Analysis Task

Analysis type  VM tag  Start time  End time  Duration
File (Windows)  win7-sp1-x64-shaapp01-2  2018-07-09 20:21:28  2018-07-09 20:23:48  140 seconds

Maldun Score

10.0

Dangerous

File Details

File name 最新的合同.bat (Chinese for "Latest contract.bat")
File size 480 bytes
File type Little-endian UTF-16 Unicode text, with no line terminators
MD5 92aa86147a96d93a5584957764fff7f7
SHA1 a7b31ee0db80f4da8e7cfefb607fb10a060b8048
SHA256 822e358dac14cf6db1506e5c135a95ee4a69e950de6d986f20dda7e3b00cea14
SHA512 37594220bcb3ed5497fa3491d7a10a8a46c33f762a4b40db3ccd4ee808ea72a7a7a054cc58ca9d9d955e43a70b5fd21789306c41d8ccc27323a68207f00a71b4
CRC32 1FBA0C0E
Ssdeep 12:Q/Eaeb1KVX11P8Jm5lWpWZhQJeH9FPWRqrk20:QCSXLPxqJenOw0

Hosts Contacted

IP address  Geolocation
222.187.232.9  China
47.75.173.43  Canada

DNS Resolution

Domain  Type  Response
www.xiaobaremotecontrol.xyz  A  47.75.173.43
mine.ppxxmr.com  A  222.187.232.9

Summary

No static analysis available.
No antivirus engine scan information.

Process Tree

cmd.exe, PID: 320, parent PID: 1608
  cmd.exe, PID: 1748, parent PID: 320
    mshta.exe, PID: 2072, parent PID: 1748
      cmd.exe, PID: 2164, parent PID: 2072
        WMIC.exe, PID: 2240, parent PID: 2164

TCP

Source address  Source port  Destination address  Destination port
192.168.122.202 49167 222.187.232.9 mine.ppxxmr.com 5555
192.168.122.202 49164 47.75.173.43 www.xiaobaremotecontrol.xyz 80
192.168.122.202 49165 47.75.173.43 www.xiaobaremotecontrol.xyz 80
192.168.122.202 49166 47.75.173.43 www.xiaobaremotecontrol.xyz 8080

UDP

Source address  Source port  Destination address  Destination port
192.168.122.202 52449 192.168.122.1 53
192.168.122.202 63580 192.168.122.1 53

HTTP Requests

URI and HTTP data

http://www.xiaobaremotecontrol.xyz/sct/sct_BCX.sct
GET /sct/sct_BCX.sct HTTP/1.1
Accept: */*
UA-CPU: AMD64
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Win64; x64; Trident/4.0; .NET CLR 2.0.50727; SLCC2; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; InfoPath.3; .NET4.0C; .NET4.0E)
Host: www.xiaobaremotecontrol.xyz
Connection: Keep-Alive

http://www.xiaobaremotecontrol.xyz/hta/BCX.hta
GET /hta/BCX.hta HTTP/1.1
Accept: */*
Accept-Language: zh-CN
UA-CPU: AMD64
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Win64; x64; Trident/4.0; .NET CLR 2.0.50727; SLCC2; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; InfoPath.3; .NET4.0C; .NET4.0E)
Host: www.xiaobaremotecontrol.xyz
Connection: Keep-Alive

http://www.xiaobaremotecontrol.xyz:8080/SGTool.exe
GET /SGTool.exe HTTP/1.1
Host: www.xiaobaremotecontrol.xyz:8080
Connection: Keep-Alive

SMTP Traffic

No SMTP traffic.

IRC Traffic

No IRC requests.

ICMP Traffic

No ICMP traffic.

CIF Report

No CIF results.

Network Alerts

Timestamp Source IP Source Port Destination IP Destination Port Protocol SID Signature Category
2018-07-09 20:21:42.700422+0800 192.168.122.202 49165 47.75.173.43 80 TCP 2022520 ET POLICY Possible HTA Application Download Potentially Bad Traffic
2018-07-09 20:21:43.432263+0800 192.168.122.202 49166 47.75.173.43 8080 TCP 2022896 ET CURRENT_EVENTS SUSPICIOUS Firesale gTLD EXE DL with no Referer June 13 2016 A Network Trojan was detected
2018-07-09 20:21:42.793812+0800 47.75.173.43 80 192.168.122.202 49165 TCP 2012041 ET WEB_CLIENT Hex Obfuscation of String.fromCharCode % Encoding Potentially Bad Traffic
2018-07-09 20:21:42.793812+0800 47.75.173.43 80 192.168.122.202 49165 TCP 2012043 ET WEB_CLIENT Hex Obfuscation of charCodeAt % Encoding Potentially Bad Traffic
2018-07-09 20:21:42.793812+0800 47.75.173.43 80 192.168.122.202 49165 TCP 2012059 ET WEB_CLIENT Hex Obfuscation of document.write % Encoding Potentially Bad Traffic
2018-07-09 20:21:42.793812+0800 47.75.173.43 80 192.168.122.202 49165 TCP 2012263 ET WEB_CLIENT Hex Obfuscation of Script Tag % Encoding Potentially Bad Traffic
2018-07-09 20:21:42.793812+0800 47.75.173.43 80 192.168.122.202 49165 TCP 2012266 ET WEB_CLIENT Hex Obfuscation of unescape % Encoding Potentially Bad Traffic
2018-07-09 20:21:42.793812+0800 47.75.173.43 80 192.168.122.202 49165 TCP 2012269 ET WEB_CLIENT Hex Obfuscation of substr % Encoding Potentially Bad Traffic
2018-07-09 20:21:43.663014+0800 47.75.173.43 8080 192.168.122.202 49166 TCP 2018959 ET POLICY PE EXE or DLL Windows file download HTTP Potential Corporate Privacy Violation
2018-07-09 20:21:43.663014+0800 47.75.173.43 8080 192.168.122.202 49166 TCP 2020500 ET CURRENT_EVENTS DRIVEBY Likely Evil EXE with no referer from HFS webserver (used by Unknown EK) A Network Trojan was detected

TLS

No TLS

Suricata HTTP

No Suricata HTTP

No files extracted from network traffic.

Dropped File

File name error[1]
Related file C:\Users\test\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\CB4GP22D\error[1]
File size 3138 bytes
File type HTML document, UTF-8 Unicode (with BOM) text, with CRLF line terminators
MD5 9bba08a58fda3049383d1390bcfa8277
SHA1 919f125817eae113c9b4c6a0c5f18a37fb60f095
SHA256 bfbe066acb5bf3459b4a221a1686d993a4b25dbb9b0b7de0ae965bb34797e109
CRC32 44A3D48D
Ssdeep 96:lkMd1/TxjqDppzwO8ddFAdd5Eddd1hddv+dd8QFhlls1MH5:lXwpq+y1FWDls1MH5
No similar analyses found.

Processing ( 24.879 seconds )

  • 14.441 NetworkAnalysis
  • 7.445 Suricata
  • 1.38 VirusTotal
  • 0.704 BehaviorAnalysis
  • 0.697 TargetInfo
  • 0.193 AnalysisInfo
  • 0.008 Static
  • 0.005 Dropped
  • 0.002 Debug
  • 0.002 Memory
  • 0.002 Strings

Signatures ( 1.846 seconds )

  • 1.263 md_url_bl
  • 0.139 antiav_detectreg
  • 0.051 infostealer_ftp
  • 0.037 stealth_timeout
  • 0.029 antianalysis_detectreg
  • 0.029 infostealer_im
  • 0.027 api_spamming
  • 0.023 decoy_document
  • 0.022 antivm_generic_scsi
  • 0.016 infostealer_mail
  • 0.013 stealth_file
  • 0.011 antiav_detectfile
  • 0.011 md_domain_bl
  • 0.008 antivm_generic_services
  • 0.008 betabot_behavior
  • 0.008 geodo_banking_trojan
  • 0.008 infostealer_bitcoin
  • 0.007 kibex_behavior
  • 0.007 antivm_xen_keys
  • 0.007 darkcomet_regkeys
  • 0.006 mimics_filetime
  • 0.006 antivm_generic_disk
  • 0.006 antivm_parallels_keys
  • 0.005 reads_self
  • 0.005 antivm_generic_diskreg
  • 0.005 recon_fingerprint
  • 0.004 bootkit
  • 0.004 shifu_behavior
  • 0.004 persistence_autorun
  • 0.004 virus
  • 0.004 antivm_vbox_files
  • 0.004 md_bad_drop
  • 0.004 ransomware_files
  • 0.003 antiemu_wine_func
  • 0.003 hancitor_behavior
  • 0.003 antisandbox_productid
  • 0.003 ransomware_extensions
  • 0.002 tinba_behavior
  • 0.002 infostealer_browser_password
  • 0.002 kovter_behavior
  • 0.002 antivm_xen_keys
  • 0.002 antivm_generic_system
  • 0.002 antivm_hyperv_keys
  • 0.002 antivm_vbox_acpi
  • 0.002 antivm_vbox_keys
  • 0.002 antivm_vmware_keys
  • 0.002 antivm_vpc_keys
  • 0.002 bypass_firewall
  • 0.002 disables_browser_warn
  • 0.002 network_http
  • 0.002 network_torgateway
  • 0.002 packer_armadillo_regkey
  • 0.001 network_tor
  • 0.001 rat_nanocore
  • 0.001 antiav_avast_libs
  • 0.001 infostealer_browser
  • 0.001 injection_createremotethread
  • 0.001 antisandbox_sunbelt_libs
  • 0.001 antivm_vbox_libs
  • 0.001 exec_crash
  • 0.001 antidbg_windows
  • 0.001 cerber_behavior
  • 0.001 antidbg_devices
  • 0.001 antivm_generic_bios
  • 0.001 antivm_generic_cpu
  • 0.001 bot_drive
  • 0.001 bot_drive2
  • 0.001 modify_proxy
  • 0.001 browser_security
  • 0.001 rat_pcclient
  • 0.001 recon_programs

Reporting ( 0.673 seconds )

  • 0.596 ReportHTMLSummary
  • 0.077 Malheur

Task ID 169738
Mongo ID 5b4353f4bb7d57487f05abb9
Cuckoo release 1.4-Maldun