Analysis task

Analysis type | VM label | Start time | End time | Duration
File (Windows) | win7-sp1-x64-shaapp03-1 | 2021-06-18 23:57:57 | 2021-06-18 23:58:56 | 59 seconds

Maldun score

10.0

Dangerous

File details

File name NULLspoofer2-H121jun.exe
File size 496640 bytes
File type PE32+ executable (console) x86-64, for MS Windows
MD5 7da236c9a2504e50b85495e05e0d596b
SHA1 505740e074c61557d620071403e5300da5ad4fa8
SHA256 69f79cb0af645aa6df50c36bde972d54156b0dbac5b2789cea9bfb1f681a5ea3
SHA512 5ff023936312c1f52eae240b6a35be1c74147d0a973b2ddf227269a23252b5b089aa160b46abd64ba90575861f926e49215d7e3818a5cb3edc298cb4d3fab75e
CRC32 BD83210B
Ssdeep 12288:9tzE5elwLz9TrQGs2Bf0A/gPjq2NoZMGaidfKV/Cte6VKW4PWY9E:9tA4KdTcGsyJgPjq6HVG5KWpY9E


Hosts contacted

No host records.

DNS resolution

Domain | Security rating | Response
acroipm.adobe.com CNAME a1983.dscd.akamai.net
CNAME acroipm.adobe.com.edgesuite.net
A 104.91.68.27
A 104.91.68.75


PE information

Image base 0x140000000
Entry point 0x140001000
Declared checksum 0x00000000
Actual checksum 0x00086e19
Minimum OS version required 4.0
Compile time 2019-07-30 16:52:08
Import hash (imphash) f326f88ca83c9aacaa44acfb8884f1d4
Icon
Icon exact hash 5a44d0533a2324e912c71da4e8604ce3
Icon similarity hash cadc1e965f2dcb0cda620ba7c3eef151

Version information

InternalName
FileDescription
ProductName
Translation

PE sections

Name | Virtual address | Virtual size | Raw data size | Characteristics | Entropy
.code 0x00001000 0x00005b79 0x00005c00 IMAGE_SCN_CNT_CODE|IMAGE_SCN_MEM_EXECUTE|IMAGE_SCN_MEM_READ 5.51
.text 0x00007000 0x00010d25 0x00010e00 IMAGE_SCN_CNT_CODE|IMAGE_SCN_MEM_EXECUTE|IMAGE_SCN_MEM_READ 6.35
.rdata 0x00018000 0x00004b9d 0x00004c00 IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_READ 6.69
.pdata 0x0001d000 0x00001140 0x00001200 IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_READ 5.00
.data 0x0001f000 0x000023b8 0x00001600 IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_READ|IMAGE_SCN_MEM_WRITE 4.39
.rsrc 0x00022000 0x0005b1c4 0x0005b200 IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_READ 7.87

Resources

Name | Offset | Size | Language | Sublanguage | Entropy | File type
RT_ICON 0x000224ec 0x000366d0 LANG_NEUTRAL SUBLANG_NEUTRAL 7.67 data
RT_RCDATA 0x0006cd00 0x000100a7 LANG_NEUTRAL SUBLANG_NEUTRAL 8.00 data
RT_RCDATA 0x0006cd00 0x000100a7 LANG_NEUTRAL SUBLANG_NEUTRAL 8.00 data
RT_RCDATA 0x0006cd00 0x000100a7 LANG_NEUTRAL SUBLANG_NEUTRAL 8.00 data
RT_RCDATA 0x0006cd00 0x000100a7 LANG_NEUTRAL SUBLANG_NEUTRAL 8.00 data
RT_RCDATA 0x0006cd00 0x000100a7 LANG_NEUTRAL SUBLANG_NEUTRAL 8.00 data
RT_RCDATA 0x0006cd00 0x000100a7 LANG_NEUTRAL SUBLANG_NEUTRAL 8.00 data
RT_RCDATA 0x0006cd00 0x000100a7 LANG_NEUTRAL SUBLANG_NEUTRAL 8.00 data
RT_RCDATA 0x0006cd00 0x000100a7 LANG_NEUTRAL SUBLANG_NEUTRAL 8.00 data
RT_GROUP_ICON 0x0007cda8 0x00000014 LANG_NEUTRAL SUBLANG_NEUTRAL 1.77 MS Windows icon resource - 1 icon, 256x256
RT_VERSION 0x0007cdbc 0x00000168 LANG_NEUTRAL SUBLANG_NEUTRAL 3.01 data
RT_MANIFEST 0x0007cf24 0x000002a0 LANG_NEUTRAL SUBLANG_NEUTRAL 5.09 XML 1.0 document, ASCII text, with very long lines, with no line terminators

Imports

Library: msvcrt.dll:
0x14001f6c8 memset
0x14001f6d0 wcsncmp
0x14001f6d8 memmove
0x14001f6e0 wcsncpy
0x14001f6e8 wcsstr
0x14001f6f0 _wcsnicmp
0x14001f6f8 _wcsdup
0x14001f700 free
0x14001f708 _wcsicmp
0x14001f710 wcslen
0x14001f718 wcscpy
0x14001f720 wcscmp
0x14001f728 wcscat
0x14001f730 memcpy
0x14001f738 tolower
0x14001f740 malloc
Library: KERNEL32.dll:
0x14001f750 GetModuleHandleW
0x14001f758 HeapCreate
0x14001f760 GetStdHandle
0x14001f768 SetConsoleCtrlHandler
0x14001f770 HeapDestroy
0x14001f778 ExitProcess
0x14001f780 WriteFile
0x14001f788 GetTempFileNameW
0x14001f790 LoadLibraryExW
0x14001f798 EnumResourceTypesW
0x14001f7a0 FreeLibrary
0x14001f7a8 RemoveDirectoryW
0x14001f7b0 EnumResourceNamesW
0x14001f7b8 GetCommandLineW
0x14001f7c0 LoadResource
0x14001f7c8 SizeofResource
0x14001f7d0 FreeResource
0x14001f7d8 FindResourceW
0x14001f7e0 GetShortPathNameW
0x14001f7e8 GetSystemDirectoryW
0x14001f7f0 EnterCriticalSection
0x14001f7f8 CloseHandle
0x14001f800 LeaveCriticalSection
0x14001f810 WaitForSingleObject
0x14001f818 TerminateThread
0x14001f820 CreateThread
0x14001f828 Sleep
0x14001f830 WideCharToMultiByte
0x14001f838 HeapAlloc
0x14001f840 HeapFree
0x14001f848 LoadLibraryW
0x14001f850 GetProcAddress
0x14001f858 GetCurrentProcessId
0x14001f860 GetCurrentThreadId
0x14001f868 GetModuleFileNameW
0x14001f870 PeekNamedPipe
0x14001f878 TerminateProcess
0x14001f880 GetEnvironmentVariableW
0x14001f888 SetEnvironmentVariableW
0x14001f890 GetCurrentProcess
0x14001f898 DuplicateHandle
0x14001f8a0 CreatePipe
0x14001f8a8 CreateProcessW
0x14001f8b0 GetExitCodeProcess
0x14001f8b8 RtlLookupFunctionEntry
0x14001f8c0 RtlVirtualUnwind
0x14001f8d8 HeapSize
0x14001f8e0 MultiByteToWideChar
0x14001f8e8 CreateDirectoryW
0x14001f8f0 SetFileAttributesW
0x14001f8f8 GetTempPathW
0x14001f900 DeleteFileW
0x14001f908 GetCurrentDirectoryW
0x14001f910 SetCurrentDirectoryW
0x14001f918 CreateFileW
0x14001f920 SetFilePointer
0x14001f928 TlsFree
0x14001f930 TlsGetValue
0x14001f938 TlsSetValue
0x14001f940 TlsAlloc
0x14001f948 HeapReAlloc
0x14001f950 DeleteCriticalSection
0x14001f958 GetLastError
0x14001f960 SetLastError
0x14001f968 UnregisterWait
0x14001f970 GetCurrentThread
Library: SHELL32.DLL:
0x14001f988 ShellExecuteExW
0x14001f990 SHGetFolderLocation
0x14001f998 SHGetPathFromIDListW
Library: WINMM.DLL:
0x14001f9a8 timeBeginPeriod
Library: OLE32.DLL:
0x14001f9b8 CoInitialize
0x14001f9c0 CoTaskMemFree
Library: SHLWAPI.DLL:
0x14001f9d0 PathAddBackslashW
0x14001f9d8 PathRenameExtensionW
0x14001f9e0 PathQuoteSpacesW
0x14001f9e8 PathRemoveArgsW
0x14001f9f0 PathRemoveBackslashW
Library: USER32.DLL:
0x14001fa00 CharUpperW
0x14001fa08 CharLowerW
0x14001fa10 MessageBoxW
0x14001fa18 DefWindowProcW
0x14001fa20 GetWindowLongPtrW
0x14001fa28 GetWindowTextLengthW
0x14001fa30 GetWindowTextW
0x14001fa38 EnableWindow
0x14001fa40 DestroyWindow
0x14001fa48 UnregisterClassW
0x14001fa50 LoadIconW
0x14001fa58 LoadCursorW
0x14001fa60 RegisterClassExW
0x14001fa68 IsWindowEnabled
0x14001fa70 GetSystemMetrics
0x14001fa78 CreateWindowExW
0x14001fa80 SetWindowLongPtrW
0x14001fa88 SendMessageW
0x14001fa90 SetFocus
0x14001fa98 CreateAcceleratorTableW
0x14001faa0 SetForegroundWindow
0x14001faa8 BringWindowToTop
0x14001fab0 GetMessageW
0x14001fab8 TranslateAcceleratorW
0x14001fac0 TranslateMessage
0x14001fac8 DispatchMessageW
0x14001fad0 DestroyAcceleratorTable
0x14001fad8 PostMessageW
0x14001fae0 GetForegroundWindow
0x14001fae8 GetWindowThreadProcessId
0x14001faf0 IsWindowVisible
0x14001faf8 EnumWindows
0x14001fb00 SetWindowPos
Library: GDI32.DLL:
0x14001fb10 GetStockObject
Library: COMCTL32.DLL:
0x14001fb20 InitCommonControlsEx

No antivirus engine scan information!

Process tree


NULLspoofer2-H121jun.exe, PID: 2500, parent PID: 2172
cmd.exe, PID: 2760, parent PID: 2500
WMIC.exe, PID: 2820, parent PID: 2760
PING.EXE, PID: 3008, parent PID: 2760
WMIC.exe, PID: 2272, parent PID: 2760
PING.EXE, PID: 2520, parent PID: 2760
more.exe, PID: 2880, parent PID: 2760
PING.EXE, PID: 2912, parent PID: 2760
cmd.exe, PID: 3004, parent PID: 2880
msg.exe, PID: 972, parent PID: 3004
PING.EXE, PID: 2824, parent PID: 2760

TCP

Source address | Source port | Destination address | Destination port
192.168.122.201 49164 104.91.68.27 acroipm.adobe.com 80

UDP

Source address | Source port | Destination address | Destination port
192.168.122.201 59401 192.168.122.1 53

HTTP requests

URI | HTTP data
URL: http://acroipm.adobe.com/11/rdr/CHS/win/nooem/none/message.zip
GET /11/rdr/CHS/win/nooem/none/message.zip HTTP/1.1
Accept: */*
If-Modified-Since: Mon, 08 Nov 2017 08:44:36 GMT
User-Agent: IPM
Host: acroipm.adobe.com
Connection: Keep-Alive
Cache-Control: no-cache

SMTP traffic

No SMTP traffic.

IRC traffic

No IRC requests.

ICMP traffic

No ICMP traffic.

CIF report

No CIF results

Network alerts

No alerts

TLS

No TLS

Suricata HTTP

No Suricata HTTP

No files extracted from network traffic.
No dropped files.
No similar analyses found.

Processing ( 18.305 seconds )

  • 10.909 Suricata
  • 2.527 BehaviorAnalysis
  • 1.723 VirusTotal
  • 1.47 NetworkAnalysis
  • 0.818 Static
  • 0.458 TargetInfo
  • 0.375 peid
  • 0.012 Strings
  • 0.01 AnalysisInfo
  • 0.002 Memory
  • 0.001 config_decoder

Signatures ( 2.64 seconds )

  • 1.399 md_url_bl
  • 0.151 api_spamming
  • 0.114 stealth_decoy_document
  • 0.112 stealth_timeout
  • 0.074 antiav_detectreg
  • 0.068 mimics_filetime
  • 0.058 stealth_file
  • 0.058 virus
  • 0.056 reads_self
  • 0.056 antivm_generic_disk
  • 0.05 bootkit
  • 0.036 injection_createremotethread
  • 0.036 hancitor_behavior
  • 0.031 infostealer_ftp
  • 0.02 injection_runpe
  • 0.018 antivm_generic_scsi
  • 0.017 infostealer_im
  • 0.016 antiav_detectfile
  • 0.014 antianalysis_detectreg
  • 0.013 antivm_generic_services
  • 0.012 anormaly_invoke_kills
  • 0.011 infostealer_bitcoin
  • 0.01 injection_explorer
  • 0.01 antidbg_windows
  • 0.01 infostealer_mail
  • 0.01 md_domain_bl
  • 0.008 maldun_anomaly_massive_file_ops
  • 0.007 anomaly_persistence_autorun
  • 0.007 vawtrak_behavior
  • 0.007 kovter_behavior
  • 0.006 process_needed
  • 0.006 antivm_vbox_files
  • 0.006 geodo_banking_trojan
  • 0.005 antiemu_wine_func
  • 0.005 maldun_malicious_write_executeable_under_temp_to_regrun
  • 0.005 maldun_anomaly_write_exe_and_obsfucate_extension
  • 0.005 infostealer_browser_password
  • 0.004 infostealer_browser
  • 0.004 betabot_behavior
  • 0.004 kibex_behavior
  • 0.004 maldun_anomaly_write_exe_and_dll_under_winroot_run
  • 0.004 ransomware_extensions
  • 0.004 ransomware_files
  • 0.003 hawkeye_behavior
  • 0.003 rat_luminosity
  • 0.003 ransomware_message
  • 0.003 antivm_parallels_keys
  • 0.003 antivm_xen_keys
  • 0.003 disables_browser_warn
  • 0.003 darkcomet_regkeys
  • 0.003 network_http
  • 0.002 tinba_behavior
  • 0.002 maldun_anomaly_terminated_process
  • 0.002 network_tor
  • 0.002 antivm_vbox_libs
  • 0.002 rat_nanocore
  • 0.002 antivm_vbox_window
  • 0.002 ipc_namedpipe
  • 0.002 shifu_behavior
  • 0.002 h1n1_behavior
  • 0.002 antisandbox_script_timer
  • 0.002 antidbg_devices
  • 0.002 antivm_generic_diskreg
  • 0.002 browser_security
  • 0.002 maldun_malicious_drop_executable_file_to_temp_folder
  • 0.002 network_torgateway
  • 0.002 rat_pcclient
  • 0.001 removes_zoneid_ads
  • 0.001 antiav_avast_libs
  • 0.001 TrickBotTaskDelete
  • 0.001 sets_autoconfig_url
  • 0.001 kazybot_behavior
  • 0.001 antisandbox_sunbelt_libs
  • 0.001 antisandbox_sboxie_libs
  • 0.001 antiav_bitdefender_libs
  • 0.001 exec_crash
  • 0.001 cerber_behavior
  • 0.001 bypass_firewall
  • 0.001 antianalysis_detectfile
  • 0.001 antivm_xen_keys
  • 0.001 antivm_hyperv_keys
  • 0.001 antivm_vbox_acpi
  • 0.001 antivm_vbox_keys
  • 0.001 antivm_vmware_files
  • 0.001 antivm_vmware_keys
  • 0.001 antivm_vpc_keys
  • 0.001 bot_drive
  • 0.001 bot_drive2
  • 0.001 browser_addon
  • 0.001 modify_proxy
  • 0.001 disables_system_restore
  • 0.001 disables_windows_defender
  • 0.001 codelux_behavior
  • 0.001 malicous_targeted_flame
  • 0.001 maldun_anomaly_invoke_vb_vba
  • 0.001 md_bad_drop
  • 0.001 network_cnc_http
  • 0.001 packer_armadillo_regkey
  • 0.001 recon_fingerprint
  • 0.001 stealth_modify_uac_prompt

Reporting ( 0.575 seconds )

  • 0.519 ReportHTMLSummary
  • 0.056 Malheur
Task ID 641033
Mongo ID 60ccc2e37e769a1c5870e19c
Cuckoo release 1.4-Maldun