魔盾安全分析报告

分析类型	开始时间	结束时间	持续时间	分析引擎版本
FILE	2018-07-20 20:07:15	2018-07-20 20:09:35	140 秒	1.4-Maldun

虚拟机机器名	标签	虚拟机管理	开机时间	关机时间
win7-sp1-x64-shaapp01-2	win7-sp1-x64-shaapp01-2	KVM	2018-07-20 20:07:15	2018-07-20 20:09:32

魔盾分数
10.0 恶意的

文件详细信息

文件名	Server.exe
文件大小	360448 字节
文件类型	PE32 executable (GUI) Intel 80386, for MS Windows
CRC32	D505C563
MD5	b414f495e3925c20866202ca2a3c3ed1
SHA1	9f86df9bcf4677f7bf67795176d0af0b845c16f4
SHA256	ad0f42157ad5933a3024c5e03b02ce59f03b1d5020f9625f7c873b29462a2b43
SHA512	240e5a238d3033ea58a1c8ce47951a0f049899eec0ea5435107d5e52f62e4126b6e9f4e3d97a735c5ef4a0aca3bd787a39c5347619c282bd2152d840c40a6311
Ssdeep	6144:HsRuN0f+Fxx9wz45sO+sIk4W0FB/oZWfmB/oZWfM6Vh+b:L0f+Fxx9wa7MBwgmBwgLVh+b
PEiD	无匹配
Yara	IsPE32 () IsWindowsGUI () HasRichSignature (Rich Signature Check) anti_dbg (Checks if being debugged) create_service (Create a windows service) network_dropper (File downloader/dropper) network_tcp_socket (Communications over RAW socket) network_dns (Communications use DNS) escalate_priv (Escalade priviledges) screenshot (Take screenshot) keylogger (Run a keylogger) rat_rdp (Remote Administration toolkit enable RDP) win_mutex (Create or check mutex) win_registry (Affect system registries) win_token (Affect system token) win_private_profile (Affect private profile) win_files_operation (Affect private profile) win_hook (Affect hook table) Str_Win32_Winsock2_Library (Match Winsock 2 API library declaration) Str_Win32_Wininet_Library (Match Windows Inet API library declaration) Str_Win32_Internet_API (Match Windows Inet API call) without_urls (Rule to detect the no presence of any url) without_attachments (Rule to detect the no presence of any attachment) without_images (Rule to detect the no presence of any image) Armadillo_v171 () Microsoft_Visual_Cpp_v60 () Microsoft_Visual_Cpp_v50v60_MFC_additional () Microsoft_Visual_Cpp_50 () Microsoft_Visual_Cpp_v50v60_MFC () Armadillo_v171_additional () Armadillo_v4x () Microsoft_Visual_Cpp ()
VirusTotal	VirusTotal链接 VirusTotal扫描时间: 2018-07-20 08:30:31 扫描结果: 35/67

特征

强制将一个创建的进程加载为另一个不相关进程的子进程

投放出一个二进制文件并执行它

binary: C:\Windows\svchost.exe

魔盾wping.org 域名信誉系统

Greylist: cx820329965.f3322.net

魔盾wping.org IP地址信誉系统

Greylist: 123.191.74.46

将自己装载到Windows开机自动启动项目

service name: Cdefgh

service path: C:\Windows\svchost.exe

生成一个自己的复制文件

copy: C:\Windows\svchost.exe

文件已被至少十个VirusTotal上的反病毒引擎检测为病毒

MicroWorld-eScan: Gen:Win32.Malware.wq0@aWCJqcni

ALYac: Gen:Win32.Malware.wq0@aWCJqcni

K7GW: Riskware ( 0040eff71 )

K7AntiVirus: Riskware ( 0040eff71 )

Invincea: heuristic

Baidu: Win32.Trojan.WisdomEyes.16070401.9500.9516

TrendMicro-HouseCall: BKDR_ZEGOST.SM53

Avast: Win32:Malware-gen

ClamAV: Win.Trojan.Generic-6305873-0

Kaspersky: HEUR:Trojan.Win32.Generic

BitDefender: Gen:Win32.Malware.wq0@aWCJqcni

NANO-Antivirus: Trojan.Win32.Farfli.ewqsqn

Rising: Trojan.Kryptik!1.AAD1 (CLASSIC)

Ad-Aware: Gen:Win32.Malware.wq0@aWCJqcni

F-Secure: Gen:Win32.Malware.wq0@aWCJqcni

DrWeb: Trojan.DownLoader26.55378

Zillya: Trojan.Farfli.Win32.31015

TrendMicro: BKDR_ZEGOST.SM53

McAfee-GW-Edition: Packed-MW!B414F495E392

Emsisoft: Gen:Win32.Malware.wq0@aWCJqcni (B)

Fortinet: W32/Kryptik.FHSE!tr

Antiy-AVL: Trojan/Win32.Siscos

Arcabit: Gen:Win32.Malware.E59914

ZoneAlarm: HEUR:Trojan.Win32.Generic

Microsoft: Backdoor:Win32/Zegost

McAfee: Packed-MW!B414F495E392

MAX: malware (ai score=86)

VBA32: Trojan.Siscos

Cylance: Unsafe

ESET-NOD32: a variant of Win32/Farfli.BLH

Tencent: Win32.Trojan.Killav.Pcie

GData: Gen:Win32.Malware.wq0@aWCJqcni

AVG: Win32:Malware-gen

Cybereason: malicious.5e3925

Qihoo-360: Win32/Trojan.a01

运行截图

网络分析

访问主机记录

直接访问	IP地址	国家名
否	123.191.74.46	China

域名解析

域名	响应
cx820329965.f3322.net	A 123.191.74.46

UDP连接

IP地址	端口
192.168.122.1	53

静态分析

PE 信息

初始地址	0x00400000
入口地址	0x00405b15
声明校验值	0x00000000
实际校验值	0x0005be7d
最低操作系统版本要求	4.0
编译时间	2018-01-02 15:40:16
载入哈希	8f99dd454591142e7afc9ece75de9ae8
图标
图标精确哈希值	5a79a7139650236d5ee934f61e7ee5ce
图标相似性哈希值	0d1b8ed1ec5bcebfa873de911727a8ef

版本信息

LegalCopyright:	Copyright \xa9 1998-2013 VMware, Inc.
InternalName:	vmui
FileVersion:	10.0.1 build-1379776
CompanyName:	VMware, Inc.
ProductName:	VMware Workstation
ProductVersion:	10.0.1 build-1379776
FileDescription:	VMware Workstation
OriginalFilename:	vmware.exe
Translation:	0x0409 0x04b0

PE数据组成

名称	虚拟地址	虚拟大小	原始数据大小	特征	熵(Entropy)
.text	0x00001000	0x0001995a	0x0001a000	IMAGE_SCN_CNT_CODE\|IMAGE_SCN_MEM_EXECUTE\|IMAGE_SCN_MEM_READ	6.57
.rdata	0x0001b000	0x00005990	0x00006000	IMAGE_SCN_CNT_INITIALIZED_DATA\|IMAGE_SCN_MEM_READ	4.54
.data	0x00021000	0x00011ba8	0x0000e000	IMAGE_SCN_CNT_INITIALIZED_DATA\|IMAGE_SCN_MEM_READ\|IMAGE_SCN_MEM_WRITE	4.32
.rsrc	0x00033000	0x00028bb4	0x00029000	IMAGE_SCN_CNT_INITIALIZED_DATA\|IMAGE_SCN_MEM_READ	6.57

资源

名称	偏移量	大小	语言	子语言	熵(Entropy)	文件类型
MD5	0x00033f80	0x00000014	LANG_NEUTRAL	SUBLANG_NEUTRAL	3.58	ASCII text, with CRLF line terminators
RT_ICON	0x000577fc	0x00000468	LANG_ENGLISH	SUBLANG_ENGLISH_US	5.10	GLS_BINARY_LSB_FIRST
RT_ICON	0x000577fc	0x00000468	LANG_ENGLISH	SUBLANG_ENGLISH_US	5.10	GLS_BINARY_LSB_FIRST
RT_ICON	0x000577fc	0x00000468	LANG_ENGLISH	SUBLANG_ENGLISH_US	5.10	GLS_BINARY_LSB_FIRST
RT_ICON	0x000577fc	0x00000468	LANG_ENGLISH	SUBLANG_ENGLISH_US	5.10	GLS_BINARY_LSB_FIRST
RT_ICON	0x000577fc	0x00000468	LANG_ENGLISH	SUBLANG_ENGLISH_US	5.10	GLS_BINARY_LSB_FIRST
RT_ICON	0x000577fc	0x00000468	LANG_ENGLISH	SUBLANG_ENGLISH_US	5.10	GLS_BINARY_LSB_FIRST
RT_ICON	0x000577fc	0x00000468	LANG_ENGLISH	SUBLANG_ENGLISH_US	5.10	GLS_BINARY_LSB_FIRST
RT_ICON	0x000577fc	0x00000468	LANG_ENGLISH	SUBLANG_ENGLISH_US	5.10	GLS_BINARY_LSB_FIRST
RT_ICON	0x000577fc	0x00000468	LANG_ENGLISH	SUBLANG_ENGLISH_US	5.10	GLS_BINARY_LSB_FIRST
RT_ICON	0x000577fc	0x00000468	LANG_ENGLISH	SUBLANG_ENGLISH_US	5.10	GLS_BINARY_LSB_FIRST
RT_ICON	0x000577fc	0x00000468	LANG_ENGLISH	SUBLANG_ENGLISH_US	5.10	GLS_BINARY_LSB_FIRST
RT_ICON	0x000577fc	0x00000468	LANG_ENGLISH	SUBLANG_ENGLISH_US	5.10	GLS_BINARY_LSB_FIRST
RT_ICON	0x000577fc	0x00000468	LANG_ENGLISH	SUBLANG_ENGLISH_US	5.10	GLS_BINARY_LSB_FIRST
RT_ICON	0x000577fc	0x00000468	LANG_ENGLISH	SUBLANG_ENGLISH_US	5.10	GLS_BINARY_LSB_FIRST
RT_ICON	0x000577fc	0x00000468	LANG_ENGLISH	SUBLANG_ENGLISH_US	5.10	GLS_BINARY_LSB_FIRST
RT_ICON	0x000577fc	0x00000468	LANG_ENGLISH	SUBLANG_ENGLISH_US	5.10	GLS_BINARY_LSB_FIRST
RT_ICON	0x000577fc	0x00000468	LANG_ENGLISH	SUBLANG_ENGLISH_US	5.10	GLS_BINARY_LSB_FIRST
RT_ICON	0x000577fc	0x00000468	LANG_ENGLISH	SUBLANG_ENGLISH_US	5.10	GLS_BINARY_LSB_FIRST
RT_ICON	0x000577fc	0x00000468	LANG_ENGLISH	SUBLANG_ENGLISH_US	5.10	GLS_BINARY_LSB_FIRST
RT_ICON	0x000577fc	0x00000468	LANG_ENGLISH	SUBLANG_ENGLISH_US	5.10	GLS_BINARY_LSB_FIRST
RT_ICON	0x000577fc	0x00000468	LANG_ENGLISH	SUBLANG_ENGLISH_US	5.10	GLS_BINARY_LSB_FIRST
RT_ICON	0x000577fc	0x00000468	LANG_ENGLISH	SUBLANG_ENGLISH_US	5.10	GLS_BINARY_LSB_FIRST
RT_ICON	0x000577fc	0x00000468	LANG_ENGLISH	SUBLANG_ENGLISH_US	5.10	GLS_BINARY_LSB_FIRST
RT_ICON	0x000577fc	0x00000468	LANG_ENGLISH	SUBLANG_ENGLISH_US	5.10	GLS_BINARY_LSB_FIRST
RT_ICON	0x000577fc	0x00000468	LANG_ENGLISH	SUBLANG_ENGLISH_US	5.10	GLS_BINARY_LSB_FIRST
RT_ICON	0x000577fc	0x00000468	LANG_ENGLISH	SUBLANG_ENGLISH_US	5.10	GLS_BINARY_LSB_FIRST
RT_ICON	0x000577fc	0x00000468	LANG_ENGLISH	SUBLANG_ENGLISH_US	5.10	GLS_BINARY_LSB_FIRST
RT_ICON	0x000577fc	0x00000468	LANG_ENGLISH	SUBLANG_ENGLISH_US	5.10	GLS_BINARY_LSB_FIRST
RT_ICON	0x000577fc	0x00000468	LANG_ENGLISH	SUBLANG_ENGLISH_US	5.10	GLS_BINARY_LSB_FIRST
RT_ICON	0x000577fc	0x00000468	LANG_ENGLISH	SUBLANG_ENGLISH_US	5.10	GLS_BINARY_LSB_FIRST
RT_ICON	0x000577fc	0x00000468	LANG_ENGLISH	SUBLANG_ENGLISH_US	5.10	GLS_BINARY_LSB_FIRST
RT_ICON	0x000577fc	0x00000468	LANG_ENGLISH	SUBLANG_ENGLISH_US	5.10	GLS_BINARY_LSB_FIRST
RT_ICON	0x000577fc	0x00000468	LANG_ENGLISH	SUBLANG_ENGLISH_US	5.10	GLS_BINARY_LSB_FIRST
RT_DIALOG	0x000591f8	0x00000254	LANG_ENGLISH	SUBLANG_ENGLISH_US	3.34	data
RT_DIALOG	0x000591f8	0x00000254	LANG_ENGLISH	SUBLANG_ENGLISH_US	3.34	data
RT_DIALOG	0x000591f8	0x00000254	LANG_ENGLISH	SUBLANG_ENGLISH_US	3.34	data
RT_DIALOG	0x000591f8	0x00000254	LANG_ENGLISH	SUBLANG_ENGLISH_US	3.34	data
RT_DIALOG	0x000591f8	0x00000254	LANG_ENGLISH	SUBLANG_ENGLISH_US	3.34	data
RT_DIALOG	0x000591f8	0x00000254	LANG_ENGLISH	SUBLANG_ENGLISH_US	3.34	data
RT_DIALOG	0x000591f8	0x00000254	LANG_ENGLISH	SUBLANG_ENGLISH_US	3.34	data
RT_DIALOG	0x000591f8	0x00000254	LANG_ENGLISH	SUBLANG_ENGLISH_US	3.34	data
RT_DIALOG	0x000591f8	0x00000254	LANG_ENGLISH	SUBLANG_ENGLISH_US	3.34	data
RT_DIALOG	0x000591f8	0x00000254	LANG_ENGLISH	SUBLANG_ENGLISH_US	3.34	data
RT_DIALOG	0x000591f8	0x00000254	LANG_ENGLISH	SUBLANG_ENGLISH_US	3.34	data
RT_DIALOG	0x000591f8	0x00000254	LANG_ENGLISH	SUBLANG_ENGLISH_US	3.34	data
RT_DIALOG	0x000591f8	0x00000254	LANG_ENGLISH	SUBLANG_ENGLISH_US	3.34	data
RT_DIALOG	0x000591f8	0x00000254	LANG_ENGLISH	SUBLANG_ENGLISH_US	3.34	data
RT_STRING	0x0005b678	0x0000002c	LANG_ENGLISH	SUBLANG_ENGLISH_US	1.08	data
RT_STRING	0x0005b678	0x0000002c	LANG_ENGLISH	SUBLANG_ENGLISH_US	1.08	data
RT_STRING	0x0005b678	0x0000002c	LANG_ENGLISH	SUBLANG_ENGLISH_US	1.08	data
RT_STRING	0x0005b678	0x0000002c	LANG_ENGLISH	SUBLANG_ENGLISH_US	1.08	data
RT_STRING	0x0005b678	0x0000002c	LANG_ENGLISH	SUBLANG_ENGLISH_US	1.08	data
RT_STRING	0x0005b678	0x0000002c	LANG_ENGLISH	SUBLANG_ENGLISH_US	1.08	data
RT_STRING	0x0005b678	0x0000002c	LANG_ENGLISH	SUBLANG_ENGLISH_US	1.08	data
RT_STRING	0x0005b678	0x0000002c	LANG_ENGLISH	SUBLANG_ENGLISH_US	1.08	data
RT_STRING	0x0005b678	0x0000002c	LANG_ENGLISH	SUBLANG_ENGLISH_US	1.08	data
RT_STRING	0x0005b678	0x0000002c	LANG_ENGLISH	SUBLANG_ENGLISH_US	1.08	data
RT_STRING	0x0005b678	0x0000002c	LANG_ENGLISH	SUBLANG_ENGLISH_US	1.08	data
RT_STRING	0x0005b678	0x0000002c	LANG_ENGLISH	SUBLANG_ENGLISH_US	1.08	data
RT_STRING	0x0005b678	0x0000002c	LANG_ENGLISH	SUBLANG_ENGLISH_US	1.08	data
RT_STRING	0x0005b678	0x0000002c	LANG_ENGLISH	SUBLANG_ENGLISH_US	1.08	data
RT_STRING	0x0005b678	0x0000002c	LANG_ENGLISH	SUBLANG_ENGLISH_US	1.08	data
RT_STRING	0x0005b678	0x0000002c	LANG_ENGLISH	SUBLANG_ENGLISH_US	1.08	data
RT_STRING	0x0005b678	0x0000002c	LANG_ENGLISH	SUBLANG_ENGLISH_US	1.08	data
RT_STRING	0x0005b678	0x0000002c	LANG_ENGLISH	SUBLANG_ENGLISH_US	1.08	data
RT_STRING	0x0005b678	0x0000002c	LANG_ENGLISH	SUBLANG_ENGLISH_US	1.08	data
RT_STRING	0x0005b678	0x0000002c	LANG_ENGLISH	SUBLANG_ENGLISH_US	1.08	data
RT_STRING	0x0005b678	0x0000002c	LANG_ENGLISH	SUBLANG_ENGLISH_US	1.08	data
RT_STRING	0x0005b678	0x0000002c	LANG_ENGLISH	SUBLANG_ENGLISH_US	1.08	data
RT_STRING	0x0005b678	0x0000002c	LANG_ENGLISH	SUBLANG_ENGLISH_US	1.08	data
RT_GROUP_ICON	0x0005b87c	0x00000014	LANG_ENGLISH	SUBLANG_ENGLISH_US	2.08	MS Windows icon resource - 1 icon, 16x16
RT_GROUP_ICON	0x0005b87c	0x00000014	LANG_ENGLISH	SUBLANG_ENGLISH_US	2.08	MS Windows icon resource - 1 icon, 16x16
RT_GROUP_ICON	0x0005b87c	0x00000014	LANG_ENGLISH	SUBLANG_ENGLISH_US	2.08	MS Windows icon resource - 1 icon, 16x16
RT_GROUP_ICON	0x0005b87c	0x00000014	LANG_ENGLISH	SUBLANG_ENGLISH_US	2.08	MS Windows icon resource - 1 icon, 16x16
RT_GROUP_ICON	0x0005b87c	0x00000014	LANG_ENGLISH	SUBLANG_ENGLISH_US	2.08	MS Windows icon resource - 1 icon, 16x16
RT_GROUP_ICON	0x0005b87c	0x00000014	LANG_ENGLISH	SUBLANG_ENGLISH_US	2.08	MS Windows icon resource - 1 icon, 16x16
RT_GROUP_ICON	0x0005b87c	0x00000014	LANG_ENGLISH	SUBLANG_ENGLISH_US	2.08	MS Windows icon resource - 1 icon, 16x16
RT_VERSION	0x0005b890	0x00000324	LANG_ENGLISH	SUBLANG_ENGLISH_US	3.50	data

导入

库 KERNEL32.dll:

• 0x41b0f0 - ExitProcess

• 0x41b0f4 - TerminateProcess

• 0x41b0f8 - HeapSize

• 0x41b0fc - GetACP

• 0x41b100 - GetEnvironmentVariableA

• 0x41b104 - GetVersionExA

• 0x41b108 - HeapDestroy

• 0x41b10c - HeapCreate

• 0x41b110 - IsBadWritePtr

• 0x41b114 - SetUnhandledExceptionFilter

• 0x41b118 - UnhandledExceptionFilter

• 0x41b11c - FreeEnvironmentStringsA

• 0x41b120 - FreeEnvironmentStringsW

• 0x41b124 - GetEnvironmentStrings

• 0x41b128 - GetEnvironmentStringsW

• 0x41b12c - GetCommandLineA

• 0x41b130 - GetStdHandle

• 0x41b134 - GetFileType

• 0x41b138 - GetStringTypeA

• 0x41b13c - GetStringTypeW

• 0x41b140 - LCMapStringA

• 0x41b144 - LCMapStringW

• 0x41b148 - IsBadCodePtr

• 0x41b14c - SetStdHandle

• 0x41b150 - GetStartupInfoA

• 0x41b154 - GetProfileStringA

• 0x41b158 - RaiseException

• 0x41b15c - HeapFree

• 0x41b160 - RtlUnwind

• 0x41b164 - FlushFileBuffers

• 0x41b168 - SetFilePointer

• 0x41b16c - GetCurrentProcess

• 0x41b170 - SetErrorMode

• 0x41b174 - SizeofResource

• 0x41b178 - WritePrivateProfileStringA

• 0x41b17c - GetOEMCP

• 0x41b180 - GetCPInfo

• 0x41b184 - GetProcessVersion

• 0x41b188 - GlobalFlags

• 0x41b18c - TlsGetValue

• 0x41b190 - LocalReAlloc

• 0x41b194 - TlsSetValue

• 0x41b198 - GlobalReAlloc

• 0x41b19c - TlsFree

• 0x41b1a0 - GlobalHandle

• 0x41b1a4 - TlsAlloc

• 0x41b1a8 - LocalAlloc

• 0x41b1ac - EnterCriticalSection

• 0x41b1b0 - LeaveCriticalSection

• 0x41b1b4 - DeleteCriticalSection

• 0x41b1b8 - InitializeCriticalSection

• 0x41b1bc - GetLastError

• 0x41b1c0 - GlobalFree

• 0x41b1c4 - GetModuleFileNameA

• 0x41b1c8 - GlobalAlloc

• 0x41b1cc - GetCurrentThread

• 0x41b1d0 - lstrcpynA

• 0x41b1d4 - GlobalLock

• 0x41b1d8 - GlobalUnlock

• 0x41b1dc - MulDiv

• 0x41b1e0 - WideCharToMultiByte

• 0x41b1e4 - SetLastError

• 0x41b1e8 - FindResourceA

• 0x41b1ec - LoadResource

• 0x41b1f0 - LockResource

• 0x41b1f4 - GetVersion

• 0x41b1f8 - lstrcatA

• 0x41b1fc - GetCurrentThreadId

• 0x41b200 - GlobalGetAtomNameA

• 0x41b204 - lstrcmpiA

• 0x41b208 - GlobalAddAtomA

• 0x41b20c - GlobalFindAtomA

• 0x41b210 - GlobalDeleteAtom

• 0x41b214 - lstrcpyA

• 0x41b218 - GetModuleHandleA

• 0x41b21c - lstrcmpA

• 0x41b220 - MultiByteToWideChar

• 0x41b224 - InterlockedDecrement

• 0x41b228 - InterlockedIncrement

• 0x41b22c - LocalFree

• 0x41b230 - lstrlenA

• 0x41b234 - WriteFile

• 0x41b238 - CloseHandle

• 0x41b23c - IsBadReadPtr

• 0x41b240 - VirtualAlloc

• 0x41b244 - FreeLibrary

• 0x41b248 - VirtualFree

• 0x41b24c - GetProcessHeap

• 0x41b250 - HeapReAlloc

• 0x41b254 - HeapAlloc

• 0x41b258 - LoadLibraryA

• 0x41b25c - GetProcAddress

• 0x41b260 - SetHandleCount

库 USER32.dll:

• 0x41b268 - IsDialogMessageA

• 0x41b26c - SetWindowTextA

• 0x41b270 - ShowWindow

• 0x41b274 - IsWindowEnabled

• 0x41b278 - GetNextDlgTabItem

• 0x41b27c - EnableMenuItem

• 0x41b280 - CheckMenuItem

• 0x41b284 - SetMenuItemBitmaps

• 0x41b288 - ModifyMenuA

• 0x41b28c - GetMenuState

• 0x41b290 - LoadBitmapA

• 0x41b294 - GetMenuCheckMarkDimensions

• 0x41b298 - InflateRect

• 0x41b29c - PostQuitMessage

• 0x41b2a0 - SetCursor

• 0x41b2a4 - ValidateRect

• 0x41b2a8 - GetActiveWindow

• 0x41b2ac - TranslateMessage

• 0x41b2b0 - GetMessageA

• 0x41b2b4 - CreateDialogIndirectParamA

• 0x41b2b8 - EndDialog

• 0x41b2bc - LoadStringA

• 0x41b2c0 - GetClassNameA

• 0x41b2c4 - PtInRect

• 0x41b2c8 - LoadCursorA

• 0x41b2cc - GetSysColorBrush

• 0x41b2d0 - EndPaint

• 0x41b2d4 - BeginPaint

• 0x41b2d8 - GetWindowDC

• 0x41b2dc - ReleaseDC

• 0x41b2e0 - GetDC

• 0x41b2e4 - ClientToScreen

• 0x41b2e8 - PostMessageA

• 0x41b2ec - UpdateWindow

• 0x41b2f0 - SendDlgItemMessageA

• 0x41b2f4 - MapWindowPoints

• 0x41b2f8 - PeekMessageA

• 0x41b2fc - DispatchMessageA

• 0x41b300 - GetFocus

• 0x41b304 - SetActiveWindow

• 0x41b308 - IsWindow

• 0x41b30c - SetFocus

• 0x41b310 - AdjustWindowRectEx

• 0x41b314 - ScreenToClient

• 0x41b318 - IsWindowVisible

• 0x41b31c - GetTopWindow

• 0x41b320 - GetParent

• 0x41b324 - GetCapture

• 0x41b328 - WinHelpA

• 0x41b32c - wsprintfA

• 0x41b330 - GetClassInfoA

• 0x41b334 - RegisterClassA

• 0x41b338 - GetMenu

• 0x41b33c - GetMenuItemCount

• 0x41b340 - GetSubMenu

• 0x41b344 - GetMenuItemID

• 0x41b348 - GetDlgItem

• 0x41b34c - GetWindowTextLengthA

• 0x41b350 - GetWindowTextA

• 0x41b354 - GetDlgCtrlID

• 0x41b358 - GetKeyState

• 0x41b35c - DestroyWindow

• 0x41b360 - CreateWindowExA

• 0x41b364 - SetWindowsHookExA

• 0x41b368 - CallNextHookEx

• 0x41b36c - GetClassLongA

• 0x41b370 - SetPropA

• 0x41b374 - UnhookWindowsHookEx

• 0x41b378 - GetPropA

• 0x41b37c - CallWindowProcA

• 0x41b380 - RemovePropA

• 0x41b384 - DefWindowProcA

• 0x41b388 - GetMessageTime

• 0x41b38c - GetMessagePos

• 0x41b390 - GetLastActivePopup

• 0x41b394 - GetForegroundWindow

• 0x41b398 - SetForegroundWindow

• 0x41b39c - GetWindow

• 0x41b3a0 - GetWindowLongA

• 0x41b3a4 - SetWindowLongA

• 0x41b3a8 - SetWindowPos

• 0x41b3ac - RegisterWindowMessageA

• 0x41b3b0 - OffsetRect

• 0x41b3b4 - IntersectRect

• 0x41b3b8 - SystemParametersInfoA

• 0x41b3bc - GetWindowPlacement

• 0x41b3c0 - IsIconic

• 0x41b3c4 - GetSystemMetrics

• 0x41b3c8 - GetClientRect

• 0x41b3cc - DrawIcon

• 0x41b3d0 - GetSystemMenu

• 0x41b3d4 - SendMessageA

• 0x41b3d8 - LoadIconA

• 0x41b3dc - EnableWindow

• 0x41b3e0 - GrayStringA

• 0x41b3e4 - DrawTextA

• 0x41b3e8 - TabbedTextOutA

• 0x41b3ec - SetTimer

• 0x41b3f0 - UnregisterClassA

• 0x41b3f4 - HideCaret

• 0x41b3f8 - ShowCaret

• 0x41b3fc - ExcludeUpdateRgn

• 0x41b400 - DrawFocusRect

• 0x41b404 - KillTimer

• 0x41b408 - CreatePopupMenu

• 0x41b40c - AppendMenuA

• 0x41b410 - GetCursorPos

• 0x41b414 - TrackPopupMenu

• 0x41b418 - DestroyMenu

• 0x41b41c - InvalidateRect

• 0x41b420 - CopyRect

• 0x41b424 - GetSysColor

• 0x41b428 - FillRect

• 0x41b42c - GetWindowRect

• 0x41b430 - SetWindowRgn

• 0x41b434 - IsWindowUnicode

• 0x41b438 - CharNextA

• 0x41b43c - DefDlgProcA

• 0x41b440 - MessageBoxA

库 GDI32.dll:

• 0x41b020 - GetBrushOrgEx

• 0x41b024 - CreatePatternBrush

• 0x41b028 - SetPixelV

• 0x41b02c - GetBitmapDimensionEx

• 0x41b030 - CreateCompatibleBitmap

• 0x41b034 - CreateCompatibleDC

• 0x41b038 - BitBlt

• 0x41b03c - PtVisible

• 0x41b040 - RectVisible

• 0x41b044 - TextOutA

• 0x41b048 - ExtTextOutA

• 0x41b04c - Escape

• 0x41b050 - GetClipBox

• 0x41b054 - SetTextColor

• 0x41b058 - SetBkColor

• 0x41b05c - GetObjectA

• 0x41b060 - DeleteDC

• 0x41b064 - SaveDC

• 0x41b068 - RestoreDC

• 0x41b06c - SelectObject

• 0x41b070 - GetStockObject

• 0x41b074 - SetBkMode

• 0x41b078 - SetMapMode

• 0x41b07c - SetViewportOrgEx

• 0x41b080 - OffsetViewportOrgEx

• 0x41b084 - SetViewportExtEx

• 0x41b088 - ScaleViewportExtEx

• 0x41b08c - SetWindowOrgEx

• 0x41b090 - SetWindowExtEx

• 0x41b094 - ScaleWindowExtEx

• 0x41b098 - SelectClipRgn

• 0x41b09c - GetBkColor

• 0x41b0a0 - IntersectClipRect

• 0x41b0a4 - MoveToEx

• 0x41b0a8 - LineTo

• 0x41b0ac - DeleteObject

• 0x41b0b0 - GetDeviceCaps

• 0x41b0b4 - CreateBitmap

• 0x41b0b8 - PatBlt

• 0x41b0bc - SetBrushOrgEx

• 0x41b0c0 - GetTextColor

• 0x41b0c4 - GetBkMode

• 0x41b0c8 - CreateFontA

• 0x41b0cc - CreateSolidBrush

• 0x41b0d0 - CreatePen

• 0x41b0d4 - CreateRectRgn

• 0x41b0d8 - CreateRoundRectRgn

• 0x41b0dc - OffsetRgn

• 0x41b0e0 - CreateDIBitmap

• 0x41b0e4 - GetTextExtentPointA

• 0x41b0e8 - CombineRgn

库 WINSPOOL.DRV:

• 0x41b448 - DocumentPropertiesA

• 0x41b44c - ClosePrinter

• 0x41b450 - OpenPrinterA

库 ADVAPI32.dll:

• 0x41b000 - RegSetValueExA

• 0x41b004 - RegQueryValueExA

• 0x41b008 - RegOpenKeyExA

• 0x41b00c - RegCreateKeyExA

• 0x41b010 - RegCloseKey

库 COMCTL32.dll:

• 0x41b018 - None

投放文件

svchost.exe

文件名	svchost.exe
相关文件	C:\Windows\svchost.exe
文件大小	360448 bytes
文件类型	PE32 executable (GUI) Intel 80386, for MS Windows
MD5	b414f495e3925c20866202ca2a3c3ed1
SHA1	9f86df9bcf4677f7bf67795176d0af0b845c16f4
SHA256	ad0f42157ad5933a3024c5e03b02ce59f03b1d5020f9625f7c873b29462a2b43
SHA512	240e5a238d3033ea58a1c8ce47951a0f049899eec0ea5435107d5e52f62e4126b6e9f4e3d97a735c5ef4a0aca3bd787a39c5347619c282bd2152d840c40a6311
Ssdeep	6144:HsRuN0f+Fxx9wz45sO+sIk4W0FB/oZWfmB/oZWfM6Vh+b:L0f+Fxx9wa7MBwgmBwgLVh+b
VirusTotal	搜索相关分析

行为分析

互斥量(Mutexes)

DBWinMutex
cx820329965.f3322.net:7777:Cdefgh

执行的命令

C:\Windows\svchost.exe
C:\Windows\svchost.exe Win7

创建的服务

Cdefgh

启动的服务

Cdefgh

进程

Server.exe PID: 1904, 上一级进程 PID: 1608

services.exe PID: 424, 上一级进程 PID: 332

svchost.exe PID: 1312, 上一级进程 PID: 424

svchost.exe PID: 2164, 上一级进程 PID: 1312

访问的文件

C:\Users\test\AppData\Local\Temp\Server.exe
C:\Windows\svchost.exe
C:\Windows\System32\31260170.bak
C:\Windows\Temp

读取的文件

C:\Users\test\AppData\Local\Temp\Server.exe
C:\Windows\System32\31260170.bak

修改的文件

C:\Windows\svchost.exe
C:\Windows\System32\31260170.bak

删除的文件 无信息

注册表键

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Cdefgh
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\Cdefgh\Description
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\Cdefgh\Group
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\Cdefgh\InstallTime
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\GRE_Initialize
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\GRE_Initialize\DisableMetaFiles
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\Cdefgh
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\Cdefgh\ObjectName
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\Cdefgh\ImagePath
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\Cdefgh\WOW64
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\ProfileList
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList\ProgramData
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList\Public
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Session Manager\Environment
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList\Default
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ProgramFilesDir
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\CommonFilesDir
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ProgramFilesDir (x86)
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\CommonFilesDir (x86)
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ProgramW6432Dir
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\CommonW6432Dir
HKEY_USERS\S-1-5-18
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\ProfileList\S-1-5-18
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList\S-1-5-18\ProfileImagePath
HKEY_USERS\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders
HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders\AppData
HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders\Local AppData
HKEY_USERS\.DEFAULT\Environment
HKEY_USERS\.DEFAULT\Volatile Environment
HKEY_USERS\.DEFAULT\Volatile Environment\0
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\Cdefgh\Environment
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ProgramFilesDir
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\CommonFilesDir
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ProgramFilesDir (x86)
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\CommonFilesDir (x86)
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ProgramW6432Dir
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\CommonW6432Dir
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\Cdefgh\MarkTime

读取的注册表键

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\GRE_Initialize\DisableMetaFiles
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\Cdefgh\ObjectName
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\Cdefgh\ImagePath
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\Cdefgh\WOW64
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList\ProgramData
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList\Public
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList\Default
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ProgramFilesDir
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\CommonFilesDir
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ProgramFilesDir (x86)
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\CommonFilesDir (x86)
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ProgramW6432Dir
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\CommonW6432Dir
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList\S-1-5-18\ProfileImagePath
HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders\AppData
HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders\Local AppData
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\Cdefgh\Environment
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ProgramFilesDir
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\CommonFilesDir
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ProgramFilesDir (x86)
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\CommonFilesDir (x86)
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ProgramW6432Dir
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\CommonW6432Dir

修改的注册表键

HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\Cdefgh\Description
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\Cdefgh\Group
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\Cdefgh\InstallTime
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\Cdefgh\MarkTime

删除的注册表键 无信息

API解析

kernel32.dll.IsProcessorFeaturePresent
kernel32.dll.GetLastError
kernel32.dll.GlobalMemoryStatusEx
kernel32.dll.HeapAlloc
kernel32.dll.GetProcessHeap
kernel32.dll.VirtualProtect
kernel32.dll.HeapFree
kernel32.dll.SetEvent
kernel32.dll.CopyFileA
kernel32.dll.CreateEventA
kernel32.dll.lstrcmpiA
kernel32.dll.Process32Next
kernel32.dll.Process32First
kernel32.dll.CreateToolhelp32Snapshot
kernel32.dll.GetFileAttributesA
kernel32.dll.OutputDebugStringA
kernel32.dll.GetModuleHandleA
kernel32.dll.CreateProcessA
kernel32.dll.GetVersionExA
kernel32.dll.GetModuleFileNameA
kernel32.dll.LoadLibraryA
kernel32.dll.GetProcAddress
kernel32.dll.GetCurrentProcess
kernel32.dll.CloseHandle
kernel32.dll.FreeLibrary
kernel32.dll.GetLocalTime
kernel32.dll.lstrlenA
kernel32.dll.CreateFileA
kernel32.dll.WriteFile
kernel32.dll.lstrcatA
kernel32.dll.GetTickCount
kernel32.dll.LocalAlloc
kernel32.dll.VirtualFree
kernel32.dll.LocalSize
kernel32.dll.LocalFree
kernel32.dll.lstrcpyA
kernel32.dll.Sleep
kernel32.dll.InterlockedExchange
kernel32.dll.VirtualAlloc
kernel32.dll.WaitForSingleObject
user32.dll.wsprintfA
user32.dll.GetClassNameA
user32.dll.GetWindow
user32.dll.GetWindowTextA
user32.dll.GetLastInputInfo
user32.dll.FindWindowA
advapi32.dll.SetServiceStatus
advapi32.dll.RegSetValueExA
advapi32.dll.StartServiceCtrlDispatcherA
advapi32.dll.RegOpenKeyExA
advapi32.dll.RegQueryValueA
advapi32.dll.RegCloseKey
advapi32.dll.RegisterServiceCtrlHandlerA
advapi32.dll.OpenProcessToken
advapi32.dll.DuplicateTokenEx
advapi32.dll.SetTokenInformation
advapi32.dll.CreateProcessAsUserA
advapi32.dll.OpenSCManagerA
advapi32.dll.OpenServiceA
advapi32.dll.DeleteService
advapi32.dll.OpenEventLogA
advapi32.dll.ClearEventLogA
advapi32.dll.CloseEventLog
advapi32.dll.RegOpenKeyA
advapi32.dll.StartServiceA
advapi32.dll.UnlockServiceDatabase
advapi32.dll.ChangeServiceConfig2A
advapi32.dll.LockServiceDatabase
advapi32.dll.CreateServiceA
advapi32.dll.CloseServiceHandle
msvcrt.dll.malloc
msvcrt.dll._stricmp
msvcrt.dll._strupr
msvcrt.dll._adjust_fdiv
msvcrt.dll._initterm
msvcrt.dll._onexit
msvcrt.dll.??3@YAXPAX@Z
msvcrt.dll.memcpy
msvcrt.dll.ceil
msvcrt.dll._ftol
msvcrt.dll.__CxxFrameHandler
msvcrt.dll._CxxThrowException
msvcrt.dll.memset
msvcrt.dll.??2@YAPAXI@Z
msvcrt.dll.memcmp
msvcrt.dll.exit
msvcrt.dll.strstr
msvcrt.dll.strcpy
msvcrt.dll.strncpy
msvcrt.dll.strlen
msvcrt.dll.strrchr
msvcrt.dll.atoi
msvcrt.dll.strcspn
msvcrt.dll.rand
msvcrt.dll._strcmpi
msvcrt.dll.strcat
msvcrt.dll._except_handler3
msvcrt.dll.memmove
msvcrt.dll.strcmp
msvcrt.dll.realloc
msvcrt.dll.free
msvcrt.dll._beginthreadex
msvcrt.dll.strchr
msvcrt.dll.??1type_info@@UAE@XZ
msvcrt.dll.__dllonexit
urlmon.dll.URLDownloadToFileA
wininet.dll.InternetGetConnectedState
kernel32.dll.CreateMutexA
kernel32.dll.ReleaseMutex
kernel32.dll.ResetEvent
kernel32.dll.CancelIo
kernel32.dll.TerminateThread
kernel32.dll.GetExitCodeProcess
kernel32.dll.ExpandEnvironmentStringsA
kernel32.dll.GetSystemInfo
kernel32.dll.GetSystemDirectoryA
kernel32.dll.MoveFileA
kernel32.dll.MoveFileExA
kernel32.dll.WTSGetActiveConsoleSessionId
user32.dll.ExitWindowsEx
user32.dll.MessageBoxA
user32.dll.IsWindowVisible
user32.dll.SendMessageA
user32.dll.EnumWindows
ws2_32.dll.WSAStartup
ws2_32.dll.WSACleanup
ws2_32.dll.socket
ws2_32.dll.gethostbyname
ws2_32.dll.htons
ws2_32.dll.connect
ws2_32.dll.send
ws2_32.dll.recv
ws2_32.dll.closesocket
ws2_32.dll.setsockopt
ws2_32.dll.WSAIoctl
ws2_32.dll.select
ws2_32.dll.getsockname
ws2_32.dll.gethostname
advapi32.dll.QueryServiceStatus
advapi32.dll.ControlService
advapi32.dll.RegCreateKeyExA
advapi32.dll.RegDeleteKeyA
advapi32.dll.RegDeleteValueA
user32.dll.OpenInputDesktop
user32.dll.OpenDesktopA
user32.dll.CloseDesktop
user32.dll.GetThreadDesktop
user32.dll.GetUserObjectInformationA
user32.dll.SetThreadDesktop
kernel32.dll.GetCurrentThreadId
userenv.dll.CreateEnvironmentBlock
sechost.dll.ConvertSidToStringSidW
sspicli.dll.GetUserNameExW