E:\projects\dirtyJOE\Release_x64\PyJOE25.pdb
Static task static1
Behavioral task behavioral1: Sample PyJOE25.dll, Resource win7-20240903-en
Behavioral task behavioral2: Sample PyJOE25.dll, Resource win10v2004-20241007-en
Behavioral task behavioral3: Sample PyJOE26.dll, Resource win7-20240708-en
Behavioral task behavioral4: Sample PyJOE26.dll, Resource win10v2004-20241007-en
Behavioral task behavioral5: Sample PyJOE27.dll, Resource win7-20240903-en
Behavioral task behavioral6: Sample PyJOE27.dll, Resource win10v2004-20241007-en
Behavioral task behavioral7: Sample dirtyJOE.exe, Resource win7-20240903-en
Behavioral task behavioral8: Sample dirtyJOE.exe, Resource win10v2004-20241007-en
Behavioral task behavioral9: Sample dirtyjoe.chm, Resource win7-20240903-en
Behavioral task behavioral10: Sample dirtyjoe.chm, Resource win10v2004-20241007-en
Behavioral task behavioral11: Sample jvmspec.dat, Resource win7-20240903-en
Behavioral task behavioral12: Sample jvmspec.dat, Resource win10v2004-20241007-en
Behavioral task behavioral13: Sample scripts/allatori_decrypt.py, Resource win7-20240903-en
Behavioral task behavioral14: Sample scripts/allatori_decrypt.py, Resource win10v2004-20241007-en
Behavioral task behavioral15: Sample scripts/pyjoe.py, Resource win7-20240903-en
Behavioral task behavioral16: Sample scripts/pyjoe.py, Resource win10v2004-20241007-en
Behavioral task behavioral17: Sample scripts/zkm_decrypt.py, Resource win7-20240903-en
Behavioral task behavioral18: Sample scripts/zkm_decrypt.py, Resource win10v2004-20241007-en
General
- Target: rewolf_dirtyjoe_v1.7_(c529)_x64.zip
- Size: 1.4MB
- MD5: a463dfad7183e6d5d57ef76d18e0389c
- SHA1: e94bfd5f6689aef425a31a8d401f038d2659e76b
- SHA256: 64cd55b7ec2acf6968d80f32afcaed7ed81f1d253a35ed85a1a5ed385c257358
- SHA512: 04442581effc1a2bf102b1ca3e3e1dc3dd94989d4a4f1eab06006f8dd5dce67caeab231ea9633b43182edd06560b2de3e36b343348d6a7f5e0f46b400359d0e5
- SSDEEP: 24576:Ue3XPMWdFESVPhG4syWv8AC8N4Y6EP6fhvId9pCB1N/BMwmVZpDWVeo:13/MWH1VPhM0Ap4Y6EP6fFIdfCBjZLm8
Malware Config
Signatures
- Unsigned PE (4 IoCs): Checks for missing Authenticode signature.
  Resources: unpack001/PyJOE25.dll, unpack001/PyJOE26.dll, unpack001/PyJOE27.dll, unpack001/dirtyJOE.exe
Files
-
rewolf_dirtyjoe_v1.7_(c529)_x64.zip (zip)
-
PyJOE25.dll (dll) windows:5 windows x64 arch:x64
MD5: b0a6e43690aa3b4a483cc5bb43311d83
Headers
DLL Characteristics
IMAGE_DLLCHARACTERISTICS_HIGH_ENTROPY_VA
IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
IMAGE_DLLCHARACTERISTICS_NX_COMPAT
File Characteristics
IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LARGE_ADDRESS_AWARE
IMAGE_FILE_DLL
PDB Paths
E:\projects\dirtyJOE\Release_x64\PyJOE25.pdb
Imports
python25
PyObject_GetAttrString
PyString_Type
PyErr_Clear
Py_Finalize
PyErr_Print
Py_InitializeEx
PyList_Type
PyType_IsSubtype
PyImport_ImportModule
PyErr_Occurred
PyImport_ExecCodeModule
Py_NoSiteFlag
PyList_GetItem
Py_CompileStringFlags
PySys_SetObject
PyString_AsString
PyList_Size
PyInt_AsLong
PyInt_Type
PyTuple_SetItem
PyInt_FromLong
PyObject_CallObject
PyTuple_New
PyCallable_Check
kernel32
GetModuleFileNameA
CreateFileW
CloseHandle
WriteConsoleW
SetFilePointerEx
SetStdHandle
GetConsoleMode
GetConsoleCP
FlushFileBuffers
GetStringTypeW
LCMapStringW
HeapReAlloc
OutputDebugStringW
GetCPInfo
GetOEMCP
GetACP
IsValidCodePage
LoadLibraryExW
GetLastError
HeapFree
HeapAlloc
GetCommandLineA
GetCurrentThreadId
EncodePointer
DecodePointer
RtlPcToFileHeader
RaiseException
RtlLookupFunctionEntry
RtlUnwindEx
IsDebuggerPresent
IsProcessorFeaturePresent
GetProcessHeap
ExitProcess
GetModuleHandleExW
GetProcAddress
MultiByteToWideChar
WideCharToMultiByte
GetStdHandle
WriteFile
GetModuleFileNameW
SetLastError
GetFileType
DeleteCriticalSection
GetStartupInfoW
QueryPerformanceCounter
GetCurrentProcessId
GetSystemTimeAsFileTime
GetEnvironmentStringsW
FreeEnvironmentStringsW
RtlCaptureContext
RtlVirtualUnwind
UnhandledExceptionFilter
SetUnhandledExceptionFilter
InitializeCriticalSectionAndSpinCount
Sleep
GetCurrentProcess
TerminateProcess
TlsAlloc
TlsGetValue
TlsSetValue
TlsFree
GetModuleHandleW
HeapSize
EnterCriticalSection
LeaveCriticalSection
Exports
pyjoe_DecryptBuffer
pyjoe_Deinit
pyjoe_FreeBuffer
pyjoe_GetError
pyjoe_Init
Sections
.text Size: 59KB - Virtual size: 58KB
IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ
.rdata Size: 38KB - Virtual size: 38KB
IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
.data Size: 6KB - Virtual size: 15KB
IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE
.pdata Size: 3KB - Virtual size: 3KB
IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
.rsrc Size: 512B - Virtual size: 480B
IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
.reloc Size: 2KB - Virtual size: 1KB
IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ
-
PyJOE26.dll (dll) windows:5 windows x64 arch:x64
MD5: 2c2895ff6ceb3e168b68188db269af97
Headers
DLL Characteristics
IMAGE_DLLCHARACTERISTICS_HIGH_ENTROPY_VA
IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
IMAGE_DLLCHARACTERISTICS_NX_COMPAT
File Characteristics
IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LARGE_ADDRESS_AWARE
IMAGE_FILE_DLL
PDB Paths
E:\projects\dirtyJOE\Release_x64\PyJOE26.pdb
Imports
python26
PyObject_GetAttrString
PyErr_Clear
Py_Finalize
PyErr_Print
Py_InitializeEx
PyList_Type
PyImport_ImportModule
PyErr_Occurred
PyImport_ExecCodeModule
Py_NoSiteFlag
PyList_GetItem
Py_CompileStringFlags
PySys_SetObject
PyString_AsString
PyList_Size
PyInt_AsLong
PyInt_Type
PyTuple_SetItem
PyInt_FromLong
PyObject_CallObject
PyTuple_New
PyCallable_Check
kernel32
QueryPerformanceCounter
CreateFileW
CloseHandle
WriteConsoleW
SetFilePointerEx
SetStdHandle
GetConsoleMode
GetConsoleCP
FlushFileBuffers
GetStringTypeW
LCMapStringW
HeapReAlloc
OutputDebugStringW
GetCPInfo
GetOEMCP
GetACP
GetLastError
HeapFree
HeapAlloc
GetCommandLineA
GetCurrentThreadId
EncodePointer
DecodePointer
RtlPcToFileHeader
RaiseException
RtlLookupFunctionEntry
RtlUnwindEx
IsDebuggerPresent
IsProcessorFeaturePresent
GetProcessHeap
ExitProcess
GetModuleHandleExW
GetProcAddress
MultiByteToWideChar
WideCharToMultiByte
GetStdHandle
WriteFile
GetModuleFileNameW
SetLastError
GetFileType
DeleteCriticalSection
GetStartupInfoW
GetModuleFileNameA
GetCurrentProcessId
GetSystemTimeAsFileTime
GetEnvironmentStringsW
FreeEnvironmentStringsW
RtlCaptureContext
RtlVirtualUnwind
UnhandledExceptionFilter
SetUnhandledExceptionFilter
InitializeCriticalSectionAndSpinCount
Sleep
GetCurrentProcess
TerminateProcess
TlsAlloc
TlsGetValue
TlsSetValue
TlsFree
GetModuleHandleW
HeapSize
EnterCriticalSection
LeaveCriticalSection
LoadLibraryExW
IsValidCodePage
Exports
pyjoe_DecryptBuffer
pyjoe_Deinit
pyjoe_FreeBuffer
pyjoe_GetError
pyjoe_Init
Sections
.text Size: 59KB - Virtual size: 58KB
IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ
.rdata Size: 38KB - Virtual size: 37KB
IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
.data Size: 6KB - Virtual size: 15KB
IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE
.pdata Size: 3KB - Virtual size: 3KB
IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
.rsrc Size: 512B - Virtual size: 480B
IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
.reloc Size: 2KB - Virtual size: 1KB
IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ
-
PyJOE27.dll (dll) windows:5 windows x64 arch:x64
MD5: 4050133f0ce6915fd83a6dce0a99f0f4
Headers
DLL Characteristics
IMAGE_DLLCHARACTERISTICS_HIGH_ENTROPY_VA
IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
IMAGE_DLLCHARACTERISTICS_NX_COMPAT
File Characteristics
IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LARGE_ADDRESS_AWARE
IMAGE_FILE_DLL
PDB Paths
E:\projects\dirtyJOE\Release_x64\PyJOE27.pdb
Imports
python27
PyObject_GetAttrString
PyErr_Clear
Py_Finalize
PyErr_Print
Py_InitializeEx
PyList_Type
PyImport_ImportModule
PyErr_Occurred
PyImport_ExecCodeModule
Py_NoSiteFlag
PyList_GetItem
Py_CompileStringFlags
PySys_SetObject
PyString_AsString
PyList_Size
PyInt_AsLong
PyInt_Type
PyTuple_SetItem
PyInt_FromLong
PyObject_CallObject
PyTuple_New
PyCallable_Check
kernel32
QueryPerformanceCounter
CreateFileW
CloseHandle
WriteConsoleW
SetFilePointerEx
SetStdHandle
GetConsoleMode
GetConsoleCP
FlushFileBuffers
GetStringTypeW
LCMapStringW
HeapReAlloc
OutputDebugStringW
GetCPInfo
GetOEMCP
GetACP
GetLastError
HeapFree
HeapAlloc
GetCommandLineA
GetCurrentThreadId
EncodePointer
DecodePointer
RtlPcToFileHeader
RaiseException
RtlLookupFunctionEntry
RtlUnwindEx
IsDebuggerPresent
IsProcessorFeaturePresent
GetProcessHeap
ExitProcess
GetModuleHandleExW
GetProcAddress
MultiByteToWideChar
WideCharToMultiByte
GetStdHandle
WriteFile
GetModuleFileNameW
SetLastError
GetFileType
DeleteCriticalSection
GetStartupInfoW
GetModuleFileNameA
GetCurrentProcessId
GetSystemTimeAsFileTime
GetEnvironmentStringsW
FreeEnvironmentStringsW
RtlCaptureContext
RtlVirtualUnwind
UnhandledExceptionFilter
SetUnhandledExceptionFilter
InitializeCriticalSectionAndSpinCount
Sleep
GetCurrentProcess
TerminateProcess
TlsAlloc
TlsGetValue
TlsSetValue
TlsFree
GetModuleHandleW
HeapSize
EnterCriticalSection
LeaveCriticalSection
LoadLibraryExW
IsValidCodePage
Exports
pyjoe_DecryptBuffer
pyjoe_Deinit
pyjoe_FreeBuffer
pyjoe_GetError
pyjoe_Init
Sections
.text Size: 59KB - Virtual size: 58KB
IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ
.rdata Size: 38KB - Virtual size: 37KB
IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
.data Size: 6KB - Virtual size: 15KB
IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE
.pdata Size: 3KB - Virtual size: 3KB
IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
.rsrc Size: 512B - Virtual size: 480B
IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
.reloc Size: 2KB - Virtual size: 1KB
IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ
-
dirtyJOE.exe (exe) windows:5 windows x64 arch:x64
MD5: ffe186a5f5404bd763753e7127f92dd9
Headers
DLL Characteristics
IMAGE_DLLCHARACTERISTICS_HIGH_ENTROPY_VA
IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
IMAGE_DLLCHARACTERISTICS_NX_COMPAT
IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE
File Characteristics
IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LARGE_ADDRESS_AWARE
PDB Paths
E:\projects\dirtyJOE\Release_x64\dirtyJOE.pdb
Imports
kernel32
LoadLibraryW
WritePrivateProfileStringW
GetPrivateProfileIntW
SetCurrentDirectoryW
WaitForSingleObject
Sleep
CreateThread
GetExitCodeThread
GetEnvironmentVariableW
SetEnvironmentVariableW
GlobalLock
GlobalAlloc
GlobalUnlock
GetTempPathW
GetCurrentDirectoryW
GlobalFree
DeleteFileW
WideCharToMultiByte
WriteConsoleW
GetStringTypeW
FlushFileBuffers
SetStdHandle
LCMapStringW
FreeEnvironmentStringsW
GetEnvironmentStringsW
GetSystemTimeAsFileTime
GetCurrentProcessId
QueryPerformanceCounter
GetModuleFileNameA
GetFileType
SetFilePointerEx
ReadConsoleW
LeaveCriticalSection
GetCPInfo
GetPrivateProfileStringW
GetACP
IsValidCodePage
GetConsoleMode
GetConsoleCP
GetStartupInfoW
TlsFree
TlsSetValue
TlsGetValue
TlsAlloc
TerminateProcess
SetUnhandledExceptionFilter
UnhandledExceptionFilter
RtlVirtualUnwind
RtlCaptureContext
HeapReAlloc
WriteFile
HeapSize
GetModuleHandleExW
ExitProcess
RtlUnwindEx
RtlLookupFunctionEntry
GetCommandLineA
RtlPcToFileHeader
IsProcessorFeaturePresent
EncodePointer
VirtualFree
VirtualAlloc
InterlockedPushEntrySList
InterlockedPopEntrySList
InitializeSListHead
GetProcessHeap
HeapFree
HeapAlloc
OutputDebugStringW
IsDebuggerPresent
FreeConsole
SizeofResource
GetModuleHandleW
GetCurrentProcess
LoadLibraryExW
SetEndOfFile
LocalFree
GetCurrentThreadId
lstrcmpiW
GetConsoleScreenBufferInfo
WriteConsoleA
EnterCriticalSection
AttachConsole
SetLastError
GetStdHandle
FlushInstructionCache
MultiByteToWideChar
GetOEMCP
GetModuleFileNameW
LoadResource
FreeLibrary
FindResourceW
GetProcAddress
GetCommandLineW
CloseHandle
CreateFileW
ReadFile
GetFileSize
DeleteCriticalSection
DecodePointer
GetLastError
RaiseException
InitializeCriticalSectionAndSpinCount
user32
DialogBoxParamW
CharNextW
SetWindowLongPtrW
DefWindowProcW
UnregisterClassW
CloseClipboard
GetActiveWindow
LoadMenuW
GetClipboardData
EmptyClipboard
DestroyWindow
SendMessageW
GetCursorPos
SendDlgItemMessageW
TrackPopupMenuEx
MessageBoxW
OpenClipboard
SetClipboardData
DestroyMenu
GetDlgCtrlID
wsprintfW
GetWindowDC
SendMessageA
GetWindowTextLengthA
GetWindowTextA
SendDlgItemMessageA
GetDesktopWindow
SetWindowPos
TranslateAcceleratorW
DestroyAcceleratorTable
GetSubMenu
DeleteMenu
CallNextHookEx
LoadAcceleratorsW
GetMenu
LoadIconW
InvalidateRect
AppendMenuW
EnableMenuItem
RedrawWindow
GetMenuItemCount
SetWindowsHookExW
UnhookWindowsHookEx
GetWindowTextLengthW
GetDlgItemInt
GetDlgItemTextW
GetWindowTextW
CheckDlgButton
IsDlgButtonChecked
EnableWindow
ScreenToClient
RegisterWindowMessageW
GetParent
SetFocus
SetDlgItemTextA
GetScrollPos
GetKeyState
GetClientRect
SetDlgItemInt
ShowWindow
CreateDialogParamW
SetDlgItemTextW
MoveWindow
SetWindowTextW
GetWindowRect
FillRect
GetDC
ReleaseDC
GetDlgItem
EndDialog
gdi32
BitBlt
SetTextColor
DeleteDC
SetBkMode
SelectObject
CreateCompatibleDC
CreateCompatibleBitmap
CreateFontIndirectW
DeleteObject
GetObjectW
GetStockObject
GetTextExtentPoint32A
comdlg32
GetOpenFileNameW
GetSaveFileNameW
FindTextW
ChooseFontW
advapi32
RegSetValueExW
RegCloseKey
RegEnumKeyExW
RegOpenKeyExW
RegDeleteValueW
RegDeleteKeyW
RegQueryInfoKeyW
RegCreateKeyExW
RegQueryValueExW
shell32
DragFinish
DragQueryFileW
DragAcceptFiles
ShellExecuteW
CommandLineToArgvW
ole32
CoCreateInstance
CoTaskMemAlloc
CoTaskMemFree
CoInitialize
CoTaskMemRealloc
CoUninitialize
oleaut32
VarUI4FromStr
comctl32
InitCommonControlsEx
ord412
ord413
ord410
wininet
DeleteUrlCacheEntryW
urlmon
URLDownloadToFileW
shlwapi
PathIsRelativeW
Sections
.text Size: 303KB - Virtual size: 303KB
IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ
.rdata Size: 188KB - Virtual size: 188KB
IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
.data Size: 13KB - Virtual size: 22KB
IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE
.pdata Size: 16KB - Virtual size: 15KB
IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
.rsrc Size: 118KB - Virtual size: 118KB
IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
.reloc Size: 4KB - Virtual size: 4KB
IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ
-
dirtyjoe.chm (chm)
-
jvmspec.dat
-
scripts/allatori_decrypt.py
-
scripts/pyjoe.py
-
scripts/zkm_decrypt.py