***********************************************
*         CTB-Locker Payload imports          *
***********************************************

Library/Function                         RVA
=================================        ========

KERNEL32.dll
------------
FindFirstFileExA                         000E50DC
GetDriveTypeA                            000E50E0
SetEnvironmentVariableA                  000E50E4
CompareStringW                           000E50E8
GetCurrentDirectoryW                     000E50EC
RaiseException                           000E50F0
SetEndOfFile                             000E50F4
GetFileInformationByHandle               000E50F8
FileTimeToLocalFileTime                  000E50FC
FileTimeToSystemTime                     000E5100
CreateFileA                              000E5104
SetConsoleMode                           000E5108
ReadConsoleInputA                        000E510C
GetFileAttributesW                       000E5110
ExitThread                               000E5114
GetDateFormatA                           000E5118
GetTimeFormatA                           000E511C
CreateDirectoryW                         000E5120
CreateMutexW                             000E5124
OpenMutexW                               000E5128
GetModuleHandleW                         000E512C
WTSGetActiveConsoleSessionId             000E5130
CreateProcessW                           000E5134
OpenProcess                              000E5138
ResumeThread                             000E513C
GetModuleHandleA                         000E5140
GetProcAddress                           000E5144
LoadLibraryA                             000E5148
WideCharToMultiByte                      000E514C
ExitProcess                              000E5150
VirtualProtectEx                         000E5154
VirtualProtect                           000E5158
WriteProcessMemory                       000E515C
FindFirstFileW                           000E5160
VirtualAllocEx                           000E5164
VirtualAlloc                             000E5168
HeapDestroy                              000E516C
DeleteCriticalSection                    000E5170
WaitForMultipleObjects                   000E5174
HeapCreate                               000E5178
GetDriveTypeW                            000E517C
InitializeCriticalSection                000E5180
GetLogicalDriveStringsW                  000E5184
SetThreadPriority                        000E5188
GetTempPathW                             000E518C
MoveFileExW                              000E5190
WaitForSingleObject                      000E5194
CreateThread                             000E5198
TerminateThread                          000E519C
Sleep                                    000E51A0
MultiByteToWideChar                      000E51A4
GetTimeZoneInformation                   000E51A8
GetUserGeoID                             000E51AC
GetModuleFileNameW                       000E51B0
GetNativeSystemInfo                      000E51B4
GetVersionExW                            000E51B8
GetVersion                               000E51BC
GetCurrentThread                         000E51C0
LocalFree                                000E51C4
LocalAlloc                               000E51C8
GetLastError                             000E51CC
GetCurrentProcess                        000E51D0
Process32NextW                           000E51D4
Process32FirstW                          000E51D8
CreateToolhelp32Snapshot                 000E51DC
DeleteFileW                              000E51E0
SetFileTime                              000E51E4
WriteFile                                000E51E8
SetFilePointer                           000E51EC
GetFileSize                              000E51F0
GetFileTime                              000E51F4
CloseHandle                              000E51F8
ReadFile                                 000E51FC
CreateFileW                              000E5200
GetCurrentThreadId                       000E5204
GetCurrentProcessId                      000E5208
GetTickCount                             000E520C
GetSystemTimeAsFileTime                  000E5210
HeapFree                                 000E5214
GetProcessHeap                           000E5218
FindClose                                000E521C
FindNextFileW                            000E5220
LeaveCriticalSection                     000E5224
HeapReAlloc                              000E5228
EnterCriticalSection                     000E522C
SetErrorMode                             000E5230
VirtualQuery                             000E5234
CreateIoCompletionPort                   000E5238
PostQueuedCompletionStatus               000E523C
ReleaseSemaphore                         000E5240
CreateSemaphoreA                         000E5244
GetQueuedCompletionStatus                000E5248
FlushConsoleInputBuffer                  000E524C
GetVersionExA                            000E5250
GlobalMemoryStatus                       000E5254
GetSystemInfo                            000E5258
FormatMessageW                           000E525C
CreatePipe                               000E5260
CreateProcessA                           000E5264
GetFullPathNameA                         000E5268
HeapAlloc                                000E526C
GetSystemDirectoryW                      000E5270
SetHandleInformation                     000E5274
PeekNamedPipe                            000E5278
FlushFileBuffers                         000E527C
HeapSize                                 000E5280
IsProcessorFeaturePresent                000E5284
WriteConsoleW                            000E5288
GetCommandLineW                          000E528C
HeapSetInformation                       000E5290
GetStartupInfoW                          000E5294
DecodePointer                            000E5298
UnhandledExceptionFilter                 000E529C
SetUnhandledExceptionFilter              000E52A0
IsDebuggerPresent                        000E52A4
EncodePointer                            000E52A8
TerminateProcess                         000E52AC
GetCPInfo                                000E52B0
InterlockedIncrement                     000E52B4
InterlockedDecrement                     000E52B8
GetACP                                   000E52BC
GetOEMCP                                 000E52C0
IsValidCodePage                          000E52C4
TlsAlloc                                 000E52C8
TlsGetValue                              000E52CC
TlsSetValue                              000E52D0
TlsFree                                  000E52D4
SetLastError                             000E52D8
GetStdHandle                             000E52DC
FreeEnvironmentStringsW                  000E52E0
GetEnvironmentStringsW                   000E52E4
SetHandleCount                           000E52E8
InitializeCriticalSectionAndSpinCount    000E52EC
GetFileType                              000E52F0
QueryPerformanceCounter                  000E52F4
GetConsoleCP                             000E52F8
GetConsoleMode                           000E52FC
LCMapStringW                             000E5300
GetStringTypeW                           000E5304
SetConsoleCtrlHandler                    000E5308
FreeLibrary                              000E530C
LoadLibraryW                             000E5310
RtlUnwind                                000E5314
SetStdHandle                             000E5318

USER32.dll
----------
EndPaint                                 000E5338
DestroyWindow                            000E533C
PostQuitMessage                          000E5340
SetTimer                                 000E5344
DefWindowProc                            000E5348
DrawTextW                                000E534C
GetDC                                    000E5350
ReleaseDC                                000E5354
MoveWindow                               000E5358
ShowWindow                               000E535C
SetWindowTextA                           000E5360
GetDesktopWindow                         000E5364
OemToCharW                               000E5368
SetWindowTextW                           000E536C
GetWindowTextW                           000E5370
GetUserObjectInformationW                000E5374
GetProcessWindowStation                  000E5378
SetWindowRgn                             000E537C
CreateIconFromResource                   000E5380
LoadCursorW                              000E5384
RegisterClassExW                         000E5388
CreateWindowExW                          000E538C
UpdateWindow                             000E5390
GetMessageW                              000E5394
TranslateMessage                         000E5398
DispatchMessageW                         000E539C
GetClientRect                            000E53A0
wsprintfW                                000E53A4
OpenWindowStationW                       000E53A8
RedrawWindow                             000E53AC
FindWindowW                              000E53B0
FindWindowExW                            000E53B4
SetThreadDesktop                         000E53B8
OpenDesktopW                             000E53BC
UnregisterClassW                         000E53C0
BeginPaint                               000E53C4
SendMessageW                             000E53C8
SetProcessWindowStation                  000E53CC

GDI32.dll
---------
SetDIBits                                000E50A4
CreateCompatibleDC                       000E50A8
CreateCompatibleBitmap                   000E50AC
CreateRoundRectRgn                       000E50B0
SetBkColor                               000E50B4
CreateFontW                              000E50B8
TextOutW                                 000E50BC
GetTextExtentPointW                      000E50C0
SetTextColor                             000E50C4
SetBkMode                                000E50C8
BitBlt                                   000E50CC
GetTextExtentPoint32W                    000E50D0
SelectObject                             000E50D4

ADVAPI32.dll
------------
SetSecurityDescriptorGroup               000E5000
CryptSetHashParam                        000E5004
CryptReleaseContext                      000E5008
CryptSignHashA                           000E500C
CryptAcquireContextA                     000E5010
CryptCreateHash                          000E5014
CreateProcessAsUserW                     000E5018
DuplicateTokenEx                         000E501C
RegSetValueExW                           000E5020
RegCreateKeyExW                          000E5024
AdjustTokenPrivileges                    000E5028
LookupPrivilegeValueW                    000E502C
GetUserNameW                             000E5030
CryptAcquireContextW                     000E5034
FreeSid                                  000E5038
AccessCheck                              000E503C
IsValidSecurityDescriptor                000E5040
SetSecurityDescriptorOwner               000E5044
SetSecurityDescriptorDacl                000E5048
AddAccessAllowedAce                      000E504C
InitializeAcl                            000E5050
GetLengthSid                             000E5054
InitializeSecurityDescriptor             000E5058
AllocateAndInitializeSid                 000E505C
DuplicateToken                           000E5060
OpenThreadToken                          000E5064
GetSidSubAuthority                       000E5068
GetTokenInformation                      000E506C
OpenProcessToken                         000E5070
RegCloseKey                              000E5074
RegQueryValueExA                         000E5078
RegOpenKeyExA                            000E507C
CryptGenRandom                           000E5080
CryptDestroyKey                          000E5084
CryptDecrypt                             000E508C
CryptDestroyHash                         000E5090

SHELL32.dll
-----------
ShellExecuteW                            000E5328
GetFolderPathW                           000E532C
ShellExecuteA                            000E5330

ole32.dll
---------
CoUninitialize                           000E5480
CoCreateInstance                         000E5484
CoInitializeSecurity                     000E5488
CoInitialize                             000E548C
CoInitializeEx                           000E5490

OLEAUT32.dll
------------

WS2_32.dll
----------
...
WSASetLastError                          000E5400
shutdown                                 000E5404
sendto                                   000E5408
recvfrom                                 000E540C
WSAIoctl                                 000E5410
listen                                   000E5414
accept                                   000E5418
RtlGetLastWin32Error                     000E541C
htons                                    000E5420
getsockname                              000E5424
gethostbyname                            000E5428
htonl                                    000E542C
htons                                    000E5430
WSACleanup                               000E5434
gethostname                              000E5438
socket                                   000E543C
getaddrinfo                              000E5440
connect                                  000E5444
freeaddrinfo                             000E5448
send                                     000E544C
select                                   000E5450
ioctlsocket                              000E5454
recv                                     000E5458
inet_addr                                000E545C
closesocket                              000E5460
htonl                                    000E5464
WSAStartup                               000E5468

WTSAPI32.dll
------------
WTSQueryUserToken                        000E5470
WTSFreeMemory                            000E5474
WTSEnumerateSessionsW                    000E5478

COMCTL32.dll
------------
InitCommonControlsEx                     000E5094

WININET.dll
-----------
InternetOpenA                            000E53D4
InternetConnectA                         000E53D8
HttpOpenRequestA                         000E53DC
InternetSetOptionA                       000E53E0
HttpSendRequestA                         000E53E4
InternetReadFile                         000E53E8
InternetCloseHandle                      000E53EC

CRYPT32.dll
-----------
CertFreeCertificateContext               000E509C