a5bc1f94e7505a2e73c866551f7996f9

Summary

Architecture IMAGE_FILE_MACHINE_I386
Subsystem IMAGE_SUBSYSTEM_WINDOWS_GUI
Compilation Date 2019-Jan-28 18:13:06
Detected languages English - United States
TLS Callbacks 1 callback(s) detected.
CompanyName Mlcrosoft
FileDescription Host Process for Windows Services
FileVersion 1.1.1.0
InternalName worker32
LegalCopyright Copyright (C) 2019
OriginalFilename worker32
ProductName Service Worker
ProductVersion 1.1.1.0

Plugin Output

Info Matching compiler(s): Microsoft Visual C++ 6.0 - 8.0
Suspicious Strings found in the binary may indicate undesirable behavior: Miscellaneous malware strings:
  • cmd.exe
  • exploit
Info Cryptographic algorithms detected in the binary: Uses constants related to CRC32
Uses constants related to SHA1
Uses constants related to SHA256
Uses constants related to SHA512
Uses constants related to AES
Microsoft's Cryptography API
Suspicious The PE contains functions most legitimate programs don't use. [!] The program may be hiding some of its imports:
  • GetProcAddress
  • LoadLibraryExW
  • LoadLibraryW
 Functions which can be used for anti-debugging purposes:
  • SwitchToThread
 Possibly launches other programs:
  • CreateProcessW
 Uses Microsoft's cryptographic API:
  • CryptReleaseContext
  • CryptAcquireContextA
  • CryptGenRandom
 Can create temporary files:
  • CreateFileA
  • CreateFileW
  • GetTempPathW
 Memory manipulation functions often used by packers:
  • VirtualAlloc
  • VirtualProtect
 Enumerates local disk drives:
  • GetLogicalDriveStringsW
  • GetDriveTypeW
Info The PE is digitally signed. Signer: MIKL LIMITED
Issuer: COMODO RSA Code Signing CA
Malicious VirusTotal score: 56/69 (Scanned on 2019-11-11 06:34:55) MicroWorld-eScan: Generic.Ransom.LockerGoga.CC1CD792
VBA32: Trojan.Crypren
CAT-QuickHeal: TrojanRansom.Crypren
McAfee: RansomCLock-FAL!A5BC1F94E750
VIPRE: Trojan.Win32.Generic!BT
SUPERAntiSpyware: Trojan.Agent/Gen-Falcomp[Cont]
K7AntiVirus: Trojan ( 005470f61 )
Alibaba: Ransom:Win32/LockerGoga.190327
K7GW: Trojan ( 005470f61 )
CrowdStrike: win/malicious_confidence_100% (W)
Arcabit: Generic.Ransom.LockerGoga.CC1CD792
TrendMicro: Ransom.Win32.LOCKERGOGA.SM1
F-Prot: W32/LockerGoga.A.gen!Eldorado
Symantec: Ransom.GoGalocker!g1
APEX: Malicious
Avast: Win32:DangerousSig [Trj]
ClamAV: Win.Ransomware.Lockergoga-6900587-0
Kaspersky: Trojan-Ransom.Win32.Crypren.afcj
BitDefender: Generic.Ransom.LockerGoga.CC1CD792
NANO-Antivirus: Trojan.Win32.Encoder.fmrfpy
Paloalto: generic.ml
AegisLab: Trojan.Win32.Crypren.4!c
Endgame: malicious (moderate confidence)
Sophos: Troj/Ransom-FFO
Comodo: Malware@#3j3xm1vcaiyv6
F-Secure: Trojan.TR/AD.LockerGaga.gohtr
DrWeb: Trojan.Encoder.27008
Zillya: Trojan.Crypren.Win32.832
McAfee-GW-Edition: RansomCLock-FAL!A5BC1F94E750
FireEye: Generic.Ransom.LockerGoga.CC1CD792
Emsisoft: Generic.Ransom.LockerGoga.CC1CD792 (B)
Cyren: W32/LockerGoga.A.gen!Eldorado
Jiangmin: Trojan.Crypren.nv
Webroot: W32.Ransom.Lockergoga
Avira: TR/AD.LockerGaga.gohtr
Fortinet: W32/Filecoder.NUJ!tr.ransom
Antiy-AVL: Trojan[Ransom]/Win32.Crypren
Microsoft: Ransom:Win32/LockerGoga
ViRobot: Trojan.Win32.S.LockerGoga.1268240
ZoneAlarm: Trojan-Ransom.Win32.Crypren.afcj
TACHYON: Ransom/W32.LockerGoga.1268240
AhnLab-V3: Trojan/Win32.CryptoLocker.R259815
BitDefenderTheta: Gen:NN.ZexaF.32245.nv1@ayg@jtci
ALYac: Trojan.Ransom.Filecoder
MAX: malware (ai score=100)
Ad-Aware: Generic.Ransom.LockerGoga.CC1CD792
ESET-NOD32: a variant of Win32/Filecoder.LockerGoga.A
TrendMicro-HouseCall: Ransom.Win32.LOCKERGOGA.SM1
Rising: Ransom.Agent!1.B5C0 (CLASSIC)
Yandex: Trojan.Crypren!LLEqdMN9hZ4
Ikarus: Trojan-Ransom.LockerGoga
eGambit: Unsafe.AI_Score_99%
GData: Win32.Trojan-Ransom.Filecoder.CP
AVG: Win32:DangerousSig [Trj]
Panda: Trj/Genetic.gen
Qihoo-360: Win32/Trojan.9ad

Hashes

MD5 a5bc1f94e7505a2e73c866551f7996f9
SHA1 7dea7ff735023418b902d093964028aefbc486a5
SHA256 14e8a8095426245633cd6c3440afc5b29d0c8cd4acefd10e16f82eb3295077ca
SHA3 e653e47ee29620e458328fcbf1fcf95f97c80a07c29a37c5e5d032bede8bd856
SSDeep 24576:EwA0nFj1AkatNE/FprtCgbip6MXyVhJdoZfvzUQicA8a8/ae2K:9DQCF/CgbPMo1oZ3zUQicArZe2K
Imports Hash c226ac4bab6f48634bacbb7a1d34f8f6

DOS Header

e_magic MZ
e_cblp 0x90
e_cp 0x3
e_crlc 0
e_cparhdr 0x4
e_minalloc 0
e_maxalloc 0xffff
e_ss 0
e_sp 0xb8
e_csum 0
e_ip 0
e_cs 0
e_ovno 0
e_oemid 0
e_oeminfo 0
e_lfanew 0x120

PE Header

Signature PE
Machine IMAGE_FILE_MACHINE_I386
NumberofSections 5
TimeDateStamp 2019-Jan-28 18:13:06
PointerToSymbolTable 0
NumberOfSymbols 0
SizeOfOptionalHeader 0xe0
Characteristics IMAGE_FILE_32BIT_MACHINE
IMAGE_FILE_EXECUTABLE_IMAGE

Image Optional Header

Magic PE32
LinkerVersion 14.0
SizeOfCode 0xe3400
SizeOfInitializedData 0x53c00
SizeOfUninitializedData 0
AddressOfEntryPoint 0x00097B94 (Section: .text)
BaseOfCode 0x1000
BaseOfData 0xe5000
ImageBase 0x400000
SectionAlignment 0x1000
FileAlignment 0x200
OperatingSystemVersion 5.1
ImageVersion 0.0
SubsystemVersion 5.1
Win32VersionValue 0
SizeOfImage 0x13a000
SizeOfHeaders 0x400
Checksum 0x13e745
Subsystem IMAGE_SUBSYSTEM_WINDOWS_GUI
DllCharacteristics IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
IMAGE_DLLCHARACTERISTICS_NX_COMPAT
IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE
SizeofStackReserve 0x100000
SizeofStackCommit 0x1000
SizeofHeapReserve 0x100000
SizeofHeapCommit 0x1000
LoaderFlags 0
NumberOfRvaAndSizes 16

.text

MD5 04eb804df22d15abcecda53d177cda5c
SHA1 ed0edd2c04f99849e53032d5b1bffc932f54bd88
SHA256 9597fe4c2214d2766cb318e5df4a57d9cf2dfa252b8410f07d261dea74c72ce3
SHA3 19f77af70faf0334af141a7f574a6c87df63813f5d19ad9d717b12e67422c6b3
VirtualSize 0xe33a2
VirtualAddress 0x1000
SizeOfRawData 0xe3400
PointerToRawData 0x400
PointerToRelocations 0
PointerToLineNumbers 0
NumberOfLineNumbers 0
NumberOfRelocations 0
Characteristics IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ
Entropy 6.62512

.rdata

MD5 d2b29a42675870499ba8bbd504ed4444
SHA1 123390abf3390fee593945bd4af714e3ea70ffd6
SHA256 b3f80998b61c7ec39baee52641a8c8d7fd8a40528103871c5a30d9c52aaa0d2f
SHA3 4ea2ca210cc4e88efbb11c72b7e327f14935a0d88e82656dd17096b73def3332
VirtualSize 0x3795a
VirtualAddress 0xe5000
SizeOfRawData 0x37a00
PointerToRawData 0xe3800
PointerToRelocations 0
PointerToLineNumbers 0
NumberOfLineNumbers 0
NumberOfRelocations 0
Characteristics IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
Entropy 4.90707

.data

MD5 5978f2be1aec4dfdad08bdae94283b40
SHA1 cb73dfac1342c7670baba9bb442be5fccebebf1d
SHA256 052f2478d6578ee1116bf0da3caef6e87a65876561057485fff985b50e2d4c78
SHA3 0fd31bf978a2e2f0c085405dfbbc486b90798c1175061d1c31b4916256e8e7b1
VirtualSize 0xcb80
VirtualAddress 0x11d000
SizeOfRawData 0xa400
PointerToRawData 0x11b200
PointerToRelocations 0
PointerToLineNumbers 0
NumberOfLineNumbers 0
NumberOfRelocations 0
Characteristics IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE
Entropy 4.94561

.rsrc

MD5 4ea8e68cc1db55a88b76f3dddd52665c
SHA1 75a8e3a7d4e1a1f581394a8e838b70df636b6d37
SHA256 527941024ddff3d068dfd60041137f2072717d33d0e4bdc041c16cca02675609
SHA3 6bde46be9afcb901342f11ecaaefaea5d58f92ff93a7f359c64ee7d9e9caa8ad
VirtualSize 0x5f0
VirtualAddress 0x12a000
SizeOfRawData 0x600
PointerToRawData 0x125600
PointerToRelocations 0
PointerToLineNumbers 0
NumberOfLineNumbers 0
NumberOfRelocations 0
Characteristics IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
Entropy 4.42064

.reloc

MD5 6b0681f99d5ae45208fe9c7c21efc754
SHA1 9b30babe75684bc2c390f6026fc8ffb909808e16
SHA256 df41478f39d6223090724e063cc39c554163cef1f0d8db0684dc148ac84d6c9e
SHA3 f9e14a01aa03597e9df8328b3a7677d059ad0c0f128cdb8bfc8af1c546451695
VirtualSize 0xef7c
VirtualAddress 0x12b000
SizeOfRawData 0xf000
PointerToRawData 0x125c00
PointerToRelocations 0
PointerToLineNumbers 0
NumberOfLineNumbers 0
NumberOfRelocations 0
Characteristics IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ
Entropy 6.57185

Imports

SHLWAPI.dll PathIsNetworkPathA
KERNEL32.dll CloseHandle
DuplicateHandle
UnmapViewOfFile
CreateFileMappingA
MapViewOfFileEx
CreateFileA
GetSystemInfo
FormatMessageA
LocalFree
GetProcAddress
GetModuleHandleA
GetExitCodeProcess
CreateProcessW
TerminateProcess
WaitForSingleObjectEx
WaitForSingleObject
CreateEventA
SetEvent
CreateSemaphoreA
ReleaseSemaphore
AreFileApisANSI
ReadFile
WriteFile
MultiByteToWideChar
WideCharToMultiByte
GetSystemDirectoryW
CreatePipe
SetHandleInformation
GetProcessHeap
HeapAlloc
GetCurrentProcess
GetLogicalDriveStringsW
GetCommandLineW
GetDriveTypeW
GetWindowsDirectoryW
Wow64DisableWow64FsRedirection
Wow64RevertWow64FsRedirection
QueryPerformanceCounter
QueryPerformanceFrequency
ResetEvent
WaitForMultipleObjectsEx
OpenEventA
SetWaitableTimer
GetCurrentProcessId
GetCurrentThreadId
ResumeThread
TlsAlloc
TlsGetValue
TlsSetValue
TlsFree
CreateWaitableTimerA
SetLastError
GetCurrentThread
GetThreadTimes
FindNextFileA
FindFirstFileExA
GetTimeZoneInformation
HeapSize
ReadConsoleW
GetLastError
SwitchToThread
Sleep
WriteConsoleW
HeapFree
GetStringTypeW
FormatMessageW
GetExitCodeThread
EnterCriticalSection
LeaveCriticalSection
TryEnterCriticalSection
DeleteCriticalSection
CreateFileW
FindClose
FindFirstFileExW
FindNextFileW
GetDiskFreeSpaceExW
GetFileAttributesExW
GetFileInformationByHandle
SetEndOfFile
SetFileAttributesW
SetFilePointerEx
GetTempPathW
DeleteFileW
GetFileAttributesW
RemoveDirectoryW
GetModuleHandleW
MoveFileExW
GetCPInfo
EncodePointer
DecodePointer
InitializeCriticalSectionAndSpinCount
CreateEventW
GetSystemTimeAsFileTime
GetTickCount
CompareStringW
LCMapStringW
GetLocaleInfoW
InitializeSListHead
IsProcessorFeaturePresent
IsDebuggerPresent
UnhandledExceptionFilter
SetUnhandledExceptionFilter
GetStartupInfoW
CreateTimerQueue
SignalObjectAndWait
CreateThread
SetThreadPriority
GetThreadPriority
GetLogicalProcessorInformation
CreateTimerQueueTimer
ChangeTimerQueueTimer
DeleteTimerQueueTimer
GetNumaHighestNodeNumber
GetProcessAffinityMask
SetThreadAffinityMask
RegisterWaitForSingleObject
UnregisterWait
FreeLibrary
FreeLibraryAndExitThread
GetModuleFileNameW
LoadLibraryExW
GetVersionExW
VirtualAlloc
VirtualProtect
VirtualFree
InterlockedPopEntrySList
InterlockedPushEntrySList
InterlockedFlushSList
QueryDepthSList
UnregisterWaitEx
LoadLibraryW
RaiseException
RtlUnwind
GetCommandLineA
ExitThread
GetModuleHandleExW
SetEnvironmentVariableA
ExitProcess
GetModuleFileNameA
GetStdHandle
GetACP
HeapReAlloc
GetDateFormatW
GetTimeFormatW
IsValidLocale
GetUserDefaultLCID
EnumSystemLocalesW
GetFileType
FlushFileBuffers
GetConsoleCP
GetConsoleMode
SetStdHandle
IsValidCodePage
GetOEMCP
GetEnvironmentStringsW
FreeEnvironmentStringsW
SHELL32.dll SHGetFolderPathW
ole32.dll CoCreateInstance
CoUninitialize
CoInitialize
ADVAPI32.dll CryptReleaseContext
CryptAcquireContextA
SetSecurityDescriptorDacl
InitializeSecurityDescriptor
CryptGenRandom

Delayed Imports

1

Type RT_VERSION
Language English - United States
Codepage UNKNOWN
Size 0x2dc
TimeDateStamp 1980-Jan-01 00:00:00
Entropy 3.35289
MD5 f7b2e2d1950ef49eedf0e9fdc04616f5
SHA1 f6c5456c39a10833a14f6d0ccca05b4bd34c25eb
SHA256 36d6ea5cc5b4207cc34fc6bc3f3f8be80d72afb522514f8542a48ccf4820641a
SHA3 046e1736da5282053455224a0d38306db1c2afbbb48b10991f493f1e28c5df19

1 (#2)

Type RT_MANIFEST
Language English - United States
Codepage UNKNOWN
Size 0x26c
TimeDateStamp 1980-Jan-01 00:00:00
Entropy 5.01892
MD5 fbf3faf765f2b7436a54526f2ca37259
SHA1 39665051dfc0f41d629c604bf5ef33cffc2c8564
SHA256 87f34749fc9e94dc4cc8cfc0b086b3af4001244dd85bb914b470ebe59e80831a
SHA3 34bbfa15449905243b3a96db00d987d451d683f4439df6334dea572e809908f3

Version Info

Signature 0xfeef04bd
StructVersion 0x10000
FileVersion 1.1.1.0
ProductVersion 1.1.1.0
FileFlags (EMPTY)
FileOs VOS_DOS_WINDOWS32
VOS_NT_WINDOWS32
VOS__WINDOWS32
FileType VFT_APP
Language UNKNOWN
CompanyName Mlcrosoft
FileDescription Host Process for Windows Services
FileVersion (#2) 1.1.1.0
InternalName worker32
LegalCopyright Copyright (C) 2019
OriginalFilename worker32
ProductName Service Worker
ProductVersion (#2) 1.1.1.0
Resource LangID English - United States

IMAGE_DEBUG_TYPE_POGO

Characteristics 0
TimeDateStamp 2019-Jan-28 18:13:06
Version 0.0
SizeofData 984
AddressOfRawData 0x10ad28
PointerToRawData 0x109528

TLS Callbacks

StartAddressOfRawData 0x50b110
EndAddressOfRawData 0x50b111
AddressOfIndex 0x528eb0
AddressOfCallbacks 0x4e538c
SizeOfZeroFill 0
Characteristics IMAGE_SCN_ALIGN_1BYTES
Callbacks 0x00457F30

Load Configuration

Size 0xa0
TimeDateStamp 1970-Jan-01 00:00:00
Version 0.0
GlobalFlagsClear (EMPTY)
GlobalFlagsSet (EMPTY)
CriticalSectionDefaultTimeout 0
DeCommitFreeBlockThreshold 0
DeCommitTotalFreeThreshold 0
LockPrefixTable 0
MaximumAllocationSize 0
VirtualMemoryThreshold 0
ProcessAffinityMask 0
ProcessHeapFlags (EMPTY)
CSDVersion 0
Reserved1 0
EditList 0
SecurityCookie 0x51d1d4
SEHandlerTable 0x50a0c0
SEHandlerCount 794

RICH Header

XOR Key 0x9dd05c70
Unmarked objects 0
241 (40116) 21
243 (40116) 170
242 (40116) 31
ASM objects (VS 2015/2017 runtime 26706) 23
C++ objects (VS 2015/2017 runtime 26706) 133
C objects (VS 2015/2017 runtime 26706) 36
C objects (VS2008 SP1 build 30729) 3
Imports (VS2008 SP1 build 30729) 11
Total imports 186
C++ objects (VS2017 v15.9.2-3 compiler 27024) 18
C++ objects (VS2017 v15.9.5-6 compiler 27026) 41
Resource objects (VS2017 v15.9.5-6 compiler 27026) 1
151 1
Linker (VS2017 v15.9.5-6 compiler 27026) 1

Errors

<-- -->