Maldun Security Analysis Report

Analysis summary
  Analysis type: FILE
  Start time: 2016-09-10 18:15:17
  End time: 2016-09-10 18:17:44
  Duration: 147 seconds
  Analysis engine version: 1.4-Maldun

Virtual machine
  VM name: win7-sp1-x64
  Label: win7-sp1-x64
  Hypervisor: KVM
  Boot time: 2016-09-10 18:15:17
  Shutdown time: 2016-09-10 18:17:42

Maldun score: 10.0 (Malicious)

File details
  File name: 百度云搜索器.exe
  File size: 1530880 bytes
  File type: PE32 executable (GUI) Intel 80386, for MS Windows
  CRC32: 4AA17CAB
  MD5: f632b2730a34f51daa8c4dcc76cd2278
  SHA1: d35ecb1f1e3e3fa0e9b4f456e5471677c97205bb
  SHA256: 3b4fb90ade22126ae63440837ebf6a7c8a19708c4179a9d593e2fa8105f6f923
  SHA512: e51f5dfb4857bc7df2441c8e8982d903e06d45836ab17d82d7271283102d4e42e8082884207b1c512c35fcb9a0ded5078d540e461b4ca92c858fbce0c225f 298
  Ssdeep: 24576:5PGOVZyfDCwYrI6oYpMAU3kNttVvZBj7+/aPv+7KUL5TP1aEaDat7lb5IrcmCJXo:AOVZDwsGYup3kNttjBjKCn+tNTQEMatU
  PEiD: No match
  Yara: No Yara rule matched
  VirusTotal: VirusTotal link
    Scan time: 2016-09-10 05:20:19
    Scan result: 4/56

Signatures
  - Creates RWX memory
  - Shows interest in specific running processes
      process: System
  - File has been detected as malicious by at least one antivirus engine on VirusTotal
      Symantec: Heur.AdvML.B
      ESET-NOD32: a variant of Win32/Packed.Themida suspicious
      Invincea: trojandownloader.msil.ranos.a
      CrowdStrike: malicious_confidence_100% (W)
  - Binary may contain encrypted or compressed data
      section: name: \x00, entropy: 7.97, characteristics: IMAGE_SCN_CNT_INITIALIZED_DATA IMAGE_SCN_MEM_EXECUTE IMAGE_SCN_MEM_READ IMAGE_SCN_MEM_WRITE, raw_size: 0x00019400, virtual_size: 0x00030000
      section: name: .rsrc, entropy: 7.97, characteristics: IMAGE_SCN_CNT_INITIALIZED_DATA IMAGE_SCN_MEM_READ IMAGE_SCN_MEM_WRITE, raw_size: 0x00005800, virtual_size: 0x00011000
      section: name: iolkafel, entropy: 7.92, characteristics: IMAGE_SCN_CNT_INITIALIZED_DATA IMAGE_SCN_MEM_EXECUTE IMAGE_SCN_MEM_READ IMAGE_SCN_MEM_WRITE, raw_size: 0x00154a00, virtual_size: 0x00156000
  - Checks for windows of common debuggers or monitoring tools
      Window: OLLYDBG
      Window: GBDYLLO
      Window: pediy06
      Window: FilemonClass
      Window: File Monitor - Sysinternals: www.sysinternals.com
      Window: PROCMON_WINDOW_CLASS
      Window: Process Monitor - Sysinternals: www.sysinternals.com
      Window: RegmonClass
      Window: Registry Monitor - Sysinternals: www.sysinternals.com
      Window: 18467-41
  - The following processes may be packed with Themida
      process: .exe
  - Checks for drivers of common debuggers or monitoring tools
  - Detects the Wine emulator through a registry key
  - Checks the BIOS version, possibly to implement anti-VM checks
  - Detects a VirtualBox system through ACPI
  - Anomalous binary characteristics
      anomaly: Unprintable characters found in section name

Screenshots
  (none)

Network analysis
  UDP connections (IP address / Port):
    192.168.122.255  138
    224.0.0.252      5355
    239.255.255.250  1900
    40.118.103.7     123
  Other: No information

Static analysis

PE information
  Image base: 0x00400000
  Entry point: 0x007c2000
  Declared checksum: 0x00183a87
  Actual checksum: 0x00183a87
  Minimum OS version required: 4.0
  Compile time: 2016-09-08 17:38:27
  Icon exact hash: ab860ed8cda3fe40e9f13279b1f89ed6
  Icon similarity hash: eea5d5c4637223da43613588b5f102df

Version information
  Translation: 0x0000 0x04b0
  LegalCopyright: Copyright \xa9 MS 2016
  Assembly Version: 1.1.2.7
  InternalName: \x767e\x5ea6\x4e91\x641c\x7d22\x5668.exe
  FileVersion: 1.1.2.7
  CompanyName: MS
  ProductName: \x767e\x5ea6\x4e91\x641c\x7d22\x5668
  ProductVersion: 1.1.2.7
  FileDescription: \x767e\x5ea6\x4e91\x641c\x7d22\x5668
  OriginalFilename: \x767e\x5ea6\x4e91\x641c\x7d22\x5668.exe

PE sections (Name / Virtual address / Virtual size / Raw data size / Characteristics / Entropy)
  \x00       0x00002000  0x00030000  0x00019400  IMAGE_SCN_CNT_INITIALIZED_DATA IMAGE_SCN_MEM_EXECUTE IMAGE_SCN_MEM_READ IMAGE_SCN_MEM_WRITE  7.97
  .rsrc      0x00032000  0x00011000  0x00005800  IMAGE_SCN_CNT_INITIALIZED_DATA IMAGE_SCN_MEM_READ IMAGE_SCN_MEM_WRITE  7.97
  .idata     0x00044000  0x00002000  0x00000200  IMAGE_SCN_CNT_INITIALIZED_DATA IMAGE_SCN_MEM_READ IMAGE_SCN_MEM_WRITE  1.31
  (no name)  0x00046000  0x00226000  0x00000200  IMAGE_SCN_CNT_INITIALIZED_DATA IMAGE_SCN_MEM_EXECUTE IMAGE_SCN_MEM_READ IMAGE_SCN_MEM_WRITE  0.26
  iolkafel   0x0026c000  0x00156000  0x00154a00  IMAGE_SCN_CNT_INITIALIZED_DATA IMAGE_SCN_MEM_EXECUTE IMAGE_SCN_MEM_READ IMAGE_SCN_MEM_WRITE  7.92
  qmpqagbb   0x003c2000  0x00002000  0x00000200  IMAGE_SCN_CNT_INITIALIZED_DATA IMAGE_SCN_MEM_EXECUTE IMAGE_SCN_MEM_READ IMAGE_SCN_MEM_WRITE  4.02

Resources (Name / Offset / Size / Language / Sublanguage / Entropy / File type)
  RT_ICON        0x003afb64  0x00010828  LANG_NEUTRAL  SUBLANG_NEUTRAL  5.65  data
  RT_GROUP_ICON  0x003c038c  0x00000014  LANG_NEUTRAL  SUBLANG_NEUTRAL  2.16  MS Windows icon resource - 1 icon
  RT_VERSION     0x003c03a0  0x000002cc  LANG_NEUTRAL  SUBLANG_NEUTRAL  3.65  data
  RT_MANIFEST    0x003c066c  0x000001ea  LANG_NEUTRAL  SUBLANG_NEUTRAL  5.00  XML 1.0 document, UTF-8 Unicode (with BOM) text, with CRLF line terminators

Imports
  Library kernel32.dll:
    0x444033 - lstrcpy
  Library comctl32.dll:
    0x44403b - InitCommonControls

Dropped files
  No information

Behavior analysis

Mutexes
  DBWinMutex

Commands executed
  No information

Services created
  No information

Services started
  No information

Processes
  .exe  PID: 2912, parent PID: 2080

Files accessed
  C:\Users\test\AppData\Local\Temp\.exe
  C:\Windows\System32\ntdll.dll
  C:\Windows\System32\mscoree.dll.local
  C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscoreei.dll
  C:\Windows\Microsoft.NET\Framework\Upgrades.2.0.50727\mscoreei.dll
  C:\Users\test\AppData\Local\Temp\.exe.config
  \??\NUL
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorwks.dll

Files read
  C:\Windows\System32\ntdll.dll
  C:\Users\test\AppData\Local\Temp\.exe.config
  \??\NUL

Files modified
  (none listed)

Files deleted
  No information

Registry keys accessed
  HKEY_CURRENT_USER
  HKEY_CURRENT_USER\Software\Wine
  HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX
  HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000
  HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\CLASS\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000\DriverDesc
  HKEY_LOCAL_MACHINE\Hardware\description\System
  HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion
  HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion
  HKEY_LOCAL_MACHINE\Software\Microsoft\.NETFramework\Policy\
  HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\.NETFramework\Policy\v2.0
  HKEY_LOCAL_MACHINE\Software\Microsoft\.NETFramework
  HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\.NETFramework\InstallRoot
  HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\.NETFramework\Policy\Upgrades
  HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\.NETFramework\Policy\Standards
  HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\.NETFramework\Policy\AppPatch
  HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\.NETFramework\CLRLoadLogDir
  HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\.NETFramework\OnlyUseLatestCLR
  HKEY_CURRENT_USER\Software\Microsoft\.NETFramework\Policy\Standards
  HKEY_LOCAL_MACHINE\Software\Microsoft\.NETFramework\Policy\Standards
  HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\.NETFramework\Policy\Standards\v4.0.30319
  HKEY_CURRENT_USER\Software\Microsoft\.NETFramework\Policy\Upgrades
  HKEY_LOCAL_MACHINE\Software\Microsoft\.NETFramework\Policy\Upgrades
  HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\GRE_Initialize
  HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\GRE_Initialize\DisableMetaFiles

Registry keys read
  HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\CLASS\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000\DriverDesc
  HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion
  HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion
  HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\.NETFramework\InstallRoot
  HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\.NETFramework\CLRLoadLogDir
  HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\.NETFramework\OnlyUseLatestCLR
  HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\GRE_Initialize\DisableMetaFiles

Registry keys modified
  No information

Registry keys deleted
  No information

API resolution
  kernel32.dll.getnativesysteminfo
  winmm.dll.timegettime
  ntdll.dll.ntopenthread
  shell32.dll.shgetspecialfolderpatha
  shlwapi.dll.pathaddextensiona
  shlwapi.dll.pathremovefilespeca
  shlwapi.dll.pathcombinea
  shlwapi.dll.strchra
  shlwapi.dll.strtointa
  ntdll.dll.rtlallocateheap
  ntdll.dll.rtlfreeheap
  kernel32.dll.loadlibrarya
  kernel32.dll.loadlibraryw
  kernelbase.dll.loadlibraryexa
  kernel32.dll.loadlibraryexa
  kernelbase.dll.loadlibraryexw
  kernel32.dll.loadlibraryexw
  kernelbase.dll.getprocaddress
  kernel32.dll.getprocaddress
  kernelbase.dll.freelibrary
  kernel32.dll.freelibrary
  kernelbase.dll.getmodulefilenamea
  kernel32.dll.getmodulefilenamea
  kernelbase.dll.getmodulefilenamew
  kernel32.dll.getmodulefilenamew
  kernelbase.dll.getmodulehandlea
  kernel32.dll.getmodulehandlea
  kernelbase.dll.getmodulehandlew
  kernel32.dll.getmodulehandlew
  kernelbase.dll.getmodulehandleexa
  kernel32.dll.getmodulehandleexa
  kernelbase.dll.getmodulehandleexw
  kernel32.dll.getmodulehandleexw
  kernelbase.dll.closehandle
  kernel32.dll.closehandle
  kernelbase.dll.readfile
  kernel32.dll.readfile
  kernelbase.dll.getfilesize
  kernel32.dll.getfilesize
  kernelbase.dll.lockfile
  kernel32.dll.lockfile
  kernelbase.dll.lockfileex
  kernel32.dll.lockfileex
  kernelbase.dll.duplicatehandle
  kernel32.dll.duplicatehandle
  kernelbase.dll.getfilesizeex
  kernel32.dll.getfilesizeex
  kernelbase.dll.createfilea
  kernel32.dll.createfilea
  kernelbase.dll.createfilew
  kernel32.dll.createfilew
  kernelbase.dll.setfilepointer
  kernel32.dll.setfilepointer
  kernel32.dll.copyfilea
  kernelbase.dll.getfiletype
  kernel32.dll.getfiletype
  kernelbase.dll.getfileattributesa
  kernel32.dll.getfileattributesa
  kernelbase.dll.getfiletime
  kernel32.dll.getfiletime
  kernelbase.dll.getfileinformationbyhandle
  kernel32.dll.getfileinformationbyhandle
  kernelbase.dll.setfilepointerex
  kernel32.dll.setfilepointerex
  kernel32.dll.copyfileexa
  kernelbase.dll.getfileattributesexa
  kernel32.dll.getfileattributesexa
  kernel32.dll.copyfilew
  kernel32.dll.copyfileexw
  kernelbase.dll.getfileattributesw
  kernel32.dll.getfileattributesw
  kernelbase.dll.getfileattributesexw
  kernel32.dll.getfileattributesexw
  kernel32.dll.createfilemappinga
  kernelbase.dll.createfilemappingw
  kernel32.dll.createfilemappingw
  kernel32.dll.openfilemappinga
  kernelbase.dll.openfilemappingw
  kernel32.dll.openfilemappingw
  kernelbase.dll.mapviewoffileex
  kernel32.dll.mapviewoffileex
  kernelbase.dll.mapviewoffile
  kernel32.dll.mapviewoffile
  kernelbase.dll.unmapviewoffile
  kernel32.dll.unmapviewoffile
  advapi32.dll.cryptverifysignaturea
  kernelbase.dll.exitprocess
  kernel32.dll.exitprocess
  ntdll.dll.ntquerysysteminformation
  advapi32.dll.regopenkeyexw
  advapi32.dll.regqueryinfokeyw
  advapi32.dll.regenumkeyexw
  advapi32.dll.regenumvaluew
  advapi32.dll.regclosekey
  advapi32.dll.regqueryvalueexw
  kernel32.dll.queryactctxw
  shlwapi.dll.urlisw

2016 上海魔盾信息科技有限公司 (Shanghai Maldun Information Technology Co., Ltd.)