File is unjustifiably FULLY trusted !!!
Riskware/Adware.Downloader.Variant.Hao123 - Certificate “issued” by Symantec & VeriSign & “countersigned” by Symantec & Thawte
Some suspicious/malicious indicators:
Compiler/Packer/Crypter Signature > Compiler: Microsoft Visual C++ 6.0 & 8.0, Packer/Cryptor: aPLib compression
File has multiple PE anomalies (File ignores Code Integrity, PE file has unusual entropy sections, CRC value set in PE header does not match actual value, The size of the resource is bigger than the max 512000 bytes threshold, The file embeds another file (type: PKZIP, location: resources), Contains unknown resources, Foreign language identified in PE resource (Chinese))
Checks if a debugger is present
Contains ability to query CPU information
Found multiple Anti-VM strings (Found VM detection artifact “VMware trick” in Offset: “1021906”, Executes multiple WMI queries known to be used for VM detection)
Reads the active computer name
Reads the cryptographic machine GUID
Reads configuration files
Reads the registry for installed applications
Contains ability to look up the Windows account name
Checks for an ADS
Drops system driver
References suspicious system modules (“ntoskrnl.exe”)
Drops multiple executable files
Runs shell commands
Tries to delay the analysis
Creates a hidden window
Creates a Windows hook to log keyboard input
Creates or sets a registry key to a long series of bytes, possibly to store a binary or malware config
Deletes its original binary from disk
Opens the Kernel Security Device Driver
File queried details from the computer were then used in a network or crypto API call indicative of command and control communications/preparations
Modifies proxy settings
Queries sensitive IE security settings
The file references a URL pattern (h***s://www.hao123.com)
Found network related activity
HTTP request contains Base64 encoded artifacts
File GET data from “123.125.114.215:80” (opensoft.hao123.com), “103.235.46.234:80” (orange.hao123.com), “103.235.46.111:80” (update.123juzi.net), “47.89.58.141:80” (tongji.juzi1234567.com >>>
VirusTotal
Certificate Details :
Algorithm: rsaEncryption
Version: 3
Issuer: /C=US/O=Symantec Corporation/OU=Symantec Trust Network/CN=Symantec Class 3 SHA256 Code Signing CA
Serial: 42300730919024834505941748264773407599
Serial (Hex): 1fd2d30e260fc289cfaf11518f2cd36f
Valid from: Dec 15 00:00:00 2015 GMT
Valid until: Feb 06 23:59:59 2018 GMT
C (countryName): CN [434E]
CN (commonName): BeiJing Baidu Netcom Science Technology Co., Ltd
L (localityName): Beijing [4265696A696E67]
O (organizationName): BeiJing Baidu Netcom Science Technology Co., Ltd
OU (organizationalUnitName): Engineering Excellence [20456E67696E656572696E6720457863656C6C656E6365]
ST (stateOrProvinceName): Beijing [4265696A696E67]
EDIT:
This file was recognized via signature detection from CAV on VT and also from Valkyrie! But there is NO signature detection with CIS! I've checked it with TVL ON and OFF.
File is unjustifiably FULLY trusted !!!
Riskware/Adware - Certificate “issued” by Symantec & VeriSign & “countersigned” by Symantec & VeriSign