魔盾安全分析报告

分析类型	开始时间	结束时间	持续时间	分析引擎版本
FILE	2020-02-04 14:20:06	2020-02-04 14:28:49	523 秒	1.4-Maldun

虚拟机机器名	标签	虚拟机管理	开机时间	关机时间
win7-sp1-x64-hpdapp01-2	win7-sp1-x64-hpdapp01-2	KVM	2020-02-04 14:23:01	2020-02-04 14:28:50

魔盾分数
4.95 可疑的

文件详细信息

文件名	CF滑稽猫w7_vmp.exe
文件大小	4845568 字节
文件类型	PE32 executable (GUI) Intel 80386, for MS Windows
CRC32	967CCEA4
MD5	ae4c20c06a1e38e5034d08068f331029
SHA1	1f45b8a60bb61a49bdee1f21c3c7a2b10696410b
SHA256	e2d63988071256a3c924b8cf950f373bfcbdfef79530be49abcd57a86beb9874
SHA512	d17b0350cf4cb3669fbbb908657af077ce7ed31b48c0a94e42fb870a1958e70f442d72d36b3e9e43b86a2dc8f8b57ec545140326eb7468b27ec1829c31a841d8
Ssdeep	98304:Z881FujWMSIIFyd+RcPraiUAdyIptXOxvsEc1zyhrW5jY2Uf:eEuKHFycRMLcIphX1z+W1Y2o
PEiD	无匹配
Yara	DebuggerCheck__RemoteAPI () DebuggerHiding__Thread () DebuggerTiming__Ticks (Detected timing ticks function) ThreadControl__Context () vmdetect (Possibly employs anti-virtualization techniques) anti_dbg (Detected self protection if being debugged) screenshot (Detected take screenshot function) create_process (Detection function for creating a new process) keylogger (Detected keylogger function) win_registry (Detected system registries modification function) change_win_registry (Change registries to affect system) win_files_operation (Affect private profile) win_hook (Detected hook table access function) win_private_profile (Detected private profile access function) Maldun_Anomoly_Combined_Activities_7 (Spotted potential malicious behaviors from a small size target, like process manipultion, privilege, token and files) with_urls (Detected the presence of an or several urls) RijnDael_AES (Look for RijnDael AES) IsPE32 (Detected a 32bit PE sample) IsWindowsGUI (Detected a Windows GUI sample) IsPacked (Detected Entropy signature) HasOverlay (Detected Overlay signature) HasTaggantSignature (Detected Taggant Signature) HasRichSignature (Detected Rich Signature)
VirusTotal	无此文件扫描结果

特征

二进制文件可能包含加密或压缩数据

section: name: .text, entropy: 8.00, characteristics: IMAGE_SCN_CNT_CODE|IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_EXECUTE|IMAGE_SCN_MEM_READ|IMAGE_SCN_MEM_WRITE, raw_size: 0x0038a000, virtual_size: 0x0050d000

section: name: .vmp, entropy: 7.48, characteristics: IMAGE_SCN_CNT_CODE|IMAGE_SCN_MEM_NOT_PAGED|IMAGE_SCN_MEM_EXECUTE|IMAGE_SCN_MEM_READ|IMAGE_SCN_MEM_WRITE, raw_size: 0x000fe000, virtual_size: 0x000fe000

section: name: .vmp, entropy: 7.98, characteristics: IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_READ, raw_size: 0x00001000, virtual_size: 0x00001000

魔盾安全Yara规则检测结果 - 安全告警

Informational: Possibly employs anti-virtualization techniques

Critical: Spotted potential malicious behaviors from a small size target, like process manipultion, privilege, token and files

Informational: Detected Taggant Signature

可执行文件可能使用VMProtect打包

section: {'name': '.vmp', 'characteristics': 'IMAGE_SCN_CNT_CODE|IMAGE_SCN_MEM_NOT_PAGED|IMAGE_SCN_MEM_EXECUTE|IMAGE_SCN_MEM_READ|IMAGE_SCN_MEM_WRITE', 'virtual_address': '0x0050e000', 'size_of_data': '0x000fe000', 'entropy': '7.48', 'virtual_size': '0x000fe000', 'characteristics_raw': '0xe8000020'}

异常的二进制特征

anomaly: Found duplicated section names

运行截图

无运行截图

网络分析

无信息

静态分析

PE 信息

初始地址	0x00400000
入口地址	0x00a0a1bf
声明校验值	0x004a4ea4
实际校验值	0x004a4ea4
最低操作系统版本要求	4.0
编译时间	2020-02-04 13:15:55
载入哈希	ecdece3dc58998410c5e06cb99b28368

版本信息

LegalCopyright:	\u4f5c\u8005\u7248\u6743\u6240\u6709 \u8bf7\u5c0a\u91cd\u5e76\u4f7f\u7528\u6b63\u7248
FileVersion:	8.6.0.0
Comments:	\u672c\u7a0b\u5e8f\u4f7f\u7528\u6613\u8bed\u8a00\u7f16\u5199(http://www.eyuyan.com)
ProductName:	\u6613\u8bed\u8a00\u7a0b\u5e8f
ProductVersion:	8.6.0.0
FileDescription:	\u6613\u8bed\u8a00\u7a0b\u5e8f
Translation:	0x0804 0x04b0

PE数据组成

名称	虚拟地址	虚拟大小	原始数据大小	特征	熵(Entropy)
.text	0x00001000	0x0050d000	0x0038a000	IMAGE_SCN_CNT_CODE\|IMAGE_SCN_CNT_INITIALIZED_DATA\|IMAGE_SCN_MEM_EXECUTE\|IMAGE_SCN_MEM_READ\|IMAGE_SCN_MEM_WRITE	8.00
.vmp	0x0050e000	0x000fe000	0x000fe000	IMAGE_SCN_CNT_CODE\|IMAGE_SCN_MEM_NOT_PAGED\|IMAGE_SCN_MEM_EXECUTE\|IMAGE_SCN_MEM_READ\|IMAGE_SCN_MEM_WRITE	7.48
.idata	0x0060c000	0x00001000	0x00001000	IMAGE_SCN_CNT_INITIALIZED_DATA\|IMAGE_SCN_MEM_NOT_PAGED\|IMAGE_SCN_MEM_READ\|IMAGE_SCN_MEM_WRITE	1.43
.rsrc	0x0060d000	0x00012000	0x00012000	IMAGE_SCN_CNT_INITIALIZED_DATA\|IMAGE_SCN_MEM_READ\|IMAGE_SCN_MEM_WRITE	2.41
.vmp	0x0061f000	0x00001000	0x00001000	IMAGE_SCN_CNT_INITIALIZED_DATA\|IMAGE_SCN_MEM_READ	7.98

覆盖

偏移量:	0x0049d000
大小:	0x00002000

导入

库 WINMM.dll:

• 0xa0c2f6 - midiStreamOut

库 WS2_32.dll:

• 0xa0c302 - WSAAsyncSelect

库 KERNEL32.dll:

• 0xa0c30e - GetTimeZoneInformation

库 USER32.dll:

• 0xa0c31a - DefWindowProcA

库 GDI32.dll:

• 0xa0c326 - ExtSelectClipRgn

库 WINSPOOL.DRV:

• 0xa0c332 - DocumentPropertiesA

库 ADVAPI32.dll:

• 0xa0c33e - RegOpenKeyExA

库 SHELL32.dll:

• 0xa0c34a - ShellExecuteA

库 ole32.dll:

• 0xa0c356 - CoGetClassObject

库 OLEAUT32.dll:

• 0xa0c362 - VariantTimeToSystemTime

库 COMCTL32.dll:

• 0xa0c36e - ImageList_Add

库 oledlg.dll:

• 0xa0c37a - None

库 comdlg32.dll:

• 0xa0c386 - ChooseColorA

库 MSVCRT.dll:

• 0xa0c392 - strncpy

库 IPHLPAPI.DLL:

• 0xa0c39e - GetInterfaceInfo

库 PSAPI.DLL:

• 0xa0c3aa - GetMappedFileNameW

投放文件

无信息

行为分析

互斥量(Mutexes) 无信息

执行的命令 无信息

创建的服务 无信息

启动的服务 无信息

进程

无信息

访问的文件 无信息

读取的文件 无信息

修改的文件 无信息

删除的文件 无信息

注册表键 无信息

读取的注册表键 无信息

修改的注册表键 无信息

删除的注册表键 无信息

API解析 无信息