File Name: autocopypaste.exe
File size: 201454 bytes
MD5: affc7e44208ff978fa197671ea879556
SHA1: d4bd47e279c9761681af697456fca91da51f7107
PEiD: UPX 2.93 - 3.00 [LZMA] -> Markus Oberhumer, Laszlo Molnar & John Reiser
Prevx info: http://info.prevx.com/aboutprogramtext.asp?PX5=E9E0FFB6EEDFC1CC12CC0391E489E100ACB98402

Download/Review URL:
hxxp://www.autohotkey.com
hxxp://www.autohotkey.com/download

A review of this application can be found @
hxxp://www.autohotkey.com/forum/topic14641.html
hxxp://lifehacker.com/software/hack-attack/turn-any-action-into-a-keyboard-shortcut-316589.php

VirusTotal Result: 10/32 (31.25%)
AhnLab-V3: Win-Trojan/Autohk.201407
CAT-QuickHeal: Worm.Autorun.gen
eSafe: suspicious Trojan/Worm
F-Prot: W32/Trojan2.UNJ
Ikarus: Trojan-Dropper.Win32.Binder.ac
NOD32v2: archive damaged
Panda: Suspicious file
Prevx1: Generic.Malware
TheHacker: Trojan/AutoHK.k
VirusBuster: Worm.AutoRun.BY

File Info:

PE Header
Signature: 00004550
Machine: 014C - Intel 386
Number of sections: 0003
Time/Date stamp: 46D419AC
Pointer to symbol table: 00000000
Number of symbols: 00000000
Size of optional header: 00E0
Characteristics: 010F
Magic: 010B
Linker version (major): 07
Linker version (minor): 0A
Size of code: 00030000
Size of initialized data: 00002000
Size of uninitialized data: 0003F000
Address of entry point: 0006E9E0
Base of code: 00040000
Base of data: 00070000
Image base: 00400000
Section alignment: 00001000
File alignment: 00000200
OS version (major): 0004
OS version (minor): 0000
Image version (major): 0000
Image version (minor): 0000
Sub system version (major): 0004
Sub system version (minor): 0000
Win32 version: 00000000
Size of image: 00072000
Size of headers: 00001000
Checksum: 00000000
Sub system: 0002 - Windows graphical user interface (GUI) subsystem
DLL characteristics: 0000
Size of stack reserve: 00400000
Size of stack commit: 00001000
Size of heap reserve: 00100000
Size of heap commit: 00001000
Loader flags: 00000000
Number of RVA: 00000010

PE Sections
--------------------------------------------------
Section  VirtSize  VirtAddr  PhysSize  PhysAddr  Flags
UPX0     0003F000  00001000  00000000  00000400  E0000080
UPX1     00030000  00040000  0002F600  00000400  E0000040
.rsrc    00002000  00070000  00001800  0002FA00  C0000040

Import table (libraries: 12)
KERNEL32.DLL (imports: 6)
  LoadLibraryA GetProcAddress VirtualProtect VirtualAlloc VirtualFree ExitProcess
ADVAPI32.dll (imports: 1)
  RegCloseKey
COMCTL32.dll (imports: 1)
  #17
comdlg32.dll (imports: 1)
  GetOpenFileNameA
GDI32.dll (imports: 1)
  BitBlt
ole32.dll (imports: 1)
  CoInitialize
OLEAUT32.dll (imports: 1)
  #418
SHELL32.dll (imports: 1)
  DragFinish
USER32.dll (imports: 1)
  GetDC
VERSION.dll (imports: 1)
  VerQueryValueA
WINMM.dll (imports: 1)
  mixerOpen
WSOCK32.dll (imports: 1)
  #116

After Unpacking with UPX:
        File size         Ratio      Format      Name
   --------------------   ------   -----------   -----------
    408814 <-    201454   49.28%   win32/pe     autocopypaste.exe

Unpacked 1 file.

File Name: autocopypaste.exe
File size: 408814 bytes
MD5: 8cdbb651bbea6d9aa0ad8bceac165f48
SHA1: 4fe87aa3ae7a0173c85cc22abfbb42fafbf11e88

VirusTotal Result: 3/31 (9.68%)
AhnLab-V3: Dropper/Binder.429653
CAT-QuickHeal: TrojanDropper.Binder.ac
NOD32v2: archive damaged

PE Header
Signature: 00004550
Machine: 014C - Intel 386
Number of sections: 0004
Time/Date stamp: 46D419AC
Pointer to symbol table: 00000000
Number of symbols: 00000000
Size of optional header: 00E0
Characteristics: 010F
Magic: 010B
Linker version (major): 07
Linker version (minor): 0A
Size of code: 00055600
Size of initialized data: 00013A00
Size of uninitialized data: 00000000
Address of entry point: 00041A9E
Base of code: 00001000
Base of data: 00057000
Image base: 00400000
Section alignment: 00001000
File alignment: 00000200
OS version (major): 0004
OS version (minor): 0000
Image version (major): 0000
Image version (minor): 0000
Sub system version (major): 0004
Sub system version (minor): 0000
Win32 version: 00000000
Size of image: 0006C000
Size of headers: 00001000
Checksum: 00000000
Sub system: 0002 - Windows graphical user interface (GUI) subsystem
DLL characteristics: 0000
Size of stack reserve: 00400000
Size of stack commit: 00001000
Size of heap reserve: 00100000
Size of heap commit: 00001000
Loader flags: 00000000
Number of RVA: 00000010

PE Sections
--------------------------------------------------
Section  VirtSize  VirtAddr  PhysSize  PhysAddr  Flags
.text    000555E2  00001000  00055600  00000400  60000020
.rdata   0000A638  00057000  0000A800  00055A00  40000040
.data    00007654  00062000  00002000  00060200  C0000040
.rsrc    00002000  0006A000  00001A00  00062200  40000040

Import table (libraries: 12)
-----------------------------------
KERNEL32.DLL (imports: 123)
  Beep MultiByteToWideChar SetEnvironmentVariableA FileTimeToLocalFileTime GetSystemTimeAsFileTime
  CreateProcessA MulDiv ReadFile GetFileSize CreateFileA WideCharToMultiByte ReadProcessMemory
  WriteProcessMemory TerminateProcess SetPriorityClass OpenProcess GetCurrentProcessId
  GetEnvironmentVariableA GetDateFormatA GetTimeFormatA GetLocalTime GetDiskFreeSpaceA SetErrorMode
  DeviceIoControl GetVolumeInformationA GetDriveTypeA SetVolumeLabelA GetFileAttributesA
  CreateDirectoryA WriteFile GlobalSize DeleteFileA SetFileAttributesA MoveFileA
  LocalFileTimeToFileTime GetSystemTime GetComputerNameA GetWindowsDirectoryA GetTempPathA
  GetFullPathNameA GetShortPathNameA SetLastError FreeLibrary LoadLibraryA LeaveCriticalSection
  EnterCriticalSection GetExitCodeProcess CompareStringA RemoveDirectoryA CopyFileA GetCurrentProcess
  GetPrivateProfileStringA WritePrivateProfileStringA FormatMessageA MapViewOfFile CreateFileMappingA
  UnmapViewOfFile SystemTimeToFileTime FileTimeToSystemTime GetStartupInfoA HeapSize HeapFree
  HeapReAlloc ExitProcess HeapAlloc HeapDestroy HeapCreate VirtualFree VirtualAlloc OutputDebugStringA
  FindFirstFileA FindNextFileA FindClose GetModuleFileNameA DeleteCriticalSection GetVersionExA
  CreateThread SetThreadPriority GetExitCodeThread CloseHandle CreateMutexA GetLastError
  lstrcmpiA GetCurrentThreadId GlobalUnlock GlobalAlloc GlobalLock GlobalFree InitializeCriticalSection
  LCMapStringA LCMapStringW RtlUnwind GetCurrentDirectoryA GetModuleHandleA GetProcAddress Sleep
  SetCurrentDirectoryA GetTickCount InterlockedExchange VirtualQuery SetHandleCount GetStdHandle
  GetFileType GetACP GetOEMCP GetCPInfo UnhandledExceptionFilter FreeEnvironmentStringsA
  GetEnvironmentStrings FreeEnvironmentStringsW GetEnvironmentStringsW SetFilePointer GetCommandLineA
  GetStringTypeA GetStringTypeW GetLocaleInfoA VirtualProtect GetSystemInfo SetStdHandle
  FlushFileBuffers QueryPerformanceCounter SetFileTime SetEndOfFile
ADVAPI32.dll (imports: 19)
  RegDeleteValueA RegDeleteKeyA RegCreateKeyExA RegSetValueExA RegQueryValueExA OpenProcessToken
  LookupPrivilegeValueA AdjustTokenPrivileges OpenSCManagerA LockServiceDatabase UnlockServiceDatabase
  CloseServiceHandle GetUserNameA RegOpenKeyExA RegQueryInfoKeyA RegEnumValueA RegEnumKeyExA
  RegCloseKey RegConnectRegistryA
COMCTL32.dll (imports: 7)
  #6 ImageList_AddMasked #17 ImageList_GetIconSize ImageList_Create ImageList_Destroy ImageList_ReplaceIcon
comdlg32.dll (imports: 2)
  GetOpenFileNameA GetSaveFileNameA
GDI32.dll (imports: 29)
  ExcludeClipRect GetClipRgn FillRgn SetTextColor SetBkColor SetBkMode GetObjectA EnumFontFamiliesExA
  GetClipBox CreateCompatibleBitmap BitBlt GetPixel CreateCompatibleDC GetDIBits GetSystemPaletteEntries
  CreateEllipticRgn CreateRoundRectRgn CreateRectRgn CreatePolygonRgn CreateSolidBrush CreateDCA
  GetDeviceCaps GetStockObject SelectObject GetTextFaceA GetTextMetricsA CreateFontA DeleteObject DeleteDC
ole32.dll (imports: 4)
  CoUninitialize CoCreateInstance CoInitialize CreateStreamOnHGlobal
OLEAUT32.dll (imports: 1)
  #418
SHELL32.dll (imports: 11)
  DragQueryPoint SHFileOperationA SHGetMalloc SHGetDesktopFolder SHBrowseForFolderA
  SHGetPathFromIDListA ShellExecuteExA Shell_NotifyIconA DragQueryFileA DragFinish ExtractIconA
USER32.dll (imports: 146)
  SetWindowTextA IsWindowVisible GetWindowRect GetQueueStatus SetWindowRgn EnumWindows ReleaseDC GetDC
  GetIconInfo SetForegroundWindow IsIconic GetWindowTextLengthA GetDlgItem MessageBeep
  EnumClipboardFormats ClientToScreen GetCaretPos GetCursor MoveWindow SetActiveWindow EnumChildWindows
  SetFocus EnableWindow InvalidateRect SetWindowPos SetDlgItemTextA SendDlgItemMessageA IsZoomed
  DefWindowProcA FillRect GetSysColorBrush GetSysColor RegisterWindowMessageA DialogBoxParamA
  GetMenuStringA GetSubMenu GetMenuItemID GetMenuItemCount IsWindowEnabled ExitWindowsEx RedrawWindow
  CallWindowProcA CheckRadioButton MapWindowPoints PtInRect SetMenu UpdateWindow IntersectRect
  DefDlgProcA GetClassLongA GetMessagePos FlashWindow SetMenuDefaultItem AppendMenuA DestroyMenu IsMenu
  DeleteMenu SetMenuItemInfoA CreatePopupMenu CreateMenu SetRect GetDesktopWindow SetClipboardViewer
  DrawIconEx GetWindow GetTopWindow BringWindowToTop DestroyWindow DestroyIcon ChangeClipboardChain
  IsCharAlphaA AttachThreadInput WindowFromPoint GetSystemMetrics mouse_event keybd_event
  GetKeyNameTextA GetCursorPos MapVirtualKeyA VkKeyScanExA GetKeyboardState SetKeyboardState
  GetWindowTextA PostQuitMessage CharUpperA UnregisterHotKey RegisterHotKey SetWindowsHookExA
  UnhookWindowsHookEx PostThreadMessageA CallNextHookEx GetKeyboardLayout ToAsciiEx CharLowerA
  IsCharAlphaNumericA IsCharLowerA IsCharUpperA EmptyClipboard SetClipboardData OpenClipboard
  GetClipboardFormatNameA GetClipboardData CloseClipboard FindWindowA PostMessageA GetMessageA GetFocus
  GetForegroundWindow GetWindowThreadProcessId GetClassNameA PeekMessageA GetKeyState GetWindowLongA
  SendMessageA IsDialogMessageA ShowWindow CountClipboardFormats ScreenToClient SetWindowLongA
  TranslateAcceleratorA DrawTextA AdjustWindowRectEx SystemParametersInfoA GetClientRect MessageBoxA
  SendMessageTimeoutA LoadCursorA RegisterClassExA CreateWindowExA EnableMenuItem TrackPopupMenuEx
  LoadAcceleratorsA TranslateMessage DispatchMessageA SetTimer IsWindow EndDialog CopyImage LoadImageA
  KillTimer GetMenu CheckMenuItem GetDlgCtrlID GetParent IsClipboardFormatAvailable GetAsyncKeyState
VERSION.dll (imports: 3)
  VerQueryValueA GetFileVersionInfoSizeA GetFileVersionInfoA
WINMM.dll (imports: 12)
  mixerClose joyGetPosEx mciSendStringA mixerGetLineControlsA mixerGetControlDetailsA mixerGetDevCapsA
  mixerGetLineInfoA waveOutGetVolume joyGetDevCapsA waveOutSetVolume mixerOpen mixerSetControlDetails
WSOCK32.dll (imports: 5)
  #115 #57 #52 #11 #116

Embedded Menu:
MENU
LANGUAGE LANG_ENGLISH, SUBLANG_ENGLISH_US
{
    POPUP "&File"
    {
        MENUITEM "&Reload Script\tCtrl+R", 65400
        MENUITEM "&Edit Script\tCtrl+E", 65401
        MENUITEM "&Window Spy", 65402
        MENUITEM SEPARATOR
        MENUITEM "&Pause Script\tPause", 65403
        MENUITEM "&Suspend Hotkeys", 65404
        MENUITEM SEPARATOR
        MENUITEM "E&xit (Terminate Script)", 65405
    }
    POPUP "&View"
    {
        MENUITEM "&Lines most recently executed\tCtrl+L", 65406
        MENUITEM "&Variables and their contents\tCtrl+V", 65407
        MENUITEM "&Hotkeys and their methods\tCtrl+H", 65408
        MENUITEM "&Key history and script info\tCtrl+K", 65409
        MENUITEM SEPARATOR
        MENUITEM "&Refresh\tF5", 65410
    }
    POPUP "&Help"
    {
        MENUITEM "&User Manual\tF1", 65411
        MENUITEM "&Web Site", 65412
    }
}

Embedded Dialog:
DIALOGEX 0, 0, 210, 83
STYLE DS_FIXEDSYS | DS_SETFOREGROUND | DS_CENTER | WS_POPUP | WS_CAPTION | WS_SYSMENU | WS_THICKFRAME
CAPTION "Dialog"
LANGUAGE LANG_ENGLISH, SUBLANG_ENGLISH_US
FONT 10, "MS Shell Dlg", FW_NORMAL, FALSE, 0
{
    CONTROL "", 201, EDIT, ES_LEFT | ES_AUTOHSCROLL | WS_CHILD | WS_VISIBLE | WS_BORDER | WS_TABSTOP, 2, 51, 207, 12
    CONTROL "OK", 1, BUTTON, BS_DEFPUSHBUTTON | WS_CHILD | WS_VISIBLE | WS_TABSTOP, 51, 67, 31, 12
    CONTROL "Cancel", 2, BUTTON, BS_PUSHBUTTON | WS_CHILD | WS_VISIBLE | WS_TABSTOP, 129, 67, 31, 12
    CONTROL "Prompt", 204, STATIC, SS_LEFT | WS_CHILD | WS_VISIBLE | WS_GROUP, 3, 2, 205, 48
}

Embedded Accelerators:
ACCELERATORS
LANGUAGE LANG_ENGLISH, SUBLANG_ENGLISH_US
{
    VK_F1, 65411, NOINVERT, VIRTKEY
    VK_H, 65408, NOINVERT, CONTROL, VIRTKEY
    VK_K, 65409, NOINVERT, CONTROL, VIRTKEY
    VK_L, 65406, NOINVERT, CONTROL, VIRTKEY
    VK_F5, 65410, NOINVERT, VIRTKEY
    VK_V, 65407, NOINVERT, CONTROL, VIRTKEY
    VK_PAUSE, 65403, NOINVERT, VIRTKEY
    VK_E, 65401, NOINVERT, CONTROL, VIRTKEY
    VK_R, 65400, NOINVERT, CONTROL, VIRTKEY
}

(Note: An accelerator is a key combination that causes a menu item to be chosen, whether or not it's visible. Only leaf menu items, that is, menu items that don't bring up other menus, can have accelerators.)

Load Time DLL:
Module Name                                                                                                    Base Address  Size
C:\WINDOWS\system32\ntdll.dll                                                                                  0x7C900000    0x000B0000
C:\WINDOWS\system32\kernel32.dll                                                                               0x7C800000    0x000F5000
C:\WINDOWS\system32\ADVAPI32.dll                                                                               0x77DD0000    0x0009B000
C:\WINDOWS\system32\RPCRT4.dll                                                                                 0x77E70000    0x00092000
C:\WINDOWS\system32\Secur32.dll                                                                                0x77FE0000    0x00011000
C:\WINDOWS\WinSxS\X86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.2982_x-ww_ac3f9c03\COMCTL32.dll  0x773D0000    0x00103000
C:\WINDOWS\system32\msvcrt.dll                                                                                 0x77C10000    0x00058000
C:\WINDOWS\system32\GDI32.dll                                                                                  0x77F10000    0x00047000
C:\WINDOWS\system32\USER32.dll                                                                                 0x7E410000    0x00090000
C:\WINDOWS\system32\SHLWAPI.dll                                                                                0x77F60000    0x00076000
C:\WINDOWS\system32\comdlg32.dll                                                                               0x763B0000    0x00049000
C:\WINDOWS\system32\SHELL32.dll                                                                                0x7C9C0000    0x00815000
C:\WINDOWS\system32\ole32.dll                                                                                  0x774E0000    0x0013D000
C:\WINDOWS\system32\OLEAUT32.dll                                                                               0x77120000    0x0008B000
C:\WINDOWS\system32\VERSION.dll                                                                                0x77C00000    0x00008000
C:\WINDOWS\system32\WINMM.dll                                                                                  0x76B40000    0x0002D000
C:\WINDOWS\system32\WSOCK32.dll                                                                                0x71AD0000    0x00009000
C:\WINDOWS\system32\WS2_32.dll                                                                                 0x71AB0000    0x00017000
C:\WINDOWS\system32\WS2HELP.dll                                                                                0x71AA0000    0x00008000
C:\WINDOWS\system32\IMM32.DLL                                                                                  0x76390000    0x0001D000

Run Time DLL:
Module Name                              Base Address  Size
C:\WINDOWS\system32\UxTheme.dll          0x5AD70000    0x00038000
C:\WINDOWS\system32\MSCTF.dll            0x74720000    0x0004B000
C:\WINDOWS\system32\msctfime.ime         0x755C0000    0x0002E000

Registry Reads:
Key                                                      Name      Value         Times
HKLM\Software\Microsoft\CTF\SystemShared                 CUAS      0             1
HKLM\Software\Microsoft\Windows NT\CurrentVersion\IMM    Ime File  msctfime.ime  1