PUP.Taobao.A

By CagedTech in Potentially Unwanted Programs

Table of Contents

Analysis Report

General information

Family Name:	PUP.Taobao.A
Signature status:	Hash Mismatch

Known Samples

MD5: ef31b5cb5e05957c5c96fc584f7caf7d

SHA1: cb3058009aadbb53604f900f14aa03f73f679289

SHA256: CC3E2580C4470F3AA41BECDE80F50A134F194E5D234A27339A63F5DECB561CEA

File Size: 1.28 MB, 1282048 bytes

Windows Portable Executable Attributes

File doesn't have "Rich" header
File has exports table
File has TLS information
File is 32-bit executable
File is either console or GUI application
File is GUI application (IMAGE_SUBSYSTEM_WINDOWS_GUI)
File is Native application (NOT .NET application)
File is not packed
IMAGE_FILE_DLL is not set inside PE header (Executable)
IMAGE_FILE_EXECUTABLE_IMAGE is set inside PE header (Executable Image)

File Icons

Windows PE Version Information

Name	Value
Company Name	UCWeb Inc.
Company Short Name	UCWeb Inc.
File Description	UCBrowser Online Installer
File Version	1.0.0.0
Internal Name	online_installer_exe
Last Change	73f648de558045928473aa66cf189e43cd80aef8
Legal Copyright	Copyright 2008-2014 UCWeb Inc. All rights reserved.
Official Build	0
Product Name	UC Browser
Product Short Name	UC Browser
Product Version	1.0.0.0

Digital Signatures

Signer	Root	Status
TAOBAO (CHINA) SOFTWARE CO.,LTD.	Symantec Class 3 SHA256 Code Signing CA	Hash Mismatch
TAOBAO (CHINA) SOFTWARE CO.,LTD.	VeriSign Class 3 Code Signing 2010 CA	Hash Mismatch

File Traits

2+ executable sections
HighEntropy
Installer Version
x86

Block Information

Total Blocks:	5,223
Potentially Malicious Blocks:	337
Whitelisted Blocks:	4,509
Unknown Blocks:	377

Visual Map

0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 x 0 0 0 0 0 ? 0 0 0 0 0 x 0 x 0 x 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 ? ? 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 ? 0 0 ? 0 ? 0 0 0 0 0 0 x 0 ? 0 0 x x x ? x x 0 0 0 0 0 0 0 0 ? 0 0 0 ? 0 0 0 0 ? 0 0 0 ? 0 0 ? 0 ? 0 ? 0 ? 0 0 0 ? ? ? 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 ? 0 0 0 0 0 0 0 ? 0 0 0 0 0 0 0 0 0 0 0 0 0 ? 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 ? 0 0 0 ? ? ? ? 0 ? ? ? ? 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 ? 0 0 0 0 0 0 0 0 0 0 ? 0 x ? 0 0 0 ? x 0 x ? 0 0 0 0 0 0 0 0 0 x 0 0 0 0 ? 0 ? 0 x x ? x 0 ? ? x ? 0 0 0 0 ? ? 0 x 0 x 0 0 0 0 0 0 0 0 x ? 0 0 0 0 x 0 x x x ? 0 0 0 0 0 0 ? ? 0 1 0 0 0 0 0 0 x 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 ? x 0 0 0 0 0 0 0 0 ? 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 ? 0 x 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 ? 0 0 0 0 0 0 0 x ? 0 x 0 0 ? 0 0 0 0 0 0 0 0 0 ? 0 ? ? x ? 0 ? 0 0 0 0 0 x x 0 ? ? ? ? ? 0 ? 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 x 0 0 0 ? 0 0 0 0 0 ? ? 0 0 0 0 x 0 0 0 x 0 0 0 0 0 0 0 0 0 0 0 0 0 0 ? 0 0 0 0 0 0 0 0 0 0 ? 0 0 0 0 0 0 0 0 0 0 x 0 0 0 ? 0 ? 0 0 0 0 ? 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 ? 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 ? ? ? ? 0 0 ? 0 ? x 0 0 0 0 0 0 ? ? 0 0 ? 0 0 0 ? 0 0 0 0 ? 0 0 0 x 0 0 0 0 x x ? ? x 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 x ? 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 ? 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 ? 0 0 0 0 0 0 0 0 0 0 ? 0 0 0 0 0 0 ? 0 0 ? ? 0 0 0 0 ? ? ? 0 ? 0 x x ? ? 0 0 x x ? ? 0 0 x 0 0 0 0 0 0 0 0 0 0 0 0 0 x 0 ? 0 0 0 0 0 ? 0 ? 0 0 0 0 0 ? 0 0 0 0 0 0 0 0 x 0 ? 0 0 0 0 0 0 0 ? 0 0 0 0 0 0 0 0 0 0 0 0 0 x 0 0 0 0 0 0 0 0 0 0 0 0 0 0 ? 0 0 0 ? 0 0 ? ? ? 0 x x x 0 x 0 0 0 0 0 0 0 ? 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 ? 0 0 0 0 0 0 0 0 0 x 0 0 x x x 0 ? ? 0 0 0 x 0 0 x x x ? ? ? 0 x 0 x 0 0 x ? 0 ? ? 0 0 ? x x 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 ? 0 ? ? ? ? ? 0 0 0 0 0 x 0 0 0 ? x 0 0 0 x ? ? 0 x 0 0 ? 0 0 ? ? ? 0 ? 0 x 0 0 0 0 0 0 0 0 0 0 x 0 0 x 0 0 0 0 0 0 0 0 0 0 0 0 0 0 ? ? ? ? 0 0 0 0 0 0 0 0 0 0 ? 0 0 0 0 0 0 0 0 0 ? 0 0 ? 0 0 0 ? 0 ? 0 0 0 ? 0 0 0 0 0 0 0 0 0 0 ? 0 x 0 0 ? 0 ? 0 0 0 0 ? 0 0 0 x 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 x 0 ? x ? 0 0 ? 0 x x 0 ? x x 0 0 0 0 0 x ? x 0 x 0 0 0 x 0 0 x x x x 0 0 0 x 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 ? 0 0 0 0 0 0 0 0 0 x 0 0 0 0 x 0 0 0 x 0 0 0 0 x 0 0 0 0 0 0 0 x ? ? 0 0 0 0 0 0 0 0 0 ? 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 x 0 0 0 0 0 0 0 0 0 0 x 0 ? ? 0 0 0 0 0 ? ? 0 0 0 0 0 0 0 0 0 0 x ? 0 x 0 ? 0 ? ? 0 0 0 0 0 x 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 x 0 x 0 x 0 x 0 x 0 0 0 0 x 0 0 0 0 0 0 0 0 ? x 0 0 0 0 x 0 0 0 0 0 0 0 0 0 ? 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 x 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 1 1 1 0 0 0 0 0 x 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 x ? 0 1 0 0 0 0 0 0 0 0 0 0 0 0 ? ? 0 0 0 0 0 x 0 0 0 0 0 0 0 x x 0 0 0 0 0 ? 0 0 0 0 0 0 0 0 0 0 0 x 0 0 0 0 0 x ? ? 0 1 1 ? 0 ? ? ? ? 0 ? 0 0 0 ? ? ? ? 0 0 1 ? ? ? 0 ? ? 0 0 0 0 0 ? 0 1 1 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 1 1 ? ? ? 0 0 0 ? ? ? 0 0 0 0 0 0 0 0 0 ? ? 0 0 ? ? ? ? 0 0 ? ? ? ? ? ? ? ? ? ? ? ? 0 ? ? ? ? ? ? ? ? ? 0 0 0 ? ? ? ? ? 0 0 0 0 0 0 ? 0 0 0 0 ? 0 ? 0 ? 0 1 1 1 0 0 0 ? ? 0 0 0 ? ? ? ? 0 0 ? 0 ? ? ? ? 0 0 0 0 1 ? ? ? 0 0 ? 0 0 0 ? 0 ? ? ? ? ? ? ? ? 0 ? x 0 0 0 ? 0 0 0 x 0 0 ? 0 1 1 x 0 x 0 0 0 0 0 0 0 0 0 0 0 x 0 0 0 0 x 0 0 0 0 ? ? 0 x ? 0 ? x ? x x 0 x x x ? x 0 0 0 0 x 0 0 0 0 x 0 0 0 0 0 0 0 0 ? 0 1 ? ? ? 0 0 ? 0 1 0 x 0 0 ? 0 ? x 0 0 ? ? ? 0 ? ? 0 0 0 x ? 0 0 1 1 0 0 0 0 x 0 0 x x 0 0 x 0 ? 0 ? 0 ? 0 0 0 0 0 0 x 0 0 0 0 0 x x 0 0 0 x 0 0 0 ? 0 0 ? x ? x ? 0 x 0 1 0 ? x 0 0 0 ? ? ? x 0 ? ? ? ? 0 ? ? x ? x ? ? 0 0 0 0 ? ? ? ? 0 ? ? ? x ? 0 0 1 1 ? 0 x 0 ? ? x ? x 0 x x x 0 ? ? 0 0 0 1 0 ? 0 ? ? ? ? ? ? x ? ? ? 0 ? 0 ? ? ? ? ? ? 0 x 0 x ? 0 1 0 ? x ? 0 0 ? 0 x ? x x x ? ? x 0 ? x 0 0 ? 0 1 x x x ? 0 x x 0 x x 0 x x x x x x x x x x x 0 x x 0 0 x 0 0 0 0 0 0 0 0 0 0 0 1 x x x 0 0 x x 0 0 0 0 0 x x 0 0 0 0 0 0 0 0 x x x 0 0 0 0 0 0 0 0 0 0 0 1 1 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 x 0 0 0 x 0 0 0 0 0 x 0 0 0 0 x 0 0 x 0 0 0 0 0 x 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 x x x x x 0 x x x 0 0 0 0 0 0 0 0 0 0 0 0 0 0 x 0 0 0 0 0 0 0 0 0 0 0 0 x x 0 x ? 0 0 0 0 0 0 0 0

... Data truncated

0 - Probable Safe Block
? - Unknown Block
x - Potentially Malicious Block

Files Modified

File	Attributes
\device\harddisk0\dr0	Generic Read,Write Data,Write Attributes,Write extended,Append data
c:\users\user\appdata\local\ucbrowser\online_downloader\download.log	Read Attributes,Synchronize,Append data
c:\users\user\appdata\local\ucbrowser\online_downloader\dumps\browser_online-installer_6.1.2015.1007_900e4458777f3830e79cd0d4bc6e5ad2v0000002c5100899_a361fa3e53919a4aae1bab615d957620_0\process.dmp	Generic Write,Read Attributes
c:\users\user\appdata\local\ucbrowser\online_downloader\stats_uploader.exe	Generic Write,Read Attributes
c:\users\user\downloads\debug.log	Read Attributes,Synchronize,Append data

Registry Modifications

Key::Value	Data	API Name
HKLM\software\wow6432node\ucbrowserpid::machineid		RegNtPreCreateKey
HKCU\software\ucbrowserpid::machineid		RegNtPreCreateKey
HKLM\software\wow6432node\ucbrowserpid::machineidex	900e4458777f3830e79cd0d4bc6e5ad2v0000002c5100899	RegNtPreCreateKey
HKCU\software\ucbrowserpid::machineidex	900e4458777f3830e79cd0d4bc6e5ad2v0000002c5100899	RegNtPreCreateKey
HKLM\system\controlset001\services\bam\state\usersettings\s-1-5-21-3119368278-1123331430-659265220-1001::\device\harddiskvolume2\windows\system32\conhost.exe	嘶낑ꪹǜ	RegNtPreCreateKey
HKLM\system\controlset001\services\bam\state\usersettings\s-1-5-21-3119368278-1123331430-659265220-1001::\device\harddiskvolume2\windows\system32\conhost.exe	ꐺ낟ꪹǜ	RegNtPreCreateKey

Windows API Usage

Category	API
Anti Debug	IsDebuggerPresent NtQuerySystemInformation OutputDebugString
Process Manipulation Evasion	NtUnmapViewOfSection ReadProcessMemory
Process Shell Execute	CreateProcess
Syscall Use	ntdll.dll!NtAccessCheck ntdll.dll!NtAlertThreadByThreadId ntdll.dll!NtAlpcSendWaitReceivePort ntdll.dll!NtApphelpCacheControl ntdll.dll!NtClearEvent ntdll.dll!NtClose ntdll.dll!NtConnectPort ntdll.dll!NtCreateEvent ntdll.dll!NtCreateFile ntdll.dll!NtCreateMutant Show More ntdll.dll!NtCreateSection ntdll.dll!NtCreateSemaphore ntdll.dll!NtDuplicateObject ntdll.dll!NtDuplicateToken ntdll.dll!NtEnumerateValueKey ntdll.dll!NtFreeVirtualMemory ntdll.dll!NtMapViewOfSection ntdll.dll!NtOpenFile ntdll.dll!NtOpenKey ntdll.dll!NtOpenKeyEx ntdll.dll!NtOpenProcessToken ntdll.dll!NtOpenProcessTokenEx ntdll.dll!NtOpenSection ntdll.dll!NtOpenSemaphore ntdll.dll!NtOpenThreadTokenEx ntdll.dll!NtProtectVirtualMemory ntdll.dll!NtQueryAttributesFile ntdll.dll!NtQueryInformationProcess ntdll.dll!NtQueryInformationThread ntdll.dll!NtQueryInformationToken ntdll.dll!NtQueryKey ntdll.dll!NtQueryPerformanceCounter ntdll.dll!NtQuerySecurityAttributesToken ntdll.dll!NtQueryValueKey ntdll.dll!NtQueryVirtualMemory ntdll.dll!NtQueryVolumeInformationFile ntdll.dll!NtQueryWnfStateData ntdll.dll!NtReleaseMutant ntdll.dll!NtReleaseSemaphore ntdll.dll!NtReleaseWorkerFactoryWorker ntdll.dll!NtRequestWaitReplyPort ntdll.dll!NtSetEvent ntdll.dll!NtSetInformationProcess ntdll.dll!NtSetInformationVirtualMemory ntdll.dll!NtSetInformationWorkerFactory ntdll.dll!NtSubscribeWnfStateChange ntdll.dll!NtTestAlert ntdll.dll!NtTraceControl ntdll.dll!NtUnmapViewOfSection ntdll.dll!NtUnmapViewOfSectionEx ntdll.dll!NtWaitForAlertByThreadId ntdll.dll!NtWaitForSingleObject ntdll.dll!NtWaitForWorkViaWorkerFactory ntdll.dll!NtWaitLowEventPair ntdll.dll!NtWorkerFactoryWorkerReady ntdll.dll!NtWriteFile UNKNOWN
User Data Access	GetUserObjectInformation
Network Wininet	InternetOpen InternetOpenUrl InternetReadFile
Process Terminate	TerminateProcess

Shell Command Execution


							"C:\Users\Wrfscjtw\AppData\Local\UCBrowser\Online_Downloader\stats_uploader.exe" --normal-stats1=https://i18nmmstat.ucweb.com/lv=1.0&encrypt_data=bTkwAkGKlyq5g3OjXWLReWWH4QkZzytj/FzD6UXR6X51L1vfGqjOCY/nHCF/VFZEWqw/nnl11kOJKuc8JH0yehMzxVl2yfUnx4kM9zr5WjF5QB1EaZyTzaVWPKQzQSvEOYvmyTFh696+xMZimh1ivDYEWtKeMwTlSSsMJMbrh/7D5TlNy4hwpwL9paKe4KyK0HyaAswDU8lgMEWp0wiK1bPPAM/MIDCrf0Y/dO/ZoLjuWLnIrqBu6TGCwCHirkNLnMkQE7VMgx8eCm1aNg==


							"C:\Users\Wrfscjtw\AppData\Local\UCBrowser\Online_Downloader\stats_uploader.exe" --type=dump-process --version=6.1.2015.1007 --pid=7572 --tid=8912 --exptr=144167668 --process-type=online-installer --event=browser_crash_7572 --stats-url=https://i18nmmstat.ucweb.com/lv=1.0&encrypt_data=bTkwAhWKoznNg2ewcWLNSJ7FniChiktFeE31jIyInkG4K6JGE/JGEN7kRKN0UJlIAKF/I3kgF1kWKRVN13qcsKw9YNaCw0LvdobsMbatnL1SHYWna5US8YdWtRNJGp2hzt0AkcZkJqp8kFgm+hqsx69YdOGiZS7Fhi2VwAO9qtoC5flVAoEk0kq+kuU6sK2QqiAJNqYRe98kN2GMlx/yqQKAHhBDJD/jxRJ0qHTHveQyAe4wPPA6/3rN3geN9LW79Mn4i9dcb7eUKws57iz2+FtqfvRiDzLNsOosARfR85j+o8WM1L2fg3x6q3vv/C9qNg==

EnigmaSoft’s Payment Processor Digital River GmbH Filing for Bankruptcy Does Not Impact SpyHunter Customers’ Anti-Malware Protection

Search

Change Region

PUP.Taobao.A

Analysis Report

General information

Known Samples

Known Samples

Windows Portable Executable Attributes

Windows Portable Executable Attributes

File Icons

File Icons

Windows PE Version Information

Windows PE Version Information

Digital Signatures

Digital Signatures

File Traits

Block Information

Block Information

Visual Map

Files Modified

Files Modified

Registry Modifications

Registry Modifications

Windows API Usage

Windows API Usage

Shell Command Execution

Shell Command Execution

Submit Comment

Trending

Dohdoor Backdoor

RebateBlast

Wellhabits.xyz

Most Viewed

How To Fix 'Printer Driver is Unavailable' Error

How to Fix 'macOS cannot verify that this app is...

Discord Shows Black Screen when Sharing Screen