PESCAN.IO - Analysis Report

PESCAN.IO - Analysis Report

File Structure:
PE chart code: - The executable header is displayed in light blue. - The executable sections are pink. - Non-executable sections are black. - Code added to executables externally to a compiler appears in red. Chart code for other files: - Printable characters are blue. - Non-printable characters (Null Bytes) are black.

Information:

Icon:

Size: 261,27 KB
SHA-256 Hash: BC68C8D86F2522FB4C58C6F482C5CACB284E5EF803D41A63142677855934D969
SHA-1 Hash: B341CC1C299C07624814F35A35A4D505E65D3B67
MD5 Hash: 015C238D56B8657C0946EC45B131362A
Imphash: E42646AF54F7999FC51FC06C9287D5EC
MajorOSVersion: 5
CheckSum: 000458EA
EntryPoint (rva): 376E
SizeOfHeaders: 400
SizeOfImage: 47000
ImageBase: 400000
Architecture: x86
ExportTable: 39BF0
ImportTable: 38BA4
Characteristics: 102
TimeDateStamp: 52AEEE75
Date: 16/12/2013 12:13:41
File Type: EXE
Number Of Sections: 5
ASLR: Enabled
Section Names: .text, .rdata, .data, .rsrc, .reloc
Number Of Executable Sections: 1
Subsystem: Windows GUI
UAC Execution Level Manifest: asInvoker

Sections Info:

Section Name	Flags	ROffset	RSize	VOffset	VSize
.text	60000020 (Executable)	400	30E00	1000	30DAC
.rdata	40000040	31200	7E00	32000	7C46
.data	C0000040 (Writeable)	39000	1400	3A000	42A4
.rsrc	40000040	3A400	4200	3F000	40D0
.reloc	42000040	3E600	2200	44000	2142

Description:

CompanyName: Cypress Semiconductor Corporation
LegalCopyright: Copyright (c) 2012 Cypress Semiconductor Corporation
ProductName: Trackpad Bus Monitor
FileVersion: 2.5.0.16
FileDescription: Trackpad Bus Monitor
ProductVersion: 2.5.0.16
Language: Unknown (ID=0x0)
CodePage: Unicode (UTF-16 LE) (0x4B0)

Entry Point:

The section number (1) - (.text) have the Entry Point
Information -> EntryPoint (calculated) - 2B6E
Code -> E8ACA60000E989FEFFFF8BFF558BEC8B450833C93B04CD58A0430074134183F92D72F18D48ED83F911770E6A0D585DC38B04
• CALL 0XB6B1
• JMP 0XE93
• MOV EDI, EDI
• PUSH EBP
• MOV EBP, ESP
• MOV EAX, DWORD PTR [EBP + 8]
• XOR ECX, ECX
• CMP EAX, DWORD PTR [ECX*8 + 0X43A058]
• JE 0X1030
• INC ECX
• CMP ECX, 0X2D
• JB 0X1014
• LEA ECX, [EAX - 0X13]
• CMP ECX, 0X11
• JA 0X1039
• PUSH 0XD
• POP EAX
• POP EBP
• RET

Signatures:

Rich Signature Analyzer:
Code -> A8B961CEECD80F9DECD80F9DECD80F9DE5A08B9DEDD80F9DE5A08C9DEDD80F9D83AEA49DE9D80F9DF745A49DC7D80F9DF745919DF8D80F9DF745A59D9BD80F9DE5A09C9DFBD80F9DECD80E9D5ED80F9DF745A09DFDD80F9DF745949DEDD80F9DF745929DEDD80F9D52696368ECD80F9D
Footprint md5 Hash -> 4898C17A5929FE87D547401C6D365F46
• The Rich header apparently has not been modified

Packer/Compiler:

Compiler: Microsoft Visual C ++
Detect It Easy (die)
• PE: compiler: EP:Microsoft Visual C/C++(2008-2010)[EXE32]
• PE: compiler: Microsoft Visual C/C++(2010 SP1)[libcmt]
• PE: linker: Microsoft Linker(10.0)[EXE32,signed]
• PE: Sign tool: Windows Authenticode(2.0)[PKCS 7]
• Entropy: 6.64272

Suspicious Functions:

Library	Function	Description
KERNEL32.DLL	GetModuleFileNameA	Retrieve the fully qualified path for the executable file of a specified module.
KERNEL32.DLL	VirtualAlloc	Reserve, commit, or both, a region of memory within the virtual address space of a process.
KERNEL32.DLL	WriteFile	Writes data to a specified file or input/output (I/O) device.
KERNEL32.DLL	LoadLibraryA	Loads the specified module into the address space of the calling process.
KERNEL32.DLL	LoadLibraryW	Loads the specified module into the address space of the calling process.
KERNEL32.DLL	GetProcAddress	Retrieves the address of an exported function or variable from the specified dynamic-link library (DLL).
KERNEL32.DLL	IsDebuggerPresent	Determines if the calling process is being debugged by a user-mode debugger.

File Access:

MebQGHrh.exe
SHLWAPI.dll
gdiplus.dll
WINHTTP.dll
WS2_32.dll
OLEAUT32.dll
ole32.dll
SHELL32.dll
ADVAPI32.dll
GDI32.dll
USER32.dll
KERNEL32.dll
Temp

File Access (UNICODE):

C$@CorExitProcessmscoree.dll
%s\%S.exe
%s\%d.bat
Temp

SQL Queries:

Select * FROM Win32_ProcessorCaption
Select * FROM Win32_OperatingSystemCSDVersion
Select * FROM Win32_TimeZone

Interest's Words:

PADDINGX
exec
start
shutdown
systeminfo
ping
expand

Interest's Words (UNICODE):

start

URLs:

http://www.usertrust.com10
http://crl.usertrust.com/UTN-USERFirst-Object.crl
http://crt.usertrust.com/UTNAddTrustObject_CA.crt
http://ocsp.usertrust.com
http://crl.comodoca.com/COMODOCodeSigningCA2.crl
http://crt.comodoca.com/COMODOCodeSigningCA2.crt
http://ocsp.comodoca.com
https://secure.comodo.net/CPS0A

IP Addresses:

2.5.0.16
46.4.69.25
2.5.0.16

Strings/Hex Code Found With The File Rules:

• Rule Text (Ascii): Registry (RegOpenKeyEx)
• Rule Text (Ascii): File (GetTempPath)
• Rule Text (Ascii): File (CreateFile)
• Rule Text (Ascii): File (WriteFile)
• Rule Text (Ascii): File (ReadFile)
• Rule Text (Ascii): Anti-Analysis VM (IsDebuggerPresent)
• Rule Text (Ascii): Anti-Analysis VM (GetSystemInfo)
• Rule Text (Ascii): Anti-Analysis VM (GlobalMemoryStatusEx)
• Rule Text (Ascii): Stealth (VirtualAlloc)
• Rule Text (Ascii): Stealth (VirtualProtect)
• Rule Text (Ascii): Execution (CreateProcessW)
• Rule Text (Ascii): Antivirus Software (comodo)
• Rule Text (Unicode): WMI execution (ROOT\CIMV2)
• EP Rules: Microsoft Visual C++ 8
• EP Rules: Microsoft Visual C++ 8
• EP Rules: VC8 -> Microsoft Corporation

Resources:

Path	DataRVA	Size	FileOffset	Code	Text
\ICON\1\1033	3F190	25A8	3A590	2800000030000000600000000100200000000000802500000000000000000000000000000000000000000000000000000000	(...0........ ......%............................
\ICON\2\1033	41738	10A8	3CB38	2800000020000000400000000100200000000000802500000000000000000000000000000000000000000000000000000000	(... ...@..... ......%............................
\ICON\3\1033	427E0	468	3DBE0	2800000010000000200000000100200000000000802500000000000000000000000000000000000000000000000000000000	(....... ..... ......%............................
\GROUP_ICON\1\0	42C48	30	3E048	0000010003003030000001002000A825000001002020000001002000A810000002001010000001002000680400000300	......00.... ..%.... .... ............. .h.....
\VERSION\1\0	42C78	2FC	3E078	FC0234000000560053005F00560045005200530049004F004E005F0049004E0046004F0000000000BD04EFFE000001000500	..4...V.S._.V.E.R.S.I.O.N._.I.N.F.O...............
\24\1\1033	42F74	15A	3E374	3C617373656D626C7920786D6C6E733D2275726E3A736368656D61732D6D6963726F736F66742D636F6D3A61736D2E763122	<assembly xmlns="urn:schemas-microsoft-com:asm.v1"

Intelligent String:

• 2.5.0.16
• mscoree.dll
• ADVAPI32.DLL
• %s\%s%x%x.tmp
• %s\%d.bat
• %s\%S.exe
• 46.4.69.25
• http://%S
• /dispatch.asp
• KERNEL32.dll
• USER32.dll
• WS2_32.dll
• .CT.CH.C8.C$.C.C

Flow Anomalies:

Offset	RVA	Section	Description
344D	??	.text	CALL DWORD PTR [EAX +68h] \| Displacement form
4B1C	??	.text	CALL DWORD PTR [EAX +68h] \| Displacement form
5B01	??	.text	JMP DWORD PTR [EAX] \| Indirect jump via pointer at address in EAX
BF25	??	.text	JMP DWORD PTR [EAX] \| Indirect jump via pointer at address in EAX
155E3	??	.text	CALL DWORD PTR [EAX +8h] \| Displacement form
1F665	??	.text	CALL DWORD PTR [EAX -18h] \| Displacement form
2765A	??	.text	CALL DWORD PTR [EAX +68h] \| Displacement form
294D1	??	.text	CALL DWORD PTR [ECX -47h] \| Displacement form
2989B	??	.text	CALL DWORD PTR [ECX -48h] \| Displacement form
29BC5	??	.text	CALL DWORD PTR [EAX -48h] \| Displacement form
2A942	??	.text	CALL DWORD PTR [ECX +68h] \| Displacement form
40800	??	Overlay	100D00000002020030820D0006092A864886F70D \| ........0.....*.H...

Extra 4n4lysis:

Metric	Value	Percentage
Ascii Code	151879	56,7696%
Null Byte Code	40468	15,1262%