Analysis Task

Analysis type VM label Start time End time Duration
File (Windows) win7-sp1-x64-hpdapp01-1 2019-01-22 03:29:44 2019-01-22 03:32:48 184 seconds

Maldun score

7.1

Dangerous

File details

File name Server.exe
File size 25600 bytes
File type PE32 executable (GUI) Intel 80386, for MS Windows
MD5 584e7f703b41d3016912b9860bbc1a1f
SHA1 693dfe0c9f5f430aff4461d3755e35dcdb0383a4
SHA256 c88f49b5ee7fa5e091fc148c031b8a32556905c79a32d7c72c8be0ab39dc4576
SHA512 c3de66eda37142df061c52035d63325ad55ab14cdff080bc53ddaa698124198e32f03db42df3d06e3676155125f72293fb0362425cd81e4391124f28750f1a2e
CRC32 224BBBA0
Ssdeep 384:G4vo0B5ugihbUgVmDh4bGBoRlFvWcpmdCUwQZdJNqnWi7UB891oOOuK+wy+y:+02UgIeKBSU/Xis89Qy+y

Hosts contacted

Direct IP Security rating Geolocation
220.181.57.216 Unknown China

Domain resolution

Domain Security rating Response
baidu.com A 123.125.115.110
A 220.181.57.216

PE information

Image base 0x00400000
Entry point 0x00404f9f
Declared checksum 0x00000000
Actual checksum 0x0000d30e
Minimum OS version 4.0
Compile time 2015-01-28 17:43:36
Import hash 8569656ff3314023cf8db4198febb66e

PE sections

Name Virtual address Virtual size Raw data size Characteristics Entropy
.text 0x00001000 0x000041ba 0x00004200 IMAGE_SCN_CNT_CODE|IMAGE_SCN_MEM_EXECUTE|IMAGE_SCN_MEM_READ 6.13
.rdata 0x00006000 0x0000102c 0x00001200 IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_READ 3.51
.data 0x00008000 0x00000c34 0x00000c00 IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_READ|IMAGE_SCN_MEM_WRITE 4.94

Imports

Library: KERNEL32.dll:
0x406038 lstrcatA
0x40603c lstrcpyA
0x406044 GetShortPathNameA
0x406048 GetModuleFileNameA
0x40604c ExitProcess
0x406050 GetLastError
0x406054 CreateMutexA
0x406058 GetCurrentProcess
0x40605c CopyFileA
0x406060 GetSystemDirectoryA
0x406068 GetComputerNameA
0x406070 GetModuleHandleA
0x406074 TerminateProcess
0x406078 SetPriorityClass
0x40607c GetCurrentThread
0x406080 SetThreadPriority
0x406084 CreateProcessA
0x406088 ResumeThread
0x40608c WaitForSingleObject
0x406090 CloseHandle
0x406094 GetTempPathA
0x406098 LoadLibraryA
0x40609c GetProcAddress
0x4060a0 WinExec
0x4060a4 CreateThread
0x4060a8 lstrlenA
0x4060ac Sleep
0x4060b0 ExitThread
0x4060b4 GetTickCount
0x4060b8 GetStartupInfoA
Library: USER32.dll:
0x406144 wsprintfA
Library: ADVAPI32.dll:
0x406000 OpenSCManagerA
0x406004 CreateServiceA
0x406008 OpenServiceA
0x40600c StartServiceA
0x406010 RegOpenKeyA
0x406014 RegSetValueExA
0x406018 CloseServiceHandle
0x40601c RegCloseKey
0x406020 RegOpenKeyExA
0x40602c SetServiceStatus
0x406030 RegQueryValueExA
Library: WS2_32.dll:
0x40614c WSAStartup
0x406150 send
0x406154 select
0x406158 __WSAFDIsSet
0x40615c recv
0x406160 setsockopt
0x406164 connect
0x406168 closesocket
0x40616c WSAIoctl
0x406170 socket
0x406174 htons
0x406178 gethostbyname
0x40617c inet_addr
0x406180 sendto
0x406184 WSASocketA
0x406188 htonl
Library: MSVCRT.dll:
0x4060c0 rand
0x4060c4 __p__commode
0x4060c8 _controlfp
0x4060d0 ??3@YAXPAX@Z
0x4060d4 __set_app_type
0x4060d8 memcpy
0x4060dc atoi
0x4060e0 strcpy
0x4060e4 strncpy
0x4060e8 strcspn
0x4060ec strstr
0x4060f0 strcat
0x4060f4 sprintf
0x4060f8 localtime
0x4060fc time
0x406100 exit
0x406104 memset
0x406108 strncmp
0x40610c strlen
0x406110 _except_handler3
0x406114 _adjust_fdiv
0x406118 malloc
0x40611c __CxxFrameHandler
0x406120 _CxxThrowException
0x406124 _exit
0x406128 _XcptFilter
0x40612c _acmdln
0x406130 __getmainargs
0x406134 _initterm
0x406138 __setusermatherr
0x40613c __p__fmode

No antivirus engine scan information!

Process tree

Server.exe, PID: 2428, parent PID: 2300
services.exe, PID: 428, parent PID: 332
oyccqk.exe, PID: 2576, parent PID: 428
cmd.exe, PID: 2668, parent PID: 2428

TCP

No TCP connection records.

UDP

Source address Source port Destination address Destination port
192.168.122.201 62233 192.168.122.1 53

HTTP requests

No HTTP requests found.

SMTP traffic

No SMTP traffic.

IRC traffic

No IRC requests.

ICMP traffic

No ICMP traffic.

CIF report

No CIF results

Network alerts

No alerts

TLS

No TLS

Suricata HTTP

No Suricata HTTP

No network-extracted files found
Sorry! No files were dropped.
No similar analyses found.

Processing ( 41.038 seconds )

  • 15.561 Suricata
  • 10.885 NetworkAnalysis
  • 10.764 VirusTotal
  • 2.046 BehaviorAnalysis
  • 0.782 Static
  • 0.438 peid
  • 0.436 TargetInfo
  • 0.117 AnalysisInfo
  • 0.005 Strings
  • 0.004 Memory

Signatures ( 0.77 seconds )

  • 0.172 md_bad_drop
  • 0.127 api_spamming
  • 0.108 stealth_decoy_document
  • 0.103 stealth_timeout
  • 0.037 antisandbox_sleep
  • 0.023 antiav_detectreg
  • 0.022 md_domain_bl
  • 0.019 md_url_bl
  • 0.015 hawkeye_behavior
  • 0.01 infostealer_ftp
  • 0.007 anomaly_persistence_autorun
  • 0.007 antiav_detectfile
  • 0.007 ransomware_files
  • 0.006 infostealer_im
  • 0.006 ransomware_extensions
  • 0.005 dridex_behavior
  • 0.005 infostealer_bitcoin
  • 0.004 mimics_filetime
  • 0.004 reads_self
  • 0.004 antivm_generic_scsi
  • 0.004 virus
  • 0.004 infostealer_mail
  • 0.004 network_torgateway
  • 0.003 tinba_behavior
  • 0.003 bootkit
  • 0.003 stealth_file
  • 0.003 kelihos_behavior
  • 0.003 stealth_network
  • 0.003 antivm_generic_disk
  • 0.003 cerber_behavior
  • 0.003 hancitor_behavior
  • 0.003 antivm_vbox_files
  • 0.003 geodo_banking_trojan
  • 0.003 disables_browser_warn
  • 0.002 rat_nanocore
  • 0.002 injection_createremotethread
  • 0.002 antivm_generic_services
  • 0.002 kazybot_behavior
  • 0.002 anormaly_invoke_kills
  • 0.002 browser_security
  • 0.002 modify_proxy
  • 0.001 network_tor
  • 0.001 network_anomaly
  • 0.001 betabot_behavior
  • 0.001 ursnif_behavior
  • 0.001 kibex_behavior
  • 0.001 shifu_behavior
  • 0.001 dead_connect
  • 0.001 injection_runpe
  • 0.001 antivm_parallels_keys
  • 0.001 antivm_xen_keys
  • 0.001 banker_zeus_mutex
  • 0.001 bot_drive
  • 0.001 bot_drive2
  • 0.001 browser_addon
  • 0.001 disables_system_restore
  • 0.001 disables_windows_defender
  • 0.001 rat_spynet
  • 0.001 recon_fingerprint
  • 0.001 stealth_hide_notifications
  • 0.001 stealth_modify_uac_prompt

Reporting ( 1.106 seconds )

  • 0.866 ReportHTMLSummary
  • 0.24 Malheur
Task ID 234138
Mongo ID 5c461e9a2f8f2e05c35a248f
Cuckoo release 1.4-Maldun