魔盾安全分析报告 分析类型 开始时间 结束时间 持续时间 分析引擎版本 FILE 2016-08-08 10:38:11 2016-08-08 10:40:38 147 秒 1.4-Maldun 虚拟机机器名 标签 虚拟机管理 开机时间 关机时间 win7-sp1-x64 win7-sp1-x64 KVM 2016-08-08 10:38:12 2016-08-08 10:40:38 魔盾分数 10.0 Madangel 文件详细信息 文件名 文件大小 文件类型 CRC32 MD5 SHA1 SHA256 SHA512 Ssdeep PEiD PUF.Hijacker-B5T!1.exe_ 501350 字节 PE32 executable (console) Intel 80386, for MS Windows DAC2DF44 0107d210231ce8d4dc1cffe4c00c0f65 9b39019a1ecbaf89527b98d6ce1509a5abc4f4 9069c8b20f4bd238dedcbce3ce548efdc59a18c18afcd44f34fa54ea9e4528aa e4f22e1b088a6e6aed6a6f6a394039952d101f24cb3089ffe5f602f7fea07c2e5ae4b671e66def2882d3fb12741ff3a5dafe1992003be63432d22cd422583ede 12288:1xfA6BmseAN9AzBo2SzqEQQnsLjWR8VGXoHm5LJN5Tlyo+JBm:1C6Bl23jA2qGqX5T0TJBm 无匹配 Yara DebuggerCheck API () Check_OutputDebugStringA_iat () MD5_Constants (Look for MD5 constants) NET () VirusTotal VirusTotal 链接 VirusTotal 扫描时间 : 2015-11-05 06:26:10 扫描结果 : 46/ 特征 文件已被至少十个 VirusTotal 上的反病毒引擎检测为病毒 TotalDefense: Win32/Madangel MicroWorld-eScan: Win32.Madangel.DIA nprotect: Win32.Madangel.DIA CMC: Virus.Win32.AngryAngel.1!O CAT-QuickHeal: W32.Madang.A McAfee: W32/Madangel.a VIPRE: Virus.Win32.Madang.a (v) TheHacker: W32/Small.L BitDefender: Win32.Madangel.DIA K7GW: Virus ( 00001b721 ) K7AntiVirus: Virus ( 00001b721 ) Agnitum: Win32.Madang.A F-Prot: New Symantec: W32.Madangel ESET-NOD32: Win32/Madang.A TrendMicro-HouseCall: PE_MADANGEL.A Avast: Win32:Madangel ClamAV: Trojan.Downloader.Small-1607 Kaspersky: Virus.Win32.Small.l NANO-Antivirus: Trojan.Win32.Small.csvzuq ViRobot: Win32.Small.B[h] Ad-Aware: Win32.Madangel.DIA Emsisoft: Win32.Madangel.DIA (B) Comodo: Virus.Win32.MadAngel.n F-Secure: Win32.Madangel.DIA DrWeb: Win32.Angel Zillya: Virus.Small.Win32.52 TrendMicro: PE_MADANGEL.A McAfee-GW-Edition: BehavesLike.Win32.Autorun.gh Sophos: W32/Madang-A Cyren: Small Jiangmin: Win32/Angryel.b Avira: W32/Small.L Antiy-AVL: Virus/Win32.Small.l Microsoft: Virus:Win32/Madang.A Arcabit: Win32.Madangel.DIA AhnLab-V3: Win32/MaDang GData: Win32.Madangel.DIA VBA32: Virus.Win32.Small.L AVware: Virus.Win32.Madang.a (v) Panda: W32/Guarder.A Zoner: I-Worm.Agent.NJC Rising: PE:PUF.Hijacker-B5T!1.A1C0 [F] Ikarus: Virus.Win32.Small Fortinet: W32/Madang.C AVG: Win32/Madang.C 异常的二进制特征 anomaly: Actual checksum does not match that reported in PE header
运行截图 网络分析 UDP连接 IP地址 端口 192.168.122.255 138 224.0.0.252 55 224.0.0.252 55 239.255.255.250 1900 40.69.40.157 123 无信息 静态分析 PE 信息 初始地址 0x00400000 入口地址 0x0047f6d7 声明校验值 0x0007bcf3 实际校验值 0x0007ff80 最低操作系统版本要求 5.1 PDB路径 E:\code\5.2.2\B5TClient\bin\Release\B5TNaMsgHost.pdb 编译时间 2014-08-21 11:26:25 PE数据组成 名称 虚拟地址 虚拟大小 原始数据大小 特征 熵 (Entropy).text 0x00001000 0x000576cc 0x00057800 IMAGE_SCN_CNT_CODE IMAGE_SCN_MEM_EXECUTE IMAGE_SCN_MEM_READ 6.61.rdata 0x00059000 0x00010dde 0x00010e00 IMAGE_SCN_CNT_INITIALIZED_DATA IMAGE_SCN_MEM_READ 4.59.data 0x0006a000 0x0000514c 0x00002200 IMAGE_SCN_CNT_INITIALIZED_DATA IMAGE_SCN_MEM_READ IMAGE_SCN_MEM_WRITE 4.33.rsrc 0x00070000 0x000001b4 0x00000200 IMAGE_SCN_CNT_INITIALIZED_DATA IMAGE_SCN_MEM_READ 5.10.reloc 0x00071000 0x0000f866 0x0000f866 IMAGE_SCN_CNT_INITIALIZED_DATA IMAGE_SCN_MEM_DISCARDABLE IMAGE_SCN_MEM_EXECUTE IMAGE_SCN_MEM_READ IMAGE_SCN_MEM_WRITE 4.63 资源 名称 偏移量 大小 语言 子语言 熵(Entropy) 文件类型 RT_MANIFEST 0x00070058 0x0000015a LANG_ENGLISH SUBLANG_ENGLISH_US 4.80 ASCII text, with CRLF line terminators 导入 库 KERNEL32.dll: 0x459024 - WideCharToMultiByte 0x459028 - DeleteFileA 0x45902c - GetCurrentProcess 0x459030 - OutputDebugStringA 0x459034 - GetModuleFileNameA 0x459038 - GetModuleHandleExW 0x45903c - GetModuleHandleA 0x459040 - GetVersionExW 0x459044 - GetSystemTime 0x459048 - InitializeCriticalSection 0x45904c - EnterCriticalSection 0x459050 - LeaveCriticalSection 0x459054 - GetCurrentProcessId 0x459058 - Process32NextW 0x45905c - Process32FirstW 0x459060 - CreateToolhelp32Snapshot 0x459064 - GetTempPathW 0x459068 - CreateFileW 0x45906c - GetCurrentThreadId 0x459070 - lstrlena 0x459074 - MultiByteToWideChar 0x459078 - GetEnvironmentVariableW
0x45907c - InterlockedDecrement 0x459080 - DeviceIoControl 0x459084 - SetPriorityClass 0x459088 - FindClose 0x45908c - GetTickCount 0x459090 - TerminateProcess 0x459094 - GetStdHandle 0x459098 - FindFirstFileExW 0x45909c - FindFirstFileExA 0x4590a0 - FileTimeToLocalFileTime 0x4590a4 - FileTimeToSystemTime 0x4590a8 - HeapSetInformation 0x4590ac - GetCommandLineW 0x4590b0 - GetSystemTimeAsFileTime 0x4590b4 - GetLocalTime 0x4590b8 - WTSGetActiveConsoleSessionId 0x4590bc - LocalFree 0x4590c0 - SetEnvironmentVariableA 0x4590c4 - CompareStringW 0x4590c8 - GetProcessHeap 0x4590cc - lstrlenw 0x4590d0 - ReadFile 0x4590d4 - Sleep 0x4590d8 - SetEvent 0x4590dc - CreateEventW 0x4590e0 - ConnectNamedPipe 0x4590e4 - DisconnectNamedPipe 0x4590e8 - GetModuleHandleW 0x4590ec - FlushFileBuffers 0x4590f0 - CreateThread 0x4590f4 - CreateNamedPipeW 0x4590f8 - GetTempPathA 0x4590fc - CreateMutexW 0x459100 - CreateProcessW 0x459104 - WaitForSingleObject 0x459108 - CloseHandle 0x45910c - FreeLibrary 0x459110 - GetProcAddress 0x459114 - OutputDebugStringW 0x459118 - GetLastError 0x45911c - LoadLibraryW 0x459120 - GetModuleFileNameW 0x459124 - HeapFree 0x459128 - DecodePointer 0x45912c - EncodePointer 0x459130 - DeleteCriticalSection 0x459134 - GetStringTypeW 0x459138 - InterlockedExchange 0x45913c - InterlockedCompareExchange 0x459140 - InterlockedIncrement 0x459144 - WriteConsoleW 0x459148 - SetEndOfFile 0x45914c - SetStdHandle 0x459150 - HeapReAlloc 0x459154 - IsValidLocale 0x459158 - EnumSystemLocalesA 0x45915c - GetLocaleInfoA 0x459160 - GetFileType 0x459164 - GetUserDefaultLCID 0x459168 - RtlUnwind 0x45916c - LCMapStringW 0x459170 - GetCPInfo 0x459174 - RaiseException 0x459178 - UnhandledExceptionFilter 0x45917c - SetUnhandledExceptionFilter 0x459180 - IsDebuggerPresent 0x459184 - HeapCreate 0x459188 - IsProcessorFeaturePresent 0x45918c - TlsAlloc 0x459190 - TlsGetValue 0x459194 - TlsSetValue 0x459198 - TlsFree 0x45919c - SetLastError 0x4591a0 - HeapSize 0x4591a4 - GetLocaleInfoW 0x4591a8 - IsValidCodePage 0x4591ac - GetOEMCP 0x4591b0 - GetACP 0x4591b4 - SetFilePointer 0x4591b8 - GetConsoleMode 0x4591bc - GetConsoleCP 0x4591c0 - GetTimeZoneInformation 0x4591c4 - QueryPerformanceCounter 0x4591c8 - GetStartupInfoW 0x4591cc - InitializeCriticalSectionAndSpinCount 0x4591d0 - SetHandleCount 0x4591d4 - GetEnvironmentStringsW 0x4591d8 - WriteFile 0x4591dc - CreateFileA 0x4591e0 - FreeEnvironmentStringsW 0x4591e4 - ExitProcess 0x4591e8 - HeapAlloc 库 USER32.dll: 0x459228 - wsprintfw 0x45922c - MessageBoxA 库 ADVAPI32.dll: 0x459000 - RegQueryValueExW 0x459004 - RegOpenKeyExW 0x459008 - RegCloseKey 0x45900c - GetUserNameW 0x459010 - SetSecurityDescriptorDacl 0x459014 - InitializeSecurityDescriptor
库 SHELL32.dll: 0x459210 - SHGetFolderLocation 0x459214 - None 0x459218 - SHGetPathFromIDListW 库 ole32.dll: 0x45924c - CoCreateInstance 0x459250 - CoInitialize 0x459254 - CoUninitialize 0x459258 - CoSetProxyBlanket 0x45925c - CoInitializeSecurity 0x459260 - CoTaskMemFree 库 OLEAUT32.dll: 0x4591f0 - None 0x4591f4 - None 0x4591f8 - None 0x4591fc - None 库 SHLWAPI.dll: 0x459220 - SHRegGetValueW 库 PSAPI.DLL: 0x459204 - GetModuleBaseNameW 0x459208 - GetModuleBaseNameA 库 WTSAPI32.dll: 0x459234 - WTSFreeMemory 0x459238 - WTSQuerySessionInformationW 0x45923c - WTSQueryUserToken 库 dbghelp.dll: 0x459244 - MiniDumpWriteDump 库 IPHLPAPI.DLL: 0x45901c - GetAdaptersInfo 投放文件 无信息 行为分析 互斥量 (Mutexes) 无信息 执行的命令无信息 创建的服务无信息 启动的服务无信息 进程 PUF.Hijacker-B5T_1.exe_ PID: 1184, 上一级进程 PID: 328 访问的文件无信息 读取的文件无信息 修改的文件无信息 删除的文件无信息 注册表键无信息 读取的注册表键无信息 修改的注册表键无信息 删除的注册表键无信息 API 解析无信息 2016 上海魔盾信息科技有限公司