Maldun Security Analysis Report

Analysis type: FILE
Start time: 2019-01-21 21:42:24
End time: 2019-01-21 21:45:16
Duration: 172 seconds
Analysis engine version: 1.4-Maldun

VM name: win7-sp1-x64-hpdapp01-1
Label: win7-sp1-x64-hpdapp01-1
VM manager: KVM
Boot time: 2019-01-21 21:42:29
Shutdown time: 2019-01-21 21:45:18
Maldun score

5.6

Suspicious

File details

File name 整合包生成器.exe
File size 712704 bytes
File type PE32 executable (GUI) Intel 80386, for MS Windows
CRC32 17CBACA0
MD5 572dd9a348c4bd4a5f7f889d001ec4bc
SHA1 142b9e40eadf21d30e029297a35f6f32a2d6f134
SHA256 3adf86590dfd2cce27906dd7001f63fcdd4cad42c71fc8870b6d1c0b0aa47a20
SHA512 432f7ac07cf1ccd36ede9fba3ac87c3b6535a95954728adc0cda0c110bf1a66c6489d2f8b4be8a854f0af18d459ead2b260c0dbc25e85252f4c0abc73c3fcef2
Ssdeep 12288:pz9WeBneuUGNG/MC86kdOlEQbKKeqbJBLBkAZSz68:pzYYnRUIGC6sQEQbNbPZSzn
PEiD No match
Yara
  • IsPE32 (Detected 32bit PE signature)
  • IsWindowsGUI ()
  • HasRichSignature (Detected Rich Signature)
  • DebuggerTiming__Ticks ()
  • create_process (Create a new process)
  • screenshot (Detected take screenshot function)
  • keylogger (Run a keylogger)
  • win_registry (Affect system registries)
  • change_win_registry (Change registries to affect system)
  • win_private_profile (Affect private profile)
  • win_files_operation (Affect private profile)
  • win_hook (Affect hook table)
  • Maldun_Anomoly_Combined_Activities_7 (Detects malicious behaviors from a small size app)
  • without_attachments (Detected no presence of any attachment)
  • with_images (Detected the presence of one or several images)
  • without_urls (Detected no presence of any url)
  • Big_Numbers1 (Looks for big numbers 32:sized)
  • CRC32_poly_Constant (Look for CRC32 [poly])
  • CRC32_table (Look for CRC32 table)
  • MD5_Constants (Look for MD5 constants)
  • DES_sbox (Look for DES [sbox])
  • Maldun_Abnormal_Hash_alg (Detects program has the encryption or decryption logic)
VirusTotal No scan result for this file

Signatures

Possibly installed a kernel-hijacking (bootkit) component through raw disk modification
Attempted to reboot the virtual execution environment
Maldun Security Yara rule detection results - Critical
Informational: Detected Rich Signature
Informational: Create a new process
Warning: Detected take screenshot function
Warning: Run a keylogger
Warning: Affect system registries
Warning: Affect private profile
Warning: Affect hook table
Critical: Detects malicious behaviors from a small size app
Informational: Detected no presence of any attachment
Informational: Detected the presence of one or several images
Informational: Detected no presence of any url
Informational: Looks for big numbers 32:sized
Informational: Look for CRC32 [poly]
Warning: Look for CRC32 table
Informational: Look for MD5 constants
Informational: Look for DES [sbox]
Warning: Detects program has the encryption or decryption logic

Runtime screenshots

Network analysis

No information

Static analysis

PE information

Image base 0x00400000
Entry point 0x0045f797
Declared checksum 0x00000000
Actual checksum 0x000bc1a2
Minimum OS version required 4.0
Compile time 2016-04-26 16:41:40
Import hash 6a7aa5c5a98b59b5e39e75c0c4a18c15

Version information

LegalCopyright: www.xiaodao.la
FileVersion: 1.0.0.0
CompanyName: QQ：253957
Comments: www.xiaodao.la
ProductName: www.xiaodao.la
ProductVersion: 1.0.0.0
FileDescription: www.xiaodao.la
Translation: 0x0804 0x04b0

PE sections

Name  Virtual address  Virtual size  Raw data size  Characteristics  Entropy
.text 0x00001000 0x0007d30a 0x0007e000 IMAGE_SCN_CNT_CODE|IMAGE_SCN_MEM_EXECUTE|IMAGE_SCN_MEM_READ 6.58
.rdata 0x0007f000 0x000141d6 0x00015000 IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_READ 4.50
.data 0x00094000 0x000268e8 0x00014000 IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_READ|IMAGE_SCN_MEM_WRITE 4.89
.rsrc 0x000bb000 0x00005778 0x00006000 IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_READ 4.76

Imports

Library KERNEL32.dll:
0x47f170 - SetEndOfFile
0x47f174 - UnlockFile
0x47f178 - LockFile
0x47f17c - FlushFileBuffers
0x47f180 - SetFilePointer
0x47f184 - GetCurrentProcess
0x47f188 - DuplicateHandle
0x47f18c - lstrcpynA
0x47f190 - SetLastError
0x47f194 - FileTimeToLocalFileTime
0x47f198 - FileTimeToSystemTime
0x47f19c - LocalFree
0x47f1a0 - MultiByteToWideChar
0x47f1a4 - WideCharToMultiByte
0x47f1a8 - InterlockedDecrement
0x47f1ac - CreateSemaphoreA
0x47f1b0 - ResumeThread
0x47f1b4 - ReleaseSemaphore
0x47f1b8 - SetStdHandle
0x47f1bc - IsBadCodePtr
0x47f1c0 - IsBadReadPtr
0x47f1c4 - CompareStringW
0x47f1c8 - CompareStringA
0x47f1cc - SetUnhandledExceptionFilter
0x47f1d0 - GetStringTypeW
0x47f1d4 - GetStringTypeA
0x47f1d8 - IsBadWritePtr
0x47f1dc - VirtualAlloc
0x47f1e0 - LCMapStringW
0x47f1e4 - LCMapStringA
0x47f1e8 - SetEnvironmentVariableA
0x47f1ec - VirtualFree
0x47f1f0 - HeapCreate
0x47f1f4 - HeapDestroy
0x47f1f8 - GetEnvironmentVariableA
0x47f1fc - GetFileType
0x47f200 - GetStdHandle
0x47f204 - SetHandleCount
0x47f208 - GetEnvironmentStringsW
0x47f20c - GetEnvironmentStrings
0x47f210 - FreeEnvironmentStringsW
0x47f214 - FreeEnvironmentStringsA
0x47f218 - UnhandledExceptionFilter
0x47f21c - GetACP
0x47f220 - HeapSize
0x47f224 - EnterCriticalSection
0x47f228 - LeaveCriticalSection
0x47f22c - GetProfileStringA
0x47f230 - WriteFile
0x47f234 - ReadFile
0x47f238 - GetLastError
0x47f23c - WaitForMultipleObjects
0x47f240 - CreateFileA
0x47f244 - SetEvent
0x47f248 - FindResourceA
0x47f24c - LoadResource
0x47f250 - LockResource
0x47f254 - GetModuleFileNameA
0x47f258 - GetCurrentThreadId
0x47f25c - ExitProcess
0x47f260 - GlobalSize
0x47f264 - GlobalFree
0x47f268 - DeleteCriticalSection
0x47f26c - InitializeCriticalSection
0x47f270 - lstrcatA
0x47f274 - lstrlenA
0x47f278 - WinExec
0x47f27c - lstrcpyA
0x47f280 - FindNextFileA
0x47f284 - GlobalReAlloc
0x47f288 - HeapFree
0x47f28c - HeapReAlloc
0x47f290 - GetProcessHeap
0x47f294 - HeapAlloc
0x47f298 - GetFullPathNameA
0x47f29c - FreeLibrary
0x47f2a0 - LoadLibraryA
0x47f2a4 - GetVersionExA
0x47f2a8 - WritePrivateProfileStringA
0x47f2ac - CreateThread
0x47f2b0 - CreateEventA
0x47f2b4 - Sleep
0x47f2b8 - GlobalAlloc
0x47f2bc - GlobalLock
0x47f2c0 - GlobalUnlock
0x47f2c4 - FindFirstFileA
0x47f2c8 - FindClose
0x47f2cc - GetFileAttributesA
0x47f2d0 - TerminateProcess
0x47f2d4 - GetLocalTime
0x47f2d8 - GetSystemTime
0x47f2dc - GetTimeZoneInformation
0x47f2e0 - RaiseException
0x47f2e4 - RtlUnwind
0x47f2e8 - GetStartupInfoA
0x47f2ec - GetOEMCP
0x47f2f0 - GetCPInfo
0x47f2f4 - GetProcessVersion
0x47f2f8 - SetErrorMode
0x47f2fc - GlobalFlags
0x47f300 - GetCurrentThread
0x47f304 - GetFileTime
0x47f308 - GetFileSize
0x47f30c - TlsGetValue
0x47f310 - LocalReAlloc
0x47f314 - TlsSetValue
0x47f318 - TlsFree
0x47f31c - GlobalHandle
0x47f320 - TlsAlloc
0x47f324 - LocalAlloc
0x47f328 - SetCurrentDirectoryA
0x47f32c - GetVolumeInformationA
0x47f330 - GetModuleHandleA
0x47f334 - GetProcAddress
0x47f338 - lstrcmpA
0x47f33c - GetVersion
0x47f340 - GlobalGetAtomNameA
0x47f344 - GlobalAddAtomA
0x47f348 - GlobalFindAtomA
0x47f34c - GlobalDeleteAtom
0x47f350 - lstrcmpiA
0x47f354 - MulDiv
0x47f358 - GetCommandLineA
0x47f35c - GetTickCount
0x47f360 - WaitForSingleObject
0x47f364 - CloseHandle
0x47f368 - InterlockedIncrement
Library USER32.dll:
0x47f38c - OpenClipboard
0x47f390 - SetClipboardData
0x47f394 - EmptyClipboard
0x47f398 - GetSystemMetrics
0x47f39c - GetCursorPos
0x47f3a0 - MessageBoxA
0x47f3a4 - SetWindowPos
0x47f3a8 - SendMessageA
0x47f3ac - DestroyCursor
0x47f3b0 - SetParent
0x47f3b4 - GetClipboardData
0x47f3b8 - PostMessageA
0x47f3bc - GetTopWindow
0x47f3c0 - GetParent
0x47f3c4 - GetFocus
0x47f3c8 - GetClientRect
0x47f3cc - InvalidateRect
0x47f3d0 - ValidateRect
0x47f3d4 - UpdateWindow
0x47f3d8 - CloseClipboard
0x47f3dc - wsprintfA
0x47f3e0 - EqualRect
0x47f3e4 - GetWindowRect
0x47f3e8 - SetForegroundWindow
0x47f3ec - IsWindow
0x47f3f0 - DestroyMenu
0x47f3f4 - IsChild
0x47f3f8 - ReleaseDC
0x47f3fc - IsRectEmpty
0x47f400 - FillRect
0x47f404 - GetDC
0x47f408 - SetCursor
0x47f40c - LoadCursorA
0x47f410 - SetCursorPos
0x47f414 - SetActiveWindow
0x47f418 - GetSysColor
0x47f41c - SetWindowLongA
0x47f420 - GetWindowLongA
0x47f424 - RedrawWindow
0x47f428 - EnableWindow
0x47f42c - IsWindowVisible
0x47f430 - OffsetRect
0x47f434 - PtInRect
0x47f438 - DestroyIcon
0x47f43c - IntersectRect
0x47f440 - InflateRect
0x47f444 - SetRect
0x47f448 - SetScrollPos
0x47f44c - SetScrollRange
0x47f450 - GetScrollRange
0x47f454 - SetCapture
0x47f458 - GetCapture
0x47f45c - ReleaseCapture
0x47f460 - LoadIconA
0x47f464 - TranslateMessage
0x47f468 - DrawFrameControl
0x47f46c - DrawEdge
0x47f470 - DrawFocusRect
0x47f474 - WindowFromPoint
0x47f478 - GetMessageA
0x47f47c - DispatchMessageA
0x47f480 - SetRectEmpty
0x47f484 - RegisterClipboardFormatA
0x47f488 - CreateIconFromResourceEx
0x47f48c - CreateIconFromResource
0x47f490 - DrawIconEx
0x47f494 - CreatePopupMenu
0x47f498 - AppendMenuA
0x47f49c - ModifyMenuA
0x47f4a0 - CreateMenu
0x47f4a4 - CreateAcceleratorTableA
0x47f4a8 - GetDlgCtrlID
0x47f4ac - GetSubMenu
0x47f4b0 - EnableMenuItem
0x47f4b4 - ClientToScreen
0x47f4b8 - EnumDisplaySettingsA
0x47f4bc - LoadImageA
0x47f4c0 - SystemParametersInfoA
0x47f4c4 - ShowWindow
0x47f4c8 - IsWindowEnabled
0x47f4cc - TranslateAcceleratorA
0x47f4d0 - GetKeyState
0x47f4d4 - CopyAcceleratorTableA
0x47f4d8 - PostQuitMessage
0x47f4dc - IsZoomed
0x47f4e0 - GetClassInfoA
0x47f4e4 - GetWindowTextA
0x47f4e8 - GetWindowTextLengthA
0x47f4ec - CharUpperA
0x47f4f0 - GetWindowDC
0x47f4f4 - BeginPaint
0x47f4f8 - EndPaint
0x47f4fc - TabbedTextOutA
0x47f500 - DrawTextA
0x47f504 - GrayStringA
0x47f508 - GetDlgItem
0x47f50c - DestroyWindow
0x47f510 - CreateDialogIndirectParamA
0x47f514 - EndDialog
0x47f518 - GetNextDlgTabItem
0x47f51c - GetWindowPlacement
0x47f520 - RegisterWindowMessageA
0x47f524 - GetForegroundWindow
0x47f528 - GetLastActivePopup
0x47f52c - GetMessageTime
0x47f530 - RemovePropA
0x47f534 - CallWindowProcA
0x47f538 - GetPropA
0x47f53c - UnhookWindowsHookEx
0x47f540 - SetPropA
0x47f544 - GetClassLongA
0x47f548 - CallNextHookEx
0x47f54c - SetWindowsHookExA
0x47f550 - CreateWindowExA
0x47f554 - GetMenuItemID
0x47f558 - GetMenuItemCount
0x47f55c - RegisterClassA
0x47f560 - GetScrollPos
0x47f564 - UnregisterClassA
0x47f568 - AdjustWindowRectEx
0x47f56c - MapWindowPoints
0x47f570 - SendDlgItemMessageA
0x47f574 - ScrollWindowEx
0x47f578 - IsDialogMessageA
0x47f57c - SetWindowTextA
0x47f580 - MoveWindow
0x47f584 - CheckMenuItem
0x47f588 - SetMenuItemBitmaps
0x47f58c - GetMenuState
0x47f590 - GetMenuCheckMarkDimensions
0x47f594 - GetClassNameA
0x47f598 - GetDesktopWindow
0x47f59c - LoadStringA
0x47f5a0 - GetSysColorBrush
0x47f5a4 - DefWindowProcA
0x47f5a8 - GetSystemMenu
0x47f5ac - DeleteMenu
0x47f5b0 - GetMenu
0x47f5b4 - SetMenu
0x47f5b8 - PeekMessageA
0x47f5bc - IsIconic
0x47f5c0 - SetFocus
0x47f5c4 - GetActiveWindow
0x47f5c8 - GetWindow
0x47f5cc - DestroyAcceleratorTable
0x47f5d0 - SetWindowRgn
0x47f5d4 - GetMessagePos
0x47f5d8 - ScreenToClient
0x47f5dc - ChildWindowFromPointEx
0x47f5e0 - CopyRect
0x47f5e4 - LoadBitmapA
0x47f5e8 - WinHelpA
0x47f5ec - KillTimer
0x47f5f0 - SetTimer
Library GDI32.dll:
0x47f024 - GetClipRgn
0x47f028 - CreatePolygonRgn
0x47f02c - SelectClipRgn
0x47f030 - DeleteObject
0x47f034 - CreateDIBitmap
0x47f038 - GetSystemPaletteEntries
0x47f03c - CreatePalette
0x47f040 - StretchBlt
0x47f044 - SelectPalette
0x47f048 - RealizePalette
0x47f04c - GetDIBits
0x47f050 - GetWindowExtEx
0x47f054 - GetViewportOrgEx
0x47f058 - GetWindowOrgEx
0x47f05c - BeginPath
0x47f060 - EndPath
0x47f064 - PathToRegion
0x47f068 - CreateEllipticRgn
0x47f06c - CreateRoundRectRgn
0x47f070 - GetTextColor
0x47f074 - GetBkMode
0x47f078 - GetBkColor
0x47f07c - GetROP2
0x47f080 - GetStretchBltMode
0x47f084 - GetPolyFillMode
0x47f088 - CreateCompatibleBitmap
0x47f08c - CreateDCA
0x47f090 - CreateBitmap
0x47f094 - SelectObject
0x47f098 - GetObjectA
0x47f09c - CreatePen
0x47f0a0 - PatBlt
0x47f0a4 - CombineRgn
0x47f0a8 - SetStretchBltMode
0x47f0ac - FillRgn
0x47f0b0 - CreateSolidBrush
0x47f0b4 - GetStockObject
0x47f0b8 - CreateFontIndirectA
0x47f0bc - EndPage
0x47f0c0 - EndDoc
0x47f0c4 - DeleteDC
0x47f0c8 - StartDocA
0x47f0cc - StartPage
0x47f0d0 - BitBlt
0x47f0d4 - CreateCompatibleDC
0x47f0d8 - Ellipse
0x47f0dc - Rectangle
0x47f0e0 - LPtoDP
0x47f0e4 - DPtoLP
0x47f0e8 - GetCurrentObject
0x47f0ec - RoundRect
0x47f0f0 - GetTextExtentPoint32A
0x47f0f4 - GetDeviceCaps
0x47f0f8 - SaveDC
0x47f0fc - RestoreDC
0x47f100 - SetBkMode
0x47f104 - SetPolyFillMode
0x47f108 - SetROP2
0x47f10c - SetTextColor
0x47f110 - SetMapMode
0x47f114 - SetViewportOrgEx
0x47f118 - OffsetViewportOrgEx
0x47f11c - SetViewportExtEx
0x47f120 - ScaleViewportExtEx
0x47f124 - SetWindowOrgEx
0x47f128 - SetWindowExtEx
0x47f12c - ScaleWindowExtEx
0x47f130 - GetClipBox
0x47f134 - ExcludeClipRect
0x47f138 - MoveToEx
0x47f13c - LineTo
0x47f140 - CreateRectRgnIndirect
0x47f144 - SetBkColor
0x47f148 - CreateRectRgn
0x47f14c - GetTextMetricsA
0x47f150 - Escape
0x47f154 - ExtTextOutA
0x47f158 - TextOutA
0x47f15c - RectVisible
0x47f160 - PtVisible
0x47f164 - GetViewportExtEx
0x47f168 - ExtSelectClipRgn
Library WINMM.dll:
0x47f5f8 - midiStreamRestart
0x47f5fc - midiStreamClose
0x47f600 - midiOutReset
0x47f604 - midiStreamStop
0x47f608 - midiStreamOut
0x47f60c - midiOutPrepareHeader
0x47f610 - midiStreamProperty
0x47f614 - midiStreamOpen
0x47f618 - midiOutUnprepareHeader
0x47f61c - waveOutOpen
0x47f620 - waveOutGetNumDevs
0x47f624 - waveOutClose
0x47f628 - waveOutReset
0x47f62c - waveOutPause
0x47f630 - waveOutWrite
0x47f634 - waveOutPrepareHeader
0x47f638 - waveOutUnprepareHeader
Library WINSPOOL.DRV:
0x47f640 - ClosePrinter
0x47f644 - DocumentPropertiesA
0x47f648 - OpenPrinterA
Library ADVAPI32.dll:
0x47f000 - RegCloseKey
0x47f004 - RegOpenKeyExA
0x47f008 - RegSetValueExA
0x47f00c - RegQueryValueA
0x47f010 - RegCreateKeyExA
Library SHELL32.dll:
0x47f380 - ShellExecuteA
0x47f384 - Shell_NotifyIconA
Library ole32.dll:
0x47f68c - OleUninitialize
0x47f690 - CLSIDFromString
0x47f694 - OleInitialize
Library OLEAUT32.dll:
0x47f370 - UnRegisterTypeLib
0x47f374 - RegisterTypeLib
0x47f378 - LoadTypeLib
Library COMCTL32.dll:
0x47f018 - ImageList_Destroy
0x47f01c - None
Library WS2_32.dll:
0x47f650 - ioctlsocket
0x47f654 - recv
0x47f658 - getpeername
0x47f65c - accept
0x47f660 - recvfrom
0x47f664 - WSAAsyncSelect
0x47f668 - closesocket
0x47f66c - WSACleanup
0x47f670 - inet_ntoa
Library comdlg32.dll:
0x47f678 - GetFileTitleA
0x47f67c - GetSaveFileNameA
0x47f680 - GetOpenFileNameA
0x47f684 - ChooseColorA

Dropped files

No information

Behavioral analysis

Mutexes: No information
Executed commands: No information
Created services: No information
Started services: No information

Processes

__________________.exe PID: 2424, parent process PID: 2296

Accessed files
  • C:\Windows\Globalization\Sorting\sortdefault.nls
  • C:\Users\test\AppData\Local\Temp\kernel32.dll
  • C:\Users\test\AppData\Local\Temp\kernel32.DLL
  • \??\physicaldrive0
  • C:\Users\test\AppData\Local\Temp\ntdll.dll
Read files
  • C:\Windows\Globalization\Sorting\sortdefault.nls
  • \??\physicaldrive0
Modified files
  • \??\physicaldrive0
Deleted files: No information
Registry keys: No information
Registry keys read: No information
Registry keys modified: No information
Registry keys deleted: No information
Resolved APIs
  • kernel32.dll.IsProcessorFeaturePresent
  • cryptbase.dll.SystemFunction036
  • kernel32.dll.SortGetHandle
  • kernel32.dll.SortCloseHandle
  • kernel32.dll.LocalAlloc
  • kernel32.dll.LocalFree
  • kernel32.dll.CreateFileA
  • kernel32.dll.SetFilePointer
  • kernel32.dll.ReadFile
  • kernel32.dll.CloseHandle
  • kernel32.dll.WriteFile
  • ntdll.dll.RtlAdjustPrivilege
  • ntdll.dll.RtlInitUnicodeString
  • kernel32.dll.lstrcpyn
  • ntdll.dll.NtRaiseHardError