Summary | Value |
---|---|
Architecture | IMAGE_FILE_MACHINE_I386 |
Subsystem | IMAGE_SUBSYSTEM_WINDOWS_GUI |
Compilation Date | 2019-Jan-28 18:13:06 |
Detected languages | English - United States |
TLS Callbacks | 1 callback(s) detected. |
CompanyName | Mlcrosoft |
FileDescription | Host Process for Windows Services |
FileVersion | 1.1.1.0 |
InternalName | worker32 |
LegalCopyright | Copyright (C) 2019 |
OriginalFilename | worker32 |
ProductName | Service Worker |
ProductVersion | 1.1.1.0 |
Level | Check | Details |
---|---|---|
Info | Matching compiler(s): | Microsoft Visual C++ 6.0 - 8.0 |
Suspicious | Strings found in the binary may indicate undesirable behavior: | Miscellaneous malware strings: |
Info | Cryptographic algorithms detected in the binary: | Uses constants related to CRC32; Uses constants related to SHA1; Uses constants related to SHA256; Uses constants related to SHA512; Uses constants related to AES; Microsoft's Cryptography API |
Suspicious | The PE contains functions most legitimate programs don't use. | [!] The program may be hiding some of its imports: |
Info | The PE is digitally signed. | Signer: MIKL LIMITED; Issuer: COMODO RSA Code Signing CA |
Malicious | VirusTotal score: 56/69 (Scanned on 2019-11-11 06:34:55) | Per-engine verdicts listed in the table below |

Engine | Verdict |
---|---|
MicroWorld-eScan | Generic.Ransom.LockerGoga.CC1CD792 |
VBA32 | Trojan.Crypren |
CAT-QuickHeal | TrojanRansom.Crypren |
McAfee | RansomCLock-FAL!A5BC1F94E750 |
VIPRE | Trojan.Win32.Generic!BT |
SUPERAntiSpyware | Trojan.Agent/Gen-Falcomp[Cont] |
K7AntiVirus | Trojan ( 005470f61 ) |
Alibaba | Ransom:Win32/LockerGoga.190327 |
K7GW | Trojan ( 005470f61 ) |
CrowdStrike | win/malicious_confidence_100% (W) |
Arcabit | Generic.Ransom.LockerGoga.CC1CD792 |
TrendMicro | Ransom.Win32.LOCKERGOGA.SM1 |
F-Prot | W32/LockerGoga.A.gen!Eldorado |
Symantec | Ransom.GoGalocker!g1 |
APEX | Malicious |
Avast | Win32:DangerousSig [Trj] |
ClamAV | Win.Ransomware.Lockergoga-6900587-0 |
Kaspersky | Trojan-Ransom.Win32.Crypren.afcj |
BitDefender | Generic.Ransom.LockerGoga.CC1CD792 |
NANO-Antivirus | Trojan.Win32.Encoder.fmrfpy |
Paloalto | generic.ml |
AegisLab | Trojan.Win32.Crypren.4!c |
Endgame | malicious (moderate confidence) |
Sophos | Troj/Ransom-FFO |
Comodo | Malware@#3j3xm1vcaiyv6 |
F-Secure | Trojan.TR/AD.LockerGaga.gohtr |
DrWeb | Trojan.Encoder.27008 |
Zillya | Trojan.Crypren.Win32.832 |
McAfee-GW-Edition | RansomCLock-FAL!A5BC1F94E750 |
FireEye | Generic.Ransom.LockerGoga.CC1CD792 |
Emsisoft | Generic.Ransom.LockerGoga.CC1CD792 (B) |
Cyren | W32/LockerGoga.A.gen!Eldorado |
Jiangmin | Trojan.Crypren.nv |
Webroot | W32.Ransom.Lockergoga |
Avira | TR/AD.LockerGaga.gohtr |
Fortinet | W32/Filecoder.NUJ!tr.ransom |
Antiy-AVL | Trojan[Ransom]/Win32.Crypren |
Microsoft | Ransom:Win32/LockerGoga |
ViRobot | Trojan.Win32.S.LockerGoga.1268240 |
ZoneAlarm | Trojan-Ransom.Win32.Crypren.afcj |
TACHYON | Ransom/W32.LockerGoga.1268240 |
AhnLab-V3 | Trojan/Win32.CryptoLocker.R259815 |
BitDefenderTheta | Gen:NN.ZexaF.32245.nv1@ayg@jtci |
ALYac | Trojan.Ransom.Filecoder |
MAX | malware (ai score=100) |
Ad-Aware | Generic.Ransom.LockerGoga.CC1CD792 |
ESET-NOD32 | a variant of Win32/Filecoder.LockerGoga.A |
TrendMicro-HouseCall | Ransom.Win32.LOCKERGOGA.SM1 |
Rising | Ransom.Agent!1.B5C0 (CLASSIC) |
Yandex | Trojan.Crypren!LLEqdMN9hZ4 |
Ikarus | Trojan-Ransom.LockerGoga |
eGambit | Unsafe.AI_Score_99% |
GData | Win32.Trojan-Ransom.Filecoder.CP |
AVG | Win32:DangerousSig [Trj] |
Panda | Trj/Genetic.gen |
Qihoo-360 | Win32/Trojan.9ad |
DOS header field | Value |
---|---|
e_magic | MZ |
e_cblp | 0x90 |
e_cp | 0x3 |
e_crlc | 0 |
e_cparhdr | 0x4 |
e_minalloc | 0 |
e_maxalloc | 0xffff |
e_ss | 0 |
e_sp | 0xb8 |
e_csum | 0 |
e_ip | 0 |
e_cs | 0 |
e_ovno | 0 |
e_oemid | 0 |
e_oeminfo | 0 |
e_lfanew | 0x120 |
File header field | Value |
---|---|
Signature | PE |
Machine | IMAGE_FILE_MACHINE_I386 |
NumberofSections | 5 |
TimeDateStamp | 2019-Jan-28 18:13:06 |
PointerToSymbolTable | 0 |
NumberOfSymbols | 0 |
SizeOfOptionalHeader | 0xe0 |
Characteristics | IMAGE_FILE_32BIT_MACHINE, IMAGE_FILE_EXECUTABLE_IMAGE |
Optional header field | Value |
---|---|
Magic | PE32 |
LinkerVersion | 14.0 |
SizeOfCode | 0xe3400 |
SizeOfInitializedData | 0x53c00 |
SizeOfUninitializedData | 0 |
AddressOfEntryPoint | 0x00097B94 (Section: .text) |
BaseOfCode | 0x1000 |
BaseOfData | 0xe5000 |
ImageBase | 0x400000 |
SectionAlignment | 0x1000 |
FileAlignment | 0x200 |
OperatingSystemVersion | 5.1 |
ImageVersion | 0.0 |
SubsystemVersion | 5.1 |
Win32VersionValue | 0 |
SizeOfImage | 0x13a000 |
SizeOfHeaders | 0x400 |
Checksum | 0x13e745 |
Subsystem | IMAGE_SUBSYSTEM_WINDOWS_GUI |
DllCharacteristics | IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE, IMAGE_DLLCHARACTERISTICS_NX_COMPAT, IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE |
SizeofStackReserve | 0x100000 |
SizeofStackCommit | 0x1000 |
SizeofHeapReserve | 0x100000 |
SizeofHeapCommit | 0x1000 |
LoaderFlags | 0 |
NumberOfRvaAndSizes | 16 |
Imported DLL | Imported functions |
---|---|
SHLWAPI.dll | PathIsNetworkPathA |
KERNEL32.dll | CloseHandle, DuplicateHandle, UnmapViewOfFile, CreateFileMappingA, MapViewOfFileEx, CreateFileA, GetSystemInfo, FormatMessageA, LocalFree, GetProcAddress, GetModuleHandleA, GetExitCodeProcess, CreateProcessW, TerminateProcess, WaitForSingleObjectEx, WaitForSingleObject, CreateEventA, SetEvent, CreateSemaphoreA, ReleaseSemaphore, AreFileApisANSI, ReadFile, WriteFile, MultiByteToWideChar, WideCharToMultiByte, GetSystemDirectoryW, CreatePipe, SetHandleInformation, GetProcessHeap, HeapAlloc, GetCurrentProcess, GetLogicalDriveStringsW, GetCommandLineW, GetDriveTypeW, GetWindowsDirectoryW, Wow64DisableWow64FsRedirection, Wow64RevertWow64FsRedirection, QueryPerformanceCounter, QueryPerformanceFrequency, ResetEvent, WaitForMultipleObjectsEx, OpenEventA, SetWaitableTimer, GetCurrentProcessId, GetCurrentThreadId, ResumeThread, TlsAlloc, TlsGetValue, TlsSetValue, TlsFree, CreateWaitableTimerA, SetLastError, GetCurrentThread, GetThreadTimes, FindNextFileA, FindFirstFileExA, GetTimeZoneInformation, HeapSize, ReadConsoleW, GetLastError, SwitchToThread, Sleep, WriteConsoleW, HeapFree, GetStringTypeW, FormatMessageW, GetExitCodeThread, EnterCriticalSection, LeaveCriticalSection, TryEnterCriticalSection, DeleteCriticalSection, CreateFileW, FindClose, FindFirstFileExW, FindNextFileW, GetDiskFreeSpaceExW, GetFileAttributesExW, GetFileInformationByHandle, SetEndOfFile, SetFileAttributesW, SetFilePointerEx, GetTempPathW, DeleteFileW, GetFileAttributesW, RemoveDirectoryW, GetModuleHandleW, MoveFileExW, GetCPInfo, EncodePointer, DecodePointer, InitializeCriticalSectionAndSpinCount, CreateEventW, GetSystemTimeAsFileTime, GetTickCount, CompareStringW, LCMapStringW, GetLocaleInfoW, InitializeSListHead, IsProcessorFeaturePresent, IsDebuggerPresent, UnhandledExceptionFilter, SetUnhandledExceptionFilter, GetStartupInfoW, CreateTimerQueue, SignalObjectAndWait, CreateThread, SetThreadPriority, GetThreadPriority, GetLogicalProcessorInformation, CreateTimerQueueTimer, ChangeTimerQueueTimer, DeleteTimerQueueTimer, GetNumaHighestNodeNumber, GetProcessAffinityMask, SetThreadAffinityMask, RegisterWaitForSingleObject, UnregisterWait, FreeLibrary, FreeLibraryAndExitThread, GetModuleFileNameW, LoadLibraryExW, GetVersionExW, VirtualAlloc, VirtualProtect, VirtualFree, InterlockedPopEntrySList, InterlockedPushEntrySList, InterlockedFlushSList, QueryDepthSList, UnregisterWaitEx, LoadLibraryW, RaiseException, RtlUnwind, GetCommandLineA, ExitThread, GetModuleHandleExW, SetEnvironmentVariableA, ExitProcess, GetModuleFileNameA, GetStdHandle, GetACP, HeapReAlloc, GetDateFormatW, GetTimeFormatW, IsValidLocale, GetUserDefaultLCID, EnumSystemLocalesW, GetFileType, FlushFileBuffers, GetConsoleCP, GetConsoleMode, SetStdHandle, IsValidCodePage, GetOEMCP, GetEnvironmentStringsW, FreeEnvironmentStringsW |
SHELL32.dll | SHGetFolderPathW |
ole32.dll | CoCreateInstance, CoUninitialize, CoInitialize |
ADVAPI32.dll | CryptReleaseContext, CryptAcquireContextA, SetSecurityDescriptorDacl, InitializeSecurityDescriptor, CryptGenRandom |
Version info field | Value |
---|---|
Signature | 0xfeef04bd |
StructVersion | 0x10000 |
FileVersion | 1.1.1.0 |
ProductVersion | 1.1.1.0 |
FileFlags | (EMPTY) |
FileOs | VOS_DOS_WINDOWS32, VOS_NT_WINDOWS32, VOS__WINDOWS32 |
FileType | VFT_APP |
Language | UNKNOWN |
CompanyName | Mlcrosoft |
FileDescription | Host Process for Windows Services |
FileVersion (#2) | 1.1.1.0 |
InternalName | worker32 |
LegalCopyright | Copyright (C) 2019 |
OriginalFilename | worker32 |
ProductName | Service Worker |
ProductVersion (#2) | 1.1.1.0 |
Resource LangID | English - United States |
Debug directory field | Value |
---|---|
Characteristics | 0 |
TimeDateStamp | 2019-Jan-28 18:13:06 |
Version | 0.0 |
SizeofData | 984 |
AddressOfRawData | 0x10ad28 |
PointerToRawData | 0x109528 |
TLS directory field | Value |
---|---|
StartAddressOfRawData | 0x50b110 |
EndAddressOfRawData | 0x50b111 |
AddressOfIndex | 0x528eb0 |
AddressOfCallbacks | 0x4e538c |
SizeOfZeroFill | 0 |
Characteristics | IMAGE_SCN_ALIGN_1BYTES |
Callbacks | 0x00457F30 |
Load configuration field | Value |
---|---|
Size | 0xa0 |
TimeDateStamp | 1970-Jan-01 00:00:00 |
Version | 0.0 |
GlobalFlagsClear | (EMPTY) |
GlobalFlagsSet | (EMPTY) |
CriticalSectionDefaultTimeout | 0 |
DeCommitFreeBlockThreshold | 0 |
DeCommitTotalFreeThreshold | 0 |
LockPrefixTable | 0 |
MaximumAllocationSize | 0 |
VirtualMemoryThreshold | 0 |
ProcessAffinityMask | 0 |
ProcessHeapFlags | (EMPTY) |
CSDVersion | 0 |
Reserved1 | 0 |
EditList | 0 |
SecurityCookie | 0x51d1d4 |
SEHandlerTable | 0x50a0c0 |
SEHandlerCount | 794 |
Rich header entry | Count |
---|---|
XOR Key | 0x9dd05c70 |
Unmarked objects | 0 |
241 (40116) | 21 |
243 (40116) | 170 |
242 (40116) | 31 |
ASM objects (VS 2015/2017 runtime 26706) | 23 |
C++ objects (VS 2015/2017 runtime 26706) | 133 |
C objects (VS 2015/2017 runtime 26706) | 36 |
C objects (VS2008 SP1 build 30729) | 3 |
Imports (VS2008 SP1 build 30729) | 11 |
Total imports | 186 |
C++ objects (VS2017 v15.9.2-3 compiler 27024) | 18 |
C++ objects (VS2017 v15.9.5-6 compiler 27026) | 41 |
Resource objects (VS2017 v15.9.5-6 compiler 27026) | 1 |
151 | 1 |
Linker (VS2017 v15.9.5-6 compiler 27026) | 1 |