PESCAN.IO - Analysis Report

File Structure: (analysis image not reproduced in this text export)
Information:
Size: 395.50 KB
SHA-256 Hash: C1BEC281621AE508E2BA724AE053D850906B07176956853DCF76DDF2B5EEB743
SHA-1 Hash: B4A44D15A45093EC804535D2E712C6669E2D680A
MD5 Hash: DE06C64594B1B10EF8A138926118D307
Imphash: 00219850BF4AB7FFBF75DD73110E50F5
MajorOSVersion: 4
CheckSum: 0006AC7A
EntryPoint (rva): 36680
SizeOfHeaders: 400
SizeOfImage: 68000
ImageBase: 0000000010000000
Architecture: x64
ExportTable: 5EA20
ImportTable: 5E064
Characteristics: 2022 (EXECUTABLE_IMAGE | LARGE_ADDRESS_AWARE | DLL)
TimeDateStamp: 453C0B52
Date: 2006-10-23 00:22:42 UTC
File Type: DLL
Number Of Sections: 6
ASLR: Disabled (DYNAMICBASE not set; the .reloc section lets the loader rebase the image on a base-address collision, but the DLL does not opt in to randomisation)
Section Names (Section Headers): .text, .rdata, .data, .pdata, .rsrc, .reloc
Number Of Executable Sections: 1
Subsystem: Windows GUI

Sections Info (all values hexadecimal):
Section  Flags     Decoded                                ROffset  RSize  VOffset  VSize
.text    60000020  CODE | EXECUTE | READ                  400      43000  1000     42FCA
.rdata   40000040  INITIALIZED_DATA | READ                43400    1B000  44000    1AE3B
.data    C0000040  INITIALIZED_DATA | READ | WRITE        5E400    1800   5F000    37A8
.pdata   40000040  INITIALIZED_DATA | READ                5FC00    2600   63000    24B4
.rsrc    40000040  INITIALIZED_DATA | READ                62200    400    66000    3D8
.reloc   42000040  INITIALIZED_DATA | DISCARDABLE | READ  62600    800    67000    6F4
.data is the only writable section and .text the only executable one; no section is both. The raw file ends at 62600 + 800 = 62E00 (404,992 bytes), which matches the size above.

Description:
InternalName: EACLIB
OriginalFilename: EACDLL.dll
LegalCopyright: Copyright (C) 2006 by Andre Wiethoff
ProductName: EAC Dynamic Link Library
FileVersion: 2, 0, 2, 0

Entry Point:
The entry point lies in section 1 (.text).
EntryPoint (calculated file offset) -> 35A80, i.e. RVA 36680 - .text VOffset 1000 + .text ROffset 400.
The disassembler below numbers addresses from a 0x1000 base rather than the real RVA, so JNE 0X1025 is RVA 366A5 and CALL 0X5480 is RVA 3AB00. The sequence (CMP EDX, 1 tests fdwReason against DLL_PROCESS_ATTACH, the JNE skips the CALL in every other case, then the three arguments are restored into RCX/EDX/R8) is the stock Visual C++ 8 _DllMainCRTStartup, which calls __security_init_cookie on process attach before handing off to the CRT's DLL-main dispatcher; it agrees with the compiler identification further down.
Code -> 4883EC2883FA0148895C2438488974244048897C24488BDA488BF1498BF87505E85B4400004C8BC78BD3488BCE488B7C2448
SUB RSP, 0X28
CMP EDX, 1
MOV QWORD PTR [RSP + 0X38], RBX
MOV QWORD PTR [RSP + 0X40], RSI
MOV QWORD PTR [RSP + 0X48], RDI
MOV EBX, EDX
MOV RSI, RCX
MOV RDI, R8
JNE 0X1025
CALL 0X5480
MOV R8, RDI
MOV EDX, EBX
MOV RCX, RSI
MOV RDI, QWORD PTR [RSP + 0X48]
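The header figures above (entry-point file offset, the sections holding the export and import tables, Characteristics, SizeOfImage, file size and the timestamp) can all be re-derived from the section table the report prints. The script below does that; it is an added example, not part of the PESCAN report or of the EAC project, and it assumes a SectionAlignment of 0x1000, which the report does not print but every VOffset above is a multiple of.

```python
# Added example, not part of the PESCAN report or of EAC: re-derive the header
# figures above from the section table the report prints, so each number can be
# checked rather than taken on trust.
from datetime import datetime, timezone

# Section table exactly as printed (all values hex): name, flags, raw offset,
# raw size, virtual address (RVA), virtual size.
SECTIONS = [
    (".text",  0x60000020, 0x00400, 0x43000, 0x01000, 0x42FCA),
    (".rdata", 0x40000040, 0x43400, 0x1B000, 0x44000, 0x1AE3B),
    (".data",  0xC0000040, 0x5E400, 0x01800, 0x5F000, 0x037A8),
    (".pdata", 0x40000040, 0x5FC00, 0x02600, 0x63000, 0x024B4),
    (".rsrc",  0x40000040, 0x62200, 0x00400, 0x66000, 0x003D8),
    (".reloc", 0x42000040, 0x62600, 0x00800, 0x67000, 0x006F4),
]
# Assumption: the report does not print SectionAlignment; 0x1000 is the usual
# value and every VOffset above is a multiple of it.
SECTION_ALIGNMENT = 0x1000

SCN_FLAGS = {  # IMAGE_SCN_* bits that occur in this file
    0x00000020: "CNT_CODE",
    0x00000040: "CNT_INITIALIZED_DATA",
    0x02000000: "MEM_DISCARDABLE",
    0x20000000: "MEM_EXECUTE",
    0x40000000: "MEM_READ",
    0x80000000: "MEM_WRITE",
}
FILE_CHARACTERISTICS = {  # IMAGE_FILE_* bits that occur in this file
    0x0002: "EXECUTABLE_IMAGE",
    0x0020: "LARGE_ADDRESS_AWARE",
    0x2000: "DLL",
}


def section_for_rva(rva):
    """Return the section whose virtual range covers rva, or None."""
    for sec in SECTIONS:
        _, _, _, raw_size, va, vsize = sec
        if va <= rva < va + max(vsize, raw_size):
            return sec
    return None


def rva_to_file_offset(rva):
    """Map an RVA to a raw file offset through the section table."""
    sec = section_for_rva(rva)
    if sec is None:
        raise ValueError(f"RVA {rva:#x} is outside every section")
    _, _, raw_off, raw_size, va, _ = sec
    delta = rva - va
    if delta >= raw_size:
        raise ValueError(f"RVA {rva:#x} has no backing bytes in the file")
    return raw_off + delta


def decode_flags(value, table):
    """Names of the set bits, lowest bit first."""
    return [name for bit, name in sorted(table.items()) if value & bit]


def expected_size_of_image():
    """End of the last section rounded up to SectionAlignment."""
    _, _, _, _, va, vsize = SECTIONS[-1]
    return (va + vsize + SECTION_ALIGNMENT - 1) & ~(SECTION_ALIGNMENT - 1)


def raw_file_size():
    """Largest raw offset + raw size: the file size if nothing follows the last section."""
    return max(raw_off + raw_size for _, _, raw_off, raw_size, _, _ in SECTIONS)


def pe_timestamp(stamp):
    """TimeDateStamp is seconds since the Unix epoch, always UTC."""
    return datetime.fromtimestamp(stamp, tz=timezone.utc)


def wx_sections():
    """Sections that are both writable and executable (none expected here)."""
    return [name for name, flags, *_ in SECTIONS
            if flags & 0x80000000 and flags & 0x20000000]


if __name__ == "__main__":
    ep = 0x36680
    print(f"entry RVA {ep:#x} -> file offset {rva_to_file_offset(ep):#x} ({section_for_rva(ep)[0]})")
    for label, rva in (("ExportTable", 0x5EA20), ("ImportTable", 0x5E064)):
        print(f"{label} RVA {rva:#x} is in {section_for_rva(rva)[0]}")
    print("Characteristics 0x2022:", decode_flags(0x2022, FILE_CHARACTERISTICS))
    for name, flags, *_ in SECTIONS:
        print(f"{name:7} {flags:08X} {decode_flags(flags, SCN_FLAGS)}")
    print(f"SizeOfImage should be {expected_size_of_image():#x}")
    print(f"raw size {raw_file_size()} bytes = {raw_file_size() / 1024:.2f} KB")
    print("TimeDateStamp 0x453C0B52 =", pe_timestamp(0x453C0B52).isoformat())
    print("W+X sections:", wx_sections())
```

Every value the script computes agrees with the report: the entry point maps to 35A80, both data directories sit in .rdata, SizeOfImage rounds to 68000, the raw size is 395.50 KB and the timestamp decodes to 2006-10-23 00:22:42 UTC. A mismatch in any of these (an entry point outside .text, a SizeOfImage larger than the sections explain, raw bytes past the last section) is what would justify a closer look.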

Signatures:
Rich Signature Analyzer:
Code -> A9DD0655EDBC6806EDBC6806EDBC6806CA7A1506E5BC6806CA7A0606C5BC6806CA7A0506B4BC6806EDBC690696BC68069B211306E8BC6806CA7A1A06FEBC6806CA7A1206ECBC6806CA7A1406ECBC6806CA7A1006ECBC680652696368EDBC6806
Footprint md5 Hash -> 1B5F514BB5A48F88075C1E1A1DB40881
• The Rich header apparently has not been modified
Certificate - Digital Signature Not Found:
• The file is not signed
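The Rich header bytes printed above are enough to recover the XOR key and the per-tool entries without any external tool. The decoder below is an added example, not part of the PESCAN report or of the EAC project. It reports product ids numerically rather than by name (the page carries no id-to-name table), and it checks only the structural invariants (DanS marker, zero padding, Rich marker); the report's "not modified" verdict additionally requires comparing the key with a checksum over the DOS stub, whose bytes are not on this page.

```python
# Added example, not part of the PESCAN report or of EAC: decode the Rich
# header bytes printed under "Rich Signature Analyzer" above.
import struct

RICH_HEX = (  # copied verbatim from the report's "Code ->" line
    "A9DD0655EDBC6806EDBC6806EDBC6806CA7A1506E5BC6806CA7A0606C5BC6806"
    "CA7A0506B4BC6806EDBC690696BC68069B211306E8BC6806CA7A1A06FEBC6806"
    "CA7A1206ECBC6806CA7A1406ECBC6806CA7A1006ECBC680652696368EDBC6806"
)
DANS = 0x536E6144  # "DanS" read as a little-endian dword
RICH = 0x68636952  # "Rich"


def parse_rich(blob):
    """Return (xor_key, [(prod_id, build, count), ...]).

    Layout: DanS^key, key, key, key, (comp_id^key, count^key)*, "Rich", key.
    comp_id carries the build number in its low 16 bits and the product
    (tool) id in its high 16 bits; count is how many objects that tool produced.
    """
    if len(blob) % 4:
        raise ValueError("Rich header must be a whole number of dwords")
    words = struct.unpack("<%dI" % (len(blob) // 4), blob)
    if words[-2] != RICH:
        raise ValueError("'Rich' marker not found")
    key = words[-1]
    if words[0] ^ key != DANS:
        raise ValueError("'DanS' marker does not decode with the trailing key")
    if any(w != key for w in words[1:4]):
        raise ValueError("padding dwords after DanS are not zero")
    body = words[4:-2]
    if len(body) % 2:
        raise ValueError("odd number of entry dwords")
    entries = []
    for comp_id, count in zip(body[::2], body[1::2]):
        comp_id ^= key
        entries.append((comp_id >> 16, comp_id & 0xFFFF, count ^ key))
    return key, entries


def toolset_builds(entries):
    """Distinct build numbers, ignoring the prod_id 1 entry (see below)."""
    return sorted({build for prod, build, _ in entries if prod != 1})


def imported_symbol_count(entries):
    """prod_id 1 with build 0 is the conventional 'number of imports' entry."""
    return sum(cnt for prod, build, cnt in entries if prod == 1 and build == 0)


if __name__ == "__main__":
    key, entries = parse_rich(bytes.fromhex(RICH_HEX))
    print(f"xor key {key:#010x}")
    for prod, build, count in entries:
        print(f"  prod_id {prod:#06x}  build {build:5d}  count {count}")
    print("toolset builds:", toolset_builds(entries))
    print("imported symbols:", imported_symbol_count(entries))
```

For this file the key is 0x0668BCED and there are nine entries. Seven of them carry build 50727, which is the Visual Studio 2005 / Visual C++ 8.0 toolset (14.00.50727), so the Rich header independently confirms the compiler identification in the next section; the prod_id 1 entry says 123 imported symbols, and one entry with build 40310 shows that an object from an older tool was linked in as well.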

Packer/Compiler:
Compiler: Microsoft Visual C++
Compiler: Microsoft Visual C++ 8 DLL
Detect It Easy (die)
PE+(64): compiler: Microsoft Visual C/C++(2005)[-]
PE+(64): linker: Microsoft Linker(8.0 or 11.0)[DLL64]
Entropy: 6.06993 (whole file; below the 7.0 and up typical of packed or encrypted content, consistent with unpacked native code)

Suspicious Functions:
Library       Function            Description
KERNEL32.DLL  GetModuleFileNameA  Retrieves the fully qualified path of the executable file of a specified module.
KERNEL32.DLL  GetModuleHandleA    Retrieves a handle to the specified module.
KERNEL32.DLL  WriteFile           Writes data to a specified file or input/output (I/O) device.
KERNEL32.DLL  LoadLibraryA        Loads the specified module into the address space of the calling process.
KERNEL32.DLL  GetProcAddress      Retrieves the address of an exported function or variable from the specified dynamic-link library (DLL).
KERNEL32.DLL  CreateFileA         Creates or opens a file or I/O device.
KERNEL32.DLL  DeleteFileA         Deletes an existing file.
KERNEL32.DLL  IsDebuggerPresent   Determines whether the calling process is being debugged by a user-mode debugger.
Ws2_32.DLL    connect             Establishes a connection to a specified socket.
Read in context, these are the imports a CD-ripping library needs rather than indicators on their own: CreateFileA/WriteFile/DeleteFileA for the .wav and .raw output named in the strings below, LoadLibraryA/GetProcAddress for the WNASPI32.DLL and ASAPI.DLL drivers it resolves at run time, and connect for the freedb lookup at the URL listed below. IsDebuggerPresent is also imported by the Visual C++ runtime's own error-reporting code, so by itself it is weak evidence of anti-debugging.
Export Table Functions (carving):
Original Name -> EACLIB.dll (the name recorded in the export directory; the version resource gives InternalName EACLIB and OriginalFilename EACDLL.dll, so the fields simply disagree)
EACDLL_CloseTray
EACDLL_DetectDriveFeatures
EACDLL_Extract
EACDLL_GetCDDBInfo
EACDLL_GetCDText
EACDLL_GetDriveBCDSetting
EACDLL_GetDriveFeatures
EACDLL_GetDriveID
EACDLL_GetDriveOptions
EACDLL_GetExtTOC
EACDLL_GetExtTrack
EACDLL_GetGlobalOptions
EACDLL_GetGlobalOptionsEx
EACDLL_GetPos
EACDLL_GetTOC
EACDLL_GetUPCISRC
EACDLL_GetVersion
EACDLL_OpenTray
EACDLL_PauseCDPlay
EACDLL_ResumeCDPlay
EACDLL_RetrieveCDDB
EACDLL_RetrieveCDDBEx
EACDLL_RetrieveCDDBProxy
EACDLL_ScanAudio
EACDLL_SetDriveBCDSetting
EACDLL_SetDriveOptions
EACDLL_SetDriveSpeed
EACDLL_SetGlobalOptions
EACDLL_SetGlobalOptionsEx
EACDLL_SetSecureLevel
EACDLL_StartCDPlay
EACDLL_StopCDPlay
EACDLL_TestUnit
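The Imphash above is an MD5 over a normalised import list, and the normalisation is what makes it stable across builds. The script below reproduces that normalisation the way pefile's get_imphash() does (lower-case everything, strip .dll/.ocx/.sys, resolve ordinals through a per-DLL table, else emit ordN). It is an added example, not part of the PESCAN report or of the EAC project; it is run over the "Suspicious Functions" table, which is only a subset of the real import table, so its digest will not equal 00219850BF4AB7FFBF75DD73110E50F5. The ws2_32 ordinal table is a constructed partial subset, and the ordinal import at the end of the list is constructed to exercise that path.

```python
# Added example, not part of the PESCAN report or of EAC: the import-hash
# normalisation that pefile.get_imphash() applies, run over the subset of
# imports the report lists.
import hashlib

# Constructed from the "Suspicious Functions" table above (a subset of the
# real import table), plus one constructed by-ordinal import of connect.
IMPORTS = [
    ("KERNEL32.DLL", "GetModuleFileNameA"),
    ("KERNEL32.DLL", "GetModuleHandleA"),
    ("KERNEL32.DLL", "WriteFile"),
    ("KERNEL32.DLL", "LoadLibraryA"),
    ("KERNEL32.DLL", "GetProcAddress"),
    ("KERNEL32.DLL", "CreateFileA"),
    ("KERNEL32.DLL", "DeleteFileA"),
    ("KERNEL32.DLL", "IsDebuggerPresent"),
    ("Ws2_32.DLL", "connect"),
    ("Ws2_32.DLL", 4),  # constructed: connect imported by ordinal
]

# Partial table of the well-known ws2_32 export ordinals (assumed subset).
WS2_32_ORDINALS = {
    3: "closesocket", 4: "connect", 16: "recv", 19: "send", 23: "socket",
    52: "gethostbyname", 115: "WSAStartup", 116: "WSACleanup",
}
ORDINAL_TABLES = {"ws2_32": WS2_32_ORDINALS}
STRIP_EXTENSIONS = (".dll", ".ocx", ".sys")


def normalise_imports(imports):
    """Lower-case, strip known extensions, resolve known ordinals, keep order."""
    out = []
    for dll, func in imports:
        lib = dll.lower()
        for ext in STRIP_EXTENSIONS:
            if lib.endswith(ext):
                lib = lib[: -len(ext)]
                break
        if isinstance(func, int):
            # Ordinal import: resolve through the per-DLL table or fall back to ordN
            func = ORDINAL_TABLES.get(lib, {}).get(func, f"ord{func}")
        out.append(f"{lib}.{func.lower()}")
    return out


def imphash(imports):
    """MD5 of the comma-joined normalised entries, as a lower-case hex digest."""
    joined = ",".join(normalise_imports(imports))
    return hashlib.md5(joined.encode()).hexdigest()


if __name__ == "__main__":
    for entry in normalise_imports(IMPORTS):
        print(entry)
    print("imphash over this subset:", imphash(IMPORTS))
```

Because names are lower-cased and ordinals are resolved, two builds that import the same functions in the same order hash identically even if one imports `connect` by name and the other by ordinal; conversely, the hash depends on import order, so the same functions linked in a different order give a different digest.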

File Access:
EACLIB.dll
KERNEL32.dll
WS2_32.dll
ASAPI.DLL
WNASPI32.DLL
t initialise WINSOCK.DLL
Wrong WINSOCK.DLL
USER32.DLL
mscoree.dll
Temp

File Access (UNICODE):
EACDLL.dll

Words of Interest:
PADDINGX (fragment of the PADDINGXX fill pattern the Microsoft linker writes into section slack; not an indicator)
exec
start
pause

URLs:
http://freedb.freedb.org:80/~cddb/cddb.cgi
Plain HTTP to the freedb CDDB gateway: the disc-ID query and the returned track metadata are neither encrypted nor authenticated, so anything on the network path can read or replace them.

Payloads:
Unusual BP Cave > 15 Bytes - (0xCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCC...)
Runs of 0xCC are int3 alignment padding that the Microsoft linker places between functions in .text; they are ordinary slack found in any MSVC-built image, not a payload.
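The "Entropy" figure in the Packer/Compiler section and the 0xCC run flagged here are both simple byte-level checks. The script below implements them (Shannon entropy with the usual packed/unpacked threshold, and a scanner for int3 runs) and runs them on a constructed buffer made from the entry-point bytes printed earlier with a 16-byte int3 gap spliced in. It is an added example, not part of the PESCAN report or of the EAC project, and the 7.0 threshold is a rule of thumb, not a value the report states.

```python
# Added example, not part of the PESCAN report or of EAC: the two byte-level
# checks behind the "Entropy" and "Unusual BP Cave" lines, run on a constructed
# buffer rather than the real file.
import math
import os
from collections import Counter


def shannon_entropy(data):
    """Bits per byte: 0.0 for a constant buffer, 8.0 for uniformly random bytes."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def classify(data, packed_threshold=7.0):
    """Rough triage: packed or encrypted content clusters near the top of the scale."""
    e = shannon_entropy(data)
    return ("likely packed/encrypted" if e >= packed_threshold else "plain code/data"), e


def find_int3_runs(data, min_len=16):
    """(offset, length) of every run of 0xCC at least min_len bytes long."""
    runs, i, n = [], 0, len(data)
    while i < n:
        if data[i] != 0xCC:
            i += 1
            continue
        j = i
        while j < n and data[j] == 0xCC:
            j += 1
        if j - i >= min_len:
            runs.append((i, j - i))
        i = j
    return runs


# Constructed sample: the entry-point bytes from the report, a 16-byte int3 gap
# of the kind the MSVC linker puts between functions, then more code bytes.
SAMPLE = (bytes.fromhex("4883EC2883FA0148895C2438")
          + b"\xCC" * 16
          + bytes.fromhex("4C8BC78BD3488BCE"))

if __name__ == "__main__":
    print("sample:", classify(SAMPLE), find_int3_runs(SAMPLE))
    print("random:", classify(os.urandom(4096)))
    print("zeros: ", classify(bytes(4096)))
```

On a real image, run `shannon_entropy` per section rather than over the whole file: a .text at 7.5 or more with a tiny import table is the packer signal, whereas this file's 6.07 over the whole image, with a full import table and recognisable CRT code at the entry point, is what unpacked native code looks like. Runs of 0xCC reported by `find_int3_runs` should line up with function boundaries, as they do in MSVC output.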

Strings/Hex Code Found With The File Rules:
Rule Text (Ascii): WinAPI Sockets (connect)
Rule Text (Ascii): File (CreateFile)
Rule Text (Ascii): File (WriteFile)
Rule Text (Ascii): File (ReadFile)
Rule Text (Ascii): Anti-Analysis VM (IsDebuggerPresent)
Rule Text (Ascii): Anti-Analysis VM (GetVersion) - string match; note the export list above contains EACDLL_GetVersion
Rule Text (Ascii): Related to a particular nation or its government (National) - keyword match with no supporting context
EP Rules: Microsoft Visual C++ 8.0 (DLL)
EP Rules: Windows or OS/2 Graphics format - signature-database false positive for a PE32+ DLL
EP Rules: XE Executable Image (using DOSExtender) - signature-database false positive for a PE32+ DLL

Resources:
Path             DataRVA  Size  FileOffset  CodeText
\VERSION\1\1031  660A0    2E0   622A0       E00234000000560053005F00560045005200530049004F004E005F0049004E0046004F0000000000BD04EFFE000001000000 ..4...V.S._.V.E.R.S.I.O.N._.I.N.F.O...............
\24\2\1033       66380    56    62580       3C617373656D626C7920786D6C6E733D2275726E3A736368656D61732D6D6963726F736F66742D636F6D3A61736D2E763122 <assembly xmlns="urn:schemas-microsoft-com:asm.v1"
Type 24 is RT_MANIFEST; 1031 and 1033 are the German and US-English language IDs. Both FileOffset values agree with the .rsrc section (VOffset 66000, ROffset 62200).
Intelligent Strings:
• KERNEL32.DLL
• mscoree.dll
• kernel32.dll
• USER32.DLL
• Logical unit not ready, initializing cmd required
• ExactAudioCopy v0.90b3
• http://freedb.freedb.org:80/~cddb/cddb.cgi
• HTTP://Closing Connecting...
• .raw
• .WAV
• freedb.freedb.org
• WNASPI32.DLL
• ASAPI.DLL
• WS2_32.dll
• KERNEL32.dll
• EACDLL.dll
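The 50 bytes printed for the \VERSION\1\1031 resource above are the start of a VS_VERSIONINFO block, and its first field is the block's own length, which can be checked against the Size column of the resource table. The parser below does that; it is an added example, not part of the PESCAN report or of the EAC project, and it covers only the header and the start of VS_FIXEDFILEINFO because that is all the page prints (the file-version dwords that would confirm "2, 0, 2, 0" are beyond the printed bytes).

```python
# Added example, not part of the PESCAN report or of EAC: parse the first bytes
# of the \VERSION\1\1031 resource as printed above and check them against the
# resource table's Size column.
import struct

# The 50 bytes the report prints for the VERSION resource (constructed copy)
VERSION_PREFIX = bytes.fromhex(
    "E00234000000560053005F00560045005200530049004F004E005F0049004E00"
    "46004F0000000000BD04EFFE000001000000"
)
VS_FFI_SIGNATURE = 0xFEEF04BD  # VS_FIXEDFILEINFO.dwSignature


def _utf16z(blob, start):
    """Read a NUL-terminated UTF-16LE string; return (text, offset after the NUL)."""
    i = start
    while blob[i:i + 2] != b"\x00\x00":
        i += 2
        if i >= len(blob):
            raise ValueError("unterminated UTF-16 string")
    return blob[start:i].decode("utf-16-le"), i + 2


def parse_versioninfo_prefix(blob):
    """Decode the VS_VERSIONINFO header and the start of its VS_FIXEDFILEINFO value."""
    w_length, w_value_length, w_type = struct.unpack_from("<HHH", blob, 0)
    key, pos = _utf16z(blob, 6)
    pos = (pos + 3) & ~3  # the Value member is DWORD-aligned
    signature, struc_version = struct.unpack_from("<II", blob, pos)
    return {
        "wLength": w_length,             # total size of the VS_VERSIONINFO block
        "wValueLength": w_value_length,  # 52 when a VS_FIXEDFILEINFO is present
        "wType": w_type,                 # 0 = binary, 1 = text
        "szKey": key,
        "signature": signature,
        "strucVersion": (struc_version >> 16, struc_version & 0xFFFF),
        "fixed_file_info_offset": pos,
    }


def check_version_resource(blob, resource_size):
    """Structural checks a triage script would apply before trusting the block."""
    info = parse_versioninfo_prefix(blob)
    problems = []
    if info["szKey"] != "VS_VERSION_INFO":
        problems.append("bad szKey")
    if info["wLength"] != resource_size:
        problems.append("wLength disagrees with resource size")
    if info["wValueLength"] not in (0, 52):
        problems.append("odd wValueLength")
    if info["wValueLength"] == 52 and info["signature"] != VS_FFI_SIGNATURE:
        problems.append("missing VS_FIXEDFILEINFO signature")
    return problems


if __name__ == "__main__":
    print(parse_versioninfo_prefix(VERSION_PREFIX))
    print("problems:", check_version_resource(VERSION_PREFIX, 0x2E0) or "none")
```

For this resource wLength is 0x2E0, identical to the Size column, wValueLength is 52 (one VS_FIXEDFILEINFO), the key is VS_VERSION_INFO and the 0xFEEF04BD signature is at offset 40, so the version block is well formed as far as the printed bytes go. A wLength that overruns the resource, or a key other than VS_VERSION_INFO, is the kind of inconsistency that points at a hand-patched or tool-generated resource.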

Extra Analysis:
Metric          Value   Percentage
Ascii Code      223677  55.23%
Null Byte Code  97706   24.13%
© 2025 All rights reserved.