魔盾安全分析报告

分析类型	开始时间	结束时间	持续时间	分析引擎版本
FILE	2021-04-21 22:08:04	2021-04-21 22:08:31	27 秒	1.4-Maldun

虚拟机机器名	标签	虚拟机管理	开机时间	关机时间
win7-sp1-x64-shaapp03-1	win7-sp1-x64-shaapp03-1	KVM	2021-04-21 22:08:04	2021-04-21 22:08:33

魔盾分数
1.55 正常的

文件详细信息

文件名	aaa.exe
文件大小	123904 字节
文件类型	PE32+ executable (GUI) x86-64, for MS Windows
CRC32	C9B08EE0
MD5	fa9b9fbaf58ad3a1b83c6f98e67446c7
SHA1	b71add49ca093a94d979319dc323f1f8d1235190
SHA256	9fdc678b76cec3189f1d0ad32f838de1c3a5ec1b0aca4ee9df4aa1c65ebe6c94
SHA512	8092365c8dd0c24e3fe4d3f3f6100e4f9bab1be13dec9b6e5140057aa73c920017c37b9ab20d12d269c9c225e41006f8bdd4c599cdb5dcc3e3916b26e8a47c72
Ssdeep	3072:TDq7d/EgyrW9qMB/2SfPNYBIM6yUTh2n6hF:a7egyrMq2/Pfdh2nSF
PEiD	无匹配
Yara	RijnDael_AES_CHAR (Look for RijnDael AES (check2) [char]) RijnDael_AES_LONG (Look for RijnDael AES) with_images (Detected the presence of an or several images) IsPE64 (Detected a 64bit PE sample) IsWindowsGUI (Detected a Windows GUI sample) HasDebugData (Detected Debug Data) HasRichSignature (Detected Rich Signature) DebuggerTiming__PerformanceCounter () anti_dbg (Detected self protection if being debugged) network_http (Detected communications function over HTTP) win_mutex (Create or check mutex) win_files_operation (Affect private profile)
VirusTotal	VirusTotal查询失败

特征

魔盾安全Yara规则检测结果 - 安全告警

Warning: Look for RijnDael AES

检测到网络活动但没有显示在API日志中

ip: 23.210.215.89

domain: acroipm.adobe.com

运行截图

无运行截图

网络分析

域名解析

域名	响应
acroipm.adobe.com	A 23.210.215.89 CNAME acroipm.adobe.com.edgesuite.net CNAME a1983.dscd.akamai.net A 104.116.243.120

TCP连接

IP地址	端口
23.210.215.89	80

UDP连接

IP地址	端口
192.168.122.1	53

HTTP请求

URL	HTTP数据
http://acroipm.adobe.com/11/rdr/CHS/win/nooem/none/message.zip	GET /11/rdr/CHS/win/nooem/none/message.zip HTTP/1.1 Accept: / If-Modified-Since: Mon, 08 Nov 2017 08:44:36 GMT User-Agent: IPM Host: acroipm.adobe.com Connection: Keep-Alive Cache-Control: no-cache

静态分析

PE 信息

初始地址	0x140000000
入口地址	0x140003ec8
声明校验值	0x00000000
实际校验值	0x0002cd3e
最低操作系统版本要求	6.0
编译时间	2021-04-20 16:00:08
载入哈希	b65e828ef41d80dd35d27a35b0e43f9d
图标
图标精确哈希值	9bb381fe083cac2e6a108ebacab6777b
图标相似性哈希值	2560d83fffabc772a603f8cd35f190fe

PE数据组成

名称	虚拟地址	虚拟大小	原始数据大小	特征	熵(Entropy)
.text	0x00001000	0x0000d5b0	0x0000d600	IMAGE_SCN_CNT_CODE\|IMAGE_SCN_MEM_EXECUTE\|IMAGE_SCN_MEM_READ	6.43
.rdata	0x0000f000	0x00009be6	0x00009c00	IMAGE_SCN_CNT_INITIALIZED_DATA\|IMAGE_SCN_MEM_READ	4.87
.data	0x00019000	0x00002d80	0x00000c00	IMAGE_SCN_CNT_INITIALIZED_DATA\|IMAGE_SCN_MEM_READ\|IMAGE_SCN_MEM_WRITE	2.18
.pdata	0x0001c000	0x00000f9c	0x00001000	IMAGE_SCN_CNT_INITIALIZED_DATA\|IMAGE_SCN_MEM_READ	4.81
.gfids	0x0001d000	0x000000c4	0x00000200	IMAGE_SCN_CNT_INITIALIZED_DATA\|IMAGE_SCN_MEM_READ	0.97
.rsrc	0x0001e000	0x00004790	0x00004800	IMAGE_SCN_CNT_INITIALIZED_DATA\|IMAGE_SCN_MEM_READ	2.65
.reloc	0x00023000	0x0000062c	0x00000800	IMAGE_SCN_CNT_INITIALIZED_DATA\|IMAGE_SCN_MEM_DISCARDABLE\|IMAGE_SCN_MEM_READ	4.76

资源

名称	偏移量	大小	语言	子语言	熵(Entropy)	文件类型
RT_ICON	0x0001e0f0	0x00004228	LANG_CHINESE	SUBLANG_CHINESE_SIMPLIFIED	2.10	dBase IV DBT of \200.DBF, blocks size 0, block length 16384, next free block index 40, next free block 4294967295, next used block 4294967295
RT_GROUP_ICON	0x00022318	0x00000014	LANG_CHINESE	SUBLANG_CHINESE_SIMPLIFIED	1.92	MS Windows icon resource - 1 icon, 64x64
RT_MANIFEST	0x00022330	0x0000045b	LANG_ENGLISH	SUBLANG_ENGLISH_US	5.33	XML 1.0 document, UTF-8 Unicode (with BOM) text, with very long lines, with CRLF line terminators

导入

库 KERNEL32.dll:

• 0x14000f000 - FindFirstFileA

• 0x14000f008 - VirtualProtect

• 0x14000f010 - HeapFree

• 0x14000f018 - SetLastError

• 0x14000f020 - VirtualFree

• 0x14000f028 - WriteFile

• 0x14000f030 - VirtualAlloc

• 0x14000f038 - FindNextFileA

• 0x14000f040 - lstrlenA

• 0x14000f048 - FindClose

• 0x14000f050 - CreateMutexA

• 0x14000f058 - Sleep

• 0x14000f060 - GetLastError

• 0x14000f068 - CreateFileA

• 0x14000f070 - LoadLibraryA

• 0x14000f078 - CloseHandle

• 0x14000f080 - GetNativeSystemInfo

• 0x14000f088 - GetSystemInfo

• 0x14000f090 - GetModuleFileNameA

• 0x14000f098 - HeapAlloc

• 0x14000f0a0 - GetProcAddress

• 0x14000f0a8 - GetProcessHeap

• 0x14000f0b0 - GlobalMemoryStatusEx

• 0x14000f0b8 - FreeLibrary

• 0x14000f0c0 - IsBadReadPtr

• 0x14000f0c8 - FlushFileBuffers

• 0x14000f0d0 - lstrcatA

• 0x14000f0d8 - CreateFileW

• 0x14000f0e0 - SetFilePointerEx

• 0x14000f0e8 - HeapSize

• 0x14000f0f0 - GetConsoleMode

• 0x14000f0f8 - GetConsoleCP

• 0x14000f100 - SetStdHandle

• 0x14000f108 - FreeEnvironmentStringsW

• 0x14000f110 - GetEnvironmentStringsW

• 0x14000f118 - GetCommandLineW

• 0x14000f120 - GetCommandLineA

• 0x14000f128 - GetCPInfo

• 0x14000f130 - GetOEMCP

• 0x14000f138 - IsValidCodePage

• 0x14000f140 - GetWindowsDirectoryA

• 0x14000f148 - RtlCaptureContext

• 0x14000f150 - RtlLookupFunctionEntry

• 0x14000f158 - RtlVirtualUnwind

• 0x14000f160 - UnhandledExceptionFilter

• 0x14000f168 - SetUnhandledExceptionFilter

• 0x14000f170 - GetCurrentProcess

• 0x14000f178 - TerminateProcess

• 0x14000f180 - IsProcessorFeaturePresent

• 0x14000f188 - QueryPerformanceCounter

• 0x14000f190 - GetCurrentProcessId

• 0x14000f198 - GetCurrentThreadId

• 0x14000f1a0 - GetSystemTimeAsFileTime

• 0x14000f1a8 - InitializeSListHead

• 0x14000f1b0 - IsDebuggerPresent

• 0x14000f1b8 - GetStartupInfoW

• 0x14000f1c0 - GetModuleHandleW

• 0x14000f1c8 - RtlPcToFileHeader

• 0x14000f1d0 - RaiseException

• 0x14000f1d8 - RtlUnwindEx

• 0x14000f1e0 - EnterCriticalSection

• 0x14000f1e8 - LeaveCriticalSection

• 0x14000f1f0 - DeleteCriticalSection

• 0x14000f1f8 - InitializeCriticalSectionAndSpinCount

• 0x14000f200 - TlsAlloc

• 0x14000f208 - TlsGetValue

• 0x14000f210 - TlsSetValue

• 0x14000f218 - TlsFree

• 0x14000f220 - LoadLibraryExW

• 0x14000f228 - ExitProcess

• 0x14000f230 - GetModuleHandleExW

• 0x14000f238 - QueryPerformanceFrequency

• 0x14000f240 - MultiByteToWideChar

• 0x14000f248 - WideCharToMultiByte

• 0x14000f250 - GetStdHandle

• 0x14000f258 - GetACP

• 0x14000f260 - LCMapStringW

• 0x14000f268 - GetFileType

• 0x14000f270 - HeapReAlloc

• 0x14000f278 - GetStringTypeW

• 0x14000f280 - FindFirstFileExA

• 0x14000f288 - WriteConsoleW

库 WININET.dll:

• 0x14000f298 - InternetSetOptionA

• 0x14000f2a0 - InternetCrackUrlA

• 0x14000f2a8 - InternetOpenA

• 0x14000f2b0 - InternetQueryOptionA

• 0x14000f2b8 - HttpQueryInfoA

• 0x14000f2c0 - InternetCloseHandle

• 0x14000f2c8 - HttpSendRequestA

• 0x14000f2d0 - InternetConnectA

• 0x14000f2d8 - InternetReadFile

• 0x14000f2e0 - HttpOpenRequestA

投放文件

无信息

行为分析

互斥量(Mutexes)

kuujjujaaa.exe

执行的命令 无信息

创建的服务 无信息

启动的服务 无信息

进程

aaa.exe PID: 2484, 上一级进程 PID: 2152

访问的文件 无信息

读取的文件 无信息

修改的文件 无信息

删除的文件 无信息

注册表键

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\GRE_Initialize
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\GRE_Initialize\DisableMetaFiles

读取的注册表键

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\GRE_Initialize\DisableMetaFiles

修改的注册表键 无信息

删除的注册表键 无信息

API解析

kernel32.dll.InitializeCriticalSectionEx
kernel32.dll.FlsAlloc
kernel32.dll.FlsGetValue
kernel32.dll.FlsSetValue
kernel32.dll.LCMapStringEx