27b6ea4d15167ed33ca8e2041973b020_JaffaCakes118

Sharing

Copy URL Twitter E-mail

General

Target

27b6ea4d15167ed33ca8e2041973b020_JaffaCakes118
Size

20.8MB
MD5

27b6ea4d15167ed33ca8e2041973b020
SHA1

8845c2ad9c1517aacf67ce828c72e0afae8cf118
SHA256

616d6a038c34d15e9ee55e239a36fccaa61a887ff622d752172858abf1d4d37d
SHA512

836efadb92c7818d032c1302396107a839fef50cc703f3ed68538e869ab783a764f3db83f3856a6e4dbc2154fa5d8229d0a4fc89d729a3eead0b1961a86c550f
SSDEEP

393216:qMHAHyDWZ/K8qok83TD1tfiUMCQT9X+oIJFXyNvbqIe9mP9uQn1p:qMHeyyA8VR3LiDCecTENjynQ1p

Score

7^/10

upx aspackv2

Malware Config

Signatures

ASPack v2.12-2.42 1 IoCs

Detects executables packed with ASPack v2.12-2.42

aspackv2

resource	yara_rule
static1/unpack001/hdzhspy/PlayGame.exe	aspack_v212_v242

UPX packed file 2 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
static1/unpack001/hdzhspy/DoyoGameLauncher/Launcher.exe	upx
static1/unpack001/安装程序.exe	upx

Unsigned PE 2 IoCs

Checks for missing Authenticode signature.

resource
unpack001/hdzhspy/皇帝之横世霸业.exe
unpack003/out.upx

Files

27b6ea4d15167ed33ca8e2041973b020_JaffaCakes118
.rar
hdzhspy/BIGMAP00.bmp
hdzhspy/BIGMAP01.bmp
hdzhspy/BIGMAP02.bmp
hdzhspy/BIGMAP10.bmp
hdzhspy/BIGMAP11.bmp
hdzhspy/BIGMAP12.bmp
hdzhspy/BIGMAP20.bmp
hdzhspy/BIGMAP21.bmp
hdzhspy/BIGMAP22.bmp
hdzhspy/BIGMAP30.bmp
hdzhspy/BIGMAP31.bmp
hdzhspy/BIGMAP32.bmp
hdzhspy/BIGMAP57.bmp
hdzhspy/BIGMAP58.bmp
hdzhspy/BIGMAP59.bmp
hdzhspy/BIGMAP60.bmp
hdzhspy/BIGMAP61.bmp
hdzhspy/BIGMAP62.bmp
hdzhspy/BIGMAP63.bmp
hdzhspy/BIGMAP64.bmp
hdzhspy/BIGMAP65.bmp
hdzhspy/BIGMAP66.bmp
hdzhspy/BIGMAP67.bmp
hdzhspy/BIGMAP68.bmp
hdzhspy/BIGMAP69.bmp
hdzhspy/BIGMAP70.bmp
hdzhspy/BIGMAP71.bmp
hdzhspy/BIGMAP72.bmp
hdzhspy/BIGMAP74.bmp
hdzhspy/BIGMAP75.bmp
hdzhspy/Bigmap73.bmp
hdzhspy/Chinese.fnt
hdzhspy/Chinese.idx
hdzhspy/Cursor.bmp
hdzhspy/Desktop.bmp
hdzhspy/DoyoGameLauncher/Launcher.exe
.exe windows:4 windows x86 arch:x86

Code Sign

79:a2:a5:85:f9:d1:15:42:13:d9:b8:3e:f6:b6:8d:ed
Certificate

Issuer

CN=VeriSign Time Stamping Services CA,O=VeriSign\, Inc.,C=US

Not Before

01/05/2012, 00:00

Not After

31/12/2012, 23:59

Subject

CN=Symantec Time Stamping Services Signer - G3,O=Symantec Corporation,C=US

Extended Key Usages

ExtKeyUsageTimeStamping

Key Usages

KeyUsageDigitalSignature

47:bf:19:95:df:8d:52:46:43:f7:db:6d:48:0d:31:a4
Certificate

Issuer

CN=Thawte Timestamping CA,OU=Thawte Certification,O=Thawte,L=Durbanville,ST=Western Cape,C=ZA

Not Before

04/12/2003, 00:00

Not After

03/12/2013, 23:59

Subject

CN=VeriSign Time Stamping Services CA,O=VeriSign\, Inc.,C=US

Extended Key Usages

ExtKeyUsageTimeStamping

Key Usages

KeyUsageCertSign
KeyUsageCRLSign

19:9d:f8:8e
Certificate

Issuer

CN=Certification Authority of WoSign,O=WoSign eCommerce Services Limited,C=CN

Not Before

08/08/2009, 01:00

Not After

08/08/2024, 01:00

Subject

CN=WoSign Class 3 Code Signing CA,O=WoSign eCommerce Services Limited,C=CN

Key Usages

KeyUsageCertSign
KeyUsageCRLSign

09:94:95:00:06:2b:71
Certificate

Issuer

CN=WoSign Class 3 Code Signing CA,O=WoSign eCommerce Services Limited,C=CN

Not Before

01/09/2011, 10:16

Not After

02/09/2012, 11:23

Subject

CN=BeiJing Doyo Networking Technologies Ltd.,O=BeiJing Doyo Networking Technologies Ltd.,L=Beijing,ST=Beijing,C=CN,1.2.840.113549.1.9.1=#0c15646f796f7365727669636540676d61696c2e636f6d

Extended Key Usages

ExtKeyUsageCodeSigning
ExtKeyUsageMicrosoftCommercialCodeSigning

Key Usages

KeyUsageDigitalSignature

3d
Certificate

Issuer

CN=StartCom Certification Authority,OU=Secure Digital Certificate Signing,O=StartCom Ltd.,C=IL

Not Before

01/03/2011, 01:00

Not After

01/03/2016, 01:00

Subject

CN=Certification Authority of WoSign,O=WoSign eCommerce Services Limited,C=CN

Key Usages

KeyUsageCertSign
KeyUsageCRLSign

6a:04:75:40:a1:f6:95:be:c6:0d:e0:16:96:f4:a0:e0:a2:a6:67:9f
Signer

Actual PE Digest

6a:04:75:40:a1:f6:95:be:c6:0d:e0:16:96:f4:a0:e0:a2:a6:67:9f

Digest Algorithm

sha1

PE Digest Matches

true

Headers

File Characteristics

IMAGE_FILE_RELOCS_STRIPPED
IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_32BIT_MACHINE

Sections

UPX0
Size: - Virtual size: 252KB

IMAGE_SCN_CNT_UNINITIALIZED_DATA
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

UPX1
Size: 131KB - Virtual size: 132KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.rsrc
Size: 30KB - Virtual size: 32KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE
hdzhspy/DoyoGameLauncher/config.ini
hdzhspy/DoyoGameLauncher/loading.swf
hdzhspy/Graphics.dat
hdzhspy/Inst01.bmp
hdzhspy/Inst02.bmp
hdzhspy/Inst03.bmp
hdzhspy/Inst04.bmp
hdzhspy/InstallCfg.config
hdzhspy/PlayGame.exe
.exe windows:4 windows x86 arch:x86

Code Sign

7e:93:eb:fb:7c:c6:4e:59:ea:4b:9a:77:d4:06:fc:3b
Certificate

Issuer

CN=Thawte Timestamping CA,OU=Thawte Certification,O=Thawte,L=Durbanville,ST=Western Cape,C=ZA

Not Before

21/12/2012, 00:00

Not After

30/12/2020, 23:59

Subject

CN=Symantec Time Stamping Services CA - G2,O=Symantec Corporation,C=US

Extended Key Usages

ExtKeyUsageTimeStamping

Key Usages

KeyUsageCertSign
KeyUsageCRLSign

1b:09:3b:78:60:96:da:37:bb:a4:51:94:46:c8:96:78
Certificate

Issuer

OU=Class 3 Public Primary Certification Authority,O=VeriSign\, Inc.,C=US

Not Before

08/11/2006, 00:00

Not After

07/11/2021, 23:59

Subject

CN=VeriSign Class 3 Public Primary Certification Authority - G5,OU=VeriSign Trust Network+OU=(c) 2006 VeriSign\, Inc. - For authorized use only,O=VeriSign\, Inc.,C=US

Key Usages

KeyUsageCertSign
KeyUsageCRLSign

0e:cf:f4:38:c8:fe:bf:35:6e:04:d8:6a:98:1b:1a:50
Certificate

Issuer

CN=Symantec Time Stamping Services CA - G2,O=Symantec Corporation,C=US

Not Before

18/10/2012, 00:00

Not After

29/12/2020, 23:59

Subject

CN=Symantec Time Stamping Services Signer - G4,O=Symantec Corporation,C=US

Extended Key Usages

ExtKeyUsageTimeStamping

Key Usages

KeyUsageDigitalSignature

6d:b1:93:a7:41:09:c3:69:9c:ec:1a:a4:ea:94:38:33
Certificate

Issuer

CN=VeriSign Class 3 Code Signing 2010 CA,OU=VeriSign Trust Network+OU=Terms of use at https://www.verisign.com/rpa (c)10,O=VeriSign\, Inc.,C=US

Not Before

07/08/2013, 00:00

Not After

07/08/2015, 23:59

Subject

CN=Wuhan Weijun Technology Co. Ltd.,OU=Digital ID Class 3 - Microsoft Software Validation v2+OU=技术部,O=Wuhan Weijun Technology Co. Ltd.,L=Wuhan,ST=Hubei,C=CN

Extended Key Usages

ExtKeyUsageCodeSigning

Key Usages

KeyUsageDigitalSignature

52:00:e5:aa:25:56:fc:1a:86:ed:96:c9:d4:4b:33:c7
Certificate

Issuer

CN=VeriSign Class 3 Public Primary Certification Authority - G5,OU=VeriSign Trust Network+OU=(c) 2006 VeriSign\, Inc. - For authorized use only,O=VeriSign\, Inc.,C=US

Not Before

08/02/2010, 00:00

Not After

07/02/2020, 23:59

Subject

CN=VeriSign Class 3 Code Signing 2010 CA,OU=VeriSign Trust Network+OU=Terms of use at https://www.verisign.com/rpa (c)10,O=VeriSign\, Inc.,C=US

Extended Key Usages

ExtKeyUsageClientAuth
ExtKeyUsageCodeSigning

Key Usages

KeyUsageCertSign
KeyUsageCRLSign

30:6d:20:74:43:60:3f:cd:67:fb:f3:5f:d5:9f:80:fe:86:09:4b:75
Signer

Actual PE Digest

30:6d:20:74:43:60:3f:cd:67:fb:f3:5f:d5:9f:80:fe:86:09:4b:75

Digest Algorithm

sha1

PE Digest Matches

true

Headers

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LINE_NUMS_STRIPPED
IMAGE_FILE_LOCAL_SYMS_STRIPPED
IMAGE_FILE_BYTES_REVERSED_LO
IMAGE_FILE_32BIT_MACHINE
IMAGE_FILE_BYTES_REVERSED_HI

Sections

CODE
Size: 406KB - Virtual size: 1.0MB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

DATA
Size: 6KB - Virtual size: 16KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

BSS
Size: - Virtual size: 8KB

IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.idata
Size: 4KB - Virtual size: 12KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.tls
Size: - Virtual size: 4KB

IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.rdata
Size: 512B - Virtual size: 4KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.reloc
Size: - Virtual size: 76KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.rsrc
Size: 1.9MB - Virtual size: 2.3MB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.aspack
Size: 97KB - Virtual size: 100KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.adata
Size: - Virtual size: 4KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE
hdzhspy/ProgrammeMsg.txt
hdzhspy/SpeedSnap.txt
hdzhspy/avi/Cast01.avi
hdzhspy/avi/Cilogo01.avi
hdzhspy/avi/begin01.avi
hdzhspy/avi/credit.avi
hdzhspy/avi/credit01.avi
hdzhspy/avi/finish01.avi
hdzhspy/avi/flag01.avi
hdzhspy/avi/flag02.avi
hdzhspy/avi/flag03.avi
hdzhspy/avi/flag04.avi
hdzhspy/avi/searun01.avi
hdzhspy/avi/wall01.avi
hdzhspy/avi/wall02.avi
hdzhspy/c_story.bmp
hdzhspy/change.bmp
hdzhspy/credits_bg.bmp
hdzhspy/data.txt
hdzhspy/datax.txt
hdzhspy/datay.txt
hdzhspy/doyo_run_param.ini
hdzhspy/doyo_thumbnail.jpg
.jpg
hdzhspy/dynasty.org
hdzhspy/dynastyx.org
hdzhspy/fail00.bmp
hdzhspy/fail01.bmp
hdzhspy/freehead.bmp
hdzhspy/freesetup.bmp
hdzhspy/g_story.bmp
hdzhspy/index.dat
hdzhspy/install.bmp
hdzhspy/install16.bmp
hdzhspy/king01.bmp
hdzhspy/king02.bmp
hdzhspy/king03.bmp
hdzhspy/king04.bmp
hdzhspy/kingdom.atr
hdzhspy/kingdom.cel
hdzhspy/logo.bmp
hdzhspy/lose.bmp
hdzhspy/mainmenu.bmp
hdzhspy/mapgrid.bmp
hdzhspy/play.bat
hdzhspy/readme.txt
hdzhspy/record.sav
hdzhspy/rungame.ini
hdzhspy/s_story.bmp
hdzhspy/score.bmp
hdzhspy/setup.bmp
hdzhspy/snap00.bmp
hdzhspy/stage00.m
hdzhspy/stage00.s
hdzhspy/stage00.x
hdzhspy/stage01.m
hdzhspy/stage01.s
hdzhspy/stage01.txt
hdzhspy/stage01.x
hdzhspy/stage02.m
hdzhspy/stage02.s
hdzhspy/stage02.x
hdzhspy/stage04.m
hdzhspy/stage10.m
hdzhspy/stage10.s
hdzhspy/stage10.x
hdzhspy/stage11.m
hdzhspy/stage11.s
hdzhspy/stage11.x
hdzhspy/stage12.m
hdzhspy/stage12.s
hdzhspy/stage12.x
hdzhspy/stage20.m
hdzhspy/stage20.s
hdzhspy/stage20.x
hdzhspy/stage21.m
hdzhspy/stage21.s
hdzhspy/stage21.x
hdzhspy/stage22.m
hdzhspy/stage22.s
hdzhspy/stage22.x
hdzhspy/stage23.m
hdzhspy/stage30.m
hdzhspy/stage30.s
hdzhspy/stage30.x
hdzhspy/stage31.m
hdzhspy/stage31.s
hdzhspy/stage31.x
hdzhspy/stage32.m
hdzhspy/stage32.s
hdzhspy/stage32.x
hdzhspy/stage57.m
hdzhspy/stage57.s
hdzhspy/stage57.x
hdzhspy/stage579.m
hdzhspy/stage579.s
hdzhspy/stage579.x
hdzhspy/stage58.a
hdzhspy/stage58.m
hdzhspy/stage58.s
hdzhspy/stage58.x
hdzhspy/stage59.a
hdzhspy/stage59.m
hdzhspy/stage59.s
hdzhspy/stage59.x
hdzhspy/stage60.a
hdzhspy/stage60.m
hdzhspy/stage60.s
hdzhspy/stage60.x
hdzhspy/stage61.a
hdzhspy/stage61.m
hdzhspy/stage61.s
hdzhspy/stage61.x
hdzhspy/stage62.a
hdzhspy/stage62.m
hdzhspy/stage62.s
hdzhspy/stage62.x
hdzhspy/stage63.m
hdzhspy/stage63.s
hdzhspy/stage63.x
hdzhspy/stage64.a
hdzhspy/stage64.m
hdzhspy/stage64.s
hdzhspy/stage64.x
hdzhspy/stage65.a
hdzhspy/stage65.m
hdzhspy/stage65.s
hdzhspy/stage65.x
hdzhspy/stage66.a
hdzhspy/stage66.m
hdzhspy/stage66.s
hdzhspy/stage66.x
hdzhspy/stage67.a
hdzhspy/stage67.m
hdzhspy/stage67.s
hdzhspy/stage67.x
hdzhspy/stage68.a
hdzhspy/stage68.m
hdzhspy/stage68.s
hdzhspy/stage68.x
hdzhspy/stage69.a
hdzhspy/stage69.m
hdzhspy/stage69.s
hdzhspy/stage69.x
hdzhspy/stage70.a
hdzhspy/stage70.m
hdzhspy/stage70.s
hdzhspy/stage70.x
hdzhspy/stage71.a
hdzhspy/stage71.m
hdzhspy/stage71.s
hdzhspy/stage71.x
hdzhspy/stage72.a
hdzhspy/stage72.m
hdzhspy/stage72.s
hdzhspy/stage72.x
hdzhspy/stage73.a
hdzhspy/stage73.m
hdzhspy/stage73.s
hdzhspy/stage73.x
hdzhspy/stage74.a
hdzhspy/stage74.m
hdzhspy/stage74.s
hdzhspy/stage74.x
hdzhspy/stage75.a
hdzhspy/stage75.m
hdzhspy/stage75.s
hdzhspy/stage75.x
hdzhspy/stage76.a
hdzhspy/stage76.m
hdzhspy/stage76.s
hdzhspy/stage76.x
hdzhspy/start59.i
hdzhspy/start62.i
hdzhspy/start64.i
hdzhspy/start65.i
hdzhspy/start68.i
hdzhspy/start73.i
hdzhspy/story.bmp
hdzhspy/test.act
hdzhspy/test.anm
hdzhspy/title.bmp
hdzhspy/wav/1-2.wav
hdzhspy/wav/1-3.wav
hdzhspy/wav/1.wav
hdzhspy/wav/10-2.wav
hdzhspy/wav/10-3.wav
hdzhspy/wav/10-4.wav
hdzhspy/wav/10-5.wav
hdzhspy/wav/10-6.wav
hdzhspy/wav/10-7.wav
hdzhspy/wav/10-8.wav
hdzhspy/wav/10-9.wav
hdzhspy/wav/10.wav
hdzhspy/wav/11-2.wav
hdzhspy/wav/11.wav
hdzhspy/wav/13-2.wav
hdzhspy/wav/13-3.wav
hdzhspy/wav/13-4.wav
hdzhspy/wav/13.wav
hdzhspy/wav/14.wav
hdzhspy/wav/15.wav
hdzhspy/wav/16-1.wav
hdzhspy/wav/16.wav
hdzhspy/wav/17.wav
hdzhspy/wav/18.wav
hdzhspy/wav/19-2.wav
hdzhspy/wav/19-3.wav
hdzhspy/wav/19.wav
hdzhspy/wav/2.wav
hdzhspy/wav/20.wav
hdzhspy/wav/21.wav
hdzhspy/wav/22.wav
hdzhspy/wav/23.wav
hdzhspy/wav/24.wav
hdzhspy/wav/25.wav
hdzhspy/wav/26.wav
hdzhspy/wav/27.wav
hdzhspy/wav/28.wav
hdzhspy/wav/29-2.wav
hdzhspy/wav/29.wav
hdzhspy/wav/3.wav
hdzhspy/wav/30.wav
hdzhspy/wav/31.wav
hdzhspy/wav/32.wav
hdzhspy/wav/33.wav
hdzhspy/wav/34.wav
hdzhspy/wav/35.wav
hdzhspy/wav/4-2.wav
hdzhspy/wav/4-3.wav
hdzhspy/wav/4-4.wav
hdzhspy/wav/4-5.wav
hdzhspy/wav/4.wav
hdzhspy/wav/5-2.wav
hdzhspy/wav/5.wav
hdzhspy/wav/6-1.wav
hdzhspy/wav/6-2.wav
hdzhspy/wav/6-3.wav
hdzhspy/wav/6.wav
hdzhspy/wav/7.wav
hdzhspy/wav/8-2.wav
hdzhspy/wav/8.wav
hdzhspy/wav/9-2.wav
hdzhspy/wav/9.wav
hdzhspy/wav/Click11.wav
hdzhspy/wav/bgmusic09.wav
hdzhspy/wav/bgmusic11.wav
hdzhspy/wav/bgmusic13.wav
hdzhspy/wav/car-dead.wav
hdzhspy/wav/catdead.wav
hdzhspy/wav/catwood.wav
hdzhspy/wav/cow.wav
hdzhspy/wav/danger.wav
hdzhspy/wav/dead1.wav
hdzhspy/wav/dead2.wav
hdzhspy/wav/dead3.wav
hdzhspy/wav/dead4.wav
hdzhspy/wav/dead5.wav
hdzhspy/wav/fly.wav
hdzhspy/wav/go-go.wav
hdzhspy/wav/got1.wav
hdzhspy/wav/got2.wav
hdzhspy/wav/horse-dead.wav
hdzhspy/wav/horse-dead2.wav
hdzhspy/wav/horse-short.wav
hdzhspy/wav/map.wav
hdzhspy/wav/mem1.wav
hdzhspy/wav/mem2.wav
hdzhspy/wav/mem3.wav
hdzhspy/wav/mem4.wav
hdzhspy/wav/mem5.wav
hdzhspy/wav/mem6.wav
hdzhspy/wav/metial.wav
hdzhspy/wav/mywar.wav
hdzhspy/wav/new1.wav
hdzhspy/wav/new2.wav
hdzhspy/wav/new3.wav
hdzhspy/wav/rase.wav
hdzhspy/wav/woman-dead1.wav
hdzhspy/wav/woman-dead2.wav
hdzhspy/wav/woman-dead3.wav
hdzhspy/wav/woman-dead4.wav
hdzhspy/wav/wood.wav
hdzhspy/wav/yes.wav
hdzhspy/wav/yes2.wav
hdzhspy/windows.dat
hdzhspy/游戏说明.txt
hdzhspy/皇帝之横世霸业.exe
.exe windows:4 windows x86 arch:x86

440cd43f430761bb8d090218074c1f7a

Headers

File Characteristics

IMAGE_FILE_RELOCS_STRIPPED
IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LINE_NUMS_STRIPPED
IMAGE_FILE_LOCAL_SYMS_STRIPPED
IMAGE_FILE_32BIT_MACHINE

Imports

kernel32

CreateFileA
GlobalFree
GlobalAlloc
GetDriveTypeA
lstrlenA
_lcreat
_lwrite
_lopen
_llseek
_lread
GlobalHandle
_lclose
GlobalUnlock
SetEndOfFile
RtlUnwind
MultiByteToWideChar
IsBadCodePtr
IsBadReadPtr
SetUnhandledExceptionFilter
GetEnvironmentStringsW
GetEnvironmentStrings
WideCharToMultiByte
FreeEnvironmentStringsW
FreeEnvironmentStringsA
GetModuleFileNameA
UnhandledExceptionFilter
WriteFile
SetFilePointer
ReadFile
GetStdHandle
SetHandleCount
GetFileType
SetStdHandle
IsBadWritePtr
HeapReAlloc
VirtualAlloc
VirtualFree
HeapCreate
HeapDestroy
GetProcAddress
GetVersion
GetCommandLineA
GetStartupInfoA
LCMapStringA
LCMapStringW
GlobalLock
LoadLibraryA
GetOEMCP
GetACP
GetCPInfo
FlushFileBuffers
GetStringTypeW
GetStringTypeA
GetModuleHandleA
HeapFree
HeapAlloc
GetLastError
GetCurrentProcess
CloseHandle
TerminateProcess
ExitProcess

user32

DispatchMessageA
SetTimer
PostQuitMessage
DefWindowProcA
UpdateWindow
ShowWindow
UnregisterClassA
CreateWindowExA
RegisterClassA
GetWindowLongA
DestroyWindow
KillTimer
ReleaseDC
GetDC
ShowCursor
MessageBoxA
SendMessageA
SetWindowPos
PostMessageA
GetCursorPos
BeginPaint
EndPaint
LoadIconA
LoadCursorA
SetCursor
PeekMessageA
GetMessageA
TranslateMessage
WaitMessage

gdi32

SetSystemPaletteUse
TextOutA
SetTextColor
GetStockObject
SelectObject
CreateFontIndirectA
SetBkMode
DeleteObject

ddraw

DirectDrawCreate

winmm

timeSetEvent
timeGetTime
timeKillEvent
timeEndPeriod
timeBeginPeriod
timeGetDevCaps
mmioOpenA
mmioDescend
mmioAscend
mciSendCommandA
mmioRead
mmioClose

dsound

ord1

msvfw32

MCIWndCreateA

Sections

.text
Size: 320KB - Virtual size: 317KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rdata
Size: 20KB - Virtual size: 17KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.data
Size: 96KB - Virtual size: 174KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.rsrc
Size: 12KB - Virtual size: 11KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
hdzhspy/皇帝之横世霸业.ico
安装程序.exe
.exe windows:5 windows x86 arch:x86

Code Sign

7e:93:eb:fb:7c:c6:4e:59:ea:4b:9a:77:d4:06:fc:3b
Certificate

Issuer

CN=Thawte Timestamping CA,OU=Thawte Certification,O=Thawte,L=Durbanville,ST=Western Cape,C=ZA

Not Before

21/12/2012, 00:00

Not After

30/12/2020, 23:59

Subject

CN=Symantec Time Stamping Services CA - G2,O=Symantec Corporation,C=US

Extended Key Usages

ExtKeyUsageTimeStamping

Key Usages

KeyUsageCertSign
KeyUsageCRLSign

1b:09:3b:78:60:96:da:37:bb:a4:51:94:46:c8:96:78
Certificate

Issuer

OU=Class 3 Public Primary Certification Authority,O=VeriSign\, Inc.,C=US

Not Before

08/11/2006, 00:00

Not After

07/11/2021, 23:59

Subject

CN=VeriSign Class 3 Public Primary Certification Authority - G5,OU=VeriSign Trust Network+OU=(c) 2006 VeriSign\, Inc. - For authorized use only,O=VeriSign\, Inc.,C=US

Key Usages

KeyUsageCertSign
KeyUsageCRLSign

0e:cf:f4:38:c8:fe:bf:35:6e:04:d8:6a:98:1b:1a:50
Certificate

Issuer

CN=Symantec Time Stamping Services CA - G2,O=Symantec Corporation,C=US

Not Before

18/10/2012, 00:00

Not After

29/12/2020, 23:59

Subject

CN=Symantec Time Stamping Services Signer - G4,O=Symantec Corporation,C=US

Extended Key Usages

ExtKeyUsageTimeStamping

Key Usages

KeyUsageDigitalSignature

6d:b1:93:a7:41:09:c3:69:9c:ec:1a:a4:ea:94:38:33
Certificate

Issuer

CN=VeriSign Class 3 Code Signing 2010 CA,OU=VeriSign Trust Network+OU=Terms of use at https://www.verisign.com/rpa (c)10,O=VeriSign\, Inc.,C=US

Not Before

07/08/2013, 00:00

Not After

07/08/2015, 23:59

Subject

CN=Wuhan Weijun Technology Co. Ltd.,OU=Digital ID Class 3 - Microsoft Software Validation v2+OU=技术部,O=Wuhan Weijun Technology Co. Ltd.,L=Wuhan,ST=Hubei,C=CN

Extended Key Usages

ExtKeyUsageCodeSigning

Key Usages

KeyUsageDigitalSignature

52:00:e5:aa:25:56:fc:1a:86:ed:96:c9:d4:4b:33:c7
Certificate

Issuer

CN=VeriSign Class 3 Public Primary Certification Authority - G5,OU=VeriSign Trust Network+OU=(c) 2006 VeriSign\, Inc. - For authorized use only,O=VeriSign\, Inc.,C=US

Not Before

08/02/2010, 00:00

Not After

07/02/2020, 23:59

Subject

CN=VeriSign Class 3 Code Signing 2010 CA,OU=VeriSign Trust Network+OU=Terms of use at https://www.verisign.com/rpa (c)10,O=VeriSign\, Inc.,C=US

Extended Key Usages

ExtKeyUsageClientAuth
ExtKeyUsageCodeSigning

Key Usages

KeyUsageCertSign
KeyUsageCRLSign

37:de:c8:2c:55:6c:6d:1f:20:8c:44:92:45:31:ae:37:b5:c7:83:a2
Signer

Actual PE Digest

37:de:c8:2c:55:6c:6d:1f:20:8c:44:92:45:31:ae:37:b5:c7:83:a2

Digest Algorithm

sha1

PE Digest Matches

true

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
IMAGE_DLLCHARACTERISTICS_NX_COMPAT
IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_32BIT_MACHINE

Sections

UPX0
Size: - Virtual size: 544KB

IMAGE_SCN_CNT_UNINITIALIZED_DATA
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

UPX1
Size: 66KB - Virtual size: 68KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.rsrc
Size: 400KB - Virtual size: 404KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE
out.upx
.exe windows:5 windows x86 arch:x86

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
IMAGE_DLLCHARACTERISTICS_NX_COMPAT
IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_32BIT_MACHINE

Sections

.text
Size: 142KB - Virtual size: 142KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rdata
Size: 28KB - Virtual size: 27KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.data
Size: 1024B - Virtual size: 2KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.rsrc
Size: 399KB - Virtual size: 399KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.reloc
Size: 15KB - Virtual size: 15KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ

Sharing

General

Malware Config

Signatures

Files

Code Sign

79:a2:a5:85:f9:d1:15:42:13:d9:b8:3e:f6:b6:8d:edCertificate

Extended Key Usages

Key Usages

47:bf:19:95:df:8d:52:46:43:f7:db:6d:48:0d:31:a4Certificate

Extended Key Usages

Key Usages

19:9d:f8:8eCertificate

Key Usages

09:94:95:00:06:2b:71Certificate

Extended Key Usages

Key Usages

3dCertificate

Key Usages

6a:04:75:40:a1:f6:95:be:c6:0d:e0:16:96:f4:a0:e0:a2:a6:67:9fSigner

Headers

File Characteristics

Sections

UPX0 Size: - Virtual size: 252KB

UPX1 Size: 131KB - Virtual size: 132KB

.rsrc Size: 30KB - Virtual size: 32KB

Code Sign

7e:93:eb:fb:7c:c6:4e:59:ea:4b:9a:77:d4:06:fc:3bCertificate

Extended Key Usages

Key Usages

1b:09:3b:78:60:96:da:37:bb:a4:51:94:46:c8:96:78Certificate

Key Usages

0e:cf:f4:38:c8:fe:bf:35:6e:04:d8:6a:98:1b:1a:50Certificate

Extended Key Usages

Key Usages

6d:b1:93:a7:41:09:c3:69:9c:ec:1a:a4:ea:94:38:33Certificate

Extended Key Usages

Key Usages

52:00:e5:aa:25:56:fc:1a:86:ed:96:c9:d4:4b:33:c7Certificate

Extended Key Usages

Key Usages

30:6d:20:74:43:60:3f:cd:67:fb:f3:5f:d5:9f:80:fe:86:09:4b:75Signer

Headers

File Characteristics

Sections

CODE Size: 406KB - Virtual size: 1.0MB

DATA Size: 6KB - Virtual size: 16KB

BSS Size: - Virtual size: 8KB

.idata Size: 4KB - Virtual size: 12KB

.tls Size: - Virtual size: 4KB

.rdata Size: 512B - Virtual size: 4KB

.reloc Size: - Virtual size: 76KB

.rsrc Size: 1.9MB - Virtual size: 2.3MB

.aspack Size: 97KB - Virtual size: 100KB

.adata Size: - Virtual size: 4KB

440cd43f430761bb8d090218074c1f7a

Headers

File Characteristics

Imports

kernel32

user32

gdi32

ddraw

winmm

dsound

msvfw32

Sections

.text Size: 320KB - Virtual size: 317KB

.rdata Size: 20KB - Virtual size: 17KB

.data Size: 96KB - Virtual size: 174KB

.rsrc Size: 12KB - Virtual size: 11KB

Code Sign

7e:93:eb:fb:7c:c6:4e:59:ea:4b:9a:77:d4:06:fc:3bCertificate

Extended Key Usages

Key Usages

1b:09:3b:78:60:96:da:37:bb:a4:51:94:46:c8:96:78Certificate

Key Usages

0e:cf:f4:38:c8:fe:bf:35:6e:04:d8:6a:98:1b:1a:50Certificate

Extended Key Usages

Key Usages

79:a2:a5:85:f9:d1:15:42:13:d9:b8:3e:f6:b6:8d:ed
Certificate

47:bf:19:95:df:8d:52:46:43:f7:db:6d:48:0d:31:a4
Certificate

19:9d:f8:8e
Certificate

09:94:95:00:06:2b:71
Certificate

3d
Certificate

6a:04:75:40:a1:f6:95:be:c6:0d:e0:16:96:f4:a0:e0:a2:a6:67:9f
Signer

UPX0
Size: - Virtual size: 252KB

UPX1
Size: 131KB - Virtual size: 132KB

.rsrc
Size: 30KB - Virtual size: 32KB

7e:93:eb:fb:7c:c6:4e:59:ea:4b:9a:77:d4:06:fc:3b
Certificate

1b:09:3b:78:60:96:da:37:bb:a4:51:94:46:c8:96:78
Certificate

0e:cf:f4:38:c8:fe:bf:35:6e:04:d8:6a:98:1b:1a:50
Certificate

6d:b1:93:a7:41:09:c3:69:9c:ec:1a:a4:ea:94:38:33
Certificate

52:00:e5:aa:25:56:fc:1a:86:ed:96:c9:d4:4b:33:c7
Certificate

30:6d:20:74:43:60:3f:cd:67:fb:f3:5f:d5:9f:80:fe:86:09:4b:75
Signer

CODE
Size: 406KB - Virtual size: 1.0MB

DATA
Size: 6KB - Virtual size: 16KB

BSS
Size: - Virtual size: 8KB

.idata
Size: 4KB - Virtual size: 12KB

.tls
Size: - Virtual size: 4KB

.rdata
Size: 512B - Virtual size: 4KB

.reloc
Size: - Virtual size: 76KB

.rsrc
Size: 1.9MB - Virtual size: 2.3MB

.aspack
Size: 97KB - Virtual size: 100KB

.adata
Size: - Virtual size: 4KB

.text
Size: 320KB - Virtual size: 317KB

.rdata
Size: 20KB - Virtual size: 17KB

.data
Size: 96KB - Virtual size: 174KB

.rsrc
Size: 12KB - Virtual size: 11KB

7e:93:eb:fb:7c:c6:4e:59:ea:4b:9a:77:d4:06:fc:3b
Certificate

1b:09:3b:78:60:96:da:37:bb:a4:51:94:46:c8:96:78
Certificate

0e:cf:f4:38:c8:fe:bf:35:6e:04:d8:6a:98:1b:1a:50
Certificate

6d:b1:93:a7:41:09:c3:69:9c:ec:1a:a4:ea:94:38:33
Certificate

52:00:e5:aa:25:56:fc:1a:86:ed:96:c9:d4:4b:33:c7
Certificate

37:de:c8:2c:55:6c:6d:1f:20:8c:44:92:45:31:ae:37:b5:c7:83:a2
Signer

UPX0
Size: - Virtual size: 544KB

UPX1
Size: 66KB - Virtual size: 68KB

.rsrc
Size: 400KB - Virtual size: 404KB

.text
Size: 142KB - Virtual size: 142KB

.rdata
Size: 28KB - Virtual size: 27KB

.data
Size: 1024B - Virtual size: 2KB

.rsrc
Size: 399KB - Virtual size: 399KB

.reloc
Size: 15KB - Virtual size: 15KB