Difference between revisions of "Analysis:20130516-0001"

From Digibase Knowledge Base

Revision as of 19:04, 16 May 2013

Analysis by: Kradorex Xeron (talk) 18:25, 16 May 2013 (EDT)

File Attributes

File attributes are as follows:

Hashes

File hashes are MD5:

d085f63b8386e0d3337671b75461ff8f  daaqvjzgl.ztd
d085f63b8386e0d3337671b75461ff8f  hirpckeb.tcn
d085f63b8386e0d3337671b75461ff8f  kvhswkfhdl.ckm
d085f63b8386e0d3337671b75461ff8f  kzenuh.kiy
d085f63b8386e0d3337671b75461ff8f  lyeefmrig.zud
d085f63b8386e0d3337671b75461ff8f  mganoydtxg.pio
d085f63b8386e0d3337671b75461ff8f  qkdefhtrv.dyb
d085f63b8386e0d3337671b75461ff8f  ruqtdtbay.agp
d085f63b8386e0d3337671b75461ff8f  xwnpnoxtg.yyx
d085f63b8386e0d3337671b75461ff8f  zbgwpvm.nwm
d085f63b8386e0d3337671b75461ff8f  zpcfsmdylh.zje
d085f63b8386e0d3337671b75461ff8f  zuwtjqidrj.zyh
 

All files share the same MD5, which indicates they have identical content.

Type

File types were identified as:

daaqvjzgl.ztd:  MS-DOS executable PE  for MS Windows (DLL) (GUI) Intel 80386 32-bit
hirpckeb.tcn:   MS-DOS executable PE  for MS Windows (DLL) (GUI) Intel 80386 32-bit
kvhswkfhdl.ckm: MS-DOS executable PE  for MS Windows (DLL) (GUI) Intel 80386 32-bit
kzenuh.kiy:     MS-DOS executable PE  for MS Windows (DLL) (GUI) Intel 80386 32-bit
lyeefmrig.zud:  MS-DOS executable PE  for MS Windows (DLL) (GUI) Intel 80386 32-bit
mganoydtxg.pio: MS-DOS executable PE  for MS Windows (DLL) (GUI) Intel 80386 32-bit
qkdefhtrv.dyb:  MS-DOS executable PE  for MS Windows (DLL) (GUI) Intel 80386 32-bit
ruqtdtbay.agp:  MS-DOS executable PE  for MS Windows (DLL) (GUI) Intel 80386 32-bit
xwnpnoxtg.yyx:  MS-DOS executable PE  for MS Windows (DLL) (GUI) Intel 80386 32-bit
zbgwpvm.nwm:    MS-DOS executable PE  for MS Windows (DLL) (GUI) Intel 80386 32-bit
zpcfsmdylh.zje: MS-DOS executable PE  for MS Windows (DLL) (GUI) Intel 80386 32-bit
zuwtjqidrj.zyh: MS-DOS executable PE  for MS Windows (DLL) (GUI) Intel 80386 32-bit
 

Sizes

   text    data     bss     dec     hex filename
 267490     324       0  267814   41626 daaqvjzgl.ztd
 267490     324       0  267814   41626 hirpckeb.tcn
 267490     324       0  267814   41626 kvhswkfhdl.ckm
 267490     324       0  267814   41626 kzenuh.kiy
 267490     324       0  267814   41626 lyeefmrig.zud
 267490     324       0  267814   41626 mganoydtxg.pio
 267490     324       0  267814   41626 qkdefhtrv.dyb
 267490     324       0  267814   41626 ruqtdtbay.agp
 267490     324       0  267814   41626 xwnpnoxtg.yyx
 267490     324       0  267814   41626 zbgwpvm.nwm
 267490     324       0  267814   41626 zpcfsmdylh.zje
 267490     324       0  267814   41626 zuwtjqidrj.zyh
 


File disassembly

Only one file is checked, since all of them are identical:

objdump (daaqvjzgl.ztd)

 
daaqvjzgl.ztd:     file format pei-i386

Characteristics 0x210e
        executable
        line numbers stripped
        symbols stripped
        32 bit words
        DLL

Time/Date               Tue May 29 07:54:35 2012
Magic                   010b    (PE32)
MajorLinkerVersion      6
MinorLinkerVersion      0
SizeOfCode              00000400
SizeOfInitializedData   00041800
SizeOfUninitializedData 00000000
AddressOfEntryPoint     0000115b
BaseOfCode              00001000
BaseOfData              00002000
ImageBase               10000000
SectionAlignment        00001000
FileAlignment           00000200
MajorOSystemVersion     4
MinorOSystemVersion     0
MajorImageVersion       0
MinorImageVersion       0
MajorSubsystemVersion   4
MinorSubsystemVersion   0
Win32Version            00000000
SizeOfImage             00047000
SizeOfHeaders           00000400
CheckSum                00000000
Subsystem               00000002        (Windows GUI)
DllCharacteristics      00000000
SizeOfStackReserve      00100000
SizeOfStackCommit       00001000
SizeOfHeapReserve       00100000
SizeOfHeapCommit        00001000
LoaderFlags             00000000
NumberOfRvaAndSizes     00000010

The Data Directory
Entry 0 00000000 00000000 Export Directory [.edata (or where ever we found it)]
Entry 1 00002044 00000050 Import Directory [parts of .idata]
Entry 2 00004000 00041068 Resource Directory [.rsrc]
Entry 3 00000000 00000000 Exception Directory [.pdata]
Entry 4 00000000 00000000 Security Directory
Entry 5 00046000 00000048 Base Relocation Directory [.reloc]
Entry 6 00000000 00000000 Debug Directory
Entry 7 00000000 00000000 Description Directory
Entry 8 00000000 00000000 Special Directory
Entry 9 00000000 00000000 Thread Storage Directory [.tls]
Entry a 00000000 00000000 Load Configuration Directory
Entry b 00000000 00000000 Bound Import Directory
Entry c 00002000 00000044 Import Address Table Directory
Entry d 00000000 00000000 Delay Import Directory
Entry e 00000000 00000000 CLR Runtime Header
Entry f 00000000 00000000 Reserved

There is an import table in .rdata at 0x10002044

The Import Tables (interpreted .rdata section contents)
 vma:            Hint    Time      Forward  DLL       First
                 Table   Stamp     Chain    Name      Thunk
 00002044       00002094 00000000 00000000 00002174 00002000

        DLL Name: KERNEL32.dll
        vma:  Hint/Ord Member-Name Bound-To
        20d8       98  CreateProcessA
        20ea       49  CloseHandle
        20f8      907  WriteFile
        2104       79  CreateFileA
        2112      336  GetEnvironmentVariableA
        212c      582  LoadResource
        213c      829  SizeofResource
        214e      223  FindResourceA
        215e      635  OutputDebugStringA
        21ba      514  HeapAlloc
        21c6      410  GetProcessHeap

 00002058       000020d0 00000000 00000000 00002190 0000203c

        DLL Name: USER32.dll
        vma:  Hint/Ord Member-Name Bound-To
        2182      730  wvsprintfA

 0000206c       000020c4 00000000 00000000 000021ae 00002030

        DLL Name: MSVCRT.dll
        vma:  Hint/Ord Member-Name Bound-To
        21a6      720  time
        219c      702  strlen

 00002080       00000000 00000000 00000000 00000000 00000000


PE File Base Relocations (interpreted .reloc section contents)

Virtual Address: 00001000 Chunk size 72 (0x48) Number of fixups 32
        reloc    0 offset    e [100e] HIGHLOW
        reloc    1 offset   15 [1015] HIGHLOW
        reloc    2 offset   21 [1021] HIGHLOW
        reloc    3 offset   2a [102a] HIGHLOW
        reloc    4 offset   35 [1035] HIGHLOW
        reloc    5 offset   49 [1049] HIGHLOW
        reloc    6 offset   56 [1056] HIGHLOW
        reloc    7 offset   62 [1062] HIGHLOW
        reloc    8 offset   79 [1079] HIGHLOW
        reloc    9 offset   7f [107f] HIGHLOW
        reloc   10 offset   92 [1092] HIGHLOW
        reloc   11 offset   ae [10ae] HIGHLOW
        reloc   12 offset   d1 [10d1] HIGHLOW
        reloc   13 offset   dd [10dd] HIGHLOW
        reloc   14 offset   f6 [10f6] HIGHLOW
        reloc   15 offset   fd [10fd] HIGHLOW
        reloc   16 offset  102 [1102] HIGHLOW
        reloc   17 offset  107 [1107] HIGHLOW
        reloc   18 offset  11b [111b] HIGHLOW
        reloc   19 offset  125 [1125] HIGHLOW
        reloc   20 offset  156 [1156] HIGHLOW
        reloc   21 offset  16a [116a] HIGHLOW
        reloc   22 offset  16f [116f] HIGHLOW
        reloc   23 offset  1be [11be] HIGHLOW
        reloc   24 offset  1c9 [11c9] HIGHLOW
        reloc   25 offset  1d1 [11d1] HIGHLOW
        reloc   26 offset  1da [11da] HIGHLOW
        reloc   27 offset  1f9 [11f9] HIGHLOW
        reloc   28 offset  200 [1200] HIGHLOW
        reloc   29 offset  208 [1208] HIGHLOW
        reloc   30 offset  20e [120e] HIGHLOW
        reloc   31 offset    0 [1000] ABSOLUTE
 

winedump (daaqvjzgl.ztd)

Contents of daaqvjzgl.ztd: 270336 bytes

File Header
  Machine:                      014C (i386)
  Number of Sections:           5
  TimeDateStamp:                4FC4B8FB (Tue May 29 07:54:35 2012) offset 216
  PointerToSymbolTable:         00000000
  NumberOfSymbols:              00000000
  SizeOfOptionalHeader:         00E0
  Characteristics:              210E
    EXECUTABLE_IMAGE
    LINE_NUMS_STRIPPED
    LOCAL_SYMS_STRIPPED
    32BIT_MACHINE
    DLL

Optional Header (32bit)
  Magic                              0x10B          267
  linker version                     6.00
  size of code                       0x400          1024
  size of initialized data           0x41800        268288
  size of uninitialized data         0x0            0
  entrypoint RVA                     0x115b         4443
  base of code                       0x1000         4096
  base of data                       0x2000         8192
  image base                         0x10000000     268435456
  section align                      0x1000         4096
  file align                         0x200          512
  required OS version                4.00
  image version                      0.00
  subsystem version                  4.00
  Win32 Version                      0x0            0
  size of image                      0x47000        290816
  size of headers                    0x400          1024
  checksum                           0x0            0
  Subsystem                          0x2 (Windows GUI)
  DLL characteristics:               0x0
  stack reserve size                 0x100000       1048576
  stack commit size                  0x1000         4096
  heap reserve size                  0x100000       1048576
  heap commit size                   0x1000         4096
  loader flags                       0x0            0
  RVAs & sizes                       0x10           16

Data Directory
  EXPORT       rva: 0x0         size: 0x0       
  IMPORT       rva: 0x2044      size: 0x50      
  RESOURCE     rva: 0x4000      size: 0x41068   
  EXCEPTION    rva: 0x0         size: 0x0       
  SECURITY     rva: 0x0         size: 0x0       
  BASERELOC    rva: 0x46000     size: 0x48      
  DEBUG        rva: 0x0         size: 0x0       
  ARCHITECTURE rva: 0x0         size: 0x0       
  GLOBALPTR    rva: 0x0         size: 0x0       
  TLS          rva: 0x0         size: 0x0       
  LOAD_CONFIG  rva: 0x0         size: 0x0       
  Bound IAT    rva: 0x0         size: 0x0       
  IAT          rva: 0x2000      size: 0x44      
  Delay IAT    rva: 0x0         size: 0x0       
  CLR Header   rva: 0x0         size: 0x0       
               rva: 0x0         size: 0x0 
 

Resource Extraction

e48db15c97c00d7c8d5070d3ef76cba2 daaqvjzgl.ztd_10_BUTTON_0: PE32 executable for MS Windows (console) Intel 80386 32-bit
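As an added example (not part of the original analysis and not the tool used above), the following Python script does by hand what the resource-extraction step did: it parses a PE32 image's headers, walks the resource directory tree, and reports every resource whose data begins with the MZ signature, labelling each hit type_name_language in the same style as the extracted file above (my reading of that name is RT_RCDATA type 10, name BUTTON, language 0). It also reports the share of SizeOfImage taken up by the resource directory, which for the sample above is 0x41068 of 0x47000 bytes; a DLL that is almost entirely resource data with an embedded executable inside is a strong triage signal. Because the sample from the page is not reproduced here, the script builds its own minimal constructed PE32 DLL carrying one RCDATA resource; every name and value in that builder is an assumption, not taken from the sample.

```python
import hashlib
import struct

RT_RCDATA = 10  # resource type id for raw data (RT_RCDATA)


def md5_hex(blob):
    """MD5 of a byte string, hex-encoded (same style as the md5sum listing)."""
    return hashlib.md5(blob).hexdigest()


def _rva_to_offset(sections, rva):
    """Translate an RVA to a file offset using the section table."""
    for va, vsize, raw_ptr, raw_size in sections:
        if va <= rva < va + max(vsize, raw_size):
            return rva - va + raw_ptr
    raise ValueError(f"RVA {rva:#x} is not backed by any section")


def parse_pe(data):
    """Read the PE32 header fields needed for resource walking (no PE32+ support)."""
    if data[:2] != b"MZ":
        raise ValueError("missing MZ signature")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4
    num_sections = struct.unpack_from("<H", data, coff + 2)[0]
    size_opt = struct.unpack_from("<H", data, coff + 16)[0]
    opt = coff + 20
    if struct.unpack_from("<H", data, opt)[0] != 0x10B:
        raise ValueError("only PE32 (magic 0x10b) images are handled")
    size_of_image = struct.unpack_from("<I", data, opt + 56)[0]
    # Data directory entry 2 is RESOURCE; each entry is (rva, size).
    res_rva, res_size = struct.unpack_from("<II", data, opt + 96 + 2 * 8)
    sections = []
    for i in range(num_sections):
        hdr = opt + size_opt + i * 40
        vsize, va, raw_size, raw_ptr = struct.unpack_from("<IIII", data, hdr + 8)
        sections.append((va, vsize, raw_ptr, raw_size))
    return {"size_of_image": size_of_image, "resource_rva": res_rva,
            "resource_size": res_size, "sections": sections}


def walk_resources(data, pe):
    """Return (path, bytes) for every leaf of the resource tree; path is
    (type, name, language), with UTF-16 names decoded where they are used."""
    base = _rva_to_offset(pe["sections"], pe["resource_rva"])
    leaves = []

    def read_dir(off, path):
        n_named, n_id = struct.unpack_from("<HH", data, base + off + 12)
        for i in range(n_named + n_id):
            name, child = struct.unpack_from("<II", data, base + off + 16 + i * 8)
            if name & 0x80000000:  # high bit: offset to a counted UTF-16 string
                s = base + (name & 0x7FFFFFFF)
                n = struct.unpack_from("<H", data, s)[0]
                label = data[s + 2:s + 2 + 2 * n].decode("utf-16-le")
            else:
                label = name
            if child & 0x80000000:  # high bit: another directory level
                read_dir(child & 0x7FFFFFFF, path + (label,))
            else:  # IMAGE_RESOURCE_DATA_ENTRY: data RVA, size, codepage, reserved
                rva, size = struct.unpack_from("<II", data, base + child)
                start = _rva_to_offset(pe["sections"], rva)
                leaves.append((path + (label,), data[start:start + size]))

    read_dir(0, ())
    return leaves


def embedded_executables(data):
    """Report resources that begin with an MZ header, labelled type_name_lang."""
    hits = []
    for path, blob in walk_resources(data, parse_pe(data)):
        if blob[:2] == b"MZ":
            hits.append({"path": path, "label": "_".join(str(p) for p in path),
                         "size": len(blob), "md5": md5_hex(blob)})
    return hits


def resource_fraction(data):
    """Share of SizeOfImage covered by the resource directory."""
    pe = parse_pe(data)
    return pe["resource_size"] / pe["size_of_image"]


def build_sample_dll(payload):
    """Constructed test input (an assumption, not the sample from the page): a
    minimal PE32 DLL whose single .rsrc section holds one RT_RCDATA resource
    named BUTTON, language 0, containing `payload`."""
    def rdir(named, ids):
        return struct.pack("<IIHHHH", 0, 0, 0, 0, named, ids)
    rsrc = bytearray()
    rsrc += rdir(0, 1) + struct.pack("<II", RT_RCDATA, 0x80000018)   # root -> type dir @0x18
    rsrc += rdir(1, 0) + struct.pack("<II", 0x80000048, 0x80000030)  # "BUTTON" @0x48 -> lang dir @0x30
    rsrc += rdir(0, 1) + struct.pack("<II", 0, 0x58)                 # lang 0 -> data entry @0x58
    rsrc += struct.pack("<H", 6) + "BUTTON".encode("utf-16-le") + b"\0\0"  # name string @0x48
    rsrc += struct.pack("<IIII", 0x4000 + 0x68, len(payload), 0, 0)  # data entry @0x58
    rsrc += payload                                                   # resource data @0x68
    rva, raw_ptr = 0x4000, 0x200
    raw_size = (len(rsrc) + 0x1FF) & ~0x1FF
    size_of_image = rva + ((len(rsrc) + 0xFFF) & ~0xFFF)
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 0x40)               # e_lfanew = 0x40
    coff = struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, 0xE0, 0x210E)  # i386, 1 section, DLL
    opt = bytearray(0xE0)
    struct.pack_into("<H", opt, 0, 0x10B)                            # PE32 magic
    struct.pack_into("<III", opt, 28, 0x10000000, 0x1000, 0x200)     # ImageBase, section/file align
    struct.pack_into("<II", opt, 56, size_of_image, 0x200)           # SizeOfImage, SizeOfHeaders
    struct.pack_into("<H", opt, 68, 2)                               # Subsystem: Windows GUI
    struct.pack_into("<I", opt, 92, 16)                              # NumberOfRvaAndSizes
    struct.pack_into("<II", opt, 96 + 2 * 8, rva, len(rsrc))         # RESOURCE data directory
    sec = b".rsrc".ljust(8, b"\0") + struct.pack(
        "<IIIIIIHHI", len(rsrc), rva, raw_size, raw_ptr, 0, 0, 0, 0, 0x40000040)
    headers = dos + b"PE\0\0" + coff + bytes(opt) + sec
    return headers.ljust(raw_ptr, b"\0") + bytes(rsrc).ljust(raw_size, b"\0")


if __name__ == "__main__":
    sample = build_sample_dll(b"MZ" + b"\x90" * 30)  # constructed payload, only an MZ marker
    print(f"resource fraction of image: {resource_fraction(sample):.3f}")
    for hit in embedded_executables(sample):
        print(f"{hit['md5']} {hit['label']}: {hit['size']} bytes, starts with MZ")
```

Run against a real file with `embedded_executables(open(path, "rb").read())`; the walker only follows the resource directory and does not execute anything, so it is safe to use on a sample held in a quarantine directory. Note that it handles PE32 only, which matches the sample's magic 0x10b.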