Analysis:20130516-0001
Revision as of 17:25, 16 May 2013
Analysis by: Kradorex Xeron, 18:25, 16 May 2013 (EDT)
File Hashes
File hashes are MD5:

d085f63b8386e0d3337671b75461ff8f  daaqvjzgl.ztd
d085f63b8386e0d3337671b75461ff8f  hirpckeb.tcn
d085f63b8386e0d3337671b75461ff8f  kvhswkfhdl.ckm
d085f63b8386e0d3337671b75461ff8f  kzenuh.kiy
d085f63b8386e0d3337671b75461ff8f  lyeefmrig.zud
d085f63b8386e0d3337671b75461ff8f  mganoydtxg.pio
d085f63b8386e0d3337671b75461ff8f  qkdefhtrv.dyb
d085f63b8386e0d3337671b75461ff8f  ruqtdtbay.agp
d085f63b8386e0d3337671b75461ff8f  xwnpnoxtg.yyx
d085f63b8386e0d3337671b75461ff8f  zbgwpvm.nwm
d085f63b8386e0d3337671b75461ff8f  zpcfsmdylh.zje
d085f63b8386e0d3337671b75461ff8f  zuwtjqidrj.zyh

All twelve files share one MD5, which indicates they have identical content: one file under twelve random-looking names and extensions.
File Type
File types scanned as (file(1) output):

daaqvjzgl.ztd:  MS-DOS executable PE for MS Windows (DLL) (GUI) Intel 80386 32-bit
hirpckeb.tcn:   MS-DOS executable PE for MS Windows (DLL) (GUI) Intel 80386 32-bit
kvhswkfhdl.ckm: MS-DOS executable PE for MS Windows (DLL) (GUI) Intel 80386 32-bit
kzenuh.kiy:     MS-DOS executable PE for MS Windows (DLL) (GUI) Intel 80386 32-bit
lyeefmrig.zud:  MS-DOS executable PE for MS Windows (DLL) (GUI) Intel 80386 32-bit
mganoydtxg.pio: MS-DOS executable PE for MS Windows (DLL) (GUI) Intel 80386 32-bit
qkdefhtrv.dyb:  MS-DOS executable PE for MS Windows (DLL) (GUI) Intel 80386 32-bit
ruqtdtbay.agp:  MS-DOS executable PE for MS Windows (DLL) (GUI) Intel 80386 32-bit
xwnpnoxtg.yyx:  MS-DOS executable PE for MS Windows (DLL) (GUI) Intel 80386 32-bit
zbgwpvm.nwm:    MS-DOS executable PE for MS Windows (DLL) (GUI) Intel 80386 32-bit
zpcfsmdylh.zje: MS-DOS executable PE for MS Windows (DLL) (GUI) Intel 80386 32-bit
zuwtjqidrj.zyh: MS-DOS executable PE for MS Windows (DLL) (GUI) Intel 80386 32-bit
File disassembly
Since all twelve files are identical, only one of them (daaqvjzgl.ztd) is examined:
objdump (daaqvjzgl.ztd)
<nowiki>
daaqvjzgl.ztd:     file format pei-i386

Characteristics 0x210e
        executable
        line numbers stripped
        symbols stripped
        32 bit words
        DLL

Time/Date               Tue May 29 07:54:35 2012
Magic                   010b    (PE32)
MajorLinkerVersion      6
MinorLinkerVersion      0
SizeOfCode              00000400
SizeOfInitializedData   00041800
SizeOfUninitializedData 00000000
AddressOfEntryPoint     0000115b
BaseOfCode              00001000
BaseOfData              00002000
ImageBase               10000000
SectionAlignment        00001000
FileAlignment           00000200
MajorOSystemVersion     4
MinorOSystemVersion     0
MajorImageVersion       0
MinorImageVersion       0
MajorSubsystemVersion   4
MinorSubsystemVersion   0
Win32Version            00000000
SizeOfImage             00047000
SizeOfHeaders           00000400
CheckSum                00000000
Subsystem               00000002        (Windows GUI)
DllCharacteristics      00000000
SizeOfStackReserve      00100000
SizeOfStackCommit       00001000
SizeOfHeapReserve       00100000
SizeOfHeapCommit        00001000
LoaderFlags             00000000
NumberOfRvaAndSizes     00000010

The Data Directory
Entry 0 00000000 00000000 Export Directory [.edata (or where ever we found it)]
Entry 1 00002044 00000050 Import Directory [parts of .idata]
Entry 2 00004000 00041068 Resource Directory [.rsrc]
Entry 3 00000000 00000000 Exception Directory [.pdata]
Entry 4 00000000 00000000 Security Directory
Entry 5 00046000 00000048 Base Relocation Directory [.reloc]
Entry 6 00000000 00000000 Debug Directory
Entry 7 00000000 00000000 Description Directory
Entry 8 00000000 00000000 Special Directory
Entry 9 00000000 00000000 Thread Storage Directory [.tls]
Entry a 00000000 00000000 Load Configuration Directory
Entry b 00000000 00000000 Bound Import Directory
Entry c 00002000 00000044 Import Address Table Directory
Entry d 00000000 00000000 Delay Import Directory
Entry e 00000000 00000000 CLR Runtime Header
Entry f 00000000 00000000 Reserved

There is an import table in .rdata at 0x10002044

The Import Tables (interpreted .rdata section contents)
 vma:            Hint    Time      Forward  DLL       First
                 Table   Stamp     Chain    Name      Thunk
 00002044       00002094 00000000 00000000 00002174 00002000

        DLL Name: KERNEL32.dll
        vma:  Hint/Ord Member-Name Bound-To
        20d8       98  CreateProcessA
        20ea       49  CloseHandle
        20f8      907  WriteFile
        2104       79  CreateFileA
        2112      336  GetEnvironmentVariableA
        212c      582  LoadResource
        213c      829  SizeofResource
        214e      223  FindResourceA
        215e      635  OutputDebugStringA
        21ba      514  HeapAlloc
        21c6      410  GetProcessHeap

 00002058       000020d0 00000000 00000000 00002190 0000203c

        DLL Name: USER32.dll
        vma:  Hint/Ord Member-Name Bound-To
        2182      730  wvsprintfA

 0000206c       000020c4 00000000 00000000 000021ae 00002030

        DLL Name: MSVCRT.dll
        vma:  Hint/Ord Member-Name Bound-To
        21a6      720  time
        219c      702  strlen

 00002080       00000000 00000000 00000000 00000000 00000000

PE File Base Relocations (interpreted .reloc section contents)

Virtual Address: 00001000 Chunk size 72 (0x48) Number of fixups 32
        reloc    0 offset    e [100e] HIGHLOW
        reloc    1 offset   15 [1015] HIGHLOW
        reloc    2 offset   21 [1021] HIGHLOW
        reloc    3 offset   2a [102a] HIGHLOW
        reloc    4 offset   35 [1035] HIGHLOW
        reloc    5 offset   49 [1049] HIGHLOW
        reloc    6 offset   56 [1056] HIGHLOW
        reloc    7 offset   62 [1062] HIGHLOW
        reloc    8 offset   79 [1079] HIGHLOW
        reloc    9 offset   7f [107f] HIGHLOW
        reloc   10 offset   92 [1092] HIGHLOW
        reloc   11 offset   ae [10ae] HIGHLOW
        reloc   12 offset   d1 [10d1] HIGHLOW
        reloc   13 offset   dd [10dd] HIGHLOW
        reloc   14 offset   f6 [10f6] HIGHLOW
        reloc   15 offset   fd [10fd] HIGHLOW
        reloc   16 offset  102 [1102] HIGHLOW
        reloc   17 offset  107 [1107] HIGHLOW
        reloc   18 offset  11b [111b] HIGHLOW
        reloc   19 offset  125 [1125] HIGHLOW
        reloc   20 offset  156 [1156] HIGHLOW
        reloc   21 offset  16a [116a] HIGHLOW
        reloc   22 offset  16f [116f] HIGHLOW
        reloc   23 offset  1be [11be] HIGHLOW
        reloc   24 offset  1c9 [11c9] HIGHLOW
        reloc   25 offset  1d1 [11d1] HIGHLOW
        reloc   26 offset  1da [11da] HIGHLOW
        reloc   27 offset  1f9 [11f9] HIGHLOW
        reloc   28 offset  200 [1200] HIGHLOW
        reloc   29 offset  208 [1208] HIGHLOW
        reloc   30 offset  20e [120e] HIGHLOW
        reloc   31 offset    0 [1000] ABSOLUTE
</nowiki>
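The header fields and import table objdump prints above are read straight out of the file's DOS stub, COFF header, PE32 optional header, section table and import directory. The following added example is not part of the original analysis and does not touch the sample: it parses those structures in pure Python and then flags the API cluster the listing shows, FindResourceA/LoadResource/SizeofResource (locate an embedded resource), CreateFileA/WriteFile (write it to disk) and CreateProcessA (run it), which is the import profile of a resource dropper. That reading is an inference from the import names alone, not something this page establishes by running the sample; the 0x41068-byte .rsrc directory against 0x400 bytes of code is consistent with it. Because the real file is not available here, build_sample_pe() forges a minimal DLL with the same import list as constructed input; every function and constant name below is the example's own.

```python
"""PE32 header/import parser in the shape of the objdump -x listing above, plus a check for
the dropper-style API cluster it shows.  Added example; build_sample_pe() forges the input."""
import struct

def cstr(data, off):  # NUL-terminated ASCII string at file offset off
    return data[off:data.index(b"\0", off)].decode("ascii")

def rva_to_off(sections, rva):
    """Map a relative virtual address to a file offset through the section table."""
    for s in sections:
        if s["va"] <= rva < s["va"] + max(s["vsize"], s["rawsize"]):
            return rva - s["va"] + s["raw"]
    raise ValueError("RVA %#x lies in no section" % rva)

def parse_pe(data):
    pe = struct.unpack_from("<I", data, 0x3C)[0] if data[:2] == b"MZ" else -1   # e_lfanew
    if pe < 0 or data[pe:pe + 4] != b"PE\0\0":
        raise ValueError("not a PE file")
    _, nsec, _, _, _, optsize, chars = struct.unpack_from("<HHIIIHH", data, pe + 4)  # COFF header
    opt = pe + 24                                      # optional header follows the COFF header
    if struct.unpack_from("<H", data, opt)[0] != 0x10B:
        raise ValueError("only PE32 (magic 010b) handled")
    entry, _, _, image_base = struct.unpack_from("<4I", data, opt + 16)
    subsystem, dllchars = struct.unpack_from("<HH", data, opt + 68)
    dirs = [struct.unpack_from("<II", data, opt + 96 + 8 * i)
            for i in range(struct.unpack_from("<I", data, opt + 92)[0])]   # NumberOfRvaAndSizes entries
    sections = [dict(zip(("name", "vsize", "va", "rawsize", "raw"),
                         struct.unpack_from("<8sIIII", data, opt + optsize + 40 * i))) for i in range(nsec)]
    imports, off = {}, (rva_to_off(sections, dirs[1][0]) if len(dirs) > 1 and dirs[1][0] else None)
    while off is not None:                             # one IMAGE_IMPORT_DESCRIPTOR per DLL, null-terminated
        ilt, _, _, name_rva, iat = struct.unpack_from("<5I", data, off)
        if name_rva == 0:
            break
        funcs, thunk = [], rva_to_off(sections, ilt or iat)   # ILT if present, else the (unbound) IAT
        while (t := struct.unpack_from("<I", data, thunk)[0]) != 0:
            # high bit set: import by ordinal; otherwise RVA of a 2-byte hint followed by the name
            funcs.append("#%d" % (t & 0xFFFF) if t & 0x80000000 else cstr(data, rva_to_off(sections, t) + 2))
            thunk += 4
        imports[cstr(data, rva_to_off(sections, name_rva))] = funcs
        off += 20
    return dict(is_dll=bool(chars & 0x2000), entry=entry, image_base=image_base, subsystem=subsystem,
                dll_characteristics=dllchars, sections=sections, directories=dirs, imports=imports)

# API cluster from the listing: find an embedded resource, write it to a file, start it.  A lead, not proof.
DROPPER_STAGES = {
    "locate embedded payload": {"FindResourceA", "LoadResource", "SizeofResource"},
    "write payload to disk": {"CreateFileA", "WriteFile"},
    "run payload": {"CreateProcessA"},
}

def dropper_indicators(imports):
    """{stage: [matching imports]} for each stage with at least one hit."""
    present = {f for funcs in imports.values() for f in funcs}
    return {stage: sorted(apis & present) for stage, apis in DROPPER_STAGES.items() if apis & present}

def build_sample_pe(imports, entry=0x115B, image_base=0x10000000):
    """Forge a minimal PE32 DLL (.text = one RET, .rdata = import table) as constructed test input."""
    rdata_rva, rdata_raw = 0x2000, 0x600
    body, descs = bytearray(20 * (len(imports) + 1)), []    # descriptors first, null-terminated
    for dll, funcs in imports:
        name_rvas = []
        for hint, fname in funcs:
            body += b"\0" * (len(body) % 2)                  # hint/name entries are 2-byte aligned
            name_rvas.append(rdata_rva + len(body))
            body += struct.pack("<H", hint) + fname.encode() + b"\0"
        body += b"\0" * (-len(body) % 4)
        thunks = b"".join(struct.pack("<I", r) for r in name_rvas) + b"\0\0\0\0"
        ilt, iat = rdata_rva + len(body), rdata_rva + len(body) + len(thunks)
        body += thunks + thunks                              # ILT, then an identical unbound IAT
        descs.append((ilt, 0, 0, rdata_rva + len(body), iat))
        body += dll.encode() + b"\0"
    for i, d in enumerate(descs):
        body[20 * i:20 * i + 20] = struct.pack("<5I", *d)
    rdata_size = -(-len(body) // 0x200) * 0x200              # round up to FileAlignment
    opt = struct.pack("<HBB6I3I6HI3IHH4I2I", 0x10B, 6, 0, 0x200, rdata_size, 0, entry, 0x1000, rdata_rva,
                      image_base, 0x1000, 0x200, 4, 0, 0, 0, 4, 0, 0, 0x3000, 0x400, 0, 2, 0,
                      0x100000, 0x1000, 0x100000, 0x1000, 0, 16)
    dirs = [(0, 0)] * 16
    dirs[1] = (rdata_rva, 20 * (len(imports) + 1))          # Import Directory
    opt += b"".join(struct.pack("<II", *d) for d in dirs)
    sects = struct.pack("<8sIIIIIIHHI", b".text", 0x200, 0x1000, 0x200, 0x400, 0, 0, 0, 0, 0x60000020)
    sects += struct.pack("<8sIIIIIIHHI", b".rdata", len(body), rdata_rva, rdata_size, rdata_raw, 0, 0, 0, 0, 0x40000040)
    coff = struct.pack("<HHIIIHH", 0x14C, 2, 0, 0, 0, len(opt), 0x210E)   # i386, 2 sections, DLL flags
    hdr = b"MZ" + b"\0" * 58 + struct.pack("<I", 0x40) + b"PE\0\0" + coff + opt + sects
    return hdr.ljust(0x400, b"\0") + b"\xC3".ljust(0x200, b"\0") + bytes(body).ljust(rdata_size, b"\0")

# Constructed input mirroring the import listing objdump printed for daaqvjzgl.ztd.
SAMPLE_IMPORTS = [
    ("KERNEL32.dll", [(98, "CreateProcessA"), (49, "CloseHandle"), (907, "WriteFile"), (79, "CreateFileA"),
                      (336, "GetEnvironmentVariableA"), (582, "LoadResource"), (829, "SizeofResource"),
                      (223, "FindResourceA"), (635, "OutputDebugStringA"), (514, "HeapAlloc"), (410, "GetProcessHeap")]),
    ("USER32.dll", [(730, "wvsprintfA")]), ("MSVCRT.dll", [(720, "time"), (702, "strlen")]),
]

def analyse_sample():  # parse the forged DLL -> (header/import info, dropper stage hits)
    info = parse_pe(build_sample_pe(SAMPLE_IMPORTS))
    return info, dropper_indicators(info["imports"])
```

Running analyse_sample() on the forged file reproduces the listing's facts (DLL flag set, entry point 0x115b, image base 0x10000000, GUI subsystem, DllCharacteristics 0, the three import descriptors) and reports all three dropper stages as present. To apply the same parser to the actual sample, pass the file's bytes to parse_pe() and the resulting imports to dropper_indicators(); a DllCharacteristics of 0 also means the image asks for neither ASLR nor DEP, which is what the objdump field above shows.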