Analysis Task

Analysis type    VM label    Start time    End time    Duration
File (Windows)    win7-sp1-x64-shaapp02-1    2024-11-29 23:46:25    2024-11-29 23:48:35    130 seconds

Maldun Score

2.7035

Suspicious

File Details

File name PortTunnel_CHS.msi
File size 1958400 bytes
File type Composite Document File V2 Document, Little Endian, Os: Windows, Version 6.2, MSI Installer, Create Time/Date: Mon Jun 21 07:00:00 1999, Name of Creating Application: Windows Installer, Security: 1, Code page: 936, Template: Intel;2052, Number of Pages: 200, Revision Number: {88195EB9-72BE-4CC8-BCD5-A10DB45A3EFC}, Title: PortTunnel, Author: SteelBytes, Number of Words: 2, Last Saved Time/Date: Wed Feb 1 06:22:01 2017, Last Printed: Wed Feb 1 06:22:01 2017
MD5 a9fdaa3cfcf7c4470e57f8412c621b10
SHA1 5edf5145e2448c0b18e200510e0e04182a4e515c
SHA256 2a0faceb797c695de63a2eec3a1490f1c5d2c612e2bd5c9422415fc5621e3a40
SHA512 9473643685761b464e3b874da8762ecc4d0181460f7adf39f27fb7c8da88945e828a26af816abac4ad15447ff8a177abb4253dc5ce5d6c0e441fd48f3b8ad4ec
CRC32 220D82BF
Ssdeep 49152:gJczCDu7Jp91TtrltERFgTGx4/Yk+i3orRZFJ:nCDufLtoGGx4/Z+i3orR

Runtime Screenshots


Hosts Contacted

Direct IP    Security rating    Geolocation
104.208.16.93    Unknown    United States

DNS Resolution

Domain    Security rating    Response
watson.microsoft.com A 104.208.16.93
CNAME legacywatson.trafficmanager.net
CNAME onedsblobprdcus07.centralus.cloudapp.azure.com

Summary

Summary Information

Application Windows Installer
Author SteelBytes
Last saved by None
Creation time None
Last saved time None
Total editing time None
Document title PortTunnel
Document subject
Page count 200
Word count 2
Character count None

Document Summary Information

Company None
Document version None
Digital signature None
Language None
Comments None

?dA/B6H
A7CrD
Windows Installer
Intel;2052
{88195EB9-72BE-4CC8-BCD5-A10DB45A3EFC}
PortTunnel
SteelBytes
;J;U=
DhE7G
B4FhD&B
ExE(H
DrDhD7H
ErE<H
B4FhD&B
C1A5G
.text
`.data
.rsrc
@.reloc
Software\Microsoft\NET Framework Setup\NDP\v3.%lu%s
SOFTWARE\Microsoft\NET Framework Setup\DotNetClient\v3.5
Software\Microsoft\NET Framework Setup\NDP
kernel32
IsWow64Process
Attach Debugger To Me
SetTARGETSITE
TargetVersion
%s\v%d\%s
GatherWebSites
GatherAppPools
SetTARGETAPPPOOL
SetTARGETIISPATH
<supportedRuntime version="
<startup>
VsdLaunchConditions
GatherRegisterAspNetProperties
-norestart -sn
-norestart -iru
RegisterAspNet
CreateAppRoots
EvaluateURLs
EvaluateURLsMB
EvaluateURLsNoFail
mscoree.dll
GetRequestedRuntimeInfo
CorBindToRuntime
InstallSuccess
\Setup
%lu.%lu
v%lu.%lu
Install
\MSCOREE.dll
CheckFX
RollbackApplyWebFolderProperties
GatherWebFolderProperties
ApplyWebFolderProperties
TypeLib
Software
SYSTEM
SECURITY
Hardware
Interface
FileType
Component Categories
CLSID
AppID
Delete
NoRemove
ForceRemove
FlsFree
FlsSetValue
FlsGetValue
FlsAlloc
CorExitProcess
(null)
`h````
Abad exception
Abad allocation
HH:mm:ss
dddd, MMMM dd, yyyy
MM/dd/yy
December
November
October
September
August
April
March
February
January
Saturday
Friday
Thursday
Wednesday
Tuesday
Monday
Sunday
Complete Object Locator'
Class Hierarchy Descriptor'
Base Class Array'
Base Class Descriptor at (
Type Descriptor'
`local static thread guard'
`managed vector copy constructor iterator'
`vector vbase copy constructor iterator'
`vector copy constructor iterator'
`dynamic atexit destructor for '
`dynamic initializer for '
`eh vector vbase copy constructor iterator'
`eh vector copy constructor iterator'
`managed vector destructor iterator'
`managed vector constructor iterator'
`placement delete[] closure'
`placement delete closure'
`omni callsig'
delete[]
new[]
`local vftable constructor closure'
`local vftable'
`RTTI
`udt returning'
`copy constructor closure'
`eh vector vbase constructor iterator'
`eh vector destructor iterator'
`eh vector constructor iterator'
`virtual displacement map'
`vector vbase constructor iterator'
`vector destructor iterator'
`vector constructor iterator'
`scalar deleting destructor'
`default constructor closure'
`vector deleting destructor'
`vbase destructor'
`string'
`local static guard'
`typeof'
`vcall'
`vbtable'
`vftable'
operator
delete
__unaligned
__restrict
__ptr64
__eabi
__clrcall
__fastcall
__thiscall
__stdcall
__pascal
__cdecl
__based(
AUnknown exception
GetProcessWindowStation
GetUserObjectInformationW
GetLastActivePopup
GetActiveWindow
MessageBoxW
VSD_FORCE_ANSI
TYPELIB
ARegOpenKeyTransactedA
Advapi32.dll
RegCreateKeyTransactedA
RegDeleteKeyTransactedA
RegDeleteKeyExA
HKEY_CLASSES_ROOT
HKEY_CURRENT_USER
HKEY_LOCAL_MACHINE
HKEY_USERS
HKEY_PERFORMANCE_DATA
HKEY_DYN_DATA
HKEY_CURRENT_CONFIG
Ayuml
yacute
ugrave
ucirc
uacute
thorn
szlig
otilde
oslash
ograve
ocirc
oacute
ntilde
igrave
icirc
iacute
egrave
ecirc
eacute
ccedil
atilde
aring
agrave
aelig
acirc
aacute
Yacute
Ugrave
Ucirc
Uacute
THORN
Otilde
Oslash
Ograve
Ocirc
Oacute
Ntilde
Igrave
Icirc
Iacute
Egrave
Ecirc
Eacute
Ccedil
Atilde
Aring
Agrave
Acirc
Aacute
AElig
0123456789abcdef
A%%%02x
SetThreadStackGuarantee
Ae+000
1#QNAN
1#INF
1#IND
1#SNAN
TUUUUU*
@??
DPCA.pdb
Root Entry
SummaryInformation
SELECT `Directory`, `DefaultDir` FROM `Directory` WHERE `Directory_Parent` = '%s'
SELECT * FROM `%s`
Custom action not implemented.
ToggleNearestAppRoot
Process call was successful.
The error indicates that IIS is in 64 bit mode, while this application is a 32 bit application and thus not compatible.
The error indicates that IIS is in 32 bit mode, while this application is a 64 bit application and thus not compatible.
The error indicates that this version of ASP.NET must first be registered on the machine.
Unknown Error.
The call to aspnet_regiis.exe was failed. Path: '%s'
Process Exit Code: '%ld'.
Create Process failed.
Running process '%s' with parameters '%s' silently...
Access denied.
CoInitializeEx - COM initialization Free Threaded.
CoInitializeEx - COM initialization Apartment Threaded...
VSCADEBUGATTACH
TARGETIISPATH
Root/
TARGETVDIR
TARGETSITE
aspnet_regiis.exe
Path =
Using 64 bit registry key...
Reading registry value Path from key 'HKLM\%s'...
Software\Microsoft\ASP.NET\%s
ProductName
Running show message with fUseMessageBox = %s
FALSE
VSDINVALIDURLMSG
HideFatalErrorForm
Executing URL '%s' with source directory '%s'...
SourceDir
Condition is false.
Condition is true. Nothing more to do.
Evaluating condition '%s'...
Getting the condition to evaluate...
A launch condition has already fired. My work is done here.
Checking a launch condition...
VSDFxConfigFile
Calling WriteFile...
Calling MsiRecordReadStream...
v1.0.3705
Calling MsiRecordDataSize...
Calling MsiViewFetch...
Calling MsiViewExecute...
SELECT `Data` FROM `Binary` WHERE `Name` = 'VSDNETCFG'
Calling MsiDatabaseOpenView...
Calling MsiGetActiveDatabase...
Creating Config File...
v%d.%d
v%d.%d.%d
2.0.50727;
_VsdLaunchCondition
sWEBCA_RegisterAspNet
TARGETASPNETVERSION
Trying 32 bit version of 'aspnet_regiis.exe'...
1.1.4322.0
CustomActionData
TARGETDIR
RESULT: %s
Path not found.
Mapping App Root to hard drive location...
Getting App Root for Url Property: %s
FAILED
Getting Application Name...
Creating at AppRoot '%s'.
Deleting approot at URL '%s'.
Creating approot at URL '%s'.
Update property is not set.
Getting update property...
_Updated
WEB_CA_
_AppRootCreate
_UrlToDir
oWriting config file with version: '%s'...
VSDFXAvailable
v1.1.4322
Calling GetRequestedRuntimeVersion...
false
VSDAllowLaterFrameworkVersions
v2.0.50727
Found GetRequestedRuntimeInfo.
1.0.3705
Could not find GetRequestedRuntimeInfo.
Found CorBindToRuntime.
Getting framework methods...
VSDNETURLMSG
VSDNETMSG
Set VSDNETMSG with the FrameworkVersion.
v3.5.21022
2.0.50727
lClient
Found a version of MSCOREE.DLL
4.0.40219
VSDFrameworkProfile
VSDFrameworkVersion
Xvsdeploy.chm
SELECT `Extension`, `ExePath`, `Verbs` FROM `_AppMappings` WHERE `Directory_` = '%s'
SELECT `Component_` FROM `_AppRootCreate` WHERE `_URLProperty` = '%s'
SELECT `_URLProperty` FROM `_UrlToDir` WHERE `TargetProperty` = '%s'
SELECT * FROM `%s`
Setting IIS Property with SetData...
Not setting the AppIsolated property...
Closing key...
Adding key '%s'.
Opening key '%s'.
Deleting key '%s'
Opening key '%s' to see if it can be deleted...
Failure to get token.
Token is '%s'.
Getting web folder property token...
Property: '%s'
Getting dword IIS Property...
Getting string/multisz IIS Property...
Key path is '%s'.
Extracting the key path from the property...
Marked string is '%s'
Marking escape sequences for'%s'...
Marked string is '%s'.
Marking escape sequences for '%s'.
Data not found while getting IIS property for rollback (ignore above failure).
TARGETAPPPOOL
|"|"|"
No ']' found in the exe path...
Finding ']' in the exe path...
Closing app mappings view...
Fetching app mapping record...
Failed to get the key path from the URL.
Saving metabase data...
Open failed.
Open succeeded.
Failed to create metabase object.
Creating metabase object...
Searching for ',' in '%s'.
Marked app mappings = '%s'.
Marked buffer = '%s'.
Closing key to the directory with CloseKey...
IIsWebVirtualDir
Deleting data for property %ld
Getting METADATA_HANDLE for the directory '%s'.
'%s'.
Splitting property...
CoInitializeEx - COM initialization Apartment Threaded.
RollbackApplyWebFolderProperties
WEBCA_RollbackApplyWebFolderProperties
WEBCA_ApplyWebFolderProperties
_IISProperties
GatherWebFolderProperties
Failed to create metabase object.
ApplyWebFolderProperties
KERNEL32.DLL
mscoree.dll
(null)
HH:mm:ss
dddd, MMMM dd, yyyy
MM/dd/yy
December
November
October
September
August
April
March
February
January
Saturday
Friday
Thursday
Wednesday
Tuesday
Monday
Sunday
runtime error
Microsoft Visual C++ Runtime Library
<program name unknown>
Program:
WUSER32.DLL
CONOUT$
SELECT `_URLProperty` FROM `_UrlToDir` WHERE `TargetProperty` = '%s'
SELECT `Directory_Parent`, `DefaultDir` FROM `Directory` WHERE `Directory` = '%s'
SELECT `_VDirProperty` FROM `_VDirToUrl` WHERE `TargetProperty` = '%s'
%.2i/%.2i/%.4i %.2i:%.2i:%.2i:%.3i
Error formatting the log message.
%-7.7s: [%s] [%-40.40s]: %.512s
ERROR
WARNING
DEBUG
Custom Action completed with return code: '%ld'
Custom Action is starting...
Custom Action succeeded.
Custom Action failed with code: '%ld'
Unknown Custom Action.
TMsiViewExecute - Open Database view on table...
MsiDatabaseOpenViewW - Prepare Database to view table...
Error_DataBase_Does_Not_Exist
Enumerating table using SQL statement: '%s'
Property '%s' retrieved with value '%s'.
MsiGetPropertyW - Getting Property '%s'...
Allocating space...
MsiGetPropertyW - Determine size of property '%s'
MsiSetPropertyW - Setting property '%s' to '%s'.
MsiSetPropertyW - Setting Property Value...
MsiRecordGetStringW - Getting value from column '%ld'...
MsiRecordGetStringW - Fetching value...
MsiRecordGetInteger - Getting value from column '%d'.
MsiGetTargetPathW - Getting Target Path for '%s'.
Memory allocaton failed...
Allocating space for target path...
MsiGetComponentState - %s
MsiDatabaseOpenViewW - Using query '%s'.
Getting AppRoot From Url key '%s'.
AppRoot: '%s'
RootAppRoot: '%s'
RootDirectoryURLProperty: '%s'
DirectoryProperty: '%s'
RootDirectoryProperty: '%s'
INSERT INTO `ComboBox` (`Property`,`Order`,`Value`,`Text`) VALUES (?, ?, ?, ?) TEMPORARY
MsiDatabaseOpenViewW - Using query '
Opening metabase location:
Opening key
Remainder:
Root thus far:
Opening key
Mapping
Calling AppCreate with inprocflag =
with inprocflag =
Calling AppCreate2 at
IIsWebServer
/LM/W3SVC/
IIsApplicationPool
/LM/W3SVC/AppPools
DefaultAppPool
APPID
Classes
REGISTRY
Module_Raw
Module
yacute
ugrave
ucirc
uacute
thorn
szlig
otilde
oslash
ograve
ocirc
oacute
ntilde
igrave
icirc
iacute
egrave
ecirc
eacute
ccedil
atilde
aring
agrave
aelig
acirc
aacute
Yacute
Ugrave
Ucirc
Uacute
THORN
Otilde
Oslash
Ograve
Ocirc
Oacute
Ntilde
Igrave
Icirc
Iacute
Egrave
Ecirc
Eacute
Ccedil
Atilde
Aring
Agrave
Acirc
Aacute
AElig
0123456789abcdef
Failure in DISPID
ekernel32.dll
No antivirus engine scan information!

Process Tree


msiexec.exe, PID: 2560, parent PID: 2184

TCP

Source address    Source port    Destination address    Destination port
192.168.122.201 49160 23.209.84.31 80

UDP

Source address    Source port    Destination address    Destination port
192.168.122.201 63246 192.168.122.1 53
192.168.122.201 63472 192.168.122.1 53

HTTP Requests

URI    HTTP data
http://acroipm.adobe.com/11/rdr/CHS/win/nooem/none/message.zip
GET /11/rdr/CHS/win/nooem/none/message.zip HTTP/1.1
Accept: */*
If-Modified-Since: Mon, 08 Nov 2017 08:44:36 GMT
User-Agent: IPM
Host: acroipm.adobe.com
Connection: Keep-Alive
Cache-Control: no-cache

SMTP Traffic

No SMTP traffic.

IRC Traffic

No IRC requests.

ICMP Traffic

No ICMP traffic.

CIF Report

No CIF results

Network Alerts

No alerts

TLS

No TLS

Suricata HTTP

No Suricata HTTP

No files extracted from network traffic
Sorry! No files were dropped.
No similar analyses found.

Processing ( 31.926 seconds )

  • 11.441 Suricata
  • 11.361 NetworkAnalysis
  • 4.49 Strings
  • 3.122 AnalysisInfo
  • 0.796 BehaviorAnalysis
  • 0.629 TargetInfo
  • 0.085 Static
  • 0.002 Memory

Signatures ( 1.816 seconds )

  • 1.447 proprietary_url_bl
  • 0.05 antiav_detectreg
  • 0.03 api_spamming
  • 0.024 stealth_decoy_document
  • 0.023 stealth_timeout
  • 0.021 infostealer_ftp
  • 0.013 infostealer_im
  • 0.011 mimics_filetime
  • 0.011 proprietary_domain_bl
  • 0.01 antianalysis_detectreg
  • 0.009 antiav_detectfile
  • 0.009 geodo_banking_trojan
  • 0.008 anomaly_persistence_autorun
  • 0.008 antivm_generic_scsi
  • 0.007 antivm_generic_services
  • 0.007 reads_self
  • 0.007 virus
  • 0.007 infostealer_bitcoin
  • 0.007 infostealer_mail
  • 0.006 stealth_file
  • 0.006 antivm_generic_disk
  • 0.006 anormaly_invoke_kills
  • 0.005 bootkit
  • 0.004 shifu_behavior
  • 0.004 hancitor_behavior
  • 0.004 antivm_vbox_files
  • 0.004 ransomware_extensions
  • 0.004 ransomware_files
  • 0.003 proprietary_anomaly_massive_file_ops
  • 0.003 betabot_behavior
  • 0.003 kibex_behavior
  • 0.003 network_http
  • 0.002 tinba_behavior
  • 0.002 antiemu_wine_func
  • 0.002 rat_nanocore
  • 0.002 antidbg_windows
  • 0.002 kovter_behavior
  • 0.002 antivm_parallels_keys
  • 0.002 antivm_xen_keys
  • 0.002 disables_browser_warn
  • 0.002 darkcomet_regkeys
  • 0.002 proprietary_bad_drop
  • 0.002 network_torgateway
  • 0.001 hawkeye_behavior
  • 0.001 network_tor
  • 0.001 antivm_vbox_libs
  • 0.001 proprietary_anomaly_write_exe_and_obsfucate_extension
  • 0.001 antiav_avast_libs
  • 0.001 stack_pivot
  • 0.001 proprietary_malicious_write_executeable_under_temp_to_regrun
  • 0.001 injection_createremotethread
  • 0.001 antisandbox_sunbelt_libs
  • 0.001 exec_crash
  • 0.001 infostealer_browser_password
  • 0.001 cerber_behavior
  • 0.001 bypass_firewall
  • 0.001 antianalysis_detectfile
  • 0.001 antidbg_devices
  • 0.001 antisandbox_productid
  • 0.001 antivm_generic_diskreg
  • 0.001 antivm_hyperv_keys
  • 0.001 bot_drive
  • 0.001 bot_drive2
  • 0.001 browser_addon
  • 0.001 browser_security
  • 0.001 modify_proxy
  • 0.001 proprietary_malicious_drop_executable_file_to_temp_folder
  • 0.001 proprietary_anomaly_invoke_vb_vba
  • 0.001 proprietary_anomaly_mismatch_mime_extension
  • 0.001 proprietary_ip_reputation
  • 0.001 network_cnc_http
  • 0.001 rat_pcclient
  • 0.001 recon_fingerprint

Reporting ( 0.594 seconds )

  • 0.584 ReportHTMLSummary
  • 0.01 Malheur
Task ID 764063
Mongo ID 6749e27cdc327b16b8726e6c
Cuckoo release 1.4-Maldun