
CFF Explorer (Common File Format Explorer) was written by Daniel Pistelli. Since CFF Explorer is closed-source, I had to reverse-engineer parts of it. Then I created a small code cave and added extra code that checks the flag value and skips over the extraData field if necessary. If you're interested in how exactly it was done.

The tool lets you inspect and edit the contents of a file's PE header. For example, if you want to analyze the file's code at the addresses your disassembler shows on Windows 8.1 (or any other Windows release with ASLR), clear the DynamicBase flag (IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE, bit 0x0040) in the DllCharacteristics field of the optional header, so the loader maps the image at its preferred ImageBase instead of a randomised one. CFF Explorer labels this flag 'DLL can move', as shown below. This is an edit to the file on disk, so work on a copy and keep the hash of the untouched original for reporting.

Overview:

The SonicWall Capture Labs Threat Research Team recently found a new sample, and new activity in March, for the "Corona-virus" binary analyzed below. Malware authors have taken advantage of the public's appetite for information on the COVID-19 pandemic since it was first reported in December 2019. Most of the world is currently in self-isolation, and people under emotional distress searching for news about the pandemic are more willing to install new applications or click on links they would normally avoid.

Just like the coronavirus, this piece of malware has many layers. People often forget how many layers security researchers have to grind through, so today we shine a light on each of them:

Samples: 1st Layer, Static Information:

Looking at the first layer in CFF Explorer and checking the PE headers for corruption; the first layer is a native Win32 binary.
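The header checks that each "checking for corruption" step on this page performs visually in CFF Explorer, together with the DynamicBase ('DLL can move') toggle described at the top of the page, as an added Python example (it is not code from SonicWall, from the malware, or from CFF Explorer). The PE32 image it parses is constructed inline so the script runs offline; the flag bits, field offsets and machine codes are the documented winnt.h values, while the function names and the shape of the result dictionary are this example's own.

```python
"""PE header triage in Python: the sanity checks CFF Explorer lets you eyeball,
plus clearing the DynamicBase ('DLL can move') bit.  Added example; the sample
image below is constructed, not a real binary."""
import struct

PE32, PE32PLUS = 0x10B, 0x20B
DYNAMIC_BASE = 0x0040                      # IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
DLL_CHARACTERISTICS = {                    # winnt.h IMAGE_DLLCHARACTERISTICS_* bits
    0x0020: "HIGH_ENTROPY_VA", 0x0040: "DYNAMIC_BASE", 0x0080: "FORCE_INTEGRITY",
    0x0100: "NX_COMPAT", 0x0200: "NO_ISOLATION", 0x0400: "NO_SEH", 0x0800: "NO_BIND",
    0x1000: "APPCONTAINER", 0x2000: "WDM_DRIVER", 0x4000: "GUARD_CF",
    0x8000: "TERMINAL_SERVER_AWARE",
}
MACHINES = {0x014C: "i386", 0x8664: "AMD64", 0x01C4: "ARMNT", 0xAA64: "ARM64"}


def parse_pe(data):
    """Describe the DOS/COFF/optional/section headers of a PE image.
    Fatal structural damage raises ValueError; softer inconsistencies that a
    loader might still tolerate are collected in result["problems"]."""
    problems = []
    if len(data) < 0x40 or data[:2] != b"MZ":
        raise ValueError("missing MZ signature")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if e_lfanew + 24 > len(data):
        raise ValueError("e_lfanew points outside the file")
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE\\0\\0 signature")
    coff = e_lfanew + 4
    machine, nsections, _, _, _, opt_size, chars = struct.unpack_from("<HHIIIHH", data, coff)
    opt = coff + 20
    if opt_size < 72 or opt + opt_size > len(data):
        raise ValueError("optional header truncated or outside the file")
    magic = struct.unpack_from("<H", data, opt)[0]
    if magic not in (PE32, PE32PLUS):
        raise ValueError("unknown optional header magic 0x%x" % magic)
    if machine not in MACHINES:
        problems.append("unknown Machine 0x%04x" % machine)
    if not chars & 0x0002:                 # IMAGE_FILE_EXECUTABLE_IMAGE
        problems.append("IMAGE_FILE_EXECUTABLE_IMAGE not set")
    # DllCharacteristics is at +70 in both the PE32 and the PE32+ optional header
    dllchars = struct.unpack_from("<H", data, opt + 70)[0]
    sections = []
    for i in range(nsections):
        off = opt + opt_size + 40 * i
        if off + 40 > len(data):
            problems.append("section header %d lies outside the file" % i)
            break
        name, vsize, va, rawsize, rawptr = struct.unpack_from("<8sIIII", data, off)
        name = name.rstrip(b"\0").decode("ascii", "replace")
        if rawptr + rawsize > len(data):
            problems.append("section %s raw data exceeds file size" % name)
        sections.append({"name": name, "va": va, "vsize": vsize,
                         "raw_ptr": rawptr, "raw_size": rawsize})
    return {"magic": "PE32+" if magic == PE32PLUS else "PE32",
            "machine": MACHINES.get(machine, hex(machine)),
            "dll_characteristics": dllchars,
            "flags": [n for bit, n in DLL_CHARACTERISTICS.items() if dllchars & bit],
            "can_move": bool(dllchars & DYNAMIC_BASE),   # CFF Explorer: 'DLL can move'
            "dllchars_offset": opt + 70,
            "sections": sections, "problems": problems}


def clear_dynamic_base(data):
    """Return a copy with DynamicBase cleared so the loader maps the image at its
    preferred ImageBase.  The optional-header CheckSum is left untouched: Windows
    enforces it only for drivers and a few system DLLs, not for user-mode EXEs."""
    info = parse_pe(data)
    buf = bytearray(data)
    struct.pack_into("<H", buf, info["dllchars_offset"],
                     info["dll_characteristics"] & ~DYNAMIC_BASE)
    return bytes(buf)


def build_sample_pe(dll_characteristics=0x8140):
    """Constructed PE32 test image (not runnable): DOS header, COFF header, PE32
    optional header and one RET-filled .text section at file offset 0x200."""
    dos = bytearray(64)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 64)                   # e_lfanew
    coff = struct.pack("<HHIIIHH", 0x014C, 1, 0, 0, 0, 0xE0, 0x0102)
    opt = bytearray(0xE0)
    struct.pack_into("<H", opt, 0, PE32)
    struct.pack_into("<I", opt, 16, 0x1000)                 # AddressOfEntryPoint
    struct.pack_into("<I", opt, 28, 0x00400000)             # ImageBase
    struct.pack_into("<II", opt, 32, 0x1000, 0x200)         # Section/FileAlignment
    struct.pack_into("<HH", opt, 68, 2, dll_characteristics)  # Subsystem GUI, DllCharacteristics
    text = struct.pack("<8sIIIIIIHHI", b".text", 0x10, 0x1000, 0x200, 0x200, 0, 0, 0, 0, 0x60000020)
    headers = dos + b"PE\0\0" + coff + opt + text
    return bytes(headers + b"\0" * (0x200 - len(headers)) + b"\xC3" * 0x200)


if __name__ == "__main__":
    sample = build_sample_pe()
    before, after = parse_pe(sample), parse_pe(clear_dynamic_base(sample))
    print(before["magic"], before["machine"], before["flags"], before["problems"])
    print("DLL can move:", before["can_move"], "->", after["can_move"])
```

To triage a real layer, read the dropped file with open(path, "rb").read() and inspect result["problems"]; a section whose raw data runs past the end of the file, or an e_lfanew pointing outside the image, is what CFF Explorer surfaces as a corrupt or truncated header, and is also a cheap way to spot a stub whose payload was cut off during extraction.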

Command-line static information:

Main starting routine and flowchart:

Static Resources:


Static Strings:

Compiler Information: Embarcadero Delphi for Win32 compiler version 33.0 (26.0.32429.4364)


Samples: 1st layer, Dynamic Information:

Samples: 2nd Layer, Static Information:

Looking at the second layer in CFF Explorer and checking the PE headers for corruption; the second layer is a native Win32 binary.

Second layer, Command-line static information:

Second layer, Main starting routine and flowchart:

Static Resources, Binary 1 Found:

Static Resources, Binary 2 Found:

Samples: 3rd Layer, Static Information:

Looking at the third layer in CFF Explorer and checking the PE headers for corruption; the third layer is a native Win32 binary.

Third layer, Command-line static information:

Third layer, Main starting routine and flowchart:

Third layer, Static Resources:

Samples: 4th Layer, Static Information:

Looking at the fourth layer in CFF Explorer and checking the PE headers for corruption; the fourth layer is a native Win32 binary.

Fourth layer, Command-line static information:

Fourth layer, Main starting routine and flowchart:

Fourth layer, Static Resources:

Samples: 5th Layer, Static Information:

Extracting the WinRAR SFX:

Batch File:

In the WinRAR SFX command line, the -p switch supplies the archive password and the -d switch sets the destination (extraction) directory.
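As an added example (not the malware's batch file and not SonicWall tooling), the Python below parses those SFX switches out of a command line and carves the RAR archive out of a self-extracting stub by its marker block, so the archive can be opened with a stock unrar on an analysis box without running the stub. The command line and the stub bytes are constructed stand-ins, not the sample's; the RAR4/RAR5 marker signatures are the documented ones, and the switch semantics (-p password, -d destination, -s silent) are those of WinRAR's SFX modules.

```python
"""Carve the RAR archive out of a WinRAR self-extracting stub and parse the
SFX command-line switches the dropper's batch file passes to it.  Added
example; the stub bytes and command line below are constructed stand-ins."""
import re

# Marker blocks from the RAR format documentation
RAR4_MAGIC = b"Rar!\x1a\x07\x00"        # RAR 1.5 - 4.x
RAR5_MAGIC = b"Rar!\x1a\x07\x01\x00"    # RAR 5.0


def find_rar_archive(blob):
    """Return (offset, version) of the first RAR marker block, or None.
    An SFX is an ordinary PE stub with the archive appended, so the marker
    is the first byte of the archive proper."""
    hits = [(blob.find(m), v) for m, v in ((RAR4_MAGIC, 4), (RAR5_MAGIC, 5))]
    hits = [h for h in hits if h[0] != -1]
    return min(hits) if hits else None


def carve_rar(sfx_bytes):
    """Slice the embedded archive (marker block to end of file) out of the stub."""
    hit = find_rar_archive(sfx_bytes)
    if hit is None:
        raise ValueError("no RAR marker block found; not a WinRAR SFX?")
    return sfx_bytes[hit[0]:]


# one token per run of non-space characters, with double-quoted spans kept
# intact, so -d"C:\Program Files\x" survives as a single switch
_TOKEN = re.compile(r'(?:[^\s"]|"[^"]*")+')


def parse_sfx_switches(cmdline):
    """Parse the WinRAR SFX switches seen in the batch file: -p<password>,
    -d<destination directory>, -s / -s1 / -s2 (silent).  Anything else is
    kept verbatim in 'other' for manual review."""
    tokens = _TOKEN.findall(cmdline)
    result = {"program": tokens[0].strip('"') if tokens else None,
              "password": None, "destination": None, "silent": False, "other": []}
    for tok in tokens[1:]:
        if tok.startswith("-p"):
            result["password"] = tok[2:].strip('"')
        elif tok.startswith("-d"):
            result["destination"] = tok[2:].strip('"')
        elif tok in ("-s", "-s1", "-s2"):
            result["silent"] = True
        else:
            result["other"].append(tok)
    return result


def unrar_argv(archive_path, switches, dest_dir):
    """Build the equivalent unrar command (-o+ overwrites, -p passes the
    recovered password) for extracting the carved archive offline."""
    argv = ["unrar", "x", "-o+"]
    if switches["password"]:
        argv.append("-p" + switches["password"])
    return argv + [archive_path, dest_dir.rstrip("/") + "/"]


# Constructed inputs (not the real sample): a fake stub followed by a RAR5 marker
SAMPLE_SFX = b"MZ" + b"\x90" * 30 + b"PE\0\0" + b"\0" * 200 + RAR5_MAGIC + b"\x11" * 16
SAMPLE_CMDLINE = r'"Corona Virus.exe" -pCovid!2020 -d"C:\Program Files\lib" -s'

if __name__ == "__main__":
    off, ver = find_rar_archive(SAMPLE_SFX)
    print("RAR%d archive at offset 0x%x, %d bytes" % (ver, off, len(carve_rar(SAMPLE_SFX))))
    sw = parse_sfx_switches(SAMPLE_CMDLINE)
    print(sw)
    print(" ".join(unrar_argv("carved.rar", sw, "./layer6")))
```

unrar will also open the SFX executable directly, so carving is mainly useful when you want the bare archive for hashing, for submission to a sandbox, or for a tool that rejects PE input. Write the carved bytes to a file and hand unrar_argv() to subprocess.run(); a wrong password shows up as a CRC or "corrupt file" error rather than garbage output, because RAR encrypts the headers as well as the data when the -hp variant is used.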

Looking at the fifth layer in CFF Explorer and checking the PE headers for corruption; the fifth layer is a native Win32 binary.

Fifth layer, Command-line static information:

Extracting:

Using the password above, we extract a new layer, layer 6:

Samples: 6th Layer, Static Information:

Looking at the sixth layer in CFF Explorer and checking the PE headers for corruption; the sixth layer is a native Win32 binary.

Sixth layer, Command-line static information:

Sixth layer, Main starting routine and flowchart:

Sixth layer, Static Resources:

Samples: 7th Layer, Static Information:


Looking at the seventh layer in CFF Explorer and checking the PE headers for corruption; the seventh layer is a native Win32 binary.

Seventh layer, Command-line static information:


Seventh layer, Main starting routine:

Seventh layer, Static Resources:

Samples: 7th Layer, Dynamic Malware Analysis:

We start to see the light emerge from the darkness in the seventh layer, where a request is being crafted:

Let's trap the request (POST request):

(POST response):

We can see the same requests in Procmon:

What is sent is overall statistics and metrics covering every piece of hardware physically installed in the machine, along with usernames, hostnames and much more. All of it is carried in the cookie below, which is encrypted and compressed:

Samples: 8th Layer, Static Information:

Looking at the eighth layer in CFF Explorer and checking the PE headers for corruption; the eighth layer is a native Win32 binary.

Eighth layer, Command-line static information:

Eighth layer, Main starting routine:

Eighth layer, Static Resources:

Samples: 8th Layer, Dynamic Information:

Network Connections:

Click the picture below to see the remote addresses:

Supported Systems:

  • Windows 10
  • Windows 8.1
  • Windows 8.0
  • Windows 7
  • Windows Vista

Summary:

As you can see above, malware today uses many layers. I could have added even more: in total there are close to 12 layers in this piece of malware. Unfortunately, for the standard user there is no way to tell how many layers are involved when you click Install on your favorite application. You have to trust the designer of the installer, and malware authors abuse that trust, as shown above.

SonicWall Gateway Anti-Virus (GAV) provides protection against this threat:

Appendix

Sample Hash: f850f746f1a5f52d3de1cbbc510b578899fc8f9db17df7b30e1f9967beb0cf71

Enjoy the comfort of being able to have all the necessary tools in one simple, clean interface.

PE Explorer is the most feature-packed program for inspecting the inner workings of your own software, and more importantly, third party Windows applications and libraries for which you do not have source code. Once you have selected the file you wish to examine, PE Explorer will analyze the file and display a summary of the PE header information, and all of the resources contained in the PE file. From here, the tool allows you to explore the specific elements within an executable file.

Besides being an effective Resource Editor, PE Explorer also provides several tools that elevate it to Power Coder status: an API Function Syntax Lookup, Dependency Scanner, Section Editor, and a powerful yet easy-to-use Disassembler for generating annotated code dumps. With PE Explorer you can view, examine and edit EXE and DLL files, or correct and repair the internal structures of any PE (portable executable) files with the click of a button.

  • See what's inside an executable
  • Customize the GUI elements of your favorite Windows programs
  • Track down what a program accesses and which DLLs are called
  • Understand the way a program works, behaves, and interacts with others
  • Say goodbye to digging through bloated help files just to hash out an API reference
  • Open UPX-, Upack- and NsPack-compressed files seamlessly in PE Explorer, without long workarounds
  • Special support for Delphi applications


PE Explorer runs on all versions of Windows from 95 through XP, Vista, 7, 8 and 10.

Minimum hardware requirements:
Intel Pentium® or AMD K5 processor with 166 MHz
16 MB RAM

For maximum editing and inspecting power, purchase a PE Explorer Personal license now for $129. A Business license is available for $229.95. When you utilize all the different tools PE Explorer integrates, you will agree that this is definitely an awesome price. PE Explorer is a bargain with its many features! It will save you hours of time and it’s easy to use!