Maldun Security Analysis Report

Analysis type: FILE | Start time: 2024-04-19 13:33:01 | End time: 2024-04-19 13:35:10 | Duration: 129 s | Engine version: 1.4-Maldun
VM name: win7-sp1-x64-shaapp03-1 | Label: win7-sp1-x64-shaapp03-1 | Hypervisor: KVM | Booted: 2024-04-19 13:33:01 | Shut down: 2024-04-19 13:35:12
Maldun score

3.9

Suspicious

File details

File name wsock32.dll
File size 280576 bytes
File type PE32 executable (DLL) (console) Intel 80386, for MS Windows
CRC32 B36DAF44
MD5 2433ddadfdb3dd670cbf2897dd1ac38c
SHA1 708a3a6c41fd20a9bcb34fb5bd4a8875bce09a8d
SHA256 86cd587bd87dc5245eadfb7e8c6ebcc4d20d148cd3005d95a863c0ee992083c4
SHA512 50189683ecaffa02af3e2f91d88a1b0620f07f2991458301c7960192cc2e5205ea70791472b1b3c057ed6e29d832c28849c72dd97e4aa0a8ba9b56bcc86d44f7
Ssdeep 6144:QXqWcA6EGLd0a6KFAryDOfgF3ptG8/V8o45qmbr5sMXJOmyuD:QTd69LqaFVD0gpHG8d8oIqYrNZMuD
PEiD no match
Yara (static rules matched against the file; the network_* hits key on the socket API names this DLL imports and exports, not on observed traffic)
  • BLOWFISH_Constants (Look for Blowfish constants)
  • IsPE32 (Detected a 32bit PE sample)
  • IsDLL (Detect a DLL sample)
  • IsConsole (Detected a console program sample)
  • IsPacked (Detected Entropy signature)
  • HasDebugData (Detected Debug Data)
  • HasRichSignature (Detected Rich Signature)
  • DebuggerTiming__PerformanceCounter ()
  • DebuggerTiming__Ticks (Detected timing ticks function)
  • network_udp_sock (Communications over UDP socket)
  • network_tcp_listen (Listen for incoming communication)
  • network_tcp_socket (Detected network communications over RAW socket)
  • network_dns (Detected network communications use DNS)
  • create_process (Detection function for creating a new process)
  • win_private_profile (Detected private profile access function)
  • Maldun_Anomoly_Combined_Activities_7 (Spotted potential malicious behaviors from a small target: process manipulation, privilege, token and file operations)
VirusTotal lookup failed

Signatures

Creates RWX memory
The binary may contain encrypted or compressed data
section: name: .pdata\x00\x01, entropy: 7.90, characteristics: IMAGE_SCN_CNT_CODE|IMAGE_SCN_MEM_EXECUTE|IMAGE_SCN_MEM_READ|IMAGE_SCN_MEM_WRITE, raw_size: 0x0002b000, virtual_size: 0x0002b000
section: name: .vmp1, entropy: 7.93, characteristics: IMAGE_SCN_CNT_CODE|IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_EXECUTE|IMAGE_SCN_MEM_READ|IMAGE_SCN_MEM_WRITE, raw_size: 0x00011c00, virtual_size: 0x00011a7a
Proprietary Yara rule hit - security alert
Critical: Spotted potential malicious behaviors from a small target: process manipulation, privilege, token and file operations
The executable may be packed with VMProtect
section: {'name': '.vmp0', 'characteristics': 'IMAGE_SCN_CNT_CODE|IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_EXECUTE|IMAGE_SCN_MEM_READ', 'virtual_address': '0x00006000', 'size_of_data': '0x00000200', 'entropy': '4.12', 'virtual_size': '0x00000108', 'characteristics_raw': '0x60000060'}
Anomalous binary characteristics
anomaly: Unprintable characters found in section name

Read together with the section table under Static analysis, these are the marks of a system DLL that was modified after the fact, not rebuilt: the Microsoft toolchain emits .text as read/execute only and never puts control bytes in a section name (.text\x00m\x01 and .pdata\x00\x01 here); .pdata is the exception-table section of x64 images and does not belong in a 32-bit DLL, let alone as 0x2b000 bytes of writable, executable data at entropy 7.90; and .vmp0, .vmp1 and .Silvana are not Microsoft sections at all. The Microsoft strings in the version resource are carried over from the original file and are no evidence of origin. "Creates RWX memory" is the run-time counterpart: with .text, .Silvana, .pdata\x00\x01 and .vmp1 all mapped writable and executable, the protected code can unpack in place into pages it can then execute.

Run screenshots (none included in this export)

Network analysis

TCP connections

IP address Port
104.114.76.194 80

UDP connections

IP address Port
192.168.122.1 53

HTTP requests

URL HTTP data
http://acroipm.adobe.com/11/rdr/CHS/win/nooem/none/message.zip
GET /11/rdr/CHS/win/nooem/none/message.zip HTTP/1.1
Accept: */*
If-Modified-Since: Mon, 08 Nov 2017 08:44:36 GMT
User-Agent: IPM
Host: acroipm.adobe.com
Connection: Keep-Alive
Cache-Control: no-cache

Caveat: the report attributes none of this traffic to a process. The request to acroipm.adobe.com with User-Agent IPM is Adobe Reader's in-product-messaging update check, which runs on its own inside the analysis VM, and 192.168.122.1:53 is the default libvirt/KVM NAT gateway answering the guest's DNS queries; the single TCP connection on port 80 is consistent with that same HTTP request. Treat all three as background unless a per-process capture ties them to rundll32.exe (PID 2564). Nothing here shows the sample itself contacting a host.

Static analysis

PE information

Image base 0x3fd10000
Entry point 0x3fd11120
Declared checksum 0x00052208
Actual checksum 0x00052208
Minimum OS version 6.1
PDB path wsock32.pdb
Compile time 2009-07-14 09:12:03
Import hash 1d57147ac707bdced59ba259d35cb8b4
Export DLL name WSOCK32.dll

The matching checksums only show that the header checksum was recomputed after the file was altered. The compile timestamp and the win7_rtm.090713-1255 build string below are those of the Windows 7 RTM wsock32.dll and say nothing about when the extra sections were added. The entry point (RVA 0x1120) still lies in the original .text section.

Version information

LegalCopyright: © Microsoft Corporation. All rights reserved.
InternalName: wsock32.dll
FileVersion: 6.1.7600.16385 (win7_rtm.090713-1255)
CompanyName: Microsoft Corporation
ProductName: Microsoft® Windows® Operating System
ProductVersion: 6.1.7600.16385
FileDescription: Windows Socket 32-Bit DLL
OriginalFilename: wsock32.dll
Translation: 0x0409 0x04b0

PE sections

Name Virtual address Virtual size Raw size Characteristics Entropy
.text\x00m\x01 0x00001000 0x00002d40 0x00002e00 IMAGE_SCN_CNT_CODE|IMAGE_SCN_MEM_EXECUTE|IMAGE_SCN_MEM_READ|IMAGE_SCN_MEM_WRITE 4.59
.data 0x00004000 0x00000348 0x00000200 IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_READ|IMAGE_SCN_MEM_WRITE 0.23
.rsrc 0x00005000 0x00000510 0x00000600 IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_READ 2.99
.vmp0 0x00006000 0x00000108 0x00000200 IMAGE_SCN_CNT_CODE|IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_EXECUTE|IMAGE_SCN_MEM_READ 4.12
.Silvana 0x00007000 0x00003000 0x00003000 IMAGE_SCN_CNT_CODE|IMAGE_SCN_MEM_EXECUTE|IMAGE_SCN_MEM_READ|IMAGE_SCN_MEM_WRITE 6.72
.pdata\x00\x01 0x0000a000 0x0002b000 0x0002b000 IMAGE_SCN_CNT_CODE|IMAGE_SCN_MEM_EXECUTE|IMAGE_SCN_MEM_READ|IMAGE_SCN_MEM_WRITE 7.90
.vmp1 0x00035000 0x00011a7a 0x00011c00 IMAGE_SCN_CNT_CODE|IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_EXECUTE|IMAGE_SCN_MEM_READ|IMAGE_SCN_MEM_WRITE 7.93
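The heuristics behind the Signatures section (section entropy, writable-and-executable permissions, control bytes in section names, VMProtect's .vmp* naming) are simple to reproduce from the section table alone. The following is an added example, not code from the report or from the Maldun engine: it parses the section headers of a PE32 image with nothing but struct, computes Shannon entropy per section and emits the same findings. The image it runs on is constructed in the block (a four-section layout modelled on the table above, with made-up contents) because the analysed file is not part of this page; point parse_sections at real file bytes to run it on a sample.

```python
"""Section-table triage for a PE32 file: per-section entropy, W+X permissions,
unprintable section names and VMProtect-style names (the heuristics behind the
report's feature list), run here on a constructed image, not on the sample."""
import hashlib
import math
import struct

IMAGE_SCN_CNT_CODE, IMAGE_SCN_CNT_INITIALIZED_DATA = 0x00000020, 0x00000040
IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE = 0x20000000, 0x40000000, 0x80000000
HIGH_ENTROPY = 7.0  # bits per byte; compressed or encrypted data sits near 8.0


def shannon_entropy(data):
    """Shannon entropy in bits per byte (0.0 for empty input)."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def parse_sections(pe):
    """DOS header -> PE signature -> COFF header -> 40-byte section headers.
    Yields (raw name, virtual address, virtual size, characteristics, raw data)."""
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]
    if pe[:2] != b"MZ" or pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE file")
    coff = e_lfanew + 4
    num_sections = struct.unpack_from("<H", pe, coff + 2)[0]
    size_opt = struct.unpack_from("<H", pe, coff + 16)[0]
    for i in range(num_sections):
        off = coff + 20 + size_opt + 40 * i
        vsize, vaddr, raw_size, raw_ptr = struct.unpack_from("<IIII", pe, off + 8)
        chars = struct.unpack_from("<I", pe, off + 36)[0]
        yield pe[off:off + 8], vaddr, vsize, chars, pe[raw_ptr:raw_ptr + raw_size]


def display_name(raw):
    """Render an 8-byte section name, escaping non-printable bytes as \\xNN."""
    return "".join(chr(b) if 0x20 <= b < 0x7F else "\\x%02x" % b for b in raw.rstrip(b"\0"))


def triage_sections(pe):
    """Return [(name, entropy, [findings])] for every section of the image."""
    results = []
    for name, _vaddr, _vsize, chars, data in parse_sections(pe):
        findings = []
        trimmed = name.rstrip(b"\0")           # trailing NUL padding is normal
        if any(b < 0x20 or b > 0x7E for b in trimmed):
            findings.append("unprintable characters in section name")
        if trimmed.startswith(b".vmp"):
            findings.append("VMProtect section name")
        if chars & IMAGE_SCN_MEM_WRITE and chars & IMAGE_SCN_MEM_EXECUTE:
            findings.append("writable and executable (W+X)")
        ent = shannon_entropy(data)
        if ent > HIGH_ENTROPY:
            findings.append("high entropy (%.2f): compressed or encrypted" % ent)
        results.append((display_name(name), round(ent, 2), findings))
    return results


def build_sample_pe(sections, align=0x200):
    """Constructed test image: a minimal PE32 with (name, characteristics, data) sections."""
    n, opt_size = len(sections), 0xE0
    hdr_len = -(-(0x40 + 4 + 20 + opt_size + 40 * n) // align) * align
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)             # e_lfanew
    coff = struct.pack("<HHIIIHH", 0x14C, n, 0, 0, 0, opt_size, 0x2102)  # i386, DLL
    opt = bytearray(opt_size)
    struct.pack_into("<H", opt, 0, 0x10B)               # PE32 magic
    hdrs, body, raw_ptr, vaddr = bytearray(), bytearray(), hdr_len, 0x1000
    for name, chars, data in sections:
        raw_size = -(-len(data) // align) * align
        hdrs += struct.pack("<8sIIIIIIHHI", name.ljust(8, b"\0"), len(data),
                            vaddr, raw_size, raw_ptr, 0, 0, 0, 0, chars)
        body += data.ljust(raw_size, b"\0")
        raw_ptr += raw_size
        vaddr += max(0x1000, -(-len(data) // 0x1000) * 0x1000)
    return bytes((dos + b"PE\0\0" + coff + opt + hdrs).ljust(hdr_len, b"\0") + body)


def pseudo_random(n, seed):
    """Deterministic high-entropy filler (SHA-256 in counter mode) standing in for packed code."""
    return b"".join(hashlib.sha256(seed + i.to_bytes(4, "little")).digest()
                    for i in range(-(-n // 32)))[:n]


RX = IMAGE_SCN_CNT_CODE | IMAGE_SCN_MEM_EXECUTE | IMAGE_SCN_MEM_READ
RWX = RX | IMAGE_SCN_MEM_WRITE
# Section layout modelled on the report's table; all contents are made up.
SAMPLE_PE = build_sample_pe([
    (b".text\x00m\x01", RWX, bytes(range(64)) * 64),          # control bytes in name, W+X, 6.0 bits
    (b".data", IMAGE_SCN_CNT_INITIALIZED_DATA | IMAGE_SCN_MEM_READ | IMAGE_SCN_MEM_WRITE, b"\0" * 0x300),
    (b".vmp0", RX | IMAGE_SCN_CNT_INITIALIZED_DATA, b"VMProtect stub" * 10),
    (b".vmp1", RWX | IMAGE_SCN_CNT_INITIALIZED_DATA, pseudo_random(0x4000, b"vmp1")),
])

if __name__ == "__main__":
    for name, ent, findings in triage_sections(SAMPLE_PE):
        print(f"{name:<16} {ent:5.2f}  {'; '.join(findings) or '-'}")
```

On the constructed image the .text section trips the name and W+X checks but not the entropy one (64 equiprobable byte values give exactly 6.0 bits), .vmp0 trips only the name check, and .vmp1 trips all three, the same split the report shows between its small .vmp0 stub and the 7.9-entropy payload sections. The entropy threshold of 7.0 is a working value, not a standard; legitimately compressed resources can exceed it, so it is a triage flag rather than a verdict.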

Resources

Name Offset Size Language Sublanguage Entropy File type
MUI 0x00005448 0x000000c8 LANG_ENGLISH SUBLANG_ENGLISH_US 2.69 data
RT_VERSION 0x000050b0 0x00000398 LANG_ENGLISH SUBLANG_ENGLISH_US 3.60 data

Imports

Two import sets are listed. The first (IAT at 0x3fd11000-0x3fd11060, RVA 0x1000, inside .text) is the conventional one and holds only what the original wsock32.dll code needs: the four WS2_32 functions behind its locally implemented exports, CRT start-up, and the kernel32 calls the CRT uses. The second (0x3fd17289-0x3fd174ee, RVA 0x7289-0x74ee, inside the non-standard .Silvana section, and not 4-byte aligned as a linker-built IAT would be) belongs to the added code and is the capability list worth reading: LoadLibraryA/GetProcAddress for run-time resolution, OpenProcess/VirtualProtectEx/WriteProcessMemory for writing into another process, CreateProcessA and CreateThread, CreateFileA/ReadFile/GetModuleFileNameA for reading its own image or another file, and WritePrivateProfileStringA for INI writes. MFC42.dll is imported by ordinal only (shown as None), which is why the behaviour section records MFC42.dll and MFC42LOC.DLL being located.

Library WS2_32.dll:
0x3fd11000 - WSARecv
0x3fd11004 - getsockopt
0x3fd11008 - WSARecvFrom
0x3fd1100c - setsockopt
Library msvcrt.dll:
0x3fd11014 - _except_handler4_common
0x3fd11018 - _amsg_exit
0x3fd1101c - _initterm
0x3fd11020 - free
0x3fd11024 - malloc
0x3fd11028 - _XcptFilter
Library KERNEL32.dll:
0x3fd11030 - InterlockedExchange
0x3fd11034 - SetLastError
0x3fd11038 - InterlockedCompareExchange
0x3fd1103c - QueryPerformanceCounter
0x3fd11040 - SetUnhandledExceptionFilter
0x3fd11044 - UnhandledExceptionFilter
0x3fd11048 - GetCurrentProcess
0x3fd1104c - TerminateProcess
0x3fd11050 - GetSystemTimeAsFileTime
0x3fd11054 - GetCurrentProcessId
0x3fd11058 - GetCurrentThreadId
0x3fd1105c - GetTickCount
0x3fd11060 - Sleep
Library KERNEL32.dll (second import set, in .Silvana):
0x3fd17289 - LoadLibraryA
0x3fd1728d - GetModuleHandleA
0x3fd17291 - GetProcAddress
0x3fd17295 - FreeLibrary
0x3fd17299 - VirtualProtect
0x3fd1729d - GetCurrentDirectoryA
0x3fd172a1 - CreateProcessA
0x3fd172a5 - CloseHandle
0x3fd172a9 - GetCurrentProcessId
0x3fd172ad - GetSystemTimeAsFileTime
0x3fd172b1 - QueryPerformanceCounter
0x3fd172b5 - GetModuleFileNameA
0x3fd172b9 - CreateFileA
0x3fd172bd - GetFileSize
0x3fd172c1 - ReadFile
0x3fd172c5 - GetCurrentProcessId
0x3fd172c9 - OpenProcess
0x3fd172cd - VirtualProtectEx
0x3fd172d1 - WriteProcessMemory
0x3fd172d5 - InterlockedCompareExchange
0x3fd172d9 - WritePrivateProfileStringA
0x3fd172dd - CreateThread
0x3fd172e1 - InterlockedCompareExchange
0x3fd172e5 - InterlockedCompareExchange
0x3fd172e9 - InterlockedCompareExchange
0x3fd172ed - InterlockedCompareExchange
0x3fd172f1 - InterlockedCompareExchange
0x3fd172f5 - InterlockedCompareExchange
0x3fd172f9 - InterlockedCompareExchange
Library MSVCRT.dll (second import set, in .Silvana):
0x3fd17400 - fopen
0x3fd17404 - fread
0x3fd17408 - fclose
0x3fd1740c - ftell
0x3fd17410 - fseek
0x3fd17414 - strstr
0x3fd17418 - sprintf
0x3fd1741c - _mbsnbicmp
0x3fd17420 - memmove
0x3fd17424 - memset
0x3fd17428 - strncpy
0x3fd1742c - _strnicmp
0x3fd17430 - strstr
0x3fd17434 - _mbsnbicmp
0x3fd17438 - _mbsnbicmp
0x3fd1743c - _mbsnbicmp
0x3fd17440 - _mbsnbicmp
0x3fd17444 - _mbsnbicmp
0x3fd17448 - _mbsnbicmp
0x3fd1744c - _mbsnbicmp
0x3fd17450 - _mbsnbicmp
0x3fd17454 - _mbsnbicmp
Library MFC42.dll (second import set, in .Silvana; imported by ordinal):
0x3fd174ca - None
0x3fd174ce - None
0x3fd174d2 - None
0x3fd174d6 - None
0x3fd174da - None
0x3fd174de - None
0x3fd174e2 - None
0x3fd174e6 - None
0x3fd174ea - None
0x3fd174ee - None

Exports

The export table is that of the genuine wsock32.dll. Every entry except recv, recvfrom, getsockopt and setsockopt has its address in 0x3fd13382-0x3fd1392f, and consecutive entries are spaced by exactly the length of a "WS2_32.<name>" or "MSWSOCK.<name>" string plus its terminator (AcceptEx to EnumProtocolsA: 17 bytes = "MSWSOCK.AcceptEx" + NUL; accept to bind: 14 bytes = "WS2_32.accept" + NUL), so they are forwarders to WS2_32.dll and MSWSOCK.dll, as in the system file. The other four point at code in .text (RVA 0x17a8-0x18e0) and are the ones backed by the first WS2_32 import set above. A program that loads this file in place of the real wsock32.dll therefore keeps working, which is exactly what a proxy DLL used for side-loading needs.

Ordinal Address Name
1141 0x3fd13382 AcceptEx
1111 0x3fd13393 EnumProtocolsA
1112 0x3fd133aa EnumProtocolsW
1142 0x3fd133c1 GetAcceptExSockaddrs
1109 0x3fd133de GetAddressByNameA
1110 0x3fd133f8 GetAddressByNameW
1115 0x3fd13412 GetNameByTypeA
1116 0x3fd13429 GetNameByTypeW
1119 0x3fd13440 GetServiceA
1120 0x3fd13454 GetServiceW
1113 0x3fd13468 GetTypeByNameA
1114 0x3fd1347f GetTypeByNameW
24 0x3fd13496 MigrateWinsockConfiguration
1130 0x3fd134ba NPLoadNameSpaces
1117 0x3fd134d3 SetServiceA
1118 0x3fd134e7 SetServiceW
1140 0x3fd134fb TransmitFile
500 0x3fd13510 WEP
102 0x3fd1351b WSAAsyncGetHostByAddr
103 0x3fd13538 WSAAsyncGetHostByName
105 0x3fd13555 WSAAsyncGetProtoByName
104 0x3fd13573 WSAAsyncGetProtoByNumber
107 0x3fd13593 WSAAsyncGetServByName
106 0x3fd135b0 WSAAsyncGetServByPort
101 0x3fd135cd WSAAsyncSelect
108 0x3fd135e3 WSACancelAsyncRequest
113 0x3fd13600 WSACancelBlockingCall
116 0x3fd1361d WSACleanup
111 0x3fd1362f WSAGetLastError
114 0x3fd13646 WSAIsBlocking
1107 0x3fd1365b WSARecvEx
109 0x3fd1366d WSASetBlockingHook
112 0x3fd13687 WSASetLastError
115 0x3fd1369e WSAStartup
110 0x3fd136b0 WSAUnhookBlockingHook
1000 0x3fd136cd WSApSetPostRoutine
151 0x3fd136e7 __WSAFDIsSet
1 0x3fd136fb accept
2 0x3fd13709 bind
3 0x3fd13715 closesocket
4 0x3fd13728 connect
1106 0x3fd13737 dn_expand
51 0x3fd13749 gethostbyaddr
52 0x3fd1375e gethostbyname
57 0x3fd13773 gethostname
1101 0x3fd13786 getnetbyname
5 0x3fd1379b getpeername
53 0x3fd137ae getprotobyname
54 0x3fd137c4 getprotobynumber
55 0x3fd137dc getservbyname
56 0x3fd137f1 getservbyport
6 0x3fd13806 getsockname
7 0x3fd1186e getsockopt
8 0x3fd13819 htonl
9 0x3fd13826 htons
10 0x3fd13833 inet_addr
1100 0x3fd13844 inet_network
11 0x3fd13859 inet_ntoa
12 0x3fd1386a ioctlsocket
13 0x3fd1387d listen
14 0x3fd1388b ntohl
15 0x3fd13898 ntohs
1102 0x3fd138a5 rcmd
16 0x3fd117a8 recv
17 0x3fd11808 recvfrom
1103 0x3fd138b2 rexec
1104 0x3fd138c0 rresvport
1108 0x3fd138d2 s_perror
18 0x3fd138e3 select
19 0x3fd138f1 send
20 0x3fd138fd sendto
1105 0x3fd1390b sethostname
21 0x3fd118e0 setsockopt
22 0x3fd1391f shutdown
23 0x3fd1392f socket
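The forwarder inference above can be automated from nothing more than the address column of a listing like this one. The following is an added example, not code from the report or from the Maldun engine, and the technique is a spacing heuristic of my own: a forwarded export's address points at the ASCII string "LIB.Name" stored in the export directory, so when exports are sorted by address the distance to the next one equals len("LIB.Name") + 1. The listing embedded in the block is a subset of the table above (enough to cover both forwarder targets and the four locally implemented exports); the candidate target DLLs WS2_32 and MSWSOCK are assumed from what the genuine wsock32.dll forwards to. The last string in any run cannot be resolved by spacing alone, which is why the verdict for those is "code-or-run-end"; parsing the export directory (an address inside the export directory's own range is a forwarder by definition) settles the remainder.

```python
"""Infer which exports of a proxy DLL are forwarders from nothing more than
the address column of an export listing (a spacing heuristic, not a parser)."""

# Entries copied from the report's export table (ordinal, VA, name).  A subset
# is enough to show the method; it behaves the same on the full table.
EXPORT_LISTING = """\
16 0x3fd117a8 recv
17 0x3fd11808 recvfrom
7 0x3fd1186e getsockopt
21 0x3fd118e0 setsockopt
1 0x3fd136fb accept
2 0x3fd13709 bind
3 0x3fd13715 closesocket
4 0x3fd13728 connect
1106 0x3fd13737 dn_expand
51 0x3fd13749 gethostbyaddr
52 0x3fd1375e gethostbyname
57 0x3fd13773 gethostname
1101 0x3fd13786 getnetbyname
5 0x3fd1379b getpeername
53 0x3fd137ae getprotobyname
"""

# DLLs the genuine wsock32.dll forwards to (assumed candidate set).  Their
# names differ in length by one, so a given gap matches at most one of them.
FORWARD_TARGETS = ("WS2_32", "MSWSOCK")


def parse_listing(text):
    """'ordinal hexaddr name' lines -> list of (ordinal, address, name)."""
    rows = []
    for line in text.splitlines():
        if line.strip():
            ordinal, addr, name = line.split()
            rows.append((int(ordinal), int(addr, 16), name))
    return rows


def classify_exports(rows, targets=FORWARD_TARGETS):
    """Map each export name to 'forwarder->LIB' or 'code-or-run-end'.

    A forwarded export's address points at the string "LIB.Name\\0" in the
    export directory, so in address order the distance to the next export is
    exactly len("LIB.Name") + 1.  Any other gap means the address points at
    code, or the export is the last string of its run and spacing cannot tell."""
    ordered = sorted(rows, key=lambda r: r[1])
    verdicts = {}
    for (_, addr, name), nxt in zip(ordered, ordered[1:] + [None]):
        verdict = "code-or-run-end"
        if nxt is not None:
            gap = nxt[1] - addr
            for lib in targets:
                if gap == len(f"{lib}.{name}") + 1:
                    verdict = f"forwarder->{lib}"
                    break
        verdicts[name] = verdict
    return verdicts


def summarize(verdicts):
    """Count exports per verdict."""
    counts = {}
    for v in verdicts.values():
        counts[v] = counts.get(v, 0) + 1
    return counts


if __name__ == "__main__":
    v = classify_exports(parse_listing(EXPORT_LISTING))
    for name, verdict in v.items():
        print(f"{name:<16} {verdict}")
    print(summarize(v))
```

On this subset the four low-address exports come out as code-or-run-end (they are the real implementations), dn_expand and getnetbyname resolve to MSWSOCK, the rest of the run to WS2_32, and getprotobyname is left unresolved only because its successor was not copied into the subset. A chance match between a code export and a string length is possible in principle, so use the result to decide where to look, then confirm against the export directory.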

Dropped files

none recorded

Behaviour analysis

Mutexes none recorded
Commands executed none recorded
Services created none recorded
Services started none recorded

Processes

rundll32.exe PID: 2564, parent PID: 2248

Files accessed
(The nine SelfCode.dll paths below are the loader's probe trail for a LoadLibrary of a DLL that exists nowhere on the system, in SafeDllSearchMode order: the directory of rundll32.exe, System32, the 16-bit system directory, the Windows directory, the current directory, then each PATH entry. A SelfCode.dll planted in any writable directory on that trail, %TEMP% included, would be loaded into rundll32.exe. The *.Manifest lookups and the MFC42LOC.DLL probes are normal loader and MFC start-up behaviour.)
  • C:\Users\test\AppData\Local\Temp\wsock32.dll
  • C:\Users\test\AppData\Local\Temp\wsock32.dll.123.Manifest
  • C:\Users\test\AppData\Local\Temp\wsock32.dll.124.Manifest
  • C:\Users\test\AppData\Local\Temp\wsock32.dll.2.Manifest
  • C:\Windows\SysWOW64\rundll32.exe
  • C:\Users\test\AppData\Local\Temp\MFC42.dll
  • C:\Windows\System32\mfc42.dll
  • C:\Users\test\AppData\Local\Temp\ODBC32.dll
  • C:\Windows\System32\odbc32.dll
  • C:\Windows\System32\MFC42LOC.DLL
  • C:\Windows\System32\MFC42LOC.DLL.DLL
  • C:\Windows\sysnative\MFC42LOC.DLL
  • C:\Windows\sysnative\MFC42LOC.DLL.DLL
  • C:\Windows\SysWOW64\SelfCode.dll
  • C:\Windows\System32\SelfCode.dll
  • C:\Windows\system\SelfCode.dll
  • C:\Windows\SelfCode.dll
  • C:\Users\test\AppData\Local\Temp\SelfCode.dll
  • C:\ProgramData\Oracle\Java\javapath\SelfCode.dll
  • C:\Windows\System32\wbem\SelfCode.dll
  • C:\Windows\System32\WindowsPowerShell\v1.0\SelfCode.dll
  • C:\Program Files (x86)\WinRAR\SelfCode.dll
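To check that reading of the probe trail rather than eyeball it, here is an added example, not code from the report or from the Maldun engine: it models the default (SafeDllSearchMode) search order, regenerates the probe list for SelfCode.dll and compares it with the paths recorded above, then lists the probe locations a low-privileged user could write to before any legitimate copy would be found. The application directory is taken to be that of rundll32.exe, the system directory is written as the sandbox logged it, the PATH entries are inferred from the trail itself because the report does not print %PATH%, and only %TEMP% is treated as user-writable; all four are assumptions.

```python
"""Model the default Windows DLL search order (SafeDllSearchMode) and use it
to explain the SelfCode.dll probe trail in the sandbox file list, then list
where a user could plant a DLL that the loader would pick up."""
from pathlib import PureWindowsPath

# Values taken from the report.  PATH entries are inferred from the probe trail
# itself (the report does not print %PATH%), so treat them as an assumption.
APP_DIR = r"C:\Windows\SysWOW64"            # directory of rundll32.exe, the loading process
SYSTEM_DIR = r"C:\Windows\System32"         # as the sandbox logged it
WINDOWS_DIR = r"C:\Windows"
CWD = r"C:\Users\test\AppData\Local\Temp"   # where the sample was dropped and run from
PATH_DIRS = [
    r"C:\ProgramData\Oracle\Java\javapath",
    r"C:\Windows\System32\wbem",
    r"C:\Windows\System32\WindowsPowerShell\v1.0",
    r"C:\Program Files (x86)\WinRAR",
]
USER_WRITABLE = [CWD]  # assumption: only %TEMP% counts as writable by the low-privileged user

# The SelfCode.dll probes exactly as they appear under "Files accessed".
OBSERVED_SELFCODE_PROBES = [
    r"C:\Windows\SysWOW64\SelfCode.dll",
    r"C:\Windows\System32\SelfCode.dll",
    r"C:\Windows\system\SelfCode.dll",
    r"C:\Windows\SelfCode.dll",
    r"C:\Users\test\AppData\Local\Temp\SelfCode.dll",
    r"C:\ProgramData\Oracle\Java\javapath\SelfCode.dll",
    r"C:\Windows\System32\wbem\SelfCode.dll",
    r"C:\Windows\System32\WindowsPowerShell\v1.0\SelfCode.dll",
    r"C:\Program Files (x86)\WinRAR\SelfCode.dll",
]


def safe_dll_search_dirs(app_dir, system_dir, windows_dir, cwd, path_dirs):
    """Directories probed by LoadLibrary("name.dll") with SafeDllSearchMode on
    (the default): application dir, System32, the 16-bit system dir, the
    Windows dir, the current directory, then each PATH entry in order."""
    return [app_dir, system_dir, str(PureWindowsPath(windows_dir, "system")),
            windows_dir, cwd, *path_dirs]


def probe_paths(dll_name, dirs):
    """Full paths the loader tries, in order."""
    return [str(PureWindowsPath(d, dll_name)) for d in dirs]


def hijack_candidates(probes, existing, writable_dirs):
    """Paths where a user-planted copy would win: every writable probe location
    searched before the first directory that really holds the DLL (all of
    them when no legitimate copy exists anywhere, as for SelfCode.dll)."""
    writable = {PureWindowsPath(d) for d in writable_dirs}
    present = {PureWindowsPath(p) for p in existing}
    out = []
    for p in probes:
        path = PureWindowsPath(p)
        if path in present:
            break
        if path.parent in writable:
            out.append(p)
    return out


def selfcode_probe_paths():
    """Probe list the model predicts for the unresolved SelfCode.dll load."""
    dirs = safe_dll_search_dirs(APP_DIR, SYSTEM_DIR, WINDOWS_DIR, CWD, PATH_DIRS)
    return probe_paths("SelfCode.dll", dirs)


if __name__ == "__main__":
    probes = selfcode_probe_paths()
    print("model matches sandbox trail:", probes == OBSERVED_SELFCODE_PROBES)
    for p in hijack_candidates(probes, existing=[], writable_dirs=USER_WRITABLE):
        print("plantable:", p)
```

The same function applies to the MFC42.dll and ODBC32.dll entries, which the sandbox shows being probed in %TEMP% before System32: with the System32 copy marked as existing, hijack_candidates still reports the %TEMP% path as a location where a planted DLL would be loaded first. PureWindowsPath comparisons are case-insensitive, so the mixed-case MFC42.dll/mfc42.dll spellings in the report compare as intended.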
Files read
  • C:\Users\test\AppData\Local\Temp\wsock32.dll
  • C:\Users\test\AppData\Local\Temp\wsock32.dll.123.Manifest
  • C:\Users\test\AppData\Local\Temp\wsock32.dll.124.Manifest
  • C:\Users\test\AppData\Local\Temp\wsock32.dll.2.Manifest
  • C:\Windows\SysWOW64\rundll32.exe
  • C:\Windows\System32\mfc42.dll
  • C:\Windows\System32\odbc32.dll
Files modified none recorded
Files deleted none recorded
Registry keys opened
  • HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\SideBySide
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\BidInterface\Loader
  • HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\Windows Error Reporting\WMR
  • HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\Windows Error Reporting\WMR\Disable
  • HKEY_CURRENT_USER\SOFTWARE\ODBC\ODBC.INI\ODBC
  • HKEY_LOCAL_MACHINE\SOFTWARE\ODBC\ODBC.INI\ODBC
Registry keys read
  • HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\Windows Error Reporting\WMR\Disable
Registry keys modified none recorded
Registry keys deleted none recorded
API resolution
(wsock32.dll.#1 is ordinal 1 of the sample, which the export table maps to accept, a WS2_32 forwarder; this is consistent with the sandbox driving the DLL through rundll32.exe by that ordinal. The behaviour recorded above is therefore what DllMain and that single export did under rundll32; a host that loads the file as its real wsock32.dll may exercise other paths.)
  • kernel32.dll.TryEnterCriticalSection
  • kernel32.dll.SetCriticalSectionSpinCount
  • wsock32.dll.#1