PESCAN.IO - Analysis Report Basic

File Structure
[Analysis image: PE layout chart. Legend: executable header (light blue), executable sections (pink), non-executable sections (black), external injected code (red); a red outline on the file structure marks a malformed or corrupted header. For non-PE files the chart shows printable characters (blue) and non-printable characters (black).]
Information
Size: 5.02 MB (0x506003 = 5,267,459 bytes, the end offset of the last carve in the PE Carving table below)
SHA-256 Hash: 1D9427B7739D112E11FEFE58ECE6D8D3758E10198D978C4CC812A10EAAC0941C
SHA-1 Hash: 184421FC1D2CD5A54AE31B73E25DF68908BB1654
MD5 Hash: 7C72FFEDF679CBE21C41D0CA593DFED6
Imphash: 2E5708AE5FED0403E8117C645FB23E5B
MajorOSVersion: 4
MinorOSVersion: 0
CheckSum: 00000000
EntryPoint (rva): 11E9
SizeOfHeaders: 1000
SizeOfImage: 506000
ImageBase: 10000000
Architecture: x86
ExportTable: 2190
ImportTable: 203C
IAT: 2000
Characteristics: 210E
TimeDateStamp: 59145751
Date: 2017-05-11 12:21:37 UTC (decoded from TimeDateStamp 59145751)
File Type: DLL
Number Of Sections: 5
ASLR: Disabled
Section Names: .text, .rdata, .data, .rsrc, .reloc
Number Of Executable Sections: 1
Subsystem: Windows GUI
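The Imphash above is the MD5 of the binary's normalised import list, so two builds that import the same functions in the same order share it even when the file hashes differ. The following is an added example, not PESCAN's or pefile's code, of that normalisation as Mandiant published it: lower-case `dll.function` tokens in import-table order, the `.dll`/`.ocx`/`.sys` extension stripped, and ordinal-only imports from ws2_32 and oleaut32 mapped back to names so the hash does not depend on whether the linker emitted names or ordinals. The import list and the ordinal subset are constructed from DLLs this report names; its digest is not expected to equal 2E5708AE5FED0403E8117C645FB23E5B, which covers the binary's complete import table.

```python
import hashlib

# Ordinal-only imports are mapped back to names for ws2_32 and oleaut32 (the two DLLs the
# algorithm special-cases, both of which this report lists); this is a constructed subset
# of the full ordinal tables, enough for the example.
ORDINAL_NAMES = {
    "ws2_32": {1: "accept", 2: "bind", 3: "closesocket", 4: "connect", 16: "recv",
               19: "send", 23: "socket", 115: "WSAStartup", 116: "WSACleanup"},
    "oleaut32": {2: "SysAllocString", 4: "SysAllocStringLen", 6: "SysFreeString", 7: "SysStringLen"},
}

def normalise_import(dll, name=None, ordinal=None):
    """One 'dll.function' token: lower-case, .dll/.ocx/.sys stripped, ordinals resolved or 'ordN'."""
    dll = dll.lower()
    stem, dot, ext = dll.rpartition(".")
    if dot and ext in ("dll", "ocx", "sys"):
        dll = stem
    if name is None:
        name = ORDINAL_NAMES.get(dll, {}).get(ordinal, f"ord{ordinal}")
    return f"{dll}.{name.lower()}"

def imphash(imports):
    """imports: (dll, name_or_None, ordinal_or_None) tuples in import-table order.
    Returns the normalised string and its MD5. Order matters: the same DLLs linked in a
    different sequence produce a different hash."""
    joined = ",".join(normalise_import(*entry) for entry in imports)
    return joined, hashlib.md5(joined.encode()).hexdigest()

# Constructed import list using DLLs and functions named in this report; it is not the
# binary's full import table, so the digest will not match the report's Imphash.
SAMPLE_IMPORTS = [
    ("KERNEL32.DLL", "GetModuleFileNameA", None),
    ("KERNEL32.DLL", "VirtualAlloc", None),
    ("ADVAPI32.DLL", "CryptEncrypt", None),
    ("WS2_32.dll", None, 23),      # socket, imported by ordinal
    ("OLEAUT32.dll", None, 6),     # SysFreeString, imported by ordinal
    ("WININET.dll", None, 4660),   # hypothetical ordinal with no table entry -> ord4660
]

if __name__ == "__main__":
    joined, digest = imphash(SAMPLE_IMPORTS)
    print(joined)
    print("imphash:", digest)
```

The ordinal mapping is the part analysts most often get wrong when re-implementing this: without it, a ws2_32 import linked by ordinal produces `ws2_32.ord23` on one build and `ws2_32.socket` on another, and the two hashes stop correlating.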

Sections Info (offsets and sizes in hex)
Section  Flags                                               ROffset  RSize   VOffset  VSize   Entropy  Chi2
.text    60000020 (Code, Executable, Readable)               1000     1000    1000     28C     1.443    769060
.rdata   40000040 (Initialized Data, Readable)               2000     1000    2000     1D8     0.7346   906659.63
.data    C0000040 (Initialized Data, Readable, Writeable)    3000     1000    3000     154     0.0852   1030197.13
.rsrc    40000040 (Initialized Data, Readable)               4000     501000  4000     500060  6.2998   139600200.84
.reloc   42000040 (Initialized Data, Discardable, Readable)  505000   1000    505000   2AC     0        1044480
The 0x02000000 bit in .reloc's flags is IMAGE_SCN_MEM_DISCARDABLE (IMAGE_SCN_GPREL would be 0x00008000). Note the profile: 0x28C bytes of code against 0x500060 bytes of .rsrc at entropy 6.3, so almost the whole file is resource data, which is where the carving below finds the embedded executables.
Binder/Joiner/Crypter
5 executable files found (see PE Carving)
Data after the end of the image (EOF overlay): 3 bytes, labelled "dropper code" by the tool. The overlay at offset 506000 is reported as 000000 (see Flow Anomalies), three null bytes of padding; 3 bytes cannot be code, so that label is a heuristic false positive.

Entry Point
The entry point (RVA 11E9) lies in section 1 (.text).
Information -> EntryPoint (calculated) - 11E9
Code -> 558BEC538B5D08568B750C578B7D1085F67509833D4031001000EB2683FE01740583FE027522A15031001085C07409575653
Assembler (branch targets given as RVAs; the listing starts at the entry point RVA 11E9)
|PUSH EBP
|MOV EBP, ESP
|PUSH EBX
|MOV EBX, DWORD PTR [EBP + 8]        ; hinstDLL
|PUSH ESI
|MOV ESI, DWORD PTR [EBP + 0xC]      ; fdwReason
|PUSH EDI
|MOV EDI, DWORD PTR [EBP + 0x10]     ; lpReserved
|TEST ESI, ESI                       ; fdwReason == 0 (DLL_PROCESS_DETACH)?
|JNE 0x1205
|CMP DWORD PTR [0x10003140], 0
|JMP 0x122B
|CMP ESI, 1                          ; DLL_PROCESS_ATTACH
|JE 0x120F
|CMP ESI, 2                          ; DLL_THREAD_ATTACH
|JNE 0x1231
|MOV EAX, DWORD PTR [0x10003150]
|TEST EAX, EAX
|JE 0x1221
|PUSH EDI
|PUSH ESI
|PUSH EBX
This is the stock Visual C++ 6 DLL CRT entry stub, which is also what the entry-point signature matches below (EP: Microsoft Visual C/C++ 6.0 [DLL32]) report: it loads the three DllMain arguments, dispatches on fdwReason, and, when the function pointer at 0x10003150 is non-null, re-pushes the same three arguments for that function (the 50-byte listing stops before the call). The entry point itself contains no payload logic.
Signatures
Rich Signature Analyzer:
Code -> 7D9C725F39FD1C0C39FD1C0C39FD1C0CD1E2160C3DFD1C0C39FD1D0C36FD1C0CFAF2410C3AFD1C0CD1E2170C38FD1C0C81FB1A0C38FD1C0CD1E2180C3AFD1C0C5269636839FD1C0C
Footprint md5 Hash -> FBA6D12346A0C99D94A960A31BFAD9CB
• The Rich header apparently has not been modified
Certificate - Digital Signature Not Found:
• The file is not signed
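The Rich hex dump above can be decoded by hand, and the decode is what the "not modified" verdict rests on. The following is an added example, not PESCAN's code: everything before the `Rich` marker is XORed with the key stored after it; the first decoded dword must read `DanS`, then three zero dwords, then (product id, build, use count) pairs for the objects the linker consumed. The key doubles as a checksum over the DOS header bytes and those entries, so recomputing it exposes a rewritten or padded header. The DOS header is not reproduced in this report, so `rich_checksum` is exercised on a constructed all-zero header to show the call shape; the product-id names come from the public @comp.id tables and any id not in that short table is left numeric.

```python
import struct

# Hex dump from the "Rich Signature Analyzer" line above, copied verbatim (18 little-endian dwords).
RICH_HEX = ("7D9C725F39FD1C0C39FD1C0C39FD1C0CD1E2160C3DFD1C0C39FD1D0C36FD1C0CFAF2410C3AFD1C0C"
            "D1E2170C38FD1C0C81FB1A0C38FD1C0CD1E2180C3AFD1C0C5269636839FD1C0C")
DANS, RICH = 0x536E6144, 0x68636952  # "DanS" and "Rich" read as little-endian dwords

# Product ids from the public @comp.id tables; only the ids this header uses are named here.
PRODUCTS = {0x01: "Import0", 0x04: "Linker600", 0x06: "Cvtres500", 0x0A: "Utc12_C", 0x0B: "Utc12_CPP"}

def rol32(value, count):
    count %= 32
    return ((value << count) | (value >> (32 - count))) & 0xFFFFFFFF

def decode_rich(raw):
    """Return (key, [(prodid, build, count), ...]) from a Rich block that ends in 'Rich' + key.

    Every dword before 'Rich' is XORed with the key; the first must decode to 'DanS' followed by
    three zero padding dwords, after which (compid, count) pairs describe the linked objects.
    """
    words = struct.unpack("<%dI" % (len(raw) // 4), raw)
    if words[-2] != RICH:
        raise ValueError("no Rich marker")
    key = words[-1]
    clear = [w ^ key for w in words[:-2]]
    if clear[0] != DANS or clear[1:4] != [0, 0, 0]:
        raise ValueError("DanS marker/padding did not decode: wrong key or tampered header")
    return key, [(cid >> 16, cid & 0xFFFF, n) for cid, n in zip(clear[4::2], clear[5::2])]

def rich_checksum(dos_header, dans_offset, entries):
    """Recompute the key the linker stored: dans_offset + rol(byte, i) over the DOS header bytes
    before DanS (skipping the e_lfanew field at 0x3C..0x3F) + rol(compid, count) per entry.
    A value that differs from the stored key means the header was rewritten after linking."""
    checksum = dans_offset
    for i, byte in enumerate(dos_header[:dans_offset]):
        if not 0x3C <= i < 0x40:
            checksum = (checksum + rol32(byte, i)) & 0xFFFFFFFF
    for prodid, build, count in entries:
        checksum = (checksum + rol32((prodid << 16) | build, count)) & 0xFFFFFFFF
    return checksum

def describe(entries):
    return [f"{PRODUCTS.get(p, hex(p))} build {b} x{n}" for p, b, n in entries]

if __name__ == "__main__":
    key, entries = decode_rich(bytes.fromhex(RICH_HEX))
    print(f"xor key / stored checksum: {key:#010x}")
    for line in describe(entries):
        print(" ", line)
    # The DOS header is not in the report, so the real checksum cannot be re-run here; this only
    # shows the call on a constructed all-zero 0x80-byte header with DanS assumed at 0x80.
    print("checksum over constructed DOS header:", hex(rich_checksum(bytes(0x80), 0x80, entries)))
```

Decoding the page's bytes yields key 0x0C1CFD39 and six entries: C and C++ objects from compiler build 8168 (Utc12_C x4, Utc12_CPP x1), linker 6.0 build 8168 (x3), Cvtres500 build 1720 (x1), 15 import stubs, and three objects from an unnamed product id 0x5D at build 4035. That is consistent with the Visual C++ 6 / Linker 6.0 verdicts in the Packer/Compiler section.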

Packer/Compiler
Compiler: Microsoft Visual C++
Compiler: Microsoft Visual C++ 6 DLL
Detect It Easy (die)
PE: compiler: EP:Microsoft Visual C/C++(6.0 (1720-8966))[DLL32]
PE: compiler: Microsoft Visual C/C++(6.0)[msvcrt]
PE: linker: Microsoft Linker(6.0)[-]
Entropy: 6.28306

Suspicious Functions
Library Function Description
KERNEL32.DLL GetModuleFileNameA Retrieve the fully qualified path for the executable file of a specified module.
KERNEL32.DLL VirtualAlloc Reserve, commit, or both, a region of memory within the virtual address space of a process.
KERNEL32.DLL GetModuleHandleA Retrieves a handle to the specified module.
KERNEL32.DLL CopyFileA Copies an existing file to a new file.
KERNEL32.DLL WriteFile Writes data to a specified file or input/output (I/O) device.
KERNEL32.DLL LoadLibraryA Loads the specified module into the address space of the calling process.
KERNEL32.DLL LoadLibraryW Loads the specified module into the address space of the calling process.
KERNEL32.DLL GetProcAddress Retrieves the address of an exported function or variable from the specified dynamic-link library (DLL).
KERNEL32.DLL CreateFileA Creates or opens a file or I/O device.
KERNEL32.DLL IsDebuggerPresent Determines if the calling process is being debugged by a user-mode debugger.
ADVAPI32.DLL CryptEncrypt Performs a cryptographic operation on data in a data block.
ADVAPI32.DLL CryptDecrypt Performs a cryptographic operation on data in a data block.
ADVAPI32.DLL RegSetValueExA Sets the data and type of a specified value under a registry key.
Export Functions (carving)
Original Name -> launcher.dll
PlayGame

File Access
tasksche.exe
cmd.exe
mssecsvc.exe
kernel32.dll
advapi32.dll
MSVCP60.dll
MSVCRT.dll
WS2_32.dll
OLEAUT32.dll
SHELL32.dll
USER32.dll
msvcrtd.dll
msvcrt.dll
launcher.dll
WININET.dll
iphlpapi.dll
@.dat
.dat
PPh.dat
Temp

File Access (UNICODE)
CreateFileACreateProcessAkernel32.dll
USER32.DLL
CorExitProcessmscoree.dll
Temp

Words of Interest
Encrypt
Decrypt
attrib
start
cacls
icacls
systeminfo
replace

URLs
http://www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com

IP Addresses
172.16.99.5
192.168.56.20

PE Carving (offsets and sizes in hex; each carve ends where the next begins)
Start Offset  End Offset  Size (Bytes)
0             4064        4064
4064          F084        B020
F084          130E4       4060
130E4         36108       23024
36108         506003      4CFEFB
The ranges are delimited by successive MZ headers: offset 0 is launcher.dll itself; 4064 is the MZ header that the Resources entry below shows 4 bytes into the resource data at file offset 4060 (the embedded executable); the later carves start inside that embedded image.
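The Sections Info table earlier on this page and the carving table just above both come from one walk of the PE headers: follow `e_lfanew` to `PE\0\0`, read the 20-byte COFF header, then each 40-byte IMAGE_SECTION_HEADER. Per-section entropy is computed over the raw bytes, `max(PointerToRawData + SizeOfRawData)` gives the image end and whatever follows it is overlay, and an embedded executable is any `MZ` whose header chain validates the same way. The following is an added example, not PESCAN's code, that does this over a constructed five-section DLL built in memory (same section names, flags and .rsrc layout as the report, with a second PE 0x60 bytes into .rsrc and a 3-byte overlay); the entry-point bytes and the `launcher.dll`/`PlayGame` strings are copied from this report, everything else is synthetic.

```python
import math
import struct
from collections import Counter

# IMAGE_SECTION_HEADER.Characteristics bits used in the report's section table;
# 0x02000000 is IMAGE_SCN_MEM_DISCARDABLE, the extra bit in .reloc's 0x42000040.
SECTION_FLAGS = {
    0x00000020: "Code", 0x00000040: "Initialized Data", 0x00000080: "Uninitialized Data",
    0x02000000: "Discardable", 0x20000000: "Executable", 0x40000000: "Readable",
    0x80000000: "Writeable",
}
FILE_ALIGN, SECT_ALIGN, HDR_SIZE, OPT_SIZE = 0x200, 0x1000, 0x200, 0xE0  # PE32 layout used below

def decode_flags(characteristics):
    return [name for bit, name in SECTION_FLAGS.items() if characteristics & bit]

def entropy(data):
    """Shannon entropy in bits per byte: 0.0 for a constant run, 8.0 for uniformly distributed bytes."""
    n = len(data)
    if n == 0:
        return 0.0
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())

def parse_sections(blob, base=0):
    """Walk MZ -> e_lfanew -> PE\\0\\0 -> COFF header -> section table of the image at blob[base:]."""
    if blob[base:base + 2] != b"MZ":
        raise ValueError("no MZ header")
    pe = base + struct.unpack_from("<I", blob, base + 0x3C)[0]
    if blob[pe:pe + 4] != b"PE\0\0":
        raise ValueError("no PE signature")
    _machine, nsections, _, _, _, opt_size, _ = struct.unpack_from("<HHIIIHH", blob, pe + 4)
    table = pe + 24 + opt_size  # signature (4) + COFF header (20) + optional header
    sections = []
    for i in range(nsections):
        name, vsize, vaddr, rsize, roff, _, _, _, _, chars = struct.unpack_from(
            "<8sIIIIIIHHI", blob, table + 40 * i)
        raw = blob[base + roff:base + roff + rsize]
        sections.append({"name": name.rstrip(b"\0").decode(), "flags": decode_flags(chars),
                         "vaddr": vaddr, "vsize": vsize, "roff": roff, "rsize": rsize,
                         "entropy": round(entropy(raw), 4)})
    return sections

def image_end(blob, base=0):
    """File offset where the last section's raw data ends; anything after it is overlay (EOF data)."""
    return base + max(s["roff"] + s["rsize"] for s in parse_sections(blob, base))

def carve_pe(blob):
    """(start, end) of every embedded PE whose MZ -> PE -> Machine -> section chain validates."""
    found, pos = [], blob.find(b"MZ")
    while pos != -1:
        try:
            e_lfanew = struct.unpack_from("<I", blob, pos + 0x3C)[0]
            machine, nsections = struct.unpack_from("<HH", blob, pos + e_lfanew + 4)
            if (0x40 <= e_lfanew < 0x4000 and blob[pos + e_lfanew:pos + e_lfanew + 4] == b"PE\0\0"
                    and machine in (0x14C, 0x8664) and 0 < nsections <= 96):
                found.append((pos, image_end(blob, pos)))
        except (struct.error, ValueError):
            pass  # chain ran off the end or mis-parsed: a stray "MZ", not a header
        pos = blob.find(b"MZ", pos + 1)
    return found

def build_pe(sections, image_base):
    """Constructed minimal PE32 (not a real binary): DOS header at 0, PE header at 0x40, a 0x200-byte
    header slot, then one file-aligned, 0x1000-RVA-aligned slot per (name, characteristics, payload)."""
    dos = bytearray(b"MZ").ljust(0x40, b"\0")
    struct.pack_into("<I", dos, 0x3C, 0x40)  # e_lfanew
    coff = struct.pack("<HHIIIHH", 0x14C, len(sections), 0, 0, 0, OPT_SIZE, 0x210E)
    opt = bytearray(OPT_SIZE)
    struct.pack_into("<H", opt, 0, 0x10B)        # PE32 magic
    struct.pack_into("<I", opt, 28, image_base)  # ImageBase
    table, body, roff, rva = b"", b"", HDR_SIZE, SECT_ALIGN
    for name, chars, payload in sections:
        rsize = -(-len(payload) // FILE_ALIGN) * FILE_ALIGN
        table += struct.pack("<8sIIIIIIHHI", name.encode().ljust(8, b"\0"), len(payload),
                             rva, rsize, roff, 0, 0, 0, 0, chars)
        body += payload.ljust(rsize, b"\0")
        roff, rva = roff + rsize, rva + -(-rsize // SECT_ALIGN) * SECT_ALIGN
    headers = bytes(dos) + b"PE\0\0" + coff + bytes(opt) + table
    assert len(headers) <= HDR_SIZE, "section table overflows the header slot"
    return headers.ljust(HDR_SIZE, b"\0") + body

# Constructed sample mirroring the report: the same five sections, a second PE 0x60 bytes into
# .rsrc (the report's resource data sits at RVA 4060 in a section at 4000) and a 3-byte overlay.
ENTRY_CODE = bytes.fromhex("558BEC538B5D08568B750C578B7D1085F67509833D4031001000EB2683FE01"
                           "740583FE027522A15031001085C07409575653")  # EP bytes from the report
INNER = build_pe([(".text", 0x60000020, b"\xC3" * 16), (".data", 0xC0000040, b"\0" * 8)], 0x400000)
SAMPLE = build_pe([(".text", 0x60000020, ENTRY_CODE),
                   (".rdata", 0x40000040, b"launcher.dll\0PlayGame\0"),
                   (".data", 0xC0000040, b"\0" * 0x154),
                   (".rsrc", 0x40000040, b"\0" * 0x60 + INNER),
                   (".reloc", 0x42000040, b"\0" * 8)], 0x10000000) + b"\0\0\0"

def analyse(blob):
    return {"sections": parse_sections(blob), "embedded": carve_pe(blob),
            "overlay": len(blob) - image_end(blob)}

if __name__ == "__main__":
    result = analyse(SAMPLE)
    for s in result["sections"]:
        print(f'{s["name"]:<7} {", ".join(s["flags"]):<42} roff={s["roff"]:#07x} entropy={s["entropy"]}')
    print("embedded PEs:", [(hex(a), hex(b)) for a, b in result["embedded"]], "overlay bytes:", result["overlay"])
```

Two design points carry over to real samples. The carver validates the whole chain (e_lfanew in range, `PE\0\0`, a known Machine, a sane section count) rather than trusting `MZ` alone, because the two-byte marker appears by chance in large high-entropy blobs; and the overlay is measured from the section table, not from SizeOfImage, since the latter describes the in-memory layout and is what a packer would pad.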
Strings/Hex Code Found With The File Rules
Rule Type Encoding Matched (Word)
Text Ascii Registry (RegSetValueEx)
Text Ascii File (GetTempPath)
Text Ascii File (CopyFile)
Text Ascii File (CreateFile)
Text Ascii File (WriteFile)
Text Ascii File (ReadFile)
Text Ascii Service (OpenSCManager)
Text Ascii Service (CreateService)
Text Ascii Service (StartServiceCtrlDispatcher)
Text Ascii Encryption (Microsoft Base Cryptographic Provider v1.0)
Text Ascii Encryption (Microsoft Enhanced RSA and AES Cryptographic Provider)
Text Ascii Encryption API (CryptAcquireContext)
Text Ascii Encryption API (CryptGenKey)
Text Ascii Encryption API (CryptDecrypt)
Text Ascii Encryption API (CryptReleaseContext)
Text Ascii Anti-Analysis VM (IsDebuggerPresent)
Text Ascii Anti-Analysis VM (GetVersion)
Text Ascii Stealth (CloseHandle)
Text Ascii Stealth (IsBadReadPtr)
Text Ascii Stealth (VirtualAlloc)
Text Ascii Stealth (VirtualProtect)
Text Ascii Execution (CreateProcessA)
Text Ascii Malware that monitors and collects user data (Spy)
Entry Point Hex Pattern Armadillov1xxv2xx
Entry Point Hex Pattern Microsoft Visual C++ 6.0 DLL
Entry Point Hex Pattern Microsoft Visual C++ 6.0
Entry Point Hex Pattern Microsoft Visual C++ 8
Entry Point Hex Pattern Microsoft Visual C++ 8.0
Entry Point Hex Pattern Microsoft Visual C++ v6.0 DLL
Resources
Path: \W\101\1033   DataRVA: 4060   Size: 500000   FileOffset: 4060
Code/Text: 00D038004D5A90000300000004000000FFFF0000B80000000000000040000000000000000000000000000000000000000000 | ..8.MZ......................@.....................
PE/Payload: Executable found (the MZ header starts 4 bytes into the resource data, at file offset 4064)
Intelligent String
• msvcrtd.dll
• msvcrt.dll
• KERNEL32.dll
• WINDOWSmssecsvc.exe
• WS2_32.dll
• ADVAPI32.dll
• mscoree.dll
• USER32.DLL
• msvcrt.dll
• /iC:\%s\qeriuwjhrf
• WINDOWStasksche.exe
• kernel32.dll
• http://www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com
• advapi32.dll
• .der
• .pfx
• .key
• .crt
• .csr
• .pem
• .odt
• .ott
• .sxw
• .stw
• .uot
• .max
• .ods
• .ots
• .sxc
• .stc
• .dif
• .slk
• .odp
• .otp
• .sxd
• .std
• .uop
• .odg
• .otg
• .sxm
• .mml
• .lay
• .asc
• .sql
• .mdb
• .dbf
• .odb
• .frm
• .myd
• .myi
• .ibd
• .mdf
• .ldf
• .sln
• .suo
• .cpp
• .pas
• .asm
• .cmd
• .bat
• .ps1
• .vbs
• .dip
• .dch
• .sch
• .brd
• .jsp
• .php
• .asp
• .jar
• .wav
• .swf
• .fla
• .wmv
• .mpg
• .vob
• .asf
• .avi
• .mov
• .mkv
• .flv
• .wma
• .mid
• .svg
• .psd
• .nef
• .tif
• .cgm
• .raw
• .gif
• .png
• .bmp
• .jpg
• .vcd
• .iso
• .zip
• .rar
• .tgz
• .tar
• .bak
• .tbk
• .PAQ
• .ARC
• .aes
• .gpg
• .vmx
• .vdi
• .sti
• .sxi
• .hwp
• .snt
• .dwg
• .pdf
• .wks
• .rtf
• .csv
• .txt
• .vsd
• .edb
• .eml
• .msg
• .ost
• .pst
• .pps
• .pot
• .ppt
• .xlc
• .xlm
• .xlt
• .xlw
• .xls
• .dot
• .doc
• CreateFileWkernel32.dll
• cmd.exe /c "%s"XIA115p7UMMngoj1pMvkpHijcRdfJNXj6LrLn
• Global\MsWinZonesCacheCounterMutexAtasksche.exe
• icacls . /grant Everyone:F /T /C /Qattrib +h .WNcry@2ol7

Flow Anomalies
(Rows attributed to .rsrc are disassembled from inside the executable embedded in that section, see Resources and PE Carving; their 0x40Axxx / 0x431xxx targets belong to that inner image, not to launcher.dll's 0x10000000 image base.)
Offset RVA Section Description
1026 10002018 .text CALL [static] | Indirect call to absolute memory address
1039 10002014 .text CALL [static] | Indirect call to absolute memory address
1044 10002010 .text CALL [static] | Indirect call to absolute memory address
1057 1000200C .text CALL [static] | Indirect call to absolute memory address
107C 10002008 .text CALL [static] | Indirect call to absolute memory address
1096 10002004 .text CALL [static] | Indirect call to absolute memory address
109D 10002000 .text CALL [static] | Indirect call to absolute memory address
10F3 1000201C .text CALL [static] | Indirect call to absolute memory address
1128 10002034 .text CALL [static] | Indirect call to absolute memory address
116C 1000202C .text CALL [static] | Indirect call to absolute memory address
11D4 10002024 .text CALL [static] | Indirect call to absolute memory address
1286 10002028 .text JMP [static] | Indirect jump to absolute memory address
5162 40A0B8 .rsrc CALL [static] | Indirect call to absolute memory address
5185 40A0B4 .rsrc CALL [static] | Indirect call to absolute memory address
5625 40A0C4 .rsrc CALL [static] | Indirect call to absolute memory address
564E 40A0C4 .rsrc CALL [static] | Indirect call to absolute memory address
56AE 40A0A4 .rsrc CALL [static] | Indirect call to absolute memory address
5722 40A0A4 .rsrc CALL [static] | Indirect call to absolute memory address
5747 40A094 .rsrc CALL [static] | Indirect call to absolute memory address
5763 40A0A4 .rsrc CALL [static] | Indirect call to absolute memory address
57AE 40A098 .rsrc CALL [static] | Indirect call to absolute memory address
57CA 40A0A4 .rsrc CALL [static] | Indirect call to absolute memory address
584A 40A10C .rsrc CALL [static] | Indirect call to absolute memory address
B04F 40A08C .rsrc CALL [static] | Indirect call to absolute memory address
B2F0 40A090 .rsrc CALL [static] | Indirect call to absolute memory address
B5D6 40A114 .rsrc CALL [static] | Indirect call to absolute memory address
B66F 40A110 .rsrc CALL [static] | Indirect call to absolute memory address
B6B9 40A088 .rsrc CALL [static] | Indirect call to absolute memory address
B6CE 40A118 .rsrc CALL [static] | Indirect call to absolute memory address
B6DB 40A080 .rsrc CALL [static] | Indirect call to absolute memory address
B6EF 40A020 .rsrc CALL [static] | Indirect call to absolute memory address
B6FA 40A084 .rsrc CALL [static] | Indirect call to absolute memory address
B734 40A11C .rsrc CALL [static] | Indirect call to absolute memory address
B749 40A030 .rsrc CALL [static] | Indirect call to absolute memory address
B759 40A054 .rsrc CALL [static] | Indirect call to absolute memory address
B760 40A078 .rsrc CALL [static] | Indirect call to absolute memory address
B76B 40A07C .rsrc CALL [static] | Indirect call to absolute memory address
B773 40A110 .rsrc CALL [static] | Indirect call to absolute memory address
B848 40A034 .rsrc CALL [static] | Indirect call to absolute memory address
B84F 40A078 .rsrc CALL [static] | Indirect call to absolute memory address
B85F 40A110 .rsrc CALL [static] | Indirect call to absolute memory address
B8CA 40A128 .rsrc CALL [static] | Indirect call to absolute memory address
B8D3 40A03C .rsrc CALL [static] | Indirect call to absolute memory address
B8DB 40A038 .rsrc CALL [static] | Indirect call to absolute memory address
B8EE 40A124 .rsrc CALL [static] | Indirect call to absolute memory address
B99C 40A10C .rsrc CALL [static] | Indirect call to absolute memory address
B9E7 40A10C .rsrc CALL [static] | Indirect call to absolute memory address
BA17 40A11C .rsrc CALL [static] | Indirect call to absolute memory address
BA2C 40A030 .rsrc CALL [static] | Indirect call to absolute memory address
BA3C 40A054 .rsrc CALL [static] | Indirect call to absolute memory address
BA43 40A078 .rsrc CALL [static] | Indirect call to absolute memory address
BA4B 40A0A4 .rsrc CALL [static] | Indirect call to absolute memory address
BA6A 40A0A4 .rsrc CALL [static] | Indirect call to absolute memory address
BAD9 40A090 .rsrc CALL [static] | Indirect call to absolute memory address
BB47 40A048 .rsrc CALL [static] | Indirect call to absolute memory address
BB78 40A044 .rsrc CALL [static] | Indirect call to absolute memory address
BB93 40A040 .rsrc CALL [static] | Indirect call to absolute memory address
BBA0 40A078 .rsrc CALL [static] | Indirect call to absolute memory address
BBDC 40A078 .rsrc CALL [static] | Indirect call to absolute memory address
BCBA 40A10C .rsrc CALL [static] | Indirect call to absolute memory address
BCCC 40A010 .rsrc CALL [static] | Indirect call to absolute memory address
BCFF 40A014 .rsrc CALL [static] | Indirect call to absolute memory address
BD16 40A01C .rsrc CALL [static] | Indirect call to absolute memory address
BD53 40A064 .rsrc CALL [static] | Indirect call to absolute memory address
BDD8 40A05C .rsrc CALL [static] | Indirect call to absolute memory address
BDEA 40A058 .rsrc CALL [static] | Indirect call to absolute memory address
BDF9 40A0A0 .rsrc CALL [static] | Indirect call to absolute memory address
BE0D 40A050 .rsrc CALL [static] | Indirect call to absolute memory address
BE90 40A04C .rsrc CALL [static] | Indirect call to absolute memory address
BEA7 431458 .rsrc CALL [static] | Indirect call to absolute memory address
BEC5 431460 .rsrc CALL [static] | Indirect call to absolute memory address
BECC 43144C .rsrc CALL [static] | Indirect call to absolute memory address
BF4C 431478 .rsrc CALL [static] | Indirect call to absolute memory address
BF5B 43144C .rsrc CALL [static] | Indirect call to absolute memory address
BF66 43144C .rsrc CALL [static] | Indirect call to absolute memory address
BFE4 40A00C .rsrc CALL [static] | Indirect call to absolute memory address
C058 40A008 .rsrc CALL [static] | Indirect call to absolute memory address
C0A7 40A004 .rsrc CALL [static] | Indirect call to absolute memory address
C0D2 40A00C .rsrc CALL [static] | Indirect call to absolute memory address
C0E2 40A0A4 .rsrc CALL [static] | Indirect call to absolute memory address
C0EA 40A068 .rsrc CALL [static] | Indirect call to absolute memory address
C103 40A06C .rsrc CALL [static] | Indirect call to absolute memory address
C109 40A12C .rsrc CALL [static] | Indirect call to absolute memory address
C127 40A010 .rsrc CALL [static] | Indirect call to absolute memory address
C140 40A028 .rsrc CALL [static] | Indirect call to absolute memory address
C18A 40A000 .rsrc CALL [static] | Indirect call to absolute memory address
C1DF 40A134 .rsrc CALL [static] | Indirect call to absolute memory address
C1F8 40A138 .rsrc CALL [static] | Indirect call to absolute memory address
C29C 40A0B8 .rsrc CALL [static] | Indirect call to absolute memory address
C2CE 40A0B4 .rsrc CALL [static] | Indirect call to absolute memory address
C687 40A0B8 .rsrc CALL [static] | Indirect call to absolute memory address
CA05 40A0B4 .rsrc CALL [static] | Indirect call to absolute memory address
D1EC 40A074 .rsrc CALL [static] | Indirect call to absolute memory address
D20C 40A070 .rsrc CALL [static] | Indirect call to absolute memory address
D328 40A074 .rsrc CALL [static] | Indirect call to absolute memory address
D3C3 40A070 .rsrc CALL [static] | Indirect call to absolute memory address
D4BB 40A070 .rsrc CALL [static] | Indirect call to absolute memory address
D814 40A144 .rsrc JMP [static] | Indirect jump to absolute memory address
D81A 40A148 .rsrc JMP [static] | Indirect jump to absolute memory address
D820 40A14C .rsrc JMP [static] | Indirect jump to absolute memory address
506000 N/A *Overlay* 000000 | ...
Extra Analysis
Metric          Value     Percentage
Ascii Code      2465828   46.8125%
Null Byte Code  1728003   32.8052%
NOP Cave Found  0x9090909090, block count 68; total 0.0032%
© 2026 All rights reserved.