Malware Archive

MD5 : 2f1b249b28395881654e222e691f8608
SHA1SUM : 266808a97aa84e4aec386b5d191edf36a7a31ada

architecture: i386, flags 0x0000010a:
EXEC_P, HAS_DEBUG, D_PAGED
start address 0x00401350

Characteristics 0x10f
relocations stripped
executable
line numbers stripped
symbols stripped
32 bit words

Time/Date Sat Dec 22 14:56:04 2007
Magic 010b (PE32)
MajorLinkerVersion 7
MinorLinkerVersion 10
SizeOfCode 00000400
SizeOfInitializedData 00062800
SizeOfUninitializedData 00000000
AddressOfEntryPoint 0000000000001350
BaseOfCode 0000000000001000
BaseOfData 0000000000002000
ImageBase 0000000000400000
SectionAlignment 0000000000001000
FileAlignment 0000000000000200
MajorOSystemVersion 4
MinorOSystemVersion 0
MajorImageVersion 0
MinorImageVersion 0
MajorSubsystemVersion 4
MinorSubsystemVersion 0
Win32Version 00000000
SizeOfImage 00067000
SizeOfHeaders 00000400
CheckSum 00000000
Subsystem 00000002 (Windows GUI)
DllCharacteristics 00000400
SizeOfStackReserve 0000000000100000
SizeOfStackCommit 0000000000001000
SizeOfHeapReserve 0000000000100000
SizeOfHeapCommit 0000000000001000
LoaderFlags 00000000
NumberOfRvaAndSizes 00000010

The Data Directory
Entry 0 0000000000000000 00000000 Export Directory [.edata (or where ever we found it)]
Entry 1 00000000000020ac 00000050 Import Directory [parts of .idata]
Entry 2 0000000000004000 0006227c Resource Directory [.rsrc]
Entry 3 0000000000000000 00000000 Exception Directory [.pdata]
Entry 4 0000000000000000 00000000 Security Directory
Entry 5 0000000000000000 00000000 Base Relocation Directory [.reloc]
Entry 6 0000000000002080 0000001c Debug Directory
Entry 7 0000000000000000 00000000 Description Directory
Entry 8 0000000000000000 00000000 Special Directory
Entry 9 0000000000000000 00000000 Thread Storage Directory [.tls]
Entry a 0000000000000000 00000000 Load Configuration Directory
Entry b 0000000000000000 00000000 Bound Import Directory
Entry c 0000000000002000 00000074 Import Address Table Directory
Entry d 0000000000000000 00000000 Delay Import Directory
Entry e 0000000000000000 00000000 CLR Runtime Header
Entry f 0000000000000000 00000000 Reserved

There is an import table in .rdata at 0x4020ac

The Import Tables (interpreted .rdata section contents)
vma: Hint Time Forward DLL First
Table Stamp Chain Name Thunk
000020ac 00002154 00000000 00000000 000021a8 00002058

DLL Name: SHLWAPI.dll
vma: Hint/Ord Member-Name Bound-To
2190 105 PathRemoveExtensionA
217a 41 PathFindExtensionA
2170 211 StrChrA

000020c0 000020fc 00000000 00000000 00002308 00002000

DLL Name: KERNEL32.dll
vma: Hint/Ord Member-Name Bound-To
2250 338 GetExitCodeProcess
22f8 105 CreateThread
22ea 175 ExitProcess
22da 218 FindResourceA
21b4 46 CloseHandle
21c2 916 WriteFile
21ce 77 CreateFileA
21dc 838 SizeofResource
21ee 603 LockResource
21fe 589 LoadResource
220e 219 FindResourceExA
2220 239 FreeLibrary
222e 408 GetProcAddress
2240 584 LoadLibraryA
22c4 373 GetModuleFileNameA
2266 899 WaitForSingleObject
227c 96 CreateProcessA
228e 956 lstrlenA
229a 264 GetCommandLineA
22ac 941 lstrcatA
22b8 950 lstrcpyA

000020d4 00002164 00000000 00000000 00002330 00002068

DLL Name: USER32.dll
vma: Hint/Ord Member-Name Bound-To
2324 726 wsprintfA
2316 458 LoadStringA

000020e8 00000000 00000000 00000000 00000000 00000000

Sections:
Idx Name Size VMA LMA File off Algn
0 .text 00000388 00401000 00401000 00000400 2**2
CONTENTS, ALLOC, LOAD, READONLY, CODE
1 .rdata 0000037b 00402000 00402000 00000800 2**2
CONTENTS, ALLOC, LOAD, READONLY, DATA
2 .data 00000000 00403000 00403000 00000000 2**2
ALLOC, LOAD, DATA
3 .rsrc 0006227c 00404000 00404000 00000c00 2**2
CONTENTS, ALLOC, LOAD, READONLY, DATA

PeRdr by Frediano Ziglio. Build Dec 27 2007
++++++++++++++++++++++++ FILE HEADER INFORMATION +++++++++++++++++++++++++

TimeStamp: 476D1774 Sat Dec 22 14:56:04 2007
Subsystem: 2 (Windows GUI)
Image Base: 00400000 Size: 00067000
Code Base: 00001000 Size: 00000400
Data Base: 00002000 Size: 00062800
Entry Point: 00001350 (file offset 00000750)

++++++++++++++++++++++++++++++++ SECTIONS ++++++++++++++++++++++++++++++++

1: .text RVA: 00001000 Offset: 00000400 Size: 00000400 Flags: 60000020 (CER)
2: .rdata RVA: 00002000 Offset: 00000800 Size: 00000400 Flags: 40000040 (DR)
3: .data RVA: 00003000 Offset: 00000000 Size: 00000000 Flags: C0000040 (DRW)
4: .rsrc RVA: 00004000 Offset: 00000C00 Size: 00062400 Flags: 40000040 (DR)

++++++++++++++++++++++++++++++++ IMPORTS +++++++++++++++++++++++++++++++++

DLL: SHLWAPI.dll
Addr: 00002058 hint: 105(0069) Name: PathRemoveExtensionA
Addr: 0000205C hint: 41(0029) Name: PathFindExtensionA
Addr: 00002060 hint: 211(00D3) Name: StrChrA

DLL: KERNEL32.dll
Addr: 00002000 hint: 338(0152) Name: GetExitCodeProcess
Addr: 00002004 hint: 105(0069) Name: CreateThread
Addr: 00002008 hint: 175(00AF) Name: ExitProcess
Addr: 0000200C hint: 218(00DA) Name: FindResourceA
Addr: 00002010 hint: 46(002E) Name: CloseHandle
Addr: 00002014 hint: 916(0394) Name: WriteFile
Addr: 00002018 hint: 77(004D) Name: CreateFileA
Addr: 0000201C hint: 838(0346) Name: SizeofResource
Addr: 00002020 hint: 603(025B) Name: LockResource
Addr: 00002024 hint: 589(024D) Name: LoadResource
Addr: 00002028 hint: 219(00DB) Name: FindResourceExA
Addr: 0000202C hint: 239(00EF) Name: FreeLibrary
Addr: 00002030 hint: 408(0198) Name: GetProcAddress
Addr: 00002034 hint: 584(0248) Name: LoadLibraryA
Addr: 00002038 hint: 373(0175) Name: GetModuleFileNameA
Addr: 0000203C hint: 899(0383) Name: WaitForSingleObject
Addr: 00002040 hint: 96(0060) Name: CreateProcessA
Addr: 00002044 hint: 956(03BC) Name: lstrlenA
Addr: 00002048 hint: 264(0108) Name: GetCommandLineA
Addr: 0000204C hint: 941(03AD) Name: lstrcatA
Addr: 00002050 hint: 950(03B6) Name: lstrcpyA

DLL: USER32.dll
Addr: 00002068 hint: 726(02D6) Name: wsprintfA
Addr: 0000206C hint: 458(01CA) Name: LoadStringA

QSVj
tqVj
tdUWP
PWUV
SVWh
Pjhj
QSRV
UVWh
T$lR
D$hP
-L @
L$lQ
D$lP
L$lWQ
D$tP
L$$Qj
D$HD
"%s"
StrChrA
PathFindExtensionA
PathRemoveExtensionA
SHLWAPI.dll
CloseHandle
WriteFile
CreateFileA
SizeofResource
LockResource
LoadResource
FindResourceExA
FreeLibrary
GetProcAddress
LoadLibraryA
GetExitCodeProcess
WaitForSingleObject
CreateProcessA
lstrlenA
GetCommandLineA
lstrcatA
lstrcpyA
GetModuleFileNameA
FindResourceA
ExitProcess
CreateThread
KERNEL32.dll
LoadStringA
wsprintfA
USER32.dll
RSDS
d:\projects\Vm\Start\Release\Start.pdb