分析任务
| 分析类型 | 虚拟机标签 | 开始时间 | 结束时间 | 持续时间 |
|---|---|---|---|---|
| 文件 (Windows) | win7-sp1-x64-shaapp01-1 | 2020-04-08 22:21:42 | 2020-04-08 22:22:10 | 28 秒 |
魔盾分数
10.0
Flystudio病毒
文件详细信息
| 文件名 | kgexdll.dll |
|---|---|
| 文件大小 | 306176 字节 |
| 文件类型 | PE32 executable (DLL) (GUI) Intel 80386, for MS Windows |
| MD5 | 2451ac574f07afab5513417d68897604 |
| SHA1 | dcad4ccf83ecd2a86c7d4533f9b840448c97437f |
| SHA256 | 3b7e3a53c30d5b18f01fae2e7b487358f7477ad8d47d1bf7edc1b609c488e1f1 |
| SHA512 | 5828f368e53f2dd28180f401fb3cdd2ace4aacb19dc0f07a5283395abcf563a2c36a0d0e10950cc8ce8a6c3d1d6a4c84b16a7d02129068fbea1e3f24b98a33ab |
| CRC32 | F5AF4CDD |
| Ssdeep | 6144:bs2ESdVB7NRF4kQdm7QmzaqSDIwBmDRgFHRkNBXC2Ipx2ZfP9IQgyZ3nWq:hEAVB7NRF4kQdm7QmzaqSDIwBmD6FHRF |
| Yara | 登录查看Yara规则 |
| 样本下载 提交误报 |
登录查看威胁特征
运行截图
访问主机纪录 (可点击查询WPING实时安全评级)
无主机纪录.
域名解析 (可点击查询WPING实时安全评级)
无域名信息.
摘要
登录查看详细行为信息PE 信息
| 初始地址 | 0x10000000 |
|---|---|
| 入口地址 | 0x10001000 |
| 声明校验值 | 0x00000000 |
| 实际校验值 | 0x00058848 |
| 最低操作系统版本要求 | 4.0 |
| 编译时间 | 1972-12-25 13:33:23 |
| 载入哈希 | ae0a5112fe1176f4e5f6e1bc95e4c209 |
| 导出DLL库名称 | \xc0\xa9\xd5\xb9\xb9\xa6\xc4\xdc\xb2\xe5\xbc\xfe |
PE 数据组成
| 名称 | 虚拟地址 | 虚拟大小 | 原始数据大小 | 特征 | 熵(Entropy) |
|---|---|---|---|---|---|
| .text | 0x00001000 | 0x00000328 | 0x00000400 | IMAGE_SCN_CNT_CODE|IMAGE_SCN_MEM_EXECUTE|IMAGE_SCN_MEM_READ | 4.75 |
| .rdata | 0x00002000 | 0x00000194 | 0x00000200 | IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_READ | 3.64 |
| .data | 0x00003000 | 0x00000014 | 0x00000200 | IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_READ|IMAGE_SCN_MEM_WRITE | 0.07 |
| .reloc | 0x00004000 | 0x0000006c | 0x00000200 | IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_DISCARDABLE|IMAGE_SCN_MEM_READ | 1.32 |
| .data | 0x00005000 | 0x00049c00 | 0x00049c00 | IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_EXECUTE|IMAGE_SCN_MEM_READ|IMAGE_SCN_MEM_WRITE | 5.95 |
| .data | 0x0004f000 | 0x00000058 | 0x00000200 | IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_READ | 1.07 |
导入
库: USER32.dll:
• 0x10002030 MessageBoxA
库: KERNEL32.dll:
• 0x10002010 FreeLibrary
• 0x10002014 lstrcatA
• 0x10002018 GetModuleFileNameA
• 0x1000201c ExitProcess
• 0x10002020 LoadLibraryA
• 0x10002024 GetProcAddress
• 0x10002028 lstrlenA
导出
| 序列 | 地址 | 名称 |
|---|---|---|
| 1 | 0x1004eac0 | Focus |
| 2 | 0x1004eaca |
.text
`.rdata
@.data
.reloc
B.data
.data
krnln.fnr
krnln.fne
GetNewSock
Software\FlySky\E\Install
Not found the kernel library or the kernel library is invalid or the kernel library of this edition does not support DLL!
Error
MessageBoxA
USER32.dll
ExitProcess
FreeLibrary
GetProcAddress
LoadLibraryA
lstrcatA
lstrlenA
KERNEL32.dll
RegCloseKey
RegOpenKeyExA
RegQueryValueExA
ADVAPI32.dll
GetModuleFileNameA
const
WHERE memb___id = '
UPDATE memb_info SET JF = JF +
windir
\EAddress.dll
n.fnr
GetNewSock
ftware\FlySky\E\Install
KERNEL32.DLL
ADVAPI32.dll
USER32.dll
LoadLibraryA
GetProcAddress
RegCloseKey
MessageBoxA
http://42724920.ys168.com
WScript.Shell
@Favorites
Desktop
CreateShortcut
TargetPath
SpecialFolders
krnln.fnr
Software\FlySky\E\Install\Path
krnln.fne
?.url
00400940
Focus
005706D2
0042E4FA
00439602
004D6E92
00509925
00446EAD
00553B9B
0041F6ED
0050F640
005121B4
0041EFF6
004C0FA0
LogAddFunc
004C0EB0
blackLog
005406A0
gObjGetRelationShip
00508CD0
gObjAllDisconnect
004041D3
AllSendServerMsg
00405D8A
SendNoticeToAllUser
004B3370
DataSend
004075EA
GCMoneySend
0053F280
gObjCheckMaxZen
00438540
MsgSendV2
0043C010
CGLevelUpPointAdd
0043C2F0
GCPkLevelSend
0055B200
OpenItemNameScript
004A7170
LogSkillNameList
004BB790
CAcceptIp
0050D130
gObjLevelUp
00455EC0
GCKillPlayerExpSend
00456E30
CGWarehouseUseEnd
0055D9E0
ManagementProc
0043B180
GCCloseMsgSend
004B4030
ResponErrorCloseClient
00509940
gObjGameClose
0050A020
gObjDel
0043B7F0
CGPCharDel
0042E970
00407004
004C0880
00534E60
00405c86
0040367a
0050A650
00420330
xel]F
-[c=~fs
SYSTEM\CurrentControlSet\Control\Terminal Server\Wds\rdpwd\Tds\tcp\PortNumber
.\KGConfig.ini
.\DATA\serverinfo.dat
BTMap
ZGsSetting
TZDrop
NewSetItemMap
NewSetItemRate
BlessRate
SoulRate
jolRate
ChaosRate
LkzYRate
IsAddZYDrop
ZYRate3
ZYRate4
ZYRate5
ZYRate6
MFBOOK0
MFBOOK1
MFBOOK2
MFBOOK3
MFBOOK4
MFBOOK5
MFBOOK6
MFBOOK7
MFBOOK8
MFBOOK9
MFBOOK10
MFBOOK11
MFBOOK12
MFBOOK13
MFBOOK14
MFBOOK15
MFBOOK16
MFBOOK17
MFBOOK18
SoulAddDur
127.0.0.1
DB_Server
DBServerInfo
DB_User
DB_PassWord
DB_Name
DB_EnableTrusted
ServerCode
GameServerInfo
..\DATA\ServerInfo.dat
ServerName
Warrant16
GameServerExt
Warrant12
Warrant8
Warrant4
ZS_Switches
Largest_ZS
Smallest_ZS
Limit_JB
NewRoleToPoint
PKNORED
NODUEL
GameServerLog
SevSockNum
ConnectNotice
JYJGTime
MemberOnly
PKItemDrop
MembItemTrade
MembItemSell
MembItemToPSshop
MembItemLevel
MembItemDur
MembItemExt
TeamPK
MoveCheck
ScrLog
ExlentDrop
MoneyAdd
Tempfix
WareHouseNum
SmeltLimit
AllPopCombo
JJLwitches
JJLmoney
JJLLevel
DROPITEM
ISDROPEXSET
AutoGmGGwitches
AutoGMGGTime
GGSwitches
GGSLevel
GGMoney
GGTime
GGSendToAll
ADLog
ChrGMGG
GMGGLevel
500000
GMGGMoney
AddPointWitches
AddPointMoney
32767
SetChrMaxPoint
ClearHMwitches
100000
ClearHMMoney
OnlineZSWitches
1000000
OnlineZSMoney
OnlineZSLevel
ResetChar_Switch
10000000
ResetChar_Money
ResetChar_Lv
HaveSaveEye
SayTime
IsOpenAE
GameServerNormal
IsOpenJF
AutoJFMaxLv
MyExp
AutoExpMaxLv
AutoExpTime
LXGJWitches
LXGJMaxConnect
LXGJMaxUser
LXGJTimeConnect
JFBetOn
WinPer
AutoQuestion
QUESTION
QuestionDispJG
QuestionHour
QuestionMinu
QuestionTimes
QuestionJGSec
QuestionDisp
QuestionAnswerChrs
QuestionDispDA
QuestionDispDAAnswed
QuestionAnswType
AnswerMoney
AnswerMUB
QuestWitches
PKQuest
QuestLevel
50000
QuestMoney
QuestTime
Questjobsum
QuestPkCount
HaveJH
JHSET
JHMap
JHLEVEL
10000
JHMONEY
JHTIMES
JHFQTXMoney
JHMustYX
DispFQName
HaveBFB
BFBAtackHour
MZSitdownMinu
MZSitdownJG
BFBIncome
004376D4
.\ItemMoney.txt
.\DropItem.txt
./Goodsprice.txt
004416CB
.\MemberShop.txt
SELECT JF FROM memb_info WHERE memb___id = '
') AND (AccountID = '
SELECT JHDX, JHtype FROM [Character] WHERE (Name = '
JHtype
UPDATE memb_info SET JF = JF -
SELECT JF FROM muonline.dbo.memb_info WHERE memb___id = '
UPDATE muonline.dbo.memb_info SET JF =
SELECT * FROM GuildMember WHERE Name = '
G_Level
G_Name
SELECT COUNT(*)'count' FROM Guildmember WHERE G_Name = '
count
SELECT JF FROM Memb_info WHERE memb___id = '
AND Type = 1
DELETE FROM BFB_SBK WHERE ServerID =
INSERT INTO BFB_SBK(ServerID,Type,GuildName,GuildTT,JXJF,GuildIndex) VALUES(
', JHtype = 2 WHERE (Name = '
UPDATE [Character] SET JHDX = '
', JHtype = 1 WHERE (Name = '
$@UPDATE [Character] SET JHDX = '', JHtype = 0 WHERE (Name = '
WHERE GuildTT = '
UPDATE BFB_SBK SET JXJF =
UPDATE memb_info set JF = JF -
= 0]
= 0]
EXEC YY_BFBWIN
order by ID
select top 1 * from QUESTIONS where ID>=
nAnsws
Answer1
Answer2
Answer3
Answer4
Answer5
Answer6
update ZYZZ set ZYWin= 1,ServerID =
update ZYZZ set ZYWin= 2,ServerID =
update ZYZZ set ZYWin=3,ServerID =
EXEC YY_BFBLOSE
select Notice GMGG ,Type from autogmgg where svrID= 1 and valid<>0 and getdate()>=begintm and (DATEDIFF(minute,begintm,getdate()) % LoopMinu) < WorkMinu and ((DATEDIFF(minute,begintm,getdate()) % LoopMinu) % DispJG)=0 order by begintm,id
EXEC YY_BFBINCOME
DRIVER=SQL Server;SERVER=127.0.0.1;APP=Microsoft Open Database Connectivity;DATABASE=%DSN;Trusted_Connection=Yes
DRIVER=SQL Server;SERVER=(local);DATABASE=%DSN;UID=%UID;PWD=%PWD
(local)
update autogmgg set valid=0 where getdate()>=endtm and valid=1
EXEC WHS_GAME_INFO '
SELECT Type ,GuildName, GuildTT ,GuildIndex,JXJF FROM BFB_SBK WHERE ServerID = 1
SELECT ZYWin FROM ZYZZ WHERE ServerID =
ZYWin
GuildName
GuildTT
GuildIndex
select count(*) as count from QUESTIONS
EAddress.dll
kernel32.dll
advapi32.dll
GetCurrentProcessId
OpenProcess
OpenFileMappingA
CreateFileMappingA
MapViewOfFile
WriteProcessMemory
CloseHandle
GetModuleHandleA
GetModuleFileNameA
GetUserNameA
RtlMoveMemory
ReadProcessMemory
VirtualQuery
VirtualQueryEx
VirtualProtectEx
VirtualProtect
GetProcessHeap
HeapAlloc
InitializeCriticalSection
CreateThread
CreateWaitableTimerA
SetWaitableTimer
MsgWaitForMultipleObjects
EnterCriticalSection
LeaveCriticalSection
TryEnterCriticalSection
DeleteCriticalSection
HeapFree
Ph0%S
| 防病毒引擎/厂商 | 病毒名/规则匹配 | 病毒库日期 |
|---|---|---|
| Bkav | 未发现病毒 | 20151012 |
| MicroWorld-eScan | 未发现病毒 | 20151012 |
| nProtect | 未发现病毒 | 20151012 |
| CMC | 未发现病毒 | 20151012 |
| CAT-QuickHeal | Trojan.gen.r6 | 20151012 |
| McAfee | Artemis!2451AC574F07 | 20151012 |
| Malwarebytes | Trojan.FlyStudio | 20151012 |
| Zillya | 未发现病毒 | 20151012 |
| SUPERAntiSpyware | 未发现病毒 | 20151012 |
| K7AntiVirus | 未发现病毒 | 20151012 |
| Alibaba | 未发现病毒 | 20151012 |
| K7GW | 未发现病毒 | 20151010 |
| TheHacker | 未发现病毒 | 20151012 |
| Agnitum | 未发现病毒 | 20151012 |
| Cyren | W32/Trojan.XDLB-6566 | 20151012 |
| Symantec | 未发现病毒 | 20151011 |
| ESET-NOD32 | 未发现病毒 | 20151012 |
| TrendMicro-HouseCall | 未发现病毒 | 20151012 |
| Avast | Win32:Malware-gen | 20151012 |
| ClamAV | Trojan.Agent-148768 | 20151012 |
| Kaspersky | UDS:DangerousObject.Multi.Generic | 20151012 |
| BitDefender | 未发现病毒 | 20151012 |
| NANO-Antivirus | Trojan.Win32.FlyStudio.kcij | 20151012 |
| AegisLab | 未发现病毒 | 20151012 |
| ByteHero | 未发现病毒 | 20151012 |
| Tencent | Win32.Trojan.Generic.Hphx | 20151012 |
| Ad-Aware | 未发现病毒 | 20151012 |
| Emsisoft | 未发现病毒 | 20151012 |
| Comodo | TrojWare.Win32.TrojanSpy.FlyStudio.~B | 20151012 |
| F-Secure | 未发现病毒 | 20151012 |
| DrWeb | 未发现病毒 | 20151012 |
| VIPRE | Trojan.Win32.BHO.ct (v) | 20151012 |
| TrendMicro | 未发现病毒 | 20151012 |
| McAfee-GW-Edition | BehavesLike.Win32.Ramnit.dm | 20151012 |
| Sophos | Troj/DwnLdr-HRL | 20151012 |
| F-Prot | W32/Trojan2.HYS | 20151012 |
| Jiangmin | 未发现病毒 | 20151011 |
| Avira | TR/Crypt.ULPM.Gen | 20151012 |
| Antiy-AVL | Trojan[Spy]/Win32.Agent | 20151012 |
| Kingsoft | Win32.Troj.Generic.(kcloud) | 20151012 |
| Microsoft | Trojan:Win32/BHO.CT | 20151012 |
| Arcabit | 未发现病毒 | 20151012 |
| ViRobot | Trojan.Win32.PSWIGames.124928[h] | 20151012 |
| AhnLab-V3 | 未发现病毒 | 20151012 |
| GData | 未发现病毒 | 20151012 |
| TotalDefense | Win32/Nuj!generic | 20151012 |
| ALYac | 未发现病毒 | 20151012 |
| AVware | Trojan.Win32.BHO.ct (v) | 20151012 |
| VBA32 | Trojan.Genome.al | 20151012 |
| Baidu-International | 未发现病毒 | 20151012 |
| Zoner | 未发现病毒 | 20151012 |
| Rising | 未发现病毒 | 20151011 |
| Ikarus | 未发现病毒 | 20151012 |
| Fortinet | 未发现病毒 | 20151012 |
| AVG | 未发现病毒 | 20151012 |
| Panda | 未发现病毒 | 20151012 |
| Qihoo-360 | 未发现病毒 | 20151012 |
访问主机纪录 (可点击查询WPING实时安全评级)
无主机纪录.
TCP
无TCP连接纪录.
UDP
无UDP连接纪录.
域名解析 (可点击查询WPING实时安全评级)
无域名信息.
TCP
无TCP连接纪录.
UDP
无UDP连接纪录.
HTTP 请求
未发现HTTP请求.
SMTP 流量
无SMTP流量.
IRC 流量
无IRC请求.
ICMP 流量
无ICMP流量.
CIF 报告
无 CIF 结果
网络警报
无警报
TLS
No TLS
Suricata HTTP
No Suricata HTTP
未发现网络提取文件
抱歉! 没有任何文件投放。
没有发现相似的分析.
| HTML 总结报告 (需15-60分钟同步) |
下载 |
|---|
Processing ( 4.748 seconds )
- 3.352 VirusTotal
- 0.485 Static
- 0.292 peid
- 0.268 TargetInfo
- 0.225 NetworkAnalysis
- 0.094 BehaviorAnalysis
- 0.019 AnalysisInfo
- 0.011 Strings
- 0.002 Memory
Signatures ( 0.121 seconds )
- 0.022 antiav_detectreg
- 0.01 md_url_bl
- 0.009 infostealer_ftp
- 0.007 md_domain_bl
- 0.006 anomaly_persistence_autorun
- 0.006 antiav_detectfile
- 0.005 infostealer_im
- 0.004 api_spamming
- 0.004 antianalysis_detectreg
- 0.004 infostealer_bitcoin
- 0.004 ransomware_extensions
- 0.004 ransomware_files
- 0.003 stealth_decoy_document
- 0.003 stealth_timeout
- 0.003 infostealer_mail
- 0.002 tinba_behavior
- 0.002 rat_nanocore
- 0.002 antivm_vbox_files
- 0.002 geodo_banking_trojan
- 0.002 disables_browser_warn
- 0.001 mimics_filetime
- 0.001 betabot_behavior
- 0.001 reads_self
- 0.001 kibex_behavior
- 0.001 shifu_behavior
- 0.001 cerber_behavior
- 0.001 antivm_parallels_keys
- 0.001 antivm_xen_keys
- 0.001 banker_zeus_mutex
- 0.001 bot_drive
- 0.001 bot_drive2
- 0.001 browser_addon
- 0.001 browser_security
- 0.001 modify_proxy
- 0.001 maldun_malicious_drop_executable_file_to_temp_folder
- 0.001 md_bad_drop
- 0.001 stealth_modify_uac_prompt
Reporting ( 0.634 seconds )
- 0.626 ReportHTMLSummary
- 0.008 Malheur
| Task ID | 535198 |
|---|---|
| Mongo ID | 5e8dde1bbb7d5727dd78b82f |
| Cuckoo release | 1.4-Maldun |
沪公网安备 31011502009736号