魔盾安全分析报告
| 分析类型 | 开始时间 | 结束时间 | 持续时间 | 分析引擎版本 |
|---|---|---|---|---|
| FILE | 2018-03-23 21:58:11 | 2018-03-23 21:58:43 | 32 秒 | 1.4-Maldun |
| 虚拟机机器名 | 标签 | 虚拟机管理 | 开机时间 | 关机时间 |
|---|---|---|---|---|
| win7-sp1-x64-hpdapp01-1 | win7-sp1-x64-hpdapp01-1 | KVM | 2018-03-23 21:58:21 | 2018-03-23 21:58:43 |
| 魔盾分数 |
|---|
0.0正常的 |
出错啦 :-(
- Task #141234: Analysis failed: Function raised an error: Unable to execute the initial process, analysis aborted.
文件详细信息
| 文件名 | wayprotect64.sys |
|---|---|
| 文件大小 | 2763000 字节 |
| 文件类型 | PE32+ executable (native) x86-64, for MS Windows |
| CRC32 | 72905C3E |
| MD5 | d6e8478a6c110aa4202c586f02aad377 |
| SHA1 | 02a8b0426dbb7ea7516758f5a53b658bd62bd1cf |
| SHA256 | d7325f5f55f7514a62792ef55a7968afcc87f4e2b11b25055bf6aae4faff14e5 |
| SHA512 | c0b904e63794a2c60e9d96f8c240fd9643374fbc6f24af9113c6402faa5064bdd6d5a5b605c15a3ce44239ab70dba5a468b9ccba8f6d352ee11412ea6b25e3db |
| Ssdeep | 49152:aIVZjIyWCPkmAGnH8QOirPk0lonLzRS8k4wSYJP+UmTg2SsIVK6LUEYOKBrqIzYC:NjIyNsmAWcnircwO/CIzYozrsBGf |
| PEiD | 无匹配 |
| Yara | 无Yara规则匹配 |
| VirusTotal |
VirusTotal链接 VirusTotal扫描时间: 2018-03-15 23:55:22 扫描结果: 0/66 |
特征
样本的签名证书合法
二进制文件可能包含加密或压缩数据
section: name: .vmp2, entropy: 7.57, characteristics: IMAGE_SCN_CNT_CODE|IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_EXECUTE|IMAGE_SCN_MEM_READ, raw_size: 0x00299e00, virtual_size: 0x00299c30
可执行文件可能使用VMProtect打包
section: {'name': '.vmp0', 'characteristics': 'IMAGE_SCN_CNT_CODE|IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_NOT_PAGED|IMAGE_SCN_MEM_EXECUTE|IMAGE_SCN_MEM_READ', 'virtual_address': '0x00012000', 'size_of_data': '0x00000000', 'entropy': '0.00', 'virtual_size': '0x001a049b', 'characteristics_raw': '0x68000060'}
运行截图
网络分析
TCP连接
| IP地址 | 端口 |
|---|---|
| 23.5.251.27 | 80 |
| 23.5.251.27 | 80 |
UDP连接
| IP地址 | 端口 |
|---|---|
| 192.168.122.1 | 53 |
| 192.168.122.1 | 53 |
HTTP请求
| URL | HTTP数据 |
|---|---|
| http://ocsp.verisign.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBS56bKHAoUD%2BOyl%2B0LhPg9JxyQm4gQUf9Nlp8Ld7LvwMAnzQzn6Aq8zMTMCEFIA5aolVvwahu2WydRLM8c%3D | GET /MFEwTzBNMEswSTAJBgUrDgMCGgUABBS56bKHAoUD%2BOyl%2B0LhPg9JxyQm4gQUf9Nlp8Ld7LvwMAnzQzn6Aq8zMTMCEFIA5aolVvwahu2WydRLM8c%3D HTTP/1.1 Connection: Keep-Alive Accept: */* User-Agent: Microsoft-CryptoAPI/6.1 Host: ocsp.verisign.com |
| http://sf.symcd.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTSqZMG5M8TA9rdzkbCnNwuMAd5VgQUz5mp6nsm9EvJjo%2FX8AUm7%2BPSp50CEH7hTCUOAM0tC1dj5IZGaRw%3D | GET /MFEwTzBNMEswSTAJBgUrDgMCGgUABBTSqZMG5M8TA9rdzkbCnNwuMAd5VgQUz5mp6nsm9EvJjo%2FX8AUm7%2BPSp50CEH7hTCUOAM0tC1dj5IZGaRw%3D HTTP/1.1 Connection: Keep-Alive Accept: */* User-Agent: Microsoft-CryptoAPI/6.1 Host: sf.symcd.com |
静态分析
PE 信息
| 初始地址 | 0x140000000 |
|---|---|
| 入口地址 | 0x1401b6cb2 |
| 声明校验值 | 0x002a7666 |
| 实际校验值 | 0x002a7666 |
| 最低操作系统版本要求 | 6.3 |
| 编译时间 | 2017-10-10 23:53:45 |
| 载入哈希 | 8fe84f3e62e173780b4b4f3999e597ac |
版本信息
| LegalCopyright: | \xa9 Mist Games EIRELI 2017 |
| InternalName: | WayProtect.sys |
| FileVersion: | 4.0.0.0 |
| CompanyName: | Mist Games EIRELI |
| ProductName: | WayProtect |
| ProductVersion: | 4.0.0.0 |
| FileDescription: | WayProtect Driver |
| OriginalFilename: | WayProtect.sys |
| Translation: | 0x0409 0x04b0 |
PE数据组成
| 名称 | 虚拟地址 | 虚拟大小 | 原始数据大小 | 特征 | 熵(Entropy) |
|---|---|---|---|---|---|
| .text | 0x00001000 | 0x00003210 | 0x00000000 | IMAGE_SCN_CNT_CODE|IMAGE_SCN_MEM_NOT_PAGED|IMAGE_SCN_MEM_EXECUTE|IMAGE_SCN_MEM_READ | 0.00 |
| .rdata | 0x00005000 | 0x00004a10 | 0x00000000 | IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_NOT_PAGED|IMAGE_SCN_MEM_READ | 0.00 |
| .data | 0x0000a000 | 0x00003ce4 | 0x00000000 | IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_NOT_PAGED|IMAGE_SCN_MEM_READ|IMAGE_SCN_MEM_WRITE | 0.00 |
| .pdata | 0x0000e000 | 0x00000330 | 0x00000000 | IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_NOT_PAGED|IMAGE_SCN_MEM_READ | 0.00 |
| PAGE | 0x0000f000 | 0x00001987 | 0x00000000 | IMAGE_SCN_CNT_CODE|IMAGE_SCN_MEM_EXECUTE|IMAGE_SCN_MEM_READ | 0.00 |
| INIT | 0x00011000 | 0x0000078c | 0x00000000 | IMAGE_SCN_CNT_CODE|IMAGE_SCN_MEM_EXECUTE|IMAGE_SCN_MEM_READ | 0.00 |
| .vmp0 | 0x00012000 | 0x001a049b | 0x00000000 | IMAGE_SCN_CNT_CODE|IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_NOT_PAGED|IMAGE_SCN_MEM_EXECUTE|IMAGE_SCN_MEM_READ | 0.00 |
| .vmp1 | 0x001b3000 | 0x00000008 | 0x00000200 | IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_NOT_PAGED|IMAGE_SCN_MEM_READ|IMAGE_SCN_MEM_WRITE | 0.12 |
| .vmp2 | 0x001b4000 | 0x00299c30 | 0x00299e00 | IMAGE_SCN_CNT_CODE|IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_EXECUTE|IMAGE_SCN_MEM_READ | 7.57 |
| .reloc | 0x0044e000 | 0x00000084 | 0x00000200 | IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_DISCARDABLE|IMAGE_SCN_MEM_READ | 1.39 |
| .rsrc | 0x0044f000 | 0x00000340 | 0x00000400 | IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_DISCARDABLE|IMAGE_SCN_MEM_READ | 2.76 |
导入
库 ntoskrnl.exe:
• 0x1402e5000 - RtlInitUnicodeString
• 0x1402e5008 - RtlUnicodeStringToAnsiString
• 0x1402e5010 - RtlCopyUnicodeString
• 0x1402e5018 - KeQueryTimeIncrement
• 0x1402e5020 - KeInitializeGuardedMutex
• 0x1402e5028 - KeAcquireGuardedMutex
• 0x1402e5030 - KeReleaseGuardedMutex
• 0x1402e5038 - ExAllocatePoolWithTag
• 0x1402e5040 - ExFreePoolWithTag
• 0x1402e5048 - IoGetCurrentProcess
• 0x1402e5050 - ObRegisterCallbacks
• 0x1402e5058 - ObUnRegisterCallbacks
• 0x1402e5060 - PsGetCurrentProcessId
• 0x1402e5068 - PsGetThreadProcessId
• 0x1402e5070 - RtlDowncaseUnicodeString
• 0x1402e5078 - __C_specific_handler
• 0x1402e5080 - PsProcessType
• 0x1402e5088 - PsThreadType
• 0x1402e5090 - ZwCreateFile
• 0x1402e5098 - ZwReadFile
• 0x1402e50a0 - ZwClose
• 0x1402e50a8 - RtlGetVersion
• 0x1402e50b0 - IofCompleteRequest
• 0x1402e50b8 - IoCreateSymbolicLink
• 0x1402e50c0 - IoDeleteDevice
• 0x1402e50c8 - IoDeleteSymbolicLink
• 0x1402e50d0 - KeBugCheck
• 0x1402e50d8 - IoGetRequestorProcessId
• 0x1402e50e0 - IoGetRequestorProcess
• 0x1402e50e8 - SeLocateProcessImageName
• 0x1402e50f0 - MmGetSystemRoutineAddress
• 0x1402e50f8 - IoCreateDevice
• 0x1402e5100 - ObOpenObjectByPointer
• 0x1402e5108 - ZwSetSecurityObject
• 0x1402e5110 - IoDeviceObjectType
• 0x1402e5118 - _snwprintf
• 0x1402e5120 - RtlLengthSecurityDescriptor
• 0x1402e5128 - SeCaptureSecurityDescriptor
• 0x1402e5130 - RtlCreateSecurityDescriptor
• 0x1402e5138 - RtlSetDaclSecurityDescriptor
• 0x1402e5140 - RtlAbsoluteToSelfRelativeSD
• 0x1402e5148 - IoIsWdmVersionAvailable
• 0x1402e5150 - SeExports
• 0x1402e5158 - wcschr
• 0x1402e5160 - _wcsnicmp
• 0x1402e5168 - RtlLengthSid
• 0x1402e5170 - RtlAddAccessAllowedAce
• 0x1402e5178 - RtlGetSaclSecurityDescriptor
• 0x1402e5180 - RtlGetDaclSecurityDescriptor
• 0x1402e5188 - RtlGetGroupSecurityDescriptor
• 0x1402e5190 - RtlGetOwnerSecurityDescriptor
• 0x1402e5198 - ZwOpenKey
• 0x1402e51a0 - ZwCreateKey
• 0x1402e51a8 - ZwQueryValueKey
• 0x1402e51b0 - ZwSetValueKey
• 0x1402e51b8 - RtlFreeUnicodeString
• 0x1402e51c0 - KeBugCheckEx
库 ntoskrnl.exe:
• 0x1402e51d0 - ExAllocatePool
• 0x1402e51d8 - NtQuerySystemInformation
• 0x1402e51e0 - ExFreePoolWithTag
• 0x1402e51e8 - IoAllocateMdl
• 0x1402e51f0 - MmProbeAndLockPages
• 0x1402e51f8 - MmMapLockedPagesSpecifyCache
• 0x1402e5200 - MmUnlockPages
• 0x1402e5208 - IoFreeMdl
• 0x1402e5210 - KeQueryActiveProcessors
• 0x1402e5218 - KeSetSystemAffinityThread
• 0x1402e5220 - KeRevertToUserAffinityThread
• 0x1402e5228 - DbgPrint
库 HAL.dll:
• 0x1402e5238 - KeQueryPerformanceCounter
投放文件
行为分析
互斥量(Mutexes)
无信息
执行的命令
无信息
创建的服务
无信息
启动的服务
无信息
进程
访问的文件
无信息
读取的文件
无信息
修改的文件
无信息
删除的文件
无信息
注册表键
无信息
读取的注册表键
无信息
修改的注册表键
无信息
删除的注册表键
无信息
API解析
无信息