About contagio exchange

Contagio Exchange was created to absorb malware samples shared by readers of Contagio. This is meant to be a community-driven malware collection.
Edit Aug 2013 - The community is busy and Mila too, so this was not a very active site (my fault, probably), so I will just be dumping malware strings here - it often helps in malware identification, and googling is the best way.
With just strings, it's not exactly a fun blog to read, but it might become a useful resource over time.
I will not be posting samples here, just MD5s. You can find the corresponding samples on Contagio or ping me if you can't find
M
P.S. Robot pictures delivered by Robohash.com (generated from file hashes)

Tuesday, September 3, 2013

PlugX strings - APT

File: hkcmd.exe
MD5: 23f2c3dbdb65c898a11e7f4ddc598a10
Size: 173592

Ascii Strings:
---------------------------------------------------------------------------
!This program cannot be run in DOS mode.
WRichu
.text
`.rdata
@.data
.rsrc
SVWjD_W3
PVVh
-----------snip
bad allocation
TypeLib
Software
SYSTEM
SECURITY
Mime
Hardware
Interface
FileType
Component Categories
CLSID
AppID
Delete
NoRemove
ForceRemove
USER32.DLL
IsTvWizardInstalled
SOFTWARE\Intel\TvWizard\
ExpansionAllDisplay
SOFTWARE\Intel\Display\igfxcui\hkcmd
Software\Microsoft\Windows\CurrentVersion\App Paths\
.exe
Intel
TvWizard2ft.exe
SOFTWARE\Microsoft\.NETFramework\v3.0
9gpB
T`<y
uj{IActiveDevices
AvailableDevices
Configurations
Software\Intel\Display\igfxcui\
FourthSerialNo
ThirdSerialNo
SecondarySerialNo
PrimarySerialNo
FourthInterlaced
ThirdInterlaced
SecondaryInterlaced
PrimaryInterlaced
FourthRight
FourthLeft
FourthBottom
FourthTop
ThirdRight
ThirdLeft
ThirdBottom
ThirdTop
SecondaryRight
SecondaryLeft
SecondaryBottom
SecondaryTop
PrimaryRight
PrimaryLeft
PrimaryBottom
PrimaryTop
FourthTVHDTV
ThirdTVHDTV
SecondaryTVHDTV
PrimaryTVHDTV
FourthTVStandard
ThirdTVStandard
SecondaryTVStandard
PrimaryTVStandard
FourthDisplayOrientation
ThirdDisplayOrientation
SecondaryDisplayOrientation
PrimaryDisplayOrientation
FourthAspectScaling
ThirdAspectScaling
SecondaryAspectScaling
PrimaryAspectScaling
FourthBPP
FourthRR
FourthYY
FourthXX
ThirdBPP
ThirdRR
ThirdYY
ThirdXX
SecondaryBPP
SecondaryRR
SecondaryYY
SecondaryXX
PrimaryBPP
PrimaryRR
PrimaryYY
PrimaryXX
FourthDevice
ThirdDevice
SecondaryDevice
PrimaryDevice
OperatingMode
-HDRGB
-HDTV
-COMPONENT
-COMPOSITE
-SVIDEO
-SCART
9gpB
FRegDeleteKeyExA
Advapi32.dll
HKCR
HKCU
HKLM
HKPD
HKDD
HKCC
HKEY_CLASSES_ROOT
HKEY_CURRENT_USER
HKEY_LOCAL_MACHINE
HKEY_USERS
HKEY_PERFORMANCE_DATA
HKEY_DYN_DATA
HKEY_CURRENT_CONFIG
ButtonUndraw
ButtonDraw
igfxdo.dll
EnableResDialog
Software\Intel\Display\igfxcui\hkcmd
.tlb
\Implemented Categories
\Required Categories
CLSID\
FUnRegisterTypeLibForUser
RegisterTypeLibForUser
\ehome\ehshell.exe
EnableMovingWindow
.\\Device1\
HkWndName
HkClass
IGFXHKMUTEXT
AppID
Software\Microsoft\Windows\CurrentVersion\Media Center\Extensibility\Categories\More Programs\{84440044-FAC0-441c-A098-720AB987FE22}
EnableTvWizard
TVWizardSupported
SOFTWARE\INTEL\DISPLAY\IGFXCUI\TVWizard
RegServer
UnregServer
9gpB
T`<y
0ATL:%p
Disable
Enable
HotKeys
HotKeysCatcher
igfxcfg.exe
=L9o<
InterlockedPopEntrySList
InterlockedPushEntrySList
kernel32.dll
string too long
invalid string position
Unknown exception
SetThreadStackGuarantee
e+000
GAIsProcessorFeaturePresent
KERNEL32
modf
floor
ceil
atan
exp10
acos
asin
log10
 !"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\]^_`abcdefghijklmnopqrstuvwxyz{|}~
EncodePointer
DecodePointer
FlsFree
FlsSetValue
FlsGetValue
FlsAlloc
bad exception
CorExitProcess
runtime error
TLOSS error
SING error
DOMAIN error
R6034
An application has made an attempt to load the C runtime library incorrectly.
Please contact the application's support team for more information.
R6033
- Attempt to use MSIL code from this assembly during native code initialization
This indicates a bug in your application. It is most likely the result of calling an MSIL-compiled (/clr) function from a native constructor or from DllMain.
R6032
- not enough space for locale information
R6031
- Attempt to initialize the CRT more than once.
This indicates a bug in your application.
R6030
- CRT not initialized
R6028
- unable to initialize heap
R6027
- not enough space for lowio initialization
R6026
- not enough space for stdio initialization
R6025
- pure virtual function call
R6024
- not enough space for _onexit/atexit table
R6019
- unable to open console device
R6018
- unexpected heap error
R6017
- unexpected multithread lock error
R6016
- not enough space for thread data
This application has requested the Runtime to terminate it in an unusual way.
Please contact the application's support team for more information.
R6009
- not enough space for environment
R6008
- not enough space for arguments
R6002
- floating point support not loaded
Microsoft Visual C++ Runtime Library
<program name unknown>
Runtime Error!
Program:
(null)
 Complete Object Locator'
 Class Hierarchy Descriptor'
 Base Class Array'
 Base Class Descriptor at (
 Type Descriptor'
`local static thread guard'
`managed vector copy constructor iterator'
`vector vbase copy constructor iterator'
`vector copy constructor iterator'
`dynamic atexit destructor for '
`dynamic initializer for '
`eh vector vbase copy constructor iterator'
`eh vector copy constructor iterator'
`managed vector destructor iterator'
`managed vector constructor iterator'
`placement delete[] closure'
`placement delete closure'
`omni callsig'
 delete[]
 new[]
`local vftable constructor closure'
`local vftable'
`RTTI
`udt returning'
`copy constructor closure'
`eh vector vbase constructor iterator'
`eh vector destructor iterator'
`eh vector constructor iterator'
`virtual displacement map'
`vector vbase constructor iterator'
`vector destructor iterator'
`vector constructor iterator'
`scalar deleting destructor'
`default constructor closure'
`vector deleting destructor'
`vbase destructor'
`string'
`local static guard'
`typeof'
`vcall'
`vbtable'
`vftable'
operator
 delete
 new
__unaligned
__restrict
__ptr64
__clrcall
__fastcall
__thiscall
__stdcall
__pascal
__cdecl
__based(
_nextafter
_logb
frexp
fmod
_hypot
_cabs
ldexp
fabs
sqrt
atan2
tanh
cosh
sinh
 !"#$%&'()*+,-./0123456789:;<=>?@abcdefghijklmnopqrstuvwxyz[\]^_`abcdefghijklmnopqrstuvwxyz{|}~
 !"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\]^_`ABCDEFGHIJKLMNOPQRSTUVWXYZ{|}~
HH:mm:ss
dddd, MMMM dd, yyyy
MM/dd/yy
December
November
October
September
August
July
June
April
March
February
January
Saturday
Friday
Thursday
Wednesday
Tuesday
Monday
Sunday
GetProcessWindowStation
GetUserObjectInformationA
GetLastActivePopup
GetActiveWindow
MessageBoxA
1#QNAN
1#INF
1#IND
1#SNAN
SunMonTueWedThuFriSat
JanFebMarAprMayJunJulAugSepOctNovDec
CONOUT$
LoadSTRING
FindResources
LoadSTRINGFromHKCU
hccutils.DLL
GetProcAddress
GetModuleHandleA
CreateProcessA
FreeLibrary
LoadLibraryA
CloseHandle
GetLastError
InterlockedDecrement
SearchPathA
CompareFileTime
MultiByteToWideChar
WideCharToMultiByte
lstrlenW
RaiseException
InitializeCriticalSection
DeleteCriticalSection
lstrlenA
lstrcmpiA
InterlockedIncrement
GetModuleFileNameA
GetModuleHandleW
IsDBCSLeadByte
SizeofResource
LoadResource
FindResourceA
LoadLibraryExA
GetWindowsDirectoryA
Sleep
CreateMutexA
GetCurrentThreadId
GetCommandLineA
EnterCriticalSection
LeaveCriticalSection
FlushInstructionCache
GetCurrentProcess
GetSystemDefaultLangID
GetSystemDefaultUILanguage
GetUserDefaultUILanguage
GetLocaleInfoA
SetLastError
KERNEL32.dll
wsprintfA
EnumDisplaySettingsA
GetWindowLongA
GetCursorPos
EnumDisplayDevicesA
MessageBoxA
CharNextA
CharNextW
PostThreadMessageA
SendMessageA
SetWindowTextA
GetWindowRect
GetDesktopWindow
GetDlgItem
DestroyWindow
KillTimer
DefWindowProcA
PeekMessageA
PostQuitMessage
ShowWindow
CreateDialogParamA
IsWindow
SetTimer
DispatchMessageA
GetMessageA
CreateWindowExA
RegisterClassA
SetWindowLongA
GetClassInfoExA
LoadCursorA
GetKeyboardLayoutList
GetKeyboardLayout
GetKeyNameTextA
MapVirtualKeyExA
ActivateKeyboardLayout
RegisterHotKey
UnregisterHotKey
RegisterClassExA
CallWindowProcA
USER32.dll
RegCloseKey
RegOpenKeyExA
RegQueryValueExA
RegOpenKeyA
RegCreateKeyExA
RegSetValueExA
RegDeleteKeyA
RegEnumKeyExA
RegDeleteValueA
RegQueryInfoKeyA
ADVAPI32.dll
ShellExecuteExA
SHELL32.dll
CoCreateInstance
CoTaskMemAlloc
CoTaskMemRealloc
CoRevokeClassObject
CoRegisterClassObject
CoTaskMemFree
CoSuspendClassObjects
StringFromGUID2
CoUninitialize
CoInitialize
ole32.dll
OLEAUT32.dll
InterlockedCompareExchange
HeapFree
GetProcessHeap
HeapAlloc
IsProcessorFeaturePresent
VirtualFree
VirtualAlloc
TerminateProcess
UnhandledExceptionFilter
SetUnhandledExceptionFilter
IsDebuggerPresent
RtlUnwind
VirtualProtect
GetSystemInfo
VirtualQuery
GetStartupInfoA
GetCPInfo
GetACP
GetOEMCP
IsValidCodePage
TlsGetValue
TlsAlloc
TlsSetValue
TlsFree
LCMapStringW
ExitProcess
HeapReAlloc
HeapCreate
WriteFile
GetStdHandle
HeapSize
FreeEnvironmentStringsA
GetEnvironmentStrings
FreeEnvironmentStringsW
GetEnvironmentStringsW
SetHandleCount
GetFileType
QueryPerformanceCounter
GetTickCount
GetCurrentProcessId
GetSystemTimeAsFileTime
LCMapStringA
GetStringTypeA
GetStringTypeW
CompareStringA
CompareStringW
SetEnvironmentVariableA
InitializeCriticalSectionAndSpinCount
SetFilePointer
GetConsoleCP
GetConsoleMode
SetStdHandle
WriteConsoleA
GetConsoleOutputCP
WriteConsoleW
CreateFileA
FlushFileBuffers
UnregisterClassA
schemename
schemeexe
szresetonexit
szopmode
szbpp
szrrate
szrotation
szaspect
szdevice
szbblue
szbgreen
szbred
szcblue
szcgreen
szcred
szgblue
szggreen
szgred
szsx
szsy
szsbpp
szsrrate
szsrotation
szsaspect
szsdevice
szsbblue
szsbgreen
szsbred
szscblue
szscgreen
szscred
szsgblue
szsggreen
szsgred
szPriTvFullScreen
szSecTvFullScreen
szPriTvStandard
szSecTvStandard
szLeft
szRight
szTop
szBottom
szsLeft
szsRight
szsTop
szsBottom
szPriTVType
szSecTVType
szOvlSaturation
szOvlBrightness
szOvlContrast
szOvlGamma
szOvlHue
szPriCustomScaleX
szPriCustomScaleY
szSecCustomScaleX
szSecCustomScaleY
szPriIndependentRot
szSecIndependentRot
szPriInterlaced
szSecInterlaced
szDummy
sztx
szty
sztbpp
sztrrate
sztrotation
sztaspect
sztdevice
sztbblue
sztbgreen
sztbred
sztcblue
sztcgreen
sztcred
sztgblue
sztggreen
sztgred
szfx
szfy
szfbpp
szfrrate
szfrotation
szfaspect
szfdevice
szfbblue
szfbgreen
szfbred
szfcblue
szfcgreen
szfcred
szfgblue
szfggreen
szfgred
szThirdTvFullScreen
szFourthTvFullScreen
szThirdTvStandard
szFourthTvStandard
sztLeft
sztRight
sztTop
sztBottom
szfLeft
szfRight
szfTop
szfBottom
szThirdTVType
szFourthTVType
szThirdCustomScaleX
szThirdCustomScaleY
szFourthCustomScaleX
szFourthCustomScaleY
szThirdInterlaced
szFourthInterlaced
.?AVbad_alloc@std@@
.?AVexception@std@@
SHIFT
CTRL
Left
Down
Right
<ERR>
NUM 0
NUM 1
NUM 2
NUM 3
NUM 4
NUM 5
NUM 6
NUM 7
NUM 8
NUM 9
Left
Down
Right
.?AVCAtlException@ATL@@
.?AVCHotKey@@
.?AVCComModule@ATL@@
.?AV?$CAtlModuleT@VCComModule@ATL@@@ATL@@
.?AVCAtlModule@ATL@@
.?AU_ATL_MODULE70@ATL@@
.?AVCRegObject@ATL@@
.?AUIRegistrarBase@@
.?AUIUnknown@@
.?AVCExeModule@@
SHIFT
CTRL
Left
Down
Right
<ERR>
NUM 0
NUM 1
NUM 2
NUM 3
NUM 4
NUM 5
NUM 6
NUM 7
NUM 8
NUM 9
Left
Down
Right
.?AVCHotKeysCatcher@@
.?AV?$CWindowImpl@VCHotKeysCatcher@@VCWindow@ATL@@V?$CWinTraits@$0FGAAAAAA@$0A@@3@@ATL@@
.?AV?$CWindowImplBaseT@VCWindow@ATL@@V?$CWinTraits@$0FGAAAAAA@$0A@@2@@ATL@@
.?AV?$CWindowImplRoot@VCWindow@ATL@@@ATL@@
.?AVCWindow@ATL@@
.?AVCMessageMap@ATL@@
.?AVlogic_error@std@@
.?AVlength_error@std@@
.?AVout_of_range@std@@
.?AV_com_error@@
.?AVtype_info@@
                         
abcdefghijklmnopqrstuvwxyz
ABCDEFGHIJKLMNOPQRSTUVWXYZ
                         
abcdefghijklmnopqrstuvwxyz
ABCDEFGHIJKLMNOPQRSTUVWXYZ
.?AVbad_exception@std@@
HKCR
NoRemove AppID
{DC43D1A5-EB66-11D3-B561-00A0C92E6848} = s 'hkcmd'
'hkcmd.EXE'
val AppID = s {DC43D1A5-EB66-11D3-B561-00A0C92E6848}
PADMSFT
3yHKCMDLib
hkcmd 1.0 Type Library
Created by MIDL version 7.00.0500 at Fri Aug 14 10:34:51 2009
<assembly xmlns="urn:schemas-microsoft-com:asm.v1" manifestVersion="1.0">
  <trustInfo xmlns="urn:schemas-microsoft-com:asm.v3">
    <security>
      <requestedPrivileges>
        <requestedExecutionLevel level="asInvoker" uiAccess="false"></requestedExecutionLevel>
      </requestedPrivileges>
    </security>
  </trustInfo>
</assembly>
Z0X03
>0!0
VeriSign, Inc.1+0)
"VeriSign Time Stamping Services CA0
070615000000Z
120614235959Z0\1
VeriSign, Inc.1402
+VeriSign Time Stamping Services Signer - G20
(0&0$
http://ocsp.verisign.com0
,0*0(
"http://crl.verisign.com/tss-ca.crl0
TSA1-20
Western Cape1
Durbanville1
Thawte1
Thawte Certification1
Thawte Timestamping CA0
031204000000Z
131203235959Z0S1
VeriSign, Inc.1+0)
"VeriSign Time Stamping Services CA0
http://ocsp.verisign.com0
:0806
0http://crl.verisign.com/ThawteTimestampingCA.crl0
TSA2048-1-530
?7!Op1
Ief8
VeriSign, Inc.1705
.Class 3 Public Primary Certification Authority0
040716000000Z
140715235959Z0
VeriSign, Inc.1
VeriSign Trust Network1;09
2Terms of use at https://www.verisign.com/rpa (c)041.0,
%VeriSign Class 3 Code Signing 2004 CA0
"'$l8
https://www.verisign.com/rpa01
*0(0&
 http://crl.verisign.com/pca3.crl0
Class3CA2048-1-430
==d6|h
a0_1
VeriSign, Inc.1705
.Class 3 Public Primary Certification Authority
yg#$
/cU}
VeriSign, Inc.1
VeriSign Trust Network1;09
2Terms of use at https://www.verisign.com/rpa (c)041.0,
%VeriSign Class 3 Code Signing 2004 CA0
080321000000Z
110423235959Z0
California1
Folsom1
Intel Corporation1>0<
5Digital ID Class 3 - Microsoft Software Validation v21
ISWQL1
Intel Corporation0
/http://CSC3-2004-crl.verisign.com/CSC3-2004.crl0D
=0;09
0*0(
https://www.verisign.com/rpa0
i0g0$
http://ocsp.verisign.com0?
3http://CSC3-2004-aia.verisign.com/CSC3-2004-aia.cer0
Washington1
Redmond1
Microsoft Corporation1)0'
 Microsoft Code Verification Root0
060523170129Z
160523171129Z0_1
VeriSign, Inc.1705
.Class 3 Public Primary Certification Authority0
Dhttp://crl.microsoft.com/pki/crl/products/MicrosoftCodeVerifRoot.crl0
VeriSign, Inc.1
VeriSign Trust Network1;09
2Terms of use at https://www.verisign.com/rpa (c)041.0,
%VeriSign Class 3 Code Signing 2004 CA
6j*j
0g0S1
VeriSign, Inc.1+0)
"VeriSign Time Stamping Services CA
090821171248Z0#
`Ez#

Unicode Strings:
---------------------------------------------------------------------------
jjjjj
\DriverDefaultAlgoSettings
APPID
HKCU
Software
Classes
OLEAUT32.DLL
@REGISTRY
Module_Raw
Module
ekernel32.dll
KERNEL32.DLL
mscoree.dll
(null)
REGISTRY
TYPELIB
Hkcmd
hkcmd
igfxres.dll
igfx.hlp
igfxr
.lrc
igfxh
.lhp
VS_VERSION_INFO
StringFileInfo
040904b0
Comments
CompanyName
Intel Corporation
FileDescription
hkcmd Module
FileVersion
6.14.10.5102
InternalName
HKCMD
LegalCopyright
Copyright 1999-2006, Intel Corporation
LegalTrademarks
OriginalFilename
HKCMD.EXE
PrivateBuild
ProductName
Intel(R) Common User Interface
ProductVersion
6.14.10.5102
SpecialBuild
VarFileInfo
Translation
<<<Obsolete>>
CrossC