I found a "nice" (or, let's just say: retard) analysis of dgVoodooCpl:
https://hybrid-analysis.com/sample/b8d28c0d5a … vironmentId=100
Beware!!! dgVoodooCpl is very, very dangerous, its threat rate is 91/100.
Let's just see some of the gems (suspicious indicators) of the analysis. It's so annoying by now that I'm not going to speak politely here:
Quote:
    Anti-Reverse Engineering
    PE file has unusual entropy sections
    Details: .rsrc with unusual entropies 7.11796850266
    Source: Static Parser
    Relevance: 10/10
I don't know how entropy as a measure is defined and what formula it's calculated by, but I guess the id**ot found the uncompressed logo BMPs (which are much larger than a simple 32x32 icon) and "they don't look" like typical code, JPEG or some other type of data in which the values of consecutive bytes follow a more "random" pattern.
Relevance: 10/10 !!!
Quote:
    Environment Awareness
    Possibly tries to implement anti-virtualization techniques
    Details:
    "DosBox' or 'QEmu'.
    ; EnableGDIHooking: If enabled then dgVoodoo hooks GDI to be able to render graphical contents
    ; (like movie playback through the ancient Windows Multimedia AVI player library)
    ; rendered through GDI - experimental feature, for the time being it's implemented
    ; only for DX emulation
    DesktopResolution = %s
    DesktopBitDepth = %s
    DeframerSize = %s
    ImageScaleFactor = %s
    DisplayROI = %s
    Resampling = %s
    FreeMouse = %s
    WindowedAttributes = %s
    Environment = %s
    EnableGDIHooking = %s
    ;--------------------------------------------------------------------------
    [Glide]
    ; VideoCard: "voodoo_graphics", "voodoo_rush", "voodoo_2", "voodoo_banshee", "other_greater"
    ; OnboardRAM:" (Indicator: "qemu")
    "qemu" (Indicator: "qemu")
    "QEmu" (Indicator: "qemu")
    "; or can be set to 'DosBox' or 'QEmu'." (Indicator: "qemu")
    Source: String
    Relevance: 4/10
"Possibly tries to implement anti-virtualization techniques."
Uhmmm, WTF??? Just because a string of 'DosBox' or 'QEmu' was found??
Relevance: 4/10 (congrats, you ****)
Quote:
    Reads the active computer name
    Details: "dgVoodooCpl.exe" (Path: "HKLM\SYSTEM\CONTROLSET001\CONTROL\COMPUTERNAME\ACTIVECOMPUTERNAME"; Key: "COMPUTERNAME")
    Source: Registry Access
    Relevance: 5/10
    ATT&CK ID: T1012 (MITRE ATT&CK matrix)
No, it doesn't. Maybe indirectly, through a standard Windows API, like when it queries the current user's roaming folder where the dgVoodoo file is searched for by default.
Relevance: 5/10!!!
Quote:
    Contains ability to find and load resources of a specific module
    Details:
    FindResourceW@KERNEL32.dll
    LockResource@KERNEL32.dll
    Source: Hybrid Analysis Technology
    Relevance: 1/10
Yes, it loads its own resources from the .rsrc section, you id**ot.
Thank God, Relevance is only 1/10.
Quote:
    Network Related
    Found potential IP address in binary/memory
    Details: "2.63.0.0"
    Source: String
    Relevance: 3/10
2.63.0.0 as a potential IP address. Hmm... need to say anything here beside ***** ** * *******?
Relevance: 3/10
Quote:
    Unusual Characteristics
    Imports suspicious APIs
    Details:
    LoadLibraryW
    LoadLibraryA
    LockResource
    CreateDirectoryW
    GetProcAddress
    GetFileSizeEx
    GetModuleFileNameW
    WriteFile
    GetModuleHandleW
    FindResourceW
    CreateFileW
    CreateFileA
    FindWindowExW
    Source: Static Parser
    Relevance: 1/10
"Unusual Characteristics + Imports suspicious APIs "
So, the most common APIs like LoadLibrary, GetProcAddress, CreateFile and such are suspicious and unusual...
You poor ******** windows-guru.
Relevance: 1/10
Quote:
    Reads information about supported languages
    Details: "dgVoodooCpl.exe" (Path: "HKLM\SYSTEM\CONTROLSET001\CONTROL\NLS\LOCALE"; Key: "00000409")
    Source: Registry Access
    Relevance: 3/10
    ATT&CK ID: T1012 (MITRE ATT&CK matrix)
No, it doesn't. Maybe through some standard Windows API. But even if it did, then what?
Relevance: 3/10
Quote:
    Contains PDB pathways
    Details: "D:\Dev\dgVoodoo_2.6x\Bin\Win32\Release\dgVoodooCpl.pdb"
    Source: String
    Relevance: 1/10
Yes, it's written there by the linker itself, you *****, in order to find the .pdb file when you want to debug the application.
Relevance: 1/10
Quote:
    Scanning for window names
    Details: "dgVoodooCpl.exe" searching for class "DGVOODOOCOMM"
    Source: API Call
    Relevance: 10/10
    ATT&CK ID: T1010 (MITRE ATT&CK matrix)
Yes, because it can communicate with running instances of dgVoodoo-wrapped processes. This one could be justifiable, but DGVOODOOCOMM is not a standard window-class name, not even one from some popular Windows software or something like that. So, where is the risk?? How many pieces of malware have you encountered in your life scanning for DGVOODOOCOMM, you ****?
Relevance: 10/10
Quote:
    Connects to LPC ports
    Dropped files
    Details: "dgVoodoo.conf" has type "ASCII text with CRLF line terminators"
    Source: Extracted File
    Relevance: 3/10
:DDDDDDD What a threat!!!!!
Relevance: 3/10!!!!
Quote:
    Touches files in the Windows directory
    Details:
    "dgVoodooCpl.exe" touched file "%WINDIR%\System32\en-US\user32.dll.mui"
    "dgVoodooCpl.exe" touched file "%WINDIR%\Globalization\Sorting\SortDefault.nls"
    "dgVoodooCpl.exe" touched file "%WINDIR%\Fonts\StaticCache.dat"
    "dgVoodooCpl.exe" touched file "%WINDIR%\System32\en-US\msctf.dll.mui"
    Source: API Call
    Relevance: 7/10
No, it doesn't. Again, maybe Windows itself when calling into some standard Windows API. Your shit sandboxing environment can't tell where the call is coming from?
Relevance: 7/10
Quote:
    Found potential URL in binary/memory
    Details:
    Pattern match: "http://schemas.microsoft.com/SMI/2005/WindowsSettings"
    Pattern match: "http://www.benshoof.org/blog/minicrt"
    Pattern match: "https://github.com/GPUOpen-Tools/common-src-S … ree/master/DX10"
    Pattern match: "benshoof.org/blog/minicrt"
    Source: String
    Relevance: 10/10
Yes, so it's for sure that dgVoodooCpl phones home and sends the collected keylogs to GitHub or Microsoft...
If your analyzer is thought to be so advanced and hyper-super, then it could analyze the URLs themselves, at least if they are very well known, common and excludable ones, or some other 'random'-nonsense ones (you could use your crap entropy calculation here), or they are in a database or something like that.
Relevance: 10/10 (congrats again, you moron)
Quote:
    System Security
    Opens the Kernel Security Device Driver (KsecDD) of Windows
    Details: "dgVoodooCpl.exe" opened "\Device\KsecDD"
    Source: API Call
    Relevance: 10/10
    ATT&CK ID: T1215 (MITRE ATT&CK matrix)
No, it doesn't. For the n+1th time: maybe through some standard Windows API.
Relevance: 10/10
Summarized: to be absolutely "safe", I shouldn't include uncompressed BMP(!) files amongst the resources because these hyper-advanced modern AV analyzers cannot recognize them (only their suspicious entropy), I shouldn't include a version number because that's a potential IP address, I shouldn't use any regular Windows API like CreateFile or LoadLibrary, and I shouldn't mention URLs in the About dialog, and not even evil CR-LFs that could fly at your throat.
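Added example, not part of the post above and not code from dgVoodoo or from the analysis service: the script below re-implements two of the static heuristics the report applies (the section-entropy measure the post says it does not know the formula for, and the dotted-quad "potential IP address" pattern match) on constructed data, to show why they fire on an uncompressed bitmap resource and on a version number. The sample buffers, the INI-style text, the 10.1.2.3 address and the layout of the version-resource bytes are all constructed for the example; the 2.63.0.0 string is the one quoted in the report.

```python
"""Re-implementation of two static-analysis heuristics on constructed data.

Added example; not code from dgVoodoo or the analysis service. All sample
buffers below are constructed for illustration, not read from a real binary.
"""
import ipaddress
import math
import random
import re
from collections import Counter


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte: 0.0 for a constant buffer, 8.0 for a
    uniform one. Packed or encrypted payloads sit near 8, x86 code is usually
    around 6, and text around 4 to 5; a 24-bit bitmap lands in between, which
    is all a "unusual entropy" rule measures."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def constructed_bitmap_pixels(width: int = 64, height: int = 64) -> bytes:
    """Constructed 24-bit uncompressed pixel data with a smooth gradient,
    standing in for the payload an uncompressed logo BMP adds to .rsrc."""
    out = bytearray()
    for y in range(height):
        for x in range(width):
            out += bytes(((x * 4) & 0xFF, (y * 4) & 0xFF, ((x + y) * 2) & 0xFF))
    return bytes(out)


# Constructed INI-style text in the spirit of the quoted config strings.
CONSTRUCTED_TEXT = b"""; constructed dgVoodoo-style configuration text, not the real file
[General]
OutputAPI = d3d11_fl11_0
Environment = QEmu
DesktopResolution = 1920x1080
EnableGDIHooking = false
""".replace(b"\n", b"\r\n")


def section_entropies() -> dict:
    """Entropy of four constructed 'sections' whose contents differ in kind."""
    rng = random.Random(20240101)  # fixed seed so the random sample is reproducible
    return {
        "constant": shannon_entropy(b"\x00" * 12288),
        "text": shannon_entropy(CONSTRUCTED_TEXT),
        "bitmap": shannon_entropy(constructed_bitmap_pixels()),
        "random": shannon_entropy(rng.randbytes(12288)),
    }


# Same kind of pattern an "IP address in binary" rule uses: four 1-3 digit
# groups separated by dots, not glued to other word characters or dots.
DOTTED_QUAD = re.compile(r"(?<![\w.])(\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})(?![\w.])")
VERSION_CONTEXT = re.compile(r"(File|Product)Version")


def classify_dotted_quads(blob: bytes, context_chars: int = 80) -> list:
    """Find dotted quads in an 8-bit view and a UTF-16LE view of `blob` and
    label each one. A PE version resource stores its strings as UTF-16LE right
    after keys such as 'FileVersion', so a quad preceded by such a key is a
    version number, not an address. Only the even UTF-16 alignment is scanned."""
    views = {
        "ascii": blob.decode("latin-1"),
        "utf-16le": blob.decode("utf-16-le", errors="ignore"),
    }
    found = []
    for name, text in views.items():
        for m in DOTTED_QUAD.finditer(text):
            quad = m.group(1)
            before = text[max(0, m.start() - context_chars):m.start()]
            if VERSION_CONTEXT.search(before):
                label = "version-string"
            else:
                try:
                    addr = ipaddress.ip_address(quad)
                except ValueError:
                    label = "not-an-ip"  # an octet above 255 cannot be an address
                else:
                    label = "private-ip" if addr.is_private else "ip-candidate"
            found.append((name, quad, label))
    return found


def build_sample_blob() -> bytes:
    """Constructed byte image: two ANSI strings, then a UTF-16LE fragment laid
    out like a version resource ('FileVersion' key followed by its value)."""
    ascii_part = (
        b"Opened config \x00"
        b"server=10.1.2.3\x00"   # constructed private address in an ANSI string
        b"2.63.0.0\x00"          # bare ANSI copy of the version number, no context
    )
    if len(ascii_part) % 2:      # keep the UTF-16 fragment 2-byte aligned
        ascii_part += b"\x00"
    return ascii_part + "FileVersion\x002.63.0.0\x00".encode("utf-16-le")


if __name__ == "__main__":
    for name, value in section_entropies().items():
        print(f"{name:9s} entropy = {value:.3f} bits/byte")
    for view, quad, label in classify_dotted_quads(build_sample_blob()):
        print(f"{view:9s} {quad:15s} -> {label}")
```

The entropy figures show the shape of the problem: the gradient bitmap scores well above text yet well below packed data, so a rule that only thresholds the number cannot tell a logo from a payload. The dotted-quad part shows the cheap triage step the report skipped: the very same "2.63.0.0" string is labelled a version number when it sits behind a FileVersion key in the UTF-16 view, and only the context-free ANSI copy keeps the address label.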