Penis[.]zip | Triage

Sharing

Copy URL Twitter E-mail

General

Target

Penis.zip
Size

1.6MB
MD5

8466f1b0bb2cfd2e5d5635823b06a2f6
SHA1

9bf533a238a92574e11095e8437b67de73925269
SHA256

77b3fec984bc0b5d92ef538a7d0e98f4660a9dd8d64f3cea4bb2a341b3909b71
SHA512

f0054c575de315a21858ac78c4716dd21c27bc69624adcf27b4c2254f7748b5eaa94f24f4619b3e6561ff33ddfae31c1bd5a8e9e2626a50c17f9f4dc91dfd363
SSDEEP

49152:IxtTHryBpxtgB0icaBJi2TBhTb8EfqqZl/BplXC38sCVqa:IxNr0pr+0i1BJzjssdp9w52N

Score

3^/10

Malware Config

Signatures

Unsigned PE 1 IoCs

Checks for missing Authenticode signature.

resource
unpack001/main.exe

Files

Penis.zip
.zip
Terminator.sys
.sys windows:6 windows x64 arch:x64

1ef6998f22f7e6046b4905d4e21773b7

Code Sign

7e:93:eb:fb:7c:c6:4e:59:ea:4b:9a:77:d4:06:fc:3b
Certificate

Issuer

CN=Thawte Timestamping CA,OU=Thawte Certification,O=Thawte,L=Durbanville,ST=Western Cape,C=ZA

Not Before

21/12/2012, 00:00

Not After

30/12/2020, 23:59

Subject

CN=Symantec Time Stamping Services CA - G2,O=Symantec Corporation,C=US

Extended Key Usages

ExtKeyUsageTimeStamping

Key Usages

KeyUsageCertSign
KeyUsageCRLSign

0e:cf:f4:38:c8:fe:bf:35:6e:04:d8:6a:98:1b:1a:50
Certificate

Issuer

CN=Symantec Time Stamping Services CA - G2,O=Symantec Corporation,C=US

Not Before

18/10/2012, 00:00

Not After

29/12/2020, 23:59

Subject

CN=Symantec Time Stamping Services Signer - G4,O=Symantec Corporation,C=US

Extended Key Usages

ExtKeyUsageTimeStamping

Key Usages

KeyUsageDigitalSignature

02:10:23:0f:d3:64:b4:69:09:1b:8a:44:40:14:5e:18
Certificate

Issuer

CN=DigiCert High Assurance Code Signing CA-1,OU=www.digicert.com,O=DigiCert Inc,C=US

Not Before

16/12/2014, 00:00

Not After

20/12/2017, 12:00

Subject

CN=Zemana Ltd.,O=Zemana Ltd.,L=Edirne,C=TR

Extended Key Usages

ExtKeyUsageCodeSigning

Key Usages

KeyUsageDigitalSignature

61:20:4d:b4:00:00:00:00:00:27
Certificate

Issuer

CN=Microsoft Code Verification Root,O=Microsoft Corporation,L=Redmond,ST=Washington,C=US

Not Before

15/04/2011, 19:45

Not After

15/04/2021, 19:55

Subject

CN=DigiCert High Assurance EV Root CA,OU=www.digicert.com,O=DigiCert Inc,C=US

Key Usages

KeyUsageDigitalSignature
KeyUsageCertSign
KeyUsageCRLSign

02:c4:d1:e5:8a:4a:68:0c:56:8d:a3:04:7e:7e:4d:5f
Certificate

Issuer

CN=DigiCert High Assurance EV Root CA,OU=www.digicert.com,O=DigiCert Inc,C=US

Not Before

11/02/2011, 12:00

Not After

10/02/2026, 12:00

Subject

CN=DigiCert High Assurance Code Signing CA-1,OU=www.digicert.com,O=DigiCert Inc,C=US

Extended Key Usages

ExtKeyUsageCodeSigning

Key Usages

KeyUsageDigitalSignature
KeyUsageCertSign
KeyUsageCRLSign

0d:15:b7:de:0f:11:29:b5:40:f4:8d:7a:3c:ba:2c:6b:f5:d4:41:12
Signer

Actual PE Digest

0d:15:b7:de:0f:11:29:b5:40:f4:8d:7a:3c:ba:2c:6b:f5:d4:41:12

Digest Algorithm

sha1

PE Digest Matches

true

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_HIGH_ENTROPY_VA
IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
IMAGE_DLLCHARACTERISTICS_FORCE_INTEGRITY
IMAGE_DLLCHARACTERISTICS_NX_COMPAT

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LARGE_ADDRESS_AWARE

PDB Paths

Z:\Zemana\Projects\AntiMalware\bin\zam64.pdb

Imports

ntoskrnl.exe

FsRtlIsNameInExpression
PsGetProcessImageFileName
ZwQueryInformationProcess
__C_specific_handler
strchr
RtlAppendUnicodeToString
KeInitializeSemaphore
KeReleaseSemaphore
KeWaitForSingleObject
KeAcquireSpinLockRaiseToDpc
KeReleaseSpinLock
PsCreateSystemThread
PsTerminateSystemThread
ZwQueryInformationFile
ZwWriteFile
PsGetCurrentThreadId
ZwDeleteFile
_vsnprintf
PsThreadType
PsSetCreateProcessNotifyRoutine
PsGetProcessSessionId
RtlAppendUnicodeStringToString
ZwDeleteValueKey
ZwSetValueKey
towupper
RtlIntegerToUnicodeString
KeInitializeEvent
KeSetEvent
KeAcquireSpinLockAtDpcLevel
KeReleaseSpinLockFromDpcLevel
MmProbeAndLockPages
IoAllocateIrp
IoAllocateMdl
IofCallDriver
IoFreeIrp
IoFreeMdl
IoGetDeviceObjectPointer
IoGetRelatedDeviceObject
ObCloseHandle
ObfReferenceObject
ZwSetInformationFile
ZwReadFile
ZwOpenSymbolicLinkObject
ZwQuerySymbolicLinkObject
IoCreateFileSpecifyDeviceObjectHint
IoGetDeviceAttachmentBaseRef
FsRtlGetFileSize
ObQueryNameString
IoFileObjectType
KeReadStateEvent
ExQueueWorkItem
ExGetPreviousMode
MmGetSystemRoutineAddress
NtOpenProcess
ZwCreateEvent
ZwWaitForSingleObject
ZwSetEvent
NtQuerySystemInformation
ExEventObjectType
NtBuildNumber
ZwDeleteKey
ObReferenceObjectByName
IoDriverObjectType
MmIsDriverVerifying
IofCompleteRequest
IoCreateDevice
IoCreateSymbolicLink
IoDeleteDevice
IoDeleteSymbolicLink
RtlSetDaclSecurityDescriptor
MmMapLockedPagesSpecifyCache
PsGetProcessId
IoThreadToProcess
PsGetCurrentProcessSessionId
ZwTerminateProcess
KeStackAttachProcess
KeUnstackDetachProcess
ZwOpenThread
PsProcessType
ExInterlockedInsertHeadList
ExInterlockedRemoveHeadList
CmRegisterCallback
CmUnRegisterCallback
RtlCreateRegistryKey
ZwOpenKey
ZwEnumerateKey
ZwQueryKey
ZwQueryValueKey
RtlUnicodeStringToAnsiString
RtlFreeAnsiString
ProbeForWrite
PsSetLoadImageNotifyRoutine
PsRemoveLoadImageNotifyRoutine
PsGetProcessSectionBaseAddress
MmSystemRangeStart
KeBugCheckEx
PsLookupProcessByProcessId
ZwOpenProcess
PsGetCurrentProcessId
RtlUpcaseUnicodeString
RtlUpperString
ZwClose
ZwCreateFile
ObfDereferenceObject
ObReferenceObjectByHandle
ProbeForRead
ExFreePoolWithTag
ExAllocatePoolWithTag
KeDelayExecutionThread
RtlGetVersion
DbgPrint
RtlCopyUnicodeString
RtlInitUnicodeString
wcsstr
ZwQuerySystemInformation
strstr

fltmgr.sys

FltSendMessage
FltCloseCommunicationPort
FltCreateCommunicationPort
FltReleaseContext
FltGetStreamHandleContext
FltSetStreamHandleContext
FltAllocateContext
FltCancelFileOpen
FltQueryInformationFile
FltReadFile
FltParseFileNameInformation
FltReleaseFileNameInformation
FltGetFileNameInformation
FltFreePoolAlignedWithTag
FltAllocatePoolAlignedWithTag
FltStartFiltering
FltUnregisterFilter
FltRegisterFilter
FltBuildDefaultSecurityDescriptor

Sections

.text
Size: 134KB - Virtual size: 133KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.hook
Size: 2KB - Virtual size: 2KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.rdata
Size: 18KB - Virtual size: 17KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.data
Size: 26KB - Virtual size: 335KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.pdata
Size: 2KB - Virtual size: 2KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

INIT
Size: 4KB - Virtual size: 4KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.rsrc
Size: 1024B - Virtual size: 616B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ

.reloc
Size: 512B - Virtual size: 96B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ
main.exe
.exe windows:6 windows x64 arch:x64

d42595b695fc008ef2c56aabd8efd68e

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_HIGH_ENTROPY_VA
IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
IMAGE_DLLCHARACTERISTICS_NX_COMPAT
IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LARGE_ADDRESS_AWARE

Imports

kernel32

WriteFile
WriteConsoleW
WerSetFlags
WerGetFlags
WaitForMultipleObjects
WaitForSingleObject
VirtualQuery
VirtualFree
VirtualAlloc
TlsAlloc
SwitchToThread
SuspendThread
SetWaitableTimer
SetProcessPriorityBoost
SetEvent
SetErrorMode
SetConsoleCtrlHandler
RtlVirtualUnwind
RtlLookupFunctionEntry
ResumeThread
RaiseFailFastException
PostQueuedCompletionStatus
LoadLibraryW
LoadLibraryExW
SetThreadContext
GetThreadContext
GetSystemInfo
GetSystemDirectoryA
GetStdHandle
GetQueuedCompletionStatusEx
GetProcessAffinityMask
GetProcAddress
GetErrorMode
GetEnvironmentStringsW
GetCurrentThreadId
GetConsoleMode
FreeEnvironmentStringsW
ExitProcess
DuplicateHandle
CreateWaitableTimerExW
CreateThread
CreateIoCompletionPort
CreateEventA
CloseHandle
AddVectoredExceptionHandler
AddVectoredContinueHandler

Sections

.text
Size: 676KB - Virtual size: 675KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rdata
Size: 854KB - Virtual size: 854KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.data
Size: 93KB - Virtual size: 385KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.pdata
Size: 19KB - Virtual size: 19KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.xdata
Size: 512B - Virtual size: 180B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

/4
Size: 512B - Virtual size: 332B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ

/19
Size: 153KB - Virtual size: 153KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ

/32
Size: 30KB - Virtual size: 30KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ

/46
Size: 512B - Virtual size: 48B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ

/65
Size: 435KB - Virtual size: 434KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ

/78
Size: 143KB - Virtual size: 143KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ

/90
Size: 55KB - Virtual size: 55KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ

.idata
Size: 1KB - Virtual size: 1KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.reloc
Size: 17KB - Virtual size: 16KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ

.symtab
Size: 113KB - Virtual size: 113KB

IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ

Sharing

General

Malware Config

Signatures

Files

1ef6998f22f7e6046b4905d4e21773b7

Code Sign

7e:93:eb:fb:7c:c6:4e:59:ea:4b:9a:77:d4:06:fc:3bCertificate

Extended Key Usages

Key Usages

0e:cf:f4:38:c8:fe:bf:35:6e:04:d8:6a:98:1b:1a:50Certificate

Extended Key Usages

Key Usages

02:10:23:0f:d3:64:b4:69:09:1b:8a:44:40:14:5e:18Certificate

Extended Key Usages

Key Usages

61:20:4d:b4:00:00:00:00:00:27Certificate

Key Usages

02:c4:d1:e5:8a:4a:68:0c:56:8d:a3:04:7e:7e:4d:5fCertificate

Extended Key Usages

Key Usages

0d:15:b7:de:0f:11:29:b5:40:f4:8d:7a:3c:ba:2c:6b:f5:d4:41:12Signer

Headers

DLL Characteristics

File Characteristics

PDB Paths

Imports

ntoskrnl.exe

fltmgr.sys

Sections

.text Size: 134KB - Virtual size: 133KB

.hook Size: 2KB - Virtual size: 2KB

.rdata Size: 18KB - Virtual size: 17KB

.data Size: 26KB - Virtual size: 335KB

.pdata Size: 2KB - Virtual size: 2KB

INIT Size: 4KB - Virtual size: 4KB

.rsrc Size: 1024B - Virtual size: 616B

.reloc Size: 512B - Virtual size: 96B

d42595b695fc008ef2c56aabd8efd68e

Headers

DLL Characteristics

File Characteristics

Imports

kernel32

Sections

.text Size: 676KB - Virtual size: 675KB

.rdata Size: 854KB - Virtual size: 854KB

.data Size: 93KB - Virtual size: 385KB

.pdata Size: 19KB - Virtual size: 19KB

.xdata Size: 512B - Virtual size: 180B

/4 Size: 512B - Virtual size: 332B

/19 Size: 153KB - Virtual size: 153KB

/32 Size: 30KB - Virtual size: 30KB

/46 Size: 512B - Virtual size: 48B

/65 Size: 435KB - Virtual size: 434KB

/78 Size: 143KB - Virtual size: 143KB

/90 Size: 55KB - Virtual size: 55KB

.idata Size: 1KB - Virtual size: 1KB

.reloc Size: 17KB - Virtual size: 16KB

.symtab Size: 113KB - Virtual size: 113KB

7e:93:eb:fb:7c:c6:4e:59:ea:4b:9a:77:d4:06:fc:3b
Certificate

0e:cf:f4:38:c8:fe:bf:35:6e:04:d8:6a:98:1b:1a:50
Certificate

02:10:23:0f:d3:64:b4:69:09:1b:8a:44:40:14:5e:18
Certificate

61:20:4d:b4:00:00:00:00:00:27
Certificate

02:c4:d1:e5:8a:4a:68:0c:56:8d:a3:04:7e:7e:4d:5f
Certificate

0d:15:b7:de:0f:11:29:b5:40:f4:8d:7a:3c:ba:2c:6b:f5:d4:41:12
Signer

.text
Size: 134KB - Virtual size: 133KB

.hook
Size: 2KB - Virtual size: 2KB

.rdata
Size: 18KB - Virtual size: 17KB

.data
Size: 26KB - Virtual size: 335KB

.pdata
Size: 2KB - Virtual size: 2KB

INIT
Size: 4KB - Virtual size: 4KB

.rsrc
Size: 1024B - Virtual size: 616B

.reloc
Size: 512B - Virtual size: 96B

.text
Size: 676KB - Virtual size: 675KB

.rdata
Size: 854KB - Virtual size: 854KB

.data
Size: 93KB - Virtual size: 385KB

.pdata
Size: 19KB - Virtual size: 19KB

.xdata
Size: 512B - Virtual size: 180B

/4
Size: 512B - Virtual size: 332B

/19
Size: 153KB - Virtual size: 153KB

/32
Size: 30KB - Virtual size: 30KB

/46
Size: 512B - Virtual size: 48B

/65
Size: 435KB - Virtual size: 434KB

/78
Size: 143KB - Virtual size: 143KB

/90
Size: 55KB - Virtual size: 55KB

.idata
Size: 1KB - Virtual size: 1KB

.reloc
Size: 17KB - Virtual size: 16KB

.symtab
Size: 113KB - Virtual size: 113KB