Analysis type | VM label | Start time | End time | Duration |
---|---|---|---|---|
File (Windows) | win7-sp1-x64-shaapp02-1 | 2022-05-28 00:57:39 | 2022-05-28 00:59:01 | 82 s |
File name | Ransom.FrozrLock.exe |
---|---|
File size | 790016 bytes |
File type | PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows |
MD5 | 1d2679334ade760f4a102250f6567542 |
SHA1 | d00e7bd09fd09f80dc85ee2614446b55228d76d4 |
SHA256 | 89284ff8858d739741dfc8007f02548489786ed3d1dace339ad7157b6921a0f5 |
SHA512 | d5598eebadd35ad64b49a769f71490b49457b4bb6478853d0ecc68409d7a35a87a0f0dcc20db2b32c07133838abbef25505daed514d434ce374fde9603c0ced1 |
CRC32 | 3012DEE1 |
Ssdeep | 24576:s2+x3v8wxTll5U/2oWtJ8c2PSaQxRkiNhEZZe:+18wxhbJimxR3EZZ |
Direct | IP | Security rating | Geolocation |
---|---|---|---|
No | 104.18.115.97 | | United States |
Domain | Security rating | Response |
---|---|---|
icanhazip.com | | A 104.18.114.97, A 104.18.115.97 |
iwantmyfiles.asia | | NXDOMAIN |
Image base | 0x00400000 |
---|---|
Entry point | 0x004c800a |
Claimed checksum | 0x00000000 |
Actual checksum | 0x000c4c76 |
Minimum OS version | 4.0 |
Compile time | 2017-07-20 16:24:10 |
Import hash | f34d5f2d4577ed6d9ceec516c1f5a744 |
Translation | |
---|---|
LegalCopyright | |
Assembly Version | |
InternalName | |
FileVersion | |
CompanyName | |
LegalTrademarks | |
Comments | |
ProductName | |
ProductVersion | |
FileDescription | |
OriginalFilename | |
Name | Virtual address | Virtual size | Raw data size | Characteristics | Entropy |
---|---|---|---|---|---|
\x05W\h0f\| | 0x00002000 | 0x000ad7a0 | 0x000ad800 | IMAGE_SCN_CNT_INITIALIZED_DATA\|IMAGE_SCN_MEM_EXECUTE\|IMAGE_SCN_MEM_READ\|IMAGE_SCN_MEM_WRITE | 8.00 |
.text | 0x000b0000 | 0x00012598 | 0x00012600 | IMAGE_SCN_CNT_CODE\|IMAGE_SCN_MEM_EXECUTE\|IMAGE_SCN_MEM_READ | 5.72 |
.rsrc | 0x000c4000 | 0x00000710 | 0x00000800 | IMAGE_SCN_CNT_INITIALIZED_DATA\|IMAGE_SCN_MEM_READ | 3.81 |
.reloc | 0x000c6000 | 0x0000000c | 0x00000200 | IMAGE_SCN_CNT_INITIALIZED_DATA\|IMAGE_SCN_MEM_DISCARDABLE\|IMAGE_SCN_MEM_READ | 0.09 |
(unnamed) | 0x000c8000 | 0x00000010 | 0x00000200 | IMAGE_SCN_CNT_CODE\|IMAGE_SCN_MEM_EXECUTE\|IMAGE_SCN_MEM_READ | 0.14 |
Source address | Source port | Destination address | Destination port |
---|---|---|---|
192.168.122.201 | 49167 | 104.18.115.97 (icanhazip.com) | 80 |
192.168.122.201 | 49160 | 23.213.230.137 | 80 |
Source address | Source port | Destination address | Destination port |
---|---|---|---|
192.168.122.201 | 53118 | 192.168.122.1 | 53 |
192.168.122.201 | 57526 | 192.168.122.1 | 53 |
192.168.122.201 | 63246 | 192.168.122.1 | 53 |
URI | HTTP data |
---|---|
http://acroipm.adobe.com/11/rdr/CHS/win/nooem/none/message.zip | GET /11/rdr/CHS/win/nooem/none/message.zip HTTP/1.1 Accept: */* If-Modified-Since: Mon, 08 Nov 2017 08:44:36 GMT User-Agent: IPM Host: acroipm.adobe.com Connection: Keep-Alive Cache-Control: no-cache |
http://icanhazip.com/ | GET / HTTP/1.1 Host: icanhazip.com Connection: Keep-Alive |
http://icanhazip.com/ | GET / HTTP/1.1 Host: icanhazip.com |
No SMTP traffic.
No IRC requests.
No ICMP traffic.
No CIF results.
Timestamp | Source IP | Source Port | Destination IP | Destination Port | Protocol | SID | Signature | Category |
---|---|---|---|---|---|---|---|---|
2022-05-28 00:58:35.844874+0800 | 192.168.122.201 | 49167 | 104.18.115.97 | 80 | TCP | 2017398 | ET POLICY IP Check Domain (icanhazip. com in HTTP Host) | Attempted Information Leak |
2022-05-28 00:58:36.114848+0800 | 192.168.122.201 | 49167 | 104.18.115.97 | 80 | TCP | 2017398 | ET POLICY IP Check Domain (icanhazip. com in HTTP Host) | Attempted Information Leak |
2022-05-28 00:58:36.293445+0800 | 192.168.122.201 | 49167 | 104.18.115.97 | 80 | TCP | 2017398 | ET POLICY IP Check Domain (icanhazip. com in HTTP Host) | Attempted Information Leak |
2022-05-28 00:58:37.063887+0800 | 192.168.122.201 | 49167 | 104.18.115.97 | 80 | TCP | 2017398 | ET POLICY IP Check Domain (icanhazip. com in HTTP Host) | Attempted Information Leak |
2022-05-28 00:58:37.232439+0800 | 192.168.122.201 | 49167 | 104.18.115.97 | 80 | TCP | 2017398 | ET POLICY IP Check Domain (icanhazip. com in HTTP Host) | Attempted Information Leak |
2022-05-28 00:58:37.400875+0800 | 192.168.122.201 | 49167 | 104.18.115.97 | 80 | TCP | 2017398 | ET POLICY IP Check Domain (icanhazip. com in HTTP Host) | Attempted Information Leak |
2022-05-28 00:58:37.779152+0800 | 192.168.122.201 | 49167 | 104.18.115.97 | 80 | TCP | 2017398 | ET POLICY IP Check Domain (icanhazip. com in HTTP Host) | Attempted Information Leak |
No TLS
No Suricata HTTP
Task ID | 692596 |
---|---|
Mongo ID | 62910393dc327b07f30dd316 |
Cuckoo release | 1.4-Maldun |