恶意软件分析 & URL链接扫描免费在线病毒分析平台

分析任务

分析类型	虚拟机标签	开始时间	结束时间	持续时间
文件 (Windows)	win7-sp1-x64-hpdapp01-1	2018-03-23 21:58:11	2018-03-23 21:58:43	32 秒

错误信息: Task #141234: Analysis failed: Function raised an error: Unable to execute the initial process, analysis aborted.
请联系 support@maldun.com 取得帮助!

魔盾分数

0.0

正常的

文件详细信息

文件名	wayprotect64.sys
文件大小	2763000 字节
文件类型	PE32+ executable (native) x86-64, for MS Windows
MD5	d6e8478a6c110aa4202c586f02aad377
SHA1	02a8b0426dbb7ea7516758f5a53b658bd62bd1cf
SHA256	d7325f5f55f7514a62792ef55a7968afcc87f4e2b11b25055bf6aae4faff14e5
SHA512	c0b904e63794a2c60e9d96f8c240fd9643374fbc6f24af9113c6402faa5064bdd6d5a5b605c15a3ce44239ab70dba5a468b9ccba8f6d352ee11412ea6b25e3db
CRC32	72905C3E
Ssdeep	49152:aIVZjIyWCPkmAGnH8QOirPk0lonLzRS8k4wSYJP+UmTg2SsIVK6LUEYOKBrqIzYC:NjIyNsmAWcnircwO/CIzYozrsBGf
Yara	登录查看Yara规则
	样本下载提交漏报

登录查看威胁特征

运行截图

没有可用的屏幕截图

访问主机纪录 (可点击查询WPING实时安全评级)

无主机纪录.

域名解析 (可点击查询WPING实时安全评级)

无域名信息.

摘要

登录查看详细行为信息

PE 信息

初始地址	0x140000000
入口地址	0x1401b6cb2
声明校验值	0x002a7666
实际校验值	0x002a7666
最低操作系统版本要求	6.3
编译时间	2017-10-10 23:53:45
载入哈希	8fe84f3e62e173780b4b4f3999e597ac

版本信息

LegalCopyright
InternalName
FileVersion
CompanyName
ProductName
ProductVersion
FileDescription
OriginalFilename
Translation

微软证书验证 (Sign Tool)

SHA1	时间戳	有效性	错误
5a52023ca932b5a8c1590abc631a34583205f684	Sun Oct 22 15:34:54 2017	是	无

证书链	Certificate Chain 1
发行给	VeriSign Class 3 Public Primary Certification Authority - G5
发行人	VeriSign Class 3 Public Primary Certification Authority - G5
有效期	Thu Jul 17 075959 2036
SHA1 哈希	4eb6d578499b1ccf5f581ead56be3d9b6744a5e5

证书链	Certificate Chain 2
发行给	VeriSign Class 3 Code Signing 2010 CA
发行人	VeriSign Class 3 Public Primary Certification Authority - G5
有效期	Sat Feb 08 075959 2020
SHA1 哈希	495847a93187cfb8c71f840cb7b41497ad95c64f

证书链	Certificate Chain 3
发行给	Btra Away Ltda - ME
发行人	VeriSign Class 3 Code Signing 2010 CA
有效期	Thu Oct 26 075959 2017
SHA1 哈希	bd72bdc02c225091d3628684d4b42b917bc5a92c

证书链	Timestamp Chain 1
发行给	Thawte Timestamping CA
发行人	Thawte Timestamping CA
有效期	Fri Jan 01 075959 2021
SHA1 哈希	be36a4562fb2ee05dbb3d32323adf445084ed656

证书链	Timestamp Chain 2
发行给	Symantec Time Stamping Services CA - G2
发行人	Thawte Timestamping CA
有效期	Thu Dec 31 075959 2020
SHA1 哈希	6c07453ffdda08b83707c09b82fb3d15f35336b1

证书链	Timestamp Chain 3
发行给	Symantec Time Stamping Services Signer - G4
发行人	Symantec Time Stamping Services CA - G2
有效期	Wed Dec 30 075959 2020
SHA1 哈希	65439929b67973eb192d6ff243e6767adf0834e4

PE 数据组成

名称	虚拟地址	虚拟大小	原始数据大小	特征	熵(Entropy)
.text	0x00001000	0x00003210	0x00000000	IMAGE_SCN_CNT_CODE\|IMAGE_SCN_MEM_NOT_PAGED\|IMAGE_SCN_MEM_EXECUTE\|IMAGE_SCN_MEM_READ	0.00
.rdata	0x00005000	0x00004a10	0x00000000	IMAGE_SCN_CNT_INITIALIZED_DATA\|IMAGE_SCN_MEM_NOT_PAGED\|IMAGE_SCN_MEM_READ	0.00
.data	0x0000a000	0x00003ce4	0x00000000	IMAGE_SCN_CNT_INITIALIZED_DATA\|IMAGE_SCN_MEM_NOT_PAGED\|IMAGE_SCN_MEM_READ\|IMAGE_SCN_MEM_WRITE	0.00
.pdata	0x0000e000	0x00000330	0x00000000	IMAGE_SCN_CNT_INITIALIZED_DATA\|IMAGE_SCN_MEM_NOT_PAGED\|IMAGE_SCN_MEM_READ	0.00
PAGE	0x0000f000	0x00001987	0x00000000	IMAGE_SCN_CNT_CODE\|IMAGE_SCN_MEM_EXECUTE\|IMAGE_SCN_MEM_READ	0.00
INIT	0x00011000	0x0000078c	0x00000000	IMAGE_SCN_CNT_CODE\|IMAGE_SCN_MEM_EXECUTE\|IMAGE_SCN_MEM_READ	0.00
.vmp0	0x00012000	0x001a049b	0x00000000	IMAGE_SCN_CNT_CODE\|IMAGE_SCN_CNT_INITIALIZED_DATA\|IMAGE_SCN_MEM_NOT_PAGED\|IMAGE_SCN_MEM_EXECUTE\|IMAGE_SCN_MEM_READ	0.00
.vmp1	0x001b3000	0x00000008	0x00000200	IMAGE_SCN_CNT_INITIALIZED_DATA\|IMAGE_SCN_MEM_NOT_PAGED\|IMAGE_SCN_MEM_READ\|IMAGE_SCN_MEM_WRITE	0.12
.vmp2	0x001b4000	0x00299c30	0x00299e00	IMAGE_SCN_CNT_CODE\|IMAGE_SCN_CNT_INITIALIZED_DATA\|IMAGE_SCN_MEM_EXECUTE\|IMAGE_SCN_MEM_READ	7.57
.reloc	0x0044e000	0x00000084	0x00000200	IMAGE_SCN_CNT_INITIALIZED_DATA\|IMAGE_SCN_MEM_DISCARDABLE\|IMAGE_SCN_MEM_READ	1.39
.rsrc	0x0044f000	0x00000340	0x00000400	IMAGE_SCN_CNT_INITIALIZED_DATA\|IMAGE_SCN_MEM_DISCARDABLE\|IMAGE_SCN_MEM_READ	2.76

导入

库: ntoskrnl.exe:

• 0x1402e5000 RtlInitUnicodeString

• 0x1402e5008 RtlUnicodeStringToAnsiString

• 0x1402e5010 RtlCopyUnicodeString

• 0x1402e5018 KeQueryTimeIncrement

• 0x1402e5020 KeInitializeGuardedMutex

• 0x1402e5028 KeAcquireGuardedMutex

• 0x1402e5030 KeReleaseGuardedMutex

• 0x1402e5038 ExAllocatePoolWithTag

• 0x1402e5040 ExFreePoolWithTag

• 0x1402e5048 IoGetCurrentProcess

• 0x1402e5050 ObRegisterCallbacks

• 0x1402e5058 ObUnRegisterCallbacks

• 0x1402e5060 PsGetCurrentProcessId

• 0x1402e5068 PsGetThreadProcessId

• 0x1402e5070 RtlDowncaseUnicodeString

• 0x1402e5078 __C_specific_handler

• 0x1402e5080 PsProcessType

• 0x1402e5088 PsThreadType

• 0x1402e5090 ZwCreateFile

• 0x1402e5098 ZwReadFile

• 0x1402e50a0 ZwClose

• 0x1402e50a8 RtlGetVersion

• 0x1402e50b0 IofCompleteRequest

• 0x1402e50b8 IoCreateSymbolicLink

• 0x1402e50c0 IoDeleteDevice

• 0x1402e50c8 IoDeleteSymbolicLink

• 0x1402e50d0 KeBugCheck

• 0x1402e50d8 IoGetRequestorProcessId

• 0x1402e50e0 IoGetRequestorProcess

• 0x1402e50e8 SeLocateProcessImageName

• 0x1402e50f0 MmGetSystemRoutineAddress

• 0x1402e50f8 IoCreateDevice

• 0x1402e5100 ObOpenObjectByPointer

• 0x1402e5108 ZwSetSecurityObject

• 0x1402e5110 IoDeviceObjectType

• 0x1402e5118 _snwprintf

• 0x1402e5120 RtlLengthSecurityDescriptor

• 0x1402e5128 SeCaptureSecurityDescriptor

• 0x1402e5130 RtlCreateSecurityDescriptor

• 0x1402e5138 RtlSetDaclSecurityDescriptor

• 0x1402e5140 RtlAbsoluteToSelfRelativeSD

• 0x1402e5148 IoIsWdmVersionAvailable

• 0x1402e5150 SeExports

• 0x1402e5158 wcschr

• 0x1402e5160 _wcsnicmp

• 0x1402e5168 RtlLengthSid

• 0x1402e5170 RtlAddAccessAllowedAce

• 0x1402e5178 RtlGetSaclSecurityDescriptor

• 0x1402e5180 RtlGetDaclSecurityDescriptor

• 0x1402e5188 RtlGetGroupSecurityDescriptor

• 0x1402e5190 RtlGetOwnerSecurityDescriptor

• 0x1402e5198 ZwOpenKey

• 0x1402e51a0 ZwCreateKey

• 0x1402e51a8 ZwQueryValueKey

• 0x1402e51b0 ZwSetValueKey

• 0x1402e51b8 RtlFreeUnicodeString

• 0x1402e51c0 KeBugCheckEx

库: ntoskrnl.exe:

• 0x1402e51d0 ExAllocatePool

• 0x1402e51d8 NtQuerySystemInformation

• 0x1402e51e0 ExFreePoolWithTag

• 0x1402e51e8 IoAllocateMdl

• 0x1402e51f0 MmProbeAndLockPages

• 0x1402e51f8 MmMapLockedPagesSpecifyCache

• 0x1402e5200 MmUnlockPages

• 0x1402e5208 IoFreeMdl

• 0x1402e5210 KeQueryActiveProcessors

• 0x1402e5218 KeSetSystemAffinityThread

• 0x1402e5220 KeRevertToUserAffinityThread

• 0x1402e5228 DbgPrint

库: HAL.dll:

• 0x1402e5238 KeQueryPerformanceCounter

.text
h.rdata
H.data
.pdata
HPAGE
`INIT
`.vmp0
h.vmp1
.vmp2
`.reloc
B.rsrc
ZwCreateKey
IoDeleteSymbolicLink
ExFreePoolWithTag
RtlGetSaclSecurityDescriptor
ZwSetSecurityObject
KeQueryActiveProcessors
ZwSetValueKey
:h{:p)
wcschr
RtlGetOwnerSecurityDescriptor
_dC;H
NtQuerySystemInformation
TvmEW
MmGetSystemRoutineAddress
SeLocateProcessImageName
KeRevertToUserAffinityThread
ZwCreateFile
IoDeviceObjectType
ObRegisterCallbacks
_snwprintf
RtlAbsoluteToSelfRelativeSD
RtlDowncaseUnicodeString

防病毒引擎/厂商	病毒名/规则匹配	病毒库日期
Bkav	未发现病毒	20180315
MicroWorld-eScan	未发现病毒	20180315
nProtect	未发现病毒	20180315
CMC	未发现病毒	20180315
CAT-QuickHeal	未发现病毒	20180315
McAfee	未发现病毒	20180315
Cylance	未发现病毒	20180316
Zillya	未发现病毒	20180315
AegisLab	未发现病毒	20180315
K7AntiVirus	未发现病毒	20180315
K7GW	未发现病毒	20180315
TheHacker	未发现病毒	20180311
TrendMicro	未发现病毒	20180315
Baidu	未发现病毒	20180315
Cyren	未发现病毒	20180315
Symantec	未发现病毒	20180315
ESET-NOD32	未发现病毒	20180315
TrendMicro-HouseCall	未发现病毒	20180315
Paloalto	未发现病毒	20180316
ClamAV	未发现病毒	20180315
Kaspersky	未发现病毒	20180316
BitDefender	未发现病毒	20180315
NANO-Antivirus	未发现病毒	20180315
SUPERAntiSpyware	未发现病毒	20180315
Rising	未发现病毒	20180315
Ad-Aware	未发现病毒	20180315
Sophos	未发现病毒	20180315
Comodo	未发现病毒	20180315
F-Secure	未发现病毒	20180315
DrWeb	未发现病毒	20180315
VIPRE	未发现病毒	20180315
Invincea	未发现病毒	20180121
McAfee-GW-Edition	未发现病毒	20180315
Emsisoft	未发现病毒	20180316
Ikarus	未发现病毒	20180315
F-Prot	未发现病毒	20180315
Jiangmin	未发现病毒	20180315
Webroot	未发现病毒	20180316
Avira	未发现病毒	20180316
Antiy-AVL	未发现病毒	20180316
Kingsoft	未发现病毒	20180316
Microsoft	未发现病毒	20180315
Endgame	未发现病毒	20180308
Arcabit	未发现病毒	20180316
ViRobot	未发现病毒	20180316
ZoneAlarm	未发现病毒	20180315
Avast-Mobile	未发现病毒	20180315
GData	未发现病毒	20180315
AhnLab-V3	未发现病毒	20180315
ALYac	未发现病毒	20180315
AVware	未发现病毒	20180315
MAX	未发现病毒	20180316
VBA32	未发现病毒	20180315
Malwarebytes	未发现病毒	20180315
WhiteArmor	未发现病毒	20180223
Panda	未发现病毒	20180315
Zoner	未发现病毒	20180316
Tencent	未发现病毒	20180316
Yandex	未发现病毒	20180315
SentinelOne	未发现病毒	20180225
eGambit	未发现病毒	20180316
Fortinet	未发现病毒	20180315
AVG	未发现病毒	20180316
Avast	未发现病毒	20180316
CrowdStrike	未发现病毒	20170201
Qihoo-360	未发现病毒	20180316

下载PCAP包

访问主机纪录 (可点击查询WPING实时安全评级)

无主机纪录.

TCP

源地址	源端口	目标地址	目标端口
192.168.122.201	49158	23.5.251.27	80
192.168.122.201	49159	23.5.251.27	80

UDP

源地址	源端口	目标地址	目标端口
192.168.122.201	63248	192.168.122.1	53
192.168.122.201	64412	192.168.122.1	53

域名解析 (可点击查询WPING实时安全评级)

无域名信息.

TCP

源地址	源端口	目标地址	目标端口
192.168.122.201	49158	23.5.251.27	80
192.168.122.201	49159	23.5.251.27	80

UDP

源地址	源端口	目标地址	目标端口
192.168.122.201	63248	192.168.122.1	53
192.168.122.201	64412	192.168.122.1	53

HTTP 请求

URI	HTTP数据
URL专业沙箱检测 -> http://ocsp.verisign.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBS56bKHAoUD%2BOyl%2B0LhPg9JxyQm4gQUf9Nlp8Ld7LvwMAnzQzn6Aq8zMTMCEFIA5aolVvwahu2WydRLM8c%3D	GET /MFEwTzBNMEswSTAJBgUrDgMCGgUABBS56bKHAoUD%2BOyl%2B0LhPg9JxyQm4gQUf9Nlp8Ld7LvwMAnzQzn6Aq8zMTMCEFIA5aolVvwahu2WydRLM8c%3D HTTP/1.1 Connection: Keep-Alive Accept: / User-Agent: Microsoft-CryptoAPI/6.1 Host: ocsp.verisign.com
URL专业沙箱检测 -> http://sf.symcd.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTSqZMG5M8TA9rdzkbCnNwuMAd5VgQUz5mp6nsm9EvJjo%2FX8AUm7%2BPSp50CEH7hTCUOAM0tC1dj5IZGaRw%3D	GET /MFEwTzBNMEswSTAJBgUrDgMCGgUABBTSqZMG5M8TA9rdzkbCnNwuMAd5VgQUz5mp6nsm9EvJjo%2FX8AUm7%2BPSp50CEH7hTCUOAM0tC1dj5IZGaRw%3D HTTP/1.1 Connection: Keep-Alive Accept: / User-Agent: Microsoft-CryptoAPI/6.1 Host: sf.symcd.com

URI

HTTP数据

URL专业沙箱检测 -> http://ocsp.verisign.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBS56bKHAoUD%2BOyl%2B0LhPg9JxyQm4gQUf9Nlp8Ld7LvwMAnzQzn6Aq8zMTMCEFIA5aolVvwahu2WydRLM8c%3D

GET /MFEwTzBNMEswSTAJBgUrDgMCGgUABBS56bKHAoUD%2BOyl%2B0LhPg9JxyQm4gQUf9Nlp8Ld7LvwMAnzQzn6Aq8zMTMCEFIA5aolVvwahu2WydRLM8c%3D HTTP/1.1
Connection: Keep-Alive
Accept: */*
User-Agent: Microsoft-CryptoAPI/6.1
Host: ocsp.verisign.com

URL专业沙箱检测 -> http://sf.symcd.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTSqZMG5M8TA9rdzkbCnNwuMAd5VgQUz5mp6nsm9EvJjo%2FX8AUm7%2BPSp50CEH7hTCUOAM0tC1dj5IZGaRw%3D

GET /MFEwTzBNMEswSTAJBgUrDgMCGgUABBTSqZMG5M8TA9rdzkbCnNwuMAd5VgQUz5mp6nsm9EvJjo%2FX8AUm7%2BPSp50CEH7hTCUOAM0tC1dj5IZGaRw%3D HTTP/1.1
Connection: Keep-Alive
Accept: */*
User-Agent: Microsoft-CryptoAPI/6.1
Host: sf.symcd.com

SMTP 流量

无SMTP流量.

IRC 流量

无IRC请求.

ICMP 流量

无ICMP流量.

CIF 报告

无 CIF 结果

网络警报

无警报

TLS

No TLS

Suricata HTTP

No Suricata HTTP

未发现网络提取文件

抱歉! 没有任何文件投放。

没有发现相似的分析.

HTML 总结报告 (需15-60分钟同步)	下载

Processing ( 31.009 seconds )

12.04 Suricata
8.872 Static
4.614 TargetInfo
3.936 VirusTotal
0.785 NetworkAnalysis
0.443 peid
0.253 AnalysisInfo
0.034 Debug
0.016 Strings
0.009 config_decoder
0.004 Memory
0.003 BehaviorAnalysis

Signatures ( 2.271 seconds )

2.033 md_url_bl
0.099 md_bad_drop
0.019 antiav_detectreg
0.013 md_domain_bl
0.01 persistence_autorun
0.008 antiav_detectfile
0.008 infostealer_ftp
0.007 network_http
0.006 geodo_banking_trojan
0.006 ransomware_files
0.005 infostealer_bitcoin
0.005 infostealer_im
0.005 ransomware_extensions
0.004 tinba_behavior
0.004 antianalysis_detectreg
0.004 disables_browser_warn
0.003 rat_nanocore
0.003 cerber_behavior
0.003 antivm_vbox_files
0.003 infostealer_mail
0.002 betabot_behavior
0.002 bot_drive
0.002 modify_proxy
0.002 browser_security
0.001 network_tor
0.001 kazybot_behavior
0.001 kibex_behavior
0.001 shifu_behavior
0.001 ursnif_behavior
0.001 antianalysis_detectfile
0.001 antivm_parallels_keys
0.001 antivm_xen_keys
0.001 banker_zeus_mutex
0.001 bot_drive2
0.001 browser_addon
0.001 disables_system_restore
0.001 disables_windows_defender
0.001 modify_uac_prompt
0.001 network_cnc_http

Reporting ( 0.911 seconds )

0.598 ReportHTMLSummary
0.313 Malheur


Task ID	141234
Mongo ID	5ab5083c2e063313e91432eb
Cuckoo release	1.4-Maldun