魔盾安全分析报告
| 分析类型 | 开始时间 | 结束时间 | 持续时间 | 分析引擎版本 |
|---|---|---|---|---|
| FILE | 2024-03-27 14:47:17 | 2024-03-27 14:47:52 | 35 秒 | 1.4-Maldun |
| 虚拟机机器名 | 标签 | 虚拟机管理 | 开机时间 | 关机时间 |
|---|---|---|---|---|
| win7-sp1-x64-shaapp02-1 | win7-sp1-x64-shaapp02-1 | KVM | 2024-03-27 14:47:17 | 2024-03-27 14:47:55 |
| 魔盾分数 |
|---|
10.0恶意的 |
文件详细信息
| 文件名 | setup名单_6005.exe |
|---|---|
| 文件大小 | 964832 字节 |
| 文件类型 | PE32+ executable (GUI) x86-64, for MS Windows |
| CRC32 | 974246A9 |
| MD5 | c19e4e33de1edafcf09bc203e8d8fba2 |
| SHA1 | 17b7c068fb3cc83f94648ce1bd42b61c01206bc1 |
| SHA256 | 94913436fe18dfdc8b8c9734e6c06981005c5613dce35267c769a930e67d83d8 |
| SHA512 | f90ecbf01955be7df0c090956c8564f4e37cf1830799bbe3499f86a781aeb76a382c1266d797328f16c30383103b6c8648dc79239e467f638a1974b90633ed58 |
| Ssdeep | 12288:XGrZDCLgMutQ2d1YKogh4KgNK30M34x23zPkxgdpuXdV1dCFo2a/zG7:XGN4gMuX1t4KgN63zjP6g2zMoV |
| PEiD | 无匹配 |
| Yara |
|
| VirusTotal | VirusTotal查询失败 |
特征
创建RWX内存
专有的Yara检测结果 - 普通
二进制文件可能包含加密或压缩数据
section: name: .text, entropy: 7.82, characteristics: IMAGE_SCN_CNT_CODE|IMAGE_SCN_MEM_EXECUTE|IMAGE_SCN_MEM_READ, raw_size: 0x000c4400, virtual_size: 0x000c4398
检查系统制造商,可能被用来实现反虚拟机
异常的二进制特征
anomaly: Found duplicated section names
可疑的样本异常终止
检查Bios版本,可能被用来实现反虚拟机
检查注册表中的磁盘驱动器,可能被用来实现反虚拟机
通过ACPI技术检测VirtualBox系统
通过注册表键检测VirtualBox系统
通过注册表键检测VMware系统
运行截图
网络分析
TCP连接
| IP地址 | 端口 |
|---|---|
| 23.11.213.29 | 80 |
UDP连接
| IP地址 | 端口 |
|---|---|
| 192.168.122.1 | 53 |
HTTP请求
| URL | HTTP数据 |
|---|---|
| http://acroipm.adobe.com/11/rdr/CHS/win/nooem/none/message.zip | GET /11/rdr/CHS/win/nooem/none/message.zip HTTP/1.1 Accept: */* If-Modified-Since: Mon, 08 Nov 2017 08:44:36 GMT User-Agent: IPM Host: acroipm.adobe.com Connection: Keep-Alive Cache-Control: no-cache |
静态分析
PE 信息
| 初始地址 | 0x140000000 |
|---|---|
| 入口地址 | 0x140121f58 |
| 声明校验值 | 0x00000000 |
| 实际校验值 | 0x000f09d9 |
| 最低操作系统版本要求 | 5.2 |
| 编译时间 | 2024-03-21 07:14:55 |
| 载入哈希 | 6bacdfff9e1d109d8cef8d11bec512c0 |
版本信息
| LegalCopyright: | Copyright (C) 2009-2022 Oracle Corporation |
| InternalName: | VBoxHeadless |
| FileVersion: | 6.1.36.152435 |
| CompanyName: | Oracle Corporation |
| PrivateBuild: | Private build by Administrator |
| ProductName: | Oracle VM VirtualBox |
| ProductVersion: | 6.1.36.152435 |
| FileDescription: | VirtualBox Headless Frontend |
| OriginalFilename: | VBoxHeadless.exe |
| Translation: | 0x0409 0x04b0 |
PE数据组成
| 名称 | 虚拟地址 | 虚拟大小 | 原始数据大小 | 特征 | 熵(Entropy) |
|---|---|---|---|---|---|
| .text | 0x00001000 | 0x000153e2 | 0x00000000 | IMAGE_SCN_CNT_CODE|IMAGE_SCN_MEM_EXECUTE|IMAGE_SCN_MEM_READ | 0.00 |
| .rdata | 0x00017000 | 0x000075b2 | 0x00000000 | IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_READ | 0.00 |
| .data | 0x0001f000 | 0x000041a4 | 0x00000000 | IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_READ|IMAGE_SCN_MEM_WRITE | 0.00 |
| .pdata | 0x00024000 | 0x00001410 | 0x00000000 | IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_READ | 0.00 |
| .vdata | 0x00026000 | 0x0000068c | 0x00000000 | IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_READ | 0.00 |
| .vdata | 0x00027000 | 0x00023600 | 0x00000000 | IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_READ | 0.00 |
| .text | 0x0004b000 | 0x000c3478 | 0x00000000 | IMAGE_SCN_CNT_CODE|IMAGE_SCN_MEM_EXECUTE|IMAGE_SCN_MEM_READ | 0.00 |
| .data | 0x0010f000 | 0x000097f0 | 0x00000000 | IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_READ|IMAGE_SCN_MEM_WRITE | 0.00 |
| .text | 0x00119000 | 0x000c4398 | 0x000c4400 | IMAGE_SCN_CNT_CODE|IMAGE_SCN_MEM_EXECUTE|IMAGE_SCN_MEM_READ | 7.82 |
| .data | 0x001de000 | 0x000002b0 | 0x00000400 | IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_READ|IMAGE_SCN_MEM_WRITE | 2.31 |
| .reloc | 0x001df000 | 0x00000048 | 0x00000200 | IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_DISCARDABLE|IMAGE_SCN_MEM_READ | 0.92 |
| .rsrc | 0x001e0000 | 0x000234dc | 0x00023600 | IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_READ | 6.70 |
导入
库 WINHTTP.dll:
• 0x1401de290 - WinHttpOpen
库 USER32.dll:
• 0x1401de298 - CharLowerA
库 KERNEL32.dll:
• 0x1401de2a0 - GetProcessHeap
投放文件
行为分析
互斥量(Mutexes)
无信息
执行的命令
无信息
创建的服务
无信息
启动的服务
无信息
进程
setup_______6005.exe PID: 2524, 上一级进程 PID: 2180
访问的文件
- C:\Users\test\AppData\Local\Temp\MSCVRT.DLL
- C:\Windows\sysnative\MSCVRT.DLL
- C:\Windows\system\MSCVRT.DLL
- C:\Windows\MSCVRT.DLL
- C:\ProgramData\Oracle\Java\javapath\MSCVRT.DLL
- C:\Windows\sysnative\wbem\MSCVRT.DLL
- C:\Windows\sysnative\WindowsPowerShell\v1.0\MSCVRT.DLL
- C:\Program Files (x86)\WinRAR\MSCVRT.DLL
- C:\Windows\Globalization\Sorting\sortdefault.nls
读取的文件
- C:\Windows\Globalization\Sorting\sortdefault.nls
修改的文件
无信息
删除的文件
无信息
注册表键
- HKEY_LOCAL_MACHINE\HARDWARE\DEVICEMAP\Scsi\Scsi Port 0\Scsi Bus 0\Target Id 0\Logical Unit Id 0
- HKEY_LOCAL_MACHINE\HARDWARE\DEVICEMAP\Scsi\Scsi Port 1\Scsi Bus 0\Target Id 0\Logical Unit Id 0
- HKEY_LOCAL_MACHINE\HARDWARE\DEVICEMAP\Scsi\Scsi Port 2\Scsi Bus 0\Target Id 0\Logical Unit Id 0
- HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\SystemInformation
- HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\SystemInformation\SystemManufacturer
- HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\SystemInformation\SystemProductName
- HKEY_LOCAL_MACHINE\HARDWARE\Description\System
- HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion
- HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion
- HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate
- HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__
- HKEY_LOCAL_MACHINE\HARDWARE\ACPI\FADT\VBOX__
- HKEY_LOCAL_MACHINE\HARDWARE\ACPI\RSDT\VBOX__
- HKEY_LOCAL_MACHINE\SOFTWARE\Oracle\VirtualBox Guest Additions
- HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\VBoxGuest
- HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\VBoxMouse
- HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\VBoxService
- HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\VBoxSF
- HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\VBoxVideo
- HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\vioscsi
- HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\viostor
- HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\VirtIO-FS Service
- HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\VirtioSerial
- HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\BALLOON
- HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\BalloonService
- HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\netkvm
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Virtual Machine\Guest\Parameters
- HKEY_LOCAL_MACHINE\SOFTWARE\VMware, Inc.\VMware Tools
- HKEY_LOCAL_MACHINE\SOFTWARE\Wine
- HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Disk\Enum
- HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\Count
- HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0
- HKEY_LOCAL_MACHINE\System\CurrentControlSet\Enum\IDE
- HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\GRE_Initialize
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\GRE_Initialize\DisableMetaFiles
读取的注册表键
- HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\SystemInformation\SystemManufacturer
- HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\SystemInformation\SystemProductName
- HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion
- HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion
- HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate
- HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\Count
- HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\GRE_Initialize\DisableMetaFiles
修改的注册表键
无信息
删除的注册表键
无信息
API解析
- winhttp.dll.WinHttpOpen
- user32.dll.CharLowerA
- kernel32.dll.GetProcessHeap
- kernel32.dll.MultiByteToWideChar
- kernel32.dll.DeleteFileA
- kernel32.dll.SetEndOfFile
- kernel32.dll.CreateFileW
- kernel32.dll.CreateFileA
- kernel32.dll.WriteConsoleW
- kernel32.dll.SetStdHandle
- kernel32.dll.GetStringTypeW
- kernel32.dll.IsValidLocale
- kernel32.dll.EnumSystemLocalesA
- kernel32.dll.GetLocaleInfoA
- kernel32.dll.GetUserDefaultLCID
- kernel32.dll.IsValidCodePage
- kernel32.dll.Sleep
- kernel32.dll.InitializeCriticalSection
- kernel32.dll.DeleteCriticalSection
- kernel32.dll.EnterCriticalSection
- kernel32.dll.LeaveCriticalSection
- kernel32.dll.GetLastError
- kernel32.dll.HeapFree
- kernel32.dll.HeapAlloc
- kernel32.dll.HeapReAlloc
- kernel32.dll.GetProcAddress
- kernel32.dll.GetModuleHandleW
- kernel32.dll.ExitProcess
- kernel32.dll.GetCommandLineW
- kernel32.dll.GetStartupInfoW
- kernel32.dll.RaiseException
- kernel32.dll.RtlPcToFileHeader
- kernel32.dll.RtlLookupFunctionEntry
- kernel32.dll.RtlUnwindEx
- kernel32.dll.WideCharToMultiByte
- kernel32.dll.LCMapStringW
- kernel32.dll.GetCPInfo
- kernel32.dll.TerminateProcess
- kernel32.dll.GetCurrentProcess
- kernel32.dll.UnhandledExceptionFilter
- kernel32.dll.SetUnhandledExceptionFilter
- kernel32.dll.IsDebuggerPresent
- kernel32.dll.RtlVirtualUnwind
- kernel32.dll.RtlCaptureContext
- kernel32.dll.SetHandleCount
- kernel32.dll.GetStdHandle
- kernel32.dll.InitializeCriticalSectionAndSpinCount
- kernel32.dll.GetFileType
- kernel32.dll.HeapSetInformation
- kernel32.dll.GetVersion
- kernel32.dll.HeapCreate
- kernel32.dll.WriteFile
- kernel32.dll.GetModuleFileNameW
- kernel32.dll.ReadFile
- kernel32.dll.SetFilePointer
- kernel32.dll.GetConsoleCP
- kernel32.dll.GetConsoleMode
- kernel32.dll.FlushFileBuffers
- kernel32.dll.CloseHandle
- kernel32.dll.LoadLibraryW
- kernel32.dll.GetLocaleInfoW
- kernel32.dll.FlsGetValue
- kernel32.dll.FlsSetValue
- kernel32.dll.FlsFree
- kernel32.dll.SetLastError
- kernel32.dll.GetCurrentThreadId
- kernel32.dll.FlsAlloc
- kernel32.dll.FreeEnvironmentStringsW
- kernel32.dll.GetEnvironmentStringsW
- kernel32.dll.QueryPerformanceCounter
- kernel32.dll.GetTickCount
- kernel32.dll.GetCurrentProcessId
- kernel32.dll.GetSystemTimeAsFileTime
- kernel32.dll.HeapSize
- kernel32.dll.GetACP
- kernel32.dll.GetOEMCP
- winhttp.dll.WinHttpQueryDataAvailable
- winhttp.dll.WinHttpOpenRequest
- winhttp.dll.WinHttpConnect
- winhttp.dll.WinHttpSendRequest
- winhttp.dll.WinHttpReceiveResponse
- winhttp.dll.WinHttpReadData
- winhttp.dll.WinHttpCloseHandle
- ntdll.dll.NtSetContextThread
- ntdll.dll.NtClose
- ntdll.dll.NtGetContextThread
- ntdll.dll.NtOpenThread
- ntdll.dll.NtQuerySystemInformation
- ntdll.dll.NtFreeVirtualMemory
- ntdll.dll.NtAllocateVirtualMemory
- kernel32.dll.CheckRemoteDebuggerPresent
- kernel32.dll.RegEnumKeyExA
- kernel32.dll.RegQueryInfoKeyA
- shlwapi.dll.PathCombineA
- kernel32.dll.GetWindowsDirectoryA
- kernel32.dll.GetFileAttributesA
- kernel32.dll.RegCloseKey
- shell32.dll.StrStrIA
- kernel32.dll.RegQueryValueExA
- kernel32.dll.RegOpenKeyExA
- ntdll.dll.NtSetInformationThread
- kernel32.dll.RemoveVectoredExceptionHandler
- kernel32.dll.AddVectoredExceptionHandler
- kernel32.dll.GetThreadContext
- kernel32.dll.GetCurrentThread
- ntdll.dll.NtQueryInformationProcess
- kernel32.dll.GetModuleHandleA
- winmm.dll.timeSetEvent
- winmm.dll.timeKillEvent
- kernel32.dll.VirtualProtect
- kernel32.dll.IsProcessorFeaturePresent
- kernel32.dll.InitializeSListHead
- kernel32.dll.InterlockedFlushSList
- kernel32.dll.TlsAlloc
- kernel32.dll.TlsGetValue
- kernel32.dll.TlsSetValue
- kernel32.dll.TlsFree
- kernel32.dll.FreeLibrary
- kernel32.dll.LoadLibraryExW
- kernel32.dll.GetModuleHandleExW
- kernel32.dll.FindClose
- kernel32.dll.FindFirstFileExW
- kernel32.dll.FindNextFileW
- kernel32.dll.GetCommandLineA
- kernel32.dll.GetConsoleOutputCP
- kernel32.dll.SetFilePointerEx
- kernel32.dll.InitializeCriticalSectionEx
- kernel32.dll.LCMapStringEx
- kernel32.dll.AreFileApisANSI
- kernel32.dll.EnumSystemFirmwareTables
- kernel32.dll.GetSystemFirmwareTable
- kernel32.dll.SortGetHandle
- kernel32.dll.SortCloseHandle