恶意软件分析 & URL链接扫描免费在线病毒分析平台

分析任务

分析类型	虚拟机标签	开始时间	结束时间	持续时间
文件 (Windows)	win7-sp1-x64-shaapp03-1	2024-03-27 21:36:54	2024-03-27 21:37:24	30 秒

魔盾分数

0.05

正常的

文件详细信息

文件名	NodDriver.sys
文件大小	40112 字节
文件类型	PE32+ executable (native) x86-64, for MS Windows
MD5	d27eb3a66b7559b2643275ef868f44bc
SHA1	1b04c9f47f607f45e3f12f75e88712df5a526110
SHA256	243d9570b8e41f303feca8f7aeef43fba189c8eebf9f24a25986723608a221ed
SHA512	7ec13b430ae7a5b9cf09151264c49f4f4e7428507563bd1659f120be3344525b0caa6695727750b0b09f3223502842b466233806e6a1c077ae779ceff0bb0f1d
CRC32	C823C4BE
Ssdeep	768:iKjykyPqDMAAkbzCAYALCfWR/r/gSqeyfSr/g7RoZL5n:iKjyVvwEGCOV/MQ/KRQ5n
Yara	登录查看Yara规则
	找不到该样本提交漏报

登录查看威胁特征

运行截图

没有可用的屏幕截图

访问主机纪录 (可点击查询WPING实时安全评级)

无主机纪录.

域名解析 (可点击查询WPING实时安全评级)

无域名信息.

摘要

登录查看详细行为信息

PE 信息

初始地址	0x140000000
入口地址	0x14000a310
声明校验值	0x0000dc22
实际校验值	0x0000dc22
最低操作系统版本要求	10.0
PDB路径	I:\NecAimi\VS Projects\NodProtect\x64\Release\NodDriver.pdb
编译时间	2024-02-06 10:55:25
载入哈希	27b30fedac0a545025e9e31fab99af25

版本信息

LegalCopyright
InternalName
FileVersion
CompanyName
ProductName
ProductVersion
FileDescription
OriginalFilename
Translation

微软证书验证 (Sign Tool)

SHA1	时间戳	有效性	错误
4caf1e77dd4639412e48864b728993565a9cdd2c	None	否	WinVerifyTrust returned error 0x800B0101

证书链	Certificate Chain 1
发行给	VeriSign Class 3 Public Primary Certification Authority - G5
发行人	VeriSign Class 3 Public Primary Certification Authority - G5
有效期	Thu Jul 17 075959 2036
SHA1 哈希	4eb6d578499b1ccf5f581ead56be3d9b6744a5e5

证书链	Certificate Chain 2
发行给	VeriSign Class 3 Code Signing 2010 CA
发行人	VeriSign Class 3 Public Primary Certification Authority - G5
有效期	Sat Feb 08 075959 2020
SHA1 哈希	495847a93187cfb8c71f840cb7b41497ad95c64f

证书链	Certificate Chain 3
发行给	Nanjing xScaler Information Technology Co.,Ltd
发行人	VeriSign Class 3 Code Signing 2010 CA
有效期	Wed Aug 21 075959 2013
SHA1 哈希	d23360d5b1e7469ea4215486804e5d1d87ae66bc

PE 数据组成

名称	虚拟地址	虚拟大小	原始数据大小	特征	熵(Entropy)
.text	0x00001000	0x000044dd	0x00004600	IMAGE_SCN_CNT_CODE\|IMAGE_SCN_MEM_NOT_PAGED\|IMAGE_SCN_MEM_EXECUTE\|IMAGE_SCN_MEM_READ	6.21
.rdata	0x00006000	0x00000ef0	0x00001000	IMAGE_SCN_CNT_INITIALIZED_DATA\|IMAGE_SCN_MEM_NOT_PAGED\|IMAGE_SCN_MEM_READ	3.73
.data	0x00007000	0x000001e8	0x00000200	IMAGE_SCN_CNT_INITIALIZED_DATA\|IMAGE_SCN_MEM_NOT_PAGED\|IMAGE_SCN_MEM_READ\|IMAGE_SCN_MEM_WRITE	0.30
.pdata	0x00008000	0x000003c0	0x00000400	IMAGE_SCN_CNT_INITIALIZED_DATA\|IMAGE_SCN_MEM_NOT_PAGED\|IMAGE_SCN_MEM_READ	4.08
PAGE	0x00009000	0x00000743	0x00000800	IMAGE_SCN_CNT_CODE\|IMAGE_SCN_MEM_EXECUTE\|IMAGE_SCN_MEM_READ	5.77
INIT	0x0000a000	0x00000fc0	0x00001000	IMAGE_SCN_CNT_CODE\|IMAGE_SCN_MEM_DISCARDABLE\|IMAGE_SCN_MEM_EXECUTE\|IMAGE_SCN_MEM_READ	5.56
.rsrc	0x0000b000	0x000003d8	0x00000400	IMAGE_SCN_CNT_INITIALIZED_DATA\|IMAGE_SCN_MEM_DISCARDABLE\|IMAGE_SCN_MEM_READ	3.42
.reloc	0x0000c000	0x00000044	0x00000200	IMAGE_SCN_CNT_INITIALIZED_DATA\|IMAGE_SCN_MEM_DISCARDABLE\|IMAGE_SCN_MEM_READ	1.02

覆盖

偏移量	0x00007e00
大小	0x00001eb0

资源

名称	偏移量	大小	语言	子语言	熵(Entropy)	文件类型
RT_RCDATA	0x0000b0b0	0x00000037	LANG_ENGLISH	SUBLANG_ENGLISH_US	4.52	ASCII text, with no line terminators
RT_VERSION	0x0000b0e8	0x000002ec	LANG_ENGLISH	SUBLANG_ENGLISH_US	3.45	data

导入

库: FLTMGR.SYS:

• 0x140006000 FltAllocateContext

• 0x140006008 FltSetStreamContext

• 0x140006010 FltSetStreamHandleContext

• 0x140006018 FltGetStreamContext

• 0x140006020 FltReleaseContext

• 0x140006028 FltSetCallbackDataDirty

• 0x140006030 FltAllocatePoolAlignedWithTag

• 0x140006038 FltFreePoolAlignedWithTag

• 0x140006040 FltGetFileNameInformation

• 0x140006048 FltReleaseFileNameInformation

• 0x140006050 FltParseFileNameInformation

• 0x140006058 FltReadFile

• 0x140006060 FltQueryInformationFile

• 0x140006068 FltGetVolumeContext

• 0x140006070 FltGetRequestorProcess

• 0x140006078 FltDoCompletionProcessingWhenSafe

• 0x140006080 FltRegisterFilter

• 0x140006088 FltUnregisterFilter

• 0x140006090 FltStartFiltering

• 0x140006098 FltSetVolumeContext

• 0x1400060a0 FltGetDiskDeviceObject

• 0x1400060a8 FltGetVolumeProperties

• 0x1400060b0 FltGetVolumeName

• 0x1400060b8 FltGetVolumeFromName

• 0x1400060c0 FltObjectDereference

• 0x1400060c8 FltLockUserBuffer

• 0x1400060d0 FltCreateCommunicationPort

• 0x1400060d8 FltCloseCommunicationPort

• 0x1400060e0 FltCloseClientPort

• 0x1400060e8 FltSendMessage

• 0x1400060f0 FltBuildDefaultSecurityDescriptor

• 0x1400060f8 FltFreeSecurityDescriptor

库: ksecdd.sys:

• 0x140006108 BCryptOpenAlgorithmProvider

• 0x140006110 BCryptGetProperty

• 0x140006118 BCryptCloseAlgorithmProvider

• 0x140006120 BCryptDestroyKey

• 0x140006128 BCryptCreateHash

• 0x140006130 BCryptHashData

• 0x140006138 BCryptFinishHash

• 0x140006140 BCryptDestroyHash

库: ntoskrnl.exe:

• 0x140006150 RtlCopyUnicodeString

• 0x140006158 ExAllocatePoolWithTag

• 0x140006160 ExInitializeResourceLite

• 0x140006168 RtlInitUnicodeString

• 0x140006170 RtlCompareMemory

• 0x140006178 KeEnterCriticalRegion

• 0x140006180 KeLeaveCriticalRegion

• 0x140006188 ExFreePoolWithTag

• 0x140006190 ExAcquireResourceExclusiveLite

• 0x140006198 ExReleaseResourceLite

• 0x1400061a0 PsGetProcessId

• 0x1400061a8 wcscmp

• 0x1400061b0 strncmp

• 0x1400061b8 DbgPrint

• 0x1400061c0 KeGetCurrentIrql

• 0x1400061c8 __C_specific_handler

• 0x1400061d0 RtlAppendUnicodeToString

• 0x1400061d8 ExInitializeNPagedLookasideList

• 0x1400061e0 ExDeleteNPagedLookasideList

• 0x1400061e8 ObfDereferenceObject

• 0x1400061f0 ZwClose

• 0x1400061f8 ZwOpenKey

• 0x140006200 ZwDeleteValueKey

• 0x140006208 ZwFlushKey

• 0x140006210 ZwQueryValueKey

• 0x140006218 IoVolumeDeviceToDosName

• 0x140006220 wcsncmp

• 0x140006228 wcsrchr

• 0x140006230 wcsstr

• 0x140006238 KeAcquireSpinLockRaiseToDpc

• 0x140006240 KeReleaseSpinLock

• 0x140006248 SeLocateProcessImageName

• 0x140006250 ExQueryDepthSList

• 0x140006258 ExpInterlockedPopEntrySList

• 0x140006260 ExpInterlockedPushEntrySList

• 0x140006268 MmBuildMdlForNonPagedPool

• 0x140006270 MmMapLockedPagesSpecifyCache

• 0x140006278 IoAllocateMdl

• 0x140006280 IoFreeMdl

• 0x140006288 KeDelayExecutionThread

• 0x140006290 KeWaitForSingleObject

• 0x140006298 PsCreateSystemThread

• 0x1400062a0 PsTerminateSystemThread

• 0x1400062a8 ObReferenceObjectByHandle

• 0x1400062b0 PsThreadType

• 0x1400062b8 ExEnterCriticalRegionAndAcquireResourceExclusive

• 0x1400062c0 ExReleaseResourceAndLeaveCriticalRegion

• 0x1400062c8 MmForceSectionClosed

• 0x1400062d0 MmFlushImageSection

• 0x1400062d8 CcUninitializeCacheMap

• 0x1400062e0 CcPurgeCacheSection

• 0x1400062e8 CcFlushCache

.text
h.rdata
H.data
.pdata
HPAGE
`INIT
b.rsrc
B.reloc
fD9dE
L9- ?
I:\NecAimi\VS Projects\NodProtect\x64\Release\NodDriver.pdb
.text$mn
.text$mn$00
.text$mn$21
.text$s
.text$x
.idata$5
.00cfg
.gfids
.rdata
.rdata$zzzdbg
.xdata
.data
.pdata
PAGE$s
PAGE$x
INIT$s
.idata$2
.idata$3
.idata$4
.idata$6
.rsrc$01
.rsrc$02
FltAllocateContext
FltSetStreamContext
FltSetStreamHandleContext
FltGetStreamContext
FltReleaseContext
FltSetCallbackDataDirty
FltAllocatePoolAlignedWithTag
FltFreePoolAlignedWithTag
FltGetFileNameInformation
FltReleaseFileNameInformation
FltParseFileNameInformation
FltReadFile
FltQueryInformationFile
FltGetVolumeContext
FltGetRequestorProcess
FltDoCompletionProcessingWhenSafe
FltRegisterFilter
FltUnregisterFilter
FltStartFiltering
FltSetVolumeContext
FltGetDiskDeviceObject
FltGetVolumeProperties
FltGetVolumeName
FltGetVolumeFromName
FltObjectDereference
FltLockUserBuffer
FltCreateCommunicationPort
FltCloseCommunicationPort
FltCloseClientPort
FltSendMessage
FltBuildDefaultSecurityDescriptor
FltFreeSecurityDescriptor
FLTMGR.SYS
BCryptOpenAlgorithmProvider
BCryptGetProperty
BCryptCloseAlgorithmProvider
BCryptDestroyKey
BCryptCreateHash
BCryptHashData
BCryptFinishHash
BCryptDestroyHash
ksecdd.sys
RtlCopyUnicodeString
ExAllocatePoolWithTag
ExInitializeResourceLite
RtlInitUnicodeString
RtlCompareMemory
KeEnterCriticalRegion
KeLeaveCriticalRegion
ExFreePoolWithTag
ExAcquireResourceExclusiveLite
ExReleaseResourceLite
PsGetProcessId
wcscmp
strncmp
DbgPrint
KeGetCurrentIrql
__C_specific_handler
RtlAppendUnicodeToString
ExInitializeNPagedLookasideList
ExDeleteNPagedLookasideList
ObfDereferenceObject
ZwClose
ZwOpenKey
ZwDeleteValueKey
ZwFlushKey
ZwQueryValueKey
IoVolumeDeviceToDosName
wcsncmp
wcsrchr
wcsstr
KeAcquireSpinLockRaiseToDpc
KeReleaseSpinLock
SeLocateProcessImageName
ExQueryDepthSList
ExpInterlockedPopEntrySList
ExpInterlockedPushEntrySList
MmBuildMdlForNonPagedPool
MmMapLockedPagesSpecifyCache
IoAllocateMdl
IoFreeMdl
KeDelayExecutionThread
KeWaitForSingleObject
PsCreateSystemThread
PsTerminateSystemThread
ObReferenceObjectByHandle
PsThreadType
ExEnterCriticalRegionAndAcquireResourceExclusive
ExReleaseResourceAndLeaveCriticalRegion
MmForceSectionClosed
MmFlushImageSection
CcUninitializeCacheMap
CcPurgeCacheSection
CcFlushCache
ntoskrnl.exe
SAMPLE_IDENTIFIER{dd38f7fc-d7bd-488b-9242-7d8754cde80d}
ObjectLength
HashDigestLength
explorer.exeregproc
regkey
reparse
regext
regtime
DebugFlags
\Instances\NodDriver Instance
CheckIn
VS_VERSION_INFO
StringFileInfo
040904B0
CompanyName
FileDescription
Nod Filter Driver
FileVersion
10.0.10011.16384
InternalName
NodDriver.sys
LegalCopyright
Copyright (c) Nod.
OriginalFilename
NodDriver.sys
ProductName
Nod Filter Driver
ProductVersion
10.0.10011.16384
VarFileInfo
Translation

没有防病毒引擎扫描信息!

下载PCAP包

访问主机纪录 (可点击查询WPING实时安全评级)

无主机纪录.

TCP

源地址	源端口	目标地址	目标端口
192.168.122.201	49158	96.16.55.7	80

UDP

源地址	源端口	目标地址	目标端口
192.168.122.201	59401	192.168.122.1	53

域名解析 (可点击查询WPING实时安全评级)

无域名信息.

TCP

源地址	源端口	目标地址	目标端口
192.168.122.201	49158	96.16.55.7	80

UDP

源地址	源端口	目标地址	目标端口
192.168.122.201	59401	192.168.122.1	53

HTTP 请求

URI	HTTP数据
URL专业沙箱检测 -> http://acroipm.adobe.com/11/rdr/CHS/win/nooem/none/message.zip	GET /11/rdr/CHS/win/nooem/none/message.zip HTTP/1.1 Accept: / If-Modified-Since: Mon, 08 Nov 2017 08:44:36 GMT User-Agent: IPM Host: acroipm.adobe.com Connection: Keep-Alive Cache-Control: no-cache

SMTP 流量

无SMTP流量.

IRC 流量

无IRC请求.

ICMP 流量

无ICMP流量.

CIF 报告

无 CIF 结果

网络警报

无警报

TLS

No TLS

Suricata HTTP

No Suricata HTTP

未发现网络提取文件

抱歉! 没有任何文件投放。

没有发现相似的分析.

HTML 总结报告 (需15-60分钟同步)	下载

Processing ( 19.327 seconds )

13.251 Suricata
3.038 VirusTotal
1.854 NetworkAnalysis
0.497 Static
0.408 peid
0.259 TargetInfo
0.011 AnalysisInfo
0.005 Strings
0.002 BehaviorAnalysis
0.002 Memory

Signatures ( 1.581 seconds )

1.465 proprietary_url_bl
0.013 ransomware_files
0.012 antiav_detectreg
0.012 ransomware_extensions
0.009 proprietary_domain_bl
0.007 network_http
0.005 anomaly_persistence_autorun
0.005 antiav_detectfile
0.005 infostealer_ftp
0.004 geodo_banking_trojan
0.003 infostealer_bitcoin
0.003 infostealer_im
0.003 stealth_modify_uac_prompt
0.002 tinba_behavior
0.002 rat_nanocore
0.002 antianalysis_detectreg
0.002 antivm_vbox_files
0.002 disables_browser_warn
0.002 infostealer_mail
0.002 stealth_hide_notifications
0.002 stealth_modify_security_center_warnings
0.001 betabot_behavior
0.001 cerber_behavior
0.001 antivm_parallels_keys
0.001 banker_zeus_mutex
0.001 bot_drive
0.001 bot_drive2
0.001 browser_security
0.001 modify_proxy
0.001 proprietary_malicious_drop_executable_file_to_temp_folder
0.001 proprietary_bad_drop
0.001 network_cnc_http
0.001 office_security
0.001 locker_regedit
0.001 ransomware_radamant
0.001 rat_pcclient
0.001 rat_spynet
0.001 recon_fingerprint
0.001 stealth_hiddenreg
0.001 stealth_web_history

Reporting ( 0.592 seconds )

0.536 ReportHTMLSummary
0.056 Malheur


Task ID	743144
Mongo ID	660421347e769a7994a59c30
Cuckoo release	1.4-Maldun