5.6
High risk

SHA256: ddc24f2e6ce31f41e8f9195c2612384abad5baf2797cd3a99f8e48de0430f184

File name: 01b426c7da2feb3a2169cd9b1638e0dd.exe

Analysis duration

88s

Latest analysis

File size

220.5KB
Static detection: flagged as malicious. Dynamic detection: flagged as malicious.
Hawkeye engine
Not detected: no Hawkeye engine detection results are available yet.
Static verdict
Antivirus engines
Engine  Result  Scan time  Engine version
Alibaba Worm:Win32/Ganelp.6bad7d94 20190527 0.3.0.5
Avast Win32:Dropper-GHV [Drp] 20201210 21.1.5827.0
Baidu Win32.Trojan.Agent.dc 20190318 1.0.0.2
Kingsoft Heur.SSC.2043.1216.(kcloud) 20201211 2017.9.26.565
McAfee W32/Autorun.worm.bca 20201211 6.0.6.653
Tencent Trojan.Win32.FakeFolder.bba 20201211 1.0.0.1
CrowdStrike win/malicious_confidence_100% (W) 20190702 1.0
Static indicators
Behavior verdict
Dynamic indicators
Checks whether any human activity is being performed by constantly checking whether the foreground window changed
Foreign language identified in PE resource (1 event)
name RT_VERSION language LANG_TURKISH offset 0x000427e0 filetype data sublanguage SUBLANG_DEFAULT size 0x00000348
Creates executable files on the filesystem (1 event)
file C:\Program Files (x86)\38c63b78\jusched.exe
Drops a binary and executes it (1 event)
file C:\Program Files (x86)\38c63b78\jusched.exe
Network communication
Communicates with host for which no DNS query was performed (1 event)
host 172.217.24.14
Installs itself for autorun at Windows startup (1 event)
file C:\Windows\Tasks\Update23.job
Operates on local firewall's policies and settings (1 event)
registry HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List
Generates some ICMP traffic
File has been identified by 62 AntiVirus engines on VirusTotal as malicious (50 out of 62 events shown)
Bkav W32.FamVT.LencerN.Trojan
Elastic malicious (high confidence)
DrWeb Trojan.Proxy.19251
MicroWorld-eScan Worm.Generic.377591
FireEye Generic.mg.01b426c7da2feb3a
CAT-QuickHeal Trojan.Mauvaise.SL1
ALYac Worm.Generic.377591
Cylance Unsafe
AegisLab Worm.Win32.Juched.lyjw
K7AntiVirus EmailWorm ( 002a8f0e1 )
Alibaba Worm:Win32/Ganelp.6bad7d94
K7GW Trojan ( 001f4ea51 )
Cybereason malicious.7da2fe
Arcabit Worm.Generic.D5C2F7
BitDefenderTheta Gen:NN.ZexaF.34670.ny2@aek9m!oO
Cyren W32/Agent.KI.gen!Eldorado
Symantec W32.Griptolo
TotalDefense Win32/Agent.BCX
APEX Malicious
Paloalto generic.ml
Cynet Malicious (score: 100)
Kaspersky HEUR:Worm.Win32.Generic
BitDefender Worm.Generic.377591
NANO-Antivirus Trojan.Win32.Yo.fbhtjq
SUPERAntiSpyware Trojan.Agent/Gen-Ganel
Avast Win32:Dropper-GHV [Drp]
Rising Trojan.Agent!1.C135 (CLASSIC)
Ad-Aware Worm.Generic.377591
Emsisoft Worm.Generic.377591 (B)
Comodo Worm.Win32.Jushed.KA@4cysvx
F-Secure Trojan.TR/Spy.Agent.586689
Baidu Win32.Trojan.Agent.dc
VIPRE Trojan.Win32.Autorun.BRF (v)
TrendMicro WORM_GANELP.SMIA
McAfee-GW-Edition BehavesLike.Win32.Autorun.dt
Sophos ML/PE-A + W32/Autorun-BRF
SentinelOne Static AI - Malicious PE
Jiangmin Trojan/Generic.aaxqk
Webroot W32.Trojan.Gen
Avira TR/Spy.Agent.586689
MAX malware (ai score=83)
Antiy-AVL Trojan/Win32.Inject
Kingsoft Heur.SSC.2043.1216.(kcloud)
Microsoft Worm:Win32/Ganelp.E
ViRobot Worm.Win32.Juched.574884
ZoneAlarm HEUR:Worm.Win32.Generic
GData Worm.Generic.377591
AhnLab-V3 Trojan/Win32.Npkon.R18258
Acronis suspicious
McAfee W32/Autorun.worm.bca
Visual analysis
Binary image
No binary image: no binary visualization image was generated for this sample.
Runtime screenshots
No runtime screenshots: no screenshots were generated while this sample ran.

PE Compile Time

1970-01-01 08:01:39

Imports

Library KERNEL32.dll:
0x43f268 GetLastError
0x43f26c GetSystemTime
0x43f270 MultiByteToWideChar
0x43f274 GetLocaleInfoA
0x43f278 GetModuleHandleA
0x43f27c FindNextFileA
0x43f280 FindFirstFileA
0x43f284 FlushFileBuffers
0x43f288 SetStdHandle
0x43f28c FindClose
0x43f290 Sleep
0x43f294 SetFilePointer
0x43f298 LCMapStringW
0x43f29c LCMapStringA
0x43f2a0 GetStringTypeW
0x43f2a4 ExitProcess
0x43f2a8 TerminateProcess
0x43f2ac GetCurrentProcess
0x43f2b0 GetStartupInfoA
0x43f2b4 GetCommandLineA
0x43f2b8 GetVersion
0x43f2bc DebugBreak
0x43f2c0 GetStdHandle
0x43f2c4 WriteFile
0x43f2cc OutputDebugStringA
0x43f2d0 GetProcAddress
0x43f2d4 LoadLibraryA
0x43f2dc GetModuleFileNameA
0x43f2e0 IsBadWritePtr
0x43f2e4 IsBadReadPtr
0x43f2e8 HeapValidate
0x43f2f8 WideCharToMultiByte
0x43f304 SetHandleCount
0x43f308 GetFileType
0x43f310 GetVersionExA
0x43f314 HeapDestroy
0x43f318 HeapCreate
0x43f31c HeapFree
0x43f320 VirtualFree
0x43f324 RtlUnwind
0x43f32c HeapAlloc
0x43f330 HeapReAlloc
0x43f334 VirtualAlloc
0x43f338 GetCPInfo
0x43f33c GetACP
0x43f340 GetOEMCP
0x43f344 GetStringTypeA
0x43f348 CloseHandle
Library USER32.dll:
0x43f3a4 MessageBoxA
Library ADVAPI32.dll:
0x43f238 GetUserNameW
Library ole32.dll:
0x43f3d4 CoUninitialize
0x43f3d8 CoCreateInstance
0x43f3dc CoInitialize

Hosts

No hosts contacted.

TCP

No TCP connections recorded.

UDP

Source Source Port Destination Destination Port
192.168.56.101 50534 114.114.114.114 53
192.168.56.101 51808 114.114.114.114 53
192.168.56.101 51963 114.114.114.114 53
192.168.56.101 56539 114.114.114.114 53
192.168.56.101 58367 114.114.114.114 53
192.168.56.101 65004 114.114.114.114 53
192.168.56.101 137 192.168.56.255 137
192.168.56.101 138 192.168.56.255 138
192.168.56.101 123 20.189.79.72 time.windows.com 123
192.168.56.101 49235 224.0.0.252 5355
192.168.56.101 56804 224.0.0.252 5355
192.168.56.101 60123 224.0.0.252 5355
192.168.56.101 62191 224.0.0.252 5355
192.168.56.101 1900 239.255.255.250 1900
192.168.56.101 56540 239.255.255.250 3702
192.168.56.101 56807 239.255.255.250 1900
192.168.56.101 58368 239.255.255.250 3702
192.168.56.101 58707 239.255.255.250 3702
192.168.56.101 51378 8.8.8.8 53
192.168.56.101 51808 8.8.8.8 53

HTTP & HTTPS Requests

No HTTP requests performed.

ICMP traffic

No ICMP traffic performed.

IRC traffic

No IRC requests performed.

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

Snort Alerts

No Snort Alerts

Sorry! No dropped files.
Sorry! No dropped buffers.