Analysis task

Analysis type  VM label  Start time  End time  Duration
File (Windows)  win7-sp1-x64-hpdapp01-1  2018-07-20 19:42:02  2018-07-20 19:44:43  161 seconds

魔盾 (Maldun) score

10.0

Dangerous

File details

File name  888.exe
File size  696832 bytes
File type  PE32 executable (GUI) Intel 80386, for MS Windows
MD5 df5d50f6c38bd42af06804dc9aa5a1bd
SHA1 0e902c303fd673fcb39ded1bd4b7481807255381
SHA256 bc8c230b27c2ff47a742ab387195996dd12b7c1a89bd11873911af81c38faae9
SHA512 8e808a2e5e1af219d0c1cb4f1450ad1c59c13323756f9a6b371f33c2ac47ff471025262d3cdb0d5f3dc89e266e178b9520b076859edd39275982a087db3cfb72
CRC32 30BB52DE
Ssdeep 12288:XYLc3Tt+bM48BhSEslLHgZ9M8x8GZE8IUD61RlpOzXls+k9jGHOO5:9Z+bM4WxMHg9uO61RlpI6iHR

Hosts contacted

Direct IP  Security rating  Location
118.193.211.11  unknown  China
222.187.239.189  China
47.52.209.241  Canada

Domain resolution

Domain  Security rating  Response
www.tj999.top  A  118.193.211.11

PE information

Image base  0x00400000
Entry point  0x00401d36
Claimed checksum  0x00000000
Actual checksum  0x000b3a82
Minimum OS version required  5.1
PDB path  D:\241\20180710xin888sysload\SysLoad\Release\SysLoad.pdb
Compile time  2018-07-17 00:00:04
Import hash  13f170d01b0d0ea9d624172c7ecbdf3f

PE sections

Name  Virtual address  Virtual size  Raw data size  Characteristics  Entropy
.text 0x00001000 0x0000b9f4 0x0000ba00 IMAGE_SCN_CNT_CODE|IMAGE_SCN_MEM_EXECUTE|IMAGE_SCN_MEM_READ 6.69
.rdata 0x0000d000 0x00004af6 0x00004c00 IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_READ 4.64
.data 0x00012000 0x0009a628 0x00098800 IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_READ|IMAGE_SCN_MEM_WRITE 7.89
.rsrc 0x000ad000 0x000001b0 0x00000200 IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_READ 4.49
.reloc 0x000ae000 0x00000d78 0x00000e00 IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_DISCARDABLE|IMAGE_SCN_MEM_READ 6.50

Imports

Library: ADVAPI32.dll
0x40d000 RegOpenKeyExA
0x40d004 RegQueryInfoKeyA
0x40d008 RegQueryValueExA
0x40d00c RegCloseKey
0x40d010 OpenSCManagerW
0x40d014 CloseServiceHandle
0x40d018 CreateServiceA
0x40d01c OpenServiceA
0x40d020 StartServiceW
Library: WS2_32.dll
0x40d134 send
0x40d138 connect
0x40d13c socket
0x40d140 htons
0x40d144 inet_addr
0x40d148 inet_ntoa
0x40d14c gethostbyname
0x40d150 WSAStartup
Library: IPHLPAPI.DLL
0x40d028 GetAdaptersInfo
Library: KERNEL32.dll
0x40d030 FlushFileBuffers
0x40d034 LCMapStringW
0x40d038 CreateFileW
0x40d03c lstrcmpiA
0x40d040 GetLastError
0x40d044 lstrcpyA
0x40d048 GetFullPathNameA
0x40d04c CreateFileA
0x40d050 WriteFile
0x40d054 CloseHandle
0x40d058 GetProcAddress
0x40d05c GetModuleHandleW
0x40d060 GetCurrentProcess
0x40d064 Sleep
0x40d068 HeapAlloc
0x40d06c HeapFree
0x40d070 GetCommandLineA
0x40d074 IsDebuggerPresent
0x40d07c EncodePointer
0x40d080 DecodePointer
0x40d084 ExitProcess
0x40d088 GetModuleHandleExW
0x40d08c MultiByteToWideChar
0x40d090 WideCharToMultiByte
0x40d094 GetStdHandle
0x40d098 GetModuleFileNameW
0x40d09c GetProcessHeap
0x40d0a0 SetLastError
0x40d0a4 GetCurrentThreadId
0x40d0a8 GetFileType
0x40d0b0 GetStartupInfoW
0x40d0b4 GetModuleFileNameA
0x40d0bc GetCurrentProcessId
0x40d0d8 TerminateProcess
0x40d0dc TlsAlloc
0x40d0e0 TlsGetValue
0x40d0e4 TlsSetValue
0x40d0e8 TlsFree
0x40d0f4 GetConsoleCP
0x40d0f8 GetConsoleMode
0x40d0fc SetFilePointerEx
0x40d100 IsValidCodePage
0x40d104 GetACP
0x40d108 GetOEMCP
0x40d10c GetCPInfo
0x40d110 LoadLibraryExW
0x40d114 OutputDebugStringW
0x40d118 RtlUnwind
0x40d11c SetStdHandle
0x40d120 WriteConsoleW
0x40d124 GetStringTypeW
0x40d128 HeapReAlloc
0x40d12c HeapSize

.text
`.rdata
@.data
.rsrc
@.reloc
Fhh&A
URPQQhpl@
SVWUj
(null)
`h````
CorExitProcess
FlsAlloc
FlsFree
FlsGetValue
FlsSetValue
InitializeCriticalSectionEx
CreateEventExW
CreateSemaphoreExW
SetThreadStackGuarantee
CreateThreadpoolTimer
SetThreadpoolTimer
WaitForThreadpoolTimerCallbacks
CloseThreadpoolTimer
CreateThreadpoolWait
SetThreadpoolWait
CloseThreadpoolWait
FlushProcessWriteBuffers
FreeLibraryWhenCallbackReturns
GetCurrentProcessorNumber
GetLogicalProcessorInformation
CreateSymbolicLinkW
SetDefaultDllDirectories
EnumSystemLocalesEx
CompareStringEx
GetDateFormatEx
GetLocaleInfoEx
GetTimeFormatEx
GetUserDefaultLocaleName
IsValidLocaleName
LCMapStringEx
GetCurrentPackageId
GetTickCount64
GetFileInformationByHandleExW
SetFileInformationByHandleW
Sunday
Monday
Tuesday
Wednesday
Thursday
Friday
Saturday
January
February
March
April
August
September
October
November
December
MM/dd/yy
dddd, MMMM dd, yyyy
HH:mm:ss
MessageBoxW
GetActiveWindow
GetLastActivePopup
GetUserObjectInformationW
GetProcessWindowStation
e+000
1#SNAN
1#IND
1#INF
1#QNAN
SYSTEM\CurrentControlSet\Control\Class\{4D36E972-E325-11CE-BFC1-08002BE10318}
NetCfgInstanceId
Characteristics
GetMAC Failed! ErrorCode: %d
GetMAC Failed! Because malloc failed!
%02X-%02X-%02X-%02X-%02X-%02X
%02X-%02X-%02X-%02X-%02X-%02X-%02X-%02X
IsWow64Process
ccc888
www.tj999.top
C:\Windows\temp\houczi.sys
houczi
D:\241\20180710xin888sysload\SysLoad\Release\SysLoad.pdb
RegOpenKeyExA
RegQueryInfoKeyA
RegQueryValueExA
RegCloseKey
OpenSCManagerW
CloseServiceHandle
CreateServiceA
OpenServiceA
StartServiceW
ADVAPI32.dll
WS2_32.dll
GetAdaptersInfo
IPHLPAPI.DLL
lstrcmpiA
GetLastError
lstrcpyA
GetFullPathNameA
CreateFileA
WriteFile
CloseHandle
GetProcAddress
GetModuleHandleW
GetCurrentProcess
Sleep
HeapAlloc
HeapFree
GetCommandLineA
IsDebuggerPresent
IsProcessorFeaturePresent
EncodePointer
DecodePointer
ExitProcess
GetModuleHandleExW
MultiByteToWideChar
WideCharToMultiByte
GetStdHandle
GetModuleFileNameW
GetProcessHeap
SetLastError
GetCurrentThreadId
GetFileType
DeleteCriticalSection
GetStartupInfoW
GetModuleFileNameA
QueryPerformanceCounter
GetCurrentProcessId
GetSystemTimeAsFileTime
GetEnvironmentStringsW
FreeEnvironmentStringsW
UnhandledExceptionFilter
SetUnhandledExceptionFilter
InitializeCriticalSectionAndSpinCount
TerminateProcess
TlsAlloc
TlsGetValue
TlsSetValue
TlsFree
EnterCriticalSection
LeaveCriticalSection
GetConsoleCP
GetConsoleMode
SetFilePointerEx
IsValidCodePage
GetACP
GetOEMCP
GetCPInfo
LoadLibraryExW
OutputDebugStringW
RtlUnwind
SetStdHandle
WriteConsoleW
GetStringTypeW
HeapReAlloc
HeapSize
LCMapStringW
FlushFileBuffers
CreateFileW
KERNEL32.dll
abcdefghijklmnopqrstuvwxyz
ABCDEFGHIJKLMNOPQRSTUVWXYZ
abcdefghijklmnopqrstuvwxyz
ABCDEFGHIJKLMNOPQRSTUVWXYZ
(null)
mscoree.dll
runtime error
Program:
<program name unknown>
Microsoft Visual C++ Runtime Library
kernel32.dll
@ja-JP
zh-CN
ko-KR
zh-TW
Sunday
Monday
Tuesday
Wednesday
Thursday
Friday
Saturday
January
February
March
April
August
September
October
November
December
MM/dd/yy
dddd, MMMM dd, yyyy
HH:mm:ss
en-US
USER32.DLL
zh-CHS
ar-SA
bg-BG
ca-ES
cs-CZ
da-DK
de-DE
el-GR
fi-FI
fr-FR
he-IL
hu-HU
is-IS
it-IT
nl-NL
nb-NO
pl-PL
pt-BR
ro-RO
ru-RU
hr-HR
sk-SK
sq-AL
sv-SE
th-TH
tr-TR
ur-PK
id-ID
uk-UA
be-BY
sl-SI
et-EE
lv-LV
lt-LT
fa-IR
vi-VN
hy-AM
az-AZ-Latn
eu-ES
mk-MK
tn-ZA
xh-ZA
zu-ZA
af-ZA
ka-GE
fo-FO
hi-IN
mt-MT
se-NO
ms-MY
kk-KZ
ky-KG
sw-KE
uz-UZ-Latn
tt-RU
bn-IN
pa-IN
gu-IN
ta-IN
te-IN
kn-IN
ml-IN
mr-IN
sa-IN
mn-MN
cy-GB
gl-ES
kok-IN
syr-SY
div-MV
quz-BO
ns-ZA
mi-NZ
ar-IQ
de-CH
en-GB
es-MX
fr-BE
it-CH
nl-BE
nn-NO
pt-PT
sr-SP-Latn
sv-FI
az-AZ-Cyrl
se-SE
ms-BN
uz-UZ-Cyrl
quz-EC
ar-EG
zh-HK
de-AT
en-AU
es-ES
fr-CA
sr-SP-Cyrl
se-FI
quz-PE
ar-LY
zh-SG
de-LU
en-CA
es-GT
fr-CH
hr-BA
smj-NO
ar-DZ
zh-MO
de-LI
en-NZ
es-CR
fr-LU
bs-BA-Latn
smj-SE
ar-MA
en-IE
es-PA
fr-MC
sr-BA-Latn
sma-NO
ar-TN
en-ZA
es-DO
sr-BA-Cyrl
sma-SE
ar-OM
en-JM
es-VE
sms-FI
ar-YE
en-CB
es-CO
smn-FI
ar-SY
en-BZ
es-PE
ar-JO
en-TT
es-AR
ar-LB
en-ZW
es-EC
ar-KW
en-PH
es-CL
ar-AE
es-UY
ar-BH
es-PY
ar-QA
es-BO
es-SV
es-HN
es-NI
es-PR
zh-CHT
af-za
ar-ae
ar-bh
ar-dz
ar-eg
ar-iq
ar-jo
ar-kw
ar-lb
ar-ly
ar-ma
ar-om
ar-qa
ar-sa
ar-sy
ar-tn
ar-ye
az-az-cyrl
az-az-latn
be-by
bg-bg
bn-in
bs-ba-latn
ca-es
cs-cz
cy-gb
da-dk
de-at
de-ch
de-de
de-li
de-lu
div-mv
el-gr
en-au
en-bz
en-ca
en-cb
en-gb
en-ie
en-jm
en-nz
en-ph
en-tt
en-us
en-za
en-zw
es-ar
es-bo
es-cl
es-co
es-cr
es-do
es-ec
es-es
es-gt
es-hn
es-mx
es-ni
es-pa
es-pe
es-pr
es-py
es-sv
es-uy
es-ve
et-ee
eu-es
fa-ir
fi-fi
fo-fo
fr-be
fr-ca
fr-ch
fr-fr
fr-lu
fr-mc
gl-es
gu-in
he-il
hi-in
hr-ba
hr-hr
hu-hu
hy-am
id-id
is-is
it-ch
it-it
ja-jp
ka-ge
kk-kz
kn-in
kok-in
ko-kr
ky-kg
lt-lt
lv-lv
mi-nz
mk-mk
ml-in
mn-mn
mr-in
ms-bn
ms-my
mt-mt
nb-no
nl-be
nl-nl
nn-no
ns-za
pa-in
pl-pl
pt-br
pt-pt
quz-bo
quz-ec
quz-pe
ro-ro
ru-ru
sa-in
se-fi
se-no
se-se
sk-sk
sl-si
sma-no
sma-se
smj-no
smj-se
smn-fi
sms-fi
sq-al
sr-ba-cyrl
sr-ba-latn
sr-sp-cyrl
sr-sp-latn
sv-fi
sv-se
sw-ke
syr-sy
ta-in
te-in
th-th
tn-za
tr-tr
tt-ru
uk-ua
ur-pk
uz-uz-cyrl
uz-uz-latn
vi-vn
xh-za
zh-chs
zh-cht
zh-cn
zh-hk
zh-mo
zh-sg
zh-tw
zu-za
CONOUT$
kernel32
No antivirus engine scan information!

Process tree

888.exe, PID: 1888, parent PID: 1520
services.exe, PID: 428, parent PID: 332
mscorsvw.exe, PID: 2300, parent PID: 428
mscorsvw.exe, PID: 2408, parent PID: 428

TCP

Source address  Source port  Destination address  Destination port
192.168.122.201  49163  118.193.211.11 (www.tj999.top)  80
192.168.122.201  49166  222.187.239.189  20101
192.168.122.201  49177  222.187.239.189  20101
192.168.122.201  49183  222.187.239.189  20100

UDP

Source address  Source port  Destination address  Destination port
192.168.122.201  57651  192.168.122.1  53

HTTP requests

URI  HTTP data
http://www.tj999.top/tongji.php?userid=ccc888&mac=52-54-00-8A-47-09
GET /tongji.php?userid=ccc888&mac=52-54-00-8A-47-09 HTTP/1.1
Host:www.tj999.top
Connection: Keep-Alive

\x00

SMTP traffic

No SMTP traffic.

IRC traffic

No IRC requests.

ICMP traffic

No ICMP traffic.

CIF report

No CIF results

Network alerts

Timestamp Source IP Source Port Destination IP Destination Port Protocol SID Signature Category
2018-07-20 19:42:42.884443+0800 192.168.122.201 57651 192.168.122.1 53 UDP 2023883 ET DNS Query to a *.top domain - Likely Hostile Potentially Bad Traffic

TLS

No TLS

Suricata HTTP

No Suricata HTTP

No network-extracted files found.
Sorry! No files were dropped.
No similar analyses found.

Processing ( 42.962 seconds )

  • 12.99 NetworkAnalysis
  • 11.92 Suricata
  • 11.793 VirusTotal
  • 3.01 Static
  • 1.903 TargetInfo
  • 0.567 peid
  • 0.375 BehaviorAnalysis
  • 0.318 AnalysisInfo
  • 0.063 Debug
  • 0.018 Strings
  • 0.003 Memory
  • 0.002 config_decoder

Signatures ( 2.525 seconds )

  • 2.033 md_url_bl
  • 0.14 md_bad_drop
  • 0.063 antiav_detectreg
  • 0.024 infostealer_ftp
  • 0.02 stealth_timeout
  • 0.017 api_spamming
  • 0.014 infostealer_im
  • 0.014 md_domain_bl
  • 0.013 decoy_document
  • 0.013 antianalysis_detectreg
  • 0.009 antiav_detectfile
  • 0.008 shifu_behavior
  • 0.008 antivm_generic_disk
  • 0.008 persistence_autorun
  • 0.008 geodo_banking_trojan
  • 0.008 infostealer_mail
  • 0.007 ransomware_files
  • 0.006 mimics_filetime
  • 0.006 infostealer_bitcoin
  • 0.006 ransomware_extensions
  • 0.005 reads_self
  • 0.005 stealth_file
  • 0.005 antivm_generic_scsi
  • 0.005 virus
  • 0.004 bootkit
  • 0.004 hancitor_behavior
  • 0.004 antivm_vbox_files
  • 0.004 disables_browser_warn
  • 0.004 network_http
  • 0.003 rat_nanocore
  • 0.003 tinba_behavior
  • 0.003 betabot_behavior
  • 0.003 kibex_behavior
  • 0.003 cerber_behavior
  • 0.003 antivm_xen_keys
  • 0.003 darkcomet_regkeys
  • 0.003 network_torgateway
  • 0.002 antivm_generic_services
  • 0.002 antivm_generic_diskreg
  • 0.002 antivm_parallels_keys
  • 0.002 bot_drive
  • 0.002 modify_proxy
  • 0.002 browser_security
  • 0.002 recon_fingerprint
  • 0.001 network_tor
  • 0.001 kazybot_behavior
  • 0.001 ursnif_behavior
  • 0.001 antianalysis_detectfile
  • 0.001 antidbg_devices
  • 0.001 antisandbox_productid
  • 0.001 antivm_xen_keys
  • 0.001 antivm_hyperv_keys
  • 0.001 antivm_vbox_acpi
  • 0.001 antivm_vbox_keys
  • 0.001 antivm_vmware_keys
  • 0.001 antivm_vpc_keys
  • 0.001 banker_zeus_mutex
  • 0.001 bot_drive2
  • 0.001 browser_addon
  • 0.001 bypass_firewall
  • 0.001 disables_system_restore
  • 0.001 disables_windows_defender
  • 0.001 modify_uac_prompt
  • 0.001 network_cnc_http
  • 0.001 packer_armadillo_regkey
  • 0.001 stealth_hide_notifications

Reporting ( 1.006 seconds )

  • 0.624 ReportHTMLSummary
  • 0.382 Malheur
Task ID 171261
Mongo ID 5b51cb5d2e063307d23391c5
Cuckoo release 1.4-Maldun