魔盾安全分析报告
| 分析类型 | 开始时间 | 结束时间 | 持续时间 | 分析引擎版本 |
|---|---|---|---|---|
| FILE | 2017-08-22 22:08:57 | 2017-08-22 22:11:28 | 151 秒 | 1.4-Maldun |
| 虚拟机机器名 | 标签 | 虚拟机管理 | 开机时间 | 关机时间 |
|---|---|---|---|---|
| win7-sp1-x64-hpdapp01-1 | win7-sp1-x64-hpdapp01-1 | KVM | 2017-08-22 22:09:03 | 2017-08-22 22:11:26 |
| 魔盾分数 |
|---|
10.0Razy |
文件详细信息
| 文件名 | yppy.exe |
|---|---|
| 文件大小 | 236032 字节 |
| 文件类型 | PE32 executable (GUI) Intel 80386, for MS Windows |
| CRC32 | 95B3DABF |
| MD5 | c11b11850a37477b3507d8549d5c4c88 |
| SHA1 | 2e6cbb4089bede0270a3da1930a481c55fe47428 |
| SHA256 | 3e73a064af3c238ea9a905da8e56dfcfaae7a93519121ee14f8b07dba17ec798 |
| SHA512 | 4cb6a82a1f25be2303702a8d06217c83d4bfce77f8264e92aeda945670963e48992cf01ec4a97c9b923610fa40a2b5618caec6d300101d8cf77e5640099d0df3 |
| Ssdeep | 6144:stHgt2CYtfrff1W7ZgEreZr/2Q4bysnJzPPODY7r:sytt4Df1WFT+72Q4+spX |
| PEiD | 无匹配 |
| Yara |
|
| VirusTotal |
VirusTotal链接 VirusTotal扫描时间: 2017-08-22 01:13:30 扫描结果: 38/64 |
特征
创建RWX内存
从文件自身的二进制镜像中读取数据
self_read: process: yppy.exe, pid: 2216, offset: 0x00000000, length: 0x00039a00
二进制文件可能包含加密或压缩数据
section: name: .rdata, entropy: 7.85, characteristics: IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_READ, raw_size: 0x0002a000, virtual_size: 0x00029e66
section: name: .data, entropy: 7.40, characteristics: IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_READ|IMAGE_SCN_MEM_WRITE, raw_size: 0x00000800, virtual_size: 0x00000bac
异常的二进制特征
anomaly: Actual checksum does not match that reported in PE header
文件已被至少十个VirusTotal上的反病毒引擎检测为病毒
MicroWorld-eScan: Gen:Variant.Razy.37493
nProtect: Trojan-Spy/W32.ZBot.236032.AL
McAfee: Trojan-FKZH!C11B11850A37
Cylance: Unsafe
K7GW: Trojan ( 004e21b01 )
K7AntiVirus: Trojan ( 004e21b01 )
Arcabit: Trojan.Razy.D9275
TrendMicro: Mal_SageCrypt-1h
ESET-NOD32: a variant of Win32/Kryptik.ETDE
TrendMicro-HouseCall: Mal_SageCrypt-1h
ClamAV: BC.Win.Packer.Troll-14
GData: Gen:Variant.Razy.37493
Kaspersky: Trojan-Spy.Win32.Zbot.wlvi
BitDefender: Gen:Variant.Razy.37493
NANO-Antivirus: Trojan.Win32.Zbot.emfrvy
Ad-Aware: Gen:Variant.Razy.37493
Emsisoft: Gen:Variant.Razy.37493 (B)
F-Secure: Gen:Variant.Razy.37493
DrWeb: Trojan.Siggen6.32796
Zillya: Trojan.Zbot.Win32.195257
Invincea: heuristic
McAfee-GW-Edition: BehavesLike.Win32.Downloader.dc
SentinelOne: static engine - malicious
Jiangmin: TrojanSpy.Zbot.fboa
Webroot: W32.Trojan.Gen
Antiy-AVL: Trojan[Spy]/Win32.Zbot
Endgame: malicious (high confidence)
ZoneAlarm: Trojan-Spy.Win32.Zbot.wlvi
ALYac: Gen:Variant.Razy.37493
MAX: malware (ai score=89)
Malwarebytes: Trojan.Zbot
Panda: Trj/GdSda.A
Rising: Malware.Undefined!8.C (tfe:5:ifUvH2pJh9U)
Yandex: TrojanSpy.Zbot!nZKqmPrQ4jQ
Ikarus: Trojan-PSW.Win32.Fareit
Fortinet: W32/Generic.AC.33EEDF!tr
AVG: Win32:Malware-gen
Avast: Win32:Malware-gen
运行截图
网络分析
静态分析
PE 信息
| 初始地址 | 0x00400000 |
|---|---|
| 入口地址 | 0x0040672b |
| 声明校验值 | 0x00045dc1 |
| 实际校验值 | 0x00047c84 |
| 最低操作系统版本要求 | 5.0 |
| PDB路径 | V:\Arabian\Compilation\Professiona.pdb |
| 编译时间 | 2016-04-03 05:46:33 |
| 载入哈希 | 377e8af2d5ddf46f12c872c09b0fa142 |
版本信息
| LegalCopyright: | Copyright (c) 2006-2014 Incomedia s.r.l. |
| FileVersion: | 7.5.7.4 |
| CompanyName: | Incomedia s.r.l. |
| ProductName: | Engines Compuet |
| ProductVersion: | 7.5.7.4 |
| FileDescription: | Hereafter Iepm Higher Terminate |
| Translation: | 0x0409 0x04b0 |
PE数据组成
| 名称 | 虚拟地址 | 虚拟大小 | 原始数据大小 | 特征 | 熵(Entropy) |
|---|---|---|---|---|---|
| .text | 0x00001000 | 0x00005e5f | 0x00006000 | IMAGE_SCN_CNT_CODE|IMAGE_SCN_MEM_EXECUTE|IMAGE_SCN_MEM_READ | 5.88 |
| .rdata | 0x00007000 | 0x00029e66 | 0x0002a000 | IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_READ | 7.85 |
| .data | 0x00031000 | 0x00000bac | 0x00000800 | IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_READ|IMAGE_SCN_MEM_WRITE | 7.40 |
| .tls | 0x00032000 | 0x00000009 | 0x00000200 | IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_READ|IMAGE_SCN_MEM_WRITE | 0.00 |
| .rsrc | 0x00033000 | 0x0000795c | 0x00007a00 | IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_READ | 4.93 |
| .reloc | 0x0003b000 | 0x000011a0 | 0x00001200 | IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_DISCARDABLE|IMAGE_SCN_MEM_READ | 4.64 |
导入
库 KERNEL32.dll:
• 0x407054 - LocalReAlloc
• 0x407058 - LocalAlloc
• 0x40705c - lstrlenW
• 0x407060 - lstrcpyW
• 0x407064 - MulDiv
• 0x407068 - OutputDebugStringA
• 0x40706c - LoadLibraryExA
• 0x407070 - lstrcpyA
• 0x407074 - lstrcatA
• 0x407078 - ExitProcess
• 0x40707c - LoadLibraryW
• 0x407080 - CloseHandle
• 0x407084 - FreeLibrary
• 0x407088 - GetProcAddress
• 0x40708c - GetSystemDirectoryA
• 0x407090 - LocalFree
• 0x407094 - GetCurrentProcessId
• 0x407098 - GetCurrentThreadId
• 0x40709c - GetTickCount
• 0x4070a0 - QueryPerformanceCounter
• 0x4070a4 - IsDebuggerPresent
• 0x4070a8 - SetUnhandledExceptionFilter
• 0x4070ac - UnhandledExceptionFilter
• 0x4070b0 - GetCurrentProcess
• 0x4070b4 - TerminateProcess
• 0x4070b8 - GetStartupInfoA
• 0x4070bc - InterlockedCompareExchange
• 0x4070c0 - Sleep
• 0x4070c4 - InterlockedExchange
• 0x4070c8 - GetVersionExA
• 0x4070cc - GetSystemInfo
• 0x4070d0 - CreateFileA
• 0x4070d4 - GetFileSize
• 0x4070d8 - SetEndOfFile
• 0x4070dc - LoadLibraryA
• 0x4070e0 - CreateIoCompletionPort
• 0x4070e4 - FindFirstVolumeMountPointA
• 0x4070e8 - FindNextVolumeMountPointA
• 0x4070ec - FindVolumeMountPointClose
• 0x4070f0 - GetLogicalDriveStringsA
• 0x4070f4 - GetVolumeNameForVolumeMountPointA
• 0x4070f8 - FileTimeToLocalFileTime
• 0x4070fc - FileTimeToSystemTime
• 0x407100 - EnumSystemCodePagesW
• 0x407104 - SetTimeZoneInformation
• 0x407108 - GetFileAttributesW
• 0x40710c - lstrlenA
• 0x407110 - GetModuleHandleW
• 0x407114 - GetModuleHandleA
• 0x407118 - GetLastError
• 0x40711c - GetSystemTimeAsFileTime
库 USER32.dll:
• 0x40725c - GetSysColor
• 0x407260 - LoadCursorA
• 0x407264 - LoadIconA
• 0x407268 - SetWindowTextA
• 0x40726c - DefWindowProcA
• 0x407270 - SendMessageA
• 0x407274 - UpdateWindow
• 0x407278 - SetMenuItemInfoA
• 0x40727c - GetMenuStringA
• 0x407280 - GetMenuItemInfoA
• 0x407284 - GetMenuItemID
• 0x407288 - CharLowerA
• 0x40728c - GetMenuState
• 0x407290 - GetMenuItemCount
• 0x407294 - CreateWindowExW
• 0x407298 - TrackPopupMenuEx
• 0x40729c - InsertMenuItemA
• 0x4072a0 - ReleaseDC
• 0x4072a4 - GetDC
• 0x4072a8 - LoadImageA
• 0x4072ac - RegisterClassExA
• 0x4072b0 - MessageBoxA
• 0x4072b4 - wsprintfA
• 0x4072b8 - GetSubMenu
• 0x4072bc - EndPaint
• 0x4072c0 - FillRect
• 0x4072c4 - BeginPaint
• 0x4072c8 - SendDlgItemMessageA
• 0x4072cc - GetDlgItem
• 0x4072d0 - EndDeferWindowPos
• 0x4072d4 - SetActiveWindow
• 0x4072d8 - DeferWindowPos
• 0x4072dc - BeginDeferWindowPos
• 0x4072e0 - SystemParametersInfoA
• 0x4072e4 - GetSystemMetrics
• 0x4072e8 - DrawFrameControl
• 0x4072ec - GetWindowLongA
• 0x4072f0 - SetTimer
• 0x4072f4 - InvalidateRect
• 0x4072f8 - FindWindowA
• 0x4072fc - ChildWindowFromPoint
• 0x407300 - SetCursorPos
• 0x407304 - GetParent
• 0x407308 - GetWindowRect
• 0x40730c - PtInRect
• 0x407310 - IsWindowVisible
• 0x407314 - GetCursorPos
• 0x407318 - ScreenToClient
• 0x40731c - GetClientRect
• 0x407320 - KillTimer
• 0x407324 - SetFocus
• 0x407328 - GetWindowThreadProcessId
• 0x40732c - SetForegroundWindow
• 0x407330 - GetDesktopWindow
• 0x407334 - GetWindow
库 GDI32.dll:
• 0x407018 - CreateFontA
• 0x40701c - GetDeviceCaps
• 0x407020 - SaveDC
• 0x407024 - DeleteDC
• 0x407028 - TextOutA
• 0x40702c - SelectObject
• 0x407030 - CreateCompatibleDC
• 0x407034 - CreateFontIndirectA
• 0x407038 - DeleteObject
• 0x40703c - RestoreDC
• 0x407040 - GetTextExtentPoint32A
• 0x407044 - GetStockObject
• 0x407048 - CreateCompatibleBitmap
• 0x40704c - SetTextColor
库 COMDLG32.dll:
• 0x407010 - GetOpenFileNameA
库 ADVAPI32.dll:
• 0x407000 - GetTraceEnableLevel
• 0x407004 - RegCloseKey
• 0x407008 - CryptAcquireContextA
库 SHELL32.dll:
• 0x407248 - SHGetFileInfoW
库 ole32.dll:
• 0x407354 - CoInitialize
• 0x407358 - CoCreateInstance
• 0x40735c - CoGetObject
• 0x407360 - StringFromGUID2
库 OLEAUT32.dll:
• 0x407200 - SafeArrayCreate
• 0x407204 - SafeArrayUnaccessData
• 0x407208 - SafeArrayAccessData
• 0x40720c - SafeArrayDestroy
• 0x407210 - SafeArrayCreateVector
• 0x407214 - SafeArrayPutElement
库 WININET.dll:
• 0x40733c - InternetCloseHandle
库 MSVCP90.dll:
• 0x407124 - ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBD@Z
• 0x407128 - ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ
• 0x40712c - ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV01@@Z
库 SHLWAPI.dll:
• 0x407250 - PathUnExpandEnvStringsA
• 0x407254 - PathIsUNCServerA
库 SETUPAPI.dll:
• 0x40721c - SetupDiCreateDeviceInfoList
• 0x407220 - SetupDiOpenDeviceInfoW
• 0x407224 - SetupDiSetSelectedDevice
• 0x407228 - SetupDiGetClassDevsW
• 0x40722c - SetupDiDestroyDeviceInfoList
• 0x407230 - SetupDiGetSelectedDriverA
• 0x407234 - SetupDiCallClassInstaller
• 0x407238 - SetupDiBuildDriverInfoList
• 0x40723c - SetupDiSetDeviceInstallParamsA
• 0x407240 - SetupDiGetDeviceInstallParamsA
库 wsnmp32.dll:
• 0x407368 - None
库 Wlanapi.dll:
• 0x407344 - WlanOpenHandle
• 0x407348 - WlanScan
• 0x40734c - WlanCloseHandle
库 MSVCR90.dll:
• 0x407134 - _onexit
• 0x407138 - _lock
• 0x40713c - __dllonexit
• 0x407140 - _unlock
• 0x407144 - _crt_debugger_hook
• 0x407148 - ?_type_info_dtor_internal_method@type_info@@QAEXXZ
• 0x40714c - ?terminate@@YAXXZ
• 0x407150 - __set_app_type
• 0x407154 - _encode_pointer
• 0x407158 - __p__fmode
• 0x40715c - __p__commode
• 0x407160 - _adjust_fdiv
• 0x407164 - __setusermatherr
• 0x407168 - _configthreadlocale
• 0x40716c - _initterm_e
• 0x407170 - _initterm
• 0x407174 - _acmdln
• 0x407178 - _ismbblead
• 0x40717c - _XcptFilter
• 0x407180 - _exit
• 0x407184 - _cexit
• 0x407188 - __getmainargs
• 0x40718c - _amsg_exit
• 0x407190 - malloc
• 0x407194 - sprintf
• 0x407198 - printf
• 0x40719c - _decode_pointer
• 0x4071a0 - __iob_func
• 0x4071a4 - fprintf
• 0x4071a8 - free
• 0x4071ac - exit
• 0x4071b0 - memmove_s
• 0x4071b4 - ??2@YAPAXI@Z
• 0x4071b8 - _invalid_parameter_noinfo
• 0x4071bc - ??0exception@std@@QAE@ABV01@@Z
• 0x4071c0 - _CxxThrowException
• 0x4071c4 - memset
• 0x4071c8 - _getdrive
• 0x4071cc - _mbsicmp
• 0x4071d0 - _mbschr
• 0x4071d4 - __CxxFrameHandler3
• 0x4071d8 - ??0exception@std@@QAE@XZ
• 0x4071dc - ??3@YAXPAX@Z
• 0x4071e0 - ??1exception@std@@UAE@XZ
• 0x4071e4 - ?what@exception@std@@UBEPBDXZ
• 0x4071e8 - _controlfp_s
• 0x4071ec - _invoke_watson
• 0x4071f0 - _except_handler4_common
• 0x4071f4 - ??0exception@std@@QAE@ABQBD@Z
• 0x4071f8 - swprintf_s
投放文件
行为分析
互斥量(Mutexes)
- DBWinMutex
- Global\{39C3E244-F44F-D280-6790-5BEDFA00207E}
执行的命令
无信息
创建的服务
无信息
启动的服务
无信息
进程
yppy.exe PID: 2216, 上一级进程 PID: 2060
访问的文件
- \??\MountPointManager
- C:\Users\test\AppData\Local\Temp\\xee\x9c\x8c\x18\xe3\xb1\xb4\xe7\x9f\xa9\xe3\xb2\xa3\xe7\x9f\xa9\xef\xa1\xb8\xe7\x9f\xaf\x0e
- C:\Users\test\AppData\Local\Temp\{00000000-0000-0000-0000-000000000000}
- C:\Users\test\AppData\Local\Temp\\xde\x84
- C:\
- C:\Users\test\AppData\Local\Temp\yppy.exe
读取的文件
- C:\Users\test\AppData\Local\Temp\yppy.exe
修改的文件
无信息
删除的文件
无信息
注册表键
- HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\CPC\Volume
- HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\CPC\Volume\{372941a3-1bd9-11e5-9838-806e6f6e6963}\
- HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\CPC\Volume\{372941a3-1bd9-11e5-9838-806e6f6e6963}\Data
- HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\CPC\Volume\{372941a3-1bd9-11e5-9838-806e6f6e6963}\Generation
- HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\CPC\Volume\{372941a4-1bd9-11e5-9838-806e6f6e6963}\
- HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\CPC\Volume\{372941a4-1bd9-11e5-9838-806e6f6e6963}\Data
- HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\CPC\Volume\{372941a4-1bd9-11e5-9838-806e6f6e6963}\Generation
- HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Nls\Codepage
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion
- HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\InstallDate
- HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\DigitalProductId
- HKEY_CURRENT_USER\
- HKEY_CURRENT_USER\(Default)
- HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\GRE_Initialize
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\GRE_Initialize\DisableMetaFiles
读取的注册表键
- HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\CPC\Volume\{372941a3-1bd9-11e5-9838-806e6f6e6963}\Data
- HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\CPC\Volume\{372941a3-1bd9-11e5-9838-806e6f6e6963}\Generation
- HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\CPC\Volume\{372941a4-1bd9-11e5-9838-806e6f6e6963}\Data
- HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\CPC\Volume\{372941a4-1bd9-11e5-9838-806e6f6e6963}\Generation
- HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\InstallDate
- HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\DigitalProductId
- HKEY_CURRENT_USER\(Default)
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\GRE_Initialize\DisableMetaFiles
修改的注册表键
- HKEY_CURRENT_USER\(Default)
删除的注册表键
无信息
API解析
- setupapi.dll.CM_Get_Device_Interface_List_Size_ExW
- setupapi.dll.CM_Get_Device_Interface_List_ExW
- comctl32.dll.#386
- kernel32.dll.HeapCreate
- kernel32.dll.HeapAlloc
- uxtheme.dll.IsThemeActive
- kernel32.dll.SetEvent
- kernel32.dll.GetProcessHeap
- kernel32.dll.Sleep
- kernel32.dll.GetProcAddress
- kernel32.dll.LoadLibraryA
- kernel32.dll.AddVectoredExceptionHandler
- kernel32.dll.CloseHandle
- kernel32.dll.InterlockedDecrement
- kernel32.dll.InterlockedExchange
- kernel32.dll.GetModuleHandleA
- kernel32.dll.InterlockedIncrement
- user32.dll.DestroyWindow
- user32.dll.CharLowerW
- user32.dll.DefWindowProcW
- user32.dll.UnregisterClassW
- user32.dll.GetWindowLongA
- cryptsp.dll.CryptAcquireContextW
- ntdll.dll.RtlInitializeCriticalSection
- ntdll.dll.RtlAllocateHeap
- kernel32.dll.IsWow64Process
- comctl32.dll.#321