Analysis Task

Analysis type | VM label | Start time | End time | Duration
File (Windows) | win7-sp1-x64-1 | 2016-08-26 17:01:38 | 2016-08-26 17:02:18 | 40 seconds

Maldun Score

3.3

Suspicious

File details

File name MiniTPFw.exe
File size 59848 bytes
File type PE32 executable (console) Intel 80386, for MS Windows
MD5 58bb62e88687791ad2ea5d8d6e3fe18b
SHA1 0ffb029064741d10c9cf3f629202aa97167883de
SHA256 f02fa7ddab2593492b9b68e3f485e59eb755380a9235f6269705f6d219dff100
SHA512 cd36b28f87be9cf718f0c44bf7c500d53186edc08889bcfa5222041ff31c5cbee509b186004480efbd99c36b2233182ae0969447f4051510e1771a73ed209da5
CRC32 0E23C82A
Ssdeep 768:BSODywYihzSrVPdQsNruuGYOLO3NNkFlBi1jSZIfjeGdJARt03juFGu:BSKywYDdQsQuG5L27Ui1SPRt0qf
Hosts contacted

Direct IP | Security rating | Geolocation
23.44.155.27 | Unknown | United States
23.41.75.27 | Unknown | United States

DNS resolution

Domain | Security rating | Response
ocsp.verisign.com | Unknown | A 23.41.75.27
CNAME ocsp-ds.ws.symantec.com.edgekey.net
CNAME e8218.dscb1.akamaiedge.net

PE information

Image base 0x00400000
Entry point 0x00402cda
Declared checksum 0x00012a3f
Actual checksum 0x00012a3f
Minimum OS version required 5.0
PDB path d:\Project\MiniTPFw\MiniTPFw\Release\MiniTPFw.pdb
Compile time 2014-01-07 14:46:58

Version information

LegalCopyright
InternalName
FileVersion
ProductName
ProductVersion
FileDescription
OriginalFilename
Translation

Microsoft certificate verification (Sign Tool)

SHA1 | Timestamp | Validity | Error
a64a78fd248c6695ad41095c9b938ad32b8c37fd | Tue Jan 07 14:47:49 2014
Certificate chain: Certificate Chain 1
Issued to VeriSign Class 3 Public Primary Certification Authority - G5
Issuer VeriSign Class 3 Public Primary Certification Authority - G5
Valid until Thu Jul 17 07:59:59 2036
SHA1 hash 4eb6d578499b1ccf5f581ead56be3d9b6744a5e5
Certificate chain: Certificate Chain 2
Issued to VeriSign Class 3 Code Signing 2010 CA
Issuer VeriSign Class 3 Public Primary Certification Authority - G5
Valid until Sat Feb 08 07:59:59 2020
SHA1 hash 495847a93187cfb8c71f840cb7b41497ad95c64f
Certificate chain: Certificate Chain 3
Issued to ShenZhen Thunder Networking Technologies Ltd.
Issuer VeriSign Class 3 Code Signing 2010 CA
Valid until Wed Jun 24 07:59:59 2015
SHA1 hash 20c98cd8e61f7b9e77dbd74242b7538ff410f57b
Certificate chain: Timestamp Chain 1
Issued to Thawte Timestamping CA
Issuer Thawte Timestamping CA
Valid until Fri Jan 01 07:59:59 2021
SHA1 hash be36a4562fb2ee05dbb3d32323adf445084ed656
Certificate chain: Timestamp Chain 2
Issued to Symantec Time Stamping Services CA - G2
Issuer Thawte Timestamping CA
Valid until Thu Dec 31 07:59:59 2020
SHA1 hash 6c07453ffdda08b83707c09b82fb3d15f35336b1
Certificate chain: Timestamp Chain 3
Issued to Symantec Time Stamping Services Signer - G4
Issuer Symantec Time Stamping Services CA - G2
Valid until Wed Dec 30 07:59:59 2020
SHA1 hash 65439929b67973eb192d6ff243e6767adf0834e4

PE sections

Name | Virtual address | Virtual size | Raw data size | Characteristics | Entropy
.text 0x00001000 0x00008aeb 0x00008c00 IMAGE_SCN_CNT_CODE|IMAGE_SCN_MEM_EXECUTE|IMAGE_SCN_MEM_READ 6.51
.rdata 0x0000a000 0x00002ab4 0x00002c00 IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_READ 5.20
.data 0x0000d000 0x00001a1c 0x00000e00 IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_READ|IMAGE_SCN_MEM_WRITE 2.71
.rsrc 0x0000f000 0x00000504 0x00000600 IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_READ 4.51

Overlay

Offset 0x0000d000
Size 0x000019c8

Resources

Name | Offset | Size | Language | Sublanguage | Entropy | File type
RT_VERSION 0x0000f0a0 0x000002fc LANG_CHINESE SUBLANG_CHINESE_SIMPLIFIED 3.37 data
RT_MANIFEST 0x0000f39c 0x00000165 LANG_ENGLISH SUBLANG_ENGLISH_US 4.78 ASCII text, with CRLF line terminators

Imports

Library: SHELL32.dll:
0x40a0f0 ShellExecuteW
Library: KERNEL32.dll:
0x40a008 GetLocalTime
0x40a00c RtlUnwind
0x40a010 RaiseException
0x40a014 GetModuleHandleW
0x40a018 GetProcAddress
0x40a01c TlsGetValue
0x40a020 TlsAlloc
0x40a024 TlsSetValue
0x40a028 TlsFree
0x40a030 SetLastError
0x40a034 GetCurrentThreadId
0x40a038 GetLastError
0x40a040 TerminateProcess
0x40a044 GetCurrentProcess
0x40a050 IsDebuggerPresent
0x40a054 HeapFree
0x40a058 HeapAlloc
0x40a05c Sleep
0x40a060 ExitProcess
0x40a064 WriteFile
0x40a068 GetStdHandle
0x40a06c GetModuleFileNameA
0x40a070 GetModuleFileNameW
0x40a07c GetCommandLineW
0x40a080 SetHandleCount
0x40a084 GetFileType
0x40a088 GetStartupInfoA
0x40a08c HeapCreate
0x40a090 VirtualFree
0x40a098 GetTickCount
0x40a09c GetCurrentProcessId
0x40a0ac GetCPInfo
0x40a0b0 GetACP
0x40a0b4 GetOEMCP
0x40a0b8 IsValidCodePage
0x40a0bc VirtualAlloc
0x40a0c0 HeapReAlloc
0x40a0c4 HeapSize
0x40a0c8 LoadLibraryA
0x40a0d0 GetLocaleInfoA
0x40a0d4 GetStringTypeA
0x40a0d8 MultiByteToWideChar
0x40a0dc GetStringTypeW
0x40a0e0 LCMapStringA
0x40a0e4 WideCharToMultiByte
0x40a0e8 LCMapStringW
Library: USER32.dll:
0x40a0f8 wsprintfW

Strings (program-specific and version resource)

MiniThunderPlatform
\MiniThunderPlatform.exe"
ThunderFW.exe
KERNEL32.DLL
mscoree.dll

VS_VERSION_INFO / StringFileInfo 080404b0
FileDescription MiniTPFw Application
FileVersion 1, 0, 0, 1
InternalName MiniTPFw
LegalCopyright Copyright (c) 2014 Thunder Networking Technologies,LTD
OriginalFilename MiniTPFw.exe
ProductName MiniTPFw Application
ProductVersion 1, 0, 0, 1
VarFileInfo Translation
Antivirus engine/vendor | Virus name/rule match | Definition date
Bkav | No virus found | 20160622
MicroWorld-eScan | No virus found | 20160622
nProtect | No virus found | 20160622
CMC | No virus found | 20160620
CAT-QuickHeal | No virus found | 20160622
McAfee | No virus found | 20160622
Malwarebytes | No virus found | 20160622
VIPRE | No virus found | 20160622
AegisLab | No virus found | 20160622
K7AntiVirus | No virus found | 20160622
BitDefender | No virus found | 20160622
K7GW | No virus found | 20160622
TheHacker | No virus found | 20160621
Baidu | No virus found | 20160622
F-Prot | No virus found | 20160622
Symantec | No virus found | 20160622
ESET-NOD32 | No virus found | 20160622
TrendMicro-HouseCall | No virus found | 20160622
Avast | No virus found | 20160622
ClamAV | No virus found | 20160622
Kaspersky | No virus found | 20160622
Alibaba | No virus found | 20160622
NANO-Antivirus | No virus found | 20160622
ViRobot | No virus found | 20160622
Ad-Aware | No virus found | 20160622
Sophos | No virus found | 20160622
Comodo | No virus found | 20160622
F-Secure | No virus found | 20160622
DrWeb | No virus found | 20160622
Zillya | No virus found | 20160622
TrendMicro | No virus found | 20160622
McAfee-GW-Edition | No virus found | 20160622
Emsisoft | No virus found | 20160622
Cyren | No virus found | 20160622
Jiangmin | No virus found | 20160622
Avira | No virus found | 20160622
Antiy-AVL | No virus found | 20160622
Kingsoft | No virus found | 20160622
Microsoft | No virus found | 20160622
Arcabit | No virus found | 20160622
SUPERAntiSpyware | No virus found | 20160622
GData | No virus found | 20160622
AhnLab-V3 | No virus found | 20160622
ALYac | No virus found | 20160622
AVware | No virus found | 20160622
VBA32 | No virus found | 20160621
Baidu-International | No virus found | 20160614
Zoner | No virus found | 20160622
Tencent | No virus found | 20160622
Yandex | No virus found | 20160621
Ikarus | No virus found | 20160622
Fortinet | No virus found | 20160622
AVG | No virus found | 20160622
Panda | No virus found | 20160622
Qihoo-360 | No virus found | 20160622

Process tree

MiniTPFw.exe, PID: 1624, parent PID: 1472

TCP

Source address | Source port | Destination address | Destination port
192.168.122.70 49335 23.41.75.27 ocsp.verisign.com 80

UDP

Source address | Source port | Destination address | Destination port
192.168.122.70 51435 192.168.122.1 53
192.168.122.70 53257 192.168.122.1 53
192.168.122.70 54531 192.168.122.1 53
192.168.122.70 57997 192.168.122.1 53
192.168.122.70 59485 192.168.122.1 53
192.168.122.70 64732 192.168.122.1 53
192.168.122.70 137 192.168.122.255 137
192.168.122.70 5355 192.168.122.69 53197
192.168.122.70 5355 192.168.122.69 64810
192.168.122.70 49500 224.0.0.252 5355
192.168.122.70 51346 224.0.0.252 5355
192.168.122.70 54315 224.0.0.252 5355
192.168.122.70 60614 224.0.0.252 5355
192.168.122.70 60702 224.0.0.252 5355
192.168.122.70 61735 224.0.0.252 5355
192.168.122.70 62263 224.0.0.252 5355
192.168.122.70 65076 224.0.0.252 5355
192.168.122.70 57195 239.255.255.250 1900
192.168.122.70 123 40.69.40.157 123

HTTP requests

URI | HTTP data
http://ocsp.verisign.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBS56bKHAoUD%2BOyl%2B0LhPg9JxyQm4gQUf9Nlp8Ld7LvwMAnzQzn6Aq8zMTMCEFIA5aolVvwahu2WydRLM8c%3D
GET /MFEwTzBNMEswSTAJBgUrDgMCGgUABBS56bKHAoUD%2BOyl%2B0LhPg9JxyQm4gQUf9Nlp8Ld7LvwMAnzQzn6Aq8zMTMCEFIA5aolVvwahu2WydRLM8c%3D HTTP/1.1
Connection: Keep-Alive
Accept: */*
User-Agent: Microsoft-CryptoAPI/6.1
Host: ocsp.verisign.com

http://ocsp.verisign.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTSqZMG5M8TA9rdzkbCnNwuMAd5VgQUz5mp6nsm9EvJjo%2FX8AUm7%2BPSp50CEAz%2FezKc%2F387jS1UKrJYJro%3D
GET /MFEwTzBNMEswSTAJBgUrDgMCGgUABBTSqZMG5M8TA9rdzkbCnNwuMAd5VgQUz5mp6nsm9EvJjo%2FX8AUm7%2BPSp50CEAz%2FezKc%2F387jS1UKrJYJro%3D HTTP/1.1
Connection: Keep-Alive
Accept: */*
User-Agent: Microsoft-CryptoAPI/6.1
Host: ocsp.verisign.com

http://ocsp.verisign.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTSqZMG5M8TA9rdzkbCnNwuMAd5VgQUz5mp6nsm9EvJjo%2FX8AUm7%2BPSp50CEAz%2FezKc%2F387jS1UKrJYJro%3D
GET /MFEwTzBNMEswSTAJBgUrDgMCGgUABBTSqZMG5M8TA9rdzkbCnNwuMAd5VgQUz5mp6nsm9EvJjo%2FX8AUm7%2BPSp50CEAz%2FezKc%2F387jS1UKrJYJro%3D HTTP/1.1
Cache-Control: no-cache
Connection: Keep-Alive
Pragma: no-cache
Accept: */*
User-Agent: Microsoft-CryptoAPI/6.1
Host: ocsp.verisign.com

SMTP traffic

No SMTP traffic.

IRC traffic

No IRC requests.

ICMP traffic

No ICMP traffic.

CIF report

No CIF results

Network alerts

No alerts

TLS

No TLS

Suricata HTTP

No Suricata HTTP

No files extracted from network traffic.
Sorry, no files were dropped.
No similar analyses found.

Processing ( 3.721 seconds )

  • 2.325 VirusTotal
  • 0.543 Static
  • 0.439 peid
  • 0.219 TargetInfo
  • 0.097 NetworkAnalysis
  • 0.042 BehaviorAnalysis
  • 0.022 AnalysisInfo
  • 0.013 Strings
  • 0.009 config_decoder
  • 0.007 Debug
  • 0.002 Dropped
  • 0.002 Memory
  • 0.001 ProcessMemory

Signatures ( 0.056 seconds )

  • 0.012 antiav_detectreg
  • 0.005 persistence_autorun
  • 0.005 antiav_detectfile
  • 0.005 infostealer_ftp
  • 0.004 geodo_banking_trojan
  • 0.003 infostealer_bitcoin
  • 0.003 infostealer_im
  • 0.002 tinba_behavior
  • 0.002 antianalysis_detectreg
  • 0.002 antivm_vbox_files
  • 0.002 disables_browser_warn
  • 0.002 infostealer_mail
  • 0.002 network_torgateway
  • 0.001 betabot_behavior
  • 0.001 banker_zeus_mutex
  • 0.001 bot_drive
  • 0.001 bot_drive2
  • 0.001 modify_proxy
  • 0.001 browser_security
  • 0.001 ransomware_files

Reporting ( 2.347 seconds )

  • 1.759 ReportPDF
  • 0.578 ReportHTMLSummary
  • 0.01 Malheur
Task ID 15580
Mongo ID 57c005a04d3bd014d8bafd84
Cuckoo release 1.4-Maldun