Analysis task

Analysis type | VM tag | Start time | End time | Duration
File (Windows) | win7-sp1-x64-shaapp03-1 | 2024-04-19 17:42:58 | 2024-04-19 17:45:09 | 131 seconds

Maldun score

3.0875

Suspicious

File details

File name home
File size 1540568 bytes
File type ELF 64-bit LSB executable, x86-64, version 1 (SYSV), dynamically linked, interpreter /lib64/ld-linux-x86-64.so.2, BuildID[sha1]=979c889cc9ca56a33ed67aeb4d2d05cb8db2df1b, for GNU/Linux 2.6.32, stripped
MD5 84413332e4e7138adc5d6f1f688ddd69
SHA1 4cbd71476656390d056d3b62d36df46adaad6c43
SHA256 471eba681164bd3eeee777514bc619952c9f484b22c8b9695610055a862e7c8a
SHA512 e990c85bce6c03f06db1429ebbe9078b281800f3420bbab4c1398cd04e18befda97a7d58c1263e011a0ad668e0d52dee859682c767f7ec9086e90625866f07e9
CRC32 1A7CC760
Ssdeep 24576:NBhwihXSC58hreuXZBXA94sjDphDH50poKAxKI8pIEuT4iWEW0PLYisKTKNINMSL:nhwKXSo8rHJBXm4YD3Z0HCiSpTjk01sM

Runtime screenshots


Hosts contacted

Direct IP | Security rating | Location
104.208.16.93 | United States

DNS resolution

Domain | Security rating | Response
watson.microsoft.com A 104.208.16.93
CNAME legacywatson.trafficmanager.net
CNAME onedsblobprdcus07.centralus.cloudapp.azure.com

Summary

No static analysis available.
/lib64/ld-linux-x86-64.so.2
__gmon_start__
dlclose
dlsym
dlopen
dlerror
inflate
inflateInit_
inflateEnd
__errno_location
raise
waitpid
__xpg_basename
mkdtemp
fflush
strcpy
fchmod
readdir
fopen
strncmp
__strdup
perror
__isoc99_sscanf
closedir
signal
strncpy
mbstowcs
__lxstat
unlink
mkdir
realloc
getpid
strtok
symlink
calloc
strlen
prctl
dirname
rmdir
memcmp
clearerr
unsetenv
__fprintf_chk
stdout
memcpy
fclose
__vsnprintf_chk
strtoul
malloc
strcat
realpath
ftello
opendir
getenv
stderr
__snprintf_chk
readlink
execvp
strncat
fileno
fwrite
fread
__memcpy_chk
__fread_chk
strchr
__vfprintf_chk
__strcpy_chk
wcsdup
__xstat
__strcat_chk
strcmp
strerror
__libc_start_main
ferror
stpcpy
fseeko
snprintf
libdl.so.2
libz.so.1
libpthread.so.0
libc.so.6
GLIBC_2.2.5
GLIBC_2.7
GLIBC_2.14
GLIBC_2.3
GLIBC_2.3.4
1.3.1
malloc
fseek
fread
fopen
fwrite
calloc
pyi-contents-directory
pyi-runtime-tmpdir
[%d]
%s%c%s%c%s%c%s
%s%c%s.pkg
%s%c%s.exe
__main__
%s%c%s.py
__file__
_pyi_main_co
_MEIPASS2
_PYI_ONEDIR_MODE
_PYI_PROCNAME
/proc/self/exe
ld-%64[^.].so.%d
verbose
unbuffered
optimize
hash_seed
base_library.zip
lib-dynload
Py_DecRef
Py_DecodeLocale
Py_ExitStatusException
Py_Finalize
Py_InitializeFromConfig
Py_IsInitialized
Py_PreInitialize
PyConfig_Clear
PyConfig_InitIsolatedConfig
PyConfig_Read
PyConfig_SetBytesString
PyConfig_SetString
PyConfig_SetWideStringList
PyErr_Clear
PyErr_Fetch
PyErr_NormalizeException
PyErr_Occurred
PyErr_Print
PyErr_Restore
PyEval_EvalCode
PyImport_AddModule
PyImport_ExecCodeModule
PyImport_ImportModule
PyList_Append
PyMem_RawFree
PyModule_GetDict
PyObject_CallFunction
PyObject_CallFunctionObjArgs
PyObject_GetAttrString
PyObject_SetAttrString
PyObject_Str
PyRun_SimpleStringFlags
PyStatus_Exception
PySys_GetObject
PySys_SetObject
PyUnicode_AsUTF8
PyUnicode_Decode
PyUnicode_DecodeFSDefault
PyUnicode_FromFormat
PyUnicode_FromString
PyUnicode_Join
PyUnicode_Replace
PyMarshal_ReadObjectFromString
PyPreConfig_InitIsolatedConfig
_MEIPASS
%U?%llu
import sys; sys.stdout.flush(); (sys.__stdout__.flush if sys.__stdout__ is not sys.stdout else (lambda: None))()
import sys; sys.stderr.flush(); (sys.__stderr__.flush if sys.__stderr__ is not sys.stderr else (lambda: None))()
status_text
tk_library
tk.tcl
tclInit
tcl_findLibrary
rename ::source ::_source
_image_data
Tcl_Init
Tcl_CreateInterp
Tcl_FindExecutable
Tcl_DoOneEvent
Tcl_Finalize
Tcl_FinalizeThread
Tcl_DeleteInterp
Tcl_CreateThread
Tcl_GetCurrentThread
Tcl_MutexLock
Tcl_MutexUnlock
Tcl_ConditionFinalize
Tcl_ConditionNotify
Tcl_ConditionWait
Tcl_ThreadQueueEvent
Tcl_ThreadAlert
Tcl_GetVar2
Tcl_SetVar2
Tcl_CreateObjCommand
Tcl_GetString
Tcl_NewStringObj
Tcl_NewByteArrayObj
Tcl_SetVar2Ex
Tcl_GetObjResult
Tcl_EvalFile
Tcl_EvalEx
Tcl_EvalObjv
Tcl_Alloc
Tcl_Free
Tk_Init
Tk_GetNumMainWindows
TMPDIR
LD_LIBRARY_PATH
LD_LIBRARY_PATH_ORIG
LISTEN_PID
pyi-bootloader-ignore-signals
/var/tmp
/usr/tmp
PYINSTALLER_STRICT_UNPACK_MODE
;*3$"
GCC: (GNU) 4.8.5 20150623 (Red Hat 4.8.5-44)
GCC: (GNU) 10.2.1 20210130 (Red Hat 10.2.1-11)
e2hLX;0
zUaPB
a*,a)
No antivirus engine scan information!

Process tree


cmd.exe, PID: 2540, parent PID: 2248
services.exe, PID: 432, parent PID: 344
svchost.exe, PID: 2868, parent PID: 432
rundll32.exe, PID: 3004, parent PID: 2540
svchost.exe, PID: 2348, parent PID: 432
mspaint.exe, PID: 2372, parent PID: 3004
WerFault.exe, PID: 2304, parent PID: 2348
AcroRd32.exe, PID: 816, parent PID: 304
mscorsvw.exe, PID: 2996, parent PID: 432
mscorsvw.exe, PID: 1496, parent PID: 432

TCP

Source address | Source port | Destination address | Destination port
192.168.122.201 49161 23.15.196.139 80

UDP

Source address | Source port | Destination address | Destination port
192.168.122.201 59401 192.168.122.1 53
192.168.122.201 65178 192.168.122.1 53

HTTP requests

URI | HTTP data
http://acroipm.adobe.com/11/rdr/CHS/win/nooem/none/message.zip
GET /11/rdr/CHS/win/nooem/none/message.zip HTTP/1.1
Accept: */*
If-Modified-Since: Mon, 08 Nov 2017 08:44:36 GMT
User-Agent: IPM
Host: acroipm.adobe.com
Connection: Keep-Alive
Cache-Control: no-cache

SMTP traffic

No SMTP traffic.

IRC traffic

No IRC requests.

ICMP traffic

No ICMP traffic.

CIF report

No CIF results

Network alerts

No alerts

TLS

No TLS

Suricata HTTP

No Suricata HTTP

No network-extracted files found
No files were dropped.
No similar analyses found.

Processing ( 40.405 seconds )

  • 16.413 BehaviorAnalysis
  • 12.197 Suricata
  • 11.15 NetworkAnalysis
  • 0.61 TargetInfo
  • 0.02 Strings
  • 0.012 AnalysisInfo
  • 0.002 Memory
  • 0.001 Static

Signatures ( 7.447 seconds )

  • 1.345 proprietary_url_bl
  • 0.849 api_spamming
  • 0.656 stealth_timeout
  • 0.63 stealth_decoy_document
  • 0.583 antiav_detectreg
  • 0.549 injection_createremotethread
  • 0.33 injection_runpe
  • 0.269 injection_explorer
  • 0.232 infostealer_ftp
  • 0.155 mimics_filetime
  • 0.134 reads_self
  • 0.124 stealth_file
  • 0.121 antianalysis_detectreg
  • 0.114 infostealer_im
  • 0.103 bootkit
  • 0.102 virus
  • 0.095 antivm_generic_scsi
  • 0.095 antivm_generic_disk
  • 0.067 infostealer_mail
  • 0.064 hancitor_behavior
  • 0.04 anormaly_invoke_kills
  • 0.038 antivm_generic_services
  • 0.035 shifu_behavior
  • 0.034 proprietary_anomaly_massive_file_ops
  • 0.03 kibex_behavior
  • 0.03 darkcomet_regkeys
  • 0.029 antivm_xen_keys
  • 0.027 antiav_detectfile
  • 0.027 antivm_parallels_keys
  • 0.025 geodo_banking_trojan
  • 0.025 recon_fingerprint
  • 0.023 betabot_behavior
  • 0.023 antivm_generic_diskreg
  • 0.019 stack_pivot
  • 0.019 antisandbox_productid
  • 0.018 proprietary_malicious_write_executeable_under_temp_to_regrun
  • 0.018 infostealer_bitcoin
  • 0.017 proprietary_anomaly_write_exe_and_obsfucate_extension
  • 0.015 kovter_behavior
  • 0.012 proprietary_anomaly_write_exe_and_dll_under_winroot_run
  • 0.011 proprietary_anomaly_invoke_vb_vba
  • 0.01 antiemu_wine_func
  • 0.01 infostealer_browser_password
  • 0.01 antivm_vbox_files
  • 0.01 antivm_vbox_keys
  • 0.01 antivm_vmware_keys
  • 0.01 proprietary_domain_bl
  • 0.009 rat_luminosity
  • 0.009 bypass_firewall
  • 0.009 antivm_generic_bios
  • 0.009 antivm_generic_cpu
  • 0.009 antivm_xen_keys
  • 0.009 antivm_hyperv_keys
  • 0.009 antivm_vbox_acpi
  • 0.009 antivm_vpc_keys
  • 0.009 packer_armadillo_regkey
  • 0.008 anomaly_persistence_autorun
  • 0.008 h1n1_behavior
  • 0.008 antivm_generic_system
  • 0.008 recon_programs
  • 0.007 proprietary_anomaly_terminated_process
  • 0.007 hawkeye_behavior
  • 0.007 antidbg_windows
  • 0.006 antivm_vbox_libs
  • 0.006 ransomware_files
  • 0.005 ransomware_extensions
  • 0.004 infostealer_browser
  • 0.004 ransomware_message
  • 0.004 sets_autoconfig_url
  • 0.004 ipc_namedpipe
  • 0.004 securityxploded_modules
  • 0.004 antidbg_devices
  • 0.004 network_http
  • 0.003 network_tor
  • 0.003 antiav_avast_libs
  • 0.003 antisandbox_sunbelt_libs
  • 0.003 disables_browser_warn
  • 0.003 rat_pcclient
  • 0.002 tinba_behavior
  • 0.002 rat_nanocore
  • 0.002 disables_spdy
  • 0.002 dridex_behavior
  • 0.002 antivm_vmware_libs
  • 0.002 kazybot_behavior
  • 0.002 antisandbox_sboxie_libs
  • 0.002 antiav_bitdefender_libs
  • 0.002 exec_crash
  • 0.002 disables_wfp
  • 0.002 antivm_vmware_files
  • 0.002 browser_security
  • 0.002 modify_proxy
  • 0.002 codelux_behavior
  • 0.002 network_torgateway
  • 0.001 andromeda_behavior
  • 0.001 office_dl_write_exe
  • 0.001 office_write_exe
  • 0.001 anomaly_persistence_bootexecute
  • 0.001 anomaly_reset_winsock
  • 0.001 antivm_vbox_window
  • 0.001 Locky_behavior
  • 0.001 creates_largekey
  • 0.001 ransomeware_modifies_desktop_wallpaper
  • 0.001 antivm_vmware_events
  • 0.001 creates_nullvalue
  • 0.001 vawtrak_behavior
  • 0.001 cerber_behavior
  • 0.001 antisandbox_script_timer
  • 0.001 cryptowall_behavior
  • 0.001 sniffer_winpcap
  • 0.001 antianalysis_detectfile
  • 0.001 antivm_vpc_files
  • 0.001 antiemu_wine_reg
  • 0.001 banker_cridex
  • 0.001 banker_zeus_mutex
  • 0.001 bot_drive
  • 0.001 bot_drive2
  • 0.001 browser_addon
  • 0.001 disables_system_restore
  • 0.001 malicous_targeted_flame
  • 0.001 proprietary_malicious_drop_executable_file_to_temp_folder
  • 0.001 proprietary_bad_drop
  • 0.001 network_cnc_http
  • 0.001 network_tor_service
  • 0.001 stealth_modify_uac_prompt

Reporting ( 0.662 seconds )

  • 0.58 ReportHTMLSummary
  • 0.082 Malheur
Task ID 744124
Mongo ID 66223da27e769a7c1a16ebfc
Cuckoo release 1.4-Maldun