py_ransomeware_report

  1. Report For sample.exe
  2. *********************
  3.  
  4. file size 0x60248b (NOTE: the last section ends at file offset 0x287800, so roughly 0x37ac8b bytes of overlay follow the PE image. That data is not described by the section table and must be carved and inspected separately; py2exe-style builds commonly append a zip archive of the bundled Python modules there.)
  5. full path /home/dreamer/Desktop/work/malware analysers/sample.exe
  6.  
  7. Section Table
  8. *************
  9. 1. .text 2. .rdata 3. .data 4. .rsrc
  10. -----------------------------------------------------------------------------------------
  11. Entropy 6.22 4.98 4.59 6.72
  12. Pointer To Raw Data 0x400 0x2600 0x3000 0x3c00
  13. Size Of Raw Data 0x2200 0xa00 0xc00 0x283c00
  14. Physical End 0x2600 0x3000 0x3c00 0x287800
  15. Virtual Address 0x1000 0x4000 0x5000 0x7000
  16. Virtual Size 0x21b4 0x9d2 0x16a8 0x283abc
  17. -> actual virtual size 0x3000 0x1000 0x2000 0x284000
  18. Pointer To Relocations 0x0 0x0 0x0 0x0
  19. Number Of Relocations 0x0 0x0 0x0 0x0
  20. Pointer To Line Numbers 0x0 0x0 0x0 0x0
  21. Number Of Line Numbers 0x0 0x0 0x0 0x0
  22. Code x
  23. Initialized Data x x x
  24. Execute x
  25. Read x x x x
  26. Write x
  27.  
  28. MSDOS Header
  29. ************
  30.  
  31. description value file offset
  32. ---------------------------------------------------------------------
  33. signature word 0x5a4d 0x0
  34. last page size 0x90 0x2
  35. file pages 0x3 0x4
  36. relocation items 0x0 0x6
  37. header paragraphs 0x4 0x8
  38. minimum number of paragraphs allocated 0x0 0xa
  39. maximum number of paragraphs allocated 0xffff 0xc
  40. initial SS value 0x0 0xe
  41. initial SP value 0xb8 0x10
  42. complemented checksum 0x0 0x12
  43. initial IP value 0x0 0x14
  44. pre-relocated initial CS value 0x0 0x16
  45. relocation table offset 0x40 0x18
  46. overlay number 0x0 0x1a
  47. Reserved word 0x1c 0x0 0x1c
  48. Reserved word 0x1e 0x0 0x1e
  49. Reserved word 0x20 0x0 0x20
  50. Reserved word 0x22 0x0 0x22
  51. OEM identifier 0x0 0x24
  52. OEM information 0x0 0x26
  53. Reserved word 0x28 0x0 0x28
  54. Reserved word 0x2a 0x0 0x2a
  55. Reserved word 0x2c 0x0 0x2c
  56. Reserved word 0x2e 0x0 0x2e
  57. Reserved word 0x30 0x0 0x30
  58. Reserved word 0x32 0x0 0x32
  59. Reserved word 0x34 0x0 0x34
  60. Reserved word 0x36 0x0 0x36
  61. Reserved word 0x38 0x0 0x38
  62. Reserved word 0x3a 0x0 0x3a
  63. PE signature offset 0xf0 0x3c
  64.  
  65. COFF File Header
  66. ****************
  67.  
  68. time date stamp 10 Nov, 2008 3:10:35 PM (rendered in the analyst's local time zone; the raw value 0x49180193 is 2008-11-10 09:40:35 UTC. A PE timestamp is attacker-controllable, but this one agrees with linker version 9.0 and the MSVCR90 / VC90.CRT dependency, i.e. a Visual Studio 2008 build, so it most likely dates the reusable loader stub rather than the payload script.)
  69. machine type Intel 386 or later processors and compatible processors
  70. characteristics * Image only, Windows CE, and Windows NT and later.
  71. * Image only.
  72. * Machine is based on a 32-bit-word architecture.
  73.  
  74. description value file offset
  75. -------------------------------------------------------------------
  76. machine type 0x14c 0xf4
  77. number of sections 0x4 0xf6
  78. time date stamp 0x49180193 0xf8
  79. pointer to symbol table (deprecated) 0x0 0xfc
  80. number of symbols (deprecated) 0x0 0x100
  81. size of optional header 0xe0 0x104
  82. characteristics 0x103 0x106
  83.  
  84. Optional Header
  85. ***************
  86.  
  87. Magic Number: PE32, normal executable file
  88. Entry Point is in section 1 with name .text
  89. DLL Characteristics * Terminal Server aware. (raw value 0x8000 only: DYNAMIC_BASE/ASLR, NX_COMPAT/DEP and NO_SEH are all clear. With relocations stripped the image always maps at 0x400000, so every RVA in this report translates to a fixed virtual address.)
  90. Subsystem: The Windows graphical user interface (GUI) subsystem
  91.  
  92. standard field value file offset
  93. -----------------------------------------------------------------------
  94. magic number 0x10b 0x108
  95. major linker version 0x9 0x10a
  96. minor linker version 0x0 0x10b
  97. size of code 0x2200 0x10c
  98. size of initialized data 0x285200 0x110
  99. size of uninitialized data 0x0 0x114
  100. address of entry point 0x2c61 0x118
  101. address of base of code 0x1000 0x11c
  102. address of base of data 0x4000 0x120
  103.  
  104. windows field value file offset
  105. -----------------------------------------------------------------------
  106. image base 0x400000 0x124
  107. section alignment in bytes 0x1000 0x128
  108. file alignment in bytes 0x200 0x12c
  109. major operating system version 0x5 0x130
  110. minor operating system version 0x0 0x132
  111. major image version 0x0 0x134
  112. minor image version 0x0 0x136
  113. major subsystem version 0x5 0x138
  114. minor subsystem version 0x0 0x13a
  115. win32 version value (reserved) 0x0 0x13c
  116. size of image in bytes 0x28b000 0x140
  117. size of headers 0x400 0x144
  118. checksum 0x13334 0x148
  119. subsystem 0x2 0x14c
  120. dll characteristics 0x8000 0x14e
  121. size of stack reserve 0x100000 0x150
  122. size of stack commit 0x1000 0x154
  123. size of heap reserve 0x100000 0x158
  124. size of heap commit 0x1000 0x15c
  125. loader flags (reserved) 0x0 0x160
  126. number of rva and sizes 0x10 0x164
  127.  
  128. data directory rva -> offset size in section file offset
  129. -------------------------------------------------------------------------------------------------------------
  130. import table 0x426c 0x286c 0x50 2 .rdata 0x170
  131. resource table 0x7000 0x3c00 0x283abc 4 .rsrc 0x178
  132. load config table 0x41a0 0x27a0 0x40 2 .rdata 0x1b8
  133. IAT 0x4000 0x2600 0x178 2 .rdata 0x1c8
  134.  
  135. Imports
  136. *******
  137.  
  138. USER32.dll
  139. ----------
  140. [Keyboard Input]
  141. rva: 0x4428, va: 0x404428, hint: 292, name: GetFocus -> no description
  142.  
  143. [Dialog Box]
  144. rva: 0x442c, va: 0x40442c, hint: 504, name: MessageBoxA -> no description (va = image base 0x400000 + rva)
  145.  
  146.  
  147. MSVCR90.dll
  148. -----------
  149. [Other]
  150. rva: 0x4368, va: 0x404368, hint: 796, name: _onexit
  151. rva: 0x436c, va: 0x40436c, hint: 352, name: _decode_pointer
  152. rva: 0x4370, va: 0x404370, hint: 630, name: _lock
  153. rva: 0x4374, va: 0x404374, hint: 523, name: _invoke_watson
  154. rva: 0x4378, va: 0x404378, hint: 918, name: _strdup
  155. rva: 0x437c, va: 0x40437c, hint: 331, name: _crt_debugger_hook
  156. rva: 0x4380, va: 0x404380, hint: 150, name: __dllonexit
  157. rva: 0x4384, va: 0x404384, hint: 998, name: _unlock
  158. rva: 0x4388, va: 0x404388, hint: 67, name: ?terminate@@YAXXZ
  159. rva: 0x438c, va: 0x40438c, hint: 224, name: __set_app_type
  160. rva: 0x4390, va: 0x404390, hint: 362, name: _encode_pointer
  161. rva: 0x4394, va: 0x404394, hint: 207, name: __p__fmode
  162. rva: 0x4398, va: 0x404398, hint: 203, name: __p__commode
  163. rva: 0x439c, va: 0x40439c, hint: 267, name: _adjust_fdiv
  164. rva: 0x43a0, va: 0x4043a0, hint: 227, name: __setusermatherr
  165. rva: 0x43a4, va: 0x4043a4, hint: 316, name: _configthreadlocale
  166. rva: 0x43a8, va: 0x4043a8, hint: 517, name: _initterm_e
  167. rva: 0x43ac, va: 0x4043ac, hint: 516, name: _initterm
  168. rva: 0x43b0, va: 0x4043b0, hint: 253, name: _acmdln
  169. rva: 0x43b4, va: 0x4043b4, hint: 1228, name: exit
  170. rva: 0x43b8, va: 0x4043b8, hint: 549, name: _ismbblead
  171. rva: 0x43bc, va: 0x4043bc, hint: 102, name: _XcptFilter
  172. rva: 0x43c0, va: 0x4043c0, hint: 380, name: _exit
  173. rva: 0x43c4, va: 0x4043c4, hint: 300, name: _cexit
  174. rva: 0x43c8, va: 0x4043c8, hint: 159, name: __getmainargs
  175. rva: 0x43cc, va: 0x4043cc, hint: 277, name: _amsg_exit
  176. rva: 0x43d0, va: 0x4043d0, hint: 1338, name: realloc
  177. rva: 0x43d4, va: 0x4043d4, hint: 1217, name: bsearch
  178. rva: 0x43d8, va: 0x4043d8, hint: 1333, name: qsort
  179. rva: 0x43dc, va: 0x4043dc, hint: 1322, name: memset
  180. rva: 0x43e0, va: 0x4043e0, hint: 1318, name: memcpy
  181. rva: 0x43e4, va: 0x4043e4, hint: 1244, name: fprintf
  182. rva: 0x43e8, va: 0x4043e8, hint: 161, name: __iob_func
  183. rva: 0x43ec, va: 0x4043ec, hint: 1344, name: setbuf
  184. rva: 0x43f0, va: 0x4043f0, hint: 1268, name: getenv
  185. rva: 0x43f4, va: 0x4043f4, hint: 1215, name: atoi
  186. rva: 0x43f8, va: 0x4043f8, hint: 1307, name: malloc
  187. rva: 0x43fc, va: 0x4043fc, hint: 1252, name: free
  188. rva: 0x4400, va: 0x404400, hint: 1370, name: strncmp
  189. rva: 0x4404, va: 0x404404, hint: 1375, name: strrchr
  190. rva: 0x4408, va: 0x404408, hint: 138, name: __argv
  191. rva: 0x440c, va: 0x40440c, hint: 137, name: __argc
  192. rva: 0x4410, va: 0x404410, hint: 1371, name: strncpy
  193. rva: 0x4414, va: 0x404414, hint: 873, name: _snprintf
  194. rva: 0x4418, va: 0x404418, hint: 922, name: _stricmp
  195. rva: 0x441c, va: 0x40441c, hint: 371, name: _except_handler4_common
  196. rva: 0x4420, va: 0x404420, hint: 319, name: _controlfp_s
  197.  
  198.  
  199. KERNEL32.dll
  200. ------------
  201. [Error Handling]
  202. rva: 0x42f8, va: 0x4042f8, hint: 1012, name: SetLastError -> Sets the last-error code for the calling thread.
  203. rva: 0x4350, va: 0x404350, hint: 487, name: GetLastError -> Retrieves the calling thread's last-error code value.
  204. rva: 0x4354, va: 0x404354, hint: 328, name: FormatMessageA -> Formats a message string.
  205.  
  206. [Memory Management] <Virtual Memory>
  207. rva: 0x4304, va: 0x404304, hint: 1121, name: VirtualFree -> Releases or decommits a region of pages within the virtual address space of the calling process.
  208. rva: 0x4308, va: 0x404308, hint: 1124, name: VirtualProtect -> Changes the access protection on a region of committed pages in the virtual address space of the calling process.
  209. rva: 0x430c, va: 0x40430c, hint: 1118, name: VirtualAlloc -> Reserves or commits a region of pages in the virtual address space of the calling process.
  210.  
  211. [Dynamic-Link Library]
  212. rva: 0x4310, va: 0x404310, hint: 333, name: FreeLibrary -> Decrements the reference count of the loaded DLL. When the reference count reaches zero, the module is unmapped from the address space of the calling process.
  213. rva: 0x4314, va: 0x404314, hint: 503, name: GetModuleHandleA -> Retrieves a module handle for the specified module.
  214. rva: 0x4320, va: 0x404320, hint: 758, name: LoadLibraryA -> Maps the specified executable module into the address space of the calling process.
  215. rva: 0x4324, va: 0x404324, hint: 546, name: GetProcAddress -> Retrieves the address of an exported function or variable from the specified DLL.
  216. rva: 0x434c, va: 0x40434c, hint: 501, name: GetModuleFileNameA -> Retrieves the fully qualified path for the file containing the specified module.
  217.  
  218. [Synchronization] <Interlocked>
  219. rva: 0x42e4, va: 0x4042e4, hint: 703, name: InterlockedCompareExchange -> Performs an atomic compare-and-exchange operation on the specified values. The function compares two specified 32-bit values and exchanges with another 32-bit value based on the outcome of the comparison.
  220. rva: 0x42ec, va: 0x4042ec, hint: 706, name: InterlockedExchange -> Sets a 32-bit variable to the specified value as an atomic operation.
  221.  
  222. [Resource]
  223. rva: 0x4340, va: 0x404340, hint: 311, name: FindResourceA -> no description
  224. rva: 0x4344, va: 0x404344, hint: 763, name: LoadResource -> no description
  225. rva: 0x4348, va: 0x404348, hint: 780, name: LockResource -> no description
  226.  
  227. [String]
  228. rva: 0x435c, va: 0x40435c, hint: 1215, name: lstrlenA -> no description
  229.  
  230. [Structured Exception Handling]
  231. rva: 0x42dc, va: 0x4042dc, hint: 1055, name: SetUnhandledExceptionFilter -> Enables an application to supersede the top-level exception handler of each thread and process.
  232. rva: 0x4360, va: 0x404360, hint: 1096, name: UnhandledExceptionFilter -> Passes unhandled exceptions to the debugger, if the process is being debugged.
  233.  
  234. [Debugging]
  235. rva: 0x42bc, va: 0x4042bc, hint: 726, name: IsDebuggerPresent -> Determines whether the calling process is being debugged by a user-mode debugger. (Imported alongside _crt_debugger_hook, _invoke_watson and SetUnhandledExceptionFilter; this combination is the normal VC9 CRT startup/error-reporting set, so on its own it is not evidence of deliberate anti-debugging.)
  236. rva: 0x4318, va: 0x404318, hint: 831, name: OutputDebugStringA -> Sends a string to the debugger for display.
  237.  
  238. [Time] <Windows Time>
  239. rva: 0x42d4, va: 0x4042d4, hint: 618, name: GetTickCount -> Retrieves the number of milliseconds that have elapsed since the system was started, up to 49.7 days. (Together with QueryPerformanceCounter, GetSystemTimeAsFileTime, GetCurrentProcessId and GetCurrentThreadId this is the usual input set for the VC CRT's /GS security-cookie initialisation, not by itself a timing-based evasion indicator.)
  240.  
  241. [Process and Thread] <Process>
  242. rva: 0x42c0, va: 0x4042c0, hint: 426, name: GetCurrentProcess -> Retrieves a pseudo handle for the current process.
  243. rva: 0x42c4, va: 0x4042c4, hint: 1079, name: TerminateProcess -> Terminates the specified process and all of its threads.
  244. rva: 0x42cc, va: 0x4042cc, hint: 427, name: GetCurrentProcessId -> Retrieves the process identifier of the calling process.
  245. rva: 0x42e0, va: 0x4042e0, hint: 572, name: GetStartupInfoA -> Retrieves the contents of the STARTUPINFO structure that was specified when the calling process was created.
  246.  
  247. [Memory Management] <Heap>
  248. rva: 0x42f0, va: 0x4042f0, hint: 674, name: HeapAlloc -> Allocates a block of memory from a heap.
  249. rva: 0x42fc, va: 0x4042fc, hint: 550, name: GetProcessHeap -> Obtains a handle to the heap of the calling process.
  250. rva: 0x4300, va: 0x404300, hint: 678, name: HeapFree -> Frees a memory block allocated from a heap.
  251.  
  252. [Memory Management] <Global and Local>
  253. rva: 0x4358, va: 0x404358, hint: 770, name: LocalFree -> no description
  254.  
  255. [Process and Thread] <Thread>
  256. rva: 0x42d0, va: 0x4042d0, hint: 430, name: GetCurrentThreadId -> Retrieves the thread identifier of the calling thread.
  257. rva: 0x42e8, va: 0x4042e8, hint: 1067, name: Sleep -> Suspends the execution of the current thread for a specified interval.
  258.  
  259. [Memory Management] <File Mapping>
  260. rva: 0x4328, va: 0x404328, hint: 1099, name: UnmapViewOfFile -> Unmaps a mapped view of a file from the calling process's address space.
  261. rva: 0x4334, va: 0x404334, hint: 122, name: CreateFileMappingA -> Creates or opens a named or unnamed file mapping object for a specified file.
  262. rva: 0x433c, va: 0x40433c, hint: 783, name: MapViewOfFile -> Maps a view of a file mapping into the address space of a calling process.
  263.  
  264. [Memory Management] <Obsolete>
  265. rva: 0x42f4, va: 0x4042f4, hint: 717, name: IsBadReadPtr -> no description
  266.  
  267. [File Management]
  268. rva: 0x431c, va: 0x40431c, hint: 477, name: GetFullPathNameA -> Retrieves the full path and file name of the specified file.
  269. rva: 0x432c, va: 0x40432c, hint: 121, name: CreateFileA -> Creates or opens a file or I/O device. The most commonly used I/O devices are as follows: file, file stream, directory, physical disk, volume, console buffer, tape drive, communications resource, mailslot, and pipe.
  270. rva: 0x4330, va: 0x404330, hint: 469, name: GetFileSize -> Retrieves the size of the specified file, in bytes.
  271.  
  272. [Time] <File Time>
  273. rva: 0x42c8, va: 0x4042c8, hint: 595, name: GetSystemTimeAsFileTime -> Retrieves the current system date and time in UTC format.
  274.  
  275. [System Information]
  276. rva: 0x42d8, va: 0x4042d8, hint: 857, name: QueryPerformanceCounter -> Retrieves the current value of the high-resolution performance counter.
  277.  
  278. [Handle and Object]
  279. rva: 0x4338, va: 0x404338, hint: 68, name: CloseHandle -> Closes an open object handle.
  280.  
  281.  
  282. Resources
  283. *********
  284.  
  285. offset: 0x3d64, size: 0x282600, language -> ID: 0, name -> ID: 1, type -> PYTHON27.DLL, signatures: ZoneAlarm data file (14 bytes), Acrobat plug-in (8 bytes), DirectShow filter (8 bytes), Audition graphic filter (8 bytes) [the signature hits are short byte-pattern matches and should be disregarded. A ~2.6 MB resource of custom type PYTHON27.DLL, combined with the FindResource/LoadResource/LockResource, VirtualAlloc/VirtualProtect and LoadLibraryA/GetProcAddress imports above, is consistent with a py2exe-built loader stub that maps an embedded Python 2.7 runtime out of its own resources.]
  286. offset: 0x286364, size: 0xef8, language -> ID: 0, name -> ID: 1, type -> PYTHONSCRIPT [the payload logic most likely lives here and in the appended overlay rather than in the 0x2200-byte .text section: extract this resource and recover the Python source from the marshalled code objects instead of reversing the native stub.]
  287. offset: 0x28725c, size: 0x208, language -> ID: 0, name -> ID: 1, type -> ID: RT_VERSION
  288. offset: 0x287464, size: 0x256, language -> ID: 0, name -> ID: 1, type -> ID: RT_MANIFEST
  289.  
  290. Manifest
  291. ********
  292.  
  293. <assembly xmlns="urn:schemas-microsoft-com:asm.v1" manifestVersion="1.0">
  294. <trustInfo xmlns="urn:schemas-microsoft-com:asm.v3">
  295. <security>
  296. <requestedPrivileges>
  297. <requestedExecutionLevel level="asInvoker" uiAccess="false"></requestedExecutionLevel>
  298. </requestedPrivileges>
  299. </security>
  300. </trustInfo>
  301. <dependency>
  302. <dependentAssembly>
  303. <assemblyIdentity type="win32" name="Microsoft.VC90.CRT" version="9.0.21022.8" processorArchitecture="x86" publicKeyToken="1fc8b3b9a1e18e3b"></assemblyIdentity>
  304. </dependentAssembly>
  305. </dependency>
  306. </assembly>
  307.  
  308. Version Information
  309. *******************
  310.  
  311. VS_FIXEDFILEINFO
  312. ----------------
  313. signature: 0xfeef04bd
  314. binary version: 1.0
  315. file version: 65536.0
  316. product version: 65536.1
  317. file flags mask: 0x3f
  318. file flags: 0x0
  319. file OS: Windows NT, 32-bit Windows
  320. file type: application
  321. file subtype: 0
  322. file date: 0.0
  323.  
  324. StringFileInfo
  325. ---------------
  326. language ID: 0x0409
  327. code page: 0x04B0
  328. FileDescription: Totally not bad.