Difference between revisions of "Analysis:20130516-0001"
Revision as of 19:04, 16 May 2013
Analysis by: Kradorex Xeron (talk) 18:25, 16 May 2013 (EDT)
File Attributes
File attributes are as follows:
Hashes
File hashes are MD5:
d085f63b8386e0d3337671b75461ff8f  daaqvjzgl.ztd
d085f63b8386e0d3337671b75461ff8f  hirpckeb.tcn
d085f63b8386e0d3337671b75461ff8f  kvhswkfhdl.ckm
d085f63b8386e0d3337671b75461ff8f  kzenuh.kiy
d085f63b8386e0d3337671b75461ff8f  lyeefmrig.zud
d085f63b8386e0d3337671b75461ff8f  mganoydtxg.pio
d085f63b8386e0d3337671b75461ff8f  qkdefhtrv.dyb
d085f63b8386e0d3337671b75461ff8f  ruqtdtbay.agp
d085f63b8386e0d3337671b75461ff8f  xwnpnoxtg.yyx
d085f63b8386e0d3337671b75461ff8f  zbgwpvm.nwm
d085f63b8386e0d3337671b75461ff8f  zpcfsmdylh.zje
d085f63b8386e0d3337671b75461ff8f  zuwtjqidrj.zyh
This indicates that all files have the same content.
Type
The files' types were identified as:
daaqvjzgl.ztd:  MS-DOS executable PE for MS Windows (DLL) (GUI) Intel 80386 32-bit
hirpckeb.tcn:   MS-DOS executable PE for MS Windows (DLL) (GUI) Intel 80386 32-bit
kvhswkfhdl.ckm: MS-DOS executable PE for MS Windows (DLL) (GUI) Intel 80386 32-bit
kzenuh.kiy:     MS-DOS executable PE for MS Windows (DLL) (GUI) Intel 80386 32-bit
lyeefmrig.zud:  MS-DOS executable PE for MS Windows (DLL) (GUI) Intel 80386 32-bit
mganoydtxg.pio: MS-DOS executable PE for MS Windows (DLL) (GUI) Intel 80386 32-bit
qkdefhtrv.dyb:  MS-DOS executable PE for MS Windows (DLL) (GUI) Intel 80386 32-bit
ruqtdtbay.agp:  MS-DOS executable PE for MS Windows (DLL) (GUI) Intel 80386 32-bit
xwnpnoxtg.yyx:  MS-DOS executable PE for MS Windows (DLL) (GUI) Intel 80386 32-bit
zbgwpvm.nwm:    MS-DOS executable PE for MS Windows (DLL) (GUI) Intel 80386 32-bit
zpcfsmdylh.zje: MS-DOS executable PE for MS Windows (DLL) (GUI) Intel 80386 32-bit
zuwtjqidrj.zyh: MS-DOS executable PE for MS Windows (DLL) (GUI) Intel 80386 32-bit
Sizes
   text    data     bss     dec     hex filename
 267490     324       0  267814   41626 daaqvjzgl.ztd
 267490     324       0  267814   41626 hirpckeb.tcn
 267490     324       0  267814   41626 kvhswkfhdl.ckm
 267490     324       0  267814   41626 kzenuh.kiy
 267490     324       0  267814   41626 lyeefmrig.zud
 267490     324       0  267814   41626 mganoydtxg.pio
 267490     324       0  267814   41626 qkdefhtrv.dyb
 267490     324       0  267814   41626 ruqtdtbay.agp
 267490     324       0  267814   41626 xwnpnoxtg.yyx
 267490     324       0  267814   41626 zbgwpvm.nwm
 267490     324       0  267814   41626 zpcfsmdylh.zje
 267490     324       0  267814   41626 zuwtjqidrj.zyh
File disassembly
Only one file is examined, since all of them are identical:
objdump (daaqvjzgl.ztd)
daaqvjzgl.ztd:     file format pei-i386

Characteristics 0x210e
        executable
        line numbers stripped
        symbols stripped
        32 bit words
        DLL

Time/Date               Tue May 29 07:54:35 2012
Magic                   010b    (PE32)
MajorLinkerVersion      6
MinorLinkerVersion      0
SizeOfCode              00000400
SizeOfInitializedData   00041800
SizeOfUninitializedData 00000000
AddressOfEntryPoint     0000115b
BaseOfCode              00001000
BaseOfData              00002000
ImageBase               10000000
SectionAlignment        00001000
FileAlignment           00000200
MajorOSystemVersion     4
MinorOSystemVersion     0
MajorImageVersion       0
MinorImageVersion       0
MajorSubsystemVersion   4
MinorSubsystemVersion   0
Win32Version            00000000
SizeOfImage             00047000
SizeOfHeaders           00000400
CheckSum                00000000
Subsystem               00000002        (Windows GUI)
DllCharacteristics      00000000
SizeOfStackReserve      00100000
SizeOfStackCommit       00001000
SizeOfHeapReserve       00100000
SizeOfHeapCommit        00001000
LoaderFlags             00000000
NumberOfRvaAndSizes     00000010

The Data Directory
Entry 0 00000000 00000000 Export Directory [.edata (or where ever we found it)]
Entry 1 00002044 00000050 Import Directory [parts of .idata]
Entry 2 00004000 00041068 Resource Directory [.rsrc]
Entry 3 00000000 00000000 Exception Directory [.pdata]
Entry 4 00000000 00000000 Security Directory
Entry 5 00046000 00000048 Base Relocation Directory [.reloc]
Entry 6 00000000 00000000 Debug Directory
Entry 7 00000000 00000000 Description Directory
Entry 8 00000000 00000000 Special Directory
Entry 9 00000000 00000000 Thread Storage Directory [.tls]
Entry a 00000000 00000000 Load Configuration Directory
Entry b 00000000 00000000 Bound Import Directory
Entry c 00002000 00000044 Import Address Table Directory
Entry d 00000000 00000000 Delay Import Directory
Entry e 00000000 00000000 CLR Runtime Header
Entry f 00000000 00000000 Reserved

There is an import table in .rdata at 0x10002044

The Import Tables (interpreted .rdata section contents)
 vma:            Hint    Time      Forward  DLL       First
                 Table   Stamp     Chain    Name      Thunk
 00002044       00002094 00000000 00000000 00002174 00002000

        DLL Name: KERNEL32.dll
        vma:  Hint/Ord Member-Name Bound-To
        20d8       98  CreateProcessA
        20ea       49  CloseHandle
        20f8      907  WriteFile
        2104       79  CreateFileA
        2112      336  GetEnvironmentVariableA
        212c      582  LoadResource
        213c      829  SizeofResource
        214e      223  FindResourceA
        215e      635  OutputDebugStringA
        21ba      514  HeapAlloc
        21c6      410  GetProcessHeap

 00002058       000020d0 00000000 00000000 00002190 0000203c

        DLL Name: USER32.dll
        vma:  Hint/Ord Member-Name Bound-To
        2182      730  wvsprintfA

 0000206c       000020c4 00000000 00000000 000021ae 00002030

        DLL Name: MSVCRT.dll
        vma:  Hint/Ord Member-Name Bound-To
        21a6      720  time
        219c      702  strlen

 00002080       00000000 00000000 00000000 00000000 00000000

PE File Base Relocations (interpreted .reloc section contents)

Virtual Address: 00001000 Chunk size 72 (0x48) Number of fixups 32
        reloc    0 offset    e [100e] HIGHLOW
        reloc    1 offset   15 [1015] HIGHLOW
        reloc    2 offset   21 [1021] HIGHLOW
        reloc    3 offset   2a [102a] HIGHLOW
        reloc    4 offset   35 [1035] HIGHLOW
        reloc    5 offset   49 [1049] HIGHLOW
        reloc    6 offset   56 [1056] HIGHLOW
        reloc    7 offset   62 [1062] HIGHLOW
        reloc    8 offset   79 [1079] HIGHLOW
        reloc    9 offset   7f [107f] HIGHLOW
        reloc   10 offset   92 [1092] HIGHLOW
        reloc   11 offset   ae [10ae] HIGHLOW
        reloc   12 offset   d1 [10d1] HIGHLOW
        reloc   13 offset   dd [10dd] HIGHLOW
        reloc   14 offset   f6 [10f6] HIGHLOW
        reloc   15 offset   fd [10fd] HIGHLOW
        reloc   16 offset  102 [1102] HIGHLOW
        reloc   17 offset  107 [1107] HIGHLOW
        reloc   18 offset  11b [111b] HIGHLOW
        reloc   19 offset  125 [1125] HIGHLOW
        reloc   20 offset  156 [1156] HIGHLOW
        reloc   21 offset  16a [116a] HIGHLOW
        reloc   22 offset  16f [116f] HIGHLOW
        reloc   23 offset  1be [11be] HIGHLOW
        reloc   24 offset  1c9 [11c9] HIGHLOW
        reloc   25 offset  1d1 [11d1] HIGHLOW
        reloc   26 offset  1da [11da] HIGHLOW
        reloc   27 offset  1f9 [11f9] HIGHLOW
        reloc   28 offset  200 [1200] HIGHLOW
        reloc   29 offset  208 [1208] HIGHLOW
        reloc   30 offset  20e [120e] HIGHLOW
        reloc   31 offset    0 [1000] ABSOLUTE
winedump (daaqvjzgl.ztd)
Contents of daaqvjzgl.ztd: 270336 bytes

File Header
  Machine:                      014C (i386)
  Number of Sections:           5
  TimeDateStamp:                4FC4B8FB (Tue May 29 07:54:35 2012) offset 216
  PointerToSymbolTable:         00000000
  NumberOfSymbols:              00000000
  SizeOfOptionalHeader:         00E0
  Characteristics:              210E
    EXECUTABLE_IMAGE
    LINE_NUMS_STRIPPED
    LOCAL_SYMS_STRIPPED
    32BIT_MACHINE
    DLL

Optional Header (32bit)
  Magic                              0x10B          267
  linker version                     6.00
  size of code                       0x400          1024
  size of initialized data           0x41800        268288
  size of uninitialized data         0x0            0
  entrypoint RVA                     0x115b         4443
  base of code                       0x1000         4096
  base of data                       0x2000         8192
  image base                         0x10000000     268435456
  section align                      0x1000         4096
  file align                         0x200          512
  required OS version                4.00
  image version                      0.00
  subsystem version                  4.00
  Win32 Version                      0x0            0
  size of image                      0x47000        290816
  size of headers                    0x400          1024
  checksum                           0x0            0
  Subsystem                          0x2 (Windows GUI)
  DLL characteristics:               0x0
  stack reserve size                 0x100000       1048576
  stack commit size                  0x1000         4096
  heap reserve size                  0x100000       1048576
  heap commit size                   0x1000         4096
  loader flags                       0x0            0
  RVAs & sizes                       0x10           16

Data Directory
  EXPORT        rva: 0x0       size: 0x0
  IMPORT        rva: 0x2044    size: 0x50
  RESOURCE      rva: 0x4000    size: 0x41068
  EXCEPTION     rva: 0x0       size: 0x0
  SECURITY      rva: 0x0       size: 0x0
  BASERELOC     rva: 0x46000   size: 0x48
  DEBUG         rva: 0x0       size: 0x0
  ARCHITECTURE  rva: 0x0       size: 0x0
  GLOBALPTR     rva: 0x0       size: 0x0
  TLS           rva: 0x0       size: 0x0
  LOAD_CONFIG   rva: 0x0       size: 0x0
  Bound IAT     rva: 0x0       size: 0x0
  IAT           rva: 0x2000    size: 0x44
  Delay IAT     rva: 0x0       size: 0x0
  CLR Header    rva: 0x0       size: 0x0
                rva: 0x0       size: 0x0
Resource Extraction
e48db15c97c00d7c8d5070d3ef76cba2 daaqvjzgl.ztd_10_BUTTON_0: PE32 executable for MS Windows (console) Intel 80386 32-bit
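The extraction step above found a console PE32 image inside a resource of a GUI DLL whose KERNEL32 imports (FindResourceA, LoadResource, SizeofResource, CreateFileA, WriteFile, CreateProcessA) are those of a resource-carried dropper. The Python below is an added triage example, not part of the original analysis: it locates an embedded PE inside a resource blob and derives the same description the extraction line shows (PE32, Intel 80386, console vs. GUI, DLL or not) from the DOS and NT header fields alone. SAMPLE_RESOURCE and build_fake_pe are constructed header-only stand-ins for the real BUTTON resource.

```python
import struct

IMAGE_FILE_DLL = 0x2000                 # IMAGE_FILE_HEADER.Characteristics flag
MACHINES = {0x14C: "Intel 80386", 0x8664: "x86-64"}
SUBSYSTEMS = {2: "GUI", 3: "console"}   # IMAGE_SUBSYSTEM_WINDOWS_GUI / _CUI
MAGICS = {0x10B: "PE32", 0x20B: "PE32+"}

def describe_pe_at(blob, off):
    """Return a file(1)-style description of the PE header at blob[off:],
    or None if no well-formed DOS+NT header starts there. Read-only."""
    if blob[off:off + 2] != b"MZ" or off + 0x40 > len(blob):
        return None
    e_lfanew = struct.unpack_from("<I", blob, off + 0x3C)[0]
    pe = off + e_lfanew
    # need: 4-byte signature + 20-byte file header + 70 bytes of optional header
    if e_lfanew > 0x1000 or pe + 94 > len(blob) or blob[pe:pe + 4] != b"PE\0\0":
        return None
    machine, _, _, _, _, _, chars = struct.unpack_from("<HHIIIHH", blob, pe + 4)
    magic = struct.unpack_from("<H", blob, pe + 24)[0]           # optional hdr start
    subsystem = struct.unpack_from("<H", blob, pe + 24 + 68)[0]  # Subsystem field
    if magic not in MAGICS or machine not in MACHINES:
        return None
    return {"offset": off, "format": MAGICS[magic], "machine": MACHINES[machine],
            "subsystem": SUBSYSTEMS.get(subsystem, "unknown(%d)" % subsystem),
            "dll": bool(chars & IMAGE_FILE_DLL)}

def find_embedded_pes(resource_blob):
    """Return a description for every PE image carried inside a resource blob."""
    found, off = [], resource_blob.find(b"MZ")
    while off != -1:
        hit = describe_pe_at(resource_blob, off)
        if hit:
            found.append(hit)
        off = resource_blob.find(b"MZ", off + 1)
    return found

def build_fake_pe(subsystem, characteristics):
    """Constructed sample: a header-only PE32/i386 image, not a real binary."""
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)       # e_lfanew: NT headers follow DOS header
    file_hdr = struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, 0xE0, characteristics)
    opt = bytearray(0xE0)
    struct.pack_into("<H", opt, 0, 0x10B)         # Magic: PE32
    struct.pack_into("<H", opt, 68, subsystem)    # Subsystem: 3 = console, 2 = GUI
    return bytes(dos) + b"PE\0\0" + file_hdr + bytes(opt)

# Constructed stand-in for the BUTTON resource: filler, a decoy "MZ", then a console EXE.
SAMPLE_RESOURCE = b"\x00" * 16 + b"MZ junk" + build_fake_pe(3, 0x010F)
```

The decoy "MZ" in the filler shows why a scanner must validate e_lfanew and the "PE\0\0" signature rather than trust every "MZ" it sees.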