PESCAN.IO - Analysis Report

PESCAN.IO - Analysis Report

File Structure:
PE chart code: - The executable header is displayed in light blue. - The executable sections are pink. - Non-executable sections are black. - Code added to executables externally to a compiler appears in red. Chart code for other files: - Printable characters are blue. - Non-printable characters (Null Bytes) are black.

Information:

Icon:

Size: 535,27 KB
SHA-256 Hash: 4A53DB7B98AA000AEAA72D6A44004EF9ED3B6C09DD04A3E6015B62D741DE3437
SHA-1 Hash: B7438E699DD54F8B56FC779C1B8B08B1943D9892
MD5 Hash: 53A9E1B59FF37CC2AEFF0391CC546201
Imphash: E42646AF54F7999FC51FC06C9287D5EC
MajorOSVersion: 5
CheckSum: 000955A9
EntryPoint (rva): 376E
SizeOfHeaders: 400
SizeOfImage: 8B000
ImageBase: 400000
Architecture: x86
ExportTable: 39BF0
ImportTable: 38BA4
Characteristics: 102
TimeDateStamp: 52AEEE75
Date: 16/12/2013 12:13:41
File Type: EXE
Number Of Sections: 5
ASLR: Enabled
Section Names: .text, .rdata, .data, .rsrc, .reloc
Number Of Executable Sections: 1
Subsystem: Windows GUI
UAC Execution Level Manifest: asInvoker

Sections Info:

Section Name	Flags	ROffset	RSize	VOffset	VSize
.text	60000020 (Executable)	400	30E00	1000	30DAC
.rdata	40000040	31200	7E00	32000	7C46
.data	C0000040 (Writeable)	39000	1400	3A000	42A4
.rsrc	40000040	3A400	48A00	3F000	489FE
.reloc	42000040	82E00	2200	88000	2142

Description:

CompanyName: Cypress Semiconductor Inc.
LegalCopyright: (c) 2012 Cypress Semiconductor Inc. All rights reserved.
ProductName: Trackpad Gesture Engine Monitor
FileVersion: 2.5.0.16
FileDescription: Trackpad Gesture Engine Monitor
ProductVersion: 2.5.0.16
Language: Unknown (ID=0x0)
CodePage: Unicode (UTF-16 LE) (0x4B0)

Entry Point:

The section number (1) - (.text) have the Entry Point
Information -> EntryPoint (calculated) - 2B6E
Code -> E8ACA60000E989FEFFFF8BFF558BEC8B450833C93B04CD58A0430074134183F92D72F18D48ED83F911770E6A0D585DC38B04
• CALL 0XB6B1
• JMP 0XE93
• MOV EDI, EDI
• PUSH EBP
• MOV EBP, ESP
• MOV EAX, DWORD PTR [EBP + 8]
• XOR ECX, ECX
• CMP EAX, DWORD PTR [ECX*8 + 0X43A058]
• JE 0X1030
• INC ECX
• CMP ECX, 0X2D
• JB 0X1014
• LEA ECX, [EAX - 0X13]
• CMP ECX, 0X11
• JA 0X1039
• PUSH 0XD
• POP EAX
• POP EBP
• RET

Signatures:

Rich Signature Analyzer:
Code -> A8B961CEECD80F9DECD80F9DECD80F9DE5A08B9DEDD80F9DE5A08C9DEDD80F9D83AEA49DE9D80F9DF745A49DC7D80F9DF745919DF8D80F9DF745A59D9BD80F9DE5A09C9DFBD80F9DECD80E9D5ED80F9DF745A09DFDD80F9DF745949DEDD80F9DF745929DEDD80F9D52696368ECD80F9D
Footprint md5 Hash -> 4898C17A5929FE87D547401C6D365F46
• The Rich header apparently has not been modified
Certificate - Digital Signature:
• The file is not signed

Packer/Compiler:

Compiler: Microsoft Visual C ++
Detect It Easy (die)
• PE: compiler: EP:Microsoft Visual C/C++(2008-2010)[EXE32]
• PE: compiler: Microsoft Visual C/C++(2010 SP1)[libcmt]
• PE: linker: Microsoft Linker(10.0)[EXE32]
• PE: Sign tool: Windows Authenticode(2.0)[PKCS 7]
• Entropy: 5.75649

Suspicious Functions:

Library	Function	Description
KERNEL32.DLL	GetModuleFileNameA	Retrieve the fully qualified path for the executable file of a specified module.
KERNEL32.DLL	VirtualAlloc	Reserve, commit, or both, a region of memory within the virtual address space of a process.
KERNEL32.DLL	WriteFile	Writes data to a specified file or input/output (I/O) device.
KERNEL32.DLL	LoadLibraryA	Loads the specified module into the address space of the calling process.
KERNEL32.DLL	LoadLibraryW	Loads the specified module into the address space of the calling process.
KERNEL32.DLL	GetProcAddress	Retrieves the address of an exported function or variable from the specified dynamic-link library (DLL).
KERNEL32.DLL	IsDebuggerPresent	Determines if the calling process is being debugged by a user-mode debugger.

File Access:

U52YGHrh.exe
SHLWAPI.dll
gdiplus.dll
WINHTTP.dll
WS2_32.dll
OLEAUT32.dll
ole32.dll
SHELL32.dll
ADVAPI32.dll
GDI32.dll
USER32.dll
KERNEL32.dll
Temp

File Access (UNICODE):

C$@CorExitProcessmscoree.dll
%s\%S.exe
%s\%d.bat
Temp

SQL Queries:

Select * FROM Win32_ProcessorCaption
Select * FROM Win32_OperatingSystemCSDVersion
Select * FROM Win32_TimeZone

Interest's Words:

exec
start
shutdown
systeminfo
ping
expand

Interest's Words (UNICODE):

start

URLs:

http://www.usertrust.com10
http://crl.usertrust.com/UTN-USERFirst-Object.crl
http://crt.usertrust.com/UTNAddTrustObject_CA.crt
http://ocsp.usertrust.com
http://crl.comodoca.com/COMODOCodeSigningCA2.crl
http://crt.comodoca.com/COMODOCodeSigningCA2.crt
http://ocsp.comodoca.com
https://secure.comodo.net/CPS0A

IP Addresses:

2.5.0.16
46.4.69.25
2.5.0.16

Strings/Hex Code Found With The File Rules:

• Rule Text (Ascii): Registry (RegOpenKeyEx)
• Rule Text (Ascii): File (GetTempPath)
• Rule Text (Ascii): File (CreateFile)
• Rule Text (Ascii): File (WriteFile)
• Rule Text (Ascii): File (ReadFile)
• Rule Text (Ascii): Anti-Analysis VM (IsDebuggerPresent)
• Rule Text (Ascii): Anti-Analysis VM (GetSystemInfo)
• Rule Text (Ascii): Anti-Analysis VM (GlobalMemoryStatusEx)
• Rule Text (Ascii): Stealth (VirtualAlloc)
• Rule Text (Ascii): Stealth (VirtualProtect)
• Rule Text (Ascii): Execution (CreateProcessW)
• Rule Text (Ascii): Antivirus Software (comodo)
• Rule Text (Unicode): WMI execution (ROOT\CIMV2)
• EP Rules: Microsoft Visual C++ 8
• EP Rules: Microsoft Visual C++ 8
• EP Rules: VC8 -> Microsoft Corporation

Resources:

Path	DataRVA	Size	FileOffset	Code	Text
\ICON\1\0	3F2E0	668	3A6E0	2800000030000000600000000100040000000000000000000000000000000000100000000000000000000000800000000080	(...0............................................
\ICON\2\0	3F948	2E8	3AD48	2800000020000000400000000100040000000000000000000000000000000000100000000000000000000000800000000080	(... ...@.........................................
\ICON\3\0	3FC30	128	3B030	2800000010000000200000000100040000000000000000000000000000000000100000000000000000000000800000000080	(....... .........................................
\ICON\4\0	3FD58	EA8	3B158	28000000300000006000000001000800000000000000000000000000000000000001000000000000020262007E827E000202	(...0....................................b.~.~...
\ICON\5\0	40C00	8A8	3C000	28000000200000004000000001000800000000000000000000000000000000000001000000000000020266007E827E000202	(... ...@.................................f.~.~...
\ICON\6\0	414A8	568	3C8A8	280000001000000020000000010008000000000000000000000000000000000000010000000000001A1A1A008A8A8A00C6C6	(....... .........................................
\ICON\7\0	41A10	42028	3CE10	2800000000010000000200000100200000000000000000000000000000000000000000000000000000000000000000000000	(............. ...................................
\ICON\8\0	83A38	25A8	7EE38	2800000030000000600000000100200000000000000000000000000000000000000000000000000000000000000000000000	(...0........ ...................................
\ICON\9\0	85FE0	10A8	813E0	2800000020000000400000000100200000000000000000000000000000000000000000000000000000000000000000000000	(... ...@..... ...................................
\ICON\10\0	87088	468	82488	2800000010000000200000000100200000000000000000000000000000000000000000000000000000000000000000000000	(....... ..... ...................................
\GROUP_ICON\1\0	874F0	92	828F0	000001000A0030301000010004006806000001002020100001000400E8020000020010101000010004002801000003003030	......00......h..... ....................(.....00
\VERSION\1\0	87584	320	82984	200334000000560053005F00560045005200530049004F004E005F0049004E0046004F0000000000BD04EFFE000001000500	.4...V.S._.V.E.R.S.I.O.N._.I.N.F.O...............
\24\1\1033	878A4	15A	82CA4	3C617373656D626C7920786D6C6E733D2275726E3A736368656D61732D6D6963726F736F66742D636F6D3A61736D2E763122	<assembly xmlns="urn:schemas-microsoft-com:asm.v1"

Intelligent String:

• 2.5.0.16
• mscoree.dll
• ADVAPI32.DLL
• %s\%s%x%x.tmp
• %s\%d.bat
• %s\%S.exe
• 46.4.69.25
• http://%S
• /dispatch.asp
• KERNEL32.dll
• USER32.dll
• WS2_32.dll
• .CT.CH.C8.C$.C.C

Flow Anomalies:

Offset	RVA	Section	Description
344D	??	.text	CALL DWORD PTR [EAX +68h] \| Displacement form
4B1C	??	.text	CALL DWORD PTR [EAX +68h] \| Displacement form
59B1	??	.reloc	CALL DWORD PTR [EAX] \| Indirect call via pointer at address in EAX
59BD	??	.reloc	JMP DWORD PTR [EAX] \| Indirect jump via pointer at address in EAX
5B01	??	.text	JMP DWORD PTR [EAX] \| Indirect jump via pointer at address in EAX
6EA9	??	.reloc	CALL DWORD PTR [EAX] \| Indirect call via pointer at address in EAX
6EB5	??	.reloc	JMP DWORD PTR [EAX] \| Indirect jump via pointer at address in EAX
8621	??	.rsrc	CALL DWORD PTR [EBX -17h] \| Displacement form
BDDF	??	.reloc	CALL DWORD PTR [EAX] \| Indirect call via pointer at address in EAX
BDEB	??	.reloc	JMP DWORD PTR [EAX] \| Indirect jump via pointer at address in EAX
BF25	??	.text	JMP DWORD PTR [EAX] \| Indirect jump via pointer at address in EAX
155E3	??	.text	CALL DWORD PTR [EAX +8h] \| Displacement form
1BF1D	??	.reloc	CALL DWORD PTR [EAX] \| Indirect call via pointer at address in EAX
1BF29	??	.reloc	JMP DWORD PTR [EAX] \| Indirect jump via pointer at address in EAX
1F665	??	.text	CALL DWORD PTR [EAX -18h] \| Displacement form
2765A	??	.text	CALL DWORD PTR [EAX +68h] \| Displacement form
294D1	??	.text	CALL DWORD PTR [ECX -47h] \| Displacement form
2989B	??	.text	CALL DWORD PTR [ECX -48h] \| Displacement form
29BC5	??	.text	CALL DWORD PTR [EAX -48h] \| Displacement form
2A942	??	.text	CALL DWORD PTR [ECX +68h] \| Displacement form
85000	??	Overlay	100D00000002020030820D0006092A864886F70D \| ........0.....*.H...

Extra 4n4lysis:

Metric	Value	Percentage
Ascii Code	231860	42,3016%
Null Byte Code	140055	25,5523%