ReversingLabs A1000 v2
This Integration is part of the ReversingLabs A1000 Pack.#
Supported versions
Supported Cortex XSOAR versions: 5.5.0 and later.
ReversingLabs A1000 advanced Malware Analysis Platform.
Configure ReversingLabs A1000 v2 on Cortex XSOAR#
Navigate to Settings > Integrations > Servers & Services.
Search for ReversingLabs A1000 v2.
Click Add instance to create and configure a new integration instance.
Parameter Required ReversingLabs A1000 instance URL True API Token True Verify host certificates False Reliability False Wait time between report fetching retries (seconds). Deafult is 2 seconds. False Number of report fetching retries. Default is 30. False HTTP proxy address with the protocol and port number. False HTTP proxy username False HTTP proxy password False HTTPS proxy address with the protocol and port number. False HTTPS proxy username False HTTPS proxy password False
- Click Test to validate the URLs, token, and connection.
Commands#
You can execute these commands from the Cortex XSOAR CLI, as part of an automation, or in a playbook. After you successfully execute a command, a DBot message appears in the War Room with the command details.
reversinglabs-a1000-get-results#
Retrieve sample analysis results
Base Command#
reversinglabs-a1000-get-results
Input#
| Argument Name | Description | Required |
|---|---|---|
| hash | file hash. | Required |
Context Output#
| Path | Type | Description |
|---|---|---|
| File.SHA256 | String | The SHA256 hash of the file. |
| File.SHA1 | String | The SHA1 hash of the file. |
| File.SHA512 | String | The SHA512 hash of the file. |
| File.Name | String | The name of the file. |
| File.EntryID | String | The Entry ID. |
| File.Info | String | Information about the file. |
| File.Type | String | The type of the file. |
| File.MD5 | String | MD5 hash of the file. |
| DBotScore.Score | Number | The actual score. |
| DBotScore.Type | String | The indicator type. |
| DBotScore.Indicator | String | The indicator that was tested. |
| DBotScore.Vendor | String | The vendor used to calculate the score. |
| ReversingLabs.a1000_report | Unknown | A1000 report |
Command example#
!reversinglabs-a1000-get-results hash="a94775deb818a4d68635eeed3d16abc7f7b8bdd6"
Context Example#
{
"DBotScore": {
"Indicator": "a94775deb818a4d68635eeed3d16abc7f7b8bdd6",
"Reliability": "C - Fairly reliable",
"Score": 3,
"Type": "file",
"Vendor": "ReversingLabs A1000 v2"
},
"File": {
"Hashes": [
{
"type": "MD5",
"value": "a322205db6c3b1c451725b84f1d010cc"
},
{
"type": "SHA1",
"value": "a94775deb818a4d68635eeed3d16abc7f7b8bdd6"
},
{
"type": "SHA256",
"value": "d3d8091a287c8aee0ee5c54838540e714f22eef7cbeb65eb2b6af42116f5d5f2"
}
],
"MD5": "a322205db6c3b1c451725b84f1d010cc",
"Malicious": {
"Description": "antivirus - Win32.Trojan.Delf",
"Vendor": "ReversingLabs A1000 v2"
},
"SHA1": "a94775deb818a4d68635eeed3d16abc7f7b8bdd6",
"SHA256": "d3d8091a287c8aee0ee5c54838540e714f22eef7cbeb65eb2b6af42116f5d5f2"
},
"InfoFile": {
"EntryID": "7503@08d0efc0-7fc6-4c26-8ae9-f3bfc7b92a59",
"Info": "text/plain",
"Name": "A1000 report file",
"Size": 13174,
"Type": "ASCII text"
},
"ReversingLabs": {
"a1000_report": {
"count": 1,
"next": null,
"previous": null,
"results": [
{
"aliases": [
"aeb8cb59f158ca853a41c55ca3cfa14c0bf1baad.rl.zip"
],
"category": "archive",
"classification": "malicious",
"classification_origin": {
"imphash": "c57e34b759dff2e57f71960b2fdb93da",
"md5": "8521e64c683e47c1db64d80577513016",
"sha1": "aeb8cb59f158ca853a41c55ca3cfa14c0bf1baad",
"sha256": "43d51f009bf94707556031b9688e84bb85df2c59854fba8fcb90be6c0d19e1d1",
"sha512": "8a1c9512fa167b938ea31c047a48dd6ec36d9b22443bc4ee6b97a116e16ff33427645ac76349f531cd9a672b4fffc3c4c92d1c82d2a71241915c1499336fd221"
},
"classification_reason": "antivirus",
"classification_result": "Win32.Trojan.Delf",
"classification_source": 513,
"extracted_file_count": 85,
"file_size": 607237,
"file_subtype": "Archive",
"file_type": "Binary",
"id": 3065,
"identification_name": "ZIP",
"identification_version": "Generic",
"local_first_seen": "2022-12-19T11:39:10.929115Z",
"local_last_seen": "2023-06-06T16:02:03.674591Z",
"md5": "a322205db6c3b1c451725b84f1d010cc",
"riskscore": 10,
"sha1": "a94775deb818a4d68635eeed3d16abc7f7b8bdd6",
"sha256": "d3d8091a287c8aee0ee5c54838540e714f22eef7cbeb65eb2b6af42116f5d5f2",
"sha512": "d1fd72d5a52d75f23836016772e8895d901fa5a1cb1f9b25ba455db6cccbd97e9daf43fde4f8bb77b43c0b5c4937405d51dece20cda7fa7db7600715c7769554",
"summary": {
"id": 3065,
"indicators": [
{
"category": 22,
"description": "The file is password-protected or contains a password-protected file.",
"id": 1177,
"priority": 4,
"reasons": [
{
"category": "Tag Match",
"description": "Matched password tag",
"propagated": false
}
],
"relevance": 0
},
{
"category": 22,
"description": "The file is encrypted or contains an encrypted file.",
"id": 1178,
"priority": 4,
"reasons": [
{
"category": "Tag Match",
"description": "Matched encrypted tag",
"propagated": false
}
],
"relevance": 0
}
],
"sha1": "a94775deb818a4d68635eeed3d16abc7f7b8bdd6",
"unpacking_status": {
"failed": 0,
"partial": 0,
"success": 1
}
},
"tags": {
"ticore": [
"antivirus",
"entropy-high",
"contains-pe",
"indicator-file",
"encrypted",
"password"
],
"user": []
},
"ticloud": {
"classification": "goodware",
"classification_reason": "antivirus",
"classification_result": null,
"first_seen": "2022-12-19T11:39:11Z",
"last_seen": "2023-06-06T16:03:51Z",
"riskscore": 5
},
"ticore": {
"application": {},
"attack": [],
"behaviour": {},
"browser": {},
"certificate": {},
"classification": {
"classification": 3,
"factor": 5,
"propagated": true,
"propagation_source": {
"name": "sha1",
"value": "aeb8cb59f158ca853a41c55ca3cfa14c0bf1baad"
},
"rca_factor": 10,
"result": "Win32.Trojan.Delf",
"scan_results": [
{
"classification": 3,
"factor": 5,
"ignored": false,
"name": "Antivirus (based on the RCA Classify)",
"rca_factor": 10,
"result": "Win32.Trojan.Delf",
"type": 1,
"version": "2.82"
},
{
"classification": 1,
"factor": 5,
"ignored": false,
"name": "Antivirus (based on the RCA Classify)",
"rca_factor": 5,
"result": "",
"type": 1,
"version": "2.73"
}
]
},
"document": {},
"email": {},
"indicators": [
{
"category": 22,
"description": "The file is password-protected or contains a password-protected file.",
"id": 1177,
"priority": 4,
"reasons": [
{
"category": "Tag Match",
"description": "Matched password tag",
"propagated": false
}
],
"relevance": 0
},
{
"category": 22,
"description": "The file is encrypted or contains an encrypted file.",
"id": 1178,
"priority": 4,
"reasons": [
{
"category": "Tag Match",
"description": "Matched encrypted tag",
"propagated": false
}
],
"relevance": 0
}
],
"info": {
"file": {
"entropy": 7.999701516776105,
"file_subtype": "Archive",
"file_type": "Binary",
"hashes": [
{
"name": "md5",
"value": "a322205db6c3b1c451725b84f1d010cc"
},
{
"name": "rha0",
"value": "a94775deb818a4d68635eeed3d16abc7f7b8bdd6"
},
{
"name": "sha1",
"value": "a94775deb818a4d68635eeed3d16abc7f7b8bdd6"
},
{
"name": "sha256",
"value": "d3d8091a287c8aee0ee5c54838540e714f22eef7cbeb65eb2b6af42116f5d5f2"
},
{
"name": "sha512",
"value": "d1fd72d5a52d75f23836016772e8895d901fa5a1cb1f9b25ba455db6cccbd97e9daf43fde4f8bb77b43c0b5c4937405d51dece20cda7fa7db7600715c7769554"
},
{
"name": "ssdeep",
"value": "12288:CugvoBN+tBSSX/56xDYoZOF0rm48uyJAC9HazaUuM2G0kUZpevP:CugO+f/5wP4sT8Dy4a2UuM25kopg"
}
],
"proposed_filename": null,
"size": 607237
},
"identification": {
"author": "ReversingLabs",
"name": "ZIP",
"success": true,
"version": "Generic"
},
"properties": [
{
"name": "totalEntries",
"value": "1"
},
{
"name": "containsEncryptedFiles",
"value": "true"
},
{
"name": "password",
"value": "infected"
},
{
"name": "encryptionType",
"value": "ZipCrypto"
}
],
"statistics": {
"file_stats": [
{
"count": 1,
"identifications": [
{
"count": 1,
"name": "ZIP:Generic"
}
],
"subtype": "Archive",
"type": "Binary"
},
{
"count": 38,
"identifications": [
{
"count": 38,
"name": "IconResource:Generic"
}
],
"subtype": "None",
"type": "Binary"
},
{
"count": 38,
"identifications": [
{
"count": 38,
"name": "ICO:Generic"
}
],
"subtype": "None",
"type": "Image"
},
{
"count": 1,
"identifications": [
{
"count": 1,
"name": "Unknown"
}
],
"subtype": "Exe",
"type": "PE"
},
{
"count": 7,
"identifications": [
{
"count": 7,
"name": "Unknown"
}
],
"subtype": "None",
"type": "Text"
},
{
"count": 1,
"identifications": [
{
"count": 1,
"name": "Unknown"
}
],
"subtype": "XML",
"type": "Text"
}
]
},
"unpacking": {
"status": 2,
"warnings": [
"Contains encrypted entries"
]
}
},
"interesting_strings": [],
"malware": {},
"media": {},
"mobile": {},
"protection": {},
"security": {},
"signatures": null,
"software_package": {},
"story": "This file (SHA1: a94775deb818a4d68635eeed3d16abc7f7b8bdd6) was identified as an encrypted ZIP archive. There are 85 extracted files.",
"strings": [],
"web": {}
}
}
]
}
}
}
Human Readable Output#
ReversingLabs A1000 results for: a94775deb818a4d68635eeed3d16abc7f7b8bdd6#
Type: Binary/Archive
Size: 607237 bytes
MD5: a322205db6c3b1c451725b84f1d010cc
SHA1: a94775deb818a4d68635eeed3d16abc7f7b8bdd6
SHA256: d3d8091a287c8aee0ee5c54838540e714f22eef7cbeb65eb2b6af42116f5d5f2
SHA512: d1fd72d5a52d75f23836016772e8895d901fa5a1cb1f9b25ba455db6cccbd97e9daf43fde4f8bb77b43c0b5c4937405d51dece20cda7fa7db7600715c7769554
ID: 3065
Malware status: malicious
Local first seen: 2022-12-19T11:39:10.929115Z
Local last seen: 2022-12-20T17:37:24.670052Z
First seen: 2022-12-19T11:39:11Z
Last seen: 2022-12-20T17:37:29Z
DBot score: 3
Risk score: 10
Threat name: Win32.Trojan.Delf
Category: archive
Classification origin: {'sha1': 'aeb8cb59f158ca853a41c55ca3cfa14c0bf1baad', 'sha256': '43d51f009bf94707556031b9688e84bb85df2c59854fba8fcb90be6c0d19e1d1', 'sha512': '8a1c9512fa167b938ea31c047a48dd6ec36d9b22443bc4ee6b97a116e16ff33427645ac76349f531cd9a672b4fffc3c4c92d1c82d2a71241915c1499336fd221', 'md5': '8521e64c683e47c1db64d80577513016', 'imphash': 'c57e34b759dff2e57f71960b2fdb93da'}
Classification reason: antivirus
Aliases: aeb8cb59f158ca853a41c55ca3cfa14c0bf1baad.rl.zip
Extracted file count: 85
Identification name: ZIP
Identification version: Generic
reversinglabs-a1000-upload-sample#
Upload sample to A1000 for analysis
Base Command#
reversinglabs-a1000-upload-sample
Input#
| Argument Name | Description | Required |
|---|---|---|
| entryId | The file entry to upload. | Required |
| comment | A comment to add to the file. | Optional |
| tags | List of tags for the file. | Optional |
Context Output#
| Path | Type | Description |
|---|---|---|
| ReversingLabs.a1000_upload_report | Unknown | A1000 report |
Command example#
!reversinglabs-a1000-upload-sample entryId="7469@08d0efc0-7fc6-4c26-8ae9-f3bfc7b92a59" comment="this_is_a_comment" tags="one_tag"
Context Example#
{
"InfoFile": {
"EntryID": "7535@08d0efc0-7fc6-4c26-8ae9-f3bfc7b92a59",
"Info": "text/plain",
"Name": "Upload sample report file",
"Size": 341,
"Type": "ASCII text"
},
"ReversingLabs": {
"a1000_upload_report": {
"code": 201,
"detail": {
"created": "2023-06-06T16:40:33.541071Z",
"filename": "0000a0a549be5b7a95b782d31f73d8f608c4a440",
"href": "/?q=0000a0a549be5b7a95b782d31f73d8f608c4a440",
"id": 150,
"sha1": "0000a0a549be5b7a95b782d31f73d8f608c4a440",
"user": 1
},
"message": "Done."
}
}
}
Human Readable Output#
ReversingLabs A1000 upload sample#
Message: Done. ID: 150 SHA1: 0000a0a549be5b7a95b782d31f73d8f608c4a440 Created: 2023-06-06T16:40:33.541071Z
reversinglabs-a1000-upload-sample-and-get-results#
Upload sample to A1000 and retrieve analysis results
Base Command#
reversinglabs-a1000-upload-sample-and-get-results
Input#
| Argument Name | Description | Required |
|---|---|---|
| entryId | The file entry to upload. | Required |
| comment | A comment to add to the file. | Optional |
| tags | List of tags for the file. | Optional |
Context Output#
| Path | Type | Description |
|---|---|---|
| File.SHA256 | String | The SHA256 hash of the file. |
| File.SHA1 | String | The SHA1 hash of the file. |
| File.SHA512 | String | The SHA512 hash of the file. |
| File.Name | String | The name of the file. |
| File.EntryID | String | The Entry ID. |
| File.Info | String | Information about the file. |
| File.Type | String | The type of the file. |
| File.MD5 | String | MD5 hash of the file. |
| DBotScore.Score | Number | The actual score. |
| DBotScore.Type | String | The indicator type. |
| DBotScore.Indicator | String | The indicator that was tested. |
| DBotScore.Vendor | String | The vendor used to calculate the score. |
| ReversingLabs.a1000_report | Unknown | A1000 report |
Command example#
!reversinglabs-a1000-upload-sample-and-get-results entryId="7469@08d0efc0-7fc6-4c26-8ae9-f3bfc7b92a59" comment="this_is_a_comment" tags="one_tag"
Context Example#
{
"DBotScore": {
"Indicator": "0000a0a549be5b7a95b782d31f73d8f608c4a440",
"Reliability": "C - Fairly reliable",
"Score": 3,
"Type": "file",
"Vendor": "ReversingLabs A1000 v2"
},
"File": {
"Hashes": [
{
"type": "MD5",
"value": "96d17cad51f2b7c817481e5a724c9b3f"
},
{
"type": "SHA1",
"value": "0000a0a549be5b7a95b782d31f73d8f608c4a440"
},
{
"type": "SHA256",
"value": "0b40fb0cef3b557a34a3d7a9cd75d5180099205ccdceb8a73e1dfe73dbd282fd"
}
],
"MD5": "96d17cad51f2b7c817481e5a724c9b3f",
"Malicious": {
"Description": "antivirus - Win32.Browser.StartPage",
"Vendor": "ReversingLabs A1000 v2"
},
"SHA1": "0000a0a549be5b7a95b782d31f73d8f608c4a440",
"SHA256": "0b40fb0cef3b557a34a3d7a9cd75d5180099205ccdceb8a73e1dfe73dbd282fd"
},
"InfoFile": {
"EntryID": "7540@08d0efc0-7fc6-4c26-8ae9-f3bfc7b92a59",
"Info": "text/plain",
"Name": "A1000 report file",
"Size": 200767,
"Type": "ASCII text, with very long lines"
},
"ReversingLabs": {
"a1000_report": {
"count": 1,
"next": null,
"previous": null,
"results": [
{
"aliases": [
"0000a0a549be5b7a95b782d31f73d8f608c4a440"
],
"category": "application",
"classification": "malicious",
"classification_origin": null,
"classification_reason": "antivirus",
"classification_result": "Win32.Browser.StartPage",
"classification_source": 1,
"extracted_file_count": 6,
"file_size": 385774,
"file_subtype": "Exe",
"file_type": "PE",
"id": 5722,
"identification_name": "NSIS",
"identification_version": "Generic",
"local_first_seen": "2023-06-06T16:40:34.604510Z",
"local_last_seen": "2023-06-06T16:40:34.604510Z",
"md5": "96d17cad51f2b7c817481e5a724c9b3f",
"riskscore": 9,
"sha1": "0000a0a549be5b7a95b782d31f73d8f608c4a440",
"sha256": "0b40fb0cef3b557a34a3d7a9cd75d5180099205ccdceb8a73e1dfe73dbd282fd",
"sha512": "4546796ffd5075fc317549f6522df808f03d0d9e97398243259ed3d1bfb0b108083a2200fff49e4de25c5521eaef751d420763c089327b384feea27dc36d316a",
"summary": {
"id": 5722,
"indicators": [
{
"category": 22,
"description": "Deletes files in Windows system directories.",
"id": 101,
"priority": 7,
"reasons": [
{
"category": "Imported API Name",
"description": "Imports the following function: DeleteFileA",
"propagated": false
},
{
"category": "Imported API Name",
"description": "Imports the following function: GetSystemDirectoryA",
"propagated": false
}
],
"relevance": 0
},
{
"category": 11,
"description": "Requests permission required to shut down a system.",
"id": 990,
"priority": 7,
"reasons": [
{
"category": "Strings",
"description": "Contains the following string: AdjustTokenPrivileges",
"propagated": false
},
{
"category": "Strings",
"description": "Contains the following string: SeShutdownPrivilege",
"propagated": false
}
],
"relevance": 0
},
{
"category": 10,
"description": "Contains lzma compressed PE file.",
"id": 1052,
"priority": 7,
"reasons": [
{
"category": "Pattern Match",
"description": "Found a pattern [3c 2d 57 47 be 2d be 94 bd 8b dc 6f 25 97 af 50 f1 d2 5b 85 52 e1 d4 7c 3d 4c 75 4d a7 1f 1b 73 ed eb 01 c5 71 2f 70 5f b4 25 6f 1e a3 c5 c8 f1 1b bd] that ends at offset 138465",
"propagated": false
}
],
"relevance": 0
},
{
"category": 10,
"description": "Executes a file.",
"id": 21,
"priority": 6,
"reasons": [
{
"category": "Imported API Name",
"description": "Imports the following function: CreateProcessA",
"propagated": false
}
],
"relevance": 0
},
{
"category": 22,
"description": "Writes to files in Windows system directories.",
"id": 99,
"priority": 5,
"reasons": [
{
"category": "Imported API Name",
"description": "Imports the following function: CreateFileA",
"propagated": false
},
{
"category": "Imported API Name",
"description": "Imports the following function: GetSystemDirectoryA",
"propagated": false
},
{
"category": "Imported API Name",
"description": "Imports the following function: WriteFile",
"propagated": false
}
],
"relevance": 0
},
{
"category": 11,
"description": "Tampers with user/account privileges.",
"id": 329,
"priority": 5,
"reasons": [
{
"category": "Strings",
"description": "Contains the following string: AdjustTokenPrivileges",
"propagated": false
}
],
"relevance": 0
},
{
"category": 12,
"description": "Checks operating system version.",
"id": 930,
"priority": 5,
"reasons": [
{
"category": "Imported API Name",
"description": "Imports the following function: GetVersion",
"propagated": false
}
],
"relevance": 0
},
{
"category": 22,
"description": "Creates temporary files.",
"id": 969,
"priority": 5,
"reasons": [
{
"category": "Imported API Name",
"description": "Imports the following function: GetTempFileNameA",
"propagated": false
}
],
"relevance": 0
},
{
"category": 6,
"description": "Contains a reference to ActiveX GUID with the Kill-Bit flag set.",
"id": 1086,
"priority": 5,
"reasons": [
{
"category": "Pattern Match",
"description": "Found a pattern [65 72 5c 51 75 69 63 6b 20 4c 61 75 6e 63 68 00 00 00 ee 14 02 00 00 00 00 00 c0 00 00 00 00 00 00 46 01 14 02 00 00 00 00 00 c0 00 00 00 00 00 00 46] that ends at offset 25492",
"propagated": false
}
],
"relevance": 0
},
{
"category": 22,
"description": "Deletes files.",
"id": 5,
"priority": 4,
"reasons": [
{
"category": "Imported API Name",
"description": "Imports the following function: DeleteFileA",
"propagated": false
}
],
"relevance": 0
},
{
"category": 9,
"description": "Accesses/modifies registry.",
"id": 7,
"priority": 4,
"reasons": [
{
"category": "Imported API Name",
"description": "Imports the following function: RegDeleteValueA",
"propagated": false
},
{
"category": "Strings",
"description": "Contains the following string: RegDeleteKeyExA",
"propagated": false
}
],
"relevance": 0
},
{
"category": 22,
"description": "Creates/opens files in Windows system directories.",
"id": 95,
"priority": 4,
"reasons": [
{
"category": "Imported API Name",
"description": "Imports the following function: CreateFileA",
"propagated": false
},
{
"category": "Imported API Name",
"description": "Imports the following function: GetSystemDirectoryA",
"propagated": false
}
],
"relevance": 0
},
{
"category": 22,
"description": "Reads from files in Windows system directories.",
"id": 97,
"priority": 4,
"reasons": [
{
"category": "Imported API Name",
"description": "Imports the following function: CreateFileA",
"propagated": false
},
{
"category": "Imported API Name",
"description": "Imports the following function: GetSystemDirectoryA",
"propagated": false
},
{
"category": "Imported API Name",
"description": "Imports the following function: ReadFile",
"propagated": false
}
],
"relevance": 0
},
{
"category": 10,
"description": "Tampers with system shutdown.",
"id": 117,
"priority": 4,
"reasons": [
{
"category": "Imported API Name",
"description": "Imports the following function: ExitWindowsEx",
"propagated": false
}
],
"relevance": 0
},
{
"category": 13,
"description": "Enumerates system information.",
"id": 149,
"priority": 4,
"reasons": [
{
"category": "Imported API Name",
"description": "Imports the following function: GetSystemDirectoryA",
"propagated": false
}
],
"relevance": 0
},
{
"category": 0,
"description": "Contains URLs.",
"id": 310,
"priority": 4,
"reasons": [
{
"category": "Strings",
"description": "Contains the following string: http://ailiao.liaoban.com/",
"propagated": false
},
{
"category": "Strings",
"description": "Contains the following string: http://nsis.sf.net/",
"propagated": false
},
{
"category": "Strings",
"description": "Contains the following string: open http://ailiao.liaoban.com/",
"propagated": false
}
],
"relevance": 0
},
{
"category": 22,
"description": "Modifies file/directory attributes.",
"id": 384,
"priority": 4,
"reasons": [
{
"category": "Imported API Name",
"description": "Imports the following function: SetFileAttributesA",
"propagated": false
}
],
"relevance": 0
},
{
"category": 22,
"description": "Copies, moves, renames, or deletes a file system object.",
"id": 965,
"priority": 4,
"reasons": [
{
"category": "Imported API Name",
"description": "Imports the following function: SHFileOperationA",
"propagated": false
}
],
"relevance": 0
},
{
"category": 12,
"description": "Reads paths to special directories on Windows.",
"id": 966,
"priority": 4,
"reasons": [
{
"category": "Imported API Name",
"description": "Imports the following function: SHGetSpecialFolderLocation",
"propagated": false
}
],
"relevance": 0
},
{
"category": 12,
"description": "Reads paths to system directories on Windows.",
"id": 967,
"priority": 4,
"reasons": [
{
"category": "Imported API Name",
"description": "Imports the following function: GetSystemDirectoryA",
"propagated": false
}
],
"relevance": 0
},
{
"category": 12,
"description": "Reads path to temporary file location on Windows.",
"id": 968,
"priority": 4,
"reasons": [
{
"category": "Imported API Name",
"description": "Imports the following function: GetTempPathA",
"propagated": false
}
],
"relevance": 0
},
{
"category": 11,
"description": "Enumerates user/account privilege information.",
"id": 1215,
"priority": 4,
"reasons": [
{
"category": "Strings",
"description": "Contains the following string: LookupPrivilegeValueA",
"propagated": false
}
],
"relevance": 0
},
{
"category": 22,
"description": "Writes to files.",
"id": 3,
"priority": 3,
"reasons": [
{
"category": "Imported API Name",
"description": "Imports the following function: CreateFileA",
"propagated": false
},
{
"category": "Imported API Name",
"description": "Imports the following function: WriteFile",
"propagated": false
}
],
"relevance": 0
},
{
"category": 1,
"description": "Uses anti-debugging methods.",
"id": 9,
"priority": 3,
"reasons": [
{
"category": "Imported API Name",
"description": "Imports the following function: GetTickCount",
"propagated": false
}
],
"relevance": 0
},
{
"category": 7,
"description": "Detects/enumerates process modules.",
"id": 81,
"priority": 3,
"reasons": [
{
"category": "Imported API Name",
"description": "Imports the following function: GetModuleFileNameA",
"propagated": false
}
],
"relevance": 0
},
{
"category": 22,
"description": "Removes a directory.",
"id": 340,
"priority": 3,
"reasons": [
{
"category": "Imported API Name",
"description": "Imports the following function: RemoveDirectoryA",
"propagated": false
}
],
"relevance": 0
},
{
"category": 7,
"description": "Tampers with keyboard/mouse status.",
"id": 381,
"priority": 3,
"reasons": [
{
"category": "Imported API Name",
"description": "Imports the following function: EnableWindow",
"propagated": false
}
],
"relevance": 0
},
{
"category": 22,
"description": "Copies a file.",
"id": 1031,
"priority": 3,
"reasons": [
{
"category": "Imported API Name",
"description": "Imports the following function: CopyFileA",
"propagated": false
}
],
"relevance": 0
},
{
"category": 22,
"description": "Reads from files.",
"id": 1,
"priority": 2,
"reasons": [
{
"category": "Imported API Name",
"description": "Imports the following function: CreateFileA",
"propagated": false
},
{
"category": "Imported API Name",
"description": "Imports the following function: ReadFile",
"propagated": false
}
],
"relevance": 0
},
{
"category": 10,
"description": "Might load additional DLLs and APIs.",
"id": 69,
"priority": 2,
"reasons": [
{
"category": "Imported API Name",
"description": "Imports the following function: GetProcAddress",
"propagated": false
},
{
"category": "Imported API Name",
"description": "Imports the following function: LoadLibraryA",
"propagated": false
}
],
"relevance": 0
},
{
"category": 12,
"description": "Enumerates files.",
"id": 119,
"priority": 2,
"reasons": [
{
"category": "Imported API Name",
"description": "Imports the following function: FindFirstFileA",
"propagated": false
}
],
"relevance": 0
},
{
"category": 13,
"description": "Enumerates system variables.",
"id": 151,
"priority": 2,
"reasons": [
{
"category": "Imported API Name",
"description": "Imports the following function: ExpandEnvironmentStringsA",
"propagated": false
}
],
"relevance": 0
},
{
"category": 22,
"description": "Creates a directory.",
"id": 338,
"priority": 2,
"reasons": [
{
"category": "Imported API Name",
"description": "Imports the following function: CreateDirectoryA",
"propagated": false
}
],
"relevance": 0
},
{
"category": 22,
"description": "Renames files.",
"id": 920,
"priority": 2,
"reasons": [
{
"category": "Imported API Name",
"description": "Imports the following function: MoveFileA",
"propagated": false
}
],
"relevance": 0
},
{
"category": 22,
"description": "Creates/Opens a file.",
"id": 0,
"priority": 1,
"reasons": [
{
"category": "Imported API Name",
"description": "Imports the following function: CreateFileA",
"propagated": false
}
],
"relevance": 0
},
{
"category": 12,
"description": "Contains references to executable file extensions.",
"id": 313,
"priority": 1,
"reasons": [
{
"category": "Strings",
"description": "Contains the following string: $PLUGINSDIR\\SkinBtn.dll",
"propagated": false
}
],
"relevance": 0
},
{
"category": 12,
"description": "Contains references to source code file extensions.",
"id": 314,
"priority": 1,
"reasons": [
{
"category": "Strings",
"description": "Contains the following string: http://ailiao.liaoban.com/xszd/index.html",
"propagated": false
},
{
"category": "Strings",
"description": "Contains the following string: open http://ailiao.liaoban.com/xszd/index.html",
"propagated": false
}
],
"relevance": 0
},
{
"category": 12,
"description": "Contains references to image file extensions.",
"id": 315,
"priority": 1,
"reasons": [
{
"category": "Strings",
"description": "Contains the following string: /IMGID=$PLUGINSDIR\\checkbox1.bmp",
"propagated": false
},
{
"category": "Strings",
"description": "Contains the following string: /IMGID=$PLUGINSDIR\\checkbox2.bmp",
"propagated": false
}
],
"relevance": 0
},
{
"category": 18,
"description": "Accesses clipboard.",
"id": 328,
"priority": 1,
"reasons": [
{
"category": "Capability Match",
"description": "Matched the following application capabilities: Clipboard",
"propagated": false
}
],
"relevance": 0
}
],
"sha1": "0000a0a549be5b7a95b782d31f73d8f608c4a440",
"unpacking_status": {
"failed": 0,
"partial": 0,
"success": 1
}
},
"tags": {
"ticore": [
"antivirus",
"arch-x86",
"capability-execution",
"desktop",
"entropy-high",
"gui",
"ng-antivirus",
"overlay",
"rich-header",
"contains-pe",
"antidebugging",
"capability-filesystem",
"capability-security",
"guid-activex-killbit",
"indicator-anomaly",
"indicator-registry",
"indicator-search",
"indicator-settings",
"string-http",
"indicator-execution",
"indicator-file",
"indicator-network",
"indicator-permissions",
"capability-deprecated",
"privilege-escalation",
"installer",
"stego-compressed"
],
"user": [
"one_tag"
]
},
"ticloud": {
"classification": "malicious",
"classification_reason": "antivirus",
"classification_result": "Win32.Browser.StartPage",
"first_seen": "2014-02-10T18:16:00Z",
"last_seen": "2023-03-06T12:17:51Z",
"riskscore": 9
},
"ticore": {
"application": {
"capabilities": [
[
"clipboard",
true
],
[
"ipc",
true
],
[
"threads",
true
],
[
"processes",
true
],
[
"storage",
true
],
[
"filesystem",
true
],
[
"peripherals",
true
],
[
"user_input",
true
],
[
"hardware_interfaces",
false
],
[
"networking",
false
],
[
"cryptography",
false
],
[
"security",
true
],
[
"system",
true
],
[
"modules",
true
],
[
"memory_management",
true
],
[
"user_interface",
true
],
[
"command_line",
true
],
[
"time_and_date",
true
],
[
"identity",
false
],
[
"monitoring",
true
],
[
"configuration",
true
],
[
"compression",
false
],
[
"multimedia",
true
],
[
"deprecated",
true
],
[
"undocumented",
false
],
[
"application_management",
false
],
[
"service_management",
false
],
[
"messaging",
false
],
[
"protection",
false
],
[
"drivers",
false
]
],
"pe": {
"analysis": {
"analysis_state": 3,
"issues": [
{
"code": 21060,
"count": 1,
"description": "Detected that image_rich_header_t::product list includes no references to linker used to generate object files.",
"name": "WC21060",
"relevance": 0
},
{
"code": 24014,
"count": 4,
"description": "Section virtual size will be automatically rounded up by section alignment value.",
"name": "WC24014",
"relevance": 0
},
{
"code": 31501,
"count": 2,
"description": "Detected that image_rich_header_t::product list includes a reference to an older toolchain version. This outdated compiler version lacks built-in protection from integer based overflow attacks while dynamically allocation memory buffers. Lowers grade to D.",
"name": "SC31501",
"relevance": 0
},
{
"code": 32004,
"count": 1,
"description": "Non-optimal file_header_t::characteristics value. File has relocations stripped, which eliminates the possibility of ASLR being used. Lowers grade to C.",
"name": "SC32004",
"relevance": 0
},
{
"code": 33012,
"count": 1,
"description": "Detected security mitigation policy issue in optional_header_t::dll_characteristics. Data execution prevention feature flag is not set. Lowers grade to D.",
"name": "SC33012",
"relevance": 0
},
{
"code": 33013,
"count": 1,
"description": "Detected security mitigation policy issue in optional_header_t::dll_characteristics. Control flow guard feature flag is not set. Lowers grade to B.",
"name": "SC33013",
"relevance": 0
},
{
"code": 33014,
"count": 1,
"description": "Detected security mitigation policy issue in optional_header_t::dll_characteristics. Address space layout randomization feature flag is not set. Lowers grade to C.",
"name": "SC33014",
"relevance": 0
},
{
"code": 38610,
"count": 1,
"description": "Detected security mitigation policy issue in dll_extended_data_t::flags. The image is not compatible with Intel Control Flow Enforcement Technology. No impact to the final grade at this time.",
"name": "SC38610",
"relevance": 0
},
{
"code": 39194,
"count": 1,
"description": "Detected the use of SDLC banned function kernel32.lstrcpynA. Use of this function is considered unsafe because it's an unbound string operation. Lowers grade to C.",
"name": "SC39194",
"relevance": 0
},
{
"code": 39196,
"count": 1,
"description": "Detected the use of SDLC banned function kernel32.lstrcatA. Use of this function is considered unsafe because it's an unbound string operation. Lowers grade to D.",
"name": "SC39196",
"relevance": 0
},
{
"code": 39200,
"count": 1,
"description": "Detected the use of SDLC banned function user32.wsprintfA. Use of this function is considered unsafe because it's an unbound string operation. Lowers grade to D.",
"name": "SC39200",
"relevance": 0
}
],
"security_grade": 3
},
"dos_header": {
"e_cblp": 144,
"e_cp": 3,
"e_cparhdr": 4,
"e_crlc": 0,
"e_cs": 0,
"e_csum": 0,
"e_ip": 0,
"e_lfanew": 200,
"e_lfarlc": 64,
"e_maxalloc": 65535,
"e_minalloc": 0,
"e_oemid": 0,
"e_oeminfo": 0,
"e_ovno": 0,
"e_res": "0000000000000000",
"e_res2": "0000000000000000000000000000000000000000",
"e_sp": 184,
"e_ss": 0
},
"file_header": {
"characteristics": 271,
"machine": 332,
"number_of_sections": 5,
"number_of_symbols": 0,
"pointer_to_symbol_table": 0,
"size_of_optional_headers": 224,
"time_date_stamp": 1245360803,
"time_date_stamp_decoded": "2009-06-18T21:33:23Z"
},
"imports": [
{
"apis": [
"RegQueryValueExA",
"RegSetValueExA",
"RegEnumKeyA",
"RegEnumValueA",
"RegOpenKeyExA",
"RegDeleteKeyA",
"RegDeleteValueA",
"RegCloseKey",
"RegCreateKeyExA"
],
"name": "ADVAPI32.dll"
},
{
"apis": [
"ImageList_AddMasked",
"ImageList_Destroy",
"0x0011",
"ImageList_Create"
],
"name": "COMCTL32.dll"
},
{
"apis": [
"SetBkColor",
"GetDeviceCaps",
"DeleteObject",
"CreateBrushIndirect",
"CreateFontIndirectA",
"SetBkMode",
"SetTextColor",
"SelectObject"
],
"name": "GDI32.dll"
},
{
"apis": [
"CompareFileTime",
"SearchPathA",
"GetShortPathNameA",
"GetFullPathNameA",
"MoveFileA",
"SetCurrentDirectoryA",
"GetFileAttributesA",
"GetLastError",
"CreateDirectoryA",
"SetFileAttributesA",
"Sleep",
"GetTickCount",
"GetFileSize",
"GetModuleFileNameA",
"GetCurrentProcess",
"CopyFileA",
"ExitProcess",
"GetWindowsDirectoryA",
"SetFileTime",
"GetCommandLineA",
"SetErrorMode",
"LoadLibraryA",
"lstrcpynA",
"GetDiskFreeSpaceA",
"GlobalUnlock",
"GlobalLock",
"CreateThread",
"CreateProcessA",
"RemoveDirectoryA",
"CreateFileA",
"GetTempFileNameA",
"lstrlenA",
"lstrcatA",
"GetSystemDirectoryA",
"GetVersion",
"CloseHandle",
"lstrcmpiA",
"lstrcmpA",
"ExpandEnvironmentStringsA",
"GlobalFree",
"GlobalAlloc",
"WaitForSingleObject",
"GetExitCodeProcess",
"GetModuleHandleA",
"LoadLibraryExA",
"GetProcAddress",
"FreeLibrary",
"MultiByteToWideChar",
"WritePrivateProfileStringA",
"GetPrivateProfileStringA",
"WriteFile",
"ReadFile",
"MulDiv",
"SetFilePointer",
"FindClose",
"FindNextFileA",
"FindFirstFileA",
"DeleteFileA",
"GetTempPathA"
],
"name": "KERNEL32.dll"
},
{
"apis": [
"SHGetPathFromIDListA",
"SHBrowseForFolderA",
"SHGetFileInfoA",
"ShellExecuteA",
"SHFileOperationA",
"SHGetSpecialFolderLocation"
],
"name": "SHELL32.dll"
},
{
"apis": [
"EndDialog",
"ScreenToClient",
"GetWindowRect",
"EnableMenuItem",
"GetSystemMenu",
"SetClassLongA",
"IsWindowEnabled",
"SetWindowPos",
"GetSysColor",
"GetWindowLongA",
"SetCursor",
"LoadCursorA",
"CheckDlgButton",
"GetMessagePos",
"LoadBitmapA",
"CallWindowProcA",
"IsWindowVisible",
"CloseClipboard",
"SetClipboardData",
"EmptyClipboard",
"RegisterClassA",
"TrackPopupMenu",
"AppendMenuA",
"CreatePopupMenu",
"GetSystemMetrics",
"SetDlgItemTextA",
"GetDlgItemTextA",
"MessageBoxIndirectA",
"CharPrevA",
"DispatchMessageA",
"PeekMessageA",
"DestroyWindow",
"CreateDialogParamA",
"SetTimer",
"SetWindowTextA",
"PostQuitMessage",
"SetForegroundWindow",
"wsprintfA",
"SendMessageTimeoutA",
"FindWindowExA",
"SystemParametersInfoA",
"CreateWindowExA",
"GetClassInfoA",
"DialogBoxParamA",
"CharNextA",
"OpenClipboard",
"ExitWindowsEx",
"IsWindow",
"GetDlgItem",
"SetWindowLongA",
"LoadImageA",
"GetDC",
"EnableWindow",
"InvalidateRect",
"SendMessageA",
"DefWindowProcA",
"BeginPaint",
"GetClientRect",
"FillRect",
"DrawTextA",
"EndPaint",
"ShowWindow"
],
"name": "USER32.dll"
},
{
"apis": [
"GetFileVersionInfoSizeA",
"GetFileVersionInfoA",
"VerQueryValueA"
],
"name": "VERSION.dll"
},
{
"apis": [
"CoTaskMemFree",
"OleInitialize",
"OleUninitialize",
"CoCreateInstance"
],
"name": "ole32.dll"
}
],
"optional_header": {
"address_of_entry_point": 12577,
"base_of_code": 4096,
"base_of_data": 28672,
"checksum": 1829480,
"data_directories": [
{
"address": 0,
"size": 0
},
{
"address": 29604,
"size": 180
},
{
"address": 299008,
"size": 97856
},
{
"address": 0,
"size": 0
},
{
"address": 1780448,
"size": 6784
},
{
"address": 0,
"size": 0
},
{
"address": 0,
"size": 0
},
{
"address": 0,
"size": 0
},
{
"address": 0,
"size": 0
},
{
"address": 0,
"size": 0
},
{
"address": 0,
"size": 0
},
{
"address": 0,
"size": 0
},
{
"address": 28672,
"size": 652
},
{
"address": 0,
"size": 0
},
{
"address": 0,
"size": 0
},
{
"address": 0,
"size": 0
}
],
"dll_characteristics": 32768,
"file_alignment": 512,
"image_base": 4194304,
"is_checksum_valid": false,
"loader_flags": 0,
"major_image_version": 6,
"major_linker_version": 6,
"major_os_version": 4,
"major_subsystem_version": 4,
"minor_image_version": 0,
"minor_linker_version": 0,
"minor_os_version": 0,
"minor_subsystem_version": 0,
"number_of_rva_and_sizes": 16,
"section_alignment": 4096,
"size_of_code": 23552,
"size_of_headers": 4096,
"size_of_heap_commit": 4096,
"size_of_heap_reserve": 1048576,
"size_of_image": 397312,
"size_of_initialized_data": 119808,
"size_of_stack_commit": 4096,
"size_of_stack_reserve": 1048576,
"size_of_uninitialized_data": 1024,
"subsystem": 2,
"win32_version_value": 0
},
"resources": [
{
"code_page": 0,
"entropy": 7.985862505328084,
"hashes": [
{
"name": "md5",
"value": "8a4d18bba9b8ac0e19c2f607987d2d91"
},
{
"name": "sha1",
"value": "d8eab701c50233d5df7a7378114ce7a4f50ea02d"
},
{
"name": "sha256",
"value": "1c565b92910b9bb3675f2d4229750edd2d579223b6b48a457fa788641e81919d"
}
],
"language_id": 1033,
"language_id_name": "English - United States",
"name": "1",
"offset": 30896,
"size": 76115,
"type": "RT_ICON"
},
{
"code_page": 0,
"entropy": 5.568665732102147,
"hashes": [
{
"name": "md5",
"value": "074f624ad8bf31d2270ffb16539bef50"
},
{
"name": "sha1",
"value": "f2b72d1097dd653c59bd73d095f3f3460923f112"
},
{
"name": "sha256",
"value": "3d5b9035786114d86687684cbe56370b0b4ad02f6fe623ea963f0bb458d58c90"
}
],
"language_id": 1033,
"language_id_name": "English - United States",
"name": "2",
"offset": 107016,
"size": 9640,
"type": "RT_ICON"
},
{
"code_page": 0,
"entropy": 5.709442226504938,
"hashes": [
{
"name": "md5",
"value": "f221acc077fa64d83684baed47ce3eda"
},
{
"name": "sha1",
"value": "df0039a4eaa334e951be732c27c35426b1eba5a7"
},
{
"name": "sha256",
"value": "fe0266e9ea02050aacef6e5bf6b8ce5468ace3145a5c6341fe4455bc1a62094e"
}
],
"language_id": 1033,
"language_id_name": "English - United States",
"name": "3",
"offset": 116656,
"size": 4264,
"type": "RT_ICON"
},
{
"code_page": 0,
"entropy": 5.828920162711904,
"hashes": [
{
"name": "md5",
"value": "e080fe806bac7bee60192a1d075337cf"
},
{
"name": "sha1",
"value": "322c0d0852972dda236128c5c103d5806860e278"
},
{
"name": "sha256",
"value": "d822f69786b1cf729e3bb0bd8925b5c6800c60808f8df74328f54d4a8c7f8d2c"
}
],
"language_id": 1033,
"language_id_name": "English - United States",
"name": "4",
"offset": 120920,
"size": 2216,
"type": "RT_ICON"
},
{
"code_page": 0,
"entropy": 3.8867394667403925,
"hashes": [
{
"name": "md5",
"value": "98a72af52ec27f1e21dc7662a82f9074"
},
{
"name": "sha1",
"value": "6514ed14e0f11654f6753643e87867b1f3ef265a"
},
{
"name": "sha256",
"value": "e59184b4acc4ca0c45f18a3d1d04b280cf50b27be2e13e45a15c27fcf2717ede"
}
],
"language_id": 1033,
"language_id_name": "English - United States",
"name": "5",
"offset": 123136,
"size": 1384,
"type": "RT_ICON"
},
{
"code_page": 0,
"entropy": 5.839608667526498,
"hashes": [
{
"name": "md5",
"value": "fa5241aafb845894790530b60497cb2a"
},
{
"name": "sha1",
"value": "278687d81bc60d4c3387d4066da28e0c3df8c06a"
},
{
"name": "sha256",
"value": "7e3e2b0943722049773d5608fca398c0b9c5db9a0f7d600c700f110a0c2e3999"
}
],
"language_id": 1033,
"language_id_name": "English - United States",
"name": "6",
"offset": 124520,
"size": 1128,
"type": "RT_ICON"
},
{
"code_page": 0,
"entropy": 3.8709246515797724,
"hashes": [
{
"name": "md5",
"value": "f8b6c2299c0954392c2d0725c55d37fc"
},
{
"name": "sha1",
"value": "c8d5923ca2bfeaea8f6b5744fa29ab07fc91a684"
},
{
"name": "sha256",
"value": "0ad1e776378969726d2cec8310e8384838951bfec73d8c17b2fc0937c38f1b30"
}
],
"language_id": 1033,
"language_id_name": "English - United States",
"name": "7",
"offset": 125648,
"size": 744,
"type": "RT_ICON"
},
{
"code_page": 0,
"entropy": 3.341242211670808,
"hashes": [
{
"name": "md5",
"value": "f58a53c67d602cee2e1a3b1e1d2f5cea"
},
{
"name": "sha1",
"value": "a13170e3da473da7f2a7376691c0fba13f0d16bc"
},
{
"name": "sha256",
"value": "6090b9cd90ee016a86735a381195f754847fe06e993cf292e910165943a18dc9"
}
],
"language_id": 1033,
"language_id_name": "English - United States",
"name": "8",
"offset": 126392,
"size": 296,
"type": "RT_ICON"
},
{
"code_page": 0,
"entropy": 2.6873340555785346,
"hashes": [
{
"name": "md5",
"value": "c0c4f9be63c9d286b8d1265977ac9d86"
},
{
"name": "sha1",
"value": "f9c0d915ded3ea188f342d0e5341e67701eed813"
},
{
"name": "sha256",
"value": "349420ba5b5de0b0081e96a686c826e0f409f2f3413f2e9fb7e6f71cb544c325"
}
],
"language_id": 1033,
"language_id_name": "English - United States",
"name": "105",
"offset": 126688,
"size": 494,
"type": "RT_DIALOG"
},
{
"code_page": 0,
"entropy": 2.930400865292582,
"hashes": [
{
"name": "md5",
"value": "2497a44fff8b76b5129662b60a617c85"
},
{
"name": "sha1",
"value": "f73bd7c9caa4c1f7a0e4840d69b0accdc6d167a0"
},
{
"name": "sha256",
"value": "a10617b39293152a65ad5c91ca4f35135845c7b785e3a582e58f6c8229045b85"
}
],
"language_id": 1033,
"language_id_name": "English - United States",
"name": "111",
"offset": 127184,
"size": 218,
"type": "RT_DIALOG"
},
{
"code_page": 0,
"entropy": 2.7791801352986436,
"hashes": [
{
"name": "md5",
"value": "3b779b7b3d2821ed9692dd7bd894b5f7"
},
{
"name": "sha1",
"value": "a175950a5287742555de01a06aec0644f4dbcdac"
},
{
"name": "sha256",
"value": "81be2a95c48e3aba71a2de5dfd57cab07acf582cc17aa574dc53e1b68d886180"
}
],
"language_id": 1033,
"language_id_name": "English - United States",
"name": "103",
"offset": 127408,
"size": 118,
"type": "RT_GROUP_ICON"
},
{
"code_page": 0,
"entropy": 5.106089527314914,
"hashes": [
{
"name": "md5",
"value": "efed251ab209699bd9e66be7265f34c2"
},
{
"name": "sha1",
"value": "67ad91d74057843c0888dd2f49e2e503672b573d"
},
{
"name": "sha256",
"value": "21c97d123cc0d703224d1c64b197f6322f7896999ca0b389df18f98192e6ece7"
}
],
"language_id": 1033,
"language_id_name": "English - United States",
"name": "1",
"offset": 127528,
"size": 533,
"type": "RT_MANIFEST"
}
],
"rich_header": {
"checksum": 3520932213,
"entries": [
{
"counter": 2,
"product": 95,
"tooling": 1,
"version": 4035
},
{
"counter": 155,
"product": 1,
"tooling": 7,
"version": 0
},
{
"counter": 17,
"product": 93,
"tooling": 7,
"version": 4035
},
{
"counter": 10,
"product": 10,
"tooling": 1,
"version": 8168
},
{
"counter": 1,
"product": 6,
"tooling": 10,
"version": 1735
}
],
"offset": 128,
"size": 72
},
"sections": [
{
"entropy": 6.403453617755809,
"flags": 1610612768,
"hashes": [
{
"name": "md5",
"value": "092e164daa50385128d3c5b319373035"
},
{
"name": "sha1",
"value": "2eb99403e1719d12eac2774ec4022c70b5c9c3a3"
},
{
"name": "sha256",
"value": "13817fd13c9476480b664e19137f80df23125cc031e655d7c91184ba9c992c6c"
}
],
"name": ".text",
"physical_base": 1024,
"physical_size": 23552,
"relative_base": 4096,
"relative_size": 24576
},
{
"entropy": 5.179614628422103,
"flags": 1073741888,
"hashes": [
{
"name": "md5",
"value": "4e7f519777030dd2f0ea0d2092babed3"
},
{
"name": "sha1",
"value": "fb84d751c3b62a4a520b71ee2c2702ca14591d38"
},
{
"name": "sha256",
"value": "8c6a303709c952e0ce0d8b8e5750ba40c4ee66e6adb9cce02791e0ee74d15ab0"
}
],
"name": ".rdata",
"physical_base": 24576,
"physical_size": 4608,
"relative_base": 28672,
"relative_size": 8192
},
{
"entropy": 4.617894309842984,
"flags": 3221225536,
"hashes": [
{
"name": "md5",
"value": "f6d93c048bf148a2daee8a6b0505e38b"
},
{
"name": "sha1",
"value": "83ca6a92e89470b5ead78e6d4da29e5437addf6d"
},
{
"name": "sha256",
"value": "de24de65c95ea0e1a0197cabcb48827c9246fc47010a8dcb9d9535bbf18afd0c"
}
],
"name": ".data",
"physical_base": 29184,
"physical_size": 1024,
"relative_base": 36864,
"relative_size": 110592
},
{
"entropy": 0,
"flags": 3221225600,
"name": ".ndata",
"physical_base": 0,
"physical_size": 0,
"relative_base": 147456,
"relative_size": 151552
},
{
"entropy": 7.668251063803404,
"flags": 1073741888,
"hashes": [
{
"name": "md5",
"value": "0d75d437922c1a3cf56c613d56bcff47"
},
{
"name": "sha1",
"value": "b3afa41b94bd303385e55c12ee45f1744369aede"
},
{
"name": "sha256",
"value": "1fdad28ab0543118fafeaa55ef287d7a7be2393d86e508dc1bb2d653a9c3ff94"
}
],
"name": ".rsrc",
"physical_base": 30208,
"physical_size": 98304,
"relative_base": 299008,
"relative_size": 98304
}
]
}
},
"attack": [
{
"matrix": "Enterprise",
"tactics": [
{
"description": "The adversary is trying to avoid being detected.",
"id": "TA0005",
"name": "Defense Evasion",
"techniques": [
{
"description": "Malware, tools, or other non-native files dropped or created on a system by an adversary may leave traces behind as to what was done within a network and how. Adversaries may remove these files over the course of an intrusion to keep their footprint low or remove them at the end as part of the post-intrusion cleanup process.",
"id": "T1107",
"indicators": [
{
"category": 22,
"description": "Deletes files in Windows system directories.",
"id": 101,
"priority": 7,
"relevance": 0
},
{
"category": 22,
"description": "Deletes files.",
"id": 5,
"priority": 4,
"relevance": 0
},
{
"category": 22,
"description": "Removes a directory.",
"id": 340,
"priority": 3,
"relevance": 0
}
],
"name": "File Deletion"
},
{
"description": "Adversaries may interact with the Windows Registry to hide configuration information within Registry keys, remove information as part of cleaning up, or as part of other techniques to aid in Persistence and Execution.",
"id": "T1112",
"indicators": [
{
"category": 9,
"description": "Accesses/modifies registry.",
"id": 7,
"priority": 4,
"relevance": 0
}
],
"name": "Modify Registry"
},
{
"description": "File and directory permissions are commonly managed by discretionary access control lists (DACLs) specified by the file or directory owner. File and directory DACL implementations may vary by platform, but generally explicitly designate which users/groups can perform which actions (ex: read, write, execute, etc.).",
"id": "T1222",
"indicators": [
{
"category": 22,
"description": "Modifies file/directory attributes.",
"id": 384,
"priority": 4,
"relevance": 0
}
],
"name": "File and Directory Permissions Modification"
},
{
"description": "Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.",
"id": "T1027",
"indicators": [
{
"category": 10,
"description": "Contains lzma compressed PE file.",
"id": 1052,
"priority": 7,
"relevance": 0
}
],
"name": "Obfuscated Files or Information"
}
]
},
{
"description": "The adversary is trying to figure out your environment.",
"id": "TA0007",
"name": "Discovery",
"techniques": [
{
"description": "Adversaries may interact with the Windows Registry to gather information about the system, configuration, and installed software.",
"id": "T1012",
"indicators": [
{
"category": 9,
"description": "Accesses/modifies registry.",
"id": 7,
"priority": 4,
"relevance": 0
}
],
"name": "Query Registry"
},
{
"description": "Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.",
"id": "T1083",
"indicators": [
{
"category": 12,
"description": "Reads paths to special directories on Windows.",
"id": 966,
"priority": 4,
"relevance": 0
},
{
"category": 12,
"description": "Reads paths to system directories on Windows.",
"id": 967,
"priority": 4,
"relevance": 0
},
{
"category": 12,
"description": "Reads path to temporary file location on Windows.",
"id": 968,
"priority": 4,
"relevance": 0
},
{
"category": 12,
"description": "Enumerates files.",
"id": 119,
"priority": 2,
"relevance": 0
}
],
"name": "File and Directory Discovery"
},
{
"description": "An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.",
"id": "T1082",
"indicators": [
{
"category": 12,
"description": "Checks operating system version.",
"id": 930,
"priority": 5,
"relevance": 0
},
{
"category": 13,
"description": "Enumerates system information.",
"id": 149,
"priority": 4,
"relevance": 0
},
{
"category": 13,
"description": "Enumerates system variables.",
"id": 151,
"priority": 2,
"relevance": 0
}
],
"name": "System Information Discovery"
}
]
},
{
"description": "The adversary is trying to run malicious code.",
"id": "TA0002",
"name": "Execution",
"techniques": [
{
"description": "Adversary tools may directly use the Windows application programming interface (API) to execute binaries. Functions such as the Windows API CreateProcess will allow programs and scripts to start other processes with proper path and argument parameters.",
"id": "T1106",
"indicators": [
{
"category": 10,
"description": "Executes a file.",
"id": 21,
"priority": 6,
"relevance": 0
}
],
"name": "Execution through API"
}
]
},
{
"description": "The adversary is trying to manipulate, interrupt, or destroy your systems and data.",
"id": "TA0040",
"name": "Impact",
"techniques": [
{
"description": "Adversaries may shutdown/reboot systems to interrupt access to, or aid in the destruction of, those systems. Operating systems may contain commands to initiate a shutdown/reboot of a machine. In some cases, these commands may also be used to initiate a shutdown/reboot of a remote computer. Shutting down or rebooting systems may disrupt access to computer resources for legitimate users.",
"id": "T1529",
"indicators": [
{
"category": 10,
"description": "Tampers with system shutdown.",
"id": 117,
"priority": 4,
"relevance": 0
}
],
"name": "System Shutdown/Reboot"
}
]
},
{
"description": "The adversary is trying to gather data of interest to their goal.",
"id": "TA0009",
"name": "Collection",
"techniques": [
{
"description": "Adversaries may collect data stored in the Windows clipboard from users copying information within or between applications.",
"id": "T1115",
"indicators": [
{
"category": 18,
"description": "Accesses clipboard.",
"id": 328,
"priority": 1,
"relevance": 0
}
],
"name": "Clipboard Data"
}
]
}
]
}
],
"behaviour": {
"process_start": [
{
"arguments": "/A",
"create_no_window": true,
"domain": "",
"environment_variables": "",
"filename": "\"%InstallDir%\\$_INTVAR_88_\"",
"password": "",
"username": "",
"working_directory": ""
},
{
"arguments": "/fix",
"create_no_window": true,
"domain": "",
"environment_variables": "",
"filename": "$PLUGINSDIR\\$_INTVAR_88_",
"password": "",
"username": "",
"working_directory": ""
}
],
"registry": [
{
"key": "HKCU\\SOFTWARE\\ailiao",
"properties": [
{
"name": "action",
"value": "create"
},
{
"name": "type",
"value": "REG_DWORD"
}
],
"value": "65538",
"value_name": "UpdateVer"
},
{
"key": "HKLM\\SOFTWARE\\ailiao",
"properties": [
{
"name": "action",
"value": "create"
},
{
"name": "type",
"value": "REG_DWORD"
}
],
"value": "65538",
"value_name": "UpdateVer"
},
{
"key": "HKLM\\SOFTWARE\\ailiao",
"properties": [
{
"name": "action",
"value": "create"
},
{
"name": "type",
"value": "REG_SZ"
}
],
"value": "$_INTVAR_90_",
"value_name": "ailiaofiledir"
},
{
"key": "HKLM\\SOFTWARE\\ailiao",
"properties": [
{
"name": "action",
"value": "create"
},
{
"name": "type",
"value": "REG_SZ"
}
],
"value": "$_INTVAR_88_",
"value_name": "ailiaofilename"
},
{
"key": "HKLM\\SOFTWARE\\ailiao",
"properties": [
{
"name": "action",
"value": "create"
},
{
"name": "type",
"value": "REG_SZ"
}
],
"value": "$_INTVAR_89_",
"value_name": "ailiaosvrname"
},
{
"key": "HKLM\\Software\\Microsoft\\Windows\\CurrentVersion\\App Paths\\ailiao",
"properties": [
{
"name": "action",
"value": "create"
},
{
"name": "type",
"value": "REG_SZ"
}
],
"value": "%InstallDir%\\$_INTVAR_88_",
"value_name": ""
},
{
"key": "HKLM\\Software\\Microsoft\\Windows\\CurrentVersion\\Uninstall\\°®ÁÄ",
"properties": [
{
"name": "action",
"value": "create"
},
{
"name": "type",
"value": "REG_SZ"
}
],
"value": "%InstallDir%\\$_INTVAR_88_",
"value_name": "DisplayIcon"
},
{
"key": "HKLM\\Software\\Microsoft\\Windows\\CurrentVersion\\Uninstall\\°®ÁÄ",
"properties": [
{
"name": "action",
"value": "create"
},
{
"name": "type",
"value": "REG_SZ"
}
],
"value": "爱聊",
"value_name": "DisplayName"
},
{
"key": "HKLM\\Software\\Microsoft\\Windows\\CurrentVersion\\Uninstall\\°®ÁÄ",
"properties": [
{
"name": "action",
"value": "create"
},
{
"name": "type",
"value": "REG_SZ"
}
],
"value": "",
"value_name": "DisplayVersion"
},
{
"key": "HKLM\\Software\\Microsoft\\Windows\\CurrentVersion\\Uninstall\\°®ÁÄ",
"properties": [
{
"name": "action",
"value": "create"
},
{
"name": "type",
"value": "REG_SZ"
}
],
"value": "ailiao Inc.",
"value_name": "Publisher"
},
{
"key": "HKLM\\Software\\Microsoft\\Windows\\CurrentVersion\\Uninstall\\°®ÁÄ",
"properties": [
{
"name": "action",
"value": "create"
},
{
"name": "type",
"value": "REG_SZ"
}
],
"value": "",
"value_name": "URLInfoAbout"
},
{
"key": "HKLM\\Software\\Microsoft\\Windows\\CurrentVersion\\Uninstall\\°®ÁÄ",
"properties": [
{
"name": "action",
"value": "create"
},
{
"name": "type",
"value": "REG_SZ"
}
],
"value": "%InstallDir%\\uninst.exe",
"value_name": "UninstallString"
}
],
"remove": [
{
"path": "$_INTVAR_65516_"
}
],
"shortcut": [
{
"command_options": "",
"description": "",
"destination_path": "%InstallDir%\\$_INTVAR_88_",
"hotkey": "",
"icon_index": 0,
"icon_path": "",
"source_path": "%DesktopCommon%\\°®ÁÄ.lnk",
"working_directory": ""
},
{
"command_options": "",
"description": "",
"destination_path": "%InstallDir%\\$_INTVAR_88_",
"hotkey": "",
"icon_index": 0,
"icon_path": "",
"source_path": "%InstallDir%\\$_INTVAR_87_.lnk",
"working_directory": ""
},
{
"command_options": "",
"description": "",
"destination_path": "%InstallDir%\\$_INTVAR_88_",
"hotkey": "",
"icon_index": 0,
"icon_path": "",
"source_path": "%StartMenuProgramsCommon%\\°®ÁÄ\\°®ÁÄ.lnk",
"working_directory": ""
},
{
"command_options": "",
"description": "",
"destination_path": "%InstallDir%\\uninst.exe",
"hotkey": "",
"icon_index": 0,
"icon_path": "",
"source_path": "%StartMenuProgramsCommon%\\°®ÁÄ\\жÔØ°®ÁÄ.lnk",
"working_directory": ""
}
]
},
"browser": {},
"certificate": {},
"classification": {
"classification": 3,
"factor": 4,
"propagated": false,
"rca_factor": 9,
"result": "Win32.Browser.StartPage",
"scan_results": [
{
"classification": 3,
"factor": 4,
"ignored": false,
"name": "Antivirus (based on the RCA Classify)",
"rca_factor": 9,
"result": "Win32.Browser.StartPage",
"type": 1,
"version": "2.79"
},
{
"classification": 3,
"factor": 2,
"ignored": false,
"name": "Next-Generation Antivirus",
"rca_factor": 7,
"result": "Win32.Malware.Heuristic",
"type": 11,
"version": "1.0"
}
]
},
"document": {},
"email": {},
"indicators": [
{
"category": 22,
"description": "Deletes files in Windows system directories.",
"id": 101,
"priority": 7,
"reasons": [
{
"category": "Imported API Name",
"description": "Imports the following function: DeleteFileA",
"propagated": false
},
{
"category": "Imported API Name",
"description": "Imports the following function: GetSystemDirectoryA",
"propagated": false
}
],
"relevance": 0
},
{
"category": 11,
"description": "Requests permission required to shut down a system.",
"id": 990,
"priority": 7,
"reasons": [
{
"category": "Strings",
"description": "Contains the following string: AdjustTokenPrivileges",
"propagated": false
},
{
"category": "Strings",
"description": "Contains the following string: SeShutdownPrivilege",
"propagated": false
}
],
"relevance": 0
},
{
"category": 10,
"description": "Contains lzma compressed PE file.",
"id": 1052,
"priority": 7,
"reasons": [
{
"category": "Pattern Match",
"description": "Found a pattern [3c 2d 57 47 be 2d be 94 bd 8b dc 6f 25 97 af 50 f1 d2 5b 85 52 e1 d4 7c 3d 4c 75 4d a7 1f 1b 73 ed eb 01 c5 71 2f 70 5f b4 25 6f 1e a3 c5 c8 f1 1b bd] that ends at offset 138465",
"propagated": false
}
],
"relevance": 0
},
{
"category": 10,
"description": "Executes a file.",
"id": 21,
"priority": 6,
"reasons": [
{
"category": "Imported API Name",
"description": "Imports the following function: CreateProcessA",
"propagated": false
}
],
"relevance": 0
},
{
"category": 22,
"description": "Writes to files in Windows system directories.",
"id": 99,
"priority": 5,
"reasons": [
{
"category": "Imported API Name",
"description": "Imports the following function: CreateFileA",
"propagated": false
},
{
"category": "Imported API Name",
"description": "Imports the following function: GetSystemDirectoryA",
"propagated": false
},
{
"category": "Imported API Name",
"description": "Imports the following function: WriteFile",
"propagated": false
}
],
"relevance": 0
},
{
"category": 11,
"description": "Tampers with user/account privileges.",
"id": 329,
"priority": 5,
"reasons": [
{
"category": "Strings",
"description": "Contains the following string: AdjustTokenPrivileges",
"propagated": false
}
],
"relevance": 0
},
{
"category": 12,
"description": "Checks operating system version.",
"id": 930,
"priority": 5,
"reasons": [
{
"category": "Imported API Name",
"description": "Imports the following function: GetVersion",
"propagated": false
}
],
"relevance": 0
},
{
"category": 22,
"description": "Creates temporary files.",
"id": 969,
"priority": 5,
"reasons": [
{
"category": "Imported API Name",
"description": "Imports the following function: GetTempFileNameA",
"propagated": false
}
],
"relevance": 0
},
{
"category": 6,
"description": "Contains a reference to ActiveX GUID with the Kill-Bit flag set.",
"id": 1086,