分析任务
| 分析类型 | 虚拟机标签 | 开始时间 | 结束时间 | 持续时间 |
|---|---|---|---|---|
| 文件 (Windows) | win7-sp1-x64-shaapp03-1 | 2024-04-25 17:55:27 | 2024-04-25 17:57:41 | 134 秒 |
魔盾分数
2.9375
可疑的
文件详细信息
| 文件名 | ssh-agent |
|---|---|
| 文件大小 | 293304 字节 |
| 文件类型 | ELF 64-bit LSB shared object, x86-64, version 1 (SYSV), dynamically linked, interpreter /lib64/ld-linux-x86-64.so.2, BuildID[sha1]=acabaf605d484ef34389a8106c57ab0dac1103af, for GNU/Linux 3.2.0, stripped |
| MD5 | 935f1bcc9c43c5b18bc42b170b132b87 |
| SHA1 | dbaf662716011491a38a9b864ab263d9340c00cb |
| SHA256 | 4be676c00732bf2eb5497b21af58933ea524dc6a20d2f0fb207dc1616b5232af |
| SHA512 | 09aaff26d1d3a04249bf4149226b1398f19337beb2f4a3a6b36705760a994daa6d1e8f27915bfd0a892b5487d382b60a3f6ec2bd48ab41b838f5f26c0656462f |
| CRC32 | 8AE740B2 |
| Ssdeep | 3072:T5WYGHrU7hpPiYzXuAKROnQPCJxhStD+8tQO7fqfCnB1t48Pkoy:T5W7PkuAKRAQP7tDb2O7fcCnDt4foy |
| Yara | 登录查看Yara规则 |
| 找不到该样本 提交漏报 |
登录查看威胁特征
运行截图
访问主机纪录 (可点击查询WPING实时安全评级)
| 直接 | IP | 安全评级 | 地理位置 |
|---|---|---|---|
| 否 | 104.208.16.93 | 美国 |
域名解析 (可点击查询WPING实时安全评级)
| 域名 | 安全评级 | 响应 |
|---|---|---|
| watson.microsoft.com | 未知 |
A 104.208.16.93 CNAME legacywatson.trafficmanager.net CNAME onedsblobprdcus07.centralus.cloudapp.azure.com |
摘要
登录查看详细行为信息
没有可用的静态分析.
/lib64/ld-linux-x86-64.so.2
__cxa_finalize
__libc_start_main
raise
__explicit_bzero_chk
stderr
fwrite
getpid
rmdir
unlink
close
_exit
__errno_location
strerror
calloc
fcntl
strcmp
__stack_chk_fail
memmove
strcasecmp
memcpy
malloc
strdup
memset
strlen
getenv
access
socketpair
execlp
strncmp
waitpid
__realpath_chk
usleep
__fprintf_chk
getgid
setegid
setgid
prctl
getrlimit
__progname
strchr
strtoll
__printf_chk
strtol
umask
socket
listen
stdout
fflush
__poll_chk
__snprintf_chk
mkdtemp
getppid
accept
getsockopt
getuid
perror
setenv
execvp
openlog
closelog
setsid
chdir
setrlimit
__ctype_b_loc
__vasprintf_chk
strrchr
__vsnprintf_chk
__syslog_chk
clock_gettime
gettimeofday
sigfillset
sigaction
strsignal
memchr
strcspn
closefrom
close_range
opendir
readdir
dirfd
sysconf
closedir
setlogin
getpagesize
isatty
realloc
__gmon_start__
_ITM_deregisterTMCloneTable
_ITM_registerTMCloneTable
BN_num_bits
ECDSA_SIG_free
EC_KEY_OpenSSL
BN_div
RAND_status
RSA_meth_set_priv_enc
EC_POINT_free
RSA_meth_set1_name
DSA_get0_key
BN_sub
EC_KEY_get0_private_key
EC_GROUP_set_asn1_flag
RSA_size
BN_dup
ERR_get_error
EC_POINT_oct2point
RSA_set0_key
DSA_new
EVP_sha256
RSA_up_ref
EC_KEY_up_ref
EVP_aes_192_cbc
EVP_CIPHER_CTX_ctrl
EC_KEY_set_method
OPENSSL_init_crypto
ENGINE_load_builtin_engines
EC_KEY_METHOD_get_sign
BN_clear_free
EC_GROUP_get_order
EVP_aes_128_cbc
EVP_CipherInit
BN_bin2bn
EVP_chacha20
EC_GROUP_cmp
EC_GROUP_free
EVP_aes_192_ctr
EVP_md5
EC_KEY_get0_public_key
EVP_aes_128_gcm
ECDSA_do_verify
RSA_meth_dup
RSA_free
RSA_public_decrypt
EVP_des_ede3_cbc
EC_METHOD_get_field_type
RSA_new
EC_KEY_get0_group
ECDSA_SIG_get0
EC_GROUP_get_curve_name
ENGINE_register_all_complete
EVP_aes_128_ctr
EVP_sha1
EC_POINT_mul
EVP_sha384
EVP_Digest
EVP_CIPHER_CTX_get_iv_length
EVP_Cipher
DSA_get0_pqg
ECDSA_SIG_new
RSA_get0_crt_params
EC_GROUP_new_by_curve_name
DSA_set0_key
RSA_set0_factors
EC_KEY_set_private_key
BN_set_flags
OpenSSL_version_num
RSA_get0_factors
EC_POINT_new
RSA_set0_crt_params
BN_CTX_free
ECDSA_SIG_set0
EC_KEY_METHOD_new
BN_new
EVP_CIPHER_CTX_get_key_length
EC_KEY_set_group
EC_GROUP_method_of
RSA_set_method
BN_bn2bin
RSA_get0_key
RAND_bytes
EC_KEY_set_public_key
EC_KEY_METHOD_set_sign
EVP_CIPHER_CTX_set_key_length
EC_POINT_get_affine_coordinates_GFp
EC_POINT_cmp
ECDSA_do_sign
EVP_aes_256_cbc
EVP_CIPHER_CTX_new
BN_cmp
RSA_blinding_on
d2i_ECDSA_SIG
EVP_aes_256_gcm
EVP_CIPHER_CTX_free
BN_CTX_new
EVP_aes_256_ctr
EC_POINT_is_at_infinity
EC_KEY_free
RSA_get_default_method
EVP_sha512
DSA_free
EC_KEY_new_by_curve_name
DSA_set0_pqg
EC_POINT_point2oct
RSA_sign
BN_value_one
abort
libcrypto.so.3
libc.so.6
OPENSSL_3.0.0
GLIBC_2.16
GLIBC_2.8
GLIBC_2.4
GLIBC_2.3
GLIBC_2.17
GLIBC_2.14
GLIBC_2.34
GLIBC_2.25
GLIBC_2.2.5
GLIBC_2.3.4
D$ H=
D$ H=
D$ H=
D$ H=
D$ H=
进程树
-
cmd.exe id: 2568
-
rundll32.exe id: 3028
- mspaint.exe id: 2440
-
rundll32.exe id: 3028
-
services.exe id: 432
- svchost.exe id: 2928
-
svchost.exe id: 2400
- WerFault.exe id: 2796
- taskhost.exe id: 3568
访问主机纪录 (可点击查询WPING实时安全评级)
| 直接 | IP | 安全评级 | 地理位置 |
|---|---|---|---|
| 否 | 104.208.16.93 | 美国 |
TCP
| 源地址 | 源端口 | 目标地址 | 目标端口 |
|---|---|---|---|
| 192.168.122.201 | 49160 | 23.209.84.31 | 80 |
UDP
| 源地址 | 源端口 | 目标地址 | 目标端口 |
|---|---|---|---|
| 192.168.122.201 | 59401 | 192.168.122.1 | 53 |
| 192.168.122.201 | 65178 | 192.168.122.1 | 53 |
域名解析 (可点击查询WPING实时安全评级)
| 域名 | 安全评级 | 响应 |
|---|---|---|
| watson.microsoft.com | 未知 |
A 104.208.16.93 CNAME legacywatson.trafficmanager.net CNAME onedsblobprdcus07.centralus.cloudapp.azure.com |
TCP
| 源地址 | 源端口 | 目标地址 | 目标端口 |
|---|---|---|---|
| 192.168.122.201 | 49160 | 23.209.84.31 | 80 |
UDP
| 源地址 | 源端口 | 目标地址 | 目标端口 |
|---|---|---|---|
| 192.168.122.201 | 59401 | 192.168.122.1 | 53 |
| 192.168.122.201 | 65178 | 192.168.122.1 | 53 |
HTTP 请求
| URI | HTTP数据 |
|---|---|
| URL专业沙箱检测 -> http://acroipm.adobe.com/11/rdr/CHS/win/nooem/none/message.zip | GET /11/rdr/CHS/win/nooem/none/message.zip HTTP/1.1 Accept: */* If-Modified-Since: Mon, 08 Nov 2017 08:44:36 GMT User-Agent: IPM Host: acroipm.adobe.com Connection: Keep-Alive Cache-Control: no-cache |
SMTP 流量
无SMTP流量.
IRC 流量
无IRC请求.
ICMP 流量
无ICMP流量.
CIF 报告
无 CIF 结果
网络警报
无警报
TLS
No TLS
Suricata HTTP
No Suricata HTTP
未发现网络提取文件
抱歉! 没有任何文件投放。
没有发现相似的分析.
| HTML 总结报告 (需15-60分钟同步) |
下载 |
|---|
Processing ( 38.021 seconds )
- 14.709 BehaviorAnalysis
- 11.561 Suricata
- 11.376 NetworkAnalysis
- 0.35 TargetInfo
- 0.011 AnalysisInfo
- 0.011 Strings
- 0.002 Memory
- 0.001 Static
Signatures ( 7.163 seconds )
- 1.331 proprietary_url_bl
- 0.767 api_spamming
- 0.718 antiav_detectreg
- 0.587 stealth_decoy_document
- 0.585 stealth_timeout
- 0.438 injection_createremotethread
- 0.268 injection_runpe
- 0.22 injection_explorer
- 0.216 infostealer_ftp
- 0.155 antianalysis_detectreg
- 0.148 mimics_filetime
- 0.132 reads_self
- 0.117 infostealer_im
- 0.115 stealth_file
- 0.1 bootkit
- 0.1 antivm_generic_scsi
- 0.099 virus
- 0.091 antivm_generic_disk
- 0.068 infostealer_mail
- 0.063 hancitor_behavior
- 0.037 antivm_generic_services
- 0.037 shifu_behavior
- 0.035 anormaly_invoke_kills
- 0.033 proprietary_anomaly_massive_file_ops
- 0.032 kibex_behavior
- 0.032 antivm_xen_keys
- 0.03 darkcomet_regkeys
- 0.029 antivm_parallels_keys
- 0.027 antivm_generic_diskreg
- 0.027 recon_fingerprint
- 0.026 antiav_detectfile
- 0.025 geodo_banking_trojan
- 0.023 betabot_behavior
- 0.022 antisandbox_productid
- 0.018 stack_pivot
- 0.018 infostealer_bitcoin
- 0.017 proprietary_anomaly_write_exe_and_obsfucate_extension
- 0.017 proprietary_malicious_write_executeable_under_temp_to_regrun
- 0.015 kovter_behavior
- 0.012 proprietary_anomaly_write_exe_and_dll_under_winroot_run
- 0.012 packer_armadillo_regkey
- 0.011 antivm_vbox_files
- 0.011 antivm_vbox_keys
- 0.011 antivm_vmware_keys
- 0.01 infostealer_browser_password
- 0.01 antivm_xen_keys
- 0.01 antivm_hyperv_keys
- 0.01 antivm_vbox_acpi
- 0.01 antivm_vpc_keys
- 0.01 proprietary_anomaly_invoke_vb_vba
- 0.009 antiemu_wine_func
- 0.009 rat_luminosity
- 0.009 bypass_firewall
- 0.009 antivm_generic_bios
- 0.009 proprietary_domain_bl
- 0.009 recon_programs
- 0.008 proprietary_anomaly_terminated_process
- 0.008 anomaly_persistence_autorun
- 0.008 h1n1_behavior
- 0.008 antivm_generic_cpu
- 0.008 antivm_generic_system
- 0.007 hawkeye_behavior
- 0.007 antidbg_windows
- 0.006 antivm_vbox_libs
- 0.005 antidbg_devices
- 0.005 ransomware_extensions
- 0.005 ransomware_files
- 0.004 infostealer_browser
- 0.004 ransomware_message
- 0.004 sets_autoconfig_url
- 0.004 ipc_namedpipe
- 0.004 securityxploded_modules
- 0.003 network_tor
- 0.003 antiav_avast_libs
- 0.003 antisandbox_sunbelt_libs
- 0.003 antianalysis_detectfile
- 0.003 disables_browser_warn
- 0.003 network_http
- 0.003 rat_pcclient
- 0.002 tinba_behavior
- 0.002 rat_nanocore
- 0.002 disables_spdy
- 0.002 dridex_behavior
- 0.002 antivm_vmware_libs
- 0.002 kazybot_behavior
- 0.002 antisandbox_sboxie_libs
- 0.002 antiav_bitdefender_libs
- 0.002 exec_crash
- 0.002 disables_wfp
- 0.002 cerber_behavior
- 0.002 antivm_vmware_files
- 0.002 browser_security
- 0.002 codelux_behavior
- 0.002 network_torgateway
- 0.001 office_dl_write_exe
- 0.001 office_write_exe
- 0.001 anomaly_persistence_bootexecute
- 0.001 anomaly_reset_winsock
- 0.001 antivm_vbox_window
- 0.001 Locky_behavior
- 0.001 creates_largekey
- 0.001 ransomeware_modifies_desktop_wallpaper
- 0.001 creates_nullvalue
- 0.001 antisandbox_script_timer
- 0.001 sniffer_winpcap
- 0.001 antisandbox_fortinet_files
- 0.001 antivm_vpc_files
- 0.001 antiemu_wine_reg
- 0.001 banker_cridex
- 0.001 banker_zeus_mutex
- 0.001 bot_drive
- 0.001 bot_drive2
- 0.001 browser_addon
- 0.001 modify_proxy
- 0.001 disables_system_restore
- 0.001 disables_windows_defender
- 0.001 malicous_targeted_flame
- 0.001 proprietary_malicious_drop_executable_file_to_temp_folder
- 0.001 proprietary_bad_drop
- 0.001 network_cnc_http
- 0.001 network_tor_service
- 0.001 stealth_modify_uac_prompt
Reporting ( 0.652 seconds )
- 0.59 ReportHTMLSummary
- 0.062 Malheur
| Task ID | 744309 |
|---|---|
| Mongo ID | 662a29847e769a5b6abf342b |
| Cuckoo release | 1.4-Maldun |
沪公网安备 31011502009736号