魔盾安全分析报告
| 分析类型 | 开始时间 | 结束时间 | 持续时间 | 分析引擎版本 |
|---|---|---|---|---|
| FILE | 2019-01-22 04:32:26 | 2019-01-22 04:35:40 | 194 秒 | 1.4-Maldun |
| 虚拟机机器名 | 标签 | 虚拟机管理 | 开机时间 | 关机时间 |
|---|---|---|---|---|
| win7-sp1-x64-hpdapp01-2 | win7-sp1-x64-hpdapp01-2 | KVM | 2019-01-22 04:32:32 | 2019-01-22 04:35:41 |
| 魔盾分数 |
|---|
10.0Malicious |
文件详细信息
| 文件名 | Client.exe |
|---|---|
| 文件大小 | 1376256 字节 |
| 文件类型 | PE32 executable (GUI) Intel 80386, for MS Windows |
| CRC32 | 946701D5 |
| MD5 | 0f9aa6337c2eb06f3d23cbc2cb2f13a1 |
| SHA1 | 95904d40df2bdb312577187af3d4922f9c1ea391 |
| SHA256 | 9a92a5d2fade596d8ed1122186dff72f1cd4ab9a9aad5c7951a833d469c721c2 |
| SHA512 | 6bb148c46e53dfea71cf545dae42643a3a25d415f06b9355090534226619e28bf67923db30289f7dbf9b2f8ff4efd96294a9cc737eff7f5b56f6b603429c53b2 |
| Ssdeep | 24576:IyEKgsEcmE7t8iokE1f6CEOxcXEPpYJv9CVBro:Ng3qt83kNwcUA9A |
| PEiD | 无匹配 |
| Yara |
|
| VirusTotal |
VirusTotal链接 VirusTotal扫描时间: 2018-04-20 12:22:31 扫描结果: 41/68 |
特征
创建RWX内存
魔盾安全Yara检测结果 - 普通
Informational: Detected Entropy signature
Informational: Detected Rich Signature
Informational: Detected no presence of any attachment
Informational: Detected no presence of any image
Informational: Detected no presence of any url
二进制文件可能包含加密或压缩数据
section: name: .vmp1, entropy: 7.92, characteristics: IMAGE_SCN_CNT_CODE|IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_EXECUTE|IMAGE_SCN_MEM_READ|IMAGE_SCN_MEM_WRITE, raw_size: 0x00105000, virtual_size: 0x00104c1f
可执行文件可能使用VMProtect打包
section: {'name': '.vmp0', 'characteristics': 'IMAGE_SCN_CNT_CODE|IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_EXECUTE|IMAGE_SCN_MEM_READ|IMAGE_SCN_MEM_WRITE', 'virtual_address': '0x00040000', 'size_of_data': '0x00000000', 'entropy': '0.00', 'virtual_size': '0x000d5d47', 'characteristics_raw': '0xe0000060'}
尝试阻止沙箱线程以防止恶意行为被记录
文件已被至少一个VirusTotal上的反病毒引擎检测为病毒
Bkav: HW32.Packed.3401
MicroWorld-eScan: Trojan.GenericKD.30606142
CAT-QuickHeal: Trojan.IGENERIC
McAfee: Artemis!0F9AA6337C2E
K7GW: Trojan ( 004b0a511 )
K7AntiVirus: Trojan ( 004b0a511 )
TrendMicro: TROJ_GEN.R011C0RDE18
Baidu: Win32.Trojan.WisdomEyes.16070401.9500.9640
Symantec: Trojan.Gen.2
TrendMicro-HouseCall: TROJ_GEN.R011C0RDE18
Avast: Win32:Malware-gen
BitDefender: Trojan.GenericKD.30606142
AegisLab: Troj.Black.Gen2!c
Ad-Aware: Trojan.GenericKD.30606142
Sophos: Mal/VMProtBad-A
Comodo: UnclassifiedMalware
F-Secure: Trojan.GenericKD.30606142
VIPRE: Trojan.Win32.Generic!BT
Invincea: heuristic
McAfee-GW-Edition: BehavesLike.Win32.BadFile.tc
Emsisoft: Trojan.GenericKD.30606142 (B)
Cyren: W32/Trojan.FPDQ-3744
Avira: TR/Black.Gen2
Fortinet: W32/VMProtBad.A!tr
Endgame: malicious (high confidence)
Arcabit: Trojan.Generic.D1D3033E
Microsoft: Trojan:Win32/Delpem.A
ALYac: Trojan.GenericKD.30606142
AVware: Trojan.Win32.Generic!BT
MAX: malware (ai score=95)
Cylance: Unsafe
ESET-NOD32: a variant of Win32/Packed.VMProtect.ABO
Tencent: Win32.Trojan.Black.Jcs
Yandex: Trojan.VMProtect!
Ikarus: Trojan.Win32.VMProtect
eGambit: Unsafe.AI_Score_76%
GData: Trojan.GenericKD.30606142
AVG: Win32:Malware-gen
Cybereason: malicious.0df2bd
Paloalto: generic.ml
CrowdStrike: malicious_confidence_100% (W)
运行截图
网络分析
静态分析
PE 信息
| 初始地址 | 0x00400000 |
|---|---|
| 入口地址 | 0x00612515 |
| 声明校验值 | 0x0015c7c3 |
| 实际校验值 | 0x0015c7c3 |
| 最低操作系统版本要求 | 5.0 |
| 编译时间 | 2017-02-06 23:51:13 |
| 载入哈希 | 8e39f364491cf4102a7a4d0238ebb3c7 |
版本信息
| LegalCopyright: | \u7248\u6743\u6240\u6709 (C) 2017 |
| InternalName: | Client |
| FileVersion: | 1, 0, 0, 1 |
| CompanyName: | QQ\uff1a45955437 |
| PrivateBuild: | |
| LegalTrademarks: | |
| Comments: | \u6b8b\u82b1 |
| ProductName: | Client \u5e94\u7528\u7a0b\u5e8f |
| SpecialBuild: | |
| ProductVersion: | 1, 0, 0, 1 |
| FileDescription: | Client Microsoft \u57fa\u7840\u7c7b\u5e94\u7528\u7a0b\u5e8f |
| OriginalFilename: | Client.EXE |
| Translation: | 0x0804 0x04b0 |
PE数据组成
| 名称 | 虚拟地址 | 虚拟大小 | 原始数据大小 | 特征 | 熵(Entropy) |
|---|---|---|---|---|---|
| .text | 0x00001000 | 0x0002aa2f | 0x00000000 | IMAGE_SCN_CNT_CODE|IMAGE_SCN_MEM_EXECUTE|IMAGE_SCN_MEM_READ | 0.00 |
| .rdata | 0x0002c000 | 0x0000a8d0 | 0x00000000 | IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_READ | 0.00 |
| .data | 0x00037000 | 0x00008ca8 | 0x00000000 | IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_READ|IMAGE_SCN_MEM_WRITE | 0.00 |
| .vmp0 | 0x00040000 | 0x000d5d47 | 0x00000000 | IMAGE_SCN_CNT_CODE|IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_EXECUTE|IMAGE_SCN_MEM_READ|IMAGE_SCN_MEM_WRITE | 0.00 |
| .vmp1 | 0x00116000 | 0x00104c1f | 0x00105000 | IMAGE_SCN_CNT_CODE|IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_EXECUTE|IMAGE_SCN_MEM_READ|IMAGE_SCN_MEM_WRITE | 7.92 |
| .rsrc | 0x0021b000 | 0x00049a42 | 0x0004a000 | IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_READ | 5.16 |
导入
库 KERNEL32.dll:
• 0x60b000 - GetVersion
• 0x60b004 - GetVersionExA
• 0x60b008 - GlobalHandle
库 USER32.dll:
• 0x60b010 - GetClassNameA
库 GDI32.dll:
• 0x60b018 - GetBkColor
库 comdlg32.dll:
• 0x60b020 - GetOpenFileNameA
库 WINSPOOL.DRV:
• 0x60b028 - OpenPrinterA
库 ADVAPI32.dll:
• 0x60b030 - RegCreateKeyExA
库 COMCTL32.dll:
• 0x60b038 - ImageList_Destroy
库 oledlg.dll:
• 0x60b040 - None
库 ole32.dll:
• 0x60b048 - CoRegisterMessageFilter
库 OLEPRO32.DLL:
• 0x60b050 - None
库 OLEAUT32.dll:
• 0x60b058 - SysAllocStringByteLen
库 WS2_32.dll:
• 0x60b060 - closesocket
库 KERNEL32.dll:
• 0x60b068 - GetModuleFileNameW
库 KERNEL32.dll:
• 0x60b070 - GetModuleHandleA
• 0x60b074 - LoadLibraryA
• 0x60b078 - LocalAlloc
• 0x60b07c - LocalFree
• 0x60b080 - GetModuleFileNameA
• 0x60b084 - ExitProcess
投放文件
行为分析
互斥量(Mutexes)
无信息
执行的命令
无信息
创建的服务
无信息
启动的服务
无信息
进程
Client.exe PID: 2456, 上一级进程 PID: 2312
访问的文件
- C:\Users\test\AppData\Local\Temp\Client.exe
- C:\Windows\Globalization\Sorting\sortdefault.nls
读取的文件
- C:\Users\test\AppData\Local\Temp\Client.exe
- C:\Windows\Globalization\Sorting\sortdefault.nls
修改的文件
无信息
删除的文件
无信息
注册表键
- HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Nls\Locale
- HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Nls\Locale\Alternate Sorts
- HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Nls\Language Groups
- HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\Locale\00000804
- HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\Language Groups\a
- HKEY_CURRENT_USER
- HKEY_CURRENT_USER\Control Panel\Desktop
- HKEY_CURRENT_USER\Control Panel\Desktop\SmoothScroll
- HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced
- HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\EnableBalloonTips
- HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ListviewAlphaSelect
- HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ListviewShadow
- HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\AccListViewV6
- HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\UseDoubleClickTimer
- HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\FontSubstitutes
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\FontSubstitutes\\xe5\xae\x8b\xe4\xbd\x93
- HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Nls\CustomLocale
- HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\CustomLocale\en-US
- HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Nls\ExtendedLocale
- HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\ExtendedLocale\en-US
读取的注册表键
- HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\Locale\00000804
- HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\Language Groups\a
- HKEY_CURRENT_USER\Control Panel\Desktop\SmoothScroll
- HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\EnableBalloonTips
- HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ListviewAlphaSelect
- HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ListviewShadow
- HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\AccListViewV6
- HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\UseDoubleClickTimer
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\FontSubstitutes\\xe5\xae\x8b\xe4\xbd\x93
- HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\CustomLocale\en-US
- HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\ExtendedLocale\en-US
修改的注册表键
无信息
删除的注册表键
无信息
API解析
- kernel32.dll.FlsAlloc
- kernel32.dll.FlsGetValue
- kernel32.dll.FlsSetValue
- kernel32.dll.FlsFree
- kernel32.dll.IsProcessorFeaturePresent
- comctl32.dll.InitCommonControlsEx
- kernel32.dll.SortGetHandle
- kernel32.dll.SortCloseHandle
- comctl32.dll.RegisterClassNameW
- uxtheme.dll.EnableThemeDialogTexture
- uxtheme.dll.OpenThemeData
- imm32.dll.ImmIsIME