Architecture | IMAGE_FILE_MACHINE_I386 |
---|---|
Subsystem | IMAGE_SUBSYSTEM_WINDOWS_GUI |
Compilation Date | 2008-Apr-01 19:35:07 |
Suspicious | Strings found in the binary may indicate undesirable behavior: contains references to internet browsers. |
Malicious | The file headers were tampered with: unusual section name found (.cdata); the Rich header checksum is invalid. |
Malicious | The PE contains functions mostly used by malware (see the import table: OpenProcess, VirtualAllocEx, WriteProcessMemory and CreateRemoteThread for writing and executing code in another process; OpenProcessToken, DuplicateTokenEx, SetTokenInformation and CreateProcessAsUserA for starting a process under another token). [!] The program may be hiding some of its imports: LoadLibraryA and GetProcAddress are imported, so further APIs can be resolved at run time without appearing in the import table. |
Malicious | VirusTotal score: 53/68 (scanned on 2019-11-21 16:54:14); per-engine verdicts follow. |

- MicroWorld-eScan: Trojan.Lojack.Gen.1
- VBA32: Backdoor.DoubleAgent
- FireEye: Trojan.Lojack.Gen.1
- CAT-QuickHeal: Backdoor.Doubleagent
- McAfee: Artemis!89503B7935A0
- Zillya: Trojan.GenericKD.Win32.115912
- K7AntiVirus: Riskware ( 0040eff71 )
- Alibaba: Backdoor:Win32/Lojax.8a6f3f66
- K7GW: Riskware ( 0040eff71 )
- Cybereason: malicious.935a05
- Arcabit: Trojan.Lojack.Gen.1
- Symantec: Trojan.Gen
- APEX: Malicious
- Paloalto: generic.ml
- ClamAV: Win.Trojan.Agent-6741370-0
- Kaspersky: HEUR:Backdoor.Win32.DoubleAgent.gen
- BitDefender: Trojan.Lojack.Gen.1
- NANO-Antivirus: Trojan.Win32.LoJax.fjxdjb
- Endgame: malicious (high confidence)
- Emsisoft: Trojan.Lojack.Gen.1 (B)
- Comodo: Malware@#1e63rs79u7bqa
- F-Secure: Trojan:W32/Jaxol.A
- DrWeb: Trojan.LoJax.2
- VIPRE: Trojan.Win32.Generic!BT
- TrendMicro: Backdoor.Win32.FALOJAK.SMMR
- McAfee-GW-Edition: BehavesLike.Win32.Injector.lh
- Sophos: Troj/Bckdoor-AI
- Cyren: W32/Backdoor.GV.gen!Eldorado
- Jiangmin: Backdoor.DoubleAgent.a
- Webroot: W32.Trojan.Agent.Gen
- Avira: TR/AD.BDSRpcNet.jziio
- Fortinet: W32/DoubleAgent.SMMR!tr.bdr
- Antiy-AVL: Trojan[Backdoor]/Win32.DoubleAgent
- Microsoft: Backdoor:Win32/Lojax.A!dha
- ViRobot: Trojan.Win32.Agent.17408.EC
- ZoneAlarm: HEUR:Backdoor.Win32.DoubleAgent.gen
- TACHYON: Backdoor/W32.DoubleAgent.17408
- AhnLab-V3: Trojan/Win32.Agent.C2487603
- ALYac: Backdoor.DoubleAgent.A
- MAX: malware (ai score=100)
- Ad-Aware: Trojan.Lojack.Gen.1
- Cylance: Unsafe
- Zoner: Trojan.Win32.68260
- ESET-NOD32: Win32/Agent.ZQE
- TrendMicro-HouseCall: Backdoor.Win32.FALOJAK.SMMR
- Rising: Trojan.Generic@ML.83 (RDMK:GrSH6nxnc5Vzzzr3h3d2hQ)
- Yandex: Backdoor.DoubleAgent!
- Ikarus: Backdoor.Win32.Lojax
- GData: Trojan.Lojack.Gen.1
- AVG: FileRepMetagen [Malware]
- Panda: Trj/CI.A
- CrowdStrike: win/malicious_confidence_100% (W)
- Qihoo-360: Win32/Trojan.994
e_magic | MZ |
---|---|
e_cblp | 0x4 |
e_cp | 0x1 |
e_crlc | 0 |
e_cparhdr | 0x4 |
e_minalloc | 0x1 |
e_maxalloc | 0xffff |
e_ss | 0x6a06 |
e_sp | 0xcb00 |
e_csum | 0 |
e_ip | 0 |
e_cs | 0 |
e_ovno | 0 |
e_oemid | 0 |
e_oeminfo | 0 |
e_lfanew | 0xa8 |
Signature | PE |
---|---|
Machine | IMAGE_FILE_MACHINE_I386 |
NumberOfSections | 4 |
TimeDateStamp | 2008-Apr-01 19:35:07 |
PointerToSymbolTable | 0 |
NumberOfSymbols | 0 |
SizeOfOptionalHeader | 0xe0 |
Characteristics | IMAGE_FILE_32BIT_MACHINE, IMAGE_FILE_EXECUTABLE_IMAGE, IMAGE_FILE_LINE_NUMS_STRIPPED, IMAGE_FILE_LOCAL_SYMS_STRIPPED |
Magic | PE32 |
---|---|
LinkerVersion | 7.0 |
SizeOfCode | 0x3600 |
SizeOfInitializedData | 0xa00 |
SizeOfUninitializedData | 0 |
AddressOfEntryPoint | 0x0000348D (Section: .text) |
BaseOfCode | 0x1000 |
BaseOfData | 0x5000 |
ImageBase | 0x400000 |
SectionAlignment | 0x1000 |
FileAlignment | 0x200 |
OperatingSystemVersion | 4.0 |
ImageVersion | 0.0 |
SubsystemVersion | 4.0 |
Win32VersionValue | 0 |
SizeOfImage | 0x8000 |
SizeOfHeaders | 0x400 |
Checksum | 0 |
Subsystem | IMAGE_SUBSYSTEM_WINDOWS_GUI |
SizeOfStackReserve | 0x100000 |
SizeOfStackCommit | 0x1000 |
SizeOfHeapReserve | 0x100000 |
SizeOfHeapCommit | 0x1000 |
LoaderFlags | 0 |
NumberOfRvaAndSizes | 16 |
WSOCK32.dll | #11, #115, #116 (imported by ordinal; in WSOCK32.dll these ordinals are inet_ntoa, WSAStartup and WSACleanup) |
---|---|
USER32.dll | DefWindowProcA, wsprintfA, PostQuitMessage, RegisterClassA, TranslateMessage, GetMessageA, PeekMessageA, PostMessageA, DispatchMessageA, CreateWindowExA, SetTimer, PostThreadMessageA, KillTimer |
KERNEL32.dll | VirtualFreeEx, DeleteCriticalSection, OpenProcess, WriteFile, CloseHandle, RtlUnwind, GetVersion, LocalAlloc, SetFilePointer, CreateProcessA, GetModuleHandleA, GetLastError, LocalFree, ExitThread, SetEvent, ReadFile, TerminateProcess, WaitForSingleObject, WriteProcessMemory, ReadProcessMemory, ResetEvent, LeaveCriticalSection, GetStdHandle, TerminateThread, ExitProcess, InitializeCriticalSection, GetModuleFileNameA, GetProcAddress, WaitForMultipleObjects, CreateRemoteThread, lstrlenA, CreateEventA, GetExitCodeThread, CreateThread, lstrcmpiA, EnterCriticalSection, GetCurrentProcessId, CreateFileA, SetThreadPriority, ResumeThread, lstrcpyA, GetOverlappedResult, FreeLibrary, RaiseException, GetCurrentThreadId, lstrcatA, GetEnvironmentVariableA, SetStdHandle, VirtualAllocEx, Sleep, CopyFileA, LoadLibraryA |
ADVAPI32.dll | RegQueryValueExA, RegEnumValueA, RegOpenKeyA, RegDeleteValueA, SetServiceStatus, OpenProcessToken, RegOpenKeyExA, StartServiceCtrlDispatcherA, SetTokenInformation, RegCloseKey, RegisterServiceCtrlHandlerA, DuplicateTokenEx, CreateProcessAsUserA |
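Added example, not Manalyzer's own scoring logic: a small rule engine run over the import table above, showing why the "functions mostly used by malware" and "may be hiding some of its imports" verdicts fire, and what a partial match looks like. The import list is transcribed from this page; the rule sets are my own heuristics, and SetThreadContext in the hollowing rule is deliberately an API this sample does not import.

```python
# Imports exactly as listed in the table above (transcribed; WSOCK32 entries are ordinals).
IMPORTS = {
    "WSOCK32.dll": {"#11", "#115", "#116"},
    "USER32.dll": {"DefWindowProcA", "wsprintfA", "PostQuitMessage", "RegisterClassA",
                   "TranslateMessage", "GetMessageA", "PeekMessageA", "PostMessageA",
                   "DispatchMessageA", "CreateWindowExA", "SetTimer", "PostThreadMessageA",
                   "KillTimer"},
    "KERNEL32.dll": {
        "VirtualFreeEx", "DeleteCriticalSection", "OpenProcess", "WriteFile",
        "CloseHandle", "RtlUnwind", "GetVersion", "LocalAlloc",
        "SetFilePointer", "CreateProcessA", "GetModuleHandleA", "GetLastError",
        "LocalFree", "ExitThread", "SetEvent", "ReadFile",
        "TerminateProcess", "WaitForSingleObject", "WriteProcessMemory", "ReadProcessMemory",
        "ResetEvent", "LeaveCriticalSection", "GetStdHandle", "TerminateThread",
        "ExitProcess", "InitializeCriticalSection", "GetModuleFileNameA", "GetProcAddress",
        "WaitForMultipleObjects", "CreateRemoteThread", "lstrlenA", "CreateEventA",
        "GetExitCodeThread", "CreateThread", "lstrcmpiA", "EnterCriticalSection",
        "GetCurrentProcessId", "CreateFileA", "SetThreadPriority", "ResumeThread",
        "lstrcpyA", "GetOverlappedResult", "FreeLibrary", "RaiseException",
        "GetCurrentThreadId", "lstrcatA", "GetEnvironmentVariableA", "SetStdHandle",
        "VirtualAllocEx", "Sleep", "CopyFileA", "LoadLibraryA"},
    "ADVAPI32.dll": {"RegQueryValueExA", "RegEnumValueA", "RegOpenKeyA", "RegDeleteValueA",
                     "SetServiceStatus", "OpenProcessToken", "RegOpenKeyExA",
                     "StartServiceCtrlDispatcherA", "SetTokenInformation", "RegCloseKey",
                     "RegisterServiceCtrlHandlerA", "DuplicateTokenEx", "CreateProcessAsUserA"},
}

# Heuristic capability rules (assumed, my own; not Manalyzer's). A rule fires only when every
# API in its set is imported; rules that overlap only partly are reported with what is missing,
# so a reviewer sees near-misses instead of silently losing them.
RULES = {
    "injection":   ("allocate, write and execute code in another process",
                    {"OpenProcess", "VirtualAllocEx", "WriteProcessMemory", "CreateRemoteThread"}),
    "service":     ("registers as a Windows service",
                    {"StartServiceCtrlDispatcherA", "RegisterServiceCtrlHandlerA", "SetServiceStatus"}),
    "run_as_user": ("spawns a process under a duplicated token (service into a user session)",
                    {"OpenProcessToken", "DuplicateTokenEx", "SetTokenInformation", "CreateProcessAsUserA"}),
    "dyn_resolve": ("resolves further APIs at run time, so the import table may be incomplete",
                    {"LoadLibraryA", "GetProcAddress"}),
    "registry":    ("reads and deletes registry values",
                    {"RegOpenKeyExA", "RegQueryValueExA", "RegDeleteValueA"}),
    "winsock":     ("initialises Winsock (WSAStartup/WSACleanup imported by ordinal)",
                    {"#115", "#116"}),
    "self_copy":   ("copies its own image to another path",
                    {"GetModuleFileNameA", "CopyFileA"}),
    "hollowing":   ("process hollowing; needs thread-context control",
                    {"CreateProcessA", "WriteProcessMemory", "ResumeThread", "SetThreadContext"}),
}


def all_imports(imports):
    """Flatten {dll: {api, ...}} into one set of API names and ordinals."""
    return set().union(*imports.values())


def evaluate(imports, rules=RULES):
    """Return (hits, partial): hits maps rule -> sorted matched APIs for fully satisfied
    rules; partial maps rule -> sorted missing APIs for rules that matched only in part."""
    present = all_imports(imports)
    hits, partial = {}, {}
    for name, (_desc, needed) in rules.items():
        found = needed & present
        if found == needed:
            hits[name] = sorted(found)
        elif found:
            partial[name] = sorted(needed - present)
    return hits, partial


def report(imports, rules=RULES):
    """Human-readable lines, one per firing or partially matching rule."""
    hits, partial = evaluate(imports, rules)
    lines = [f"[fires]   {n}: {rules[n][0]} ({', '.join(hits[n])})" for n in hits]
    lines += [f"[partial] {n}: {rules[n][0]}; missing {', '.join(partial[n])}" for n in partial]
    return lines


if __name__ == "__main__":
    print("\n".join(report(IMPORTS)))
```

Seven of the eight rules fire on this import table; only the hollowing rule is partial, because SetThreadContext is absent. The dyn_resolve rule is the weakest signal on its own (most legitimate binaries import LoadLibraryA/GetProcAddress), which is why the verdict above is phrased as "may be hiding" rather than as a definite finding.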
Ordinal | 1 |
---|---|
Address | 0x34e1 (RVA inside .text, 0x54 bytes past the entry point at 0x348D; no export name is listed, so the function is reachable by ordinal only) |
---|---|
Unmarked objects | 0 |
Imports (2067) | 2 |
Imports (2179) | 7 |
Total imports | 82 |
Unmarked objects (#2) | 5 |
C objects (VS2003 (.NET) build 3077) | 14 |
C++ objects (VS2003 (.NET) build 3077) | 1 |
Exports (VS2003 (.NET) build 3077) | 1 |
Linker (VS2003 (.NET) build 3077) | 1 |
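Added example to go with the "Rich header checksum is invalid" finding and the Rich header table above; this is my own code, not Manalyzer's. It implements the linker's Rich checksum (DanS offset, plus each DOS header and stub byte rotated left by its offset with e_lfanew skipped, plus each product ID and build rotated by its use count), parses a Rich header back out of a PE prefix, and verifies the stored XOR key against a recomputation. The PE prefix is constructed here, not taken from the analysed file; the entry counts mirror the table above, and the product ID values are taken from the public Rich product-ID table and are assumed.

```python
import struct

DANS = 0x536E6144      # "DanS" read as a little-endian dword
RICH = b"Rich"


def rol32(value: int, count: int) -> int:
    """Rotate a 32-bit value left; the rotation count is taken mod 32."""
    count &= 31
    return ((value << count) | (value >> (32 - count))) & 0xFFFFFFFF


def rich_checksum(dos_header: bytes, entries) -> int:
    """Checksum as the MS linker computes it: start with the DanS offset, add every byte of
    the DOS header and stub rotated by its own offset (the e_lfanew field at 0x3C..0x3F is
    skipped), then add each (prodid << 16 | build) rotated by its use count."""
    csum = len(dos_header)                      # DanS sits right after the stub
    for offset, byte in enumerate(dos_header):
        if 0x3C <= offset < 0x40:
            continue
        csum = (csum + rol32(byte, offset)) & 0xFFFFFFFF
    for prodid, build, count in entries:
        csum = (csum + rol32((prodid << 16) | build, count)) & 0xFFFFFFFF
    return csum


def build_rich_header(dos_header: bytes, entries) -> bytes:
    """Emit DanS, three zero pads, the entries and the 'Rich' + key trailer, XORed with the key."""
    key = rich_checksum(dos_header, entries)
    out = struct.pack("<4I", DANS ^ key, key, key, key)     # pads are 0 ^ key
    for prodid, build, count in entries:
        out += struct.pack("<II", ((prodid << 16) | build) ^ key, count ^ key)
    return out + RICH + struct.pack("<I", key)


def parse_rich_header(data: bytes):
    """Return (key, entries, checksum_valid) for a PE image; entries are (prodid, build, count)."""
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    rich_off = data.find(RICH, 0x40, e_lfanew)
    if rich_off < 0:
        raise ValueError("no Rich header between the DOS stub and the PE signature")
    key = struct.unpack_from("<I", data, rich_off + 4)[0]
    dwords, off = [], rich_off
    while off >= 0x44:                          # walk backwards, decrypting, until DanS
        off -= 4
        value = struct.unpack_from("<I", data, off)[0] ^ key
        if value == DANS:
            break
        dwords.append(value)
    else:
        raise ValueError("DanS marker not found")
    dans_off = off
    dwords.reverse()                            # pad, pad, pad, comp, count, comp, count, ...
    pairs = dwords[3:]
    entries = [(pairs[i] >> 16, pairs[i] & 0xFFFF, pairs[i + 1])
               for i in range(0, len(pairs), 2)]
    valid = rich_checksum(data[:dans_off], entries) == key
    return key, entries, valid


# Constructed sample entries (not read from the analysed file). Counts mirror the Rich header
# table above; product IDs are assumed from the public Rich product-ID table.
SAMPLE_ENTRIES = [
    (0x0001, 2067, 2),    # Import0, build 2067
    (0x0001, 2179, 7),    # Import0, build 2179
    (0x005F, 3077, 14),   # Utc1310_C   (VS2003 build 3077)
    (0x0060, 3077, 1),    # Utc1310_CPP
    (0x005C, 3077, 1),    # Export710
    (0x005A, 3077, 1),    # Linker710
]


def build_sample(tamper: bool = False) -> bytes:
    """Constructed PE prefix: MZ header + stub + Rich header + 'PE\\0\\0'. With tamper=True one
    stub byte is patched after 'linking', which is what an invalid Rich checksum looks like."""
    stub = (b"\x0e\x1f\xba\x0e\x00\xb4\x09\xcd\x21\xb8\x01\x4c\xcd\x21"
            b"This program cannot be run in DOS mode.\r\n$")
    stub += b"\0" * (-len(stub) % 16)
    rich_len = 16 + 8 * len(SAMPLE_ENTRIES) + 8
    e_lfanew = (0x40 + len(stub) + rich_len + 15) & ~15
    dos = bytearray(0x40)
    dos[0:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, e_lfanew)
    dos_header = bytes(dos) + stub
    image = bytearray(dos_header + build_rich_header(dos_header, SAMPLE_ENTRIES))
    image += b"\0" * (e_lfanew - len(image)) + b"PE\0\0"
    if tamper:
        image[0x50] ^= 0x01                     # flip one bit inside the DOS stub
    return bytes(image)


if __name__ == "__main__":
    for tampered in (False, True):
        key, entries, ok = parse_rich_header(build_sample(tampered))
        print(f"tampered={tampered} key=0x{key:08x} entries={len(entries)} checksum_valid={ok}")
```

Because the checksum covers every byte of the DOS header and stub, any post-link edit there (a replaced stub, a patched message, a shifted e_lfanew target) breaks it even though the Rich entries themselves still decrypt cleanly; the tampered sample above keeps the same key and entry list but fails verification. The reverse case, a Rich header copied wholesale from another binary, also fails unless the DOS header was copied with it, which is why the check is a useful tamper signal rather than a toolchain fingerprint alone.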