Architecture | IMAGE_FILE_MACHINE_I386 |
---|---|
Subsystem | IMAGE_SUBSYSTEM_WINDOWS_GUI |
Compilation Date | 2010-Nov-20 09:05:05 |
Detected languages | English - United States |
Info | Matching compiler(s): Microsoft Visual C++ 6.0 - 8.0; Microsoft Visual C++; Microsoft Visual C++ v6.0; Microsoft Visual C++ v5.0/v6.0 (MFC) |
Suspicious | Strings found in the binary may indicate undesirable behavior: Miscellaneous malware strings: |
Info | Cryptographic algorithms detected in the binary: Uses constants related to CRC32; Uses constants related to AES; Microsoft's Cryptography API |
Malicious | This program contains valid cryptocurrency addresses. Contains a valid Bitcoin address: |
Suspicious | The PE contains functions most legitimate programs don't use. [!] The program may be hiding some of its imports: |
Suspicious | The PE is possibly a dropper. Resource 1 is possibly compressed or encrypted. Resources account for 98.1255% of the executable. |
Malicious | VirusTotal score: 52/61 (Scanned on 2017-05-22 16:46:16) Bkav: W32.RansomwareTBJ.Trojan MicroWorld-eScan: Trojan.Ransom.WannaCryptor.A nProtect: Ransom/W32.WannaCry.Zen CAT-QuickHeal: Ransom.WannaCrypt.A4 ALYac: Trojan.Ransom.WannaCryptor Malwarebytes: Ransom.WannaCrypt Zillya: Trojan.WannaCry.Win32.2 K7GW: Trojan ( 0050d7171 ) K7AntiVirus: Trojan ( 0050d7171 ) Arcabit: Trojan.Ransom.WannaCryptor.A Baidu: Win32.Trojan.WisdomEyes.16070401.9500.9936 F-Prot: W32/WannaCrypt.D Symantec: Trojan.Gen.2 TrendMicro-HouseCall: Ransom_WCRY.J Paloalto: generic.ml ClamAV: Win.Ransomware.WannaCry-6313787-0 Kaspersky: Trojan-Ransom.Win32.Wanna.d BitDefender: Trojan.Ransom.WannaCryptor.A NANO-Antivirus: Trojan.Win32.Wanna.eorfmq ViRobot: Trojan.Win32.S.WannaCry.3514368.Q[h] Avast: Win32:WanaCry-A [Trj] Tencent: Win32.Trojan.Ransome.wannacry.ldzq Ad-Aware: Trojan.Ransom.WannaCryptor.A Emsisoft: Trojan.Ransom.WannaCryptor.A (B) Comodo: TrojWare.Win32.Ransom.WannaCryptor.a F-Secure: Trojan.Ransom.WannaCryptor.A DrWeb: Trojan.Encoder.11432 VIPRE: Trojan.Win32.Generic!BT TrendMicro: Ransom_WCRY.J McAfee-GW-Edition: Ransom-WannaCry!B7F7AD497050 Sophos: Troj/Ransom-EMG SentinelOne: static engine - malicious Cyren: W32/Trojan.ZTSA-8671 Jiangmin: Trojan.WanaCry.b Webroot: W32.Ransomware.Wcry Avira: TR/Agent.hlwss Microsoft: Ransom:Win32/WannaCrypt!rfn AegisLab: Gen.Variant.Graftor!c ZoneAlarm: Trojan-Ransom.Win32.Wanna.d GData: Win32.Trojan-Ransom.WannaCry.A AhnLab-V3: Trojan/Win32.WannaCryptor.R200571 McAfee: Ransom-WannaCry!B7F7AD497050 AVware: Trojan.Win32.Generic!BT ESET-NOD32: Win32/Filecoder.WannaCryptor.D Rising: Malware.Heuristic!ET#89% (cloud:vZkqDj6QDKF) Yandex: Trojan.Filecoder!cfsqa4THfJY Ikarus: Trojan-Ransom.WannaCry Fortinet: W32/WannaCryptor.D!tr AVG: FileCryptor.OYP Panda: Trj/RansomCrypt.F CrowdStrike: malicious_confidence_100% (W) Qihoo-360: Trojan.Generic |
e_magic | MZ |
---|---|
e_cblp | 0x90 |
e_cp | 0x3 |
e_crlc | 0 |
e_cparhdr | 0x4 |
e_minalloc | 0 |
e_maxalloc | 0xffff |
e_ss | 0 |
e_sp | 0xb8 |
e_csum | 0 |
e_ip | 0 |
e_cs | 0 |
e_ovno | 0 |
e_oemid | 0 |
e_oeminfo | 0 |
e_lfanew | 0xf8 |
Signature | PE |
---|---|
Machine | IMAGE_FILE_MACHINE_I386 |
NumberofSections | 4 |
TimeDateStamp | 2010-Nov-20 09:05:05 |
PointerToSymbolTable | 0 |
NumberOfSymbols | 0 |
SizeOfOptionalHeader | 0xe0 |
Characteristics | IMAGE_FILE_32BIT_MACHINE, IMAGE_FILE_EXECUTABLE_IMAGE, IMAGE_FILE_LINE_NUMS_STRIPPED, IMAGE_FILE_LOCAL_SYMS_STRIPPED, IMAGE_FILE_RELOCS_STRIPPED |
Magic | PE32 |
---|---|
LinkerVersion | 6.0 |
SizeOfCode | 0x7000 |
SizeOfInitializedData | 0x352000 |
SizeOfUninitializedData | 0 |
AddressOfEntryPoint | 0x000077BA (Section: .text) |
BaseOfCode | 0x1000 |
BaseOfData | 0x8000 |
ImageBase | 0x400000 |
SectionAlignment | 0x1000 |
FileAlignment | 0x1000 |
OperatingSystemVersion | 4.0 |
ImageVersion | 0.0 |
SubsystemVersion | 4.0 |
Win32VersionValue | 0 |
SizeOfImage | 0x35a000 |
SizeOfHeaders | 0x1000 |
Checksum | 0 |
Subsystem | IMAGE_SUBSYSTEM_WINDOWS_GUI |
SizeofStackReserve | 0x100000 |
SizeofStackCommit | 0x1000 |
SizeofHeapReserve | 0x100000 |
SizeofHeapCommit | 0x1000 |
LoaderFlags | 0 |
NumberOfRvaAndSizes | 16 |
KERNEL32.dll | GetFileAttributesW GetFileSizeEx CreateFileA InitializeCriticalSection DeleteCriticalSection ReadFile GetFileSize WriteFile LeaveCriticalSection EnterCriticalSection SetFileAttributesW SetCurrentDirectoryW CreateDirectoryW GetTempPathW GetWindowsDirectoryW GetFileAttributesA SizeofResource LockResource LoadResource MultiByteToWideChar Sleep OpenMutexA GetFullPathNameA CopyFileA GetModuleFileNameA VirtualAlloc VirtualFree FreeLibrary HeapAlloc GetProcessHeap GetModuleHandleA SetLastError VirtualProtect IsBadReadPtr HeapFree SystemTimeToFileTime LocalFileTimeToFileTime CreateDirectoryA GetStartupInfoA SetFilePointer SetFileTime GetComputerNameW GetCurrentDirectoryA SetCurrentDirectoryA GlobalAlloc LoadLibraryA GetProcAddress GlobalFree CreateProcessA CloseHandle WaitForSingleObject TerminateProcess GetExitCodeProcess FindResourceA |
---|---|
USER32.dll | wsprintfA |
ADVAPI32.dll | CreateServiceA OpenServiceA StartServiceA CloseServiceHandle CryptReleaseContext RegCreateKeyW RegSetValueExA RegQueryValueExA RegCloseKey OpenSCManagerA |
MSVCRT.dll | realloc fclose fwrite fread fopen sprintf rand srand strcpy memset strlen wcscat wcslen __CxxFrameHandler ??3@YAXPAX@Z memcmp _except_handler3 _local_unwind2 wcsrchr swprintf ??2@YAPAXI@Z memcpy strcmp strrchr __p___argv __p___argc _stricmp free malloc ??0exception@@QAE@ABV0@@Z ??1exception@@UAE@XZ ??0exception@@QAE@ABQBD@Z _CxxThrowException calloc strcat _mbsstr ??1type_info@@UAE@XZ _exit _XcptFilter exit _acmdln __getmainargs _initterm __setusermatherr _adjust_fdiv __p__commode __p__fmode __set_app_type _controlfp |
XOR Key | 0x8254a4a4 |
---|---|
Unmarked objects | 0 |
12 (7291) | 2 |
C++ objects (8047) | 1 |
14 (7299) | 4 |
C objects (8047) | 11 |
Linker (8047) | 4 |
Imports (VS2003 (.NET) build 4035) | 13 |
Total imports | 163 |
C++ objects (VS98 SP6 build 8804) | 7 |
Resource objects (VS98 SP6 cvtres build 1736) | 1 |