Analysis task

Analysis type | VM label | Start time | End time | Duration
File (Windows) | win7-sp1-x64-shaapp02-1 | 2023-06-07 17:11:38 | 2023-06-07 17:13:53 | 135 s

Maldun score

10.0 (dangerous)

File details

File name | ._cache_锄大地5.22.4.exe
File size | 9158295 bytes
File type | PE32 executable (GUI) Intel 80386, for MS Windows
MD5 | 69175a2da049d19f22be8ea5f90845f2
SHA1 | 6bc6d031585ec90fb715c45689642928ad853fff
SHA256 | 1dc633d25ca34ed7fe8b7efc5c76a9bcd645aa4676d608978fdc436d4df8c1e3
SHA512 | ba6d4c8767b917c18c7f09535085af20bae314f29a4aa903dea874a35e1227ef4a4671b1aed35b523013cfd7833da8383873ba2f9d1e62c3b994fcd2005f3fc5
CRC32 | EAC59C98
Ssdeep | 98304:/r3frjoeEg5qcAd4p5Blmkk5/C4OWoHI7NINa4tqR+zqbJ278Inp4jEMS66BXlkz:/7frMM5qr4Flmh5dCIetOl27WEMSZsJ

Contacted hosts

IP | Location
117.27.139.134 | China
124.237.176.160 | China
165.160.15.20 | United States
180.101.50.242 | China
220.181.33.11 | China

DNS resolution

Domain | Rating | Response
soft.anjian.com | unknown | A 117.27.139.134
down.vrbrothers.com | unknown | (no answer recorded)
www.baidu.com | unknown | CNAME www.a.shifen.com; A 180.101.50.188; A 180.101.50.242
hi.vrbrothers.com | unknown | (no answer recorded)
ad.vrbrothers.com | unknown | (no answer recorded)
s.csbew.com | unknown | A 165.160.15.20; A 165.160.13.20
img.users.51.la | unknown | NXDOMAIN
hm.baidu.com | unknown | CNAME hm.e.shifen.com; A 220.181.33.11
log.hm.baidu.com | unknown | CNAME log.hm.e.shifen.com; A 124.237.176.160

The report records no resolved address and no TCP flow for the three vrbrothers.com hosts, although the HTTP section lists requests to down.vrbrothers.com and ad.vrbrothers.com; those requests cannot be tied to a destination IP from this report alone.

PE information

Image base | 0x00400000
Entry point | 0x00b86000 (RVA 0x00786000, which falls in the last section, nrszgpfo)
Declared checksum | 0x002e3da8
Computed checksum | 0x008c4209 (mismatch: the header value does not cover the file as it exists now)
Minimum OS version | 5.1
Compile timestamp | 2020-06-09 15:55:40
Import hash (imphash) | baa93d47220682c04d92f7797d9224ce

Microsoft signature verification (SignTool)

Signature SHA1 | Timestamp | Valid | Error
2418b40b100bec5216a9781c921185916cfe9407 | Tue Jun 09 16:07:43 2020 | no | WinVerifyTrust returned error 0x80096010

Error 0x80096010 is TRUST_E_BAD_DIGEST: the signature block is present and its certificates chain to a DigiCert root, but the hash of the file no longer matches the digest that was signed. The file as analysed is therefore not the file that Fujian Chuangyi Jiahe Soft Co., Ltd. signed; the chains below are intact, and the failure is the digest, not the certificates. The signing timestamp is close to the compile timestamp in the PE information above, as expected for a vendor build.

Certificate chain 1
Issued to | DigiCert Assured ID Root CA
Issued by | DigiCert Assured ID Root CA
Valid until | Mon Nov 10 08:00:00 2031
SHA1 | 0563b8630d62d75abbc8ab1e4bdfb5a899b24d43

Certificate chain 2
Issued to | DigiCert SHA2 Assured ID Code Signing CA
Issued by | DigiCert Assured ID Root CA
Valid until | Sun Oct 22 20:00:00 2028
SHA1 | 92c1588e85af2201ce7915e8538b492f605b80c6

Certificate chain 3
Issued to | Fujian Chuangyi Jiahe Soft Co., Ltd.
Issued by | DigiCert SHA2 Assured ID Code Signing CA
Valid until | Thu Mar 25 20:00:00 2021
SHA1 | ed5f47d7adc69afd09ac3fe793a357c4bab7145a

Timestamp chain 1
Issued to | DigiCert Assured ID Root CA
Issued by | DigiCert Assured ID Root CA
Valid until | Mon Nov 10 08:00:00 2031
SHA1 | 0563b8630d62d75abbc8ab1e4bdfb5a899b24d43

Timestamp chain 2
Issued to | DigiCert Assured ID CA-1
Issued by | DigiCert Assured ID Root CA
Valid until | Wed Nov 10 08:00:00 2021
SHA1 | 19a09b5a36f4dd99727df783c17a51231a56c117

Timestamp chain 3
Issued to | DigiCert Timestamp Responder
Issued by | DigiCert Assured ID CA-1
Valid until | Tue Oct 22 08:00:00 2024
SHA1 | 614d271d9102e30169822487fde5de00a352b01d

PE sections

Name | Virtual address (RVA) | Virtual size | Raw size | Characteristics | Entropy
(NUL name, "\x00") | 0x00001000 | 0x002d3000 | 0x00134a00 | IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_EXECUTE|IMAGE_SCN_MEM_READ|IMAGE_SCN_MEM_WRITE | 7.99
.rsrc | 0x002d4000 | 0x00039a78 | 0x00023c00 | IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_READ|IMAGE_SCN_MEM_WRITE | 7.95
.idata | 0x0030e000 | 0x00001000 | 0x00000200 | IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_READ|IMAGE_SCN_MEM_WRITE | 1.31
(unnamed) | 0x0030f000 | 0x002fd000 | 0x00000200 | IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_EXECUTE|IMAGE_SCN_MEM_READ|IMAGE_SCN_MEM_WRITE | 0.26
dlyhprqf | 0x0060c000 | 0x0017a000 | 0x00179800 | IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_EXECUTE|IMAGE_SCN_MEM_READ|IMAGE_SCN_MEM_WRITE | 7.86
nrszgpfo | 0x00786000 | 0x00001000 | 0x00000200 | IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_EXECUTE|IMAGE_SCN_MEM_READ|IMAGE_SCN_MEM_WRITE | 3.35

Reading the table: three of the six sections sit near the 8.0 entropy ceiling and are mapped writable and executable; the two trailing sections carry random eight-letter names; the first and the unnamed section occupy far more memory than they take on disk (0x2fd000 bytes reserved for 0x200 bytes of file data); the entry point lies in the last section; and the import table below holds two functions. That is the layout of a packed or protected executable: the on-disk code is an unpacking stub plus compressed payload, and any meaningful disassembly has to come from a memory dump taken after the stub has run.

Overlay

Offset | 0x00765fa0
Size | 0x00155ef7

The overlay runs exactly to the end of the file (0x00765fa0 + 0x00155ef7 = 9158295 bytes, the reported file size), so all 1,400,567 bytes after the last section's raw data, including the Authenticode signature block, are counted here.

Resources

Type | Offset | Size | Language | Sublanguage | Entropy | File type | Entries
RT_MENU | 0x0030b94c | 0x0000010e | LANG_CHINESE | SUBLANG_CHINESE_SIMPLIFIED | 0.00 | None | 1
RT_DIALOG | 0x0030bdb0 | 0x00000034 | LANG_CHINESE | SUBLANG_CHINESE_SIMPLIFIED | 0.00 | None | 7 (identical rows)
RT_STRING | 0x0030d008 | 0x000001a6 | LANG_CHINESE | SUBLANG_CHINESE_SIMPLIFIED | 0.00 | None | 19 (identical rows)
RT_GROUP_CURSOR | 0x0030d2d8 | 0x00000014 | LANG_CHINESE | SUBLANG_CHINESE_SIMPLIFIED | 0.00 | None | 15 (identical rows)
(unnamed) | 0x0030d9cc | 0x000000aa | LANG_CHINESE | SUBLANG_CHINESE_SIMPLIFIED | 0.00 | None | 1

The parser reported the same offset and size for every entry of a type and read no data from any of them (entropy 0.00, no file type): the resource directory is present, but its contents were not characterised.

Imports

Library | Address | Function
kernel32.dll | 0x70e033 | lstrcpy
comctl32.dll | 0x70e03b | InitCommonControls

Two imports in a 9 MB GUI executable means the real import table is rebuilt at run time by the unpacking stub; an import-based signature, and the imphash above, describe the stub rather than the payload.
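The static findings above (entropy, RWX flags, random section names, entry point in the last section, overlay to end of file, checksum mismatch, two imports) are the checks an analyst runs before spending time on a disassembler. The following added example, which is not part of the Maldun report and not code from the sample or its vendor, encodes those checks as a small triage routine. The section table, entry point, checksums, overlay and import list are copied from the report; the byte strings passed to `shannon_entropy()` in the usage block are constructed for illustration, and the thresholds (entropy 7.0, 2x growth, fewer than 10 imports) are this example's own choices.

```python
"""Packer/tamper triage from the static values a sandbox reports for a PE file.

Added example: not part of the Maldun/Cuckoo report and not code from the
sample or its vendor. The section table, entry point, checksums, overlay and
import list are copied from the report above; the byte strings handed to
shannon_entropy() in the usage block are constructed here for illustration.
"""
import math
from collections import Counter
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

IMAGE_SCN_MEM_EXECUTE = 0x20000000
IMAGE_SCN_MEM_WRITE = 0x80000000
WX = IMAGE_SCN_MEM_EXECUTE | IMAGE_SCN_MEM_WRITE
STANDARD_NAMES = {".text", ".data", ".rdata", ".idata", ".edata", ".rsrc",
                  ".reloc", ".bss", ".tls", ".pdata", "CODE", "DATA", "BSS"}


def shannon_entropy(data: bytes) -> float:
    """Bits per byte: 0.0 for a constant buffer, 8.0 for uniformly distributed bytes."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


@dataclass(frozen=True)
class Section:
    name: str
    rva: int
    vsize: int
    rawsize: int
    flags: int
    entropy: float  # as reported; shannon_entropy() gives the same figure from raw bytes

    def contains_rva(self, rva: int) -> bool:
        return self.rva <= rva < self.rva + max(self.vsize, self.rawsize)

    def is_wx(self) -> bool:
        return (self.flags & WX) == WX


# Section table from the report (only the EXECUTE/WRITE bits matter to the heuristics).
SECTIONS = [
    Section("\x00",     0x001000, 0x2d3000, 0x134a00, WX, 7.99),
    Section(".rsrc",    0x2d4000, 0x039a78, 0x023c00, IMAGE_SCN_MEM_WRITE, 7.95),
    Section(".idata",   0x30e000, 0x001000, 0x000200, IMAGE_SCN_MEM_WRITE, 1.31),
    Section("",         0x30f000, 0x2fd000, 0x000200, WX, 0.26),
    Section("dlyhprqf", 0x60c000, 0x17a000, 0x179800, WX, 7.86),
    Section("nrszgpfo", 0x786000, 0x001000, 0x000200, WX, 3.35),
]
IMAGE_BASE = 0x00400000
ENTRY_VA = 0x00b86000  # the report prints ImageBase + AddressOfEntryPoint
FILE_SIZE = 9158295
OVERLAY = (0x00765fa0, 0x00155ef7)
CHECKSUMS = (0x002e3da8, 0x008c4209)  # (declared in header, computed over the file)
IMPORTS = {"kernel32.dll": ["lstrcpy"], "comctl32.dll": ["InitCommonControls"]}


def entry_section(sections: List[Section], image_base: int, entry_va: int) -> Optional[Section]:
    """Section that contains the entry point, or None if it maps to no section."""
    rva = entry_va - image_base
    return next((s for s in sections if s.contains_rva(rva)), None)


def triage(sections: List[Section], image_base: int, entry_va: int, file_size: int,
           overlay: Tuple[int, int], checksums: Tuple[int, int],
           imports: Dict[str, List[str]]) -> List[str]:
    """Return packer/tamper indicators as short, human-readable findings."""
    findings = []
    for s in sections:
        label = repr(s.name)
        if s.entropy >= 7.0:
            findings.append(f"high-entropy section {label} ({s.entropy:.2f})")
        if s.is_wx():
            findings.append(f"writable+executable section {label}")
        if s.name.strip("\x00") and s.name not in STANDARD_NAMES:
            findings.append(f"non-standard section name {label}")
        if s.rawsize and s.vsize > 2 * s.rawsize:
            findings.append(f"section {label} grows {s.vsize / s.rawsize:.1f}x when mapped")
    ep = entry_section(sections, image_base, entry_va)
    if ep is None:
        findings.append("entry point outside every section")
    elif ep is sections[-1]:
        findings.append(f"entry point in last section {ep.name!r}")
    offset, size = overlay
    if size and offset + size == file_size:
        findings.append(f"overlay of {size} bytes runs to end of file")
    if checksums[0] != checksums[1]:
        findings.append("PE checksum mismatch")
    n_imports = sum(len(funcs) for funcs in imports.values())
    if n_imports < 10:
        findings.append(f"only {n_imports} imported functions")
    return findings


def triage_report() -> List[str]:
    """Run triage() over the values copied from this report."""
    return triage(SECTIONS, IMAGE_BASE, ENTRY_VA, FILE_SIZE, OVERLAY, CHECKSUMS, IMPORTS)


if __name__ == "__main__":
    print("entropy of 64 zero bytes:", shannon_entropy(b"\x00" * 64))    # constructed input
    print("entropy of 0x00..0xff:", shannon_entropy(bytes(range(256))))  # constructed input
    for finding in triage_report():
        print("-", finding)
```

Against a real file the same routine would take its inputs from a PE parser (pefile's section objects carry name, VirtualAddress, Misc_VirtualSize, SizeOfRawData and Characteristics, and `get_data()` gives the bytes for `shannon_entropy()`); here the report's numbers stand in for that, and the findings reproduce the packed-binary reading given under the section table.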

Strings

.rsrc
.idata
dlyhprqf
nrszgpfo
Y!{Cn
n.*kJO
e!Y|)
JHX$n
s!,4C+ON
.`t#v7l
%Ws$[

The listed strings are section names and short random fragments; none of the hostnames contacted at run time appear here, consistent with the packed layout above.

Antivirus

No antivirus engine scan results are available for this sample.

Process tree

._cache__________5.22.4.exe (PID 2712, parent PID 2332)
  binding.exe (PID 2552, parent PID 2712)
  PING.EXE (PID 2544, parent PID 2712)
  Runner.exe (PID 2632, parent PID 2712)
  PING.EXE (PID 2600, parent PID 2712)
  PING.EXE (PID 3068, parent PID 2712)

The sample's name appears with its non-ASCII characters replaced by underscores; the same string is used as a User-Agent in the HTTP section. binding.exe corresponds to the BindingPC/BindingUpdate and BindingUsing interfaces called on soft.anjian.com, and the three PING.EXE children account for the ICMP echo requests to a www.baidu.com address listed below.

TCP

Source | Source port | Destination | Destination port
192.168.122.201 | 49159 | 104.100.168.41 (no hostname recorded) | 80
192.168.122.201 | 49161 | 117.27.139.134 (soft.anjian.com) | 80
192.168.122.201 | 49162 | 117.27.139.134 (soft.anjian.com) | 80
192.168.122.201 | 49163 | 117.27.139.134 (soft.anjian.com) | 80
192.168.122.201 | 49164 | 117.27.139.134 (soft.anjian.com) | 80
192.168.122.201 | 49168 | 117.27.139.134 (soft.anjian.com) | 80
192.168.122.201 | 49172 | 117.27.139.134 (soft.anjian.com) | 80
192.168.122.201 | 49173 | 117.27.139.134 (soft.anjian.com) | 80
192.168.122.201 | 49174 | 117.27.139.134 (soft.anjian.com) | 80
192.168.122.201 | 49179 | 124.237.176.160 (log.hm.baidu.com) | 80
192.168.122.201 | 49180 | 124.237.176.160 (log.hm.baidu.com) | 80
192.168.122.201 | 49175 | 165.160.15.20 (s.csbew.com) | 80
192.168.122.201 | 49176 | 165.160.15.20 (s.csbew.com) | 80
192.168.122.201 | 49178 | 220.181.33.11 (hm.baidu.com) | 80

The flow to 104.100.168.41 is the only one without a DNS answer in this report. The acroipm.adobe.com request in the HTTP section (User-Agent "IPM", Adobe Reader's in-product messaging check) is its likely owner, i.e. background traffic from the analysis VM rather than the sample.

UDP

Source | Source port | Destination | Destination port
192.168.122.201 | 51304 | 192.168.122.1 | 53
192.168.122.201 | 53118 | 192.168.122.1 | 53
192.168.122.201 | 53759 | 192.168.122.1 | 53
192.168.122.201 | 53947 | 192.168.122.1 | 53
192.168.122.201 | 57526 | 192.168.122.1 | 53
192.168.122.201 | 59277 | 192.168.122.1 | 53
192.168.122.201 | 60155 | 192.168.122.1 | 53
192.168.122.201 | 61447 | 192.168.122.1 | 53
192.168.122.201 | 63246 | 192.168.122.1 | 53
192.168.122.201 | 63472 | 192.168.122.1 | 53
192.168.122.201 | 63902 | 192.168.122.1 | 53

All UDP traffic is DNS to 192.168.122.1, the VM's resolver.

HTTP requests

All observed traffic is cleartext HTTP on port 80 (the TLS section below is empty). The requests fall into four groups: update and configuration fetches for the bundled "mymacro" component (down.vrbrothers.com liveupdate8.dat, soft.anjian.com ad-mymacro.xml); POSTs to soft.anjian.com interfaces (GetIP.aspx, ExitAdXJL.shtml, BindingPC/BindingUpdate.aspx, BindingPC/BindingUsing.aspx) whose bodies are opaque hex strings of 12, 132 and 76 bytes sent under the bare User-Agent "Mozilla/4.0 (compatible)"; ad pages on ad.vrbrothers.com that in turn load s.csbew.com/k.js; and Baidu Tongji analytics beacons (hm.baidu.com, log.hm.baidu.com) whose Referer is a soft.anjian.com "SoftwareExperience" page carrying product version strings and identifier-like values (MC=fbac1552 and a long MMID value). The acroipm.adobe.com request (User-Agent "IPM") is Adobe Reader's in-product messaging check and most likely originates from the analysis VM, not the sample. Because the update file and the ad pages are fetched without TLS and no integrity mechanism is visible in the capture, anyone on the path could substitute them.

One entry per request: the URL, then the raw request as captured.
http://acroipm.adobe.com/11/rdr/CHS/win/nooem/none/message.zip
GET /11/rdr/CHS/win/nooem/none/message.zip HTTP/1.1
Accept: */*
If-Modified-Since: Mon, 08 Nov 2017 08:44:36 GMT
User-Agent: IPM
Host: acroipm.adobe.com
Connection: Keep-Alive
Cache-Control: no-cache

http://down.vrbrothers.com/qmacro/up_mymacro/liveupdate8.dat
GET /qmacro/up_mymacro/liveupdate8.dat HTTP/1.1
Accept: */*
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)
Host: down.vrbrothers.com
Connection: Keep-Alive

http://soft.anjian.com/V2014V2/Config/ad-mymacro.xml
GET /V2014V2/Config/ad-mymacro.xml HTTP/1.1
Accept: */*
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)
Host: soft.anjian.com
Connection: Keep-Alive

http://soft.anjian.com/Include/BuildPage/ExitAdXJL.shtml
POST /Include/BuildPage/ExitAdXJL.shtml HTTP/1.1
Accept: */*
Host: soft.anjian.com
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/4.0 (compatible)
Content-Length: 0
Cache-Control: no-cache

http://soft.anjian.com/Interface/GetIP.aspx
POST /Interface/GetIP.aspx HTTP/1.1
Accept: */*
Host: soft.anjian.com
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/4.0 (compatible)
Content-Length: 29
Cache-Control: no-cache

data=697580D98850350D55630001

http://soft.anjian.com/Include/BuildPage/AnJianBindingInstallPC.html
GET /Include/BuildPage/AnJianBindingInstallPC.html HTTP/1.1
User-Agent: HttpClient
Host: soft.anjian.com
Cache-Control: no-cache

http://soft.anjian.com/Interface/BindingPC/BindingUpdate.aspx
POST /Interface/BindingPC/BindingUpdate.aspx HTTP/1.1
Accept: */*
Host: soft.anjian.com
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/4.0 (compatible)
Content-Length: 269
Cache-Control: no-cache
Cookie: ASP.NET_SessionId=fykk4ubv2mp0g1rsglhrnrzz

data=09206B45BCFC569EBF8446011F6926E431F804A318E631C411256E8DE7592EED2796AF2EDF5529F9871EE4D34F0A0924B2F7F03D604499651666740C8F43EDB05CD75B9985870B13A018B1B802552A63D10CABD234C9ADB137AD8EAC671F08B417800B0D373A5F906E1294A3D2DCCD8704B5BD50072769DCC690460924C38A25B8F60002

http://soft.anjian.com/Interface/BindingPC/BindingUsing.aspx
POST /Interface/BindingPC/BindingUsing.aspx HTTP/1.1
Accept: */*
Host: soft.anjian.com
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/4.0 (compatible)
Content-Length: 157
Cache-Control: no-cache
Cookie: ASP.NET_SessionId=fykk4ubv2mp0g1rsglhrnrzz

data=32225CA34697FF1E3AFB05BA3DF60C148EDA0EF2A32655A6D546E3F3C3AB7FCE61EB634F7DB1E5B526A40D9EED55F6A1931FC880E6C81F794222156A8A2DA41A9C52C350B09E29209D4B0002

http://ad.vrbrothers.com/qmacro/ad-mymacro8-b.htm
GET /qmacro/ad-mymacro8-b.htm HTTP/1.1
User-Agent: ._cache__________5.22.4
Host: ad.vrbrothers.com

http://ad.vrbrothers.com/qmacro/ad-mymacro8-n.htm
GET /qmacro/ad-mymacro8-n.htm HTTP/1.1
Accept: */*
Accept-Language: zh-cn
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)
Host: ad.vrbrothers.com
Connection: Keep-Alive

http://ad.vrbrothers.com/qmacro/ad-mymacro8-p.htm
GET /qmacro/ad-mymacro8-p.htm HTTP/1.1
Accept: application/x-ms-application, image/jpeg, application/xaml+xml, image/gif, image/pjpeg, application/x-ms-xbap, application/vnd.ms-excel, application/vnd.ms-powerpoint, application/msword, */*
Accept-Language: zh-CN
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)
Host: ad.vrbrothers.com
Connection: Keep-Alive

http://ad.vrbrothers.com/qmacro/ad-mymacro8-b.htm
GET /qmacro/ad-mymacro8-b.htm HTTP/1.1
Accept: application/x-ms-application, image/jpeg, application/xaml+xml, image/gif, image/pjpeg, application/x-ms-xbap, application/vnd.ms-excel, application/vnd.ms-powerpoint, application/msword, */*
Accept-Language: zh-CN
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)
Host: ad.vrbrothers.com
Connection: Keep-Alive

http://s.csbew.com/k.js
GET /k.js HTTP/1.1
Accept: */*
Referer: http://ad.vrbrothers.com/qmacro/ad-mymacro8-p.htm
Accept-Language: zh-CN
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)
Host: s.csbew.com
Connection: Keep-Alive

http://s.csbew.com/k.js
GET /k.js HTTP/1.1
Accept: */*
Referer: http://ad.vrbrothers.com/qmacro/ad-mymacro8-b.htm
Accept-Language: zh-CN
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)
Host: s.csbew.com
Connection: Keep-Alive

http://hm.baidu.com/h.js?82d5c049236934007371777578c30be1
GET /h.js?82d5c049236934007371777578c30be1 HTTP/1.1
Accept: application/javascript, */*;q=0.8
Referer: http://soft.anjian.com/V2014V2/UserExperience/SoftwareExperience.shtml?UT&P=mymacro&VP=2014.06.19549&VR=1.1.0.19486&MC=fbac1552
Accept-Language: zh-CN
User-Agent: Mozilla/4.0 (MSIE 7.0; Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko
Connection: Keep-Alive
Host: hm.baidu.com

http://log.hm.baidu.com/hm.gif?cc=1&ck=1&cl=24-bit&ds=1440x900&et=0&ja=1&ln=zh-CN&lo=0&lt=1675774689&nv=1&rnd=1478447540&si=82d5c049236934007371777578c30be1&st=1&v=1.3.0&lv=2
GET /hm.gif?cc=1&ck=1&cl=24-bit&ds=1440x900&et=0&ja=1&ln=zh-CN&lo=0&lt=1675774689&nv=1&rnd=1478447540&si=82d5c049236934007371777578c30be1&st=1&v=1.3.0&lv=2 HTTP/1.1
Accept: image/png, image/svg+xml, image/*;q=0.8, */*;q=0.5
Referer: http://soft.anjian.com/V2014V2/UserExperience/SoftwareExperience.shtml?UT&P=mymacro&VP=2014.06.19549&VR=1.1.0.19486&MC=fbac1552
Accept-Language: zh-CN
User-Agent: Mozilla/4.0 (MSIE 7.0; Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko
Accept-Encoding: gzip, deflate
DNT: 1
Connection: Keep-Alive
Host: log.hm.baidu.com
Cookie: HMACCOUNT=E1D26E5788266558

http://log.hm.baidu.com/hm.gif?cc=1&ck=1&cl=24-bit&ds=1440x900&ep=2000,100&et=3&ja=1&ln=zh-CN&lo=0&lt=1675774689&nv=0&rnd=1667573351&si=82d5c049236934007371777578c30be1&st=4&v=1.3.0&lv=2
GET /hm.gif?cc=1&ck=1&cl=24-bit&ds=1440x900&ep=2000,100&et=3&ja=1&ln=zh-CN&lo=0&lt=1675774689&nv=0&rnd=1667573351&si=82d5c049236934007371777578c30be1&st=4&v=1.3.0&lv=2 HTTP/1.1
Accept: image/png, image/svg+xml, image/*;q=0.8, */*;q=0.5
Referer: http://soft.anjian.com/V2014V2/UserExperience/SoftwareExperience.shtml?UT&P=mymacro&VP=2014.06.19549&VR=1.1.0.19486&MC=fbac1552
Accept-Language: zh-CN
User-Agent: Mozilla/4.0 (MSIE 7.0; Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko
Accept-Encoding: gzip, deflate
DNT: 1
Connection: Keep-Alive
Host: log.hm.baidu.com
Cookie: HMACCOUNT=E1D26E5788266558

http://log.hm.baidu.com/hm.gif?cc=1&ck=1&cl=24-bit&ds=1440x900&et=0&ja=1&ln=zh-CN&lo=0&lt=1675774866&nv=1&rnd=292622231&si=82d5c049236934007371777578c30be1&st=1&v=1.3.0&lv=2
GET /hm.gif?cc=1&ck=1&cl=24-bit&ds=1440x900&et=0&ja=1&ln=zh-CN&lo=0&lt=1675774866&nv=1&rnd=292622231&si=82d5c049236934007371777578c30be1&st=1&v=1.3.0&lv=2 HTTP/1.1
Accept: image/png, image/svg+xml, image/*;q=0.8, */*;q=0.5
Referer: http://soft.anjian.com/V2014V2/UserExperience/SoftwareExperience.shtml?MyMacro2014=2014.06.19549&MMID=0010BDFBF195046ED175ED71E46C2F29F651F41C5C0A316DB9737889962B69ABD1CD5B0FE8DD2CD8D60FC68B5C45FE944B6A11420B17FA797226DF57E162DBDFC2F291D54C911DDEFFF791FA12049079C1389019
Accept-Language: zh-CN
User-Agent: Mozilla/4.0 (MSIE 7.0; Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko
Accept-Encoding: gzip, deflate
DNT: 1
Connection: Keep-Alive
Host: log.hm.baidu.com
Cookie: HMACCOUNT=E1D26E5788266558

http://log.hm.baidu.com/hm.gif?cc=1&ck=1&cl=24-bit&ds=1440x900&ep=2000,100&et=3&ja=1&ln=zh-CN&lo=0&lt=1675774866&nv=0&rnd=998648007&si=82d5c049236934007371777578c30be1&st=4&v=1.3.0&lv=2
GET /hm.gif?cc=1&ck=1&cl=24-bit&ds=1440x900&ep=2000,100&et=3&ja=1&ln=zh-CN&lo=0&lt=1675774866&nv=0&rnd=998648007&si=82d5c049236934007371777578c30be1&st=4&v=1.3.0&lv=2 HTTP/1.1
Accept: image/png, image/svg+xml, image/*;q=0.8, */*;q=0.5
Referer: http://soft.anjian.com/V2014V2/UserExperience/SoftwareExperience.shtml?MyMacro2014=2014.06.19549&MMID=0010BDFBF195046ED175ED71E46C2F29F651F41C5C0A316DB9737889962B69ABD1CD5B0FE8DD2CD8D60FC68B5C45FE944B6A11420B17FA797226DF57E162DBDFC2F291D54C911DDEFFF791FA12049079C1389019
Accept-Language: zh-CN
User-Agent: Mozilla/4.0 (MSIE 7.0; Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko
Accept-Encoding: gzip, deflate
DNT: 1
Connection: Keep-Alive
Host: log.hm.baidu.com
Cookie: HMACCOUNT=E1D26E5788266558

SMTP traffic

No SMTP traffic.

IRC traffic

No IRC requests.

ICMP traffic

Source | Destination | ICMP type | Data
192.168.122.201 | 180.101.50.242 | 8 (echo request) | abcdefghijklmnopqrstuvwabcdefghi
180.101.50.242 | 192.168.122.201 | 0 (echo reply) | abcdefghijklmnopqrstuvwabcdefghi
192.168.122.201 | 180.101.50.242 | 8 (echo request) | abcdefghijklmnopqrstuvwabcdefghi
180.101.50.242 | 192.168.122.201 | 0 (echo reply) | abcdefghijklmnopqrstuvwabcdefghi
192.168.122.201 | 180.101.50.242 | 8 (echo request) | abcdefghijklmnopqrstuvwabcdefghi
180.101.50.242 | 192.168.122.201 | 0 (echo reply) | abcdefghijklmnopqrstuvwabcdefghi
192.168.122.201 | 180.101.50.242 | 8 (echo request) | abcdefghijklmnopqrstuvwabcdefghi
180.101.50.242 | 192.168.122.201 | 0 (echo reply) | abcdefghijklmnopqrstuvwabcdefghi
192.168.122.201 | 180.101.50.242 | 8 (echo request) | abcdefghijklmnopqrstuvwabcdefghi
180.101.50.242 | 192.168.122.201 | 0 (echo reply) | abcdefghijklmnopqrstuvwabcdefghi
192.168.122.201 | 180.101.50.242 | 8 (echo request) | abcdefghijklmnopqrstuvwabcdefghi
180.101.50.242 | 192.168.122.201 | 0 (echo reply) | abcdefghijklmnopqrstuvwabcdefghi

The 32-byte payload is the default pattern sent by the Windows ping.exe, and 180.101.50.242 is one of the addresses resolved for www.baidu.com above: the PING.EXE children in the process tree are running a connectivity check, not tunnelling data.

CIF report

No CIF results.

Network alerts

Timestamp | Source IP | Source port | Destination IP | Destination port | Protocol | SID | Signature | Category
2023-06-07 17:12:06.441842+0800 | 192.168.122.201 | 49163 | 117.27.139.134 | 80 | TCP | 2008974 | ET MALWARE User-Agent (Mozilla/4.0 (compatible)) | A Network Trojan was detected
2023-06-07 17:12:06.869891+0800 | 192.168.122.201 | 49163 | 117.27.139.134 | 80 | TCP | 2008974 | ET MALWARE User-Agent (Mozilla/4.0 (compatible)) | A Network Trojan was detected
2023-06-07 17:12:14.869845+0800 | 192.168.122.201 | 49168 | 117.27.139.134 | 80 | TCP | 2008974 | ET MALWARE User-Agent (Mozilla/4.0 (compatible)) | A Network Trojan was detected
2023-06-07 17:12:18.012949+0800 | 192.168.122.201 | 49172 | 117.27.139.134 | 80 | TCP | 2008974 | ET MALWARE User-Agent (Mozilla/4.0 (compatible)) | A Network Trojan was detected

All four hits are the same Emerging Threats signature, raised on the four POST requests to soft.anjian.com that carry the bare User-Agent "Mozilla/4.0 (compatible)" (two of them on the keep-alive connection from port 49163). The signature keys on the user agent string alone: it confirms an unusual HTTP client, not anything about the encoded payload.
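The alerts above come from a rule that matches one exact User-Agent string. The following added example, which is not from the Maldun report and not the sample vendor's code, reproduces that check over raw HTTP requests and adds two heuristics of its own suggested by the request list: user agents that are not browser strings at all (library defaults such as "HttpClient" and "IPM", or the process name used as a UA), and form-encoded POST bodies that consist of a single opaque hex blob. The sample requests are constructed from the entries in the HTTP section, with most headers dropped; the rule thresholds (a hex field of at least 16 characters) are this example's own.

```python
"""User-Agent and payload triage over raw HTTP requests.

Added example, not part of the report. Rule 1 mirrors what the
'ET MALWARE User-Agent (Mozilla/4.0 (compatible))' alert keys on: a
User-Agent header that is exactly 'Mozilla/4.0 (compatible)' and nothing more.
Rules 2 and 3 are this example's own heuristics. The sample requests are
constructed from entries in the HTTP section above (headers abbreviated).
"""
import re
from typing import Dict, List, Tuple

# Loose shape of a real browser UA: Mozilla/x.y ( ... engine token ... )
BROWSER_UA = re.compile(r"^Mozilla/\d\.\d \(.*(MSIE|Trident|Gecko|WebKit).*\)", re.I)
HEX_BLOB = re.compile(r"^[0-9A-Fa-f]+$")


def parse_request(raw: str) -> Tuple[str, Dict[str, str], str]:
    """Split a raw HTTP/1.x request into (request line, headers, body).

    Header names are lower-cased; the body is whatever follows the first blank line.
    """
    head, _, body = raw.replace("\r\n", "\n").partition("\n\n")
    lines = head.split("\n")
    headers: Dict[str, str] = {}
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    return lines[0], headers, body.strip()


def classify(raw: str) -> List[str]:
    """Return the triage findings for one request (empty list = nothing notable)."""
    request_line, headers, body = parse_request(raw)
    findings: List[str] = []
    ua = headers.get("user-agent", "")
    host = headers.get("host", "?")
    # Rule 1: the exact string the IDS signature fires on.
    if ua == "Mozilla/4.0 (compatible)":
        findings.append(f"bare 'Mozilla/4.0 (compatible)' UA to {host}")
    # Rule 2: not a browser UA at all (library default, bare tool name, process name, empty).
    elif not BROWSER_UA.match(ua):
        findings.append(f"non-browser UA {ua!r} to {host}")
    # Rule 3: form-encoded POST whose field value is one long hex blob: an encoded beacon.
    if request_line.startswith("POST ") and "x-www-form-urlencoded" in headers.get("content-type", ""):
        fields = dict(kv.split("=", 1) for kv in body.split("&") if "=" in kv)
        for key, value in fields.items():
            if len(value) >= 16 and HEX_BLOB.match(value):
                findings.append(f"opaque hex payload in POST field {key!r} ({len(value) // 2} bytes) to {host}")
    return findings


# Constructed from the report's HTTP section; headers abbreviated.
SAMPLES = {
    "getip": (
        "POST /Interface/GetIP.aspx HTTP/1.1\r\n"
        "Accept: */*\r\nHost: soft.anjian.com\r\n"
        "Content-Type: application/x-www-form-urlencoded\r\n"
        "User-Agent: Mozilla/4.0 (compatible)\r\nContent-Length: 29\r\n\r\n"
        "data=697580D98850350D55630001"
    ),
    "ad_page": (
        "GET /qmacro/ad-mymacro8-n.htm HTTP/1.1\r\nAccept: */*\r\n"
        "User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/4.0)\r\n"
        "Host: ad.vrbrothers.com\r\n\r\n"
    ),
    "process_name_ua": (
        "GET /qmacro/ad-mymacro8-b.htm HTTP/1.1\r\n"
        "User-Agent: ._cache__________5.22.4\r\nHost: ad.vrbrothers.com\r\n\r\n"
    ),
    "httpclient": (
        "GET /Include/BuildPage/AnJianBindingInstallPC.html HTTP/1.1\r\n"
        "User-Agent: HttpClient\r\nHost: soft.anjian.com\r\n\r\n"
    ),
}


def triage_all(samples: Dict[str, str] = SAMPLES) -> Dict[str, List[str]]:
    """Classify every sample request; keys are the sample names."""
    return {name: classify(raw) for name, raw in samples.items()}


if __name__ == "__main__":
    for name, findings in triage_all().items():
        print(f"{name}: {findings or 'clean'}")
```

Rule 1 is deliberately an exact-string match, which is why the IDS fires only on the four POSTs and not on the ad-page fetches that use a full MSIE string; rule 2 is what would have caught the "HttpClient", "IPM" and process-name user agents that the signature ignores, and rule 3 flags the encoded bodies regardless of which UA carries them.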

TLS

No TLS. Every connection in this analysis is plaintext HTTP on port 80.

Suricata HTTP

No Suricata HTTP records.

No files were extracted from network traffic.
No dropped files were collected.
No similar analyses were found.

Processing ( 52.429 seconds )

  • 15.667 Static
  • 12.111 NetworkAnalysis
  • 11.258 Suricata
  • 6.714 BehaviorAnalysis
  • 4.32 VirusTotal
  • 1.816 TargetInfo
  • 0.497 peid
  • 0.02 config_decoder
  • 0.012 AnalysisInfo
  • 0.012 Strings
  • 0.002 Memory

Signatures ( 15.289 seconds )

  • 10.417 network_http
  • 1.844 md_url_bl
  • 0.472 api_spamming
  • 0.391 stealth_decoy_document
  • 0.377 stealth_timeout
  • 0.182 antiav_detectreg
  • 0.162 mimics_filetime
  • 0.154 reads_self
  • 0.153 stealth_file
  • 0.147 virus
  • 0.124 antivm_generic_disk
  • 0.115 bootkit
  • 0.114 hancitor_behavior
  • 0.082 infostealer_ftp
  • 0.041 infostealer_im
  • 0.035 md_domain_bl
  • 0.029 antianalysis_detectreg
  • 0.028 antivm_generic_scsi
  • 0.019 antivm_generic_services
  • 0.017 anormaly_invoke_kills
  • 0.017 infostealer_mail
  • 0.016 antisandbox_sleep
  • 0.015 infostealer_browser
  • 0.015 antiav_detectfile
  • 0.012 antidbg_windows
  • 0.012 darkcomet_regkeys
  • 0.011 kibex_behavior
  • 0.011 infostealer_bitcoin
  • 0.01 ipc_namedpipe
  • 0.01 anomaly_persistence_autorun
  • 0.01 infostealer_browser_password
  • 0.009 betabot_behavior
  • 0.009 geodo_banking_trojan
  • 0.008 maldun_anomaly_massive_file_ops
  • 0.007 injection_createremotethread
  • 0.007 sets_autoconfig_url
  • 0.007 shifu_behavior
  • 0.007 securityxploded_modules
  • 0.007 antivm_parallels_keys
  • 0.007 antivm_xen_keys
  • 0.006 antivm_vbox_libs
  • 0.006 maldun_malicious_write_executeable_under_temp_to_regrun
  • 0.006 maldun_anomaly_write_exe_and_obsfucate_extension
  • 0.006 ransomware_message
  • 0.006 kovter_behavior
  • 0.006 antivm_vbox_files
  • 0.006 ransomware_extensions
  • 0.005 antivm_generic_diskreg
  • 0.005 ransomware_files
  • 0.005 recon_fingerprint
  • 0.004 antiemu_wine_func
  • 0.004 antisandbox_sunbelt_libs
  • 0.004 exec_crash
  • 0.004 injection_runpe
  • 0.004 maldun_anomaly_invoke_vb_vba
  • 0.003 antiav_avast_libs
  • 0.003 disables_spdy
  • 0.003 dridex_behavior
  • 0.003 stealth_network
  • 0.003 antisandbox_sboxie_libs
  • 0.003 disables_wfp
  • 0.003 antisandbox_productid
  • 0.003 disables_browser_warn
  • 0.003 maldun_malicious_drop_executable_file_to_temp_folder
  • 0.003 md_bad_drop
  • 0.003 network_torgateway
  • 0.002 tinba_behavior
  • 0.002 hawkeye_behavior
  • 0.002 network_tor
  • 0.002 rat_nanocore
  • 0.002 office_dl_write_exe
  • 0.002 office_write_exe
  • 0.002 antivm_vmware_libs
  • 0.002 antivm_vbox_window
  • 0.002 kazybot_behavior
  • 0.002 antiav_bitdefender_libs
  • 0.002 ransomeware_modifies_desktop_wallpaper
  • 0.002 cerber_behavior
  • 0.002 bypass_firewall
  • 0.002 antidbg_devices
  • 0.002 antivm_xen_keys
  • 0.002 antivm_hyperv_keys
  • 0.002 antivm_vbox_keys
  • 0.002 antivm_vmware_keys
  • 0.002 antivm_vpc_keys
  • 0.002 browser_security
  • 0.002 codelux_behavior
  • 0.002 packer_armadillo_regkey
  • 0.001 network_anomaly
  • 0.001 rat_luminosity
  • 0.001 clickfraud_cookies
  • 0.001 injection_explorer
  • 0.001 dyre_behavior
  • 0.001 maldun_anomaly_write_exe_and_dll_under_winroot_run
  • 0.001 vawtrak_behavior
  • 0.001 h1n1_behavior
  • 0.001 antisandbox_script_timer
  • 0.001 antianalysis_detectfile
  • 0.001 antivm_generic_cpu
  • 0.001 antivm_generic_system
  • 0.001 antivm_vmware_files
  • 0.001 banker_zeus_mutex
  • 0.001 bot_drive
  • 0.001 bot_drive2
  • 0.001 browser_addon
  • 0.001 modify_proxy
  • 0.001 disables_system_restore
  • 0.001 disables_windows_defender
  • 0.001 malicous_targeted_flame
  • 0.001 network_cnc_http
  • 0.001 rat_pcclient
  • 0.001 recon_programs
  • 0.001 stealth_modify_uac_prompt

Reporting ( 0.556 seconds )

  • 0.511 ReportHTMLSummary
  • 0.045 Malheur
Task ID 721967
Mongo ID 64804aa9dc327b4796064f5c
Cuckoo release 1.4-Maldun