PESCAN.IO - Analysis Report Valid Code

Information:
Size: 820,00 KB
SHA-256 Hash: C9A5FFF84AEF8B46605C9414B3D20E1F190E902454757C1F89179C5436422109
SHA-1 Hash: 88F8F5DFFD4A0A9E6DD62A0D2F7153E9FE91597E
MD5 Hash: FD6FDDA8BE62A95BE3FE1DD45FB93A1C
Imphash: F34D5F2D4577ED6D9CEEC516C1F5A744
MajorOSVersion: 4
CheckSum: 00000000
EntryPoint (rva): CE3F2
SizeOfHeaders: 200
SizeOfImage: D4000
ImageBase: 400000
Architecture: x86
ImportTable: CE39E
Characteristics: 102
TimeDateStamp: A6951DC8
Date: 25/07/2058 2:39:04
File Type: EXE
Number Of Sections: 3
ASLR: Enabled
Section Names: .text, .rsrc, .reloc
Number Of Executable Sections: 1
Subsystem: Windows GUI
UAC Execution Level Manifest: asInvoker

Sections Info:
Section Name  Flags                  ROffset  RSize  VOffset  VSize
.text         60000020 (Executable)  200      CC400  2000     CC3F8
.rsrc         40000040               CC600    800    D0000    628
.reloc        42000040               CCE00    200    D2000    C
Description:
InternalName: XWga.exe
OriginalFilename: XWga.exe
CompanyName: Microsoft Corporation
LegalCopyright: Copyright Microsoft Corporation. All rights reserved.
ProductName: Storage Engine
FileVersion: 1.0.0.0

Entry Point:
Section number (1) - (.text) contains the Entry Point
Information -> EntryPoint (calculated) - CC5F2
Code -> FF25002040000000000000000000000000000000000000000000000002001000000020000080180000005000008000000000
JMP DWORD PTR [0X402000]
ADD BYTE PTR [EAX], AL
ADD BYTE PTR [EAX], AL
ADD BYTE PTR [EAX], AL
ADD BYTE PTR [EAX], AL
ADD BYTE PTR [EAX], AL
ADD BYTE PTR [EAX], AL
ADD BYTE PTR [EAX], AL
ADD BYTE PTR [EAX], AL
ADD BYTE PTR [EAX], AL
ADD BYTE PTR [EAX], AL
ADD BYTE PTR [EAX], AL
ADD AL, BYTE PTR [EAX]
ADC BYTE PTR [EAX], AL
ADD BYTE PTR [EAX], AL
AND BYTE PTR [EAX], AL
ADD BYTE PTR [EAX + 0X18], AL
PUSH EAX
ADD BYTE PTR [EAX], AL
ADD BYTE PTR [EAX], 0
ADD BYTE PTR [EAX], AL

Signatures:
Certificate - Digital Signature Not Found:
• The file is not signed

Packer/Compiler:
Compiler: Microsoft Visual .NET - (You can use a decompiler for this...)
AnyCPU: False
Version: v4.0
Detect It Easy (die)
PE: library: .NET(v4.0.30319)[-]
PE: compiler: VB.NET(-)[-]
PE: linker: Microsoft Linker(48.0)[EXE32]
Entropy: 7.57408

File Access:
XWga.exe
mscoree.dll
Temp

File Access (UNICODE):
XWga.exe
A\CokluSaglikArsivi\Alerjiler.txt
G\CokluSaglikArsivi\MideHastalik.txt
O\CokluSaglikArsivi\VitaminTakviyesi.txt
9\CokluSaglikArsivi\Vucut.txt
C\CokluSaglikArsivi\BebekBakim.txt
9\CokluSaglikArsivi\Diyet.txt
M\CokluSaglikArsivi\KulakBurunBogaz.txt
5\CokluSaglikArsivi\Sac.txt
\CokluSaglikArsivi\Cildiye.txt
\CokluSaglikArsivi\AgizDis.txt

SQL Queries:
Select * from KasakasaDurum'
Select * from HastaHastaIdHastaAdHastaSoyadinsert into Kasa values (@hastaTc,@barkod,@kasaGiris,@KasaDurum, @tarih)@hastaTc@barkod@kasaGiris@KasaDurum@tarih%
Select * from IlacReceteKodStokIlacAdReceteDurumuKategoriNameFirmaDevletDestekFiyatIndirilmisFiyatGramrn Stokta Yok5
Select * From YoneticiGirisBilgiler where yoneticiGirisAd='5' and yoneticiGirisSifre='Kullan1c1 Ad1ifreYoneticiGirisiIEczaneOtomasyon.Properties.ResourcesjjNCXS-
Select * from PersonelPersonelIdPersonelAdPersonelSoyadPersonelTarihOkuduguYerMezunYilYasad1g1YerOzgecmisNotOrtSifre_
Select * From IlacIlacIdO
Select * From Ilac where IlacAd LIKE '%/%' order by IlacId DESC[
Select * From Ilac where KategoriName LIKE '%UPDATE Ilac set IlacAd=@ilacAd, ReceteDurumu=@ReceteDurum,ReceteKod=@ReceteKod,KategoriName=@kategoriAd,Firma=@firma,DevletDestek=@DevletDestek,Fiyat=@Fiyat,IndirilmisFiyat=@inFiyat,Stok=@stok,Gram=@gram WHERE IlacId=@ilacId@ilacIdKDELETE FROM Ilac where IlacId=@ilacIdHasta BilgileriHasta 0smi 'dgwHastaGoruntulemeHastaBilgileriCinsiyetHastaDogumTelefonHastaliklarRaporluIlacAdresSaglikGuvenceAlerjiS
Select * from IlacDisiUrun where Ad like '%g
Select * from IlacDisiUrun where KategoriId like '%insert into IlacDisiUrun values (@KategoriId ,@Ad,@Firma,@Fiyat,@BarkodNo, @Stok)@KategoriId@Ad@Firma@BarkodNo@StokUpdate IlacDisiUrun set KategoriId=@KategoriId, Ad=@Ad, Firma=@Firma, Fiyat=@Fiyat, BarkodNo=@BarkodNo , Stok=@Stok where DisId=@DisId @DisIdYDelete from IlacDisiUrun where DisId=@DisIdOrn Sistemimize Ba_ar1yla Silinmi_tir.Kategori isim:1dgwKategoriUrunGoruntuleKATEGOR0 KAYIT%KategoriUrunEkleme5
Select * from KategoriUruncinsert into KategoriUrun values (@UrunKategoriAd)Update KategoriUrun set UrunKategoriAd=@UrunKategoriAd where UrunKategoriId=@UrunKategoriId}Delete from KategoriUrun where UrunKategoriId=@UrunKategoriIdASeiminiz ba_ar1yla silinmi_tir.)Anla_mal1 HastanelerhstnTelNoTxtHastane TelefonhstnAdresTxthstnAdTxtHastane AdresHastane Ad11anlasmaliHastaneDatagridbtnHstnSilbtnHstnKyt!AnlasmaliHastane+
Insert into IlacDisiUrun values (@KategoriId ,@Ad,@Firma,@Fiyat,@BarkodNo, @Stok)@KategoriId@Ad@Firma@BarkodNo@StokUpdate IlacDisiUrun set KategoriId=@KategoriId, Ad=@Ad, Firma=@Firma, Fiyat=@Fiyat, BarkodNo=@BarkodNo , Stok=@Stok where DisId=@DisId @DisIdYDelete from IlacDisiUrun where DisId=@DisIdOrn Sistemimize Ba_ar1yla Silinmi_tir.Kategori isim:1dgwKategoriUrunGoruntuleKATEGOR0 KAYIT%KategoriUrunEkleme5Select * from KategoriUrunc
Insert into KategoriUrun values (@UrunKategoriAd)Update KategoriUrun set UrunKategoriAd=@UrunKategoriAd where UrunKategoriId=@UrunKategoriId}Delete from KategoriUrun where UrunKategoriId=@UrunKategoriIdASeiminiz ba_ar1yla silinmi_tir.)Anla_mal1 HastanelerhstnTelNoTxtHastane TelefonhstnAdresTxthstnAdTxtHastane AdresHastane Ad11anlasmaliHastaneDatagridbtnHstnSilbtnHstnKyt!AnlasmaliHastane+Select * From HastaneHastaneIdHastaneAd

Interesting Words:
PassWord
exec
attrib
start

Interesting Words (UNICODE):
ping

IP Addresses:
16.0.0.0
16.10.0.0

Strings/Hex Code Found With The File Rules:
Rule Text (Ascii): WinAPI Sockets (connect)
Rule Text (Ascii): WinAPI Sockets (send)
Rule Text (Ascii): Keyboard Key (Scroll)

Resources:
Path DataRVA Size FileOffset Code Text
\VERSION\1\0 D0090 398 CC690 980334000000560053005F00560045005200530049004F004E005F0049004E0046004F0000000000BD04EFFE000001000000 ..4...V.S._.V.E.R.S.I.O.N._.I.N.F.O...............
\24\1\0 D0438 1EA CCA38 EFBBBF3C3F786D6C2076657273696F6E3D22312E302220656E636F64696E673D225554462D3822207374616E64616C6F6E65 ...<?xml version="1.0" encoding="UTF-8" standalone

Intelligent String:
• 1.0.0.0
• XWga.exe
• girissark1.png
• 'shopping-basket.png
• .jpg
• =\CokluSaglikArsivi\AgizDis.txt
• =\CokluSaglikArsivi\Cildiye.txt
• 5\CokluSaglikArsivi\Sac.txt
• M\CokluSaglikArsivi\KulakBurunBogaz.txt
• 9\CokluSaglikArsivi\Diyet.txt
• C\CokluSaglikArsivi\BebekBakim.txt
• 9\CokluSaglikArsivi\Vucut.txt
• O\CokluSaglikArsivi\VitaminTakviyesi.txt
• G\CokluSaglikArsivi\MideHastalik.txt
• A\CokluSaglikArsivi\Alerjiler.txt
• excercise.png
• baby.png
• !hair-washing.png
• _CorExeMainmscoree.dll

Extra 4n4lysis:
Metric Value Percentage
Ascii Code 527817 62,8593%
Null Byte Code 75620 9,0058%