恶意软件分析 & URL链接扫描免费在线病毒分析平台

分析任务

分析类型	虚拟机标签	开始时间	结束时间	持续时间
URL	win7-sp1-x64-shaapp03-1	2020-10-23 17:58:40	2020-10-23 18:00:42	122 秒

魔盾分数

7.87

危险的

URL详细信息

URL
URL专业沙箱检测 -> http://tips-hn.7654.com/n/tui/package/screensaver/v1.0.8.2/screen_saver-4.exe

登录查看威胁特征

运行截图

访问主机纪录 (可点击查询WPING实时安全评级)

无主机纪录.

域名解析 (可点击查询WPING实时安全评级)

域名	安全评级	响应
tips-hn.7654.com	A 59.63.235.236 A 125.78.252.115 A 59.63.235.194 A 59.63.235.122 CNAME tips-hn.7654.com.cdn.dnsv1.com CNAME 817465.p23.tc.cdntip.com
acroipm.adobe.com	CNAME acroipm.adobe.com.edgesuite.net A 23.218.94.163 CNAME a1983.dscd.akamai.net A 23.218.94.155
watson.microsoft.com	A 104.42.151.234 CNAME legacy.umwatsonrouting.trafficmanager.net CNAME skypedataprdcolwus16.cloudapp.net

摘要

登录查看详细行为信息

URL分析
防病毒引擎

WHOIS 信息

Name: None
Country: CN
State: Shanghai
City: None
ZIP Code: None
Address: None

Orginization: None
Domain Name(s):
    7654.COM
    7654.com
Creation Date:
    2001-12-28 19:39:25
Updated Date:
    2018-11-28 06:00:28
Expiration Date:
    2027-12-28 19:39:25
Email(s):
    abuse@ename.com

Registrar(s):
    eName Technology Co.,Ltd.
Name Server(s):
    F1G1NS1.DNSPOD.NET
    F1G1NS2.DNSPOD.NET
    f1g1ns1.dnspod.net
    f1g1ns2.dnspod.net
Referral URL(s):
    None

没有防病毒引擎扫描信息!

iexplore.exe, PID: 2428, 上一级进程 PID: 2116

缺省注册表文件系统网络进程线程服务设备同步加密浏览器全部

下载PCAP包

访问主机纪录 (可点击查询WPING实时安全评级)

无主机纪录.

TCP

源地址	源端口	目标地址	目标端口
192.168.122.201	49162	104.42.151.234 watson.microsoft.com	80
192.168.122.201	49160	23.218.94.163 acroipm.adobe.com	80
192.168.122.201	49159	59.63.235.194 tips-hn.7654.com	80

UDP

源地址	源端口	目标地址	目标端口
192.168.122.201	53125	192.168.122.1	53
192.168.122.201	56270	192.168.122.1	53
192.168.122.201	59401	192.168.122.1	53

域名解析 (可点击查询WPING实时安全评级)

域名	安全评级	响应
tips-hn.7654.com	A 59.63.235.236 A 125.78.252.115 A 59.63.235.194 A 59.63.235.122 CNAME tips-hn.7654.com.cdn.dnsv1.com CNAME 817465.p23.tc.cdntip.com
acroipm.adobe.com	CNAME acroipm.adobe.com.edgesuite.net A 23.218.94.163 CNAME a1983.dscd.akamai.net A 23.218.94.155
watson.microsoft.com	A 104.42.151.234 CNAME legacy.umwatsonrouting.trafficmanager.net CNAME skypedataprdcolwus16.cloudapp.net

TCP

源地址	源端口	目标地址	目标端口
192.168.122.201	49162	104.42.151.234 watson.microsoft.com	80
192.168.122.201	49160	23.218.94.163 acroipm.adobe.com	80
192.168.122.201	49159	59.63.235.194 tips-hn.7654.com	80

UDP

源地址	源端口	目标地址	目标端口
192.168.122.201	53125	192.168.122.1	53
192.168.122.201	56270	192.168.122.1	53
192.168.122.201	59401	192.168.122.1	53

HTTP 请求

URI	HTTP数据
URL专业沙箱检测 -> http://tips-hn.7654.com/n/tui/package/screensaver/v1.0.8.2/screen_saver-4.exe	GET /n/tui/package/screensaver/v1.0.8.2/screen_saver-4.exe HTTP/1.1 Accept: / Accept-Language: zh-cn User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E) Accept-Encoding: gzip, deflate Host: tips-hn.7654.com Connection: Keep-Alive
URL专业沙箱检测 -> http://acroipm.adobe.com/11/rdr/CHS/win/nooem/none/message.zip	GET /11/rdr/CHS/win/nooem/none/message.zip HTTP/1.1 Accept: / If-Modified-Since: Mon, 08 Nov 2017 08:44:36 GMT User-Agent: IPM Host: acroipm.adobe.com Connection: Keep-Alive Cache-Control: no-cache
URL专业沙箱检测 -> http://watson.microsoft.com/StageOne/AcroRd32_exe/11_0_0_379/505fd19e/AcroRd32_dll/11_0_0_379/505fd190/c0000005/000d2b25.htm?LCID=2052&OS=6.1.7601.2.00010100.1.0.1.17514&SM=QEMU&SPN=Standard%20PC%20(i440FX%20+%20PIIX_%201996)&BV=Bochs&MID=418354EE-9703-4A5C-8802-E77B54791961	GET /StageOne/AcroRd32_exe/11_0_0_379/505fd19e/AcroRd32_dll/11_0_0_379/505fd190/c0000005/000d2b25.htm?LCID=2052&OS=6.1.7601.2.00010100.1.0.1.17514&SM=QEMU&SPN=Standard%20PC%20(i440FX%20+%20PIIX_%201996)&BV=Bochs&MID=418354EE-9703-4A5C-8802-E77B54791961 HTTP/1.1 Connection: Keep-Alive User-Agent: MSDW Host: watson.microsoft.com

URI

HTTP数据

URL专业沙箱检测 -> http://tips-hn.7654.com/n/tui/package/screensaver/v1.0.8.2/screen_saver-4.exe

GET /n/tui/package/screensaver/v1.0.8.2/screen_saver-4.exe HTTP/1.1
Accept: */*
Accept-Language: zh-cn
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)
Accept-Encoding: gzip, deflate
Host: tips-hn.7654.com
Connection: Keep-Alive

URL专业沙箱检测 -> http://acroipm.adobe.com/11/rdr/CHS/win/nooem/none/message.zip

GET /11/rdr/CHS/win/nooem/none/message.zip HTTP/1.1
Accept: */*
If-Modified-Since: Mon, 08 Nov 2017 08:44:36 GMT
User-Agent: IPM
Host: acroipm.adobe.com
Connection: Keep-Alive
Cache-Control: no-cache

URL专业沙箱检测 -> http://watson.microsoft.com/StageOne/AcroRd32_exe/11_0_0_379/505fd19e/AcroRd32_dll/11_0_0_379/505fd190/c0000005/000d2b25.htm?LCID=2052&OS=6.1.7601.2.00010100.1.0.1.17514&SM=QEMU&SPN=Standard%20PC%20(i440FX%20+%20PIIX_%201996)&BV=Bochs&MID=418354EE-9703-4A5C-8802-E77B54791961

GET /StageOne/AcroRd32_exe/11_0_0_379/505fd19e/AcroRd32_dll/11_0_0_379/505fd190/c0000005/000d2b25.htm?LCID=2052&OS=6.1.7601.2.00010100.1.0.1.17514&SM=QEMU&SPN=Standard%20PC%20(i440FX%20+%20PIIX_%201996)&BV=Bochs&MID=418354EE-9703-4A5C-8802-E77B54791961 HTTP/1.1
Connection: Keep-Alive
User-Agent: MSDW
Host: watson.microsoft.com

SMTP 流量

无SMTP流量.

IRC 流量

无IRC请求.

ICMP 流量

无ICMP流量.

CIF 报告

无 CIF 结果

网络警报

Timestamp	Source IP	Source Port	Destination IP	Destination Port	Protocol	SID	Signature	Category
2020-10-23 17:58:57.576037+0800	59.63.235.194	80	192.168.122.201	49159	TCP	2018959	ET POLICY PE EXE or DLL Windows file download HTTP	Potential Corporate Privacy Violation
2020-10-23 17:59:17.026015+0800	192.168.122.201	49162	104.42.151.234	80	TCP	2018170	ET POLICY Application Crash Report Sent to Microsoft	Potential Corporate Privacy Violation
2020-10-23 18:00:13.024920+0800	192.168.122.201	49162	104.42.151.234	80	TCP	2260002	SURICATA Applayer Detect protocol only one direction	Generic Protocol Command Decode

TLS

No TLS

Suricata HTTP

No Suricata HTTP

未发现网络提取文件

抱歉! 没有任何文件投放。

HTML 总结报告 (需15-60分钟同步)	下载

Processing ( 16.164 seconds )

10.635 Suricata
4.685 NetworkAnalysis
0.613 Static
0.225 AnalysisInfo
0.004 BehaviorAnalysis
0.002 Memory

Signatures ( 1.468 seconds )

1.39 md_url_bl
0.014 md_domain_bl
0.011 antiav_detectreg
0.005 anomaly_persistence_autorun
0.005 infostealer_ftp
0.004 antiav_detectfile
0.004 geodo_banking_trojan
0.004 ransomware_extensions
0.004 ransomware_files
0.003 infostealer_bitcoin
0.003 infostealer_im
0.002 tinba_behavior
0.002 antianalysis_detectreg
0.002 antivm_vbox_files
0.002 disables_browser_warn
0.002 infostealer_mail
0.002 network_torgateway
0.001 rat_nanocore
0.001 cerber_behavior
0.001 bot_drive
0.001 bot_drive2
0.001 browser_security
0.001 maldun_malicious_drop_executable_file_to_temp_folder
0.001 ie_martian_children
0.001 md_bad_drop
0.001 stealth_modify_uac_prompt

Reporting ( 0.476 seconds )

0.476 ReportHTMLSummary


Task ID	583126
Mongo ID	5f92a9e47e769a0a8e08d310
Cuckoo release	1.4-Maldun