Maldun (魔盾) Security Analysis Report

Analysis type   Start time            End time              Duration   Engine version
FILE            2024-04-25 23:35:00   2024-04-25 23:35:36   36 s       1.4-Maldun

VM name                    Tag                        Hypervisor   Boot time             Shutdown time
win7-sp1-x64-shaapp03-1    win7-sp1-x64-shaapp03-1    KVM          2024-04-25 23:35:01   2024-04-25 23:35:37
Maldun score

0.4

Normal (benign)

File details

File name   TheoraLib.dll
File size   319488 bytes
File type   PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
CRC32   1CAAEDDC
MD5   da84e68153d99f070afce4d9306d0e28
SHA1   d2ba8c4fdf792e0095d76ac3bebc201dc7351155
SHA256   1c0aa6a34a181bd3c9af99ac1655174c5533f84486968ff1aef9e3ee62891932
SHA512   8465f2e98fa471cc2847ff0d36dff65171d35fb32ea9f69617ed8749502569187afca2e62d98f416c7a0ef2be7d0885d6f1f288cb78fccd9e335c56322d521a6
Ssdeep   3072:1LYm9WPuwFORc8OqkGnFKgru8THDNRzEH8JoEmd55uaPMR0Ix5sAg0FujXj1tgF8:1uugXL6KgruORozyDR0K5sAObkvY
PEiD   no match
Yara
  • CRC32b_poly_Constant (Look for CRC32b [poly])
  • IsPE32 (Detected a 32bit PE sample)
  • IsDLL (Detect a DLL sample)
  • IsWindowsGUI (Detected a Windows GUI sample)
  • HasRichSignature (Detected Rich Signature)
  • DebuggerTiming__PerformanceCounter ()
  • DebuggerTiming__Ticks (Detected timing ticks function)
  • anti_dbg (Detected self protection if being debugged)
  • win_files_operation (Affect private profile)
  Reading the anti-debug hits: DebuggerTiming__PerformanceCounter, DebuggerTiming__Ticks and anti_dbg key on QueryPerformanceCounter, GetTickCount and IsDebuggerPresent in the import table below. Together with GetSystemTimeAsFileTime, GetCurrentProcessId and GetCurrentThreadId, these are imported by every MSVC build through the C runtime (stack-cookie seeding in __security_init_cookie, and the CRT's fatal-error path for IsDebuggerPresent), so on their own they are not evidence of deliberate anti-debugging. Confirm by checking whether any call to them occurs outside the CRT start-up code.
VirusTotal   lookup failed (no reputation data was available for this run)

Signatures

Creates RWX memory
Proprietary Yara detections: normal severity

The RWX signature records a memory allocation requested with PAGE_EXECUTE_READWRITE protection; the report does not record the caller or what was written to the region. VirtualAlloc is the only memory-mapping API in the import table (VirtualProtect is not imported), so its call sites are where to look before treating this as code staging or injection.

Runtime screenshots

No screenshots captured

Network analysis

TCP connections

IP address      Port
104.96.163.78   80

UDP connections

IP address      Port
192.168.122.1   53

HTTP requests

URL: http://acroipm.adobe.com/11/rdr/CHS/win/nooem/none/message.zip
HTTP data:
GET /11/rdr/CHS/win/nooem/none/message.zip HTTP/1.1
Accept: */*
If-Modified-Since: Mon, 08 Nov 2017 08:44:36 GMT
User-Agent: IPM
Host: acroipm.adobe.com
Connection: Keep-Alive
Cache-Control: no-cache

Attribution note: the sample imports only KERNEL32.dll (no WinINet, WinHTTP, urlmon or Winsock), and the request carries the Host and User-Agent of Adobe Reader's in-product messaging (IPM) update check. The UDP flow to 192.168.122.1:53 is the DNS lookup for that host against the KVM host's default NAT gateway. This traffic is therefore consistent with background activity of software installed in the sandbox image rather than with code in TheoraLib.dll; treat it as noise unless a per-process capture ties the socket to rundll32.exe PID 2488.

Static analysis

PE information

Image base   0x10000000
Entry point   0x1001e71e
Declared checksum   0x00000000
Computed checksum   0x0004e9df
Minimum OS version   4.0
Compile timestamp   2011-09-29 12:46:48
Import hash (imphash)   7d70d2f15cfe840b4874191b0f81fb49
Export directory DLL name   TheoraLib.dll

A declared checksum of 0 means the linker did not write one (MSVC emits it only when linking with /RELEASE). Windows verifies the PE checksum only for drivers and a small set of system images, so the mismatch between declared and computed values is expected for a user-mode DLL and is not by itself a sign of tampering.
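How the declared-versus-computed checksum pair above is produced, as an added example that is not part of the Maldun report or of TheoraLib. The algorithm is the documented IMAGE_OPTIONAL_HEADER.CheckSum computation (the same one imagehlp's CheckSumMappedFile performs). The 184-byte header stub built in the block is constructed for demonstration and is not this sample; running the script with a path computes the pair for a real file.

```python
"""PE checksum: declared vs computed.

Added example, not code from the Maldun report or from TheoraLib.
Algorithm: sum the file as little-endian 16-bit words with end-around
carry, treating the 4-byte CheckSum field as zero, fold once more, then
add the file length.
"""
import struct
import sys


def pe_checksum(data: bytes, checksum_offset: int) -> int:
    """Checksum of `data`, excluding the dword at `checksum_offset`."""
    total = 0
    length = len(data)
    if length % 2:                       # odd-length file: pad the last word
        data = data + b"\x00"
    for off in range(0, len(data), 2):
        if checksum_offset <= off < checksum_offset + 4:
            continue                     # the CheckSum field itself counts as zero
        total += data[off] | (data[off + 1] << 8)
        total = (total & 0xFFFF) + (total >> 16)   # fold the carry after every add
    total = (total & 0xFFFF) + (total >> 16)       # final fold to 16 bits
    return (total + length) & 0xFFFFFFFF


def checksum_field_offset(data: bytes) -> int:
    """File offset of OptionalHeader.CheckSum:
    e_lfanew + 4 (PE\\0\\0) + 20 (IMAGE_FILE_HEADER) + 64 (offset inside the optional header)."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ file")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\x00\x00":
        raise ValueError("PE signature not found")
    return e_lfanew + 4 + 20 + 64


def verify_pe_checksum(data: bytes):
    """Return (declared, computed, matches).

    A declared value of 0 means the linker did not emit one; the Windows
    loader enforces checksums only for drivers and a few system images,
    so 0 on a user-mode DLL is unremarkable rather than a tampering sign."""
    off = checksum_field_offset(data)
    declared = struct.unpack_from("<I", data, off)[0]
    computed = pe_checksum(data, off)
    return declared, computed, declared == computed


def minimal_pe32_header() -> bytearray:
    """Constructed 184-byte stub (DOS header, PE signature, file header,
    PE32 optional header), all zero except the fields the parser needs.
    This is test input, not the analysed sample."""
    img = bytearray(0x40 + 4 + 20 + 96)
    img[0:2] = b"MZ"
    struct.pack_into("<I", img, 0x3C, 0x40)             # e_lfanew -> 0x40
    img[0x40:0x44] = b"PE\x00\x00"
    struct.pack_into("<H", img, 0x40 + 4 + 20, 0x10B)    # OptionalHeader.Magic = PE32
    return img


if __name__ == "__main__":
    # With a path: reproduce the report's pair (here 0x00000000 vs 0x0004e9df).
    # Without one: run against the constructed stub.
    blob = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else bytes(minimal_pe32_header())
    d, c, ok = verify_pe_checksum(blob)
    print(f"declared {d:#010x}  computed {c:#010x}  {'match' if ok else 'mismatch'}")
```

Because the CheckSum field is excluded from the sum, writing the computed value back into the header makes the file verify without changing the result; that is also why a zero declared value carries no information about integrity.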

Version information

Translation: 0x0411 0x04b0
LegalCopyright: Copyright (C) 2009 Ko-Ta
InternalName: TheoraLib(C++ version)
FileVersion: 1.0.0.0
CompanyName:
ProductName: TheoraLib
ProductVersion: 1.0.0.0
FileDescription: TheoraLib - OggTheoraDecoder (libtheora MMX include)
OriginalFilename: TheoraLib.DLL

PE sections

Name     Virtual address   Virtual size   Raw data size   Characteristics                                                              Entropy
.text    0x00001000        0x0002de34     0x0002e000      IMAGE_SCN_CNT_CODE|IMAGE_SCN_MEM_EXECUTE|IMAGE_SCN_MEM_READ                  6.79
.rdata   0x0002f000        0x0001903a     0x0001a000      IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_READ                            6.28
.data    0x00049000        0x000033d8     0x00002000      IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_READ|IMAGE_SCN_MEM_WRITE        2.89
.rsrc    0x0004d000        0x00000410     0x00001000      IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_READ                            3.74
.reloc   0x0004e000        0x00001f60     0x00002000      IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_DISCARDABLE|IMAGE_SCN_MEM_READ   4.59
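The section table and entry point above, run through the checks an analyst applies by eye: entry point inside an executable section, no writable-and-executable section, no section with in-memory size but no file data, no entropy in the packed range. This is an added example, not part of the Maldun report or of TheoraLib; the table values are transcribed from the rows above, while the thresholds (7.2 bits of entropy, zero raw size) and the packed-looking contrast table are this example's own constructions.

```python
"""Section-table triage over the values printed in the report.

Added example, not code from the Maldun report or from TheoraLib.
"""
from dataclasses import dataclass

IMAGE_SCN_CNT_CODE = 0x00000020
IMAGE_SCN_CNT_INITIALIZED_DATA = 0x00000040
IMAGE_SCN_MEM_DISCARDABLE = 0x02000000
IMAGE_SCN_MEM_EXECUTE = 0x20000000
IMAGE_SCN_MEM_READ = 0x40000000
IMAGE_SCN_MEM_WRITE = 0x80000000


@dataclass
class Section:
    name: str
    vaddr: int      # RVA
    vsize: int      # VirtualSize
    rawsize: int    # SizeOfRawData
    chars: int      # Characteristics
    entropy: float  # bits per byte, as the report prints it


# Transcribed from the report's "PE information" and "PE sections".
IMAGE_BASE = 0x10000000
ENTRY_POINT = 0x1001E71E
REPORT_SECTIONS = [
    Section(".text", 0x1000, 0x2DE34, 0x2E000,
            IMAGE_SCN_CNT_CODE | IMAGE_SCN_MEM_EXECUTE | IMAGE_SCN_MEM_READ, 6.79),
    Section(".rdata", 0x2F000, 0x1903A, 0x1A000,
            IMAGE_SCN_CNT_INITIALIZED_DATA | IMAGE_SCN_MEM_READ, 6.28),
    Section(".data", 0x49000, 0x33D8, 0x2000,
            IMAGE_SCN_CNT_INITIALIZED_DATA | IMAGE_SCN_MEM_READ | IMAGE_SCN_MEM_WRITE, 2.89),
    Section(".rsrc", 0x4D000, 0x410, 0x1000,
            IMAGE_SCN_CNT_INITIALIZED_DATA | IMAGE_SCN_MEM_READ, 3.74),
    Section(".reloc", 0x4E000, 0x1F60, 0x2000,
            IMAGE_SCN_CNT_INITIALIZED_DATA | IMAGE_SCN_MEM_DISCARDABLE | IMAGE_SCN_MEM_READ, 4.59),
]

# Constructed contrast case shaped like a typical packer layout (not a real file).
RWX = IMAGE_SCN_CNT_CODE | IMAGE_SCN_MEM_EXECUTE | IMAGE_SCN_MEM_READ | IMAGE_SCN_MEM_WRITE
PACKED_LIKE = [
    Section("UPX0", 0x1000, 0x20000, 0, RWX, 0.0),        # unpacking target: memory only
    Section("UPX1", 0x21000, 0x8000, 0x8000, RWX, 7.9),   # compressed payload + stub
]
PACKED_ENTRY = IMAGE_BASE + 0x21010

ENTROPY_PACKED = 7.2   # this example's threshold; compiled x86 code sits around 6 to 6.8


def section_for_rva(sections, rva):
    """Section whose mapped range contains `rva`; the loader maps the larger
    of VirtualSize and SizeOfRawData (page rounding ignored here)."""
    for s in sections:
        if s.vaddr <= rva < s.vaddr + max(s.vsize, s.rawsize):
            return s
    return None


def triage(sections, entry_va, image_base=IMAGE_BASE):
    """Return human-readable findings; an empty list means nothing stood out."""
    findings = []
    ep = section_for_rva(sections, entry_va - image_base)
    if ep is None:
        findings.append("entry point outside every section")
    elif not ep.chars & IMAGE_SCN_MEM_EXECUTE:
        findings.append(f"entry point in non-executable section {ep.name}")
    for s in sections:
        if s.chars & IMAGE_SCN_MEM_WRITE and s.chars & IMAGE_SCN_MEM_EXECUTE:
            findings.append(f"{s.name} is writable and executable")
        if s.rawsize == 0 and s.vsize > 0:
            findings.append(f"{s.name} has no file data but {s.vsize:#x} bytes in memory")
        if s.entropy >= ENTROPY_PACKED:
            findings.append(f"{s.name} entropy {s.entropy} is in the packed/encrypted range")
    return findings


if __name__ == "__main__":
    print("report sample:", triage(REPORT_SECTIONS, ENTRY_POINT) or "no findings")
    print("packed-like  :", triage(PACKED_LIKE, PACKED_ENTRY))
```

For this sample the entry RVA 0x1e71e falls inside .text, the only executable section, which is not writable; the .data virtual size exceeding its raw size is ordinary uninitialised data, not an unpacking region, because the raw size is non-zero.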

Resources

Name          Offset       Size         Language       Sublanguage          Entropy   File type
RT_VERSION    0x0004d0a0   0x00000318   LANG_ENGLISH   SUBLANG_ENGLISH_US   3.38      data
RT_MANIFEST   0x0004d3b8   0x00000056   LANG_ENGLISH   SUBLANG_ENGLISH_US   4.66      ASCII text, with CRLF line terminators

Imports

Library KERNEL32.dll:
0x1002f000 - GetLastError
0x1002f004 - HeapReAlloc
0x1002f008 - HeapAlloc
0x1002f00c - HeapFree
0x1002f010 - GetCurrentThreadId
0x1002f014 - GetCommandLineA
0x1002f018 - GetVersionExA
0x1002f01c - GetProcessHeap
0x1002f020 - GetProcAddress
0x1002f024 - GetModuleHandleA
0x1002f028 - ExitProcess
0x1002f02c - DeleteCriticalSection
0x1002f030 - LeaveCriticalSection
0x1002f034 - EnterCriticalSection
0x1002f038 - HeapDestroy
0x1002f03c - HeapCreate
0x1002f040 - VirtualFree
0x1002f044 - VirtualAlloc
0x1002f048 - HeapSize
0x1002f04c - TerminateProcess
0x1002f050 - GetCurrentProcess
0x1002f054 - UnhandledExceptionFilter
0x1002f058 - SetUnhandledExceptionFilter
0x1002f05c - IsDebuggerPresent
0x1002f060 - RaiseException
0x1002f064 - SetFilePointer
0x1002f068 - MultiByteToWideChar
0x1002f06c - SetHandleCount
0x1002f070 - GetStdHandle
0x1002f074 - GetFileType
0x1002f078 - GetStartupInfoA
0x1002f07c - CloseHandle
0x1002f080 - WriteFile
0x1002f084 - GetModuleFileNameA
0x1002f088 - TlsGetValue
0x1002f08c - TlsAlloc
0x1002f090 - TlsSetValue
0x1002f094 - TlsFree
0x1002f098 - InterlockedIncrement
0x1002f09c - SetLastError
0x1002f0a0 - InterlockedDecrement
0x1002f0a4 - Sleep
0x1002f0a8 - FreeEnvironmentStringsA
0x1002f0ac - GetEnvironmentStrings
0x1002f0b0 - FreeEnvironmentStringsW
0x1002f0b4 - WideCharToMultiByte
0x1002f0b8 - GetEnvironmentStringsW
0x1002f0bc - QueryPerformanceCounter
0x1002f0c0 - GetTickCount
0x1002f0c4 - GetCurrentProcessId
0x1002f0c8 - GetSystemTimeAsFileTime
0x1002f0cc - GetCPInfo
0x1002f0d0 - GetACP
0x1002f0d4 - GetOEMCP
0x1002f0d8 - IsValidCodePage
0x1002f0dc - LCMapStringA
0x1002f0e0 - LCMapStringW
0x1002f0e4 - LoadLibraryA
0x1002f0e8 - InitializeCriticalSection
0x1002f0ec - RtlUnwind
0x1002f0f0 - SetStdHandle
0x1002f0f4 - GetConsoleCP
0x1002f0f8 - GetConsoleMode
0x1002f0fc - FlushFileBuffers
0x1002f100 - GetStringTypeA
0x1002f104 - GetStringTypeW
0x1002f108 - GetLocaleInfoA
0x1002f10c - WriteConsoleA
0x1002f110 - GetConsoleOutputCP
0x1002f114 - WriteConsoleW
0x1002f118 - CreateFileA
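How the import hash printed under PE information is derived from the import list above. This is an added example, not part of the Maldun report or of TheoraLib; it follows the pefile definition of imphash, with the KERNEL32.dll functions transcribed from the report in the order they appear. Writing ordinal-only imports as "ordN" is a simplification of this example: pefile first maps well-known ordinals of oleaut32, ws2_32 and wsock32 to names.

```python
"""Import hash (imphash) from an import table.

Added example, not code from the Maldun report or from TheoraLib.
Algorithm (pefile / Mandiant definition): walk the import directory in
order, emit '<dll minus .dll/.ocx/.sys>.<function>' in lower case for every
import, join with commas, MD5 the string.
"""
import hashlib

# KERNEL32.dll imports transcribed from the report, in IAT (import directory) order.
REPORT_IMPORTS = [("KERNEL32.dll", """
GetLastError HeapReAlloc HeapAlloc HeapFree GetCurrentThreadId GetCommandLineA
GetVersionExA GetProcessHeap GetProcAddress GetModuleHandleA ExitProcess
DeleteCriticalSection LeaveCriticalSection EnterCriticalSection HeapDestroy
HeapCreate VirtualFree VirtualAlloc HeapSize TerminateProcess GetCurrentProcess
UnhandledExceptionFilter SetUnhandledExceptionFilter IsDebuggerPresent
RaiseException SetFilePointer MultiByteToWideChar SetHandleCount GetStdHandle
GetFileType GetStartupInfoA CloseHandle WriteFile GetModuleFileNameA TlsGetValue
TlsAlloc TlsSetValue TlsFree InterlockedIncrement SetLastError
InterlockedDecrement Sleep FreeEnvironmentStringsA GetEnvironmentStrings
FreeEnvironmentStringsW WideCharToMultiByte GetEnvironmentStringsW
QueryPerformanceCounter GetTickCount GetCurrentProcessId GetSystemTimeAsFileTime
GetCPInfo GetACP GetOEMCP IsValidCodePage LCMapStringA LCMapStringW LoadLibraryA
InitializeCriticalSection RtlUnwind SetStdHandle GetConsoleCP GetConsoleMode
FlushFileBuffers GetStringTypeA GetStringTypeW GetLocaleInfoA WriteConsoleA
GetConsoleOutputCP WriteConsoleW CreateFileA
""".split())]

# Value the report prints for this sample; compare against imphash(REPORT_IMPORTS).
REPORTED_IMPHASH = "7d70d2f15cfe840b4874191b0f81fb49"


def _strip_ext(dll: str) -> str:
    lib = dll.lower()
    for ext in (".dll", ".ocx", ".sys"):
        if lib.endswith(ext):
            return lib[: -len(ext)]
    return lib


def imphash_string(imports) -> str:
    """The comma-joined, lower-cased 'lib.func' list that gets hashed.

    `imports` is a list of (dll_name, [function name or ordinal int, ...])
    in import-directory order. Order matters: the same imports in a different
    order yield a different hash, which is why imphash clusters builds of one
    code base rather than arbitrary binaries with similar API usage."""
    parts = []
    for dll, funcs in imports:
        lib = _strip_ext(dll)
        for func in funcs:
            name = f"ord{func}" if isinstance(func, int) else func.lower()
            parts.append(f"{lib}.{name}")
    return ",".join(parts)


def imphash(imports) -> str:
    return hashlib.md5(imphash_string(imports).encode("ascii")).hexdigest()


if __name__ == "__main__":
    computed = imphash(REPORT_IMPORTS)
    print(f"computed {computed}")
    print(f"reported {REPORTED_IMPHASH} ({'match' if computed == REPORTED_IMPHASH else 'differs'})")
```

If the list above is complete and in import-directory order the computed value equals the report's; a difference would mean the report abridged or reordered the list, since the hash is sensitive to both. The import set itself (heap, TLS, critical-section, code-page and console functions, no networking or registry APIs) is the standard MSVC C runtime footprint plus VirtualAlloc/VirtualFree and CreateFileA, so imphash will also match other DLLs built from that runtime with the same link order.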

Exports

Ordinal   Address   Name
1 0x10003920 theoralib_m_comment
2 0x10003790 theoralib_m_create
3 0x10003890 theoralib_m_decodeframe
4 0x10003870 theoralib_m_exists
5 0x100037f0 theoralib_m_free
6 0x10003910 theoralib_m_info
7 0x10003830 theoralib_m_init
8 0x10003840 theoralib_m_load
9 0x100038e0 theoralib_m_nowframe
10 0x100038d0 theoralib_m_setdecodemode
11 0x100038b0 theoralib_m_setvrevers
12 0x100038f0 theoralib_m_totalframe
13 0x10003900 theoralib_m_totaltime
14 0x10003a80 theoralib_w_comment
15 0x10003930 theoralib_w_create
16 0x10003a20 theoralib_w_decodesample
17 0x10003a00 theoralib_w_exists
18 0x10003990 theoralib_w_free
19 0x10003a70 theoralib_w_info
20 0x100039d0 theoralib_w_init
21 0x100039e0 theoralib_w_load
22 0x10003a40 theoralib_w_nowsample
23 0x10003a50 theoralib_w_totalsample
24 0x10003a60 theoralib_w_totaltime

Dropped files

None

Behavioural analysis

Mutexes   none
Commands executed   none
Services created   none
Services started   none

Processes

rundll32.exe PID: 2488, parent PID: 2252

Files accessed
  • C:\Users\test\AppData\Local\Temp\TheoraLib.dll
  • C:\Users\test\AppData\Local\Temp\TheoraLib.dll.123.Manifest
  • C:\Users\test\AppData\Local\Temp\TheoraLib.dll.124.Manifest
Files read
  • C:\Users\test\AppData\Local\Temp\TheoraLib.dll
  • C:\Users\test\AppData\Local\Temp\TheoraLib.dll.123.Manifest
  • C:\Users\test\AppData\Local\Temp\TheoraLib.dll.124.Manifest
Files modified   none
Files deleted   none
Registry keys opened
  • HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\SideBySide
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\DllNXOptions
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\DllNXOptions\UseFilter
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\DllNXOptions\TheoraLib.dll
  • HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\GRE_Initialize
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\GRE_Initialize\DisableMetaFiles
Registry keys read
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\DllNXOptions\UseFilter
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\DllNXOptions\TheoraLib.dll
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\GRE_Initialize\DisableMetaFiles
Registry keys modified   none
Registry keys deleted   none
API resolution (GetProcAddress lookups observed at runtime)
  • kernel32.dll.FlsAlloc
  • kernel32.dll.FlsGetValue
  • kernel32.dll.FlsSetValue
  • kernel32.dll.FlsFree
  • kernel32.dll.InitializeCriticalSectionAndSpinCount
  • kernel32.dll.IsProcessorFeaturePresent
  • theoralib.dll.#1

The six kernel32 lookups are the functions the MSVC C runtime resolves dynamically at start-up for down-level compatibility (fiber-local storage with the statically imported Tls* functions as fallback, spin-count critical sections, IsProcessorFeaturePresent), consistent with the CRT-dominated static import table above. theoralib.dll.#1 is rundll32.exe resolving export ordinal 1, which the export table maps to theoralib_m_comment; this is consistent with the harness invoking the DLL as TheoraLib.dll,#1. The only files touched are the DLL itself and the side-by-side manifest probes the loader performs for it, and no file, registry or service state was modified.