分析任务
| 分析类型 | 虚拟机标签 | 开始时间 | 结束时间 | 持续时间 |
|---|---|---|---|---|
| 文件 (Windows) | win7-sp1-x64-hpdapp01-1 | 2019-08-16 10:30:20 | 2019-08-16 10:33:03 | 163 秒 |
魔盾分数
10.0
危险的
文件详细信息
| 文件名 | ZSsafe.exe |
|---|---|
| 文件大小 | 3213573 字节 |
| 文件类型 | PE32 executable (GUI) Intel 80386, for MS Windows |
| MD5 | 78cc1fbaa1a89984591c90218e9d8806 |
| SHA1 | 400d6f503ba76129e9d2f9fe77c65f6cceb24f47 |
| SHA256 | c1f8a2be52e1739a4d8475f97f73daeae71af56bcd5bf468862b38b5f7e4a10b |
| SHA512 | 6e6c223906cd59206f28dbbfc28c52c955efe606ce51e330c6c79dda233d0779f0e806a117b298271be4f43f1c4148f7094ab0a92312e20486f9b028f356feef |
| CRC32 | B6815DA2 |
| Ssdeep | 49152:7fkH7Ag+ZNBaX5FvI6zZDQ6Y3eqa3rpq9nBmuT+xahqg2ryR7KmBS2RBokBF45ck:Dr9aX5l83f0rcBtTUao7yq27okBa5oA |
| Yara | 登录查看Yara规则 |
| 样本下载 提交误报 |
登录查看威胁特征
运行截图
访问主机纪录 (可点击查询WPING实时安全评级)
| 直接 | IP | 安全评级 | 地理位置 |
|---|---|---|---|
| 否 | 119.23.59.239 | 中国 | |
| 否 | 122.114.130.31 | 中国 | |
| 否 | 123.58.180.39 | 中国 |
域名解析 (可点击查询WPING实时安全评级)
| 域名 | 安全评级 | 响应 |
|---|---|---|
| mojunxie521.blog.163.com |
A 123.58.180.101 A 123.58.180.39 |
|
| 2018k.cn | A 119.23.59.239 | |
| yuanlin.6600.org | A 122.114.130.31 |
摘要
登录查看详细行为信息PE 信息
| 初始地址 | 0x00400000 |
|---|---|
| 入口地址 | 0x00401000 |
| 声明校验值 | 0x00000000 |
| 实际校验值 | 0x00315d2c |
| 最低操作系统版本要求 | 4.0 |
| 编译时间 | 1972-12-25 13:33:23 |
| 载入哈希 | 469b1bae2575baede5bf1f06a01b4767 |
版本信息
| LegalCopyright | |
|---|---|
| FileVersion | |
| CompanyName | |
| Comments | |
| ProductName | |
| ProductVersion | |
| FileDescription | |
| Translation |
PE 数据组成
| 名称 | 虚拟地址 | 虚拟大小 | 原始数据大小 | 特征 | 熵(Entropy) |
|---|---|---|---|---|---|
| .UPX1 | 0x00001000 | 0x001c6000 | 0x00000200 | IMAGE_SCN_CNT_CODE|IMAGE_SCN_MEM_EXECUTE|IMAGE_SCN_MEM_READ | 1.36 |
| .UPX1 | 0x001c7000 | 0x0014ca75 | 0x001485b3 | IMAGE_SCN_CNT_CODE|IMAGE_SCN_MEM_EXECUTE|IMAGE_SCN_MEM_READ|IMAGE_SCN_MEM_WRITE | 7.88 |
覆盖
| 偏移量 | 0x0030e791 |
| 大小 | 0x00002174 |
导入
库: kernel32.dll:
• 0x70e79e LoadLibraryA
• 0x70e7a2 GetProcAddress
• 0x70e7a6 VirtualAlloc
• 0x70e7aa VirtualProtect
• 0x70e7ae VirtualFree
• 0x70e7b2 GetModuleHandleA
.UPX1
`.UPX1
<?xml version="1.0" encoding="UTF-8" standalone="yes"?><assembly xmlns="urn:schemas-microsoft-com:asm.v1" manifestVersion="1.0"><assemblyIdentity name="E.App" processorArchitecture="x86" version="5.2.0.0" type="win32"/><dependency><dependentAssembly><assemblyIdentity type="win32" name="Microsoft.Windows.Common-Controls" version="6.0.0.0" processorArchitecture="x86" publicKeyToken="6595b64144ccf1df" language="*" /></dependentAssembly></dependency><trustInfo xmlns="urn:schemas-microsoft-com:asm.v3"> <security> <requestedPrivileges> <requestedExecutionLevel level="requireAdministrator" uiAccess="false"/> </requestedPrivileges> </security></trustInfo></assembly>
)4T[h2
oI>28
D^b{(
,:4QV@
Im.ge
vr0pcR
zK9!w
psyh1-b
3!7^@`_/
sr9xu 'v
QxcTS
o793%
e@uB+
#&n0v
[ZS:+?
_u>{#
|UWs9
Wt;C4
/y72-
U# >1
Fqc<7
jn26&
Nu?@&Z
N#p}^
)_WZns
4 UZ?
@}82:
q@@TD
K6}-*:[1
+kdnl5
,meyL
'$qAa
u`Q8M
,3r=[O
_%v4=
Po@(Ns
B~2Mx
/Ya_3
p~/5{?
`c{t&
N=<Zs|
v:/2|
Y\@LP/b
B/^z3
S=QyF
ajJl;
j{V%Q
MN]vt
]`v {
j1*2aW
[/0_G
#i;kn
VS_VERSION_INFO
StringFileInfo
080404B0
FileVersion
1.1.6.8
FileDescription
ProductName
ZSsafe
ProductVersion
1.1.6.8
CompanyName
LegalCopyright
Comments
(http://www.eyuyan.com)
VarFileInfo
Translation
| 防病毒引擎/厂商 | 病毒名/规则匹配 | 病毒库日期 |
|---|---|---|
| Bkav | 未发现病毒 | 20190815 |
| MicroWorld-eScan | Trojan.GenericKD.41522303 | 20190816 |
| CMC | 未发现病毒 | 20190321 |
| CAT-QuickHeal | Backdoor.FlyAgent | 20190814 |
| McAfee | Artemis!78CC1FBAA1A8 | 20190815 |
| Cylance | Unsafe | 20190816 |
| SUPERAntiSpyware | 未发现病毒 | 20190809 |
| K7AntiVirus | Adware ( 004b8bcf1 ) | 20190814 |
| BitDefender | Trojan.GenericKD.41522303 | 20190816 |
| K7GW | Adware ( 004b8bcf1 ) | 20190814 |
| CrowdStrike | win/malicious_confidence_90% (W) | 20190212 |
| Baidu | 未发现病毒 | 20190318 |
| F-Prot | W32/RLPacked.B.gen!Eldorado | 20190816 |
| Symantec | Trojan.Gen.6 | 20190816 |
| ESET-NOD32 | a variant of Win32/Packed.FlyStudio potentially unwanted | 20190816 |
| APEX | Malicious | 20190813 |
| Paloalto | generic.ml | 20190816 |
| ClamAV | 未发现病毒 | 20190815 |
| Kaspersky | Trojan.Win32.Inject.alxmo | 20190815 |
| Alibaba | Backdoor:Win32/Inject.c6900bd2 | 20190527 |
| NANO-Antivirus | Trojan.Win32.Inject.fvbvcr | 20190816 |
| ViRobot | 未发现病毒 | 20190813 |
| Avast | Win32:Malware-gen | 20190815 |
| Tencent | 未发现病毒 | 20190816 |
| Endgame | malicious (high confidence) | 20190802 |
| Sophos | Mal/Generic-S | 20190815 |
| Comodo | 未发现病毒 | 20190815 |
| F-Secure | Trojan.TR/Dropper.Gen | 20190815 |
| DrWeb | Trojan.Rootkit.22030 | 20190815 |
| Zillya | 未发现病毒 | 20190815 |
| Invincea | heuristic | 20190717 |
| McAfee-GW-Edition | BehavesLike.Win32.Backdoor.wc | 20190815 |
| Trapmine | malicious.high.ml.score | 20190522 |
| FireEye | Generic.mg.78cc1fbaa1a89984 | 20190816 |
| Emsisoft | Trojan.GenericKD.41522303 (B) | 20190815 |
| SentinelOne | DFI - Malicious PE | 20190807 |
| Cyren | W32/RLPacked.B.gen!Eldorado | 20190815 |
| Jiangmin | 未发现病毒 | 20190813 |
| Webroot | 未发现病毒 | 20190816 |
| Avira | TR/Dropper.Gen | 20190815 |
| Fortinet | W32/Autorun.BX!worm | 20190816 |
| Antiy-AVL | Trojan[Spy]/Win32.KeyLogger.dwl | 20190815 |
| Kingsoft | 未发现病毒 | 20190816 |
| Arcabit | Trojan.Generic.D279947F | 20190815 |
| AegisLab | Trojan.Win32.Malicious.4!c | 20190816 |
| ZoneAlarm | Trojan.Win32.Inject.alxmo | 20190815 |
| Avast-Mobile | 未发现病毒 | 20190815 |
| Microsoft | Backdoor:Win32/FlyAgent.F | 20190815 |
| TACHYON | 未发现病毒 | 20190816 |
| AhnLab-V3 | Malware/Win32.Generic.C3401931 | 20190815 |
| Acronis | suspicious | 20190815 |
| VBA32 | Backdoor.FlyAgent | 20190815 |
| ALYac | Trojan.GenericKD.41522303 | 20190815 |
| MAX | 未发现病毒 | 20190816 |
| Ad-Aware | Trojan.GenericKD.41522303 | 20190815 |
| Malwarebytes | 未发现病毒 | 20190815 |
| Zoner | 未发现病毒 | 20190815 |
| Rising | PUF.Hacktool!1.B2A6 (CLASSIC) | 20190815 |
| Yandex | Packed/RLPack | 20190811 |
| Ikarus | 未发现病毒 | 20190815 |
| eGambit | 未发现病毒 | 20190816 |
| GData | Win32.Application.PUPStudio.A | 20190816 |
| MaxSecure | 未发现病毒 | 20190803 |
| AVG | Win32:Malware-gen | 20190815 |
| Cybereason | malicious.03ba76 | 20190616 |
| Panda | 未发现病毒 | 20190815 |
| Qihoo-360 | 未发现病毒 | 20190816 |
进程树
-
ZSsafe.exe id: 2664
- ctfmon.exe id: 2900
-
services.exe id: 428
- mscorsvw.exe id: 2684
- mscorsvw.exe id: 2568
访问主机纪录 (可点击查询WPING实时安全评级)
| 直接 | IP | 安全评级 | 地理位置 |
|---|---|---|---|
| 否 | 119.23.59.239 | 中国 | |
| 否 | 122.114.130.31 | 中国 | |
| 否 | 123.58.180.39 | 中国 |
TCP
| 源地址 | 源端口 | 目标地址 | 目标端口 |
|---|---|---|---|
| 192.168.122.201 | 49170 | 119.23.59.239 2018k.cn | 80 |
| 192.168.122.201 | 49172 | 119.23.59.239 2018k.cn | 80 |
| 192.168.122.201 | 49171 | 122.114.130.31 yuanlin.6600.org | 80 |
UDP
| 源地址 | 源端口 | 目标地址 | 目标端口 |
|---|---|---|---|
| 192.168.122.201 | 53932 | 192.168.122.1 | 53 |
| 192.168.122.201 | 58181 | 192.168.122.1 | 53 |
| 192.168.122.201 | 61698 | 192.168.122.1 | 53 |
| 192.168.122.201 | 62233 | 192.168.122.1 | 53 |
域名解析 (可点击查询WPING实时安全评级)
| 域名 | 安全评级 | 响应 |
|---|---|---|
| mojunxie521.blog.163.com |
A 123.58.180.101 A 123.58.180.39 |
|
| 2018k.cn | A 119.23.59.239 | |
| yuanlin.6600.org | A 122.114.130.31 |
TCP
| 源地址 | 源端口 | 目标地址 | 目标端口 |
|---|---|---|---|
| 192.168.122.201 | 49170 | 119.23.59.239 2018k.cn | 80 |
| 192.168.122.201 | 49172 | 119.23.59.239 2018k.cn | 80 |
| 192.168.122.201 | 49171 | 122.114.130.31 yuanlin.6600.org | 80 |
UDP
| 源地址 | 源端口 | 目标地址 | 目标端口 |
|---|---|---|---|
| 192.168.122.201 | 53932 | 192.168.122.1 | 53 |
| 192.168.122.201 | 58181 | 192.168.122.1 | 53 |
| 192.168.122.201 | 61698 | 192.168.122.1 | 53 |
| 192.168.122.201 | 62233 | 192.168.122.1 | 53 |
HTTP 请求
| URI | HTTP数据 |
|---|---|
| URL专业沙箱检测 -> http://2018k.cn/api | GET /api HTTP/1.1 Cache-Control: no-cache Connection: Keep-Alive Accept: text/html, application/xhtml+xml, */* Accept-Encoding: gbk, GB2312 Accept-Language: zh-cn User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; WOW64; Trident/5.0) Host: 2018k.cn |
| URL专业沙箱检测 -> http://2018k.cn/api/ | GET /api/ HTTP/1.1 Cache-Control: no-cache Connection: Keep-Alive Accept: text/html, application/xhtml+xml, */* Accept-Encoding: gbk, GB2312 Accept-Language: zh-cn User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; WOW64; Trident/5.0) Host: 2018k.cn |
| URL专业沙箱检测 -> http://yuanlin.6600.org/cansu521.txt | GET /cansu521.txt HTTP/1.1 Accept: application/x-ms-application, image/jpeg, application/xaml+xml, image/gif, image/pjpeg, application/x-ms-xbap, application/vnd.ms-excel, application/vnd.ms-powerpoint, application/msword, */* Accept-Language: zh-CN Accept-Encoding: gzip, deflate User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E) Host: yuanlin.6600.org Connection: Keep-Alive |
| URL专业沙箱检测 -> http://2018k.cn/api/checkVersion?id=abebaa2cbd49475f9ad45be62b11f3d1&version=1.2.8.6 | GET /api/checkVersion?id=abebaa2cbd49475f9ad45be62b11f3d1&version=1.2.8.6 HTTP/1.1 Cache-Control: no-cache Connection: Keep-Alive Accept: text/html, application/xhtml+xml, */* Accept-Encoding: gbk, GB2312 Accept-Language: zh-cn User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; WOW64; Trident/5.0) Host: 2018k.cn |
| URL专业沙箱检测 -> http://2018k.cn/api/checkVersion?id=abebaa2cbd49475f9ad45be62b11f3d1&html=true.html | GET /api/checkVersion?id=abebaa2cbd49475f9ad45be62b11f3d1&html=true.html HTTP/1.1 Accept: application/x-ms-application, image/jpeg, application/xaml+xml, image/gif, image/pjpeg, application/x-ms-xbap, application/vnd.ms-excel, application/vnd.ms-powerpoint, application/msword, */* Accept-Language: zh-cn Accept-Encoding: gzip, deflate User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E) Host: 2018k.cn Connection: Keep-Alive |
SMTP 流量
无SMTP流量.
IRC 流量
无IRC请求.
ICMP 流量
无ICMP流量.
CIF 报告
无 CIF 结果
网络警报
无警报
TLS
No TLS
Suricata HTTP
No Suricata HTTP
未发现网络提取文件
抱歉! 没有任何文件投放。
没有发现相似的分析.
| HTML 总结报告 (需15-60分钟同步) |
下载 |
|---|
Processing ( 60.271 seconds )
- 23.053 BehaviorAnalysis
- 15.52 Suricata
- 8.438 Static
- 6.828 NetworkAnalysis
- 3.946 TargetInfo
- 1.476 VirusTotal
- 0.653 peid
- 0.33 AnalysisInfo
- 0.015 Strings
- 0.009 config_decoder
- 0.003 Memory
Signatures ( 10.142 seconds )
- 2.087 md_url_bl
- 1.289 api_spamming
- 1.147 injection_createremotethread
- 1.02 stealth_timeout
- 0.789 stealth_decoy_document
- 0.734 vawtrak_behavior
- 0.558 process_needed
- 0.493 injection_explorer
- 0.228 antiav_detectreg
- 0.224 process_interest
- 0.142 infostealer_browser
- 0.125 reads_self
- 0.098 stealth_file
- 0.088 mimics_filetime
- 0.087 infostealer_ftp
- 0.065 infostealer_browser_password
- 0.057 bootkit
- 0.054 antivm_generic_scsi
- 0.05 infostealer_im
- 0.047 antianalysis_detectreg
- 0.04 ipc_namedpipe
- 0.037 antivm_generic_services
- 0.037 virus
- 0.035 antivm_generic_disk
- 0.033 anormaly_invoke_kills
- 0.03 md_domain_bl
- 0.028 infostealer_mail
- 0.026 antivm_vbox_libs
- 0.026 hancitor_behavior
- 0.025 antiav_detectfile
- 0.023 antiemu_wine_func
- 0.022 kovter_behavior
- 0.021 antidbg_windows
- 0.018 infostealer_bitcoin
- 0.015 antiav_avast_libs
- 0.015 antisandbox_sunbelt_libs
- 0.014 kibex_behavior
- 0.014 geodo_banking_trojan
- 0.013 exec_crash
- 0.012 antisandbox_sboxie_libs
- 0.012 antivm_xen_keys
- 0.011 betabot_behavior
- 0.011 antiav_bitdefender_libs
- 0.011 anomaly_persistence_autorun
- 0.011 shifu_behavior
- 0.011 darkcomet_regkeys
- 0.01 maldun_suspicious
- 0.01 antivm_parallels_keys
- 0.01 antivm_vbox_files
- 0.01 ransomware_extensions
- 0.009 ransomware_files
- 0.008 dridex_behavior
- 0.008 antivm_generic_diskreg
- 0.007 antivm_vmware_libs
- 0.007 recon_fingerprint
- 0.006 network_http
- 0.005 antisandbox_productid
- 0.004 antivm_vbox_window
- 0.004 antivm_xen_keys
- 0.004 antivm_hyperv_keys
- 0.004 antivm_vbox_acpi
- 0.004 antivm_vbox_keys
- 0.004 antivm_vmware_keys
- 0.004 antivm_vpc_keys
- 0.004 disables_browser_warn
- 0.003 tinba_behavior
- 0.003 hawkeye_behavior
- 0.003 network_tor
- 0.003 rat_nanocore
- 0.003 cerber_behavior
- 0.003 antisandbox_script_timer
- 0.003 bypass_firewall
- 0.003 browser_security
- 0.003 network_torgateway
- 0.003 packer_armadillo_regkey
- 0.003 rat_pcclient
- 0.002 malicious_write_executeable_under_temp_to_regrun
- 0.002 stealth_network
- 0.002 kazybot_behavior
- 0.002 antivm_generic_bios
- 0.002 antivm_generic_cpu
- 0.002 antivm_generic_system
- 0.002 antivm_vmware_files
- 0.002 modify_proxy
- 0.002 codelux_behavior
- 0.002 md_bad_drop
- 0.002 network_cnc_http
- 0.002 recon_programs
- 0.001 network_anomaly
- 0.001 rat_luminosity
- 0.001 anomaly_persistence_bootexecute
- 0.001 clickfraud_cookies
- 0.001 antisandbox_sleep
- 0.001 sets_autoconfig_url
- 0.001 ursnif_behavior
- 0.001 heapspray_js
- 0.001 antisandbox_mouse_hook
- 0.001 ransomeware_modifies_desktop_wallpaper
- 0.001 h1n1_behavior
- 0.001 infostealer_keylog
- 0.001 sniffer_winpcap
- 0.001 antianalysis_detectfile
- 0.001 antivm_vpc_files
- 0.001 banker_cridex
- 0.001 banker_zeus_mutex
- 0.001 bot_drive
- 0.001 bot_drive2
- 0.001 browser_addon
- 0.001 disables_system_restore
- 0.001 disables_windows_defender
- 0.001 malicious_drop_executable_file_to_temp_folder
- 0.001 malicous_targeted_flame
- 0.001 network_tor_service
- 0.001 rat_spynet
- 0.001 stealth_hiddenreg
- 0.001 stealth_hide_notifications
- 0.001 stealth_modify_uac_prompt
- 0.001 stealth_modify_security_center_warnings
Reporting ( 1.195 seconds )
- 0.878 ReportHTMLSummary
- 0.317 Malheur
| Task ID | 355134 |
|---|---|
| Mongo ID | 5d5616a52f8f2e29f3d82a01 |
| Cuckoo release | 1.4-Maldun |
沪公网安备 31011502009736号