恶意软件分析 & URL链接扫描免费在线病毒分析平台

分析任务

分析类型	虚拟机标签	开始时间	结束时间	持续时间
URL	win7-sp1-x64-hpdapp03-1	2018-03-18 14:29:36	2018-03-18 14:31:55	139 秒

魔盾分数

0.45

正常的

URL详细信息

URL
URL专业沙箱检测 -> http://d.hyds360.com/setup_b66529.exe

登录查看威胁特征

运行截图

访问主机纪录 (可点击查询WPING实时安全评级)

直接	IP	安全评级	地理位置
否	122.224.45.50	中国
否	222.187.223.155	中国

域名解析 (可点击查询WPING实时安全评级)

域名	安全评级	响应
d.hyds360.com	A 222.187.223.155
www.microsoft.com	CNAME e13678.ca.s.tl88.net A 122.224.45.50 CNAME www.microsoft.com-c-3.edgekey.net.globalredir.akadns.net CNAME www.microsoft.com-c-3.edgekey.net

摘要

登录查看详细行为信息

URL分析
防病毒引擎

WHOIS 信息

Name: Registration Private
Country: US
State: Arizona
City: Scottsdale
ZIP Code: 85260
Address: DomainsByProxy.com

Orginization: Domains By Proxy, LLC
Domain Name(s):
    HYDS360.COM
    hyds360.com
Creation Date:
    2017-11-22 08:31:37
Updated Date:
    2017-12-28 04:32:50
    2017-11-22 08:31:37
Expiration Date:
    2018-11-22 08:31:37
Email(s):
    abuse@godaddy.com
    hyds360.com@domainsbyproxy.com

Registrar(s):
    GoDaddy.com, LLC
Name Server(s):
    F1G1NS1.DNSPOD.NET
    F1G1NS2.DNSPOD.NET
Referral URL(s):
    None

没有防病毒引擎扫描信息!

进程树

iexplore.exe id: 700
- iexplore.exe id: 2264

iexplore.exe, PID: 700, 上一级进程 PID: 284

缺省注册表文件系统网络进程线程服务设备同步加密浏览器全部

iexplore.exe, PID: 2264, 上一级进程 PID: 700

缺省注册表文件系统网络进程线程服务设备同步加密浏览器全部

下载PCAP包

访问主机纪录 (可点击查询WPING实时安全评级)

直接	IP	安全评级	地理位置
否	122.224.45.50	中国
否	222.187.223.155	中国

TCP

源地址	源端口	目标地址	目标端口
192.168.122.201	49161	122.224.45.50 www.microsoft.com	80
192.168.122.201	49160	222.187.223.155 d.hyds360.com	80

UDP

源地址	源端口	目标地址	目标端口
192.168.122.201	54844	192.168.122.1	53
192.168.122.201	59793	192.168.122.1	53
192.168.122.201	60316	192.168.122.1	53

域名解析 (可点击查询WPING实时安全评级)

域名	安全评级	响应
d.hyds360.com	A 222.187.223.155
www.microsoft.com	CNAME e13678.ca.s.tl88.net A 122.224.45.50 CNAME www.microsoft.com-c-3.edgekey.net.globalredir.akadns.net CNAME www.microsoft.com-c-3.edgekey.net

TCP

源地址	源端口	目标地址	目标端口
192.168.122.201	49161	122.224.45.50 www.microsoft.com	80
192.168.122.201	49160	222.187.223.155 d.hyds360.com	80

UDP

源地址	源端口	目标地址	目标端口
192.168.122.201	54844	192.168.122.1	53
192.168.122.201	59793	192.168.122.1	53
192.168.122.201	60316	192.168.122.1	53

HTTP 请求

URI	HTTP数据
URL专业沙箱检测 -> http://d.hyds360.com/setup_b66529.exe	GET /setup_b66529.exe HTTP/1.1 Accept: / Referer: http://www.google.com/url?sa=t&rct=j&q=&esrc=s&source=web&cd=30&ved=0CCEQfjVWhseG5qZllyU0V4U0VrUGFrcnpCVXRN&url=http%3A%2F%2Fd.hyds360.com%2Fsetup_b66529.exe&ei=cUFDZnRIck1LSFJ6&usg=AFQjRHJOWU9NYWxMUW1W Accept-Language: zh-cn User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E) Accept-Encoding: gzip, deflate Host: d.hyds360.com Connection: Keep-Alive
URL专业沙箱检测 -> http://www.microsoft.com/	GET / HTTP/1.1 Host: www.microsoft.com Connection: Close

URI

HTTP数据

URL专业沙箱检测 -> http://d.hyds360.com/setup_b66529.exe

GET /setup_b66529.exe HTTP/1.1
Accept: */*
Referer: http://www.google.com/url?sa=t&rct=j&q=&esrc=s&source=web&cd=30&ved=0CCEQfjVWhseG5qZllyU0V4U0VrUGFrcnpCVXRN&url=http%3A%2F%2Fd.hyds360.com%2Fsetup_b66529.exe&ei=cUFDZnRIck1LSFJ6&usg=AFQjRHJOWU9NYWxMUW1W
Accept-Language: zh-cn
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)
Accept-Encoding: gzip, deflate
Host: d.hyds360.com
Connection: Keep-Alive

URL专业沙箱检测 -> http://www.microsoft.com/

GET / HTTP/1.1
Host: www.microsoft.com
Connection: Close

SMTP 流量

无SMTP流量.

IRC 流量

无IRC请求.

ICMP 流量

无ICMP流量.

CIF 报告

无 CIF 结果

网络警报

Timestamp	Source IP	Source Port	Destination IP	Destination Port	Protocol	SID	Signature	Category
2018-03-18 14:30:00.422429+0800	122.224.45.50	80	192.168.122.201	49161	TCP	2012692	ET POLICY Microsoft user-agent automated process response to automated request	A Network Trojan was detected
2018-03-18 14:29:49.911575+0800	222.187.223.155	80	192.168.122.201	49160	TCP	2018959	ET POLICY PE EXE or DLL Windows file download HTTP	Potential Corporate Privacy Violation

TLS

No TLS

Suricata HTTP

No Suricata HTTP

未发现网络提取文件

文件名	index.dat
相关文件	C:\Users\test\AppData\Roaming\Microsoft\Windows\IECompatCache\index.dat
文件大小	65536 字节
文件类型	Internet Explorer cache file version Ver 5.2
MD5	191d3d20f356bf520a7d1ed07b1bc08b
SHA1	bdba37ad96d8801e8d2c9e30e68afaf3822b0e4a
SHA256	d2eae7eeb07f08972ec78e59eaf73b6cfa48e92121748f61a394a28e33e36788
CRC32	BFF870C9
Ssdeep	384:wEEG/+oBMgfh3+EIOTcxi8kB+JuE1uPFykblh2F/0mjv3Bw2LI/u1sVdvM2zLOY4:wEEG/+xo
	下载提交魔盾安全分析

文件名	index.dat
相关文件	C:\Users\test\AppData\Local\Microsoft\Feeds Cache\index.dat
文件大小	32768 字节
文件类型	Internet Explorer cache file version Ver 5.2
MD5	0aee387ca0a52dcdd8f8a29ea76edb42
SHA1	5df81547dcadb2a7b8bc689da8e1383ba1a84cb9
SHA256	c31bc37e102b70a472837d530ec80bdaea28b0fefda3e9aa8c8cda98c4200c4e
CRC32	B451CA0B
Ssdeep	12:qjtSaFpbZli3zIoYDPO7em4GZj03W/cKYDPOCG5A30WUsOXQDG9YRm4GZ5:qj4avEIoYTCebGZ7ZYTlEJ0oQQ4bGZ
魔盾安全分析结果	2.0 分析时间：2016-11-06 20:10:20 查看分析报告
	下载提交魔盾安全分析

文件名	JavaDeployReg.log
相关文件	C:\Users\test\AppData\Local\Temp\JavaDeployReg.log
文件大小	1068 字节
文件类型	ASCII text, with CRLF line terminators
MD5	dd9b3507ad0e08a8f5095d824a72e48a
SHA1	f446824fc44488f6a05d9b0a6aac973329d02318
SHA256	cd82d1abbd3a2822ea18c74ee0754b307599803b9030aafb70b58abc03eb0b45
CRC32	0033CA08
Ssdeep	24:odn9LnnMm8uA8XlZQfU78Tc49PX/+1Soih9:odn9LnnMruA8XlZQfU78Tc49PX/+A5X
	下载提交魔盾安全分析显示文本
[2017/06/01 16:29:23.649] Latest deploy version: [2017/06/01 16:29:23.649] 11.121.2 [2017/06/01 16:30:14.832] Latest deploy version: [2017/06/01 16:30:14.832] 11.121.2 [2017/06/01 16:40:25.052] Latest deploy version: [2017/06/01 16:40:25.052] 11.121.2 [2017/06/08 18:03:28.677] Latest deploy version: [2017/06/08 18:03:28.677] 11.121.2 [2017/06/08 18:15:11.176] Latest deploy version: [2017/06/08 18:15:11.176] 11.121.2 [2017/06/08 18:17:04.791] Latest deploy version: [2017/06/08 18:17:04.791] 11.121.2 [2017/09/01 16:11:55.188] Latest deploy version: [2017/09/01 16:11:55.188] 11.121.2 [2017/09/01 20:28:25.900] Latest deploy version: [2017/09/01 20:28:25.900] 11.121.2 [2017/09/01 22:02:42.198] Latest deploy version: [2017/09/01 22:02:42.198] 11.121.2 [2017/09/03 00:16:45.426] Latest deploy version: [2017/09/03 00:16:45.426] 11.121.2 [2017/09/03 11:22:53.307] Latest deploy version: [2017/09/03 11:22:53.307] 11.121.2 [2018/03/18 23:30:47.541] Latest deploy version: [2018/03/18 23:30:47.556] 11.121.2

文件名	{B9FC1DC4-2A75-11E8-8D49-52540055321F}.dat
相关文件	C:\Users\test\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\{B9FC1DC4-2A75-11E8-8D49-52540055321F}.dat
文件大小	4096 字节
文件类型	Composite Document File V2 Document, Cannot read section info
MD5	d71bf356881ce2d3ecbe23c3e79cd9f6
SHA1	a41484c2fb3c92011bd4b5c9a6f7771742019039
SHA256	e5f7c1b7337ac97bd5c44ad25907ee1ef7a78056f427ef8df4db958de7de434b
CRC32	763DF5FC
Ssdeep	12:rl0YmGFVhrEgm8GL7KF9rEgm8Gz7qPNlCgrNl26ao:rXhG8NG8JNlLrNlIo
	下载提交魔盾安全分析

文件名	RecoveryStore.{B9FC1DC3-2A75-11E8-8D49-52540055321F}.dat
相关文件	C:\Users\test\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{B9FC1DC3-2A75-11E8-8D49-52540055321F}.dat
文件大小	5120 字节
文件类型	Composite Document File V2 Document, Cannot read section info
MD5	c2c4711723ecefe1368c04fe3c65eb2c
SHA1	ac2981f2173105428ed4960b68e88a3078192e32
SHA256	c86463dc12f720a7865eef506ceac1504800a44e3481d6b38b8b338f60ad0e14
CRC32	A0795F89
Ssdeep	24:rLhTG5/k8y85/OMkNlWowZOQNlWoEZxZ:rJG5c+5GEowZOdoEZxZ
	下载提交魔盾安全分析

HTML 总结报告 (需15-60分钟同步)	下载

Processing ( 23.718 seconds )

9.131 NetworkAnalysis
7.448 Suricata
3.219 BehaviorAnalysis
2.565 Static
1.007 VirusTotal
0.277 AnalysisInfo
0.036 Debug
0.031 Dropped
0.004 Memory

Signatures ( 4.808 seconds )

1.577 md_url_bl
1.02 antiav_detectreg
0.35 infostealer_ftp
0.284 md_bad_drop
0.213 antianalysis_detectreg
0.195 infostealer_im
0.131 stealth_timeout
0.111 infostealer_mail
0.11 antivm_generic_scsi
0.097 api_spamming
0.077 antivm_generic_services
0.055 kibex_behavior
0.055 darkcomet_regkeys
0.054 antivm_xen_keys
0.053 antivm_parallels_keys
0.039 geodo_banking_trojan
0.038 betabot_behavior
0.036 antivm_generic_diskreg
0.023 packer_armadillo_regkey
0.019 antivm_vbox_keys
0.019 antivm_vmware_keys
0.018 stealth_file
0.018 antivm_xen_keys
0.018 antivm_hyperv_keys
0.018 antivm_vbox_acpi
0.018 antivm_vpc_keys
0.018 bypass_firewall
0.015 md_domain_bl
0.008 antiav_detectfile
0.007 antivm_generic_disk
0.006 mimics_filetime
0.006 persistence_autorun
0.005 antiemu_wine_func
0.005 virus
0.005 kovter_behavior
0.005 infostealer_bitcoin
0.005 ransomware_files
0.004 bootkit
0.004 infostealer_browser_password
0.004 antidbg_windows
0.004 ransomware_extensions
0.004 recon_fingerprint
0.003 hancitor_behavior
0.003 antivm_vbox_libs
0.003 antiemu_wine_reg
0.003 antivm_vbox_files
0.003 disables_browser_warn
0.002 tinba_behavior
0.002 antiav_avast_libs
0.002 stack_pivot
0.002 dridex_behavior
0.002 injection_createremotethread
0.002 ransomware_message
0.002 vawtrak_behavior
0.002 injection_runpe
0.002 antisandbox_productid
0.002 network_torgateway
0.001 hawkeye_behavior
0.001 network_tor
0.001 rat_nanocore
0.001 antisandbox_sunbelt_libs
0.001 antisandbox_sboxie_libs
0.001 antiav_bitdefender_libs
0.001 shifu_behavior
0.001 exec_crash
0.001 cerber_behavior
0.001 antidbg_devices
0.001 antivm_generic_bios
0.001 antivm_generic_cpu
0.001 antivm_generic_system
0.001 bot_drive
0.001 bot_drive2
0.001 browser_addon
0.001 browser_security
0.001 ie_martian_children
0.001 modify_uac_prompt
0.001 rat_pcclient
0.001 recon_programs
0.001 whois_create

Reporting ( 0.53 seconds )

0.53 ReportHTMLSummary


Task ID	138937
Mongo ID	5aae0809a093ef3ab503d3ba
Cuckoo release	1.4-Maldun