分析任务
| 分析类型 | 虚拟机标签 | 开始时间 | 结束时间 | 持续时间 |
|---|---|---|---|---|
| 文件 (Windows) | win7-sp1-x64-shaapp01-2 | 2018-05-22 09:53:02 | 2018-05-22 09:55:21 | 139 秒 |
魔盾分数
6.45
危险的
文件详细信息
| 文件名 | 荒野小迪辅助V1.4.exe |
|---|---|
| 文件大小 | 1515520 字节 |
| 文件类型 | PE32 executable (GUI) Intel 80386, for MS Windows |
| MD5 | b3cfa0e80bad2716b1a17aa6d4e085ab |
| SHA1 | 5cb993a09b5c92f9a302b1d6c950c55057a28d0a |
| SHA256 | 3ddf360bb5b22191ceea48aeabbb10cdead2f2a72821f3877dc5b57103f8b23a |
| SHA512 | 0a95f3bf1ad3db77c4b268c9051266ea75e1c0f754f264536b416df8b1996761fbd6b44c0196ad25f9ae74d28bbd9969bc7276f995aad6d39357a56a997c9d5a |
| CRC32 | 8602D5DB |
| Ssdeep | 24576:r6KsaYJK9GYSCZRyxgA77sp5xEVEFzioAF26FTEInVeGbPdb+hba8fg/zmHfjiP0:rMoGrCZRyiAXwnwvoY9F4DGbPC9fuz+h |
| Yara | 登录查看Yara规则 |
| 样本下载 提交误报 |
登录查看威胁特征
运行截图
访问主机纪录 (可点击查询WPING实时安全评级)
| 直接 | IP | 安全评级 | 地理位置 |
|---|---|---|---|
| 否 | 59.110.185.116 | 未知 | 中国 |
| 否 | 59.110.185.127 | 未知 | 中国 |
域名解析 (可点击查询WPING实时安全评级)
| 域名 | 安全评级 | 响应 |
|---|---|---|
| xddh.oss-cn-beijing.aliyuncs.com | 未知 | A 59.110.185.127 |
| xdms.oss-cn-beijing.aliyuncs.com | 未知 | A 59.110.185.116 |
摘要
登录查看详细行为信息PE 信息
| 初始地址 | 0x00400000 |
|---|---|
| 入口地址 | 0x0061f86b |
| 声明校验值 | 0x00000000 |
| 实际校验值 | 0x0018028c |
| 最低操作系统版本要求 | 5.0 |
| 编译时间 | 2018-05-20 17:53:07 |
| 载入哈希 | 8f31095220b1605f7b376ac192a7f43a |
| 图标 |  |
| 图标精确哈希值 | 6fa49d83cf505e43b1e72e636239ff76 |
| 图标相似性哈希值 | c1fd735250e97dde9605af75014ebbf4 |
PE 数据组成
| 名称 | 虚拟地址 | 虚拟大小 | 原始数据大小 | 特征 | 熵(Entropy) |
|---|---|---|---|---|---|
| .text | 0x00001000 | 0x000ae086 | 0x00000000 | IMAGE_SCN_CNT_CODE|IMAGE_SCN_MEM_EXECUTE|IMAGE_SCN_MEM_READ | 0.00 |
| .rdata | 0x000b0000 | 0x0001b13a | 0x00000000 | IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_READ | 0.00 |
| .data | 0x000cc000 | 0x0004b24a | 0x00000000 | IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_READ|IMAGE_SCN_MEM_WRITE | 0.00 |
| .vmp0 | 0x00118000 | 0x000e60cb | 0x00000000 | IMAGE_SCN_CNT_CODE|IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_EXECUTE|IMAGE_SCN_MEM_READ|IMAGE_SCN_MEM_WRITE | 0.00 |
| .vmp1 | 0x001ff000 | 0x00159c56 | 0x0015a000 | IMAGE_SCN_CNT_CODE|IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_EXECUTE|IMAGE_SCN_MEM_READ|IMAGE_SCN_MEM_WRITE | 7.94 |
| .rsrc | 0x00359000 | 0x000167f9 | 0x00017000 | IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_READ | 4.82 |
资源
| 名称 | 偏移量 | 大小 | 语言 | 子语言 | 熵(Entropy) | 文件类型 |
|---|---|---|---|---|---|---|
| RT_ICON | 0x0035ed9c | 0x00010828 | LANG_NEUTRAL | SUBLANG_NEUTRAL | 4.74 | dBase III DBT, version number 0, next free block index 40 |
| RT_ICON | 0x0035ed9c | 0x00010828 | LANG_NEUTRAL | SUBLANG_NEUTRAL | 4.74 | dBase III DBT, version number 0, next free block index 40 |
| RT_ICON | 0x0035ed9c | 0x00010828 | LANG_NEUTRAL | SUBLANG_NEUTRAL | 4.74 | dBase III DBT, version number 0, next free block index 40 |
| RT_ICON | 0x0035ed9c | 0x00010828 | LANG_NEUTRAL | SUBLANG_NEUTRAL | 4.74 | dBase III DBT, version number 0, next free block index 40 |
| RT_ICON | 0x0035ed9c | 0x00010828 | LANG_NEUTRAL | SUBLANG_NEUTRAL | 4.74 | dBase III DBT, version number 0, next free block index 40 |
| RT_ICON | 0x0035ed9c | 0x00010828 | LANG_NEUTRAL | SUBLANG_NEUTRAL | 4.74 | dBase III DBT, version number 0, next free block index 40 |
| RT_GROUP_ICON | 0x0036f618 | 0x00000014 | LANG_CHINESE | SUBLANG_CHINESE_SIMPLIFIED | 2.02 | MS Windows icon resource - 1 icon, 16x16, 16 colors |
| RT_GROUP_ICON | 0x0036f618 | 0x00000014 | LANG_CHINESE | SUBLANG_CHINESE_SIMPLIFIED | 2.02 | MS Windows icon resource - 1 icon, 16x16, 16 colors |
| RT_GROUP_ICON | 0x0036f618 | 0x00000014 | LANG_CHINESE | SUBLANG_CHINESE_SIMPLIFIED | 2.02 | MS Windows icon resource - 1 icon, 16x16, 16 colors |
| RT_MANIFEST | 0x0036f62c | 0x000001cd | LANG_NEUTRAL | SUBLANG_NEUTRAL | 5.08 | XML 1.0 document, ASCII text, with very long lines, with no line terminators |
导入
库: RASAPI32.dll:
• 0x602000 RasHangUpA
库: USER32.dll:
• 0x602018 OpenClipboard
库: GDI32.dll:
• 0x602020 CreatePolygonRgn
库: WINMM.dll:
• 0x602028 waveOutReset
库: WINSPOOL.DRV:
• 0x602030 DocumentPropertiesA
库: ADVAPI32.dll:
• 0x602038 RegOpenKeyExA
库: SHELL32.dll:
• 0x602040 Shell_NotifyIconA
库: ole32.dll:
• 0x602048 OleUninitialize
库: OLEAUT32.dll:
• 0x602050 UnRegisterTypeLib
库: COMCTL32.dll:
• 0x602058 None
库: WS2_32.dll:
• 0x602060 getpeername
库: WININET.dll:
• 0x602068 InternetSetOptionA
库: comdlg32.dll:
• 0x602070 GetSaveFileNameA
库: KERNEL32.dll:
• 0x602078 GetModuleFileNameW
库: KERNEL32.dll:
• 0x602080 GetModuleHandleA
• 0x602084 LoadLibraryA
• 0x602088 LocalAlloc
• 0x60208c LocalFree
• 0x602090 GetModuleFileNameA
• 0x602094 ExitProcess
.text
`.rdata
@.data
.vmp0
.vmp1
.rsrc
tH7DQ
LocalAlloc
ExitProcess
LoadLibraryA
lstrcpynA
user32.dll
GetModuleFileNameW
GetVersion
COMCTL32.dll
CreatePolygonRgn
WINSPOOL.DRV
mK855
ep#}
GetModuleHandleA
RegOpenKeyExA
InternetSetOptionA
KERNEL32.dll
Shell_NotifyIconA
comdlg32.dll
)RASAPI32.dll
访问主机纪录 (可点击查询WPING实时安全评级)
| 直接 | IP | 安全评级 | 地理位置 |
|---|---|---|---|
| 否 | 59.110.185.116 | 未知 | 中国 |
| 否 | 59.110.185.127 | 未知 | 中国 |
TCP
| 源地址 | 源端口 | 目标地址 | 目标端口 |
|---|---|---|---|
| 192.168.122.202 | 49161 | 59.110.185.116 xdms.oss-cn-beijing.aliyuncs.com | 80 |
| 192.168.122.202 | 49160 | 59.110.185.127 xddh.oss-cn-beijing.aliyuncs.com | 80 |
UDP
| 源地址 | 源端口 | 目标地址 | 目标端口 |
|---|---|---|---|
| 192.168.122.202 | 52449 | 192.168.122.1 | 53 |
| 192.168.122.202 | 63580 | 192.168.122.1 | 53 |
域名解析 (可点击查询WPING实时安全评级)
| 域名 | 安全评级 | 响应 |
|---|---|---|
| xddh.oss-cn-beijing.aliyuncs.com | 未知 | A 59.110.185.127 |
| xdms.oss-cn-beijing.aliyuncs.com | 未知 | A 59.110.185.116 |
TCP
| 源地址 | 源端口 | 目标地址 | 目标端口 |
|---|---|---|---|
| 192.168.122.202 | 49161 | 59.110.185.116 xdms.oss-cn-beijing.aliyuncs.com | 80 |
| 192.168.122.202 | 49160 | 59.110.185.127 xddh.oss-cn-beijing.aliyuncs.com | 80 |
UDP
| 源地址 | 源端口 | 目标地址 | 目标端口 |
|---|---|---|---|
| 192.168.122.202 | 52449 | 192.168.122.1 | 53 |
| 192.168.122.202 | 63580 | 192.168.122.1 | 53 |
HTTP 请求
| URI | HTTP数据 |
|---|---|
| URL专业沙箱检测 -> http://xddh.oss-cn-beijing.aliyuncs.com/PZ.txt | GET /PZ.txt HTTP/1.1 User-Agent: HTTPREAD Host: xddh.oss-cn-beijing.aliyuncs.com Cache-Control: no-cache |
| URL专业沙箱检测 -> http://xddh.oss-cn-beijing.aliyuncs.com/LRE.dll | GET /LRE.dll HTTP/1.1 User-Agent: HTTPREAD Host: xddh.oss-cn-beijing.aliyuncs.com Cache-Control: no-cache |
| URL专业沙箱检测 -> http://xddh.oss-cn-beijing.aliyuncs.com/Moon.txt | GET /Moon.txt HTTP/1.1 User-Agent: HTTPREAD Host: xddh.oss-cn-beijing.aliyuncs.com Cache-Control: no-cache |
| URL专业沙箱检测 -> http://xdms.oss-cn-beijing.aliyuncs.com/MS.txt | GET /MS.txt HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0) Accept: */* Host: xdms.oss-cn-beijing.aliyuncs.com Cache-Control: no-cache |
SMTP 流量
无SMTP流量.
IRC 流量
无IRC请求.
ICMP 流量
无ICMP流量.
CIF 报告
无 CIF 结果
网络警报
| Timestamp | Source IP | Source Port | Destination IP | Destination Port | Protocol | SID | Signature | Category |
|---|---|---|---|---|---|---|---|---|
| 2018-05-22 09:53:18.466181+0800 | 192.168.122.202 | 49161 | 59.110.185.116 | 80 | TCP | 2016879 | ET POLICY Unsupported/Fake Windows NT Version 5.0 | Potential Corporate Privacy Violation |
| 2018-05-22 09:53:16.708915+0800 | 59.110.185.127 | 80 | 192.168.122.202 | 49160 | TCP | 2018959 | ET POLICY PE EXE or DLL Windows file download HTTP | Potential Corporate Privacy Violation |
TLS
No TLS
Suricata HTTP
No Suricata HTTP
未发现网络提取文件
| 文件名 | Moon.dll |
|---|---|
| 相关文件 |
C:\Users\test\Desktop\Moon\Moon.dll
|
| 文件大小 | 152424 字节 |
| 文件类型 | PE32 executable (DLL) (GUI) Intel 80386, for MS Windows |
| MD5 | 6a22f0dbf53994c20c63fed1fb8eab2c |
| SHA1 | a4cb7172435352965165c8c3691855f92b837087 |
| SHA256 | 9159c210bc679ffb7dd50ba218822c75d00753a135d390e33d40a567c29dcc43 |
| CRC32 | D363E346 |
| Ssdeep | 1536:u6uaPRWYhsleoDJKvrcVYbWNNHsn5ez6TUskHgs+X0vngaMbtbTNQuYrYF:uDjDJZYHn4zukwuCbtbTNQuYrYF |
| 下载 提交魔盾安全分析 |
没有发现相似的分析.
| HTML 总结报告 (需15-60分钟同步) |
下载 |
|---|
Processing ( 32.748 seconds )
- 20.766 NetworkAnalysis
- 7.373 Suricata
- 1.748 TargetInfo
- 1.218 VirusTotal
- 1.075 Static
- 0.27 peid
- 0.172 AnalysisInfo
- 0.1 BehaviorAnalysis
- 0.01 Dropped
- 0.009 Strings
- 0.003 config_decoder
- 0.002 Debug
- 0.002 Memory
Signatures ( 1.499 seconds )
- 1.353 md_url_bl
- 0.022 antiav_detectreg
- 0.014 md_domain_bl
- 0.011 stealth_file
- 0.009 infostealer_ftp
- 0.006 persistence_autorun
- 0.006 antiav_detectfile
- 0.006 infostealer_im
- 0.005 antidbg_windows
- 0.005 stealth_timeout
- 0.005 antianalysis_detectreg
- 0.005 geodo_banking_trojan
- 0.004 infostealer_bitcoin
- 0.004 md_bad_drop
- 0.004 ransomware_files
- 0.003 api_spamming
- 0.003 decoy_document
- 0.003 disables_browser_warn
- 0.003 infostealer_mail
- 0.003 ransomware_extensions
- 0.002 rat_nanocore
- 0.002 tinba_behavior
- 0.002 antivm_vbox_files
- 0.002 browser_security
- 0.002 network_http
- 0.002 network_torgateway
- 0.001 antivm_vbox_window
- 0.001 betabot_behavior
- 0.001 antivm_vbox_libs
- 0.001 kibex_behavior
- 0.001 antivm_generic_scsi
- 0.001 cerber_behavior
- 0.001 antivm_parallels_keys
- 0.001 antivm_xen_keys
- 0.001 banker_zeus_mutex
- 0.001 bot_drive
- 0.001 bot_drive2
- 0.001 browser_addon
- 0.001 modify_proxy
Reporting ( 0.425 seconds )
- 0.418 ReportHTMLSummary
- 0.007 Malheur
| Task ID | 162415 |
|---|---|
| Mongo ID | 5b0378adbb7d5744ffff4172 |
| Cuckoo release | 1.4-Maldun |
沪公网安备 31011502009736号