Maldun Security Analysis Report

Analysis type: FILE
Start time: 2019-01-22 03:08:38
End time: 2019-01-22 03:11:41
Duration: 183 seconds
Analysis engine version: 1.4-Maldun

VM name: win7-sp1-x64-hpdapp01-1
Label: win7-sp1-x64-hpdapp01-1
Hypervisor: KVM
Boot time: 2019-01-22 03:08:42
Shutdown time: 2019-01-22 03:11:43

Maldun score: 10.0

Servstart

File details

File name: Cache.dat
File size: 25600 bytes
File type: PE32 executable (GUI) Intel 80386, for MS Windows
CRC32: 08D56460
MD5: 201b0dcb7234bcde0a0d71eeb99ced6b
SHA1: 2853c2b1171f9990800891580802c6d562f826c7
SHA256: ca1a82ee601bd2def5d4fd6b2e84df4289691a34a23496a23bb8d51465828065
SHA512: d0ad460835ef2e4aa671e4cbaa7f0af4dc3f76938ed20ac6f2e307201b814a318f7d40cf552456f5233c8264734be703c6f2b130b95565601ab4c9d3d87a390a
Ssdeep: 384:G4vo0B5ugihbUgVmDh4bGBoRlFvWcpmdCUwQZdJNqnWi7UB8c1oOOuK+wy+y:+02UgIeKBSU/Xis8cQy+y
PEiD: No match
Yara:
  • IsPE32 (Detected 32bit PE signature)
  • IsWindowsGUI ()
  • HasRichSignature (Detected Rich Signature)
  • DebuggerTiming__Ticks ()
  • create_process (Create a new process)
  • network_dropper (File downloader/dropper)
  • win_mutex (Create or check mutex)
  • win_registry (Affect system registries)
  • change_win_registry (Change registries to affect system)
  • Maldun_Anomoly_Combined_Activities_3 (Detects system change with a file drop)
  • Maldun_Anomoly_Combined_Activities_7 (Detects malicious behaviors from a small size app)
  • without_attachments (Detected no presence of any attachment)
  • without_images (Detected no presence of any image)
  • without_urls (Detected no presence of any url)
VirusTotal scan time: 2016-07-05 23:11:11
Scan result: 42/54

Signatures

Maldun wping.org domain reputation system
Greylist: soojoy.f3322.net
Forces a newly created process to be loaded as a child of another, unrelated process
Deletes its original binary from disk
Installs itself as a Windows startup (autorun) item
service name: 111
service path: C:\Windows\system32\amqwwq.exe
Attempts to delay the analysis task for a long time via a process
Process: amqwwq.exe tried to sleep 677 seconds, actually delayed analysis time by 0 seconds
Maldun Yara rule detection results - Critical
Informational: Detected Rich Signature
Informational: Create a new process
Warning: File downloader/dropper
Warning: Affect system registries
Critical: Detects system change with a file drop
Critical: Detects malicious behaviors from a small size app
Informational: Detected no presence of any attachment
Informational: Detected no presence of any image
Informational: Detected no presence of any url
File detected as malicious by at least one antivirus engine on VirusTotal
MicroWorld-eScan: Generic.ServStart.814746FC
nProtect: Generic.ServStart.814746FC
McAfee: Trojan-FGAW!201B0DCB7234
Malwarebytes: Trojan.Agent.FVA
VIPRE: Trojan.Win32.Nitol.b (v)
K7AntiVirus: Trojan ( 0048f1971 )
BitDefender: Generic.ServStart.814746FC
K7GW: Trojan ( 0048f1971 )
Baidu: Win32.Trojan.ServStart.j
F-Prot: W32/QQhelper.C.gen!Eldorado
Symantec: Backdoor.Trojan
ESET-NOD32: a variant of Win32/ServStart.DT
TrendMicro-HouseCall: WORM_NITOL.SMB0
Avast: Win32:Nitol-B [Trj]
Kaspersky: HEUR:Trojan.Win32.Generic
NANO-Antivirus: Trojan.Win32.DownLoader15.dvjcqs
ViRobot: Trojan.Win32.Z.Servstart.25600.C[h]
AegisLab: Troj.W32.Generic!c
Ad-Aware: Generic.ServStart.814746FC
Sophos: Mal/Behav-116
F-Secure: Generic.ServStart.814746FC
DrWeb: Trojan.DownLoader15.47152
Zillya: Trojan.ServStart.Win32.5894
TrendMicro: WORM_NITOL.SMB0
McAfee-GW-Edition: BehavesLike.Win32.Backdoor.mm
Emsisoft: Generic.ServStart.814746FC (B)
Cyren: W32/QQhelper.C.gen!Eldorado
Jiangmin: Trojan.Generic.abxpt
Avira: WORM/Rbot.Gen
Microsoft: TrojanDownloader:Win32/Yemrok.A
Arcabit: Generic.ServStart.DC6E9AFC
AhnLab-V3: Trojan/Win32.Agent.N1663380932
GData: Generic.ServStart.814746FC
ALYac: Generic.ServStart.814746FC
AVware: Trojan.Win32.Nitol.b (v)
VBA32: BScope.Trojan.Win32.Inject.2
Tencent: Win32.Worm.Rbot.Hmhn
Ikarus: Trojan.Win32.ServStart
Fortinet: W32/Agent.QUB!tr
AVG: Win32/DH{ZzYD?}
Panda: Trj/CI.A
Qihoo-360: HEUR/QVM07.1.Malware.Gen

Network analysis

Hosts contacted

IP address: 173.254.202.168 (direct access), country: United States

DNS resolution

Domain: soojoy.f3322.net, response: A 173.254.202.168

UDP connections

IP address: 192.168.122.1, port: 53

Static analysis

PE information

Image base: 0x00400000
Entry point: 0x00404f9f
Declared checksum: 0x00000000
Actual checksum: 0x000111a3
Minimum OS version: 4.0
Compile time: 2015-01-28 17:43:36
Import hash: 8569656ff3314023cf8db4198febb66e

PE sections

Name    Virtual address  Virtual size  Raw data size  Characteristics                                                        Entropy
.text   0x00001000       0x000041ba    0x00004200     IMAGE_SCN_CNT_CODE|IMAGE_SCN_MEM_EXECUTE|IMAGE_SCN_MEM_READ            6.13
.rdata  0x00006000       0x0000102c    0x00001200     IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_READ                      3.51
.data   0x00008000       0x00000c34    0x00000c00     IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_READ|IMAGE_SCN_MEM_WRITE  4.85

Imports

Library KERNEL32.dll:
0x406038 - lstrcatA
0x40603c - lstrcpyA
0x406040 - GetEnvironmentVariableA
0x406044 - GetShortPathNameA
0x406048 - GetModuleFileNameA
0x40604c - ExitProcess
0x406050 - GetLastError
0x406054 - CreateMutexA
0x406058 - GetCurrentProcess
0x40605c - CopyFileA
0x406060 - GetSystemDirectoryA
0x406064 - GlobalMemoryStatusEx
0x406068 - GetComputerNameA
0x40606c - GetSystemDefaultUILanguage
0x406070 - GetModuleHandleA
0x406074 - TerminateProcess
0x406078 - SetPriorityClass
0x40607c - GetCurrentThread
0x406080 - SetThreadPriority
0x406084 - CreateProcessA
0x406088 - ResumeThread
0x40608c - WaitForSingleObject
0x406090 - CloseHandle
0x406094 - GetTempPathA
0x406098 - LoadLibraryA
0x40609c - GetProcAddress
0x4060a0 - WinExec
0x4060a4 - CreateThread
0x4060a8 - lstrlenA
0x4060ac - Sleep
0x4060b0 - ExitThread
0x4060b4 - GetTickCount
0x4060b8 - GetStartupInfoA
Library USER32.dll:
0x406144 - wsprintfA
Library ADVAPI32.dll:
0x406000 - OpenSCManagerA
0x406004 - CreateServiceA
0x406008 - OpenServiceA
0x40600c - StartServiceA
0x406010 - RegOpenKeyA
0x406014 - RegSetValueExA
0x406018 - CloseServiceHandle
0x40601c - RegCloseKey
0x406020 - RegOpenKeyExA
0x406024 - StartServiceCtrlDispatcherA
0x406028 - RegisterServiceCtrlHandlerA
0x40602c - SetServiceStatus
0x406030 - RegQueryValueExA
Library WS2_32.dll:
0x40614c - WSAStartup
0x406150 - send
0x406154 - select
0x406158 - __WSAFDIsSet
0x40615c - recv
0x406160 - setsockopt
0x406164 - connect
0x406168 - closesocket
0x40616c - WSAIoctl
0x406170 - socket
0x406174 - htons
0x406178 - gethostbyname
0x40617c - inet_addr
0x406180 - sendto
0x406184 - WSASocketA
0x406188 - htonl
Library MSVCRT.dll:
0x4060c0 - rand
0x4060c4 - __p__commode
0x4060c8 - _controlfp
0x4060cc - ??1type_info@@UAE@XZ
0x4060d0 - ??3@YAXPAX@Z
0x4060d4 - __set_app_type
0x4060d8 - memcpy
0x4060dc - atoi
0x4060e0 - strcpy
0x4060e4 - strncpy
0x4060e8 - strcspn
0x4060ec - strstr
0x4060f0 - strcat
0x4060f4 - sprintf
0x4060f8 - localtime
0x4060fc - time
0x406100 - exit
0x406104 - memset
0x406108 - strncmp
0x40610c - strlen
0x406110 - _except_handler3
0x406114 - _adjust_fdiv
0x406118 - malloc
0x40611c - __CxxFrameHandler
0x406120 - _CxxThrowException
0x406124 - _exit
0x406128 - _XcptFilter
0x40612c - _acmdln
0x406130 - __getmainargs
0x406134 - _initterm
0x406138 - __setusermatherr
0x40613c - __p__fmode

Dropped files

No information

Behavioral analysis

Mutexes
  • 111
Commands executed
  • C:\Windows\system32\cmd.exe /c del C:\Users\test\AppData\Local\Temp\Cache.dat > nul
  • C:\Windows\SysWOW64\amqwwq.exe
Services created
  • 111
Services started
  • 111

Processes

Cache.dat PID: 2444, parent PID: 2300

services.exe PID: 428, parent PID: 332

amqwwq.exe PID: 2580, parent PID: 428

cmd.exe PID: 2672, parent PID: 2444

Files accessed
  • C:\Users\test\AppData\Local\Temp\Cache.dat
  • C:\Windows\System32\amqwwq.exe
  • C:\Windows\Temp
  • C:\Windows\System32\tzres.dll
  • C:\Users\test\AppData\Local\Temp
  • C:\Users
  • C:\Users\test
  • C:\Users\test\AppData
  • C:\Users\test\AppData\Local
  • \??\nul
  • C:\
Files read
  • C:\Users\test\AppData\Local\Temp\Cache.dat
  • C:\Windows\System32\tzres.dll
Files modified
  • C:\Windows\System32\amqwwq.exe
  • \??\nul
Files deleted
  • C:\Users\test\AppData\Local\Temp\Cache.dat
Registry keys
  • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\111
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\111\Description
  • HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\GRE_Initialize
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\GRE_Initialize\DisableMetaFiles
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\111
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\111\ObjectName
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\111\ImagePath
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\111\WOW64
  • HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\ProfileList
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList\ProgramData
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList\Public
  • HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Session Manager\Environment
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList\Default
  • HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ProgramFilesDir
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\CommonFilesDir
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ProgramFilesDir (x86)
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\CommonFilesDir (x86)
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ProgramW6432Dir
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\CommonW6432Dir
  • HKEY_USERS\S-1-5-18
  • HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\ProfileList\S-1-5-18
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList\S-1-5-18\ProfileImagePath
  • HKEY_USERS\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders
  • HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders\AppData
  • HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders\Local AppData
  • HKEY_USERS\.DEFAULT\Environment
  • HKEY_USERS\.DEFAULT\Volatile Environment
  • HKEY_USERS\.DEFAULT\Volatile Environment\0
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\111\Environment
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion
  • HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\ProductName
  • HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0
  • HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz
  • HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\Windows Error Reporting\WMR
  • HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\Windows Error Reporting\WMR\Disable
  • HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\System
  • HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor
  • HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Command Processor\DisableUNCCheck
  • HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Command Processor\EnableExtensions
  • HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Command Processor\DelayedExpansion
  • HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Command Processor\DefaultColor
  • HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Command Processor\CompletionChar
  • HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Command Processor\PathCompletionChar
  • HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Command Processor\AutoRun
  • HKEY_CURRENT_USER\Software\Microsoft\Command Processor
  • HKEY_CURRENT_USER\Software\Microsoft\Command Processor\DisableUNCCheck
  • HKEY_CURRENT_USER\Software\Microsoft\Command Processor\EnableExtensions
  • HKEY_CURRENT_USER\Software\Microsoft\Command Processor\DelayedExpansion
  • HKEY_CURRENT_USER\Software\Microsoft\Command Processor\DefaultColor
  • HKEY_CURRENT_USER\Software\Microsoft\Command Processor\CompletionChar
  • HKEY_CURRENT_USER\Software\Microsoft\Command Processor\PathCompletionChar
  • HKEY_CURRENT_USER\Software\Microsoft\Command Processor\AutoRun
  • HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Nls\Locale
  • HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Nls\Locale\Alternate Sorts
  • HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Nls\Language Groups
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\Locale\00000804
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\Language Groups\a
Registry keys read
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\GRE_Initialize\DisableMetaFiles
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\111\ObjectName
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\111\ImagePath
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\111\WOW64
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList\ProgramData
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList\Public
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList\Default
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ProgramFilesDir
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\CommonFilesDir
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ProgramFilesDir (x86)
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\CommonFilesDir (x86)
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ProgramW6432Dir
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\CommonW6432Dir
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList\S-1-5-18\ProfileImagePath
  • HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders\AppData
  • HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders\Local AppData
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\111\Environment
  • HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\ProductName
  • HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz
  • HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\Windows Error Reporting\WMR\Disable
  • HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Command Processor\DisableUNCCheck
  • HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Command Processor\EnableExtensions
  • HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Command Processor\DelayedExpansion
  • HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Command Processor\DefaultColor
  • HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Command Processor\CompletionChar
  • HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Command Processor\PathCompletionChar
  • HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Command Processor\AutoRun
  • HKEY_CURRENT_USER\Software\Microsoft\Command Processor\DisableUNCCheck
  • HKEY_CURRENT_USER\Software\Microsoft\Command Processor\EnableExtensions
  • HKEY_CURRENT_USER\Software\Microsoft\Command Processor\DelayedExpansion
  • HKEY_CURRENT_USER\Software\Microsoft\Command Processor\DefaultColor
  • HKEY_CURRENT_USER\Software\Microsoft\Command Processor\CompletionChar
  • HKEY_CURRENT_USER\Software\Microsoft\Command Processor\PathCompletionChar
  • HKEY_CURRENT_USER\Software\Microsoft\Command Processor\AutoRun
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\Locale\00000804
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\Language Groups\a
Registry keys modified
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\111\Description
Registry keys deleted: No information
Resolved APIs
  • kernel32.dll.SetThreadUILanguage
  • kernel32.dll.CopyFileExW
  • kernel32.dll.IsDebuggerPresent
  • kernel32.dll.SetConsoleInputExeNameW