Description

Idetification

Antivirus detection

Defensive capabilities

Packer

The malware is packed with UPX.

$ ./upx -d /data/tmp/1.exe -o /data/tmp/1-unpacked.exe 
                       Ultimate Packer for eXecutables
                          Copyright (C) 1996 - 2013
UPX 3.09        Markus Oberhumer, Laszlo Molnar & John Reiser   Feb 18th 2013

        File size         Ratio      Format      Name
   --------------------   ------   -----------   -----------
     82844 <-     48540   58.59%    win32/pe     1-unpacked.exe

Unpacked 1 file.

Dynamic Analysis

Network indicators

INCOMPLETE SECTION OR ARTICLE

This section/article is being written and is therefore not complete.
Thank you for your comprehension.

Files

Embedded PE

ResourceHacker and pescanner confirm the presence of 3 executable resources in the executable:

Resource Hacker

$ ./pescanner.py /data/tmp/1-unpacked.exe 
[SNIP]
Signature scans
================================================================================
YARA: embedded_exe
   0x4e => This program cannot be run in DOS mode
   0x175e => This program cannot be run in DOS mode
   0x4f5e => This program cannot be run in DOS mode
   0x775e => This program cannot be run in DOS mode


Resource entries
================================================================================
Name               RVA      Size     Lang         Sublang                  Type
--------------------------------------------------------------------------------
TLS                0x20b110 0xc800   LANG_CHINESE SUBLANG_CHINESE_SIMPLIFIED PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
TLS                0x205110 0x3800   LANG_CHINESE SUBLANG_CHINESE_SIMPLIFIED PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
TLS                0x208910 0x2800   LANG_CHINESE SUBLANG_CHINESE_SIMPLIFIED PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
RT_MANIFEST        0x217910 0x292    LANG_CHINESE SUBLANG_CHINESE_SIMPLIFIED XML  document, UTF-8 Unicode (with BOM) text, with CRLF line terminators
[SNIP]

whhfd028.ocx

The following file is created:

00178B47ce.dll

Registry keys

Following keys are created:

Static Analysis

Sections (unpacked version)

Name       VirtAddr     VirtSize     RawSize      Entropy     
--------------------------------------------------------------------------------
.text      0x1000       0x9e0        0xa00        5.971897    
.bss       0x2000       0x2005f0     0x0          0.000000
.data      0x203000     0x514        0x600        4.316239    
.CRT       0x204000     0x4          0x200        0.061163
.rsrc      0x205000     0x12ba8      0x12c00      6.332730    

Strings (unpacked version)

[email protected]
5h0`
5p0`
>SSj
_^[]
h<1`
FGKJ
_^[]
FGKJ
_^[]
QQS3
WSSj
5$0`
=l0`
PWVS
VhX$`
5`0`
X_^[
PRRh
[email protected]
5x0`
jfPS
jgPS
jiPS
hx1`
hl1`
hP1`
X_^[
.ocx
whh27018
SeDebugPrivilege
kernel32
IsWow64Process
ConsentPromptBehaviorAdmin
SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System
\system32\
CSOL
%s "%s" pfjaoidjglkajd %s
%s "%s" m3
%s "%s" pfjieaoidjglkajd
%08Xce.dll
whh98%s.ocx
whhfd%s.ocx
CloseHandle
ReadFile
CreateFileA
GetTickCount
WriteFile
FindClose
FindFirstFileA
GetWindowsDirectoryA
SetFilePointer
SetFileTime
GetFileTime
GetFileSize
GetModuleFileNameA
GetModuleHandleA
FreeResource
LoadResource
SizeofResource
FindResourceA
GetProcAddress
GetCurrentProcess
CreateProcessA
ExitProcess
KERNEL32.DLL
wsprintfA
USER32.dll
AdjustTokenPrivileges
LookupPrivilegeValueA
OpenProcessToken
RegCloseKey
RegSetValueExA
RegOpenKeyExA
ADVAPI32.dll
SHELL32.dll
sprintf
strchr
strlen
memcpy
MSVCRT.dll
WSOCK32.dll
!This program cannot be run in DOS mode.
Rich=
.text
`.bss
.data
.rsrc
@.reloc
[email protected]
SVWj
X_^[
YYWS
[email protected]~>
t<~:
[email protected]
h4A 
[email protected] 
[email protected]
h<A 
[email protected]
[email protected] 
[email protected] 
SVW3
hHA 
VWj>Y3
[email protected] 
[email protected]
hXA 
H_^t
hXA 
PhpA 
[email protected] 
%|@ 
%[email protected] 
% @ 
.ocx
IME File
%s%s
System\CurrentControlSet\Control\Keyboard Layouts\
Keyboard Layout\Preload
whhfd*
%02x*
win39%08x.dll
MSGO
Chinese( PRC )
SeDebugPrivilege
\system32\
CloseHandle
CopyFileA
GetTickCount
FindClose
FindNextFileA
FindFirstFileA
GetWindowsDirectoryA
GetProcAddress
LoadLibraryA
LocalAlloc
lstrcpyA
lstrcatA
TerminateProcess
GetCurrentProcess
GetModuleFileNameA
MultiByteToWideChar
GetTempPathA
KERNEL32.dll
ActivateKeyboardLayout
SystemParametersInfoA
GetKeyboardLayoutList
GetKeyboardLayout
RegisterClassExA
LoadCursorA
UnregisterClassA
MessageBoxA
USER32.dll
RegSetValueExA
RegCloseKey
RegQueryValueExA
RegOpenKeyA
AdjustTokenPrivileges
LookupPrivilegeValueA
OpenProcessToken
ADVAPI32.dll
SHELL32.dll
sprintf
memset
strcpy
strlen
strrchr
strcat
strchr
MSVCRT.dll
ImmIsIME
IMM32.dll
IMEHost.dll
CandWndProc
CompWndProc
IMEClearPubString
IMESetPubString
ImeConversionList
ImeEnumRegisterWord
ImeInquire
ImeRegisterWord
ImeUnregisterWord
StatusWndProc
UIWndProc
pfjieaoidjglkajd
ImeConfigure
ImeDestroy
ImeEscape
ImeGetRegisterWordStyle
ImeProcessKey
ImeSelect
ImeSetActiveContext
ImeSetCompositionString
ImeToAsciiEx
NotifyIME
1)101C1u1
1#2T2r2
2h3o3
4&4T4a4
8%838
8e:q:x:
 0^0i0
0v2|2
!This program cannot be run in DOS mode.
Rich
.bss
.data
.reloc
.ocx
SeDebugPrivilege
WSPStartup
%02x*
win%08x.dll
[email protected]
5$  
SVWj/3
[email protected]! 
[email protected] 
SVWj
h ! 
[email protected]
h,! 
SVW3
=\  
h4! 
Hu8V
=D  
%t  
%x  
%|  
%l  
%d  
%`  
CloseHandle
CopyFileA
GetTickCount
FindClose
FindNextFileA
FindFirstFileA
GetWindowsDirectoryA
GetModuleFileNameA
LoadLibraryA
MultiByteToWideChar
GetProcAddress
GetLastError
GlobalAlloc
GlobalFree
LoadLibraryW
ExpandEnvironmentStringsW
GetModuleFileNameW
KERNEL32.dll
wsprintfW
USER32.dll
AdjustTokenPrivileges
LookupPrivilegeValueA
OpenProcessToken
ADVAPI32.dll
SHELL32.dll
sprintf
memset
strcpy
_except_handler3
strchr
swprintf
memcmp
wcscpy
memcpy
strcat
strstr
MSVCRT.dll
WSCWriteProviderOrder
WSCInstallProvider
WSCEnumProtocols
WSCGetProviderPath
WS2_32.dll
UuidCreate
RPCRT4.dll
LSP.dll
WSPStartup
D1H1Z1
2=2M2\2
6P7v7
7<8M8V8]8
9&9A9~9	:
;D<i<o<y<
<,=2=B=H=N=T=
!This program cannot be run in DOS mode.
Rich
.bss
.data
.CRT
.vmp0
`.reloc
SeDebugPrivilege
InternetCloseHandle
InternetReadFile
InternetOpenUrlA
InternetOpenA
WININET.dll
%02X
CSOL
%s_%d.jpg
WinInet
POST
HttpSendRequestEx
other
Type
Option
action=getRate
%02X%02X%02X%02X%02X%02X
CSOL_%s.tmp
%s%s
\\.\
ServiceName
SOFTWARE\Microsoft\Windows NT\CurrentVersion\NetworkCards
cstrike-online.exe
hw.dll
nmconew.dll
jahCSOL27018_rel_regamle_%08d_
Counter-Strike Online
Value001
QQVh
t?Ht*Ht
:MZu
WVVV
=40 
t$$VV
}"j(V
t$ j
t$$VV
580 
SVWh
5<0 
H_H^
u8!E
QQSVW3
Xf9E
HH_^][
FGKJ
_^[]
QQS3
WSSj
5t0 
=p0 
PWVS
<1&u
1|A;
t[BS
QZ^&
jxY+
WQhD: 
FYYj
[email protected]
=4  
[email protected]
VPPPhSU 
WSSj
SQVPW
SVWj
D$ hKk
[email protected]/f!
SVWj?3
Phd  
h<: 
@_^[
VVVVh
t$Vh
QSV3
VVVVV
tOWVh
t.9u
SVWj?3
5<0 
SSSSh
jPXSSj
tgSh
=4  
=4  
_u.9]
=   
=   
Yv;V
=T1 
Y~!V
[email protected]
5T1 
=4  
Y_^[
[email protected]
j PSh
h ; 
Yu&;
t'Ht
Hu7h
5d0 
Yt>8
=X  
PPPh
SVW3
u+WP
SVWj
h(  
[email protected]
Ph$; 
[email protected] 
5T1 
SVW3
QQSVW3
Vh4; 
95P  
F;5P  
=\  
5<0 
=\  
=\  
=<  
D$$P
%D  
=<  
D$$P
%L  
[email protected]
h\; 
[email protected]
hh; 
[email protected]
hh; 
[email protected]
5t1 
ht; 
hl; 
[email protected]; 
[email protected]; 
hd  
Shd  
VWj?
hd  
h,! 
Vh|! 
%|# 
5D" 
VVVhv} 
PPPhc} 
5D" 
5d0 
VWhH< 
=,< 
[email protected]< 
h < 
=L< 
_^t-Ht"Ht
8MZu
FF9]
X_^[
s<[email protected]
vTSP
QQS3
tXVWSP
SPVW
 SVW
=(0 
etAS
X_^[
YYt 
[u&3
5x1 
5d0 
SWj>3
=(0 
Yt&S
Yt&S
[email protected]
[email protected]
tAj\
%`0 
% 1 
%$1 
%(1 
%,1 
%X1 
AddVectoredExceptionHandler
InitializeCriticalSection
LeaveCriticalSection
EnterCriticalSection
Thread32Next
CloseHandle
SetThreadContext
GetThreadContext
OpenThread
GetCurrentProcessId
Thread32First
CreateToolhelp32Snapshot
VirtualProtect
GetProcessHeap
HeapAlloc
Process32Next
Process32First
GetFileSize
CreateFileA
GetModuleFileNameA
LoadLibraryA
GetModuleHandleA
WideCharToMultiByte
MultiByteToWideChar
GetProcAddress
FindClose
FindFirstFileA
OpenProcess
GetTempPathA
GetCurrentProcess
ReleaseMutex
GetLastError
CreateMutexA
Sleep
DeleteFileA
GetLocalTime
ReadFile
SetFilePointer
IsBadReadPtr
VirtualFree
VirtualAlloc
SetThreadPriority
CreateThread
GetTickCount
GetPrivateProfileStringA
ExitProcess
TerminateProcess
WritePrivateProfileStringA
DeviceIoControl
lstrcmpiA
SetUnhandledExceptionFilter
KERNEL32.dll
wsprintfA
GetWindow
PostMessageA
GetClassNameA
GetWindowTextA
GetDesktopWindow
FindWindowA
USER32.dll
GDI32.dll
AdjustTokenPrivileges
LookupPrivilegeValueA
OpenProcessToken
RegCloseKey
RegOpenKeyExA
RegQueryValueExA
RegEnumKeyExA
ADVAPI32.dll
SHELL32.dll
memset
memcpy
_except_handler3
strcat
strlen
_itoa
_stricmp
free
malloc
strchr
sprintf
strncpy
isspace
isalnum
atoi
strcpy
[email protected]@Z
[email protected]@Z
strstr
sscanf
_vsnprintf
rand
srand
strrchr
_strlwr
MSVCRT.dll
WSOCK32.dll
gdiplus.dll
_strupr
_strcmpi
Stolor.dll
pfjaoidjgfdjkj
pfjaoidjglkajd
t)at
$}ve]
GPh/
l$(Qf
${+`f
h;q:
l$ Yf
D$0R
|$Lf
D$$`
l$$C
WhfhW
T$(P
5Y6q
hz50b
59; 
SThZ
ha=g
L$(f
#$A8
l]tV
@\l[
x4[I
/\l1
L!, 
c-7X
StQYI
ihA'
i1X&
 Xq+
$&~D
\-\.
-}@TW`h>
D$(Jh
#"'!S
DCge
h0A	(d
A-L)
0s=wvS
FT! *6
@<;/+
h[;v
}\@jbEL
L]S#
[email protected]
hp*~	d
wSl$
!l[_3>
P8K~DE
6]:O
[email protected])
f!gH:
kFED
D$<J
J->/J
}ZO2
<JRw
qH0z
_,N60H"/
UV&{.W
$\l1
],3|
gDc>+
65(Z
NG$M,
HRMm
{XQZLd
#.;(
-83T
NQc+
E#6w2
D*"\l
B|U!
ny/k
"\l0
WV4L
s'N;&
zj?)Q`
D$$J(g
Rn|X
~F$!X=ZS
/835
g x.,p
u~0l
1&CS
uu{K
4u82
) Ai
\l|w
o7sY
wrYP
I8V`{C
UG~-
D$<J
D$<5
AuU \
C8Kwr
A?8nRx
XrG6
a50V$W
2]Dw
\l}C'
Qyal
I|-V
>xYP
wvT"n
H%eLK?
D$ Jh
eamXS
x.l	
(GG>
582|Y1M
5q9p
|<v<-
[email protected]
]lcd
Ta9ox
hJ(5
H}-l}
0}|.
54vy,
Cw``
`ZZ8rc
+c9P
7TY!
\Z4C
$j(8
u3|6
NI>Y6
[email protected]@
`k%2
D$ J
D$$7A
[email protected]
e%P9
|,["
Q8)O\$
:-l>9
x&$	
>|*@
.' Z
Ut]M
axa$
4?fA
^maXX
"IBE
61v.
$J(5
M}uT}
D$ J
@ueK
[email protected]
k=COyz
D$$}
a]vq
*N<9P
-X<B
x1R<
l>lbh
yp[s
Ls$0
)a14#
L9K?z
[email protected]^D
#xZ0
AIIj32
9QY0Y
Cdb/K
[email protected]
yKbe
XNKW$
qXNOs$
&F&_!0X
8NGw$
yPzA
qhNFS$2
,odF
(NKf$
P{fd
S?YO
!J{vA
[email protected]
Upfl
J^v+
;hugH
]/dQ
NC_$
[{fY
GE]Y,
s| ]6.n
OM!l
%?Lm}~
[email protected]
Dw>h
R}fC
=%=9=H=^=k=v=
>.>3>9>
>g?p?
0d0k0
102=2D2s2
2&353;3E3J3W3d3v3
334?4c4
6M6m7
7\8t8
535y5
9~9-:4:;:z:
?!?(?I?b?
L0b0v0
0$1[1o1
[email protected]
4%4,4[4t4{4
5E5k5w5
616]6
8,92:E:P:W:\:r:
>V>^>g>m>s>y>
? ?*?[?
2&3:3a3p3x3
5$5E5O5\5
5f6q6}6
747?7F7
8/848:8a8
:[:`:f:|:
;1;:;I;
<$<><L<R<]<p<z<
='=9=A=H=V=^=d=y=
>;>B>Q>^>e>y>
?0?E?Z?
0"1k1k2
3)3/3A3R3h3
3#4(4D4W4
4B5H5N5T5c5o5v5
6?6E6S6o6
6c7t7
8?8T8a8
:!:':2:::B:L:V:^:s:z:
;,;4;;;O;T;
<*<J<`<~<
="=(=.=4=:[email protected]=F=L=
6+:7:
<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<assembly xmlns="urn:schemas-microsoft-com:asm.v1" manifestVersion="1.0">
  <assemblyIdentity version="1.0.0.0"
     processorArchitecture="X86"
     name="IsUserAdmin"
     type="win32"/>
  <description>Description of your application</description>
  <!-- Identify the application security requirements. -->
  <trustInfo xmlns="urn:schemas-microsoft-com:asm.v2">
    <security>
      <requestedPrivileges>
        <requestedExecutionLevel
          level="highestAvailable"
          uiAccess="false"/>
        </requestedPrivileges>
       </security>
  </trustInfo>
</assembly>

IAT (unpacked version)

Comments