魔盾安全分析报告

分析类型	开始时间	结束时间	持续时间	分析引擎版本
FILE	2021-11-22 19:14:18	2021-11-22 19:14:52	34 秒	1.4-Maldun

虚拟机机器名	标签	虚拟机管理	开机时间	关机时间
win7-sp1-x64-shaapp03-1	win7-sp1-x64-shaapp03-1	KVM	2021-11-22 19:14:20	2021-11-22 19:14:53

魔盾分数
1.4 正常的

文件详细信息

文件名	Caption.exe
文件大小	122880 字节
文件类型	PE32 executable (GUI) Intel 80386, for MS Windows
CRC32	05A17FAF
MD5	3aff8124816a87cc1819fcc48f9189ab
SHA1	6268e30da98bfd3d482b5c4062f423578b340ead
SHA256	cc7c61288b469c45f0c215dd5ebceacd09485fdee3b8034245d26bebe1a451d2
SHA512	692de100e3164137c1c8fc06ccca4f8548097618037e74f3f4b49618a0408dea457f63b90cc75ff11fadc0373c8f1a532ae44ecd5f76044b043a9735f4e86678
Ssdeep	1536:bNpXUlzE0TmP1NQZ4L+9zeHBU51dHiWcSrhyO4s/a+yWktETkcQa:bNNekuI+9zGBUvdHBrhf4s/a+YtqOa
PEiD	无匹配
Yara	Advapi_Hash_API (Looks for advapi API functions) IsPE32 (Detected a 32bit PE sample) IsWindowsGUI (Detected a Windows GUI sample) HasRichSignature (Detected Rich Signature) screenshot (Detected take screenshot function) create_process (Detection function for creating a new process) keylogger (Detected keylogger function) win_registry (Detected system registries modification function) change_win_registry (Change registries to affect system) win_files_operation (Affect private profile) win_hook (Detected hook table access function) win_private_profile (Detected private profile access function) Maldun_Anomoly_Combined_Activities_7 (Spotted potential malicious behaviors from a small size target, like process manipultion, privilege, token and files)
VirusTotal	VirusTotal查询失败

特征

魔盾安全Yara规则检测结果 - 安全告警

Warning: Looks for advapi API functions

Critical: Spotted potential malicious behaviors from a small size target, like process manipultion, privilege, token and files

运行截图

网络分析

TCP连接

IP地址	端口
96.16.122.56	80

UDP连接

IP地址	端口
192.168.122.1	53

HTTP请求

URL	HTTP数据
http://acroipm.adobe.com/11/rdr/CHS/win/nooem/none/message.zip	GET /11/rdr/CHS/win/nooem/none/message.zip HTTP/1.1 Accept: / If-Modified-Since: Mon, 08 Nov 2017 08:44:36 GMT User-Agent: IPM Host: acroipm.adobe.com Connection: Keep-Alive Cache-Control: no-cache

静态分析

PE 信息

初始地址	0x00400000
入口地址	0x00404b52
声明校验值	0x00000000
实际校验值	0x0002281a
最低操作系统版本要求	4.0
编译时间	2019-08-14 09:10:43
载入哈希	7c3404dec2c0e01a72742886cd7004c1

版本信息

LegalCopyright:	Microsoft Corporation. All rights reserved. \xe7\xe6\xe6\xe6
FileVersion:	7.1.33.0
CompanyName:	Microsoft Corporation. All rights reserved.
Comments:	Microsoft Caption
ProductName:	Caption
ProductVersion:	7.1.33.0
FileDescription:	Microsoft Caption
Translation:	0x0804 0x04b0

PE数据组成

名称	虚拟地址	虚拟大小	原始数据大小	特征	熵(Entropy)
.text	0x00001000	0x0001368e	0x00014000	IMAGE_SCN_CNT_CODE\|IMAGE_SCN_MEM_EXECUTE\|IMAGE_SCN_MEM_READ	6.49
.rdata	0x00015000	0x00003d46	0x00004000	IMAGE_SCN_CNT_INITIALIZED_DATA\|IMAGE_SCN_MEM_READ	4.74
.data	0x00019000	0x0001365c	0x00004000	IMAGE_SCN_CNT_INITIALIZED_DATA\|IMAGE_SCN_MEM_READ\|IMAGE_SCN_MEM_WRITE	2.46
.rsrc	0x0002d000	0x00000358	0x00001000	IMAGE_SCN_CNT_INITIALIZED_DATA\|IMAGE_SCN_MEM_READ	3.57

资源

名称	偏移量	大小	语言	子语言	熵(Entropy)	文件类型
RT_VERSION	0x0002d058	0x00000300	LANG_CHINESE	SUBLANG_CHINESE_SIMPLIFIED	3.36	data

导入

库 ADVAPI32.dll:

• 0x415000 - CryptAcquireContextA

• 0x415004 - CryptCreateHash

• 0x415008 - CryptReleaseContext

• 0x41500c - CryptHashData

• 0x415010 - CryptDestroyHash

• 0x415014 - CryptGetHashParam

• 0x415018 - RegCloseKey

• 0x41501c - RegOpenKeyExA

• 0x415020 - RegSetValueExA

• 0x415024 - RegCreateKeyExA

库 KERNEL32.dll:

• 0x415098 - GetCPInfo

• 0x41509c - GetOEMCP

• 0x4150a0 - GetCommandLineA

• 0x4150a4 - RtlUnwind

• 0x4150a8 - TerminateProcess

• 0x4150ac - RaiseException

• 0x4150b0 - HeapSize

• 0x4150b4 - GetACP

• 0x4150b8 - UnhandledExceptionFilter

• 0x4150bc - FreeEnvironmentStringsA

• 0x4150c0 - FreeEnvironmentStringsW

• 0x4150c4 - GetEnvironmentStrings

• 0x4150c8 - SetHandleCount

• 0x4150cc - GetStdHandle

• 0x4150d0 - GetFileType

• 0x4150d4 - GetEnvironmentVariableA

• 0x4150d8 - GetVersionExA

• 0x4150dc - HeapDestroy

• 0x4150e0 - HeapCreate

• 0x4150e4 - VirtualFree

• 0x4150e8 - VirtualAlloc

• 0x4150ec - IsBadWritePtr

• 0x4150f0 - SetUnhandledExceptionFilter

• 0x4150f4 - LCMapStringW

• 0x4150f8 - GetStringTypeA

• 0x4150fc - GetStringTypeW

• 0x415100 - IsBadCodePtr

• 0x415104 - SetStdHandle

• 0x415108 - FlushFileBuffers

• 0x41510c - SetFilePointer

• 0x415110 - GetModuleHandleA

• 0x415114 - ExitProcess

• 0x415118 - HeapAlloc

• 0x41511c - HeapReAlloc

• 0x415120 - HeapFree

• 0x415124 - IsBadReadPtr

• 0x415128 - WriteFile

• 0x41512c - GetCurrentProcess

• 0x415130 - SetErrorMode

• 0x415134 - GetProcessVersion

• 0x415138 - LoadLibraryA

• 0x41513c - FreeLibrary

• 0x415140 - GetVersion

• 0x415144 - GlobalGetAtomNameA

• 0x415148 - GlobalAddAtomA

• 0x41514c - GlobalFindAtomA

• 0x415150 - GetLastError

• 0x415154 - GetProcAddress

• 0x415158 - SetLastError

• 0x41515c - MultiByteToWideChar

• 0x415160 - WideCharToMultiByte

• 0x415164 - InterlockedIncrement

• 0x415168 - lstrcpyA

• 0x41516c - GetModuleFileNameA

• 0x415170 - lstrcatA

• 0x415174 - WritePrivateProfileStringA

• 0x415178 - InterlockedDecrement

• 0x41517c - GlobalFlags

• 0x415180 - GetProcessHeap

• 0x415184 - lstrlenA

• 0x415188 - lstrcpynA

• 0x41518c - TlsGetValue

• 0x415190 - LocalReAlloc

• 0x415194 - TlsSetValue

• 0x415198 - EnterCriticalSection

• 0x41519c - GlobalReAlloc

• 0x4151a0 - LeaveCriticalSection

• 0x4151a4 - TlsFree

• 0x4151a8 - GlobalHandle

• 0x4151ac - GlobalUnlock

• 0x4151b0 - GlobalFree

• 0x4151b4 - DeleteCriticalSection

• 0x4151b8 - TlsAlloc

• 0x4151bc - InitializeCriticalSection

• 0x4151c0 - LocalFree

• 0x4151c4 - LocalAlloc

• 0x4151c8 - GlobalLock

• 0x4151cc - GlobalAlloc

• 0x4151d0 - GlobalDeleteAtom

• 0x4151d4 - lstrcmpA

• 0x4151d8 - lstrcmpiA

• 0x4151dc - GetCurrentThread

• 0x4151e0 - GetCurrentThreadId

• 0x4151e4 - LCMapStringA

• 0x4151e8 - GetStartupInfoA

• 0x4151ec - CreateProcessA

• 0x4151f0 - WaitForSingleObject

• 0x4151f4 - CreateFileA

• 0x4151f8 - GetFileSize

• 0x4151fc - ReadFile

• 0x415200 - GetEnvironmentStringsW

• 0x415204 - CloseHandle

库 USER32.dll:

• 0x41520c - RegisterWindowMessageA

• 0x415210 - SetForegroundWindow

• 0x415214 - GetForegroundWindow

• 0x415218 - GetMessagePos

• 0x41521c - GetMessageTime

• 0x415220 - DefWindowProcA

• 0x415224 - RemovePropA

• 0x415228 - CallWindowProcA

• 0x41522c - GetPropA

• 0x415230 - SetPropA

• 0x415234 - GetClassLongA

• 0x415238 - CreateWindowExA

• 0x41523c - DestroyWindow

• 0x415240 - GetMenuItemID

• 0x415244 - GetSubMenu

• 0x415248 - GetMenu

• 0x41524c - RegisterClassA

• 0x415250 - GetClassInfoA

• 0x415254 - WinHelpA

• 0x415258 - GetCapture

• 0x41525c - GetTopWindow

• 0x415260 - CopyRect

• 0x415264 - GetClientRect

• 0x415268 - AdjustWindowRectEx

• 0x41526c - GetSysColor

• 0x415270 - MapWindowPoints

• 0x415274 - LoadIconA

• 0x415278 - LoadCursorA

• 0x41527c - GetSysColorBrush

• 0x415280 - LoadStringA

• 0x415284 - DestroyMenu

• 0x415288 - IsIconic

• 0x41528c - GetWindowPlacement

• 0x415290 - GetSystemMetrics

• 0x415294 - SetFocus

• 0x415298 - ShowWindow

• 0x41529c - SetWindowPos

• 0x4152a0 - SetWindowLongA

• 0x4152a4 - GetDlgItem

• 0x4152a8 - GrayStringA

• 0x4152ac - DrawTextA

• 0x4152b0 - TabbedTextOutA

• 0x4152b4 - ReleaseDC

• 0x4152b8 - GetDC

• 0x4152bc - GetMenuItemCount

• 0x4152c0 - UnhookWindowsHookEx

• 0x4152c4 - GetWindowTextA

• 0x4152c8 - SetWindowTextA

• 0x4152cc - GetWindow

• 0x4152d0 - GetDlgCtrlID

• 0x4152d4 - GetWindowRect

• 0x4152d8 - PtInRect

• 0x4152dc - GetClassNameA

• 0x4152e0 - GetMenuCheckMarkDimensions

• 0x4152e4 - GetMenuState

• 0x4152e8 - ModifyMenuA

• 0x4152ec - SetMenuItemBitmaps

• 0x4152f0 - CheckMenuItem

• 0x4152f4 - EnableMenuItem

• 0x4152f8 - GetFocus

• 0x4152fc - GetNextDlgTabItem

• 0x415300 - GetActiveWindow

• 0x415304 - GetKeyState

• 0x415308 - CallNextHookEx

• 0x41530c - ValidateRect

• 0x415310 - IsWindowVisible

• 0x415314 - GetCursorPos

• 0x415318 - SetWindowsHookExA

• 0x41531c - GetParent

• 0x415320 - GetLastActivePopup

• 0x415324 - IsWindowEnabled

• 0x415328 - GetWindowLongA

• 0x41532c - EnableWindow

• 0x415330 - SetCursor

• 0x415334 - SendMessageA

• 0x415338 - PostMessageA

• 0x41533c - PostQuitMessage

• 0x415340 - PeekMessageA

• 0x415344 - GetMessageA

• 0x415348 - TranslateMessage

• 0x41534c - DispatchMessageA

• 0x415350 - SystemParametersInfoA

• 0x415354 - wsprintfA

• 0x415358 - MessageBoxA

• 0x41535c - ClientToScreen

• 0x415360 - LoadBitmapA

• 0x415364 - UnregisterClassA

库 GDI32.dll:

• 0x415034 - SaveDC

• 0x415038 - RestoreDC

• 0x41503c - SelectObject

• 0x415040 - GetStockObject

• 0x415044 - SetBkColor

• 0x415048 - SetTextColor

• 0x41504c - SetMapMode

• 0x415050 - SetViewportOrgEx

• 0x415054 - OffsetViewportOrgEx

• 0x415058 - SetViewportExtEx

• 0x41505c - ScaleViewportExtEx

• 0x415060 - SetWindowExtEx

• 0x415064 - ScaleWindowExtEx

• 0x415068 - GetClipBox

• 0x41506c - DeleteDC

• 0x415070 - GetDeviceCaps

• 0x415074 - PtVisible

• 0x415078 - RectVisible

• 0x41507c - TextOutA

• 0x415080 - ExtTextOutA

• 0x415084 - Escape

• 0x415088 - GetObjectA

• 0x41508c - CreateBitmap

• 0x415090 - DeleteObject

库 WINSPOOL.DRV:

• 0x41536c - DocumentPropertiesA

• 0x415370 - ClosePrinter

• 0x415374 - OpenPrinterA

库 COMCTL32.dll:

• 0x41502c - None

投放文件

无信息

行为分析

互斥量(Mutexes) 无信息

执行的命令 无信息

创建的服务 无信息

启动的服务 无信息

进程

Caption.exe PID: 2472, 上一级进程 PID: 2172

访问的文件

C:\Users\test\AppData\Local\Temp\Caption.dat

读取的文件

C:\Users\test\AppData\Local\Temp\Caption.dat

修改的文件 无信息

删除的文件 无信息

注册表键

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\GRE_Initialize
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\GRE_Initialize\DisableMetaFiles

读取的注册表键

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\GRE_Initialize\DisableMetaFiles

修改的注册表键 无信息

删除的注册表键 无信息

API解析

kernel32.dll.IsProcessorFeaturePresent
cryptsp.dll.CryptAcquireContextA
cryptsp.dll.CryptCreateHash
cryptsp.dll.CryptHashData
cryptsp.dll.CryptGetHashParam
cryptsp.dll.CryptDestroyHash
cryptsp.dll.CryptReleaseContext