分析任务
| 分析类型 | 虚拟机标签 | 开始时间 | 结束时间 | 持续时间 |
|---|---|---|---|---|
| 文件 (Windows) | win7-sp1-x64-hpdapp01-1 | 2019-05-08 13:16:55 | 2019-05-08 13:17:40 | 45 秒 |
魔盾分数
1.5
正常的
文件详细信息
| 文件名 | 短信轰炸机.exe |
|---|---|
| 文件大小 | 107008 字节 |
| 文件类型 | PE32 executable (GUI) Intel 80386, for MS Windows |
| MD5 | 50ceeedcd33cdd8506d0f36c6e0daff9 |
| SHA1 | e458a68744d1d8bbff2bb727d964fcba736df7c9 |
| SHA256 | aa5a0b493fb91941a3784312a43e5935c215682e5ad6559349f74a8fb2f2221a |
| SHA512 | ddb9fc2929b77a5293ca68f8c955722bdac2d9e0b80f2f266bce3bae4e91c1c5d495fc54ffc43184ff6e004eb57226c03ff6cc9577767aa327b271d400e17c10 |
| CRC32 | B3480011 |
| Ssdeep | 1536:Zsz81BlwaYfZ98VHVr3KqFoeVV+I+sS7LEN:ZsMUfhcLfHogN |
| Yara | 登录查看Yara规则 |
| 样本下载 提交漏报 |
登录查看威胁特征
运行截图
访问主机纪录 (可点击查询WPING实时安全评级)
无主机纪录.
域名解析 (可点击查询WPING实时安全评级)
无域名信息.
摘要
登录查看详细行为信息PE 信息
| 初始地址 | 0x00400000 |
|---|---|
| 入口地址 | 0x00401000 |
| 声明校验值 | 0x00000000 |
| 实际校验值 | 0x00025f67 |
| 最低操作系统版本要求 | 4.0 |
| 编译时间 | 1972-12-25 13:33:23 |
| 载入哈希 | ae0a5112fe1176f4e5f6e1bc95e4c209 |
版本信息
| LegalCopyright | |
|---|---|
| FileVersion | |
| CompanyName | |
| Comments | |
| ProductName | |
| ProductVersion | |
| FileDescription | |
| Translation |
PE 数据组成
| 名称 | 虚拟地址 | 虚拟大小 | 原始数据大小 | 特征 | 熵(Entropy) |
|---|---|---|---|---|---|
| .text | 0x00001000 | 0x00000224 | 0x00000400 | IMAGE_SCN_CNT_CODE|IMAGE_SCN_MEM_EXECUTE|IMAGE_SCN_MEM_READ | 3.51 |
| .rdata | 0x00002000 | 0x00000194 | 0x00000200 | IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_READ | 3.64 |
| .data | 0x00003000 | 0x00018200 | 0x00018200 | IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_EXECUTE|IMAGE_SCN_MEM_READ|IMAGE_SCN_MEM_WRITE | 6.07 |
| .rsrc | 0x0001c000 | 0x000015f4 | 0x00001600 | IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_READ | 5.54 |
导入
库: USER32.dll:
• 0x402030 MessageBoxA
库: KERNEL32.dll:
• 0x402010 FreeLibrary
• 0x402014 lstrcatA
• 0x402018 GetModuleFileNameA
• 0x40201c ExitProcess
• 0x402020 LoadLibraryA
• 0x402024 GetProcAddress
• 0x402028 lstrlenA
.text
`.rdata
@.data
.rsrc
GetNewSock
Error
krnln.fne
Not found the kernel library or the kernel library is invalid!
krnln.fnr
Software\FlySky\E\Install
MessageBoxA
USER32.dll
ExitProcess
FreeLibrary
GetProcAddress
LoadLibraryA
lstrcatA
lstrlenA
KERNEL32.dll
RegCloseKey
RegOpenKeyExA
RegQueryValueExA
ADVAPI32.dll
GetModuleFileNameA
const
https://note.youdao.com/yws/public/note/fdc9a865df2923eaecea71bf26cd8d4f
<\/div><div yne-bulb-block=\"paragraph\" style=\"white-space: pre-wrap;\">
OPTIONS
DELETE
TRACE
CONNECT
WinHttp.WinHttpRequest.5.1
@SetTimeouts
SetProxy
Basic
Proxy-Authorization
SetRequestHeader
Option
Accept: */*
Accept:
Accept: */*
Referer:
Referer:
Accept-Language:
Accept-Language: zh-cn
User-Agent:
User-Agent: Mozilla/4.0 (compatible; MSIE 9.0; Windows NT 6.1)
content-type
Content-Type
Content-Type:
Content-Type: application/x-www-form-urlencoded
Cookie
ResponseBody
GetallResponseHeaders
Status
Set-Cookie
Set-Cookie:
@ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/
=deleted
13841200000
(*.*)|*.*
18341200000
&type=24&aid=1319
https://m.pipix.com/passport/web/send_code/?account_sdk_source=web&mobile=
http://www.721889.com/home/passport/sendSms?mobile=
Accept-Language: zh-CN,zh;q=0.9
http://mservice.moerlong.com:8805/sso/sendSMSCode
&syscode=1174726&action=Register
mobile=
https://capi.wealth365.com.cn/storm/userbase/register/verifycode/H5?b=8&c=4&ch=
","codeType":0,"validationType":1,"operationType":0,"source":"1"}
{"c":3,"mobile":"
User-Agent:Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/62.0.3202.94 Safari/537.36 115Browser/9.1.1
https://intrepaypro.handmart.cn/hpayDFPaySupport/system/authSmsCode
&msgType=1&channelCode=hbwallet
http://xjy.coocm.com/wap/channel/sendsms.html
Accept-Language: zh-CN,zh;q=0.9
&appName=jkb&graphicCode=&clientType=
https://a.shuziqb.com/hkd_boot/userLogin/getPhoneCodeNew?type=1&phone=
https://vip-service-center.vcredit.com/vip-api/loanInvite/loanInviteAccept
","userSource":2}
{"userIdKey":"33DFD1CAE4DA7176","userMobile":"
User-Agent:Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/62.0.3202.94 Safari/537.36 115Browser/9.1.1
%22%2C%22mode%22%3A1%2C%22imageCode%22%3A%22%22%2C%22deviceCode%22%3A77.09578668767404%2C%22tokenId%22%3A%22%22%2C%22fileName%22%3A338.95248280523725%2C%22sourceType%22%3A%227%22%2C%22version%22%3A%222.4.0%22%2C%22utmCode%22%3A100%7D&credithc-request-client-type=html5&_=
https://hyd.hengchang6.com/hyd/services/hydUser/smsCodeForLogin?callback=success_jsonpCallback&jsonParams=%7B%22userPhone%22%3A%22
https://dbzloan.xiaojinqb.cn/common/getVerifyCode.do
&type=1
http://api.mobile.auth.xiaozhoudao.net/register/sms/code/send
&token=
telephone=
https://www.grwdai.com:6708/grw-api/user/sendSmsMessage
&type=1&openId=xjzz
phoneMob=
https://api.haoqianbao.com/api/member/hasUser
{"user":{"umobile":"
http://www.tukuchina.cn/index.php?r=site/SendMessageLogin
&geetest_challenge=5ace54a824f01d4f427d70288f458be3&geetest_validate=ff4273cdb85d30e3c752a8d6ba8a8362&geetest_seccode=ff4273cdb85d30e3c752a8d6ba8a8362%7Cjordan&sessionId=CA8831D6F0ABA1CF7E5305C0D5F7C511&_=1551025760617
https://service.youshang.com/commonservice/ajaxChecking.do?callback=jQuery111204568359262588684_1551025760610&action=geetestVerify&nextAction=sendYZJSMS&mobile=
&type=2&_=
http://office.teacher.com.cn/auth/captcha?telephone=
https://imsummer.cn/invite_register/index
user_id=af1aa453-5f52-4d05-bd65-8e52a646fae0&phone=%2B86
&geetest_challenge=e161939d5f264d1bf745142b87c69935&geetest_validate=58819b9b78b46de2e7eace3031f88e0b&geetest_seccode=58819b9b78b46de2e7eace3031f88e0b
https://service.youshang.com/commonservice/ajaxChecking.do?callback=jQuery111209130881338707941_1551182115561&action=geetestVerify&nextAction=sendSMS&mobile=
http://xc.kuaiyiche.me/app/Login/getPhoneCode
&use_type=1
http://yxyb.shanzuking.com/api/site/sendsms
type=registered&mobile_phone=
https://loan.sinaquyong.com/api/msg/sms/landing/code.do?t=
&source=000007015
codeType=1&mobileNo=
https://jie.gomemyf.com/jie-api/facade/h5post.do
","serKey":"5f28f2b858a6abf5e20800115546385f","clientType":"H5"}
jsonData={"service":"001009","mobile":"
&type=02&deviceType=android
http://mtransfer.ulinkcredit.com/openapi/allinpay.balance.service/balance/sendMsgByHtml?mobile=
https://hdgateway.zto.com/auth_account_sendRegisterSmsVerifyCode
{"mobile":"
Accept-Language: zh-CN,zh;q=0.9
http://www.57de.com/index.php?m=&c=sms&a=sendSmsCode
®_imgcode=&type=ureg
phone=
success">
http://www.suzhoudk.com/plus/search.php?phone=
http://www.zdaiwang.com/sms.php
http://www.91hrw.cn/home/passport/sendsms.html
&sms_yzm=undefined
http://admin.benfen.tech/home/CustomerFromH5/sendCode
http://www.casheasy.cn:8081/api/verify/imageCode/status
","smsTagId":""}}
{"header":{"channel":"","deviceInfo":"Wechat","deviceIp":"","inputCharset":"utf-8","requestDate":"20160905","requestTime":"115001","service":"100005","requestId":"e5806547-ed72-49a4-b7ee-f5e2d1806fea"},"body":{"mobNo":"
Accept-Language: zh-CN,zh;q=0.9
https://cardloan.xiaoying.com/h5/user/check_register
&os=h5&_srcid=100026631
http://www.zhuolu2018.com/user/getVerifyCode?phone=
https://www.icve.com.cn/commonUser/portal/register/sendCode
&countryCode=86
&csrf=05eLEiGvNiOFs26Q
http://ly.yichang.gov.cn/index.php/index/authCode?phone=
&t_type=
https://www.acc5.com/module.php?c=verify_code&action=reg&phone=
https://accounts.douban.com/j/mobile/login/request_phone_code
ck=&area_code=%2B86&number=
&country=CN
https://unite.nike.com/phoneVerification?appVersion=577&experienceVersion=475&uxid=com.nike.commerce.nikedotcom.web&locale=zh_CN&backendEnvironment=identity&browser=Google%20Inc.&os=undefined&mobile=false&native=false&visit=1&visitor=1517902f-6512-41ee-82e9-3d35cdb98c4e&phoneNumber=86
https://www.szcredit.com.cn/xy2.outside/AJax/ZCPhoneCheckCode.ashx
&uid=230231200206233315&type=1
dealType=
http://wsdj.saic.gov.cn/saicreg/register/verifyCodeSend
phoneNo=
http://www.ancc.org.cn/Member/registerNew.aspx?action=nul&Requst_Source=
&Txt_subjoin=&Btn_subjoin=%E8%8E%B7%E5%8F%96%E9%AA%8C%E8%AF%81%E7%A0%81&Txt_PassWord=&Txt_RePassWord=
__VIEWSTATE=%2FwEPDwUJODk2MTIyNzE4ZGSKz73ufo7zMbJzoiIAMr3ELwPEUmqU5HLznJDRnpelow%3D%3D&__VIEWSTATEGENERATOR=7DAEFE4F&Top%24h_keyword=&navBar%24h_keyword=&Txt_UserName=&Txt_Email=&Txt_Tel=
http://www.hstechsz.com/?ct=login&ac=sendsms
&code_type=reg
https://txwk.10010.com/KCard/wxColletion/sendCodeInfo
1970-01-01 08:00:00
https://www.jieyide.cn/member.php?mod=register
formhash" value="
https://www.jieyide.cn/plugin.php?id=zhanmishu_sms:send&no_submit=no_submit&method=send
&code=922730&sms_verify=&nationcode=86
&referer=https%3A%2F%2Fwww.jieyide.cn%2Fvip%2F&activationauth=&elvuka=%E5%8F%AF%E7%88%B1%E9%A3%98&L1nbtn=a123456&Y9fv3f=a123456&KMAM3Q=2171755355%40qq.com&mobile=
regsubmit=yes&formhash=
Accept-Language: zh-CN,zh;q=0.9
ScriptControl
JScript
Language
';return unescape(x);}
function xx(){var x='
ExecuteStatement
Adodb.Stream
Write
Position
unicode
Charset
ReadText
Close
https://www.qianpen.com/user-center/sendcode/send-phone-code-register?u_asec=099%23KAFE17E9EXEEhYTLEEEEEpEQz0yFD6PTSXRIS6zHDrsYW6P3DXyEn6t1BYFETRpCD6jXE7EFbOR5D3UTETOLrTMkUllP%2FcZoFjhtvMRx%2BKhFVovK8Pc9Z6ITEEaU%2F3iSlZTHaIBi8%2FlxE7EqWRaSt3tIvbCHSVOlBYFETRpCD6ixE7EqWRaSt3dGloCHSVOlfYFE1XZdhj8qluZlcJMTEEvP%2Fwon23lP%2Fna4E7EFb%2FR5DcYTEHI15sGEjOTDfJ6%2F1HN7Va6o3kikLwCIRvmQom4RyUQCqHGt%2BTfuViqaqNDfwwLY0mDSqqaqyUNSqwqS8TfuViqac1IRkmw4qDGtIUYRyUQGBwSGAYFE0OIlD3YScblcL4wsDRrsLaScwRBycRK63Me6r02Wr7PclMeAnaeCivDc1s32riURiUF3%2BuUW%2FqQREyWdCwUQL4Tt9235rAocwEz6zqFnHQe6wBZCGRonann6LyByNsj6CG%2F7u0XCruGTE1LP%2F3iSlllP%2FcZddYslluVSsyaaolllWMiP%2F3IclllzgcZddYsllu8FBEFE1cZdt0dkoBIKsYFETrudt%2F95AFMTEEyP%2F9iSllluE7EFL2xhGDQTEExCbPi5DEFETcZdt9TZE7EKsyAKxkwlsySoMYFE1u%2Btt37bYzn5YPpjMYFE1u%2Bdt37dF0n5YPpjBYFETRpCD6iWE7EjWRYxFg9lsyaPe1Ue%2F0Z1SUgXE7EFbOR5D6ITEEaU%2F3iSlDLPaIBi8%2FtXE7EFbOR5D6ITEEaU%2F3iSlDYBaIBi8%2FlxE7EqWRaSt3to8qCHSVOlSYFEwc%2Bdt3ilBEBqgfc2llUTETiNrBNQY3lP%2FcZBqLRK4M3MG6WEsY%3D%3D&u_atype=2
&channel=user-center-register-PC
&sessionId=
_uab_collina=155703230058706492537855; UM_distinctid=16a865b35cc786-06fc65e8eda4f3-6d0c07-1fa400-16a865b35cdaeb; aliyungf_tc=AQAAAGqGj0VK4QUAOinkcT8xt9K+vfIM; acw_tc=76b20f6a15570322893981596e4f46adb893318c023c8cbaa95fbc382d9119; 136a3d03-9748-4f83-a54f-9b2a93f979a0=e7ee4c5c-3e12-43b9-b389-1c9b7d6b35a5; _ga=GA1.2.1166889318.1557032290; _gid=GA1.2.1350661909.1557032290; _jzqx=1.1557032290.1557032290.1.jzqsr=baike%2Eqianpen%2Ecom|jzqct=/dkbk/wljd/13756%2Ehtml.-; _jzqckmp=1; CNZZDATA1253109578=2102872924-1557027041-null%7C1557027041; Hm_lvt_b6405d746b704d5415b876b2478f7517=1557032290; Hm_lpvt_b6405d746b704d5415b876b2478f7517=1557032294; _qzja=1.1339668177.1557032289935.1557032289935.1557032289935.1557032289935.1557032293995..0.0.2.1; _qzjb=1.1557032289935.2.0.0.0; _qzjc=1; _qzjto=2.1.0; _jzqa=1.850139233399563600.1557032290.1557032290.1557032290.1; _jzqc=1; _jzqb=1.2.10.1557032290.1; url_session_id=0.8736910672969914; u_asec=099%23KAFEQGEKE7EEhYTLEEEEEpEQz0yFD6PTSXRIS6zHDrsYW6P3DXyEn6t1WEFE5YKi%2FEThbJmSoZdIkmwvqDGt062q3IYrfBgAk7PrLLIGBwZIHnsNqaqCBmSqccTNBB7GaqAr%2BB7GqaxMHnsNqaqQIYP05c7aBwS%2B%2BEPrLLTo3iwhE7T8bLl5uw7WadWc73%2F5rsr337QqPfbQb4St%2BUZVNOeV1Sst%2BOJ9cOKc95QRbteVcYPcY7uRWLedaYbT%2FOaIcL%2Bc7JDtUtxsHGQq14Z4GioB%2BUS69yREPa939oZ6PfrBPFnR1twVNspssEFEpcZdt3illuZdsyaCw%2FllsviP%2F36alllzgcZddYsllu8FsyaCw%2FllWMjoE7EIsyaDvA0AoYvrE7EhssaZttiFjYFETrZtt3illlQTEEx6zIywBYFETRpCD6i5E7EFsyaDdE%3D%3D
function time(){return Math.random()}
https://my.22.cn/register.html
hidden" value="
&b_mobiletail=&ftoken=
&act=send&type=regvalid&newM=1&mobilenum=
https://my.22.cn/ajax/member/mobile.ashx?t=
http://www.soozhu.com/souzhuusers/regist/
csrftoken
http://www.soozhu.com/souzhuusers/login/sendvcode/
&phone=
csrfmiddlewaretoken=
https://xluser-ssl.xunlei.com/xluser.core.login/v3/sendsms
xluser-ssl.xunlei.com
keep-alive
Connection
max-age=0
Cache-Control
http://i.xunlei.com
Origin
Upgrade-Insecure-Requests
Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/62.0.3202.94 Safari/537.36 115Browser/9.1.1
User-Agent
multipart/form-data; boundary=----WebKitFormBoundaryKBY8fudvIRGrZkC8
text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8
Accept
http://i.xunlei.com/login/?r_d=1&use_cdn=0×tamp=1557220084462&refurl=http%3A%2F%2Fi.xunlei.com%2Fxluser%2Flogin.html
Referer
zh-CN,zh;q=0.9
Accept-Language
UTF-8
WriteText
https://jq.qq.com/?_wv=1027&k=5kMVbpX
ole32.dll
kernel32.dll
user32
user32.dll
kernel32
CoInitialize
CoUninitialize
MultiByteToWideChar
WideCharToMultiByte
GetCurrentProcessId
MessageBoxTimeoutA
FindWindowExA
IsWindow
IsWindowVisible
GetWindowThreadProcessId
GetWindowTextLengthA
GetWindowTextA
GetClassNameA
GetLocalTime
GetInputState
imSun
uP| s
@reloc1
VS_VERSION_INFO
StringFileInfo
080404B0
FileVersion
1.0.0.0
FileDescription
ProductName
ProductVersion
1.0.0.0
CompanyName
LegalCopyright
852190049
Comments
VarFileInfo
Translation
访问主机纪录 (可点击查询WPING实时安全评级)
无主机纪录.
TCP
无TCP连接纪录.
UDP
无UDP连接纪录.
域名解析 (可点击查询WPING实时安全评级)
无域名信息.
TCP
无TCP连接纪录.
UDP
无UDP连接纪录.
HTTP 请求
未发现HTTP请求.
SMTP 流量
无SMTP流量.
IRC 流量
无IRC请求.
ICMP 流量
无ICMP流量.
CIF 报告
无 CIF 结果
网络警报
无警报
TLS
No TLS
Suricata HTTP
No Suricata HTTP
未发现网络提取文件
抱歉! 没有任何文件投放。
没有发现相似的分析.
| HTML 总结报告 (需15-60分钟同步) |
下载 |
|---|
Processing ( 24.041 seconds )
- 15.403 Suricata
- 6.237 VirusTotal
- 0.834 Static
- 0.544 TargetInfo
- 0.455 peid
- 0.345 NetworkAnalysis
- 0.12 AnalysisInfo
- 0.077 BehaviorAnalysis
- 0.023 Strings
- 0.003 Memory
Signatures ( 0.835 seconds )
- 0.647 md_bad_drop
- 0.028 antiav_detectreg
- 0.02 md_domain_bl
- 0.02 md_url_bl
- 0.012 infostealer_ftp
- 0.008 antiav_detectfile
- 0.007 anomaly_persistence_autorun
- 0.007 infostealer_im
- 0.007 ransomware_extensions
- 0.007 ransomware_files
- 0.006 antianalysis_detectreg
- 0.005 infostealer_bitcoin
- 0.004 api_spamming
- 0.004 infostealer_mail
- 0.003 tinba_behavior
- 0.003 stealth_decoy_document
- 0.003 stealth_timeout
- 0.003 antivm_vbox_files
- 0.003 geodo_banking_trojan
- 0.003 disables_browser_warn
- 0.002 rat_nanocore
- 0.002 betabot_behavior
- 0.002 cerber_behavior
- 0.002 bot_drive
- 0.002 browser_security
- 0.002 modify_proxy
- 0.001 network_tor
- 0.001 ursnif_behavior
- 0.001 kibex_behavior
- 0.001 shifu_behavior
- 0.001 antianalysis_detectfile
- 0.001 antidbg_devices
- 0.001 antivm_generic_diskreg
- 0.001 antivm_parallels_keys
- 0.001 antivm_xen_keys
- 0.001 banker_zeus_mutex
- 0.001 bot_drive2
- 0.001 browser_addon
- 0.001 disables_system_restore
- 0.001 disables_windows_defender
- 0.001 darkcomet_regkeys
- 0.001 malicious_drop_executable_file_to_temp_folder
- 0.001 office_security
- 0.001 rat_pcclient
- 0.001 rat_spynet
- 0.001 recon_fingerprint
- 0.001 stealth_hide_notifications
- 0.001 stealth_modify_uac_prompt
- 0.001 stealth_modify_security_center_warnings
Reporting ( 2.709 seconds )
- 1.871 Malheur
- 0.838 ReportHTMLSummary
| Task ID | 288099 |
|---|---|
| Mongo ID | 5cd266982f8f2e3af603c5c6 |
| Cuckoo release | 1.4-Maldun |
沪公网安备 31011502009736号