1.exe

First submission 2022-08-03 14:41:02

File details

File type:	PE32 executable (GUI) Intel 80386, for MS Windows
File type:	113.0 KB (115712 bytes)
Compile time:	2020-08-29 08:54:20
MD5:	24124eba208a4cbfb5fd03185c7b130d
SHA1:	2f722b6719b6774e18a77d59ffdc91b22dba6b81
SHA256:	5c42e1fd2ed113fb92328e888276f41c3fe43042486714d04fb8b440f5a43014
Import Hash :	51a1d638436da72d7fa5fb524e02d427
Sections 6	.text .rdata .data .rsrc .reloc .bss
Directories 4	import resource debug relocation
Virus Total:	59/71 VT report date: 2022-08-03 12:15:10

File features detected

Is DLL

Packers

Anti Debug

Anti VM

Signed

XOR

URLs, FQDN and IP indicators 1

URL	Host (FQDN/IP)	Date Added
hXXps://jg.studio/1.exe	jg.studio	2022-08-03 14:41:02

PE Sections 0 suspicious

Name	VAddress	VSize	Size	SHA1	MD5
.text	0x1000	0x12eab	77824	7dbf751a5a00ac84ae1fc0c5ad26154c2aab2c78	6dbe7c9f7981297db465fd69821e1c4b
.rdata	0x14000	0x49ce	18944	6acfa20b7ae4a749e66a0c6332d2f2d5e6bc4004	1271925bf242f5dd778122d822dac6d9
.data	0x19000	0x1350d8	1536	f9506537e8a22c2e00b554ac719b4b918be43450	0e383bc5047fd3f1a7a5e78591f96b14
.rsrc	0x14f000	0x2c70	11776	52e5b1c4d939b10ac7de4810fb56390ff0434d24	cdd112e1df434d31179f9eee936b7ff7
.reloc	0x152000	0xfa8	4096	0441dbebd2baa1cd80fdd6e53190a76bad472a3a	d7f0f9f1a21533bcdc70c4c071cede21
.bss	0x153000	0x1000	512	a9e9787230b2ca86fc5cfb24b66fc05697cfd86a	ea6055936be5a3306e5f5411fa876860

PE Resources 1

Name	Language	Sublanguage	Offset	Size	Data
WM_DSP	LANG_ENGLISH	SUBLANG_ARABIC_QATAR	0x14f070	11264	PE Resource: WM_DSP - Data MZ@ !L!This program cannot be run in DOS mode. $YKKKJK>KK.KKK?K\JK\BKK\JKRichKPEL=f[.P @`l&d@p$$@ .text `.rdata @@.datax0@.rsrcp@@@jRQ(3@Ux0@3EWjx @jj$P(3@jj<P(3@Ph @jjh @p @tQP$Ph @Ph!@\| @hPQPh @jhX7@\ @jhP(3@hP @Ph @jP\ @jjPQ8PQTPQPQP<@"@` @_ttjP @ @tQPtQPtQPt @M3j]UEVuN;Hu*hh;@F$PP7@h"@F,PP7@E^]E2^]V43@jhhh;@(3@hhh;@$ @h$"@hh;@ @v83@Fhh;@8PP7@Fhh;@@PP7@v03@Vh @j<3@^U0@3EVWh@"@jej @VjD @VjH @W,3@ @jhhX7@T7@(3@hX7@h @hP"@hX7@ @jhjjjhhX7@ @jP5,3@5T7@V@ @= @VjhP(3@Ph @hl"@P @jhjjjhP @jPhh"@V@ @V_^M3<]U0@3EVWhh@3@j< @= @h @h @5( @Ph @h @43@Ph!@h @83@Ph !@h @03@Ph8!@h @P7@PhH!@h @(3@Ph`!@h @P<3@X @uQRhP @h"@P @j, @jjh"@jh @j, @; 0@u(UjL @uP @h 4 @P0 @]U$jtjY)1@ 1@1@0@50@=0@f 1@f 1@f0@f0@f%0@f-0@1@E1@E1@E1@X0@1@0@0@ 0@0@jXk0@jXk 0@LjX 0@Lh @]%8 @''''''''(,(D(V(d)P)x)r'f'(T'2))((r(((((@mCBUa{_z\ LKouU:WPHw[ 0@X0@RtlGetCurrentPebntdll.dllRtlEnterCriticalSectionRtlLeaveCriticalSectionRtlInitUnicodeStringRtlFillMemoryNtAllocateVirtualMemoryLdrEnumerateLoadedModulesElevation:Administrator!new:{3ad05575-8857-4850-9277-11b85bdb8e09}explorer.exe\explorer.exeWM_DISPdismcore.dllellocnak.xml\pkgmgr.exe/n:%temp%\ellocnak.xmlHey I'm Admin<?xml version="1.0" encoding="utf-8"?> <unattend xmlns="urn:schemas-microsoft-com:unattend"> <servicing> <package action="install"> <assemblyIdentity name="Package_1_for_KB929761" version="6.0.1.1" language="neutral" processorArchitecture="x86" publicKeyToken="31bf3856ad364e35"/> <source location="%configsetroot%\Windows6.0-KB929761-x86.CAB" /> </package> </servicing> </unattend> =f[ p%p0@ @GCTL.text$mn .idata$5 .00cfg .rdatap%.rdata$zzzdbgl&P.idata$2&.idata$3&.idata$4T'@.idata$60.data0p.bss@p.rsrc$01p@.rsrc$02&d( 8'(h ('(X @')p ''''''''(,(D(V(d)P)x)r'f'(T'2))((r(((((SizeofResource%WriteFileGetModuleFileNameWGetTempPathWWaitForSingleObjectCreateFileWpGetSystemDirectoryW?lstrcatWTLockResourceRCloseHandle?LoadLibraryWALoadResourceNFindResourceWGetWindowsDirectoryWEGetProcAddressExitProcessKERNEL32.dllMessageBoxWUSER32.dllSHCreateItemFromParsingName!ShellExecuteExWSHELL32.dll>CoInitializelCoUninitializeCoCreateInstance5CoGetObjectole32.dllUnhandledExceptionFilterSetUnhandledExceptionFilterGetCurrentProcessTerminateProcessIsProcessorFeaturePresentN@DXe0 @Hp@WM_DISPMZ@ !L!This program cannot be run in DOS mode. $w\|3/3/3/ .2/ .6/\.4/3/ /r.2/r.2/Rich3/PEL=f[! P@d"P@ @ X.text~ `.rdata @@.data,0@.reloc@@BU$C03EmSVWtM_^3[]D@u@uDP< @uhPh 4 M=BPhjhh h u/PPjjh PP jh,j hPS =8 u^hPS uKVP( u&pPh jV0 VhPS tSPPPjjjjjjP$ tj ; 0u(UjD uH h @ P0 ]U$jtjY)1 11151=0f(1f 1f0f0f%0f-0 1E1E1E$1`0100 0 0jXk$0jXk 0LjX 0Lh` ]%, QL$+#%;rY$-##$\#x##N####$:####~$`$D$$$}0`0SOFTWARE\_rptlsInstall%systemroot%\system32\=f[ ! 0X GCTL~.text$mn X.idata$5X .00cfg` 0.rdata!.rdata$zzzdbgd"<.idata$2".idata$3"X.idata$4#.idata$60.data0.bss"# "$ #8$P ##$\#x##N####$:####~$`$D$$$GetStartupInfoW`ExpandEnvironmentStringsWTerminateProcessOpenProcessCreateToolhelp32Snapshot'Process32NextW%Process32FirstWCloseHandle\ExitProcessCreateProcessW(lstrcmpWKERNEL32.dllRegQueryValueExWRegOpenKeyExW[RegCloseKeyADVAPI32.dllMPathFindFileNameWSHLWAPI.dllUnhandledExceptionFiltereSetUnhandledExceptionFilterGetCurrentProcessIsProcessorFeaturePresentN@Dp0~00000111)1E1U1[1n11111122(212<2C2c2i2o2u2{22222222222222222233.373F3 X0`0d0,181

Name

Language

Sublanguage

Offset

Size

Data

WM_DSP

LANG_ENGLISH

SUBLANG_ARABIC_QATAR

0x14f070

11264

MZ@	!L!This program cannot be run in DOS mode.

$YKKKJK>KK.KKK?K\JK\BKK\JKRichKPEL=f[.P @`l&d@p$$@ .text `.rdata	 
@@.datax0@.rsrcp@@@jRQ(3@Ux0@3EWjx @jj$P(3@jj<P(3@Ph @jjh @p @tQP$Ph @Ph!@| @hPQPh @jhX7@\ @jhP(3@hP @Ph @jP\ @jjPQ8PQTPQPQP<@"@` @_ttjP @ @tQPtQPtQPt @M3j]UEVuN;Hu*hh;@F$PP7@h"@F,PP7@E^]E2^]V43@jhhh;@(3@hhh;@$ @h$"@hh;@ @v83@Fhh;@8PP7@Fhh;@@PP7@v03@Vh @j<3@^U0@3EVWh@"@jej  @VjD @VjH @W,3@ @jhhX7@T7@(3@hX7@h @hP"@hX7@ @jhjjjhhX7@ @jP5,3@5T7@V@ @= @VjhP(3@Ph @hl"@P @jhjjjhP @jPhh"@V@ @V_^M3<]U0@3EVWhh@3@j< @= @h @h @5( @Ph @h @43@Ph!@h @83@Ph !@h @03@Ph8!@h @P7@PhH!@h @(3@Ph`!@h @P<3@X @uQRhP @h"@P @j, @jjh"@jh @j, @;
0@u(UjL @uP @h	4 @P0 @]U$jtjY)1@
1@1@0@50@=0@f 1@f
1@f0@f0@f%0@f-0@1@E1@E1@E1@X0@1@0@0@	0@0@jXk0@jXk
0@LjX
0@Lh @]%8 @''''''''(,(D(V(d)P)x)r'f'(T'2))((r(((((@mCBUa{_z\
LKouU:WPHw[	0@X0@RtlGetCurrentPebntdll.dllRtlEnterCriticalSectionRtlLeaveCriticalSectionRtlInitUnicodeStringRtlFillMemoryNtAllocateVirtualMemoryLdrEnumerateLoadedModulesElevation:Administrator!new:{3ad05575-8857-4850-9277-11b85bdb8e09}explorer.exe\explorer.exeWM_DISPdismcore.dllellocnak.xml\pkgmgr.exe/n:%temp%\ellocnak.xmlHey I'm Admin<?xml version="1.0" encoding="utf-8"?>
<unattend xmlns="urn:schemas-microsoft-com:unattend">
    <servicing>
        <package action="install">
            <assemblyIdentity  name="Package_1_for_KB929761" version="6.0.1.1" language="neutral" processorArchitecture="x86" publicKeyToken="31bf3856ad364e35"/>
            <source location="%configsetroot%\Windows6.0-KB929761-x86.CAB" />
        </package>
     </servicing>
</unattend>

=f[
p%p0@ @GCTL.text$mn .idata$5 .00cfg .rdatap%.rdata$zzzdbgl&P.idata$2&.idata$3&.idata$4T'@.idata$60.data0p.bss@p.rsrc$01p@.rsrc$02&d( 8'(h ('(X @')p ''''''''(,(D(V(d)P)x)r'f'(T'2))((r(((((SizeofResource%WriteFileGetModuleFileNameWGetTempPathWWaitForSingleObjectCreateFileWpGetSystemDirectoryW?lstrcatWTLockResourceRCloseHandle?LoadLibraryWALoadResourceNFindResourceWGetWindowsDirectoryWEGetProcAddressExitProcessKERNEL32.dllMessageBoxWUSER32.dllSHCreateItemFromParsingName!ShellExecuteExWSHELL32.dll>CoInitializelCoUninitializeCoCreateInstance5CoGetObjectole32.dllUnhandledExceptionFilterSetUnhandledExceptionFilterGetCurrentProcessTerminateProcessIsProcessorFeaturePresentN@DXe0	@Hp@WM_DISPMZ@	!L!This program cannot be run in DOS mode.

$w|3/3/3/ .2/ .6/\.4/3/ /r.2/r.2/Rich3/PEL=f[! P@d"P@  @ X.text~ `.rdata @@.data,0@.reloc@@BU$C03EmSVWtM_^3[]D@u@uDP< 
@uhPh 4 M=BPhjhh h u/PPjjh   PP jh,j hPS =8 u^hPS uKVP( u&pPh jV0 VhPS tSPPPjjjjjjP$ tj  ;
0u(UjD uH h	@ P0 ]U$jtjY)1
11151=0f(1f
1f0f0f%0f-0 1E1E1E$1`0100	0 0jXk$0jXk
0LjX
0Lh` ]%, QL$+#%;rY$-##$\#x##N####$:####~$`$D$$$}0`0SOFTWARE\_rptlsInstall%systemroot%\system32\=f[
!	0X GCTL~.text$mn X.idata$5X .00cfg` 0.rdata!.rdata$zzzdbgd"<.idata$2".idata$3"X.idata$4#.idata$60.data0.bss"# "$ #8$P ##$\#x##N####$:####~$`$D$$$GetStartupInfoW`ExpandEnvironmentStringsWTerminateProcessOpenProcessCreateToolhelp32Snapshot'Process32NextW%Process32FirstWCloseHandle\ExitProcessCreateProcessW(lstrcmpWKERNEL32.dllRegQueryValueExWRegOpenKeyExW[RegCloseKeyADVAPI32.dllMPathFindFileNameWSHLWAPI.dllUnhandledExceptionFiltereSetUnhandledExceptionFilterGetCurrentProcessIsProcessorFeaturePresentN@Dp0~00000111)1E1U1[1n11111122(212<2C2c2i2o2u2{22222222222222222233.373F3 X0`0d0,181

Packers detected 1

Borland Delphi 3.0 (???)

Anti debug functions 6

GetLastError
Process32First
Process32FirstW
Process32Next
Process32NextW
TerminateProcess

Strings analysis - File found

Database
Asend.db
find.db
XML
ellocnak.xml
/n:%temp%\ellocnak.xml
Library
Duser32.dll
vcruntime140.dll
\sqlmap.dll
nss3.dll
ntdll.dll
msvcr120.dll
freebl3.dll
dismcore.dll
msvcp120.dll
mozglue.dll
msvcp140.dll
\rfxvmt.dll
softokn3.dll
USER32.dll
ADVAPI32.dll
ole32.dll
SHLWAPI.dll
SHELL32.dll
bcrypt.dll
Crypt32.dll
vaultcli.dll
PSAPI.DLL
C:\Windows\System32\USER32.dll
NETAPI32.dll
OLEAUT32.dll
KERNEL32.dll
urlmon.dll
WS2_32.dll

Strings analysis - Possible IPs found 3

1.2.3.4
127.0.0.2
6.0.1.1

Strings analysis - Possible URLs found 1

https://github.com/syohex/java-simple-mine-sweeper

Import functions

OLEAUT32.dll 1 KERNEL32.dll 106 urlmon.dll 1 CRYPT32.dll 3 WS2_32.dll 15 SHELL32.dll 8 PSAPI.DLL 1 SHLWAPI.dll 7 ADVAPI32.dll 30 USER32.dll 21 bcrypt.dll 4 NETAPI32.dll 2 ole32.dll 5

Function	Address	Souspicious	Anti Debug
VariantInit	0x414244

Function	Address	Souspicious	Anti Debug
HeapFree	0x41408c
VirtualAlloc	0x414090
HeapReAlloc	0x414094
VirtualQuery	0x414098
TerminateThread	0x41409c
CreateThread	0x4140a0
WriteProcessMemory	0x4140a4
GetCurrentProcess	0x4140a8
OpenProcess	0x4140ac
GetWindowsDirectoryA	0x4140b0
VirtualProtectEx	0x4140b4
VirtualAllocEx	0x4140b8
CreateRemoteThread	0x4140bc
CreateProcessA	0x4140c0
GetModuleHandleW	0x4140c4
IsWow64Process	0x4140c8
WriteFile	0x4140cc
CreateFileW	0x4140d0
LoadLibraryW	0x4140d4
GetLocalTime	0x4140d8
GetCurrentThreadId	0x4140dc
GetCurrentProcessId	0x4140e0
ReadFile	0x4140e4
FindFirstFileA	0x4140e8
GetBinaryTypeW	0x4140ec
FindNextFileA	0x4140f0
GetFullPathNameA	0x4140f4
GetTempPathW	0x4140f8
GetPrivateProfileStringW	0x4140fc
CreateFileA	0x414100
GlobalAlloc	0x414104
GetCurrentDirectoryW	0x414108
SetCurrentDirectoryW	0x41410c
GetFileSize	0x414110
FreeLibrary	0x414114
SetDllDirectoryW	0x414118
GetFileSizeEx	0x41411c
LoadLibraryA	0x414120
LocalFree	0x414124
WaitForSingleObject	0x414128
WaitForMultipleObjects	0x41412c
CreatePipe	0x414130
PeekNamedPipe	0x414134
DuplicateHandle	0x414138
SetEvent	0x41413c
GetStartupInfoA	0x414140
CreateEventA	0x414144
GetModuleFileNameW	0x414148
LoadResource	0x41414c
FindResourceW	0x414150
GetComputerNameW	0x414154
GlobalMemoryStatusEx	0x414158
LoadLibraryExW	0x41415c
FindFirstFileW	0x414160
FindNextFileW	0x414164
SetFilePointer	0x414168
GetLogicalDriveStringsW	0x41416c
DeleteFileW	0x414170
CopyFileW	0x414174
GetDriveTypeW	0x414178
EnterCriticalSection	0x41417c
LeaveCriticalSection	0x414180
InitializeCriticalSection	0x414184
DeleteCriticalSection	0x414188
GetProcessHeap	0x41418c
ReleaseMutex	0x414190
TerminateProcess	0x414194
CreateToolhelp32Snapshot	0x414198
Process32NextW	0x41419c
Process32FirstW	0x4141a0
SizeofResource	0x4141a4
VirtualProtect	0x4141a8
GetSystemDirectoryW	0x4141ac
LockResource	0x4141b0
GetWindowsDirectoryW	0x4141b4
Process32First	0x4141b8
Process32Next	0x4141bc
WinExec	0x4141c0
GetTempPathA	0x4141c4
HeapAlloc	0x4141c8
lstrcmpW	0x4141cc
GetTickCount	0x4141d0
lstrcpyW	0x4141d4
WideCharToMultiByte	0x4141d8
lstrcpyA	0x4141dc
Sleep	0x4141e0
MultiByteToWideChar	0x4141e4
GetCommandLineA	0x4141e8
GetModuleHandleA	0x4141ec
ExitProcess	0x4141f0
CreateProcessW	0x4141f4
lstrcatA	0x4141f8
lstrcmpA	0x4141fc
lstrlenA	0x414200
ExpandEnvironmentStringsW	0x414204
lstrlenW	0x414208
CloseHandle	0x41420c
lstrcatW	0x414210
GetLastError	0x414214
VirtualFree	0x414218
GetProcAddress	0x41421c
SetLastError	0x414220
GetModuleFileNameA	0x414224
CreateDirectoryW	0x414228
LocalAlloc	0x41422c
CreateMutexA	0x414230

Function	Address	Souspicious	Anti Debug
URLDownloadToFileW	0x41435c

Function	Address	Souspicious	Anti Debug
CryptUnprotectData	0x41407c
CryptStringToBinaryA	0x414080
CryptStringToBinaryW	0x414084

Function	Address	Souspicious	Anti Debug
htons	0x4142f0
recv	0x4142f4
connect	0x4142f8
socket	0x4142fc
send	0x414300
WSAStartup	0x414304
shutdown	0x414308
closesocket	0x41430c
WSACleanup	0x414310
InetNtopW	0x414314
gethostbyname	0x414318
inet_addr	0x41431c
getaddrinfo	0x414320
setsockopt	0x414324
freeaddrinfo	0x414328

Function	Address	Souspicious	Anti Debug
ShellExecuteExA	0x414254
ShellExecuteExW	0x414258
None	0x41425c
SHGetSpecialFolderPathW	0x414260
SHCreateDirectoryExW	0x414264
ShellExecuteW	0x414268
SHGetFolderPathW	0x41426c
SHGetKnownFolderPath	0x414270

Function	Address	Souspicious	Anti Debug
GetModuleFileNameExW	0x41424c

Function	Address	Souspicious	Anti Debug
StrStrW	0x414278
PathRemoveFileSpecA	0x41427c
StrStrA	0x414280
PathCombineA	0x414284
PathFindFileNameW	0x414288
PathFileExistsW	0x41428c
PathFindExtensionW	0x414290

Function	Address	Souspicious	Anti Debug
RegDeleteKeyW	0x414000
RegCreateKeyExW	0x414004
RegSetValueExA	0x414008
RegDeleteValueW	0x41400c
LookupPrivilegeValueW	0x414010
AdjustTokenPrivileges	0x414014
AllocateAndInitializeSid	0x414018
OpenProcessToken	0x41401c
InitializeSecurityDescriptor	0x414020
RegDeleteKeyA	0x414024
SetSecurityDescriptorDacl	0x414028
RegOpenKeyExW	0x41402c
RegOpenKeyExA	0x414030
RegEnumKeyExW	0x414034
RegQueryValueExA	0x414038
RegQueryInfoKeyW	0x41403c
RegCloseKey	0x414040
OpenServiceW	0x414044
ChangeServiceConfigW	0x414048
QueryServiceConfigW	0x41404c
EnumServicesStatusExW	0x414050
StartServiceW	0x414054
RegSetValueExW	0x414058
RegCreateKeyExA	0x41405c
OpenSCManagerW	0x414060
CloseServiceHandle	0x414064
GetTokenInformation	0x414068
LookupAccountSidW	0x41406c
FreeSid	0x414070
RegQueryValueExW	0x414074

Function	Address	Souspicious	Anti Debug
GetKeyState	0x414298
GetMessageA	0x41429c
DispatchMessageA	0x4142a0
CreateWindowExW	0x4142a4
CallNextHookEx	0x4142a8
GetAsyncKeyState	0x4142ac
RegisterClassW	0x4142b0
GetRawInputData	0x4142b4
MapVirtualKeyA	0x4142b8
DefWindowProcA	0x4142bc
RegisterRawInputDevices	0x4142c0
TranslateMessage	0x4142c4
GetForegroundWindow	0x4142c8
GetKeyNameTextW	0x4142cc
PostQuitMessage	0x4142d0
MessageBoxA	0x4142d4
GetLastInputInfo	0x4142d8
wsprintfW	0x4142dc
GetWindowTextW	0x4142e0
wsprintfA	0x4142e4
ToUnicode	0x4142e8

Function	Address	Souspicious	Anti Debug
BCryptSetProperty	0x414330
BCryptGenerateSymmetricKey	0x414334
BCryptOpenAlgorithmProvider	0x414338
BCryptDecrypt	0x41433c

Function	Address	Souspicious	Anti Debug
NetLocalGroupAddMembers	0x414238
NetUserAdd	0x41423c

Function	Address	Souspicious	Anti Debug
CoInitializeSecurity	0x414344
CoCreateInstance	0x414348
CoInitialize	0x41434c
CoUninitialize	0x414350
CoTaskMemFree	0x414354

Name	Latest seen	MD5
a1.exe	2021-12-08 11:18:08	485aa72d1122385d41fdefb74722a5e0
coo.exe	2022-01-05 19:01:01	e400649bd2020d87ed05e5d863949546
files.exe	2022-01-07 16:01:03	d629825af74644d518bd2aa80c1030d7
5755_1641595330_3394.exe	2022-01-08 06:42:03	495587163ddf94aaceb6a5e68af05f7a
Lion2.exe	2022-01-11 19:20:01	91a75581a2d902f52d5965157fce495f
New_RAW.exe	2022-05-29 22:45:01	230ba9735b656ab22cc089ecb30c1648
ZdNRJ.exe	2022-06-24 22:03:02	ce49d7b247e770f39b6d8eac10fa5403
qWDXb.exe	2022-07-08 14:26:03	0b756fd941b8e7bb06b00769a7ea11ea
JeQSQ.exe	2022-07-14 08:21:02	9e3206fa9eaf7993d1347e4916855b71
BcHxN.exe	2022-07-25 18:53:03	7d2787b309fc3755d14c56931ae9625e
PoRZQ.exe	2022-08-02 19:52:02	e2beefa8a1b15424661216d91f306b8d