PESCAN.IO — Analysis Report

PESCAN.IO - Analysis Report Basic

File Structure

PE Chart Code

Executable header (light blue)

Executable sections (pink)

Non-executable sections (black)

External injected code (red)

File Structure in red = malformed or corrupted header

Chart Code For Other Files

Printable characters (blue)

Non-printable characters (black)

Information

Icon:

Size: 1,16 MB
SHA-256 Hash: DC5B215A6A23E5B7C34A982638F7F5B1902B36D0334796DB9B0037DF2A579A25
SHA-1 Hash: 5754400C51BACDC8DB20E6514D978D6157B08B52
MD5 Hash: 1D862D095CF40976C445C429981BA9C9
Imphash: F34D5F2D4577ED6D9CEEC516C1F5A744
MajorOSVersion: 4
MinorOSVersion: 0
CheckSum: 0012A330
EntryPoint (rva): 11D89E
SizeOfHeaders: 200
SizeOfImage: 12A000
ImageBase: 400000
Architecture: x86
ImportTable: 11D844
IAT: 2000
Characteristics: 102
TimeDateStamp: 51F00614
Date: 24/07/2013 16:51:32
File Type: EXE
Number Of Sections: 3
ASLR: Enabled
Section Names: .text, .rsrc, .reloc
Number Of Executable Sections: 1
Subsystem: Windows GUI
UAC Execution Level Manifest: asInvoker

Sections Info

Section Name	Flags	ROffset	RSize	VOffset	VSize	Entropy	Chi2
.text	60000020 (Code, Executable, Readable)	200	11BA00	2000	11B8A4	6,4495	19632399,38
.rsrc	40000040 (Initialized Data, Readable)	11BC00	9A00	11E000	99B8	5,5762	1274330,34
.reloc	42000040 (Initialized Data, GP-Relative, Readable)	125600	200	128000	C	0,1019	128015,00

Description

OriginalFilename: CDCE62005_GUI.exe
LegalCopyright: Copyright 2012
ProductName: CDCE62005_GUI
FileVersion: 1.0.0.0
FileDescription: CDCE62005_GUI
ProductVersion: 1.0.0.0
Language: Unknown (ID=0x0)
CodePage: Unicode (UTF-16 LE) (0x4B0)

Entry Point

The section number (1) - (.text) have the Entry Point
Information -> EntryPoint (calculated) - 11BA9E
Code -> FF25002040000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
• JMP DWORD PTR [0X402000]
• ADD BYTE PTR [EAX], AL
• ADD BYTE PTR [EAX], AL
• ADD BYTE PTR [EAX], AL
• ADD BYTE PTR [EAX], AL
• ADD BYTE PTR [EAX], AL
• ADD BYTE PTR [EAX], AL
• ADD BYTE PTR [EAX], AL
• ADD BYTE PTR [EAX], AL
• ADD BYTE PTR [EAX], AL
• ADD BYTE PTR [EAX], AL
• ADD BYTE PTR [EAX], AL
• ADD BYTE PTR [EAX], AL
• ADD BYTE PTR [EAX], AL
• ADD BYTE PTR [EAX], AL
• ADD BYTE PTR [EAX], AL
• ADD BYTE PTR [EAX], AL
• ADD BYTE PTR [EAX], AL
• ADD BYTE PTR [EAX], AL
• ADD BYTE PTR [EAX], AL
• ADD BYTE PTR [EAX], AL
• ADD BYTE PTR [EAX], AL
• ADD BYTE PTR [EAX], AL

Signatures

Certificate - Digital Signature:
• The file is signed and the signature is correct

Packer/Compiler

Compiler: Microsoft Visual .NET - (You can use a decompiler for this...)
• AnyCPU: False
• Version: v4.0
Compiler: Microsoft Visual Studio
Detect It Easy (die)
• PE: Protector: Eziriz .NET Reactor(6.x.x.x)[By Dr.FarFar]
• PE: library: .NET(v4.0.30319)[-]
• PE: linker: Microsoft Linker(8.0)[-]
• PE: Sign tool: Windows Authenticode(2.0)[PKCS 7]
• Entropy: 6.44338

File Access

CDCE62005_GUI.exe
mscoree.dll
TIHera.dll
AppData

File Access (UNICODE)

CDCE62005_GUI.exe
\savedData.ini
ini)|*.INI

Interest's Words

PassWord
<input
<main
exec
attrib
start
ping

Interest's Words (UNICODE)

PassWord

URLs

http://ocsp.thawte.com
http://crl.thawte.com/ThawteTimestampingCA.crl
http://ts-ocsp.ws.symantec.com
http://ts-aia.ws.symantec.com/tss-ca-g2.cer
http://ts-crl.ws.symantec.com/tss-ca-g2.crl
http://crl.microsoft.com/pki/crl/products/MicrosoftCodeVerifRoot.crl
http://csc3-2010-crl.verisign.com/CSC3-2010.crl
http://ocsp.verisign.com
http://csc3-2010-aia.verisign.com/CSC3-2010.cer
http://logo.verisign.com/vslogo.gif04
http://crl.verisign.com/pca3-g5.crl
https://www.verisign.com/rpa
https://www.verisign.com/rpa0
https://www.verisign.com/cps0*
https://www.verisign.com/rpa0

IP Addresses

10.0.0.0

Strings/Hex Code Found With The File Rules

Rule Type	Encoding	Matched (Word)
Text	Ascii	WinAPI Sockets (send)
Text	Ascii	Antivirus Software (Symantec)
Text	Ascii	Keyboard Key (Scroll)
Text	Unicode	Keyboard Key (Scroll)
Text	Ascii	Technique used to circumvent security measures (Bypass)
Text	Unicode	Technique used to circumvent security measures (Bypass)
Entry Point	Hex Pattern	Microsoft Visual C / Basic .NET
Entry Point	Hex Pattern	Microsoft Visual C++ 8
Entry Point	Hex Pattern	Microsoft Visual C++ 8.0
Entry Point	Hex Pattern	Microsoft Visual C v7.0 / Basic .NET
Entry Point	Hex Pattern	Microsoft Visual Studio .NET
Entry Point	Hex Pattern	.NET executable

Resources

Path	DataRVA	Size	FileOffset	Code	Text
\ICON\2\0	11E5B0	668	11C1B0	2800000030000000600000000100040000000000000600000000000000000000100000000000000000000000000080000080	(...0............................................
\ICON\3\0	11EC18	2E8	11C818	2800000020000000400000000100040000000000800200000000000000000000100000000000000000000000000080000080	(... ...@.........................................
\ICON\4\0	11EF00	128	11CB00	2800000010000000200000000100040000000000C00000000000000000000000100000000000000000000000000080000080	(....... .........................................
\ICON\5\0	11F028	EA8	11CC28	2800000030000000600000000100080000000000800A00000000000000000000000100000000000000000000D7563A00D856	(...0.......................................V:..V
\ICON\6\0	11FED0	8A8	11DAD0	2800000020000000400000000100080000000000800400000000000000000000000100000000000000000000D7573A00D856	(... ...@....................................W:..V
\ICON\7\0	120778	568	11E378	2800000010000000200000000100080000000000400100000000000000000000000100000000000000000000D7563A00D856	(....... ...........@........................V:..V
\ICON\8\0	120CE0	2F95	11E8E0	89504E470D0A1A0A0000000D49484452000001000000010008060000005C72A86600002F5C4944415478DAED9D0B9C53C5D9	.PNG........IHDR.............\r.f../\IDATx.....S..
\ICON\9\0	123C78	25A8	121878	2800000030000000600000000100200000000000802500000000000000000000000000000000000000000000000000000000	(...0........ ......%............................
\ICON\10\0	126220	10A8	123E20	2800000020000000400000000100200000000000801000000000000000000000000000000000000000000000000000000000	(... ...@..... ...................................
\ICON\11\0	1272C8	468	124EC8	2800000010000000200000000100200000000000400400000000000000000000000000000000000000000000000000000000	(....... ..... .....@.............................
\GROUP_ICON\32512\0	127730	92	125330	000001000A0030301000010004006806000002002020100001000400E8020000030010101000010004002801000004003030	......00......h..... ....................(.....00
\VERSION\1\0	11E2E0	2D0	11BEE0	D00234000000560053005F00560045005200530049004F004E005F0049004E0046004F0000000000BD04EFFE000001000000	..4...V.S._.V.E.R.S.I.O.N._.I.N.F.O...............
\24\1\0	1277C8	1EA	1253C8	EFBBBF3C3F786D6C2076657273696F6E3D22312E302220656E636F64696E673D225554462D3822207374616E64616C6F6E65	...<?xml version="1.0" encoding="UTF-8" standalone

Intelligent String

• 1.0.0.0
• CDCE62005_GUI.exe
• /INI Files (*.ini)|*.INI
• \savedData.ini
• .ini
• /HEX Files (*.hex)|*.HEX
• .hex
• /INI Files (*.bin)|*.BIN
• D:\Clocks & Opticals\Projects\CDCE62005\GUI Elements\C\CDCE62005_GUI\CDCE62005_GUI\obj\x86\Release\CDCE62005_GUI.pdb
• _CorExeMainmscoree.dll

Flow Anomalies

Offset	RVA	Section	Description
2DDEE	1277C8	.text	JMP [static] \| Indirect jump to absolute memory address
34AA1	41E8770B	.text	CALL [static] \| Indirect call to absolute memory address
3BBB5	41E8770B	.text	JMP [static] \| Indirect jump to absolute memory address
45185	41E8770B	.text	JMP [static] \| Indirect jump to absolute memory address
4E5E5	41E8770B	.text	JMP [static] \| Indirect jump to absolute memory address
57AFD	41E8770B	.text	JMP [static] \| Indirect jump to absolute memory address
612D2	41E8770B	.text	JMP [static] \| Indirect jump to absolute memory address
6B457	58DA9F3B	.text	JMP [static] \| Indirect jump to absolute memory address
7606D	58DA9F3B	.text	JMP [static] \| Indirect jump to absolute memory address
7F4CD	58DA9F3B	.text	JMP [static] \| Indirect jump to absolute memory address
88AC4	58DA9F3B	.text	JMP [static] \| Indirect jump to absolute memory address
98F2C	219B33AD	.text	JMP [static] \| Indirect jump to absolute memory address
99492	40F0E7DF	.text	CALL [static] \| Indirect call to absolute memory address
A0D70	2B9C4E27	.text	JMP [static] \| Indirect jump to absolute memory address
A57DA	707EF8AA	.text	CALL [static] \| Indirect call to absolute memory address
A8AB6	3FC204D	.text	JMP [static] \| Indirect jump to absolute memory address
AB897	3FC204D	.text	CALL [static] \| Indirect call to absolute memory address
B6ACA	238F33B2	.text	CALL [static] \| Indirect call to absolute memory address
C5616	41E8770B	.text	CALL [static] \| Indirect call to absolute memory address
CF3F5	41E8770B	.text	JMP [static] \| Indirect jump to absolute memory address
D9765	41E8770B	.text	JMP [static] \| Indirect jump to absolute memory address
DE7F8	619861FA	.text	JMP [static] \| Indirect jump to absolute memory address
E3EE5	619861FA	.text	JMP [static] \| Indirect jump to absolute memory address
ED4B5	619861FA	.text	JMP [static] \| Indirect jump to absolute memory address
F6EF5	619861FA	.text	JMP [static] \| Indirect jump to absolute memory address
FB745	C3F1CCE	.text	CALL [static] \| Indirect call to absolute memory address
FB833	C3F1CCE	.text	CALL [static] \| Indirect call to absolute memory address
100F15	C3F1CCE	.text	JMP [static] \| Indirect jump to absolute memory address
11BA9E	402000	.text	JMP [static] \| Indirect jump to absolute memory address
120E6E	402000	.rsrc	JMP [static] \| Indirect jump to absolute memory address
125800	N/A	Overlay	F83A00000002020030823AEB06092A864886F70D \| .:......0.:...*.H...

Extra Analysis

Metric	Value	Percentage
Ascii Code	667110	54,8037%
Null Byte Code	311843	25,6182%

PESCAN.IO - Analysis Report Basic