Field | Value |
---|---|
File name: | c3e5902a08d212ba72b8fb032612b394c7a59311968e665303a315d6093237cf |
Full analysis: | https://app.any.run/tasks/b110983a-37e7-4ad3-9399-813766905a07 |
Verdict: | Malicious activity |
Analysis date: | November 15, 2018, 11:13:06 |
OS: | Windows 7 Professional Service Pack 1 (build: 7601, 32 bit) |
Indicators: | - |
MIME: | application/x-dosexec |
File info: | PE32 executable (GUI) Intel 80386, for MS Windows, RAR self-extracting archive |
MD5: | 38A1D02688001CD944C9AFA6E90DEE64 |
SHA1: | 13CE1ECC7D2FCB4B8552F2334D7FBFF80D266D22 |
SHA256: | C3E5902A08D212BA72B8FB032612B394C7A59311968E665303A315D6093237CF |
SSDEEP: | 12288:3kWAehJuqT+r5Eam4kjVBtkgdyslt63w4h7IHhoPlQD2r7hHRhGhPSxw7paXc3TE:3kWAAuqKrnm4kzKVsX6x1IHhWQD2BxhL |
Extension | Detected type (score) |
---|---|
.exe | Win32 Executable MS Visual C++ (generic) (42.2) |
.exe | Win64 Executable (generic) (37.3) |
.dll | Win32 Dynamic Link Library (generic) (8.8) |
.exe | Win32 Executable (generic) (6) |
.exe | Generic Win/DOS Executable (2.7) |
Field | Value |
---|---|
Subsystem: | Windows GUI |
SubsystemVersion: | 5 |
ImageVersion: | - |
OSVersion: | 5 |
EntryPoint: | 0xb480 |
UninitializedDataSize: | - |
InitializedDataSize: | 23040 |
CodeSize: | 72192 |
LinkerVersion: | 9 |
PEType: | PE32 |
TimeStamp: | 2011:05:28 18:04:29+02:00 |
MachineType: | Intel 386 or later, and compatibles |
Architecture: | IMAGE_FILE_MACHINE_I386 |
Subsystem: | IMAGE_SUBSYSTEM_WINDOWS_GUI |
Compilation Date: | 28-May-2011 16:04:29 |
Detected languages: | - |
Debug artifacts: | - |
Field | Value |
---|---|
Magic number: | MZ |
Bytes on last page of file: | 0x0090 |
Pages in file: | 0x0003 |
Relocations: | 0x0000 |
Size of header: | 0x0004 |
Min extra paragraphs: | 0x0000 |
Max extra paragraphs: | 0xFFFF |
Initial SS value: | 0x0000 |
Initial SP value: | 0x00B8 |
Checksum: | 0x0000 |
Initial IP value: | 0x0000 |
Initial CS value: | 0x0000 |
Overlay number: | 0x0000 |
OEM identifier: | 0x0000 |
OEM information: | 0x0000 |
Address of NE header: | 0x000000E8 |
Field | Value |
---|---|
Signature: | PE |
Machine: | IMAGE_FILE_MACHINE_I386 |
Number of sections: | 5 |
Time date stamp: | 28-May-2011 16:04:29 |
Pointer to Symbol Table: | 0x00000000 |
Number of symbols: | 0 |
Size of Optional Header: | 0x00E0 |
Characteristics: | - |
Name | Virtual Address | Virtual Size | Raw Size | Characteristics | Entropy |
---|---|---|---|---|---|
.text | 0x00001000 | 0x00011998 | 0x00011A00 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ | 6.55849 |
.rdata | 0x00013000 | 0x00001C15 | 0x00001E00 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ | 4.86387 |
.data | 0x00015000 | 0x0000FF2C | 0x00000200 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE | 3.51849 |
.CRT | 0x00025000 | 0x00000010 | 0x00000200 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ | 0.213101 |
.rsrc | 0x00026000 | 0x00003674 | 0x00003800 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ | 5.38088 |
Title | Entropy | Size | Codepage | Language | Type |
---|---|---|---|---|---|
1 | 5.20816 | 1464 | Latin 1 / Western European | Chinese - PRC | RT_MANIFEST |
2 | 3.88998 | 1384 | Latin 1 / Western European | Chinese - PRC | RT_ICON |
3 | 4.12176 | 744 | Latin 1 / Western European | Chinese - PRC | RT_ICON |
4 | 4.68705 | 2216 | Latin 1 / Western European | Chinese - PRC | RT_ICON |
7 | 5.31352 | 226 | Latin 1 / Western European | Chinese - PRC | RT_STRING |
8 | 5.71488 | 368 | Latin 1 / Western European | Chinese - PRC | RT_STRING |
9 | 5.51373 | 216 | Latin 1 / Western European | Chinese - PRC | RT_STRING |
10 | 4.70177 | 502 | Latin 1 / Western European | Chinese - PRC | RT_STRING |
11 | 4.87297 | 148 | Latin 1 / Western European | Chinese - PRC | RT_STRING |
100 | 2.64576 | 62 | Latin 1 / Western European | Chinese - PRC | RT_GROUP_ICON |
Imported DLL |
---|
ADVAPI32.dll |
COMCTL32.dll |
COMDLG32.dll |
GDI32.dll |
KERNEL32.dll |
OLEAUT32.dll |
SHELL32.dll |
SHLWAPI.dll |
USER32.dll |
ole32.dll |
PID | CMD | Path | Indicators | Parent process |
---|---|---|---|---|
3944 | "C:\Users\admin\Desktop\c3e5902a08d212ba72b8fb032612b394c7a59311968e665303a315d6093237cf.exe" | C:\Users\admin\Desktop\c3e5902a08d212ba72b8fb032612b394c7a59311968e665303a315d6093237cf.exe | - | explorer.exe |
User: admin; Integrity Level: MEDIUM; Exit code: 0 | ||||
3192 | "C:\Users\admin\AppData\Local\Temp\bjca_sjk1312_hid(AK5018-D)otgkey_CSP_Install.exe" /i /s | C:\Users\admin\AppData\Local\Temp\bjca_sjk1312_hid(AK5018-D)otgkey_CSP_Install.exe | - | c3e5902a08d212ba72b8fb032612b394c7a59311968e665303a315d6093237cf.exe |
User: admin; Company: Beijing Certificate Authority; Integrity Level: MEDIUM; Description: OTG KEY HID CSP安装程序; Exit code: 3221226540; Version: 1, 4, 3, 1 | ||||
3156 | "C:\Users\admin\AppData\Local\Temp\bjca_sjk1312_hid(AK5018-D)otgkey_CSP_Install.exe" /i /s | C:\Users\admin\AppData\Local\Temp\bjca_sjk1312_hid(AK5018-D)otgkey_CSP_Install.exe | - | c3e5902a08d212ba72b8fb032612b394c7a59311968e665303a315d6093237cf.exe |
User: admin; Company: Beijing Certificate Authority; Integrity Level: HIGH; Description: OTG KEY HID CSP安装程序; Exit code: 0; Version: 1, 4, 3, 1 | ||||
3224 | "C:\Program Files\bjca_sjk1312_hid(AK5018-D)otgkeyCSP\ASKeyHidDemon.exe" | C:\Program Files\bjca_sjk1312_hid(AK5018-D)otgkeyCSP\ASKeyHidDemon.exe | - | bjca_sjk1312_hid(AK5018-D)otgkey_CSP_Install.exe |
User: admin; Company: Beijing Certificate Authority; Integrity Level: MEDIUM; Description: certreg; Version: 1, 4, 3, 1 | ||||
PID | Process | Key | Operation | Name | Value |
---|---|---|---|---|---|
3944 | c3e5902a08d212ba72b8fb032612b394c7a59311968e665303a315d6093237cf.exe | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap | write | UNCAsIntranet | 0 |
3944 | c3e5902a08d212ba72b8fb032612b394c7a59311968e665303a315d6093237cf.exe | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap | write | AutoDetect | 1 |
3156 | bjca_sjk1312_hid(AK5018-D)otgkey_CSP_Install.exe | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\Defaults\Provider\SJK1312_HID(AK5018-D) OTGKEY CSP V1.0 | write | Type | 1 |
3156 | bjca_sjk1312_hid(AK5018-D)otgkey_CSP_Install.exe | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\Defaults\Provider\SJK1312_HID(AK5018-D) OTGKEY CSP V1.0 | write | Image Path | %SystemRoot%\system32\bjcakey_sjk1312_hid.dll |
3156 | bjca_sjk1312_hid(AK5018-D)otgkey_CSP_Install.exe | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{4A3FEB44-62DB-4B9F-8A7C-7DBCF1448275} | write | DisplayName | BJCA OTGKeyHid(AK5018-D) CSP |
3156 | bjca_sjk1312_hid(AK5018-D)otgkey_CSP_Install.exe | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{4A3FEB44-62DB-4B9F-8A7C-7DBCF1448275} | write | UninstallString | "C:\Program Files\bjca_sjk1312_hid(AK5018-D)otgkeyCSP\bjca_sjk1312_hid(AK5018-D)otgkey_CSP_Install.exe" /u/s |
3156 | bjca_sjk1312_hid(AK5018-D)otgkey_CSP_Install.exe | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{4A3FEB44-62DB-4B9F-8A7C-7DBCF1448275} | write | Publisher | BJCA |
3156 | bjca_sjk1312_hid(AK5018-D)otgkey_CSP_Install.exe | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run | write | ASKeyHidDemon.exe | "C:\Program Files\bjca_sjk1312_hid(AK5018-D)otgkeyCSP\ASKeyHidDemon.exe" /run |
PID | Process | Filename | Type | MD5 | SHA256 |
---|---|---|---|---|---|
3944 | c3e5902a08d212ba72b8fb032612b394c7a59311968e665303a315d6093237cf.exe | C:\Users\admin\AppData\Local\Temp\bjcakey_sjk1312_hid_w32.dll | executable | 7B468AA30BBFAD4465CBA074BD4EC138 | EFCE177B95DC897CED0C725504DB148BB64337EB09BD7FBFC6ADE69BEE51EE82 |
3944 | c3e5902a08d212ba72b8fb032612b394c7a59311968e665303a315d6093237cf.exe | C:\Users\admin\AppData\Local\Temp\bjcakey_sjk1312_hid.sig | binary | 51E10CAEE41D7843AA14A17F2B327388 | 9ADDC833675134118E0E466840A9BA46C413F5E64F0AA3E6E1DBFE0D81D1CEFA |
3944 | c3e5902a08d212ba72b8fb032612b394c7a59311968e665303a315d6093237cf.exe | C:\Users\admin\AppData\Local\Temp\bjca_sjk1312_hid(AK5018-D)otgkey_CSP_Install.exe | executable | CBE1445D8D6D52BD69E763C74FFBFE2A | 9B745FC8EC2CC747163FC3BFB617C0C2D551F4EC108B45FBBE9CA7C92F64671F |
3944 | c3e5902a08d212ba72b8fb032612b394c7a59311968e665303a315d6093237cf.exe | C:\Users\admin\AppData\Local\Temp\AXTX_OTG_PID1513_GM.dll | executable | D788571BB5945E31A6CB2A22BB3EB942 | 716BE4CA1C6AB0D6A40A365130CA539ACF8439DD93AAF093C06B7D6F33719984 |
3944 | c3e5902a08d212ba72b8fb032612b394c7a59311968e665303a315d6093237cf.exe | C:\Users\admin\AppData\Local\Temp\bjcakey_sjk1312_hid.dll | executable | F5A630C2B8E981F6A044744849C4061C | 7B7F5B3666473F5B86FDA8B218668CD09B7BE86080994FE017C892027842E8D9 |
3944 | c3e5902a08d212ba72b8fb032612b394c7a59311968e665303a315d6093237cf.exe | C:\Users\admin\AppData\Local\Temp\bjcakey_sjk1312_hid_x64.dll | executable | 28A101B145307566D265F2719FD29162 | F641674A00FC175AE6C17223B8EC9A94E7556B5DBFD996893A1BB0DB0D576439 |
3944 | c3e5902a08d212ba72b8fb032612b394c7a59311968e665303a315d6093237cf.exe | C:\Users\admin\AppData\Local\Temp\ASKeyHidDemon.exe | executable | 154790C56C8E14B6FE45170C6054F08F | 783F31A32D69B09046D998955D58BA7B9D22114316BB9D5623C05069245DC2D4 |
3944 | c3e5902a08d212ba72b8fb032612b394c7a59311968e665303a315d6093237cf.exe | C:\Users\admin\AppData\Local\Temp\AXTX_OTG_PID1513_GM_x64.dll | executable | AFE0CAC21A546ACA4886B06122967594 | 4982B5108093365C56C42016D60B602FAC137CDEA6F46F37A17808517BD53ACF |
3156 | bjca_sjk1312_hid(AK5018-D)otgkey_CSP_Install.exe | C:\Program Files\bjca_sjk1312_hid(AK5018-D)otgkeyCSP\bjca_sjk1312_hid(AK5018-D)otgkey_CSP_Install.exe | executable | CBE1445D8D6D52BD69E763C74FFBFE2A | 9B745FC8EC2CC747163FC3BFB617C0C2D551F4EC108B45FBBE9CA7C92F64671F |
3156 | bjca_sjk1312_hid(AK5018-D)otgkey_CSP_Install.exe | C:\Program Files\bjca_sjk1312_hid(AK5018-D)otgkeyCSP\AXTX_OTG_PID1513_GM.dll | executable | D788571BB5945E31A6CB2A22BB3EB942 | 716BE4CA1C6AB0D6A40A365130CA539ACF8439DD93AAF093C06B7D6F33719984 |
Process | Message |
---|---|
ASKeyHidDemon.exe | ASKeyHidDemon: create hmutex |
ASKeyHidDemon.exe | askeydemon _icapi_function_list_init() call |
ASKeyHidDemon.exe | initDevList |