× Cookies are disabled! This site requires cookies to be enabled to work properly
SHA256: 527afa9d3ab2074a1b7e0ea98a8c819cab92dabe81acaf02a13a360fd43306a8
File name: 673630
Detection ratio: 2 / 57
Analysis date: 2016-04-02 11:13:07 UTC ( 2 years, 6 months ago ) View latest
Antivirus Result Update
Baidu Win32.Virus.Lamer.g 20160402
SUPERAntiSpyware Trojan.Agent/Gen-Backdoor 20160402
Ad-Aware 20160402
AegisLab 20160402
AhnLab-V3 20160401
Alibaba 20160401
ALYac 20160402
Antiy-AVL 20160402
Arcabit 20160402
Avast 20160402
AVG 20160402
Avira (no cloud) 20160402
AVware 20160402
Baidu-International 20160402
BitDefender 20160402
Bkav 20160402
CAT-QuickHeal 20160401
ClamAV 20160402
CMC 20160401
Comodo 20160402
Cyren 20160402
DrWeb 20160402
Emsisoft 20160402
ESET-NOD32 20160402
F-Prot 20160402
F-Secure 20160402
Fortinet 20160401
GData 20160402
Ikarus 20160402
Jiangmin 20160402
K7AntiVirus 20160402
K7GW 20160402
Kaspersky 20160402
Kingsoft 20160402
Malwarebytes 20160402
McAfee 20160402
McAfee-GW-Edition 20160402
Microsoft 20160402
eScan 20160402
NANO-Antivirus 20160402
nProtect 20160401
Panda 20160402
Qihoo-360 20160402
Rising 20160402
Sophos AV 20160402
Symantec 20160331
Tencent 20160402
TheHacker 20160330
TotalDefense 20160330
TrendMicro 20160402
TrendMicro-HouseCall 20160402
VBA32 20160401
VIPRE 20160402
ViRobot 20160402
Yandex 20160316
Zillya 20160401
Zoner 20160402
The file being studied is a Portable Executable file! More specifically, it is a Win32 EXE file for the Windows GUI subsystem.
Authenticode signature block and FileVersionInfo properties
Signature verification Certificate out of its validity period
Signers
[+] Novel Games Limited
Status This certificate or one of the certificates in the certificate chain is not time valid.
Issuer GlobalSign CodeSigning CA - SHA256 - G2
Valid from 10:59 AM 4/13/2015
Valid to 10:01 AM 5/23/2016
Valid usage Code Signing
Algorithm sha256RSA
Thumbprint 6688B52B2382859E04E6FCD86FFD01E0B54BF5F0
Serial number 11 21 BD 8C 37 18 B9 8A 11 CF 31 D1 3E 64 43 F7 51 D9
[+] GlobalSign CodeSigning CA - SHA256 - G2
Status Valid
Issuer GlobalSign
Valid from 11:00 AM 8/2/2011
Valid to 11:00 AM 8/2/2019
Valid usage Code Signing
Algorithm sha256RSA
Thumbprint 4E34C4841080D07059EFC1F3C5DE4D79905A36FF
Serial number 04 00 00 00 00 01 31 89 C6 37 E8
[+] GlobalSign Root CA - R3
Status Valid
Issuer GlobalSign
Valid from 11:00 AM 3/18/2009
Valid to 11:00 AM 3/18/2029
Valid usage Server Auth, Client Auth, Code Signing, Email Protection, Timestamp Signing, EFS, IPSEC Tunnel, IPSEC User
Algorithm sha256RSA
Thumbprint D69B561148F01C77C54578C10926DF5B856976AD
Serial number 04 00 00 00 00 01 21 58 53 08 A2
Packers identified
F-PROT ZIP
PE header basic information
Target machine Intel 386 or later processors and compatible processors
Compilation timestamp 2011-11-07 04:18:01
Entry Point 0x00001362
Number of sections 5
PE sections
Overlays
MD5 15752d091caabd7daa016bcfa3c3d619
File type application/zip
Offset 126976
Size 543216
Entropy 8.00
PE imports
GetLastError
InitializeCriticalSectionAndSpinCount
HeapFree
GetStdHandle
EnterCriticalSection
LCMapStringW
SetHandleCount
LoadLibraryA
GetModuleFileNameW
WaitForSingleObject
GetExitCodeProcess
QueryPerformanceCounter
IsDebuggerPresent
HeapAlloc
TlsAlloc
GetEnvironmentStringsW
GetFileAttributesW
RtlUnwind
GetModuleFileNameA
GetCPInfo
FreeEnvironmentStringsA
DeleteCriticalSection
GetStartupInfoA
GetEnvironmentStrings
GetLocaleInfoA
GetCurrentProcessId
GetCommandLineW
WideCharToMultiByte
UnhandledExceptionFilter
InterlockedDecrement
MultiByteToWideChar
HeapSize
FreeEnvironmentStringsW
CreateDirectoryW
DeleteFileW
GetProcAddress
GetStringTypeA
GetProcessHeap
GetTempFileNameW
RaiseException
CreateThread
TlsFree
SetFilePointer
ReadFile
SetUnhandledExceptionFilter
GetTempPathW
GetCurrentProcess
CloseHandle
GetSystemTimeAsFileTime
GetCommandLineA
GetACP
HeapReAlloc
GetStringTypeW
GetModuleHandleW
GetOEMCP
TerminateProcess
LCMapStringA
IsValidCodePage
HeapCreate
WriteFile
CreateFileW
VirtualFree
TlsGetValue
Sleep
GetFileType
GetTickCount
TlsSetValue
ExitProcess
GetCurrentThreadId
InterlockedIncrement
VirtualAlloc
SetLastError
LeaveCriticalSection
SHFileOperationW
ShellExecuteExW
PathAppendW
GetMessageW
DispatchMessageW
TranslateMessage
Number of PE resources by type
RT_ICON 7
RT_GROUP_ICON 1
RT_MANIFEST 1
Number of PE resources by language
ENGLISH US 9
PE resources
Debug information
ExifTool file metadata
MIMEType
application/octet-stream

Subsystem
Windows GUI

MachineType
Intel 386 or later, and compatibles

TimeStamp
2011:11:07 05:18:01+01:00

FileType
Win32 EXE

PEType
PE32

CodeSize
60928

LinkerVersion
9.0

FileTypeExtension
exe

InitializedDataSize
65024

SubsystemVersion
5.0

EntryPoint
0x1362

OSVersion
5.0

ImageVersion
0.0

UninitializedDataSize
0

File identification
MD5 2b211f711c2322be699adb3b64126a8d
SHA1 37c28d7ae9dbd8dea6848748256e1d944113a7bd
SHA256 527afa9d3ab2074a1b7e0ea98a8c819cab92dabe81acaf02a13a360fd43306a8
ssdeep
12288:emftwnQC6yTILE9OPwK0myrFD0SfRTzibZPaHUGB6JZzcKuwyqJvT3YJJeNJy:LtwQCFTILE+wpFljubZPabU0KXyqJvb2

imphash f3e974452807d25c2b9375c00e84e2c2
File size 654.5 KB ( 670192 bytes )
File type Win32 EXE
Magic literal
PE32 executable for MS Windows (GUI) Intel 80386 32-bit

TrID Win32 Executable MS Visual C++ (generic) (41.0%)
Win64 Executable (generic) (36.3%)
Win32 Dynamic Link Library (generic) (8.6%)
Win32 Executable (generic) (5.9%)
OS/2 Executable (generic) (2.6%)
Tags
peexe signed overlay

VirusTotal metadata
First submission 2015-04-17 13:07:02 UTC ( 3 years, 6 months ago )
Last submission 2016-11-28 23:34:02 UTC ( 1 year, 10 months ago )
File names jumping.5.exe
527501
jumping.5.exe
673630
fcec80966678b25fccab2be65d189ef9bc5d2c05
KnxnDo1h.docx
Advanced heuristic and reputation engines
Symantec reputation Suspicious.Insight
No comments. No VirusTotal Community member has commented on this item yet, be the first one to do so!

Leave your comment...

?
Post comment

You have not signed in. Only registered users can leave comments, sign in and have a voice!

No votes. No one has voted on this item yet, be the first one to do so!
Condensed report! The following is a condensed report of the behaviour of the file when executed in a controlled environment. The actions and events described were either performed by the file itself or by any other process launched by the executed file or subjected to code injection by the executed file.
Opened files
Read files
Written files
Deleted files
Created processes
Shell commands
Code injections in the following processes
Created mutexes
Opened mutexes
Opened service managers
Opened services
Hooking activity
Runtime DLLs
Additional details
The file sends control codes directly to certain device drivers making use of the DeviceIoControl Windows API function.
The file installs an application-defined hook procedure into a hook chain. You would install a hook procedure to monitor the system for certain types of events. These events are associated either with a specific thread or with all threads in the same desktop as the calling thread. This is done making use of the SetWindowsHook Windows API function.
HTTP requests
DNS requests
TCP connections
UDP communications