
Sample details: fa1906082bee870a7661edd0d40f81db (MD5)

Hashes
MD5: fa1906082bee870a7661edd0d40f81db
SHA1: 2c5c6b7351a21250e37f557383064422d02ef65b
SHA256: 939bea8b95be18cd1ecfe67d5c6bad314ec5d51ccf69c2616755b09a0ac18729
SSDEEP: 192:lnwK7VS0UikIAKt4gqYwtjTd1OPSp02htAQ7TUjnk9RfcQgjJ:2KI5KZqNd1i/ktAQnNRVwJ
Details
File Type: 80386 — an Intel x86 COFF object file (a compiler-emitted .obj, not a standalone PE executable: note the .drectve/.debug$S/.debug$F section names and the /DEFAULTLIB and /manifestdependency linker directives among the strings). The Microsoft.VC90.CRT manifest dependency and "Microsoft (R) Optimizing Compiler" string indicate it was built with the Visual Studio 2008 (VC9) toolchain. Because it is an unlinked object, it will not run on its own; the behavioural indicators below come from its symbol names and string literals, not from execution.
Yara Hits
CuckooSandbox/embedded_win_api | YRP/maldoc_getEIP_method_1 | YRP/domain | YRP/contentis_base64 | YRP/Misc_Suspicious_Strings |
Note: these rules are generic. embedded_win_api is triggered by the plain-text "WinExec"/"LoadLibraryA"/"kernel32.dll" strings (likely resolved at runtime rather than imported), and maldoc_getEIP_method_1 is a document-oriented rule matching a code pattern in what is actually a compiled object file; treat them as weak corroboration, not as classification.
Source (URL the sample was retrieved from — hostile infrastructure; do not fetch it from a non-isolated host, and note the open "/Sources/…/Objs/Release/" path suggests an exposed build tree rather than a single dropped file)
http://103.68.190.250/Sources//Advance/BJWJ/Builds/Full/Objs/Release/UAC_bypass.obj
Strings
Analyst summary of the indicators below: the object exports UAC-bypass routines by name (RunDllBypassUAC, RunBotBypassUAC, ExecTaskAfterUAC, with globals _uacTargetDir/_uacTargetApp/_uacTargetDll/_uacTargetMsu) alongside format strings "makecab.exe /V1 %s %s" and "cmd.exe /C wusa.exe %s /extract:%WINDIR%\%s", and the file names CRYPTSP.msu/cryptbase.msu, CRYPTSP.dll/cryptbase.dll, sysprep.exe under system32\sysprep, and mcx2prov.exe with an "ehome" string. Taken together this is consistent with the well-known Windows 7-era UAC bypass in which a DLL is packed into a .cab/.msu with makecab, dropped into a protected directory by the auto-elevated wusa.exe /extract, and then side-loaded by an auto-elevating system binary (sysprep.exe loading cryptbase.dll, or mcx2prov.exe from the ehome directory). Other exported names — InfectImage, ConvertExeToDll, _Shellcode, TaskDownload2/ExecuteDownload, AddAllowedprogram (firewall allow-list), KillOs — indicate this is one module of a larger bot framework (TBotObject, BOT::Initialize, SetBotType). The embedded build path e:\Projects\progs\Petrosjan\BJWJ\Builds\Full\Objs\Release\UAC_bypass.obj appears to match the directory layout of the publicly leaked Carberp source tree, which should be confirmed against that leak before attributing. Detection opportunities grounded in these strings: cmd.exe spawning wusa.exe with "/extract:" into %WINDIR%\system32\sysprep or the ehome directory; creation of cryptbase.dll or CRYPTSP.dll anywhere other than the system32 root; makecab.exe launched by a non-installer parent; sysprep.exe or mcx2prov.exe started outside of setup/Media Center workflows. The wusa.exe /extract switch is reported to have been removed in Windows 10, so this specific chain is expected to fail on current systems — verify on the target build.
		.drectve
.debug$S
B.rdata
0@.rdata
0@.rdata
0@.rdata
0@.rdata
0@.rdata
0@.rdata
0@.rdata
0@.rdata
0@.rdata
0@.rdata
0@.data
`.rdata
0@.debug$F
B.text
`.debug$F
B.text
`.debug$F
B.text
`.debug$F
B.text
`.debug$F
B.text
`.debug$F
B.text
`.text
`.text
`.debug$F
B.text
.debug$F
B.text
`.rdata
0@.debug$F
B.text
`.debug$F
B.text
`.debug$F
B.text
`.debug$F
B.text
`.debug$F
B.text
`.debug$F
B.text
`.debug$F
B.text
`.debug$F
B.text
`.debug$F
B.text
`.text
`.debug$F
B.text
`.debug$F
B.text
`.debug$F
B.text
`.debug$F
B.text
`.debug$F
B.text
`.debug$F
B.text
`.debug$F
B.text
`.debug$F
B.text
`.debug$F
B.text
`.text
`.rdata
0@.rdata
0@.rdata
0@.rdata
0@.text
`.debug$F
B.text
`.rdata
0@.rdata
0@.rdata
0@.debug$F
B.text
`.rdata
0@.debug$F
B.text
`.text
`.text
`.debug$F
B   /manifestdependency:"type='win32' name='Microsoft.VC90.CRT' version='9.0.21022.8' processorArchitecture='x86' publicKeyToken='1fc8b3b9a1e18e3b'" /DEFAULTLIB:"uuid.lib" /DEFAULTLIB:"uuid.lib" /DEFAULTLIB:"MSVCRT" /DEFAULTLIB:"OLDNAMES" 
e:\Projects\progs\Petrosjan\BJWJ\Builds\Full\Objs\Release\UAC_bypass.obj
Microsoft (R) Optimizing Compiler
task_bypassuac.txt
CRYPTSP.msu
cryptbase.msu
CRYPTSP.dll
cryptbase.dll
mcx2prov.exe
sysprep.exe
system32\sysprep
8.rsru
QSSSSSSWS
WinExec
LoadLibraryA
kernel32.dll
}`DNWPu
EkYY_^[
cmd.exe /C %s
cmd.exe /C wusa.exe %s /extract:%%WINDIR%%\%s
makecab.exe /V1 %s %s
HYt:Ht
@comp.id	x
@feat.00
.drectve
.debug$S
.rdata
.rdata
.rdata
.rdata
.rdata
.rdata
.rdata
.rdata
.rdata
.rdata
.rdata
.rdata
.debug$F
.debug$F
.debug$F
.debug$F
.debug$F
.debug$F
.debug$F
.debug$F
.rdata
.debug$F
.debug$F
.debug$F
.debug$F
.debug$F
.debug$F
.debug$F
.debug$F
.debug$F
.debug$F
.debug$F
.debug$F
.debug$F
.debug$F
.debug$F
.debug$F
.debug$F
.debug$F
.rdata
.rdata
.rdata
.rdata
.debug$F
.rdata
.rdata
.rdata
.debug$F
.rdata
.debug$F
.debug$F
??_C@_0BD@MPPDECBN@task_bypassuac?4txt?$AA@
??_C@_0M@KIMLDHGB@CRYPTSP?4msu?$AA@
??_C@_0O@OEBMJBCI@cryptbase?4msu?$AA@
??_C@_0M@FJLJDFLO@CRYPTSP?4dll?$AA@
??_C@_0O@BFGOJDPH@cryptbase?4dll?$AA@
??_C@_0N@EAENOLKA@mcx2prov?4exe?$AA@
??_C@_0M@LDPEDDJM@sysprep?4exe?$AA@
??_C@_05IEIGNMPN@ehome?$AA@
??_C@_0BB@IEFGOHCJ@system32?2sysprep?$AA@
?Hibernation@TVideoRecDLL@@2HB
?RunCallback@TVideoRecDLL@@2HB
_uacTargetDir
_uacTargetApp
_uacTargetDll
_uacTargetMsu
?FileTask@@3PBDB
??1TBotObject@@UAE@XZ
??_7TBotObject@@6B@
??_GTBotObject@@UAEPAXI@Z
??_ETBotObject@@UAEPAXI@Z
??_GTBotObject@@UAEPAXI@Z
??3TBotObject@@SAXPAX@Z
??0TMemory@@QAE@K@Z
?MemAlloc@@YAPAXK@Z
??1TMemory@@QAE@XZ
?MemFree@@YAXPAX@Z
?AsStr@TMemory@@QAEPADXZ
?IsExists@File@@YA_NQAD@Z
?FileExistsA@@YA_NQAD@Z
_Shellcode@12
_Shellcode_end@0
?ConvertExeToDll@@YA_NPAX@Z
?TaskDownload2@@YGKPAX@Z
?ExecuteDownload@@YA_NPAXPAD1@Z
_ParamArgs
?Initialize@BOT@@YAXW4TProcessType@@@Z
?t_str@?$TString@D@@QBEPADXZ
??_C@_11LOCGONAA@?$AA?$AA@
??$pushargEx@$00$0JMEIAOCE@$0DO@PAU_OSVERSIONINFOA@@@@YAPAXPAU_OSVERSIONINFOA@@@Z
?GetProcAddressEx2@@YAPAXPADKKH@Z
??$pushargEx@$00$0EJKBDHEK@$0DE@PADH@@YAPAXPADH@Z
??$pushargEx@$0BD@$0PIGKKBPG@$0CBI@PADPBD@@YAPAXPADPBD@Z
??$pushargEx@$00$0FIPOHKLO@$0DG@HPAD@@YAPAXHPAD@Z
??$pushargEx@$00$0IBPAPANP@$0CD@PAD@@YAPAXPAD@Z
??$pushargEx@$00$0HILAAMHO@$0IH@PADH@@YAPAXPADH@Z
??$pushargEx@$02$0GLDKPAOM@$0BFK@PADPADPAD@@YAPAXPAD00@Z
??$pushargEx@$00$0EAHKBMGK@$0MD@PAU_STARTUPINFOA@@@@YAPAXPAU_STARTUPINFOA@@@Z
??$pushargEx@$00$0EGDBIKMH@$0DM@HPADHHHHHHPAU_STARTUPINFOA@@PAU_PROCESS_INFORMATION@@@@YAPAXHPADHHHHHHPAU_STARTUPINFOA@@PAU_PROCESS_INFORMATION@@@Z
??$pushargEx@$00$0MFEDHEPD@$0CO@PAXI@@YAPAXPAXI@Z
??$pushargEx@$00$0PNMJEDIF@$0MB@PAXPAK@@YAPAXPAXPAK@Z
??$pushargEx@$00$0HCDOLANF@$0BB@PAX@@YAPAXPAX@Z
??$pushargEx@$00$0KEINGHGC@$0CL@PBD@@YAPAXPBD@Z
??$pushargEx@$00$0BPMAOKOO@$06PAUHINSTANCE__@@PBD@@YAPAXPAUHINSTANCE__@@PBD@Z
??$pushargEx@$0BK@$0NFONMFKC@$0CDI@PAXKPAKPAK@@YAPAXPAXKPAK1@Z
??$pushargEx@$00$0GJCGABFC@$0GN@@@YAPAXXZ
??$pushargEx@$00$0JFJACLBJ@$0FJ@H@@YAPAXH@Z
??$GetRec@D@STRBUF@@YAAAUTStrRec@0@PAD@Z
?Exec@@YA_NPAKPADZZ
?m_memset@@YAXPBXEI@Z
?InfectImage@@YA_NPAXKPAD1@Z
?m_memcpy@@YAPAXPAXPBXH@Z
?m_lstrcpy@@YGXPADPBD@Z
??_C@_07NHLKNDLA@WinExec?$AA@
??_C@_0N@LOMLCOFC@LoadLibraryA?$AA@
??_C@_0N@MDJJJHMB@kernel32?4dll?$AA@
?m_memcmp@@YAHPBX0I@Z
??_C@_05JAKGACJN@?4rsrc?$AA@
?m_lstrlen@@YGKPBD@Z
??$Release@D@STRBUF@@YAXAAPAD@Z
?Free@HEAP@@YAXPAX@Z
?RunDllBypassUAC@@YA_NQAXHH@Z
??_C@_0O@DAJFMIIM@cmd?4exe?5?1C?5?$CFs?$AA@
??_C@_0CO@LAHMKEDN@cmd?4exe?5?1C?5wusa?4exe?5?$CFs?5?1extract?3@
??_C@_0BG@OFICGBNJ@makecab?4exe?5?1V1?5?$CFs?5?$CFs?$AA@
?ReadToBufferA@File@@YAPAEPBDAAK@Z
?WriteBufferA@File@@YAKPBDQAXK@Z
?GetTempName@File@@YAPADPADQAD@Z
??1?$TString@D@@UAE@XZ
??_7?$TString@D@@6B@
??_G?$TString@D@@UAEPAXI@Z
??_E?$TString@D@@UAEPAXI@Z
?RunBotBypassUAC@@YA_NHHPBD@Z
?MakeFileName@BOT@@YA?AV?$TString@D@@PBD0@Z
?GetBotFullExeName@BOT@@YA?AV?$TString@D@@XZ
?ExecTaskAfterUAC@@YAHXZ
?KillOs@@YA_NXZ
?MegaJump@@YGHP6GKPAX@Z@Z
?SafeCopyStr@@YAPADPADHPBD@Z
?AddAllowedprogram@@YA_NPBD@Z
?SetBotType@BOT@@YAXW4TBotType@@@Z
__imp__GetTickCount@0
??_G?$TString@D@@UAEPAXI@Z