46:43:f7:db:6d:48:0d:31:a4
Certificate

65:52:26:e1:b2:2e:18:e1:59:0f:29:85:ac:22:e7:5c
Certificate

26:36:a4:11:29:b4:e0:ae:32:42:18:a9:c3:82:52:c3
Certificate

e3:ff:7e:64:e3:8c:f9:8b:a4:7d:f8:46:63:79:6e:87:df:b6:f3:3f
Signer

UPX0
Size: - Virtual size: 176KB

UPX1
Size: 17KB - Virtual size: 20KB

.rsrc
Size: 6KB - Virtual size: 8KB

.text
Size: 7KB - Virtual size: 6KB

.rdata
Size: 2KB - Virtual size: 2KB

.data
Size: 2KB - Virtual size: 10KB

.rsrc
Size: 512B - Virtual size: 152B

.reloc
Size: 1KB - Virtual size: 1KB

.text
Size: 7KB - Virtual size: 7KB

.rdata
Size: 1024B - Virtual size: 784B

.data
Size: 512B - Virtual size: 100B

.reloc
Size: 1024B - Virtual size: 520B

.text
Size: 1024B - Virtual size: 741B

.rdata
Size: 1024B - Virtual size: 673B

.data
Size: 512B - Virtual size: 88B

.reloc
Size: 512B - Virtual size: 190B

38:25:d7:fa:f8:61:af:9e:f4:90:e7:26:b5:d6:5a:d5
Certificate

47:bf:19:95:df:8d:52:46:43:f7:db:6d:48:0d:31:a4
Certificate

65:52:26:e1:b2:2e:18:e1:59:0f:29:85:ac:22:e7:5c
Certificate

26:36:a4:11:29:b4:e0:ae:32:42:18:a9:c3:82:52:c3
Certificate

d3:b6:96:d7:f7:4a:23:60:5c:ef:fa:27:f7:3e:01:b8:92:63:a1:06
Signer

.text
Size: 5.3MB - Virtual size: 5.3MB

.rdata
Size: 1.5MB - Virtual size: 1.5MB

.data
Size: 51KB - Virtual size: 84KB

.rsrc
Size: 13KB - Virtual size: 12KB

.text
Size: 252KB - Virtual size: 251KB

.rdata
Size: 64KB - Virtual size: 62KB

.data
Size: 8KB - Virtual size: 26KB

.rsrc
Size: 8KB - Virtual size: 5KB

.text
Size: 732KB - Virtual size: 728KB

.rdata
Size: 160KB - Virtual size: 158KB

.data
Size: 24KB - Virtual size: 40KB

.rsrc
Size: 4KB - Virtual size: 176B