Maldun (魔盾) Security Analysis Report

Analysis type  Start time           End time             Duration  Analysis engine version
FILE           2020-07-14 13:27:40  2020-07-14 13:28:21  41 s      1.4-Maldun

VM name                  Label                    Hypervisor  Boot time            Shutdown time
win7-sp1-x64-hpdapp01-1  win7-sp1-x64-hpdapp01-1  KVM         2020-07-14 13:27:44  2020-07-14 13:28:22
Maldun score

1.4

Normal

Caveat: the score is driven by the dynamic run, and that run recorded nothing at all (no process, file, registry, mutex or network events, see Behavior analysis below). A 1.4 here means "no behavior observed", not "behavior observed and found benign"; the static Yara hits in the Signatures section are the only signal this report actually carries.

File details

File name   烛龙.exe
File size   459264 bytes
File type   PE32 executable (console) Intel 80386, for MS Windows
CRC32       44343F76
MD5         472e80d5b3778f3d48dc81b558a5faf3
SHA1        595d70eec018d64099a23b9cc3fd37b28d7a73f9
SHA256      e4f6b14419ef77c9d670a2f28ae95d6c6ea15cb8b0f3e1c8040bc1d7cba0153f
SHA512      049dad82e09b9b693fa4351967df71ddeb87497a0c28a1850b2caa931543c5cbdbed5291ec187d1cfe9ab8f4e68cb94f626d0db9c6178c4ee858055c4e41091e
Ssdeep      6144:735EgwfnnIjxOSBEWUwihyvec5Y1oiLd4akZZkfQVCStbrDo:T5EgWnnQ5GWUbhyveu+o0dPkZafyrU
PEiD        no match
Yara
  • DebuggerTiming__PerformanceCounter ()
  • DebuggerTiming__Ticks (Detected timing ticks function)
  • anti_dbg (Detected self protection if being debugged)
  • create_process (Detection function for creating a new process)
  • keylogger (Detected keylogger function)
  • win_files_operation (Affect private profile)
  • win_private_profile (Detected private profile access function)
  • Maldun_Anomoly_Combined_Activities_7 (Spotted potential malicious behaviors from a small size target, like process manipulation, privilege, token and files)
  • IsPE32 (Detected a 32bit PE sample)
  • IsConsole (Detected a console program sample)
  • HasDebugData (Detected Debug Data)
  • HasRichSignature (Detected Rich Signature)
VirusTotal  no scan result for this file

Reading the Yara hits against the import table below: the only keyboard-related import is GetAsyncKeyState, which is what the keylogger rule keys on and is also the normal way a console tool polls a hotkey; the DebuggerTiming*/anti_dbg rules key on QueryPerformanceCounter, GetTickCount and IsDebuggerPresent, which the Visual Studio 2015+ startup code (security-cookie initialisation and __scrt_fastfail) imports into every binary it builds; create_process corresponds to the CRT `system` import. These are capability hints from static matching, not verdicts.

Signatures

Maldun Yara rule detection results - security alert
Critical: Spotted potential malicious behaviors from a small size target, like process manipulation, privilege, token and files

Screenshots

No screenshots

Network analysis

No information

Static analysis

PE information

Image base                   0x00400000
Entry point                  0x0045446c
Declared checksum            0x00000000
Actual checksum              0x00073082
Minimum OS version required  6.0
PDB path                     D:\工具源码\C#源码\烛龙免费版\Release\烛龙.pdb
Compile timestamp            2020-07-14 13:26:39
Import hash (imphash)        ac4357ac3926fa94809ed9d51f74372c

Notes on these fields:

A declared checksum of 0 means the linker never filled the field in, which is the default for user-mode executables (Windows only enforces the checksum for drivers and a few system images). The mismatch with the computed value 0x00073082 is therefore not evidence of post-link tampering; a non-zero declared value that disagrees with the computed one would be.

The PDB path was mis-encoded in the raw report (UTF-8 bytes shown as escapes) and is decoded above; the folder names read "tool source\C# source\烛龙 free edition". Despite the "C#" folder, the binary is native C++ built with Visual Studio 2015 or later (MSVCP140.dll, VCRUNTIME140.dll and api-ms-win-crt-* imports, no mscoree.dll), not a .NET assembly.

The compile timestamp is 61 seconds before the analysis start time, so the file was submitted immediately after being built. PE timestamps are writer-controlled and can be forged, but here the value is at least self-consistent with a fresh build.
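To make the "declared vs actual checksum" rows concrete, here is the PE image-checksum algorithm (the one CheckSumMappedFile implements and that a sandbox reports as the "actual" value) as an added example. This is my own code, not part of the Maldun report; the 256-byte MZ/PE stub it builds is constructed test data, not the analysed file.

```python
import struct
import sys


def pe_checksum(data: bytes) -> int:
    """Ones'-complement sum of every 16-bit little-endian word in the file,
    skipping the 4-byte CheckSum field itself, folded to 16 bits, plus the
    file length. This is the value Windows compares the header field against."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        raise ValueError("not an MZ file")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if e_lfanew + 92 > len(data) or data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("PE header not found")
    # CheckSum is at offset 64 of the optional header for PE32 and PE32+ alike:
    # e_lfanew + 4 (signature) + 20 (COFF header) + 64.
    checksum_off = e_lfanew + 88
    padded = data + b"\0" * (len(data) % 2)  # sum whole words; odd tail is zero-padded
    total = 0
    for off in range(0, len(padded), 2):
        if checksum_off <= off < checksum_off + 4:
            continue  # the field being computed does not count towards itself
        total += struct.unpack_from("<H", padded, off)[0]
        total = (total & 0xFFFF) + (total >> 16)  # end-around carry
    total = (total & 0xFFFF) + (total >> 16)
    return (total & 0xFFFF) + len(data)  # original length, not the padded one


def checksum_status(data: bytes) -> dict:
    """Compare the header's declared checksum with the computed one.
    'unset' (declared 0) is the normal state for user-mode EXEs, as in the
    report above; 'mismatch' means the file changed after the field was
    written, or the header was forged."""
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    declared = struct.unpack_from("<I", data, e_lfanew + 88)[0]
    actual = pe_checksum(data)
    if declared == 0:
        verdict = "unset"
    elif declared == actual:
        verdict = "verified"
    else:
        verdict = "mismatch"
    return {"declared": declared, "actual": actual, "verdict": verdict}


def make_stub_pe(declared_checksum: int) -> bytes:
    """Constructed test data: a minimal 256-byte MZ/PE shell (not a runnable
    executable) with e_lfanew = 0x40 and the given CheckSum field value."""
    buf = bytearray(256)
    buf[0:2] = b"MZ"
    struct.pack_into("<I", buf, 0x3C, 0x40)            # e_lfanew
    buf[0x40:0x44] = b"PE\0\0"
    struct.pack_into("<I", buf, 0x40 + 88, declared_checksum)
    return bytes(buf)


if __name__ == "__main__":
    # Usage: python pe_checksum.py <file.exe>
    with open(sys.argv[1], "rb") as fh:
        print(checksum_status(fh.read()))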

Version information

LegalCopyright: uu_ball
InternalName: uu_ball.exe
FileVersion: 2.1.2.0
CompanyName: uu_ball.exe
ProductName: uu_ball
ProductVersion: 2.1.2.0
FileDescription: uu_ball
OriginalFilename: uu_ball.exe
Translation: 0x0004 0x04b0

The version resource names the product "uu_ball" while the file name and PDB path say 烛龙. Version resources are free-form and are routinely copied between projects, so neither name is authoritative; the mismatch is worth recording but is not by itself an indicator.

PE sections

Name    Virtual address  Virtual size  Raw size    Characteristics                                                              Entropy
.text   0x00001000       0x00054082    0x00054200  IMAGE_SCN_CNT_CODE|IMAGE_SCN_MEM_EXECUTE|IMAGE_SCN_MEM_READ                  6.03
.rdata  0x00056000       0x00003e0e    0x00004000  IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_READ                            5.74
.data   0x0005a000       0x00012e84    0x00012c00  IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_READ|IMAGE_SCN_MEM_WRITE        0.90
.rsrc   0x0006d000       0x00002b00    0x00002c00  IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_READ                            3.78
.reloc  0x00070000       0x000023c8    0x00002400  IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_DISCARDABLE|IMAGE_SCN_MEM_READ  6.74

Nothing in the section table suggests packing or a self-modifying loader: the section names are the standard MSVC set, code entropy is 6.03 (compiled code, not compressed or encrypted data), raw sizes are the virtual sizes rounded up to the 0x200 file alignment, and no section is both writable and executable. This agrees with PEiD reporting no match.

Imports

The capability-relevant entries in the full list below are CreateToolhelp32Snapshot/Process32First/Process32Next/Module32Next (walk processes and their modules), OpenProcess with ReadProcessMemory and WriteProcessMemory (read and patch another process's memory; note there is no CreateRemoteThread, QueueUserAPC or SetThreadContext, so the classic injection chain is incomplete), GetAsyncKeyState (key polling), GetPrivateProfileStringA/GetPrivateProfileIntA (reads an INI configuration), `system` from the UCRT (shell command execution) and CreateWindowStationA. The block from IsDebuggerPresent through GetModuleHandleW is the standard Visual Studio 2015+ startup import set. The older-style entries (TlsAlloc, IsBadCodePtr, GetVersion, SetHandleCount, GetEnvironmentStrings, HeapCreate) alongside the UCRT api-ms-win-crt-* imports usually indicate a third-party library built with an older toolchain linked in statically; the report does not identify it.

Library KERNEL32.dll:
0x456000 - WriteProcessMemory
0x456004 - ReadProcessMemory
0x456008 - SetConsoleTextAttribute
0x45600c - GetStdHandle
0x456010 - Sleep
0x456014 - GetPrivateProfileIntA
0x456018 - GetPrivateProfileStringA
0x45601c - SetConsoleTitleA
0x456020 - GetModuleHandleA
0x456024 - FreeConsole
0x456028 - CreateThread
0x45602c - Process32First
0x456030 - Module32Next
0x456034 - OpenProcess
0x456038 - CreateToolhelp32Snapshot
0x45603c - Process32Next
0x456040 - CloseHandle
0x456044 - GetLastError
0x456048 - TlsGetValue
0x45604c - SetLastError
0x456050 - TlsFree
0x456054 - TlsAlloc
0x456058 - TlsSetValue
0x45605c - RtlUnwind
0x456060 - InterlockedIncrement
0x456064 - InterlockedDecrement
0x456068 - GetVersion
0x45606c - GetCommandLineA
0x456070 - IsBadCodePtr
0x456074 - SetStdHandle
0x456078 - FlushFileBuffers
0x45607c - LCMapStringA
0x456080 - FreeLibrary
0x456084 - WriteFile
0x456088 - CreateDirectoryA
0x45608c - GetFileSize
0x456090 - ReadFile
0x456094 - GetLocalTime
0x456098 - IsBadReadPtr
0x45609c - HeapReAlloc
0x4560a0 - ExitProcess
0x4560a4 - HeapFree
0x4560a8 - DeleteCriticalSection
0x4560ac - TerminateThread
0x4560b0 - GetExitCodeThread
0x4560b4 - SetHandleInformation
0x4560b8 - GetComputerNameA
0x4560bc - LoadLibraryA
0x4560c0 - InitializeCriticalSection
0x4560c4 - GetVolumeInformationA
0x4560c8 - DeviceIoControl
0x4560cc - CreateFileA
0x4560d0 - RtlMoveMemory
0x4560d4 - HeapAlloc
0x4560d8 - GetProcessHeap
0x4560dc - GetTickCount
0x4560e0 - QueryPerformanceFrequency
0x4560e4 - LeaveCriticalSection
0x4560e8 - GetWindowsDirectoryA
0x4560ec - EnterCriticalSection
0x4560f0 - lstrcpyn
0x4560f4 - GetProcAddress
0x4560f8 - WideCharToMultiByte
0x4560fc - MultiByteToWideChar
0x456100 - GetModuleHandleW
0x456104 - IsDebuggerPresent
0x456108 - InitializeSListHead
0x45610c - GetSystemTimeAsFileTime
0x456110 - GetCurrentThreadId
0x456114 - GetCurrentProcessId
0x456118 - QueryPerformanceCounter
0x45611c - IsProcessorFeaturePresent
0x456120 - TerminateProcess
0x456124 - GetCurrentProcess
0x456128 - GetStringTypeW
0x45612c - GetStringTypeA
0x456130 - SetFilePointer
0x456134 - GetOEMCP
0x456138 - GetACP
0x45613c - GetCPInfo
0x456140 - IsBadWritePtr
0x456144 - VirtualAlloc
0x456148 - RaiseException
0x45614c - LCMapStringW
0x456150 - SetUnhandledExceptionFilter
0x456154 - UnhandledExceptionFilter
0x456158 - VirtualFree
0x45615c - GetFileType
0x456160 - HeapCreate
0x456164 - HeapDestroy
0x456168 - GetVersionExA
0x45616c - GetEnvironmentVariableA
0x456170 - GetEnvironmentStringsW
0x456174 - GetEnvironmentStrings
0x456178 - FreeEnvironmentStringsW
0x45617c - FreeEnvironmentStringsA
0x456180 - GetStartupInfoA
0x456184 - GetModuleFileNameA
0x456188 - SetHandleCount
Library USER32.dll:
0x4561d0 - PeekMessageA
0x4561d4 - GetMessageA
0x4561d8 - TranslateMessage
0x4561dc - DispatchMessageA
0x4561e0 - GetAsyncKeyState
0x4561e4 - wsprintfA
0x4561e8 - MessageBoxA
0x4561ec - CloseWindowStation
0x4561f0 - CreateWindowStationA
Library MSVCP140.dll:
0x456190 - ?cout@std@@3V?$basic_ostream@DU?$char_traits@D@std@@@1@A
0x456194 - ?uncaught_exception@std@@YA_NXZ
0x456198 - ?sputn@?$basic_streambuf@DU?$char_traits@D@std@@@std@@QAE_JPBD_J@Z
0x45619c - ??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QAEAAV01@P6AAAV01@AAV01@@Z@Z
0x4561a0 - ??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QAEAAV01@H@Z
0x4561a4 - ?widen@?$basic_ios@DU?$char_traits@D@std@@@std@@QBEDD@Z
0x4561a8 - ??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QAEAAV01@M@Z
0x4561ac - ?put@?$basic_ostream@DU?$char_traits@D@std@@@std@@QAEAAV12@D@Z
0x4561b0 - ?sputc@?$basic_streambuf@DU?$char_traits@D@std@@@std@@QAEHD@Z
0x4561b4 - ?_Osfx@?$basic_ostream@DU?$char_traits@D@std@@@std@@QAEXXZ
0x4561b8 - ?flush@?$basic_ostream@DU?$char_traits@D@std@@@std@@QAEAAV12@XZ
0x4561bc - ?cin@std@@3V?$basic_istream@DU?$char_traits@D@std@@@1@A
0x4561c0 - ?setstate@?$basic_ios@DU?$char_traits@D@std@@@std@@QAEXH_N@Z
0x4561c4 - ?_Xlength_error@std@@YAXPBD@Z
0x4561c8 - ?get@?$basic_istream@DU?$char_traits@D@std@@@std@@QAEHXZ
Library VCRUNTIME140.dll:
0x4561f8 - _except_handler4_common
0x4561fc - memcpy
0x456200 - memset
0x456204 - __current_exception_context
0x456208 - _CxxThrowException
0x45620c - __CxxFrameHandler3
0x456210 - __std_terminate
0x456214 - __std_exception_destroy
0x456218 - __std_exception_copy
0x45621c - memmove
0x456220 - strstr
0x456224 - __current_exception
Library api-ms-win-crt-convert-l1-1-0.dll:
0x45622c - atof
Library api-ms-win-crt-stdio-l1-1-0.dll:
0x4562b8 - getchar
0x4562bc - __p__commode
0x4562c0 - _set_fmode
Library api-ms-win-crt-runtime-l1-1-0.dll:
0x456260 - _invalid_parameter_noinfo_noreturn
0x456264 - _seh_filter_exe
0x456268 - terminate
0x45626c - _controlfp_s
0x456270 - _crt_atexit
0x456274 - _register_onexit_function
0x456278 - _initialize_onexit_table
0x45627c - _set_app_type
0x456280 - _register_thread_local_exe_atexit_callback
0x456284 - _c_exit
0x456288 - _cexit
0x45628c - __p___argv
0x456290 - __p___argc
0x456294 - _configure_narrow_argv
0x456298 - _exit
0x45629c - exit
0x4562a0 - _initterm_e
0x4562a4 - _initterm
0x4562a8 - _get_initial_narrow_environment
0x4562ac - _initialize_narrow_environment
0x4562b0 - system
Library api-ms-win-crt-string-l1-1-0.dll:
0x4562c8 - strncpy
Library api-ms-win-crt-heap-l1-1-0.dll:
0x456234 - _callnewh
0x456238 - malloc
0x45623c - _set_new_mode
0x456240 - free
Library api-ms-win-crt-math-l1-1-0.dll:
0x456250 - _CIatan2
0x456254 - _libm_sse2_sqrt_precise
0x456258 - __setusermatherr
Library api-ms-win-crt-locale-l1-1-0.dll:
0x456248 - _configthreadlocale
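The following is an added example, not part of the Maldun report or its Yara rule set: a small triage script that parses an import listing in the report's "Library X:" / "0xADDR - Name" layout into per-library lists and evaluates capability rules over it. The rules are my own heuristics modelled on the rule names above (toolhelp process walk, cross-process memory access, remote-thread injection, key polling, INI reading, shell execution, and a "noise" rule for the MSVC security-cookie import set); the embedded input is an excerpt of this report's own import table. Run against this sample it shows the points made above in executable form: keystroke_polling fires on GetAsyncKeyState alone, the timing APIs are matched as CRT noise, and remote_thread_injection does not fire because no remote-execution primitive is imported.

```python
import re
from collections import OrderedDict

# Excerpt of the import table from the report above, embedded as test input.
REPORT_EXCERPT = """\
Library KERNEL32.dll:
0x456000 - WriteProcessMemory
0x456004 - ReadProcessMemory
0x456014 - GetPrivateProfileIntA
0x456018 - GetPrivateProfileStringA
0x45602c - Process32First
0x456030 - Module32Next
0x456034 - OpenProcess
0x456038 - CreateToolhelp32Snapshot
0x45603c - Process32Next
0x4560dc - GetTickCount
0x456104 - IsDebuggerPresent
0x45610c - GetSystemTimeAsFileTime
0x456110 - GetCurrentThreadId
0x456114 - GetCurrentProcessId
0x456118 - QueryPerformanceCounter
Library USER32.dll:
0x4561e0 - GetAsyncKeyState
0x4561e8 - MessageBoxA
Library api-ms-win-crt-runtime-l1-1-0.dll:
0x4562b0 - system
"""

LIB_RE = re.compile(r"^(?:Library|库)\s+(\S+):\s*$")
IMP_RE = re.compile(r"^0x[0-9a-fA-F]+\s*-\s*(\S+)\s*$")


def parse_imports(text):
    """Turn the report's import listing into {library: [imported names]},
    preserving library order. Lines that match neither pattern are ignored."""
    imports, current = OrderedDict(), None
    for raw in text.splitlines():
        line = raw.strip()
        m = LIB_RE.match(line)
        if m:
            current = m.group(1)
            imports.setdefault(current, [])
            continue
        m = IMP_RE.match(line)
        if m and current is not None:
            imports[current].append(m.group(1))
    return imports


# Heuristic capability rules (my own, not Maldun's Yara). Every name in "all"
# must be imported, and at least one name in "any" when "any" is non-empty.
RULES = {
    "toolhelp_process_walk": {
        "all": ["CreateToolhelp32Snapshot", "Process32First", "Process32Next"], "any": []},
    "cross_process_memory": {
        "all": ["OpenProcess"], "any": ["ReadProcessMemory", "WriteProcessMemory"]},
    # Writing memory is only half of injection; something must run it.
    "remote_thread_injection": {
        "all": ["OpenProcess", "WriteProcessMemory"],
        "any": ["CreateRemoteThread", "NtCreateThreadEx", "QueueUserAPC", "SetThreadContext"]},
    "keystroke_polling": {
        "all": [], "any": ["GetAsyncKeyState", "GetKeyState", "SetWindowsHookExA", "SetWindowsHookExW"]},
    "ini_config_read": {
        "all": [], "any": ["GetPrivateProfileStringA", "GetPrivateProfileStringW",
                           "GetPrivateProfileIntA", "GetPrivateProfileIntW"]},
    "shell_command_exec": {
        "all": [], "any": ["system", "WinExec", "ShellExecuteA", "ShellExecuteW",
                           "CreateProcessA", "CreateProcessW"]},
    # __security_init_cookie in the MSVC 2015+ CRT imports exactly this set, so
    # "timing" rules that key on these APIs fire on every such binary.
    "crt_security_cookie_noise": {
        "all": ["GetSystemTimeAsFileTime", "GetCurrentProcessId", "GetCurrentThreadId",
                "GetTickCount", "QueryPerformanceCounter"], "any": []},
}


def triage(imports):
    """Return {rule_name: sorted list of the imports that satisfied it} for
    every rule that fires; an empty dict means nothing matched."""
    present = {name for names in imports.values() for name in names}
    fired = {}
    for rule, spec in RULES.items():
        if not all(n in present for n in spec["all"]):
            continue
        any_hits = [n for n in spec["any"] if n in present]
        if spec["any"] and not any_hits:
            continue
        fired[rule] = sorted(set(spec["all"]) | set(any_hits))
    return fired


if __name__ == "__main__":
    for rule, hits in triage(parse_imports(REPORT_EXCERPT)).items():
        print(f"{rule:28s} {', '.join(hits)}")
```

To run it over a real binary rather than a report, feed `triage()` a dict built from the PE import directory (pefile's `DIRECTORY_ENTRY_IMPORT` gives the same library-to-names shape); the rule table is deliberately small so that each hit can be explained to whoever reads the ticket.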

Dropped files

No information

Behavior analysis

Mutexes                 no information
Commands executed       no information
Services created        no information
Services started        no information

Processes

No information

Files accessed          no information
Files read              no information
Files modified          no information
Files deleted           no information
Registry keys           no information
Registry keys read      no information
Registry keys modified  no information
Registry keys deleted   no information
API resolution          no information

Every dynamic category is empty, including the process list, so the sandbox recorded no process activity for the sample at all during the 41-second run. Two explanations are consistent with the static data, though the report confirms neither: the Win7 SP1 guest may lack the Visual C++ 2015+ runtime (MSVCP140.dll, VCRUNTIME140.dll, api-ms-win-crt-*), in which case the loader refuses to start the image before any behavior can be observed; or the console program may depend on companion files (it reads an INI via GetPrivateProfileStringA) or on keyboard input (getchar/cin imports) that the unattended run never supplied. Either way the "Normal" score rests on an absence of data; re-run with the runtime installed, the sample's original directory contents, and interaction enabled before treating this file as benign.