魔盾安全分析报告
| 分析类型 | 开始时间 | 结束时间 | 持续时间 | 分析引擎版本 |
|---|---|---|---|---|
| FILE | 2022-05-28 00:43:45 | 2022-05-28 00:44:19 | 34 秒 | 1.4-Maldun |
| 虚拟机机器名 | 标签 | 虚拟机管理 | 开机时间 | 关机时间 |
|---|---|---|---|---|
| win7-sp1-x64-shaapp03-1 | win7-sp1-x64-shaapp03-1 | KVM | 2022-05-28 00:43:46 | 2022-05-28 00:44:23 |
| 魔盾分数 |
|---|
10.0恶意的 |
文件详细信息
| 文件名 | blyat.exe |
|---|---|
| 文件大小 | 662528 字节 |
| 文件类型 | PE32 executable (GUI) Intel 80386, for MS Windows |
| CRC32 | 24EAE8A2 |
| MD5 | bc7fc83ce9762eb97dc28ed1b79a0a10 |
| SHA1 | 54df8f078ea7d43b25daea54e4f0a30da530289e |
| SHA256 | fea935d2d0fb1abadb900f009b4c40bb8a91fd9e25cc76ed4f9dae08960566d5 |
| SHA512 | 3b83de962fe1eae9362e659bd5efa61598da94983d0889e0859fd3488444e4d75ad295dc8089ef1ff37db0ce0bc3a2cb1e42f7e038d7b7d907d63e1633541ff2 |
| Ssdeep | 12288:egJbjIuu9HRr/nJIGaINK/lGRgOUqmq9kR6lhKXghaQlwt2NYtahQjqOeb:egKJRr7NK/cRgOnmq9g61Xm2z |
| PEiD | 无匹配 |
| Yara |
|
| VirusTotal |
VirusTotal链接 VirusTotal扫描时间: 2018-12-17 17:34:55 扫描结果: 45/68 |
特征
创建RWX内存
魔盾安全Yara检测结果 - 普通
二进制文件可能包含加密或压缩数据
section: name: , entropy: 8.00, characteristics: IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_EXECUTE|IMAGE_SCN_MEM_READ|IMAGE_SCN_MEM_WRITE, raw_size: 0x0002f000, virtual_size: 0x00069000
section: name: , entropy: 8.00, characteristics: IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_EXECUTE|IMAGE_SCN_MEM_READ|IMAGE_SCN_MEM_WRITE, raw_size: 0x0000d000, virtual_size: 0x00023000
section: name: , entropy: 8.00, characteristics: IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_EXECUTE|IMAGE_SCN_MEM_READ|IMAGE_SCN_MEM_WRITE, raw_size: 0x0000e200, virtual_size: 0x00024000
section: name: , entropy: 7.99, characteristics: IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_EXECUTE|IMAGE_SCN_MEM_READ|IMAGE_SCN_MEM_WRITE, raw_size: 0x00005000, virtual_size: 0x00008000
section: name: .data, entropy: 7.92, characteristics: IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_EXECUTE|IMAGE_SCN_MEM_READ|IMAGE_SCN_MEM_WRITE, raw_size: 0x0004b200, virtual_size: 0x0004c000
可执行文件可能使用VMProtect打包
section: {'name': '.vmp0', 'characteristics': 'IMAGE_SCN_CNT_CODE|IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_EXECUTE|IMAGE_SCN_MEM_READ', 'virtual_address': '0x00111000', 'size_of_data': '0x00003000', 'entropy': '6.67', 'virtual_size': '0x00002e5f', 'characteristics_raw': '0x60000060'}
异常的二进制特征
anomaly: Found duplicated section names
可疑的样本异常终止
可能通过原始硬盘更改安装了内核劫持(bookit)组件
文件已被至少一个VirusTotal上的反病毒引擎检测为病毒
Bkav: W32.TarfraneAB.Trojan
MicroWorld-eScan: Trojan.Agent.DLIY
CAT-QuickHeal: Trojan.DiskWriter
ALYac: Trojan.Diskwriter.gen
Cylance: Unsafe
CrowdStrike: malicious_confidence_90% (W)
BitDefender: Trojan.Agent.DLIY
K7GW: Trojan ( 00536e141 )
K7AntiVirus: Trojan ( 00536e141 )
Invincea: heuristic
Cyren: W32/Trojan.OWNF-6871
Symantec: ML.Attribute.HighConfidence
ESET-NOD32: a variant of Win32/Agent.ZTX
TrendMicro-HouseCall: TROJ_GEN.F0C2C00L118
Paloalto: generic.ml
Kaspersky: Trojan.Win32.DiskWriter.ccj
NANO-Antivirus: Trojan.Win32.DiskWriter.fksxms
Avast: Win32:Malware-gen
Rising: Trojan.Agent!8.B1E (CLOUD)
Ad-Aware: Trojan.Agent.DLIY
Sophos: Mal/Generic-S
F-Secure: Trojan.Agent.DLIY
DrWeb: Trojan.NtRootKit.19689
Zillya: Trojan.DiskWriter.Win32.290
TrendMicro: TROJ_GEN.F0C2C00L118
McAfee-GW-Edition: BehavesLike.Win32.Ramnit.jc
Trapmine: malicious.high.ml.score
Emsisoft: Trojan.Agent.DLIY (B)
Webroot: W32.Trojan.Gen
Avira: TR/Agent.erhzb
Fortinet: W32/Agent.ZTX!tr
Microsoft: Trojan:Win32/Occamy.C
AegisLab: Trojan.Win32.DiskWriter.4!c
ZoneAlarm: Trojan.Win32.DiskWriter.ccj
AhnLab-V3: Trojan/Win32.Agent.C2876741
McAfee: RDN/Generic.dx
VBA32: Trojan.DiskWriter
Malwarebytes: Trojan.Agent.UKN
Arcabit: Trojan.Agent.DLIY
Tencent: Win32.Trojan.Mbrmodifier.Auto
Ikarus: Virus.Win32.VBInject
GData: Trojan.Agent.DLIY
AVG: Win32:Malware-gen
Panda: Trj/CI.A
Qihoo-360: Win32/Trojan.20b
运行截图
网络分析
TCP连接
| IP地址 | 端口 |
|---|---|
| 23.33.33.178 | 80 |
UDP连接
| IP地址 | 端口 |
|---|---|
| 192.168.122.1 | 53 |
HTTP请求
| URL | HTTP数据 |
|---|---|
| http://acroipm.adobe.com/11/rdr/CHS/win/nooem/none/message.zip | GET /11/rdr/CHS/win/nooem/none/message.zip HTTP/1.1 Accept: */* If-Modified-Since: Mon, 08 Nov 2017 08:44:36 GMT User-Agent: IPM Host: acroipm.adobe.com Connection: Keep-Alive Cache-Control: no-cache |
静态分析
PE 信息
| 初始地址 | 0x00400000 |
|---|---|
| 入口地址 | 0x00401000 |
| 声明校验值 | 0x000a976a |
| 实际校验值 | 0x000a976a |
| 最低操作系统版本要求 | 5.1 |
| 编译时间 | 2018-06-12 21:40:25 |
| 载入哈希 | 1d4128d8d965e4b46d890fb87b60b15c |
| 图标 |  |
| 图标精确哈希值 | fb1093bdb81a01abef2584f71d265f39 |
| 图标相似性哈希值 | 3d7c03120ff255d136b551b9ed191d74 |
版本信息
| LegalCopyright: | Copyright\xc21988-2018 Kingsoft Corporation. All rights reserved. |
| MIMEType: | |
| InternalName: | ksolaunch |
| FileVersion: | 10,1,0,7671 |
| CompanyName: | Zhuhai Kingsoft Office Software Co.,Ltd |
| ProductName: | WPS Office |
| ProductVersion: | 10,1,0,7671 |
| FileDescription: | WPS Office |
| OriginalFilename: | ksolaunch.exe |
| Translation: | 0x0000 0x04b0 |
PE数据组成
| 名称 | 虚拟地址 | 虚拟大小 | 原始数据大小 | 特征 | 熵(Entropy) |
|---|---|---|---|---|---|
| 0x00001000 | 0x00069000 | 0x0002f000 | IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_EXECUTE|IMAGE_SCN_MEM_READ|IMAGE_SCN_MEM_WRITE | 8.00 | |
| 0x0006a000 | 0x00023000 | 0x0000d000 | IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_EXECUTE|IMAGE_SCN_MEM_READ|IMAGE_SCN_MEM_WRITE | 8.00 | |
| 0x0008d000 | 0x00024000 | 0x0000e200 | IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_EXECUTE|IMAGE_SCN_MEM_READ|IMAGE_SCN_MEM_WRITE | 8.00 | |
| .rsrc | 0x000b1000 | 0x00005000 | 0x00004200 | IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_EXECUTE|IMAGE_SCN_MEM_READ|IMAGE_SCN_MEM_WRITE | 5.00 |
| 0x000b6000 | 0x00008000 | 0x00005000 | IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_EXECUTE|IMAGE_SCN_MEM_READ|IMAGE_SCN_MEM_WRITE | 7.99 | |
| 0x000be000 | 0x00006000 | 0x00000000 | IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_EXECUTE|IMAGE_SCN_MEM_READ|IMAGE_SCN_MEM_WRITE | 0.00 | |
| .data | 0x000c4000 | 0x0004c000 | 0x0004b200 | IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_EXECUTE|IMAGE_SCN_MEM_READ|IMAGE_SCN_MEM_WRITE | 7.92 |
| .adata | 0x00110000 | 0x00001000 | 0x00000000 | IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_EXECUTE|IMAGE_SCN_MEM_READ|IMAGE_SCN_MEM_WRITE | 0.00 |
| .vmp0 | 0x00111000 | 0x00002e5f | 0x00003000 | IMAGE_SCN_CNT_CODE|IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_EXECUTE|IMAGE_SCN_MEM_READ | 6.67 |
| .reloc | 0x00114000 | 0x00000064 | 0x00000200 | IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_DISCARDABLE|IMAGE_SCN_MEM_READ | 1.50 |
资源
| 名称 | 偏移量 | 大小 | 语言 | 子语言 | 熵(Entropy) | 文件类型 |
|---|---|---|---|---|---|---|
| RT_ICON | 0x000b47e0 | 0x00000468 | LANG_CHINESE | SUBLANG_CHINESE_SIMPLIFIED | 4.65 | GLS_BINARY_LSB_FIRST |
| RT_ICON | 0x000b47e0 | 0x00000468 | LANG_CHINESE | SUBLANG_CHINESE_SIMPLIFIED | 4.65 | GLS_BINARY_LSB_FIRST |
| RT_ICON | 0x000b47e0 | 0x00000468 | LANG_CHINESE | SUBLANG_CHINESE_SIMPLIFIED | 4.65 | GLS_BINARY_LSB_FIRST |
| RT_GROUP_ICON | 0x000b4c48 | 0x00000030 | LANG_CHINESE | SUBLANG_CHINESE_SIMPLIFIED | 2.46 | MS Windows icon resource - 3 icons, 48x48 |
| RT_VERSION | 0x000b4c78 | 0x0000036c | LANG_ENGLISH | SUBLANG_ENGLISH_US | 3.51 | data |
| RT_MANIFEST | 0x000b4fe4 | 0x0000015a | LANG_ENGLISH | SUBLANG_ENGLISH_US | 4.80 | ASCII text, with CRLF line terminators |
导入
库 kernel32.dll:
• 0x4c4bf8 - GetProcAddress
• 0x4c4bfc - GetModuleHandleA
• 0x4c4c00 - LoadLibraryA
库 user32.dll:
• 0x4c4cf6 - GetDesktopWindow
库 advapi32.dll:
• 0x4c4cfe - ReportEventA
库 oleaut32.dll:
• 0x4c4d06 - VariantChangeTypeEx
库 kernel32.dll:
• 0x4c4d0e - RaiseException
投放文件
行为分析
互斥量(Mutexes)
无信息
执行的命令
无信息
创建的服务
无信息
启动的服务
无信息
进程
blyat.exe PID: 2496, 上一级进程 PID: 2252
访问的文件
- C:\Users\test\AppData\Local\Temp\blyat.exe
- C:\Users
- C:\Users\test
- C:\Users\test\AppData
- C:\Users\test\AppData\Local
- C:\Users\test\AppData\Local\Temp
- C:\Users\test\AppData\Local\Temp\aspr_keys.ini
- C:
- \??\PhysicalDrive0
- C:\Users\test\AppData\Local\Temp\01.dat
- C:\Users\test\AppData\Local\Temp\02.dat
读取的文件
- C:
- \??\PhysicalDrive0
- C:\Users\test\AppData\Local\Temp\01.dat
- C:\Users\test\AppData\Local\Temp\02.dat
修改的文件
- C:
- \??\PhysicalDrive0
- C:\Users\test\AppData\Local\Temp\01.dat
- C:\Users\test\AppData\Local\Temp\02.dat
删除的文件
- C:\Users\test\AppData\Local\Temp\01.dat
- C:\Users\test\AppData\Local\Temp\02.dat
注册表键
- HKEY_CURRENT_USER\Software\Borland\Locales
- HKEY_CURRENT_USER\Software\Borland\Locales\C:\Users\test\AppData\Local\Temp\blyat.exe
- HKEY_CURRENT_USER\Software\Borland\Locales\(Default)
- HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\GRE_Initialize
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\GRE_Initialize\DisableMetaFiles
读取的注册表键
- HKEY_CURRENT_USER\Software\Borland\Locales\C:\Users\test\AppData\Local\Temp\blyat.exe
- HKEY_CURRENT_USER\Software\Borland\Locales\(Default)
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\GRE_Initialize\DisableMetaFiles
修改的注册表键
无信息
删除的注册表键
无信息
API解析
- kernel32.dll.VirtualAlloc
- kernel32.dll.VirtualFree
- kernel32.dll.GetCurrentThreadId
- kernel32.dll.DeleteCriticalSection
- kernel32.dll.LeaveCriticalSection
- kernel32.dll.EnterCriticalSection
- kernel32.dll.InitializeCriticalSection
- kernel32.dll.LocalFree
- kernel32.dll.LocalAlloc
- kernel32.dll.VirtualQuery
- kernel32.dll.WideCharToMultiByte
- kernel32.dll.MultiByteToWideChar
- kernel32.dll.lstrlenA
- kernel32.dll.lstrcpynA
- kernel32.dll.lstrcpyA
- kernel32.dll.LoadLibraryExA
- kernel32.dll.GetThreadLocale
- kernel32.dll.GetStartupInfoA
- kernel32.dll.GetProcAddress
- kernel32.dll.GetModuleHandleA
- kernel32.dll.GetModuleFileNameA
- kernel32.dll.GetLocaleInfoA
- kernel32.dll.GetLastError
- kernel32.dll.GetCommandLineA
- kernel32.dll.FreeLibrary
- kernel32.dll.FindFirstFileA
- kernel32.dll.FindClose
- kernel32.dll.ExitProcess
- kernel32.dll.WriteFile
- kernel32.dll.UnhandledExceptionFilter
- kernel32.dll.SetFilePointer
- kernel32.dll.SetEndOfFile
- kernel32.dll.RtlUnwind
- kernel32.dll.ReadFile
- kernel32.dll.RaiseException
- kernel32.dll.GetStdHandle
- kernel32.dll.GetFileSize
- kernel32.dll.GetSystemTime
- kernel32.dll.GetFileType
- kernel32.dll.CreateFileA
- kernel32.dll.CloseHandle
- user32.dll.GetKeyboardType
- user32.dll.LoadStringA
- user32.dll.MessageBoxA
- user32.dll.CharNextA
- advapi32.dll.RegQueryValueExA
- advapi32.dll.RegOpenKeyExA
- advapi32.dll.RegCloseKey
- oleaut32.dll.VariantChangeTypeEx
- oleaut32.dll.VariantCopyInd
- oleaut32.dll.VariantClear
- oleaut32.dll.SysStringLen
- oleaut32.dll.SysFreeString
- oleaut32.dll.SysReAllocStringLen
- oleaut32.dll.SysAllocStringLen
- kernel32.dll.TlsSetValue
- kernel32.dll.TlsGetValue
- kernel32.dll.TlsFree
- kernel32.dll.TlsAlloc
- advapi32.dll.RegSetValueExA
- advapi32.dll.RegSetValueA
- advapi32.dll.RegQueryInfoKeyA
- advapi32.dll.RegEnumKeyExA
- advapi32.dll.RegCreateKeyExA
- kernel32.dll.WritePrivateProfileStringA
- kernel32.dll.WaitForSingleObject
- kernel32.dll.VirtualUnlock
- kernel32.dll.VirtualLock
- kernel32.dll.Sleep
- kernel32.dll.SetThreadPriority
- kernel32.dll.SetFileAttributesA
- kernel32.dll.RemoveDirectoryA
- kernel32.dll.QueryPerformanceFrequency
- kernel32.dll.QueryPerformanceCounter
- kernel32.dll.LoadLibraryA
- kernel32.dll.IsBadReadPtr
- kernel32.dll.GlobalUnlock
- kernel32.dll.GlobalHandle
- kernel32.dll.GlobalLock
- kernel32.dll.GlobalFree
- kernel32.dll.GlobalAlloc
- kernel32.dll.GetWindowsDirectoryA
- kernel32.dll.GetVolumeInformationA
- kernel32.dll.GetVersionExA
- kernel32.dll.GetThreadPriority
- kernel32.dll.GetTempPathA
- kernel32.dll.GetTempFileNameA
- kernel32.dll.GetSystemInfo
- kernel32.dll.GetPrivateProfileStringA
- kernel32.dll.GetLocalTime
- kernel32.dll.GetFileAttributesA
- kernel32.dll.GetExitCodeProcess
- kernel32.dll.GetDriveTypeA
- kernel32.dll.GetDiskFreeSpaceA
- kernel32.dll.GetDateFormatA
- kernel32.dll.GetCurrentThread
- kernel32.dll.GetCurrentProcess
- kernel32.dll.GetCurrentDirectoryA
- kernel32.dll.GetCPInfo
- kernel32.dll.FormatMessageA
- kernel32.dll.FindNextFileA
- kernel32.dll.FileTimeToLocalFileTime
- kernel32.dll.FileTimeToDosDateTime
- kernel32.dll.EnumCalendarInfoA
- kernel32.dll.DeviceIoControl
- kernel32.dll.DeleteFileA
- kernel32.dll.CreateProcessA
- kernel32.dll.CreateEventA
- kernel32.dll.CreateDirectoryA
- kernel32.dll.CopyFileA
- kernel32.dll.CompareStringA
- version.dll.VerQueryValueA
- version.dll.GetFileVersionInfoSizeA
- version.dll.GetFileVersionInfoA
- gdi32.dll.CreateFontA
- gdi32.dll.CreateDIBitmap
- user32.dll.TranslateMessage
- user32.dll.ShowWindow
- user32.dll.SetWindowTextA
- user32.dll.SetWindowPos
- user32.dll.SetFocus
- user32.dll.SetDlgItemTextA
- user32.dll.SetClipboardData
- user32.dll.SendMessageA
- user32.dll.SendDlgItemMessageA
- user32.dll.RegisterClassA
- user32.dll.PostQuitMessage
- user32.dll.PeekMessageA
- user32.dll.OpenClipboard
- user32.dll.MsgWaitForMultipleObjects
- user32.dll.LoadIconA
- user32.dll.LoadCursorA
- user32.dll.IsClipboardFormatAvailable
- user32.dll.GetWindowTextA
- user32.dll.GetWindowRect
- user32.dll.GetSystemMetrics
- user32.dll.GetMessageA
- user32.dll.GetFocus
- user32.dll.GetDlgItemTextA
- user32.dll.GetDlgItem
- user32.dll.GetDesktopWindow
- user32.dll.GetDC
- user32.dll.GetAsyncKeyState
- user32.dll.GetActiveWindow
- user32.dll.EndDialog
- user32.dll.EnableWindow
- user32.dll.EmptyClipboard
- user32.dll.DispatchMessageA
- user32.dll.DialogBoxIndirectParamA
- user32.dll.DestroyWindow
- user32.dll.DefWindowProcA
- user32.dll.CreateWindowExA
- user32.dll.CloseClipboard
- ole32.dll.CoCreateGuid
- wsock32.dll.ioctlsocket
- wsock32.dll.WSACancelBlockingCall
- wsock32.dll.WSAIsBlocking
- wsock32.dll.gethostbyname
- wsock32.dll.send
- wsock32.dll.recv
- wsock32.dll.connect
- wsock32.dll.WSACleanup
- wsock32.dll.closesocket
- wsock32.dll.shutdown
- wsock32.dll.socket
- wsock32.dll.WSAStartup
- kernel32.dll.GetLongPathNameA
- kernel32.dll.GetDiskFreeSpaceExA
- kernel32.dll.MapViewOfFile
- kernel32.dll.FindResourceA
- kernel32.dll.UnmapViewOfFile
- kernel32.dll.CreateFileMappingA
- kernel32.dll.IsDebuggerPresent
- kernel32.dll.GetCurrentProcessId
- kernel32.dll.SetLastError
- ntdll.dll.NtContinue
- ntdll.dll.NtRaiseException
- ntdll.dll.KiUserExceptionDispatcher
- ntdll.dll.NtQuerySystemInformation
- ntdll.dll.NtAllocateVirtualMemory
- ntdll.dll.NtFreeVirtualMemory
- ntdll.dll.NtMapViewOfSection
- kernel32.dll.HeapAlloc
- kernel32.dll.HeapFree
- kernel32.dll.GetCommandLineW
- kernel32.dll.HeapSetInformation
- kernel32.dll.GetStartupInfoW
- kernel32.dll.TerminateProcess
- kernel32.dll.SetUnhandledExceptionFilter
- kernel32.dll.InitializeCriticalSectionAndSpinCount
- kernel32.dll.GetModuleFileNameW
- kernel32.dll.HeapCreate
- kernel32.dll.FreeEnvironmentStringsW
- kernel32.dll.GetEnvironmentStringsW
- kernel32.dll.InterlockedIncrement
- kernel32.dll.InterlockedDecrement
- kernel32.dll.HeapSize
- kernel32.dll.WriteConsoleW
- kernel32.dll.LoadLibraryW
- kernel32.dll.HeapReAlloc
- kernel32.dll.LCMapStringW
- kernel32.dll.GetStringTypeW
- kernel32.dll.GetProcessHeap
- kernel32.dll.GetVersion
- kernel32.dll.CompareStringW
- kernel32.dll.SetConsoleMode
- kernel32.dll.GetSystemDirectoryW
- kernel32.dll.CreateFileW
- kernel32.dll.GetTickCount
- kernel32.dll.GetModuleHandleW
- kernel32.dll.ReadConsoleInputA
- user32.dll.GetProcessWindowStation
- user32.dll.GetUserObjectInformationW
- kernel32.dll.FlsAlloc
- kernel32.dll.FlsGetValue
- kernel32.dll.FlsSetValue
- kernel32.dll.FlsFree
- ntdll.dll.RtlGetVersion
- kernel32.dll.IsWow64Process