Analysis task

Analysis type: File (Windows)
VM label: win7-sp1-x64-hpdapp01-1
Start time: 2019-01-22 04:30:48
End time: 2019-01-22 04:33:20
Duration: 152 seconds

Maldun score

9.8 (dangerous)

File details

File name: Cache.dat
File size: 24064 bytes
File type: PE32 executable (GUI) Intel 80386, for MS Windows
MD5: 7179b3f206ab703e680ee49a6c1176cb
SHA1: 5db6f9075148b557a5976ffb9ae5b80831913b2f
SHA256: 2588ed737c14c8fbf27c83c474ca88fa2c986c4f6828079d10cc21f9529fd7bc
SHA512: a6c4c320826658aefc7f46933508c11944513c740c8d8d8b3ed943b03d40bffa726cc8c5a9a366a41dd6299c86527b0b302be4ec908c2365416c9a65527379f1
CRC32: 42620273
Ssdeep: 384:+iTtAN1+WYxXCKPQ47UkBqN33JA2W/1aNmO9O6OuK+Z2hYx2Rg/IsWtORZW:+wtAbAhc+ULHJAh/10jepC/T

Hosts contacted

No host records.

DNS resolutions

No domain information.



PE information

Image base: 0x00400000
Entry point: 0x00403e16
Declared checksum: 0x000063aa
Actual checksum: 0x000063aa (equal to the declared value, so the file was not modified after linking without the checksum field being recomputed)
Minimum OS version: 5.0 (Windows 2000)
Compile timestamp: 2017-02-12 00:39:48
Import hash (imphash): 2c2d94046df4c193ca2394289feea605

Version information

The parser returned an empty value for every field (LegalCopyright, InternalName, FileVersion, CompanyName, ProductName, ProductVersion, FileDescription, OriginalFilename, Translation). The VS_VERSION_INFO strings extracted from the file, listed further down, do carry values (Microsoft Developer Studio / MSDEV.EXE metadata), so do not rely on this empty table when judging the file's claimed origin.

PE sections

Name    Virtual address  Virtual size  Raw size    Characteristics                                                        Entropy
.text   0x00001000       0x0000333a    0x00003400  IMAGE_SCN_CNT_CODE|IMAGE_SCN_MEM_EXECUTE|IMAGE_SCN_MEM_READ            6.08
.rdata  0x00005000       0x000014c0    0x00001600  IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_READ                      5.27
.data   0x00007000       0x0000066c    0x00000400  IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_READ|IMAGE_SCN_MEM_WRITE  1.12
.rsrc   0x00008000       0x00001000    0x00000c00  IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_READ                      4.15

Four standard sections with ordinary names, a single executable section, and a .text entropy of 6.08 bits per byte: nothing here suggests a packer or an encrypted payload, which agrees with the readable strings and the populated import table below.

Imports

Library: KERNEL32.dll
0x405048 GetShortPathNameA
0x40504c GetModuleFileNameA
0x405050 ExitProcess
0x405054 ReleaseMutex
0x405058 GetTempPathA
0x40505c GetProcAddress
0x405060 WaitForSingleObject
0x405064 GetLastError
0x405068 CreateMutexA
0x40506c lstrlenA
0x405070 CopyFileA
0x405074 GetCurrentProcess
0x405078 GlobalFree
0x40507c GlobalAlloc
0x405080 FreeLibrary
0x405084 GetSystemInfo
0x405088 GetCurrentThreadId
0x405090 SetPriorityClass
0x405094 GetCurrentThread
0x405098 SetThreadPriority
0x40509c ResumeThread
0x4050a0 CreateThread
0x4050a4 CloseHandle
0x4050a8 LoadLibraryA
0x4050ac CreateProcessA
0x4050b0 TerminateProcess
0x4050b4 GetSystemDirectoryA
0x4050b8 lstrcatA
0x4050bc lstrcpyA
0x4050c0 GetCurrentProcessId
0x4050c4 ExitThread
0x4050c8 Sleep
0x4050cc IsDebuggerPresent
0x4050d8 GetStartupInfoA
0x4050e4 InterlockedExchange
0x4050e8 GetTickCount
Library: USER32.dll
0x4051a4 wsprintfA
Library: ADVAPI32.dll
0x405000 RegCloseKey
0x405008 RegQueryValueExA
0x40500c CreateServiceA
0x405010 StartServiceA
0x405014 RegOpenKeyA
0x405018 RegSetValueExA
0x40501c DeleteService
0x405024 SetServiceStatus
0x405028 RegOpenKeyExA
0x40502c OpenSCManagerA
0x405030 OpenServiceA
0x405034 CloseServiceHandle
Library: WS2_32.dll
0x4051ac select
0x4051b0 __WSAFDIsSet
0x4051b4 WSAIoctl
0x4051b8 recv
0x4051bc socket
0x4051c0 connect
0x4051c4 WSAStartup
0x4051c8 WSAGetLastError
0x4051cc setsockopt
0x4051d0 htons
0x4051d4 sendto
0x4051d8 closesocket
0x4051dc WSACleanup
0x4051e0 inet_addr
0x4051e4 gethostbyname
0x4051e8 send
0x4051ec WSASocketA
0x4051f0 htonl
Library: SHLWAPI.dll
0x40519c SHDeleteKeyA
Library: MSVCR90.dll
0x4050f0 _XcptFilter
0x4050f4 _controlfp_s
0x4050f8 _invoke_watson
0x4050fc _decode_pointer
0x405100 _onexit
0x405104 _lock
0x405108 __dllonexit
0x40510c _unlock
0x405110 ?terminate@@YAXXZ
0x405114 _crt_debugger_hook
0x405118 __set_app_type
0x40511c strstr
0x405120 rand
0x405124 sprintf
0x405128 fprintf
0x40512c __iob_func
0x405130 printf
0x405134 memset
0x405138 atoi
0x40513c strncpy
0x405140 strcspn
0x405144 strncmp
0x405148 exit
0x40514c strchr
0x405150 strncat
0x405154 free
0x405158 malloc
0x405160 _amsg_exit
0x405164 __getmainargs
0x405168 _cexit
0x40516c _exit
0x405170 _encode_pointer
0x405174 _ismbblead
0x405178 _acmdln
0x40517c _initterm
0x405180 _initterm_e
0x405184 _configthreadlocale
0x405188 __setusermatherr
0x40518c _adjust_fdiv
0x405190 __p__commode
0x405194 __p__fmode
Library: IPHLPAPI.DLL
0x40503c GetIfTable

What the import table says: the ADVAPI32 set (OpenSCManagerA, CreateServiceA, StartServiceA, OpenServiceA, DeleteService, SetServiceStatus, RegSetValueExA) is a service installer plus a service body; CopyFileA, GetSystemDirectoryA and GetTempPathA supply the copy-into-System32 step; CreateMutexA/ReleaseMutex is a single-instance guard; the WS2_32 set (WSASocketA, WSAIoctl, socket, connect, send, sendto, select, setsockopt, gethostbyname) together with GetIfTable from IPHLPAPI is the network side, and sendto beside connect/send points at both connectionless and TCP traffic; LoadLibraryA/GetProcAddress mean further APIs are resolved at run time (the extracted strings name them). IsDebuggerPresent, InterlockedExchange, GetStartupInfoA, GetTickCount and GetCurrentThreadId are typical of the MSVCR90 CRT start-up and security-cookie code and are not evidence of anti-debugging on their own. Note that the IAT addresses skip several slots (0x40508c, 0x4050d0 through 0x4050e0, 0x405004, 0x405020, 0x40515c), so this listing is incomplete; pivot on the imphash above, not on this list, when comparing with other samples.
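The three static fields a practitioner would re-derive from the PE information, section table and import list above are the checksum pair, the per-section entropy column and the imphash. The following is an added example written for this page, not Maldun/Cuckoo or pefile code; it uses only the Python standard library, assumes a PE32 (32-bit) layout, and exercises itself on a constructed stub PE rather than on the sample. Because the import listing above is incomplete, feeding it to imphash() will not reproduce the report's value; the function is here to show the normalisation that value is built from.

```python
"""Static-triage helpers for the fields above: PE checksum verification,
per-section entropy and the import hash. Added example (stdlib only), not
Maldun/Cuckoo or pefile code. Assumes a PE32 (32-bit) layout."""
import hashlib
import math
import struct


def shannon_entropy(data: bytes) -> float:
    """Bits per byte: 0.0 for a constant run, 8.0 for uniformly random bytes."""
    if not data:
        return 0.0
    n = len(data)
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def pe_checksum(data: bytes, checksum_offset: int) -> int:
    """Recompute IMAGE_OPTIONAL_HEADER.CheckSum the way the loader does: add all
    16-bit words with end-around carry, skipping the 4-byte CheckSum field
    itself, fold to 16 bits and add the file length."""
    skip = {checksum_offset, checksum_offset + 2}
    n, total = len(data), 0
    for off in range(0, n - 1, 2):
        if off in skip:
            continue
        total += struct.unpack_from('<H', data, off)[0]
        total = (total & 0xFFFF) + (total >> 16)
    if n & 1:                                  # odd trailing byte
        total += data[-1]
        total = (total & 0xFFFF) + (total >> 16)
    total = (total & 0xFFFF) + (total >> 16)
    return (total & 0xFFFF) + n


def pe_header_offset(data: bytes) -> int:
    """e_lfanew: file offset of the PE signature."""
    if data[:2] != b'MZ':
        raise ValueError('not an MZ file')
    pe = struct.unpack_from('<I', data, 0x3C)[0]
    if data[pe:pe + 4] != b'PE\0\0':
        raise ValueError('bad PE signature')
    return pe


def verify_checksum(data: bytes):
    """(declared, actual, match): the two checksum lines of the report.
    CheckSum sits at optional-header offset 0x40, i.e. e_lfanew + 0x58 for PE32."""
    field = pe_header_offset(data) + 0x58
    declared = struct.unpack_from('<I', data, field)[0]
    actual = pe_checksum(data, field)
    return declared, actual, declared == actual


def section_entropies(data: bytes):
    """[(name, raw_size, entropy)] from the section table, i.e. the Entropy
    column of the sections table. About 6 over .text is ordinary compiled
    code; values near 7.5-8 usually mean packed or encrypted content."""
    pe = pe_header_offset(data)
    nsect = struct.unpack_from('<H', data, pe + 6)[0]
    opt_size = struct.unpack_from('<H', data, pe + 20)[0]
    table = pe + 24 + opt_size
    out = []
    for i in range(nsect):
        hdr = table + 40 * i
        name = data[hdr:hdr + 8].rstrip(b'\0').decode('ascii', 'replace')
        raw_size, raw_ptr = struct.unpack_from('<II', data, hdr + 16)
        out.append((name, raw_size, shannon_entropy(data[raw_ptr:raw_ptr + raw_size])))
    return out


def imphash_string(imports) -> str:
    """pefile's normalisation before hashing: 'dll.func', lower-cased, DLL
    extension stripped, comma-joined in import-table order."""
    parts = []
    for dll, func in imports:
        name = dll.lower()
        for ext in ('.dll', '.ocx', '.sys'):
            if name.endswith(ext):
                name = name[:-len(ext)]
                break
        parts.append(f'{name}.{func.lower()}')
    return ','.join(parts)


def imphash(imports) -> str:
    """MD5 of imphash_string(). Ordinal-only imports (none on this page) would
    first need pefile's ordinal-to-name tables."""
    return hashlib.md5(imphash_string(imports).encode()).hexdigest()


def build_stub_pe() -> bytes:
    """Constructed PE32 stub for the example (not the sample): a 0x200-byte
    header, one .text section of 512 uniformly distributed bytes, CheckSum set."""
    hdr = bytearray(0x200)
    hdr[:2] = b'MZ'
    struct.pack_into('<I', hdr, 0x3C, 0x40)             # e_lfanew
    hdr[0x40:0x44] = b'PE\0\0'
    struct.pack_into('<HH', hdr, 0x44, 0x14C, 1)        # i386, one section
    struct.pack_into('<H', hdr, 0x54, 0xE0)             # PE32 optional header size
    struct.pack_into('<H', hdr, 0x58, 0x10B)            # PE32 magic
    sect = 0x40 + 24 + 0xE0                             # first section header
    hdr[sect:sect + 8] = b'.text\0\0\0'
    struct.pack_into('<IIII', hdr, sect + 8, 0x200, 0x1000, 0x200, 0x200)
    struct.pack_into('<I', hdr, sect + 36, 0x60000020)  # CODE|EXECUTE|READ
    image = bytearray(bytes(hdr) + bytes(range(256)) * 2)
    struct.pack_into('<I', image, 0x40 + 0x58, pe_checksum(image, 0x40 + 0x58))
    return bytes(image)
```

Run verify_checksum() and section_entropies() on the real file bytes to reproduce the report's 0x000063aa pair and the 6.08/5.27/1.12/4.15 column; a declared checksum of 0 simply means the linker never filled the field, which is common and not by itself suspicious.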

Strings

(Section names and x86 push-immediate code bytes that the strings tool rendered as text are omitted; the data strings and the import name table follow.)
Data strings:
%d.%d.%d.%d
self.location=
jdfwkey
location=
\Program Files\Internet Explorer\iexplore.exe
%s %s%s
> nul
/c del
COMSPEC
URLDownloadToFileA
%c%c%c%c%c.exe
OpenMutexA
KERNEL32.dll
WinExec
SYSTEM\CurrentControlSet\Services\
Description
%c%c%c%c%c%c.exe
RegCloseKey
RegEnumKeyExA
RegEnumValueA
RegOpenKeyExA
RegQueryValueExA
ADVAPI32.dll
Find CPU Error
ProcessorNameString
HARDWARE\DESCRIPTION\System\CentralProcessor\0
Windows NT
Windows 8
Windows 7
Windows 2012
Windows 2008
Windows Vista
Vista
Windows 2003
Windows XP
Windows 2000
ProductName
SOFTWARE\Microsoft\Windows NT\CurrentVersion
Import name table strings (these include GetEnvironmentVariableA, RegisterServiceCtrlHandlerA, StartServiceCtrlDispatcherA, _except_handler4_common, InterlockedCompareExchange, UnhandledExceptionFilter, SetUnhandledExceptionFilter, QueryPerformanceCounter and GetSystemTimeAsFileTime, which the import listing above omits at the gaps in its IAT addresses, so that listing is incomplete):
GetTickCount
Sleep
ExitThread
GetCurrentProcessId
lstrcpyA
lstrcatA
GetSystemDirectoryA
TerminateProcess
CreateProcessA
LoadLibraryA
CloseHandle
CreateThread
ResumeThread
SetThreadPriority
GetCurrentThread
SetPriorityClass
GetCurrentProcess
GetEnvironmentVariableA
GetShortPathNameA
GetModuleFileNameA
ExitProcess
ReleaseMutex
GetTempPathA
GetProcAddress
WaitForSingleObject
GetLastError
CreateMutexA
lstrlenA
CopyFileA
GlobalFree
GlobalAlloc
FreeLibrary
GetSystemInfo
KERNEL32.dll
wsprintfA
USER32.dll
DeleteService
CloseServiceHandle
OpenServiceA
OpenSCManagerA
RegOpenKeyExA
SetServiceStatus
RegisterServiceCtrlHandlerA
RegCloseKey
RegSetValueExA
RegOpenKeyA
StartServiceA
CreateServiceA
RegQueryValueExA
StartServiceCtrlDispatcherA
ADVAPI32.dll
WSASocketA
WSAIoctl
WS2_32.dll
SHDeleteKeyA
SHLWAPI.dll
strstr
sprintf
fprintf
__iob_func
printf
memset
strncpy
strcspn
strncmp
strchr
strncat
malloc
MSVCR90.dll
_except_handler4_common
_amsg_exit
__getmainargs
_cexit
_exit
_XcptFilter
_ismbblead
_acmdln
_initterm
_initterm_e
_configthreadlocale
__setusermatherr
_adjust_fdiv
__p__commode
__p__fmode
_encode_pointer
__set_app_type
_crt_debugger_hook
?terminate@@YAXXZ
_unlock
__dllonexit
_lock
_onexit
_decode_pointer
_invoke_watson
_controlfp_s
GetIfTable
IPHLPAPI.DLL
InterlockedExchange
InterlockedCompareExchange
GetStartupInfoA
UnhandledExceptionFilter
SetUnhandledExceptionFilter
IsDebuggerPresent
QueryPerformanceCounter
GetCurrentThreadId
GetSystemTimeAsFileTime
Remaining data strings:
National
National Instruments Domain Service
Provides a domain server for NI security.
127.0.0.1:8000
XBome (four occurrences)
</assembly> (tail of the embedded manifest resource)
DDOSCLIENT

Reading the data strings together: SYSTEM\CurrentControlSet\Services\, Description and the %c%c%c%c%c%c.exe format string, with the ADVAPI32 service imports, describe installation as a Windows service under a random six-letter executable name, with "National Instruments Domain Service" as the display name and "Provides a domain server for NI security." as the description; the process tree below shows exactly that, yemcwu.exe started by services.exe. COMSPEC, /c del and > nul are the pieces of a cmd.exe self-deletion command line (GetEnvironmentVariableA reads COMSPEC), matching the cmd.exe child of Cache.dat. URLDownloadToFileA, WinExec, OpenMutexA, RegEnumKeyExA and RegEnumValueA sit next to the literal "KERNEL32.dll" and "ADVAPI32.dll" strings rather than in the import name table, so they are resolved at run time through LoadLibraryA/GetProcAddress; with %c%c%c%c%c.exe and the iexplore.exe path they amount to a download-and-execute capability. The ProcessorNameString and ProductName registry paths and the list of Windows version names are host fingerprinting (CPU model and OS name), with "Find CPU Error" as the failure message. self.location=, location= and jdfwkey are what a client needs to follow a JavaScript redirect or cookie challenge in an HTTP reply, which, with the DDOSCLIENT and XBome markers and the WS2_32/IPHLPAPI imports, marks this as a DDoS bot. 127.0.0.1:8000 is the only hard-coded endpoint; a bot pointed at loopback produces no outbound traffic, which fits the empty network sections of this report, so the absence of connections should not be read as the sample being inert.
VS_VERSION_INFO resource (StringFileInfo, language 040904B0):
CompanyName: Microsoft Corporation
FileDescription: Microsoft (R) Developer Studio
FileVersion: 6.00.8168.2
InternalName: MSDEV
LegalCopyright: Copyright (C) Microsoft Corp. 1992-1997
OriginalFilename: MSDEV.EXE
ProductName: Microsoft (R) Visual Studio
ProductVersion: 6.00.8168.2
VarFileInfo: Translation

These values are those of Visual Studio 6's MSDEV.EXE. A file whose PE header says it was compiled in 2017 but whose version resource claims 1992-1997 Microsoft copyright is a metadata mismatch worth flagging automatically, and it explains why the parsed version table above is empty: the resource is borrowed, not generated for this binary.
No antivirus engine scan results.

Process tree

Cache.dat, PID 2448, parent PID 2296
services.exe, PID 428, parent PID 332
yemcwu.exe, PID 2580, parent PID 428
cmd.exe, PID 2672, parent PID 2448
mscorsvw.exe, PID 2996, parent PID 428
mscorsvw.exe, PID 1444, parent PID 428

yemcwu.exe is a child of services.exe (PID 428), i.e. it was started as a service, which matches the CreateServiceA/StartServiceA imports and the dropped-file record below (a byte-identical copy of Cache.dat under C:\Windows\System32). cmd.exe is a direct child of Cache.dat and matches the COMSPEC, /c del and > nul strings: the original file deleting itself once the service is installed. The two mscorsvw.exe instances are the .NET runtime optimization service starting under services.exe and are unrelated background activity in the VM.

TCP

No TCP connections recorded.

UDP

No UDP connections recorded.

HTTP requests

No HTTP requests observed.

SMTP traffic

No SMTP traffic.

IRC traffic

No IRC traffic.

ICMP traffic

No ICMP traffic.

CIF report

No CIF results.

Network alerts

No alerts.

TLS

No TLS.

Suricata HTTP

No Suricata HTTP.

No files extracted from network traffic.

Dropped files

File name: yemcwu.exe
Path: C:\Windows\System32\yemcwu.exe
File size: 24064 bytes
File type: PE32 executable (GUI) Intel 80386, for MS Windows
MD5: 7179b3f206ab703e680ee49a6c1176cb
SHA1: 5db6f9075148b557a5976ffb9ae5b80831913b2f
SHA256: 2588ed737c14c8fbf27c83c474ca88fa2c986c4f6828079d10cc21f9529fd7bc
CRC32: 42620273
Ssdeep: 384:+iTtAN1+WYxXCKPQ47UkBqN33JA2W/1aNmO9O6OuK+Z2hYx2Rg/IsWtORZW:+wtAbAhc+ULHJAh/10jepC/T

Every hash equals the submitted file's, so yemcwu.exe is an unmodified copy of Cache.dat (CopyFileA is imported) placed in System32 under the random six-letter name produced by the %c%c%c%c%c%c.exe format string. The file name will differ on every infected host, so hunt on the hash and on the service name and description, not on yemcwu.exe.
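The process tree and the dropped-file record together give a three-link chain to detect: a copy of the running file written into System32 under a random name, that copy registered and started as a service by services.exe, and cmd.exe deleting the original. The following hunt logic is an added example written for this page, not Maldun/Cuckoo code. The events it runs over are constructed Sysmon-style records (EventID 1 process creation, EventID 11 file creation, EventID 7045 service install) that mirror the report's PIDs and paths; the field names are assumed, and every path, hash and account other than the sample's SHA256 and the service name is invented.

```python
"""Hunt logic for the chain shown by the process tree and dropped-file record:
copy self into System32 under a random name, register and start it as a
service, delete the original through cmd.exe. Added example, not Maldun/Cuckoo
code. EVENTS is constructed: Sysmon-style field names are assumed and every
value except the sample's SHA256 and the service name is invented."""
import re

SAMPLE_SHA256 = '2588ed737c14c8fbf27c83c474ca88fa2c986c4f6828079d10cc21f9529fd7bc'

# %c%c%c%c%c.exe / %c%c%c%c%c%c.exe from the strings: 5-6 random letters in
# System32. Weak on its own (legitimate 5-6 letter names exist there), so it
# is only combined with the hash and self-delete rules below.
RANDOM_SYS32_EXE = re.compile(r'^c:\\windows\\system32\\[a-z]{5,6}\.exe$', re.I)
# COMSPEC + "/c del" + "> nul" from the strings
SELF_DELETE = re.compile(r'/c\s+del\b.*>\s*nul', re.I)

SYS32 = r'C:\Windows\System32'
DROPPER = r'C:\Users\victim\Desktop\Cache.dat'          # invented path

EVENTS = [  # constructed records mirroring the report's process tree
    {'id': 1, 'pid': 2448, 'ppid': 2296, 'image': DROPPER,
     'parent_image': r'C:\Windows\explorer.exe', 'cmdline': f'"{DROPPER}"',
     'sha256': SAMPLE_SHA256},
    {'id': 11, 'pid': 2448, 'target': SYS32 + r'\yemcwu.exe', 'sha256': SAMPLE_SHA256},
    {'id': 7045, 'service': 'National Instruments Domain Service',
     'image_path': SYS32 + r'\yemcwu.exe', 'account': 'LocalSystem'},
    {'id': 1, 'pid': 2580, 'ppid': 428, 'image': SYS32 + r'\yemcwu.exe',
     'parent_image': SYS32 + r'\services.exe', 'cmdline': SYS32 + r'\yemcwu.exe',
     'sha256': SAMPLE_SHA256},
    {'id': 1, 'pid': 2672, 'ppid': 2448, 'image': SYS32 + r'\cmd.exe',
     'parent_image': DROPPER,
     'cmdline': SYS32 + r'\cmd.exe /c del "' + DROPPER + '" > nul',
     'sha256': 'a' * 64},
    {'id': 1, 'pid': 2996, 'ppid': 428,                    # benign noise
     'image': r'C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe',
     'parent_image': SYS32 + r'\services.exe', 'cmdline': 'mscorsvw.exe',
     'sha256': 'b' * 64},
]


def hunt(events):
    """Return [(rule, pid, detail)]; pid is None for the service-install record."""
    first_image = {}        # sha256 -> image path of the first process seen with it
    for ev in events:
        if ev['id'] == 1:
            first_image.setdefault(ev['sha256'], ev['image'])
    hits = []
    for ev in events:
        if ev['id'] == 11 and RANDOM_SYS32_EXE.match(ev['target']):
            hits.append(('drop_random_name_in_system32', ev['pid'], ev['target']))
        elif ev['id'] == 7045 and RANDOM_SYS32_EXE.match(ev['image_path']):
            hits.append(('service_random_name_in_system32', None,
                         f"{ev['service']} -> {ev['image_path']}"))
        elif ev['id'] == 1:
            image, parent = ev['image'].lower(), ev['parent_image'].lower()
            origin = first_image[ev['sha256']]
            # services.exe child whose hash first appeared under another path:
            # the service binary is a copy of the dropper
            if parent.endswith('\\services.exe') and origin.lower() != image:
                hits.append(('service_runs_copy_of_dropper', ev['pid'],
                             f"{ev['image']} has the hash of {origin}"))
            # cmd.exe whose command line deletes its own parent's file
            if (image.endswith('\\cmd.exe') and SELF_DELETE.search(ev['cmdline'])
                    and parent in ev['cmdline'].lower()):
                hits.append(('self_delete_via_cmd', ev['pid'], ev['cmdline']))
    return hits
```

The hash rule is the one to keep even when the other two are tuned away: it fires on any service whose binary carries the hash of a process that first ran from a user-writable path, which is exactly what the matching hashes of Cache.dat and yemcwu.exe express, and it does not depend on the random file name.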
No similar analyses found.

Processing: 28.639 seconds

Signature checks: 0.729 seconds

Reporting: 1.101 seconds

Task ID: 234140
Mongo ID: 5c462cb42f8f2e05d05a202b
Cuckoo release: 1.4-Maldun