Running strings against an executable: here are some random findings and the thoughts behind each
The sample file in question
https://www.virustotal.com/#/file/1c44d829d130986ade5661947b841a6a0ca79c37fe1c57ea9b93931362a324f2/detection
!This program cannot be run in DOS mode.
==> so we know this is a Windows executable
MSVBVM50.DLL
VBA5.DLL
==> so we know this program was written with Visual Basic 5.0 Run-time library
@*\AC:\src\Utils\SystemInstaller\SystemInstaller.vdp
SystemInstaller.exe
==> seems to indicate that a .VDP (Visual Studio deployment project) was used when building this, probably for installing the software
kernel32
GetWindowsDirectoryA
GetSystemDirectoryA
GetTempPathA
==> indicates that this software might be using the Windows API to determine the user's Windows, system, and temp folder paths ... perhaps to grab files from or put files in there
c:\program files\devstudio\vb\vb5.olb
==> likely indicates that Microsoft Developer Studio (devstudio) was used to build this Visual Basic 5.0 project
drvSource
fraNewFile
filSource
lstFiles
dirSource
dirSource_Change
drvSource_Change
==> indicates that this program may prompt a user for Drive, Directory, or File popup boxes such as
btnExit_Click
btnFrom_Click
btnMake_Click
btnTo_Click
==> indicates that there is a GUI or user interface to this application
Error extracting from
Couldn't delete
Couldn't open
Couldn't copy
Extracted
Error copying stub (
Error opening
Error copying
__vbaFileClose
__vbaFileOpen
__vbaFileSeek
==> indicates files are likely being opened, copied, and deleted
__vbaPrintFile
==> indicates this software may have printing capabilities, and also confirms this is a Visual Basic program
__vbaPutOwner3
==> indicates this program has multiple windows / popups and it's setting the parent of one window to another window
__vbaRedim
__vbaAryDestruct
==> indicates the program is allocating space for variables / arrays of data
__vbaHresultCheckObj
==> just indicates the program does its own error handling and checks the error codes, which are stored in an HRESULT
You are required to have a destination file name
You must have some files to add
Select-Extracting file name
Make EXE
Should automatically install self-installing system OCX's or DLL's
==> indicates the program is making a program or executable and saving it to disk
MHC Associates
==> could indicate who created this executable; OSINT indicates that MHC Associates, Inc. provides a marketing management system to manage marketing materials from a single online shopping cart.
Microsoft Visual C++ Runtime Library
==> continues to confirm it's a Windows program and that it also uses C++ libraries
SizeofResource
LoadResource
FindResourceA
==> indicates this program may have resources (such as icons) that it's using and loading
LoadLibraryExA
GetProcAddress
LoadLibraryA
GetModuleHandleA
GetModuleFileNameA
==> indicates this program may dynamically load libraries or resolve function addresses at run time
RegDeleteKeyA
RegCreateKeyExA
RegDeleteValueA
RegCloseKey
RegOpenKeyExA
RegEnumKeyExA
RegSetValueExA
RegQueryInfoKeyA
RegEnumValueA
==> indicates this software could open, edit, or delete registry keys and values
OleSaveToStream
OleLoadFromStream
==> indicates this software may use COM objects in Windows
HeapCreate
VirtualFree
VirtualAlloc
==> indicates this program may allocate additional memory
CreateFileA
ReadFile
==> indicates this program may create new or read existing files off disk
EMR_POLYGON16
EMR_POLYDRAW16
EMR_SELECTPALLETTE
==> indicates the program may draw objects or pictures
** PDF file created with demo version of the VideoSoftware VSPDF control. **
==> indicates this installer may include a PDF embedded in it, perhaps readme instructions
deflate 1.0.4 Copyright 1995-1996 Jean-loup Gailly
==> indicates this software may have compressed files embedded in it using the deflate algorithm
VSPDF Control
Copyright 2001 ComponentOne
VSPDF.VSPDF.1 = s ':-) VideoSoft VSPDF 7.0'
Use this control to convert documented created with VSPrinter 7.0 to PDF format. The PDF format is a platform-independent format developed by Adobe Systems and supported by Adobe Acrobat and other products
www.componentone.com
5900-T Hollis Street
Emeryvilla, CA 94608
VSPrinter7
Choose Printer and Print FileW
Printing...
==> indicates the program may use pre-built UI controls (buttons, textboxes, etc.), PDF generation, and printer controls from the vendor ComponentOne
!This program cannot be run in DOS mode
==> a second DOS stub indicates this installer potentially has multiple embedded executables inside it
<TITLE>&s</TITLE>
<BODY BGCOLOR=#%02x%02x%02x">
==> indicates this program may generate HTML or web pages
VeriSign, Inc.1301
https://www.verisign.com/rpa0
ComponentOne1>0<
<ComponentOne VSPRINT7 Ocx Fil
==> indicates one of the embedded executables may be digitally signed by ComponentOne
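To make this kind of triage repeatable, here is an added example (my own code, not from the post) that extracts printable strings the way `strings -n 4` does, matches them against indicator groups mirroring the interpretations above, and counts DOS stubs to flag embedded executables. The byte blob is a constructed stand-in for the real sample; pass a file path to run it on an actual binary.

```python
import re
import sys

# Indicator groups mirroring the interpretations in the post above.
INDICATORS = {
    "vb5_runtime":     {"MSVBVM50.DLL", "VBA5.DLL", "__vbaFileOpen", "__vbaPrintFile"},
    "path_discovery":  {"GetWindowsDirectoryA", "GetSystemDirectoryA", "GetTempPathA"},
    "dynamic_loading": {"LoadLibraryA", "LoadLibraryExA", "GetProcAddress"},
    "registry":        {"RegCreateKeyExA", "RegSetValueExA", "RegDeleteKeyA", "RegDeleteValueA"},
    "resources":       {"FindResourceA", "LoadResource", "SizeofResource"},
    "compression":     {"deflate 1.0.4 Copyright 1995-1996 Jean-loup Gailly"},
}
DOS_STUB = b"This program cannot be run in DOS mode"

# Constructed stand-in for the binary (not the real sample): two PE stubs plus
# a handful of the strings discussed in the post, NUL-separated like a real file.
SAMPLE = (
    b"MZ\x90\x00!" + DOS_STUB + b".\r\n$\x00"
    b"MSVBVM50.DLL\x00VBA5.DLL\x00kernel32\x00GetTempPathA\x00GetWindowsDirectoryA\x00"
    b"LoadLibraryA\x00GetProcAddress\x00RegSetValueExA\x00RegDeleteKeyA\x00"
    b"FindResourceA\x00LoadResource\x00"
    b"deflate 1.0.4 Copyright 1995-1996 Jean-loup Gailly\x00"
    b"MZ\x90\x00!" + DOS_STUB + b".\x00"   # second stub, as seen in the post
)

def extract_strings(data: bytes, min_len: int = 4) -> list:
    """Equivalent of `strings -n 4`: runs of printable ASCII of at least min_len bytes."""
    return [m.decode("ascii") for m in re.findall(rb"[\x20-\x7e]{%d,}" % min_len, data)]

def triage(data: bytes) -> dict:
    """Group matched indicators and count DOS stubs (one per PE header)."""
    strs = extract_strings(data)
    hits = {}
    for group, needles in INDICATORS.items():
        # Substring match so a needle still hits inside a longer extracted run.
        matched = sorted(n for n in needles if any(n in s for s in strs))
        if matched:
            hits[group] = matched
    stubs = data.count(DOS_STUB)
    # Every PE carries its own stub; more than one suggests embedded executables.
    return {"hits": hits, "dos_stubs": stubs, "embedded_pe_likely": stubs > 1}

if __name__ == "__main__":
    blob = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else SAMPLE
    report = triage(blob)
    for group, matched in report["hits"].items():
        print(f"{group}: {', '.join(matched)}")
    print(f"DOS stubs: {report['dos_stubs']} (embedded PE likely: {report['embedded_pe_likely']})")
```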