Analysis task

Analysis type  VM tag  Start time  End time  Duration
File (Windows)  win7-sp1-x64-hpdapp01-1  2019-01-22 03:08:38  2019-01-22 03:11:41  183 seconds

Maldun score

10.0

Servstart malware

File details

File name  Cache.dat
File size  25600 bytes
File type  PE32 executable (GUI) Intel 80386, for MS Windows
MD5 201b0dcb7234bcde0a0d71eeb99ced6b
SHA1 2853c2b1171f9990800891580802c6d562f826c7
SHA256 ca1a82ee601bd2def5d4fd6b2e84df4289691a34a23496a23bb8d51465828065
SHA512 d0ad460835ef2e4aa671e4cbaa7f0af4dc3f76938ed20ac6f2e307201b814a318f7d40cf552456f5233c8264734be703c6f2b130b95565601ab4c9d3d87a390a
CRC32 08D56460
Ssdeep 384:G4vo0B5ugihbUgVmDh4bGBoRlFvWcpmdCUwQZdJNqnWi7UB8c1oOOuK+wy+y:+02UgIeKBSU/Xis8cQy+y

Contacted hosts

Direct IP  Safety rating  Location
173.254.202.168  Unknown  United States

Domain resolution

Domain  Safety rating  Response
soojoy.f3322.net  (none)  A 173.254.202.168

Summary

The static and dynamic data on this page are consistent with a ServStart/Nitol-style service installer with a downloader stage. The points below are drawn only from the imports, strings, process tree and network records shown here.

- Persistence as a Windows service: ADVAPI32 imports OpenSCManagerA, CreateServiceA, StartServiceA and SetServiceStatus, plus the strings `SYSTEM\CurrentControlSet\Services\` and `Description`. The process tree confirms it: services.exe (PID 428) starts amqwwq.exe (PID 2580), a name of exactly the shape the `%c%c%c%c%c%c.exe` format string yields from the charset `0123456789abcdefghijklmnopqrstuvwxyz`.
- Self-removal of the dropper: Cache.dat (PID 2444) spawns cmd.exe (PID 2672), and the strings `COMSPEC`, `/c del` and `> nul` are the pieces of the usual delete-self command line.
- Downloader stage resolved at run time: `urlmon.dll` and `URLDownloadToFileA` appear in the strings but not in the import table, while LoadLibraryA and GetProcAddress are imported.
- C2: soojoy.f3322.net (a dynamic DNS name) resolved to 173.254.202.168. Only the DNS query was recorded, no TCP connection, so no download or check-in happened during the 183-second run. `192.168.0.100:8080` and `192.168.1.244` are further embedded addresses, both in private ranges. The request format strings (`#0%s!`, `%s/%s`, `%d.%d.%d.%d`) and `GET ^FuckAvast .htm` were not exercised.
- Host fingerprinting: `%u MHz` with `HARDWARE\DESCRIPTION\System\CentralProcessor\0`, `%u MB` with GlobalMemoryStatusEx, and `ProductName` under `SOFTWARE\Microsoft\Windows NT\CurrentVersion` matched against the Windows 2000 to Windows 7/2008 name table; GetComputerNameA is imported as well.

PE information

Image base  0x00400000
Entry point  0x00404f9f
Declared checksum  0x00000000
Actual checksum  0x000111a3
Minimum OS version  4.0
Compile time  2015-01-28 17:43:36
Import hash  8569656ff3314023cf8db4198febb66e

The declared checksum of 0 means the linker never wrote one; the "actual" value is what the sandbox computed over the file. A zero checksum is common in benign user-mode builds and is not by itself a packing or tampering sign. A nonzero declared value that disagrees with the computed one would be, since it means the image changed after linking.
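The declared/actual pair above can be reproduced offline. The Python below is an added example, not part of the Maldun report or of the sample: it implements the PE image checksum the way imagehlp's CheckSumMappedFile does (little-endian 32-bit words summed with end-around carry, the CheckSum field itself skipped, folded to 16 bits, plus the file length), reads the declared value from the optional header, and classifies the pair. `build_stub` fabricates a minimal MZ/PE-shaped buffer for the demonstration; it is not Cache.dat, and the 0x98 field offset only holds for that stub's layout.

```python
import struct


def pe_checksum_offset(data: bytes) -> int:
    """File offset of IMAGE_OPTIONAL_HEADER.CheckSum.

    e_lfanew (at 0x3C) -> "PE\\0\\0", then the 20-byte IMAGE_FILE_HEADER, then the
    optional header, in which CheckSum sits at +0x40 for both PE32 and PE32+.
    """
    if data[:2] != b"MZ":
        raise ValueError("not an MZ image")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("PE signature not found")
    return e_lfanew + 4 + 20 + 0x40


def pe_checksum(data: bytes) -> int:
    """PE image checksum as imagehlp's CheckSumMappedFile computes it.

    Sum the file as little-endian 32-bit words with end-around carry, skipping
    the CheckSum field itself; fold to 16 bits; add the file length. A trailing
    partial word is zero-padded.
    """
    skip = pe_checksum_offset(data) // 4
    padded = data + b"\0" * ((4 - len(data) % 4) % 4)
    total = 0
    for i in range(len(padded) // 4):
        if i == skip:
            continue
        total += struct.unpack_from("<I", padded, i * 4)[0]
        if total >= 1 << 32:
            total = (total & 0xFFFFFFFF) + (total >> 32)
    total = (total & 0xFFFF) + (total >> 16)
    total += total >> 16
    return (total & 0xFFFF) + len(data)


def declared_checksum(data: bytes) -> int:
    """The CheckSum value stored in the optional header."""
    return struct.unpack_from("<I", data, pe_checksum_offset(data))[0]


def classify(data: bytes) -> str:
    """Verdict for the declared/actual pair the sandbox prints."""
    declared = declared_checksum(data)
    if declared == 0:
        return "unset"       # linker wrote no checksum (Cache.dat: 0x00000000 vs 0x000111a3)
    if declared == pe_checksum(data):
        return "valid"
    return "mismatch"        # image altered after linking without fixing the field up


def build_stub(checksum: int = 0, size: int = 0x100) -> bytes:
    """Constructed minimal MZ/PE-shaped buffer for the demo; not a runnable PE."""
    buf = bytearray(size)
    buf[:2] = b"MZ"
    struct.pack_into("<I", buf, 0x3C, 0x40)          # e_lfanew -> PE header at 0x40
    buf[0x40:0x44] = b"PE\0\0"
    struct.pack_into("<I", buf, 0x40 + 4 + 20 + 0x40, checksum)  # CheckSum field at 0x98
    return bytes(buf)


if __name__ == "__main__":
    for stub in (build_stub(), build_stub(0xA0DD), build_stub(0x1234)):
        print(f"declared 0x{declared_checksum(stub):08x} "
              f"actual 0x{pe_checksum(stub):08x} -> {classify(stub)}")
```

The loader only enforces this checksum for drivers and a handful of system images, so user-mode malware pays no price for leaving it zero or wrong; treat "unset" as neutral and "mismatch" as a reason to look for post-link patching or infection.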

PE sections

Three standard sections with raw sizes close to their virtual sizes and moderate entropy (6.13 for code); nothing here suggests a packer, which matches the plaintext format strings and API names in the strings section.

Name  Virtual address  Virtual size  Raw data size  Characteristics  Entropy
.text 0x00001000 0x000041ba 0x00004200 IMAGE_SCN_CNT_CODE|IMAGE_SCN_MEM_EXECUTE|IMAGE_SCN_MEM_READ 6.13
.rdata 0x00006000 0x0000102c 0x00001200 IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_READ 3.51
.data 0x00008000 0x00000c34 0x00000c00 IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_READ|IMAGE_SCN_MEM_WRITE 4.85

Imports

Note: the listing below (IAT slot, function) skips slots 0x406040, 0x406064 and 0x40606c in KERNEL32, 0x406024 and 0x406028 in ADVAPI32, and 0x4060cc in MSVCRT. The API names that appear only in the strings section, GetEnvironmentVariableA, GlobalMemoryStatusEx, GetSystemDefaultUILanguage, RegisterServiceCtrlHandlerA, StartServiceCtrlDispatcherA and ??1type_info@@UAE@XZ, account for exactly those six gaps, so the table is an incomplete rendering rather than evidence that the binary lacks them. StartServiceCtrlDispatcherA in particular is what a service image needs in order to run under services.exe, as amqwwq.exe does in the process tree.

Library: KERNEL32.dll:
0x406038 lstrcatA
0x40603c lstrcpyA
0x406044 GetShortPathNameA
0x406048 GetModuleFileNameA
0x40604c ExitProcess
0x406050 GetLastError
0x406054 CreateMutexA
0x406058 GetCurrentProcess
0x40605c CopyFileA
0x406060 GetSystemDirectoryA
0x406068 GetComputerNameA
0x406070 GetModuleHandleA
0x406074 TerminateProcess
0x406078 SetPriorityClass
0x40607c GetCurrentThread
0x406080 SetThreadPriority
0x406084 CreateProcessA
0x406088 ResumeThread
0x40608c WaitForSingleObject
0x406090 CloseHandle
0x406094 GetTempPathA
0x406098 LoadLibraryA
0x40609c GetProcAddress
0x4060a0 WinExec
0x4060a4 CreateThread
0x4060a8 lstrlenA
0x4060ac Sleep
0x4060b0 ExitThread
0x4060b4 GetTickCount
0x4060b8 GetStartupInfoA
Library: USER32.dll:
0x406144 wsprintfA
Library: ADVAPI32.dll:
0x406000 OpenSCManagerA
0x406004 CreateServiceA
0x406008 OpenServiceA
0x40600c StartServiceA
0x406010 RegOpenKeyA
0x406014 RegSetValueExA
0x406018 CloseServiceHandle
0x40601c RegCloseKey
0x406020 RegOpenKeyExA
0x40602c SetServiceStatus
0x406030 RegQueryValueExA
Library: WS2_32.dll:
0x40614c WSAStartup
0x406150 send
0x406154 select
0x406158 __WSAFDIsSet
0x40615c recv
0x406160 setsockopt
0x406164 connect
0x406168 closesocket
0x40616c WSAIoctl
0x406170 socket
0x406174 htons
0x406178 gethostbyname
0x40617c inet_addr
0x406180 sendto
0x406184 WSASocketA
0x406188 htonl
Library: MSVCRT.dll:
0x4060c0 rand
0x4060c4 __p__commode
0x4060c8 _controlfp
0x4060d0 ??3@YAXPAX@Z
0x4060d4 __set_app_type
0x4060d8 memcpy
0x4060dc atoi
0x4060e0 strcpy
0x4060e4 strncpy
0x4060e8 strcspn
0x4060ec strstr
0x4060f0 strcat
0x4060f4 sprintf
0x4060f8 localtime
0x4060fc time
0x406100 exit
0x406104 memset
0x406108 strncmp
0x40610c strlen
0x406110 _except_handler3
0x406114 _adjust_fdiv
0x406118 malloc
0x40611c __CxxFrameHandler
0x406120 _CxxThrowException
0x406124 _exit
0x406128 _XcptFilter
0x40612c _acmdln
0x406130 __getmainargs
0x406134 _initterm
0x406138 __setusermatherr
0x40613c __p__fmode

Strings

Printable strings from the file. The `WWVh...@` entries near the top are not text but x86 opcode runs (push edi / push edi / push esi / push imm32) whose 32-bit immediates, for example 0x00402d50 for `WWVhP-@`, fall inside .text; the readable material begins at the charset line.

.text
`.rdata
@.data
WWVhP-@
WWVh0G@
WWVhP-@
WWVh0>@
WWVhP-@
WWVh 1@
WWVhP-@
WWVh0>@
WWVh@D@
WWVh@D@
WWVhP-@
~KWWVh0G@
WWVh@7@
~<WWVh@N@
WWVhPM@
0123456789abcdefghijklmnopqrstuvwxyz
GET ^FuckAvast .htm
Sleep
CreateThread
WinExec
GetProcAddress
LoadLibraryA
GetTempPathA
CloseHandle
WaitForSingleObject
ResumeThread
CreateProcessA
SetThreadPriority
GetCurrentThread
SetPriorityClass
GetCurrentProcess
lstrcatA
lstrcpyA
GetEnvironmentVariableA
GetShortPathNameA
GetModuleFileNameA
ExitProcess
GetLastError
CreateMutexA
lstrlenA
CopyFileA
GetSystemDirectoryA
GlobalMemoryStatusEx
GetComputerNameA
GetSystemDefaultUILanguage
KERNEL32.dll
wsprintfA
USER32.dll
SetServiceStatus
RegisterServiceCtrlHandlerA
StartServiceCtrlDispatcherA
RegOpenKeyExA
RegCloseKey
CloseServiceHandle
RegSetValueExA
RegOpenKeyA
StartServiceA
OpenServiceA
CreateServiceA
OpenSCManagerA
RegQueryValueExA
ADVAPI32.dll
WSAIoctl
WS2_32.dll
memcpy
strcpy
strncpy
strcspn
strstr
strcat
sprintf
localtime
memset
strncmp
strlen
_except_handler3
malloc
__CxxFrameHandler
_CxxThrowException
MSVCRT.dll
_exit
_XcptFilter
_acmdln
__getmainargs
_initterm
__setusermatherr
_adjust_fdiv
__p__commode
__p__fmode
__set_app_type
??3@YAXPAX@Z
??1type_info@@UAE@XZ
_controlfp
GetTickCount
ExitThread
TerminateProcess
GetModuleHandleA
GetStartupInfoA
WSASocketA
192.168.0.100:8080
soojoy.f3322.net
\%c%c%c%c%c.exe
URLDownloadToFileA
urlmon.dll
%c%c%c%c%c.exe
> nul
/c del
COMSPEC
%04d%02d%02d
SYSTEM\CurrentControlSet\Services\
Description
%c%c%c%c%c%c.exe
BF2008
%u MB
%u MHz
HARDWARE\DESCRIPTION\System\CentralProcessor\0
Windows NT
Windows 7
Windows 2008
Windows Vista
Vista
Windows 2003
Windows XP
Windows 2000
ProductName
SOFTWARE\Microsoft\Windows NT\CurrentVersion
KERNEL32.dll
GetSystemDirectoryA
#0%s!
%s/%s
%s %s%s
%d.%d.%d.%d
192.168.1.244
.?AVtype_info@@
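The strings above are what a `strings`-style scan of this unpacked file yields, and they carry enough of the malware's format strings and paths to write a static triage rule. The Python below is an added example, not code from the report or from the sample: `extract_strings` reproduces the printable-ASCII extraction (minimum length 4) and `triage` matches the result against indicators copied from this page. The indicator labels and weights are this editor's choice, and `SAMPLE_BLOB` is a constructed byte string that embeds a subset of the page's strings between non-printable bytes; it is not Cache.dat.

```python
import re
from dataclasses import dataclass

MIN_LEN = 4  # same floor as `strings -n 4`

# Indicators copied from the strings section of this report. Labels and weights
# are this example's own choice, not part of the report.
INDICATORS = [
    ("dynamic-DNS C2 host",         re.compile(rb"\.f3322\.net$"),                           3),
    ("service registry path",       re.compile(rb"^SYSTEM\\CurrentControlSet\\Services\\$"), 2),
    ("random exe-name format",      re.compile(rb"^\\?(%c){5,6}\.exe$"),                     2),
    ("self-delete via cmd",         re.compile(rb"^(/c del|> nul|COMSPEC)$"),                1),
    ("runtime-resolved downloader", re.compile(rb"^(urlmon\.dll|URLDownloadToFileA)$"),     2),
    ("hardware fingerprint",        re.compile(rb"^%u (MB|MHz)$"),                           1),
    ("AV taunt marker",             re.compile(rb"FuckAvast"),                               1),
]


def extract_strings(blob: bytes, min_len: int = MIN_LEN):
    """Return runs of printable ASCII (0x20-0x7e) at least min_len bytes long."""
    return re.findall(rb"[\x20-\x7e]{%d,}" % min_len, blob)


@dataclass(frozen=True)
class Hit:
    label: str
    string: bytes


def triage(blob: bytes):
    """Match extracted strings against INDICATORS; return (hits, score).

    The score counts each label once, however many strings matched it.
    """
    hits, seen = [], set()
    for s in extract_strings(blob):
        for label, pattern, _ in INDICATORS:
            if pattern.search(s) and (label, s) not in seen:
                seen.add((label, s))
                hits.append(Hit(label, s))
    matched = {h.label for h in hits}
    score = sum(w for label, _, w in INDICATORS if label in matched)
    return hits, score


# Constructed test input: a subset of the page's strings separated by NUL bytes,
# wrapped in non-printable filler. This is not the real Cache.dat.
SAMPLE_BLOB = b"\x00\x01MZ\x90\x00" + b"\x00".join([
    b"0123456789abcdefghijklmnopqrstuvwxyz",
    b"GET ^FuckAvast .htm",
    b"192.168.0.100:8080",
    b"soojoy.f3322.net",
    b"\\%c%c%c%c%c.exe",
    b"URLDownloadToFileA",
    b"urlmon.dll",
    b"> nul",
    b"/c del",
    b"COMSPEC",
    b"SYSTEM\\CurrentControlSet\\Services\\",
    b"%u MB",
    b"%u MHz",
    b"ab",  # shorter than MIN_LEN, so the extractor drops it
]) + b"\xff\xfe"


if __name__ == "__main__":
    found, total = triage(SAMPLE_BLOB)
    for h in found:
        print(f"{h.label:28s} {h.string!r}")
    print("score:", total)
```

Rules of this kind work here only because the sample is unpacked (moderate .text entropy, plaintext format strings); against a packed variant the same rule must run over a memory dump taken after the unpacking stub has finished.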
Antivirus results (VirusTotal; the signature database dates are July 2016, well before this January 2019 run, so the verdicts come from an earlier VirusTotal scan rather than a rescan at analysis time)

Engine/vendor  Detection name  Signature date
Bkav Not detected 20160705
TotalDefense Not detected 20160705
MicroWorld-eScan Generic.ServStart.814746FC 20160705
nProtect Generic.ServStart.814746FC 20160705
CMC Not detected 20160704
CAT-QuickHeal Not detected 20160705
McAfee Trojan-FGAW!201B0DCB7234 20160705
Malwarebytes Trojan.Agent.FVA 20160705
Zillya Trojan.ServStart.Win32.5894 20160705
SUPERAntiSpyware Not detected 20160705
K7AntiVirus Trojan ( 0048f1971 ) 20160705
Alibaba Not detected 20160705
K7GW Trojan ( 0048f1971 ) 20160705
TheHacker Not detected 20160705
Arcabit Generic.ServStart.DC6E9AFC 20160705
Baidu Win32.Trojan.ServStart.j 20160705
F-Prot W32/QQhelper.C.gen!Eldorado 20160705
Symantec Backdoor.Trojan 20160705
ESET-NOD32 a variant of Win32/ServStart.DT 20160705
TrendMicro-HouseCall WORM_NITOL.SMB0 20160705
Avast Win32:Nitol-B [Trj] 20160705
ClamAV Not detected 20160706
Kaspersky HEUR:Trojan.Win32.Generic 20160705
BitDefender Generic.ServStart.814746FC 20160706
NANO-Antivirus Trojan.Win32.DownLoader15.dvjcqs 20160705
AegisLab Troj.W32.Generic!c 20160705
Ad-Aware Generic.ServStart.814746FC 20160705
Emsisoft Generic.ServStart.814746FC (B) 20160704
Comodo Not detected 20160705
F-Secure Generic.ServStart.814746FC 20160705
DrWeb Trojan.DownLoader15.47152 20160705
VIPRE Trojan.Win32.Nitol.b (v) 20160705
TrendMicro WORM_NITOL.SMB0 20160705
McAfee-GW-Edition BehavesLike.Win32.Backdoor.mm 20160705
Sophos Mal/Behav-116 20160705
Cyren W32/QQhelper.C.gen!Eldorado 20160706
Jiangmin Trojan.Generic.abxpt 20160705
Avira WORM/Rbot.Gen 20160705
Antiy-AVL Not detected 20160705
Kingsoft Not detected 20160706
Microsoft TrojanDownloader:Win32/Yemrok.A 20160705
ViRobot Trojan.Win32.Z.Servstart.25600.C[h] 20160705
GData Generic.ServStart.814746FC 20160705
AhnLab-V3 Trojan/Win32.Agent.N1663380932 20160705
ALYac Generic.ServStart.814746FC 20160705
AVware Trojan.Win32.Nitol.b (v) 20160705
VBA32 BScope.Trojan.Win32.Inject.2 20160705
Zoner Not detected 20160705
Tencent Win32.Worm.Rbot.Hmhn 20160706
Ikarus Trojan.Win32.ServStart 20160705
Fortinet W32/Agent.QUB!tr 20160705
AVG Win32/DH{ZzYD?} 20160705
Panda Trj/CI.A 20160705
Qihoo-360 HEUR/QVM07.1.Malware.Gen 20160706

Process tree

Cache.dat (PID 2444, parent PID 2300)  (the sample; a PE executable despite its .dat extension)
  cmd.exe (PID 2672, parent PID 2444)
services.exe (PID 428, parent PID 332)
  amqwwq.exe (PID 2580, parent PID 428)

cmd.exe under the sample fits the `COMSPEC` / `/c del` / `> nul` strings (delete-self). amqwwq.exe under services.exe is the installed service; its name matches the `%c%c%c%c%c%c.exe` format string over the lowercase alphanumeric charset in the strings section.
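The process tree is the dynamic confirmation of the service-install and self-delete behaviour the strings suggest, and it can be turned into a sandbox-side check. The Python below is an added example, not part of the report: it rebuilds the parent/child tree from the flat (name, PID, parent PID) records above and applies two checks, a random-looking 5-6 character lowercase alphanumeric image name (the shape the `%c%c%c%c%c.exe` / `%c%c%c%c%c%c.exe` format strings produce from the `0123456789abcdefghijklmnopqrstuvwxyz` charset) started by services.exe, and a shell spawned by the sample itself. `PROCESS_TREE` is copied from the page; the allowlist of legitimate short service names and the shell set are assumptions chosen for illustration.

```python
import re
from collections import defaultdict

# Process records copied from the process tree above: (image name, PID, parent PID).
PROCESS_TREE = [
    ("Cache.dat", 2444, 2300),
    ("services.exe", 428, 332),
    ("amqwwq.exe", 2580, 428),
    ("cmd.exe", 2672, 2444),
]

# Shape produced by the "%c%c%c%c%c.exe" / "%c%c%c%c%c%c.exe" format strings over
# the charset "0123456789abcdefghijklmnopqrstuvwxyz" found in the binary.
RANDOM_NAME = re.compile(r"^[0-9a-z]{5,6}\.exe$")
SERVICE_HOST = "services.exe"
# Assumptions for illustration: legitimate short-named images that may run under
# services.exe, and the shells a delete-self command line runs under.
ALLOWLIST = {"msdtc.exe", "lsass.exe", "smss.exe", "csrss.exe"}
SHELLS = {"cmd.exe"}


def build_tree(records):
    """Map PID -> (name, parent PID) and parent PID -> [child PIDs]."""
    by_pid = {pid: (name, ppid) for name, pid, ppid in records}
    children = defaultdict(list)
    for _, pid, ppid in records:
        children[ppid].append(pid)
    return by_pid, children


def find_suspicious(records, sample_name):
    """Return (reason, PID) pairs for processes that fit the ServStart pattern."""
    by_pid, _ = build_tree(records)
    sample_pids = {pid for name, pid, _ in records if name == sample_name}
    findings = []
    for pid, (name, ppid) in by_pid.items():
        parent_name = by_pid.get(ppid, ("<unknown>", None))[0]
        lname = name.lower()
        if (parent_name == SERVICE_HOST and RANDOM_NAME.match(lname)
                and lname not in ALLOWLIST):
            findings.append(("random-named service image started by services.exe", pid))
        if ppid in sample_pids and lname in SHELLS:
            findings.append(("shell spawned by the sample (fits the /c del ... > nul strings)", pid))
    return findings


def render(records):
    """Indented tree as a list of strings; processes whose parent is absent are roots."""
    by_pid, children = build_tree(records)
    lines = []

    def walk(pid, depth):
        lines.append("  " * depth + f"{by_pid[pid][0]} (PID {pid})")
        for child in children[pid]:
            walk(child, depth + 1)

    for pid, (_, ppid) in by_pid.items():
        if ppid not in by_pid:
            walk(pid, 0)
    return lines


if __name__ == "__main__":
    print("\n".join(render(PROCESS_TREE)))
    for reason, pid in find_suspicious(PROCESS_TREE, "Cache.dat"):
        print(f"[!] PID {pid}: {reason}")
```

On the page's tree this flags amqwwq.exe (PID 2580) and cmd.exe (PID 2672). The name shape alone is a weak signal (legitimate images such as msdtc.exe also fit it), which is why it is combined with the parent-process check and an allowlist; on a live host you would add the service's ImagePath and Description registry values, the latter being a key the sample's strings show it writes.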


TCP

No TCP connection records.

UDP

Source address  Source port  Destination address  Destination port
192.168.122.201  62233  192.168.122.1  53  (DNS query to the sandbox resolver; the only network activity recorded)


HTTP requests

No HTTP requests found.

SMTP traffic

No SMTP traffic.

IRC traffic

No IRC requests.

ICMP traffic

No ICMP traffic.

CIF report

No CIF results.

Network alerts

No alerts.

TLS

No TLS.

Suricata HTTP

No Suricata HTTP.

No files extracted from network traffic.
No dropped files recorded. Note that amqwwq.exe, started by services.exe in the process tree, is a file the sample had to create on the sandbox; the per-file behaviour detail is not included in this export.
No similar analyses found.

Processing ( 37.684 seconds )

  • 15.581 Suricata
  • 15.116 NetworkAnalysis
  • 2.912 VirusTotal
  • 2.176 BehaviorAnalysis
  • 0.832 Static
  • 0.489 peid
  • 0.443 TargetInfo
  • 0.127 AnalysisInfo
  • 0.005 Strings
  • 0.003 Memory

Signatures ( 0.913 seconds )

  • 0.278 md_bad_drop
  • 0.133 api_spamming
  • 0.111 stealth_decoy_document
  • 0.11 stealth_timeout
  • 0.037 antisandbox_sleep
  • 0.024 antiav_detectreg
  • 0.022 md_domain_bl
  • 0.019 md_url_bl
  • 0.01 infostealer_ftp
  • 0.008 anomaly_persistence_autorun
  • 0.008 antiav_detectfile
  • 0.007 ransomware_files
  • 0.006 mimics_filetime
  • 0.006 dridex_behavior
  • 0.006 reads_self
  • 0.006 antivm_generic_scsi
  • 0.006 antivm_generic_disk
  • 0.006 virus
  • 0.006 infostealer_im
  • 0.006 ransomware_extensions
  • 0.005 hawkeye_behavior
  • 0.005 bootkit
  • 0.005 stealth_file
  • 0.005 kelihos_behavior
  • 0.005 hancitor_behavior
  • 0.005 infostealer_bitcoin
  • 0.004 stealth_network
  • 0.004 cerber_behavior
  • 0.004 infostealer_mail
  • 0.004 network_torgateway
  • 0.003 tinba_behavior
  • 0.003 injection_createremotethread
  • 0.003 antivm_generic_services
  • 0.003 anormaly_invoke_kills
  • 0.003 antivm_vbox_files
  • 0.003 geodo_banking_trojan
  • 0.003 disables_browser_warn
  • 0.002 rat_nanocore
  • 0.002 kazybot_behavior
  • 0.002 injection_runpe
  • 0.002 bot_drive
  • 0.002 browser_security
  • 0.002 modify_proxy
  • 0.001 network_tor
  • 0.001 network_anomaly
  • 0.001 betabot_behavior
  • 0.001 ursnif_behavior
  • 0.001 kibex_behavior
  • 0.001 shifu_behavior
  • 0.001 dead_connect
  • 0.001 kovter_behavior
  • 0.001 antivm_generic_diskreg
  • 0.001 antivm_parallels_keys
  • 0.001 antivm_xen_keys
  • 0.001 banker_zeus_mutex
  • 0.001 bot_drive2
  • 0.001 browser_addon
  • 0.001 disables_system_restore
  • 0.001 disables_windows_defender
  • 0.001 rat_spynet
  • 0.001 recon_fingerprint
  • 0.001 stealth_modify_uac_prompt

Reporting ( 1.148 seconds )

  • 0.917 ReportHTMLSummary
  • 0.231 Malheur
Task ID 234136
Mongo ID 5c4619a52f8f2e05ca5a2077
Cuckoo release 1.4-Maldun