魔盾安全分析报告
| 分析类型 | 开始时间 | 结束时间 | 持续时间 | 分析引擎版本 |
|---|---|---|---|---|
| FILE | 2016-08-26 17:01:38 | 2016-08-26 17:02:18 | 40 秒 | 1.4-Maldun |
| 虚拟机机器名 | 标签 | 虚拟机管理 | 开机时间 | 关机时间 |
|---|---|---|---|---|
| win7-sp1-x64-1 | win7-sp1-x64-1 | KVM | 2016-08-26 17:01:38 | 2016-08-26 17:02:16 |
| 魔盾分数 |
|---|
3.3可疑的 |
文件详细信息
| 文件名 | MiniTPFw.exe |
|---|---|
| 文件大小 | 59848 字节 |
| 文件类型 | PE32 executable (console) Intel 80386, for MS Windows |
| CRC32 | 0E23C82A |
| MD5 | 58bb62e88687791ad2ea5d8d6e3fe18b |
| SHA1 | 0ffb029064741d10c9cf3f629202aa97167883de |
| SHA256 | f02fa7ddab2593492b9b68e3f485e59eb755380a9235f6269705f6d219dff100 |
| SHA512 | cd36b28f87be9cf718f0c44bf7c500d53186edc08889bcfa5222041ff31c5cbee509b186004480efbd99c36b2233182ae0969447f4051510e1771a73ed209da5 |
| Ssdeep | 768:BSODywYihzSrVPdQsNruuGYOLO3NNkFlBi1jSZIfjeGdJARt03juFGu:BSKywYDdQsQuG5L27Ui1SPRt0qf |
| PEiD | 无匹配 |
| Yara |
|
| VirusTotal |
VirusTotal链接 VirusTotal扫描时间: 2016-06-22 15:30:30 扫描结果: 0/55 |
特征
一个进程创建了一个隐藏窗口
Process: MiniTPFw.exe -> ThunderFW.exe
发起了一些HTTP请求
url: http://ocsp.verisign.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBS56bKHAoUD%2BOyl%2B0LhPg9JxyQm4gQUf9Nlp8Ld7LvwMAnzQzn6Aq8zMTMCEFIA5aolVvwahu2WydRLM8c%3D
url: http://ocsp.verisign.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTSqZMG5M8TA9rdzkbCnNwuMAd5VgQUz5mp6nsm9EvJjo%2FX8AUm7%2BPSp50CEAz%2FezKc%2F387jS1UKrJYJro%3D
检测到网络活动但没有显示在API日志中
运行截图
网络分析
访问主机记录
| 直接访问 | IP地址 | 国家名 |
|---|---|---|
| 是 | 23.44.155.27 | United States |
| 否 | 23.41.75.27 | United States |
域名解析
| 域名 | 响应 |
|---|---|
| ocsp.verisign.com |
A 23.41.75.27
CNAME ocsp-ds.ws.symantec.com.edgekey.net CNAME e8218.dscb1.akamaiedge.net |
TCP连接
| IP地址 | 端口 |
|---|---|
| 23.41.75.27 | 80 |
UDP连接
| IP地址 | 端口 |
|---|---|
| 192.168.122.1 | 53 |
| 192.168.122.1 | 53 |
| 192.168.122.1 | 53 |
| 192.168.122.1 | 53 |
| 192.168.122.1 | 53 |
| 192.168.122.1 | 53 |
| 192.168.122.255 | 137 |
| 192.168.122.69 | 53197 |
| 192.168.122.69 | 64810 |
| 224.0.0.252 | 5355 |
| 224.0.0.252 | 5355 |
| 224.0.0.252 | 5355 |
| 224.0.0.252 | 5355 |
| 224.0.0.252 | 5355 |
| 224.0.0.252 | 5355 |
| 224.0.0.252 | 5355 |
| 224.0.0.252 | 5355 |
| 239.255.255.250 | 1900 |
| 40.69.40.157 | 123 |
HTTP请求
| URL | HTTP数据 |
|---|---|
| http://ocsp.verisign.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBS56bKHAoUD%2BOyl%2B0LhPg9JxyQm4gQUf9Nlp8Ld7LvwMAnzQzn6Aq8zMTMCEFIA5aolVvwahu2WydRLM8c%3D | GET /MFEwTzBNMEswSTAJBgUrDgMCGgUABBS56bKHAoUD%2BOyl%2B0LhPg9JxyQm4gQUf9Nlp8Ld7LvwMAnzQzn6Aq8zMTMCEFIA5aolVvwahu2WydRLM8c%3D HTTP/1.1 Connection: Keep-Alive Accept: */* User-Agent: Microsoft-CryptoAPI/6.1 Host: ocsp.verisign.com |
| http://ocsp.verisign.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTSqZMG5M8TA9rdzkbCnNwuMAd5VgQUz5mp6nsm9EvJjo%2FX8AUm7%2BPSp50CEAz%2FezKc%2F387jS1UKrJYJro%3D | GET /MFEwTzBNMEswSTAJBgUrDgMCGgUABBTSqZMG5M8TA9rdzkbCnNwuMAd5VgQUz5mp6nsm9EvJjo%2FX8AUm7%2BPSp50CEAz%2FezKc%2F387jS1UKrJYJro%3D HTTP/1.1 Connection: Keep-Alive Accept: */* User-Agent: Microsoft-CryptoAPI/6.1 Host: ocsp.verisign.com |
| http://ocsp.verisign.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTSqZMG5M8TA9rdzkbCnNwuMAd5VgQUz5mp6nsm9EvJjo%2FX8AUm7%2BPSp50CEAz%2FezKc%2F387jS1UKrJYJro%3D | GET /MFEwTzBNMEswSTAJBgUrDgMCGgUABBTSqZMG5M8TA9rdzkbCnNwuMAd5VgQUz5mp6nsm9EvJjo%2FX8AUm7%2BPSp50CEAz%2FezKc%2F387jS1UKrJYJro%3D HTTP/1.1 Cache-Control: no-cache Connection: Keep-Alive Pragma: no-cache Accept: */* User-Agent: Microsoft-CryptoAPI/6.1 Host: ocsp.verisign.com |
静态分析
PE 信息
| 初始地址 | 0x00400000 |
|---|---|
| 入口地址 | 0x00402cda |
| 声明校验值 | 0x00012a3f |
| 实际校验值 | 0x00012a3f |
| 最低操作系统版本要求 | 5.0 |
| PDB路径 | d:\Project\MiniTPFw\MiniTPFw\Release\MiniTPFw.pdb |
| 编译时间 | 2014-01-07 14:46:58 |
版本信息
| LegalCopyright: | Copyright (c) 2014 Thunder Networking Technologies,LTD |
| InternalName: | MiniTPFw |
| FileVersion: | 1, 0, 0, 1 |
| ProductName: | MiniTPFw Application |
| ProductVersion: | 1, 0, 0, 1 |
| FileDescription: | MiniTPFw Application |
| OriginalFilename: | MiniTPFw.exe |
| Translation: | 0x0804 0x04b0 |
PE数据组成
| 名称 | 虚拟地址 | 虚拟大小 | 原始数据大小 | 特征 | 熵(Entropy) |
|---|---|---|---|---|---|
| .text | 0x00001000 | 0x00008aeb | 0x00008c00 | IMAGE_SCN_CNT_CODE|IMAGE_SCN_MEM_EXECUTE|IMAGE_SCN_MEM_READ | 6.51 |
| .rdata | 0x0000a000 | 0x00002ab4 | 0x00002c00 | IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_READ | 5.20 |
| .data | 0x0000d000 | 0x00001a1c | 0x00000e00 | IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_READ|IMAGE_SCN_MEM_WRITE | 2.71 |
| .rsrc | 0x0000f000 | 0x00000504 | 0x00000600 | IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_READ | 4.51 |
覆盖
| 偏移量: | 0x0000d000 |
| 大小: | 0x000019c8 |
资源
| 名称 | 偏移量 | 大小 | 语言 | 子语言 | 熵(Entropy) | 文件类型 |
|---|---|---|---|---|---|---|
| RT_VERSION | 0x0000f0a0 | 0x000002fc | LANG_CHINESE | SUBLANG_CHINESE_SIMPLIFIED | 3.37 | data |
| RT_MANIFEST | 0x0000f39c | 0x00000165 | LANG_ENGLISH | SUBLANG_ENGLISH_US | 4.78 | ASCII text, with CRLF line terminators |
导入
库 SHELL32.dll:
• 0x40a0f0 - ShellExecuteW
库 KERNEL32.dll:
• 0x40a000 - DeleteCriticalSection
• 0x40a004 - GetCurrentDirectoryW
• 0x40a008 - GetLocalTime
• 0x40a00c - RtlUnwind
• 0x40a010 - RaiseException
• 0x40a014 - GetModuleHandleW
• 0x40a018 - GetProcAddress
• 0x40a01c - TlsGetValue
• 0x40a020 - TlsAlloc
• 0x40a024 - TlsSetValue
• 0x40a028 - TlsFree
• 0x40a02c - InterlockedIncrement
• 0x40a030 - SetLastError
• 0x40a034 - GetCurrentThreadId
• 0x40a038 - GetLastError
• 0x40a03c - InterlockedDecrement
• 0x40a040 - TerminateProcess
• 0x40a044 - GetCurrentProcess
• 0x40a048 - UnhandledExceptionFilter
• 0x40a04c - SetUnhandledExceptionFilter
• 0x40a050 - IsDebuggerPresent
• 0x40a054 - HeapFree
• 0x40a058 - HeapAlloc
• 0x40a05c - Sleep
• 0x40a060 - ExitProcess
• 0x40a064 - WriteFile
• 0x40a068 - GetStdHandle
• 0x40a06c - GetModuleFileNameA
• 0x40a070 - GetModuleFileNameW
• 0x40a074 - FreeEnvironmentStringsW
• 0x40a078 - GetEnvironmentStringsW
• 0x40a07c - GetCommandLineW
• 0x40a080 - SetHandleCount
• 0x40a084 - GetFileType
• 0x40a088 - GetStartupInfoA
• 0x40a08c - HeapCreate
• 0x40a090 - VirtualFree
• 0x40a094 - QueryPerformanceCounter
• 0x40a098 - GetTickCount
• 0x40a09c - GetCurrentProcessId
• 0x40a0a0 - GetSystemTimeAsFileTime
• 0x40a0a4 - LeaveCriticalSection
• 0x40a0a8 - EnterCriticalSection
• 0x40a0ac - GetCPInfo
• 0x40a0b0 - GetACP
• 0x40a0b4 - GetOEMCP
• 0x40a0b8 - IsValidCodePage
• 0x40a0bc - VirtualAlloc
• 0x40a0c0 - HeapReAlloc
• 0x40a0c4 - HeapSize
• 0x40a0c8 - LoadLibraryA
• 0x40a0cc - InitializeCriticalSectionAndSpinCount
• 0x40a0d0 - GetLocaleInfoA
• 0x40a0d4 - GetStringTypeA
• 0x40a0d8 - MultiByteToWideChar
• 0x40a0dc - GetStringTypeW
• 0x40a0e0 - LCMapStringA
• 0x40a0e4 - WideCharToMultiByte
• 0x40a0e8 - LCMapStringW
库 USER32.dll:
• 0x40a0f8 - wsprintfW
投放文件
行为分析
互斥量(Mutexes)
无信息
执行的命令
- ThunderFW.exe MiniThunderPlatform2016-04-2822:01:59 "C:\Users\test\AppData\Local\Temp\MiniThunderPlatform.exe"
创建的服务
无信息
启动的服务
无信息
进程
MiniTPFw.exe PID: 1624, 上一级进程 PID: 1472
访问的文件
- C:\Windows\Globalization\Sorting\sortdefault.nls
读取的文件
- C:\Windows\Globalization\Sorting\sortdefault.nls
修改的文件
无信息
删除的文件
无信息
注册表键
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellCompatibility\Applications\MiniTPFw.exe
- HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\GRE_Initialize
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\GRE_Initialize\DisableMetaFiles
读取的注册表键
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\GRE_Initialize\DisableMetaFiles
修改的注册表键
无信息
删除的注册表键
无信息
API解析
- kernel32.dll.FlsAlloc
- kernel32.dll.FlsGetValue
- kernel32.dll.FlsSetValue
- kernel32.dll.FlsFree
- kernel32.dll.SortGetHandle
- kernel32.dll.SortCloseHandle
- advapi32.dll.UnregisterTraceGuids
- comctl32.dll.#321