1.0
低危
DACN
0.12
FACILE
1.00
IMCLNet
0.63
MFGraph
0.00
反病毒引擎
| 查杀引擎 | 查杀结果 | 查杀时间 | 查杀版本 |
|---|---|---|---|
| Alibaba | None | 20190527 | 0.3.0.5 |
| Avast | Win32:Shifu-B [Trj] | 20190901 | 18.4.3895.0 |
| Baidu | None | 20190318 | 1.0.0.2 |
| CrowdStrike | win/malicious_confidence_100% (D) | 20190702 | 1.0 |
| Kingsoft | None | 20190901 | 2013.8.14.323 |
| McAfee | GenericRXEY-JP!19F61B4E8A5C | 20190901 | 6.0.6.653 |
| Tencent | Win32.Trojan-banker.Shifu.Ecbe | 20190901 | 1.0.0.1 |
静态指标
可执行文件包含未知的 PE 段名称,可能指示打包器(可能是误报)
(1 个事件)
| section | . |
动态指标
网络通信
与未执行 DNS 查询的主机进行通信
(2 个事件)
| host | 114.114.114.114 | |||
| host | 8.8.8.8 | |||
文件已被 VirusTotal 上 58 个反病毒引擎识别为恶意
(50 out of 58 个事件)
| APEX | Malicious |
| AVG | Win32:Shifu-B [Trj] |
| Acronis | suspicious |
| Ad-Aware | Gen:Trojan.Heur.kqW@XUK2H3i |
| AhnLab-V3 | Trojan/Win32.Shifu.R164118 |
| Antiy-AVL | Trojan/Win32.TSGeneric |
| Arcabit | Trojan.Heur.ED86B |
| Avast | Win32:Shifu-B [Trj] |
| Avira | TR/Dropper.Gen |
| BitDefender | Gen:Trojan.Heur.kqW@XUK2H3i |
| CAT-QuickHeal | Trojan.Zenshirsh.SL7 |
| ClamAV | Win.Trojan.Shifu-6330434-1 |
| Comodo | TrojWare.Win32.Shifu.AK@5v0un7 |
| CrowdStrike | win/malicious_confidence_100% (D) |
| Cybereason | malicious.e8a5ca |
| Cylance | Unsafe |
| Cyren | W32/Shifu.A.gen!Eldorado |
| DrWeb | Trojan.MulDrop7.20629 |
| ESET-NOD32 | Win32/Spy.Shiz.NCR |
| Emsisoft | Gen:Trojan.Heur.kqW@XUK2H3i (B) |
| Endgame | malicious (high confidence) |
| F-Prot | W32/Shifu.A.gen!Eldorado |
| F-Secure | Trojan.TR/Dropper.Gen |
| FireEye | Generic.mg.19f61b4e8a5cad19 |
| Fortinet | W32/Generic.AP.2272DE!tr |
| GData | Win32.Trojan-Spy.Shiz.D |
| Ikarus | Trojan-Banker.ShiFu |
| Invincea | heuristic |
| Jiangmin | Trojan.Yakes.akc |
| K7AntiVirus | Spyware ( 004ce3951 ) |
| K7GW | Spyware ( 004ce3951 ) |
| Kaspersky | Trojan-Banker.Win32.Shifu.eph |
| Lionic | Trojan.Win32.Shifu.tnsd |
| MAX | malware (ai score=89) |
| McAfee | GenericRXEY-JP!19F61B4E8A5C |
| McAfee-GW-Edition | BehavesLike.Win32.TrojanShifu.cz |
| MicroWorld-eScan | Gen:Trojan.Heur.kqW@XUK2H3i |
| Microsoft | Backdoor:Win32/Simda!rfn |
| NANO-Antivirus | Trojan.Win32.Shiz.dvsrfy |
| Panda | Trj/GdSda.A |
| Qihoo-360 | HEUR/QVM20.1.96F7.Malware.Gen |
| Rising | Trojan.Shiz!1.A8EF (CLASSIC) |
| SUPERAntiSpyware | Spyware.Agent/Gen-Shiz |
| SentinelOne | DFI - Malicious PE |
| Sophos | Troj/Agent-BBUD |
| Symantec | Trojan.Gen.MBT |
| TACHYON | Trojan/W32.Agent.168448.TE |
| Tencent | Win32.Trojan-banker.Shifu.Ecbe |
| Trapmine | malicious.high.ml.score |
| TrendMicro | TSPY_SHIZ.SMCP |
二进制图像
288x288
224x224
192x192
160x160
128x128
96x96
64x64
32x32
运行截图
暂无运行截图
该样本运行过程中未生成截图
PE Compile Time
2015-08-21 18:28:13
PE Imphash
29c4c5f8766667965cf6248336ce2ba0
Sections
| Name | Virtual Address | Virtual Size | Size of Raw Data | Entropy |
|---|---|---|---|---|
| . | 0x00001000 | 0x000021aa | 0x00002200 | 6.335800151355562 |
| . | 0x00004000 | 0x00000f4a | 0x00001000 | 6.40975155356642 |
| . | 0x00005000 | 0x00025abc | 0x00025600 | 0.7417474493433958 |
| . | 0x0002b000 | 0x000005cc | 0x00000600 | 0.0 |
Imports
Library KERNEL32.dll:
• 0x404048 GetLastError
• 0x40404c CloseHandle
• 0x404050 GetModuleFileNameW
• 0x404054 DeleteFileA
• 0x404058 GetProcessHeap
• 0x40405c WaitForSingleObject
• 0x404060 HeapFree
• 0x404064 HeapAlloc
• 0x404068 GetCommandLineW
• 0x40406c LocalFree
• 0x404070 GetVersionExA
• 0x404074 LocalAlloc
• 0x404078 LoadLibraryA
• 0x40407c FreeLibrary
• 0x404080 GetModuleHandleA
• 0x404084 GetProcAddress
• 0x404088 GetTempPathA
• 0x40408c GetCurrentProcessId
• 0x404090 GetModuleFileNameA
• 0x404094 GetVersionExW
• 0x404098 Sleep
• 0x40409c GlobalFindAtomA
• 0x4040a0 ExpandEnvironmentStringsA
• 0x4040a4 GetCurrentProcess
• 0x4040a8 GlobalAddAtomA
• 0x4040ac SetErrorMode
• 0x4040b0 lstrcpynA
• 0x4040b4 ExitProcess
• 0x4040b8 GetTickCount
• 0x4040bc CreateFileA
• 0x4040c0 GetShortPathNameA
• 0x4040c4 GetHandleInformation
• 0x4040c8 SetPriorityClass
• 0x4040cc GetCurrentThread
• 0x4040d0 WriteFile
• 0x4040d4 ReadFile
• 0x4040d8 SetThreadPriority
• 0x4040dc GetFileSizeEx
• 0x4040e0 CopyFileA
• 0x4040e4 SetFileAttributesA
• 0x4040e8 GetTempFileNameA
Library USER32.dll:
• 0x404130 wsprintfW
• 0x404134 DestroyWindow
• 0x404138 keybd_event
• 0x40413c GetMessageA
• 0x404140 SetTimer
• 0x404144 RegisterClassExA
• 0x404148 PostQuitMessage
• 0x40414c KillTimer
• 0x404150 TranslateMessage
• 0x404154 CreateWindowExA
• 0x404158 DefWindowProcA
• 0x40415c FlashWindow
• 0x404160 DispatchMessageA
• 0x404164 UpdateWindow
• 0x404168 ShowWindow
Library SHELL32.dll:
• 0x4040f8 ShellExecuteExW
• 0x4040fc ShellExecuteExA
• 0x404100 SHGetFolderPathW
• 0x404104 SHGetFolderPathA
Library PSAPI.DLL:
• 0x4040f0 GetModuleBaseNameW
Library SHLWAPI.dll:
• 0x40410c PathAppendW
• 0x404110 PathAddBackslashA
• 0x404114 PathFindFileNameA
• 0x404118 PathFileExistsA
• 0x40411c PathAddExtensionA
• 0x404120 PathIsDirectoryA
• 0x404124 PathCombineA
• 0x404128 StrStrNIW
Library ntdll.dll:
• 0x404170 RtlImageNtHeader
• 0x404174 _stricmp
• 0x404178 ZwClose
• 0x40417c memset
• 0x404180 _alloca_probe
• 0x404184 strstr
• 0x404188 _snprintf
• 0x40418c RtlUnwind
Library ADVAPI32.dll:
• 0x404000 CryptGetHashParam
• 0x404004 CryptAcquireContextA
• 0x404008 CryptCreateHash
• 0x40400c CryptDestroyHash
• 0x404010 CryptHashData
• 0x404014 OpenProcessToken
• 0x404018 GetSidSubAuthority
• 0x40401c GetSidSubAuthorityCount
• 0x404020 GetTokenInformation
• 0x404024 RegSetValueExA
• 0x404028 RegQueryValueExA
• 0x40402c RegCreateKeyA
• 0x404030 RegOpenKeyExA
• 0x404034 RegDeleteValueA
• 0x404038 RegFlushKey
• 0x40403c RegCloseKey
• 0x404040 CryptReleaseContext
L!This program cannot be run in DOS mode.
M+QPP3
@:u+;u
_^[UQSh
t}SWh~e
;u&t"t
@:uQ+Q
4muUZ95\B
E;0sQi
PYYt1hE@
W3WWWj
Wj[_^UV395(B
Ht;Ht/
^]%XA@
UXSVWj,3EVPE0
EPVEPj
VVPVVjdh
e_^[UE
SW33;t'
3;u'V5(A@
SVW3j<SV]}
PP E;u
3;tJSPPj%P
E_^[SV5@@
3_uuu}9u
ta9ut\EPVVu
tF9utOVu
t-VEPEPWu=
re^[UQe
Ee^UQe
;utj0Xh
@:u+@PPj
UQQEPj
SVW= @@
UQSVWj
VWj<3X}]
EPEPEPWVu
t&t"PEPVu
S3V3]9]
t\W3]}EPu
};t!SEPVWu
US3V9]
tD;t@Wh
;tJVPWWN
tkV5 A@
YYE_^E
WSSj#S
W3!}9}
EPPt.9}t)V
M3%9Hu
t*VHt F
`t$$L$(|$,tftb
AP32uS^
rK)rG9N
u/L$09N
a`t$$D$(|$,L$0PQ
rQL$<+L$
QL$<+L$
$rHV)^l$
QL$<+L$
+|$,|$
a`t$$L$(A@
+SVWEePEEE
Y_^[QVC20XC00U
]_^[]UL$
USVWUj
t ;t$$t
wwTw"wSww9wkwv{wwxww
|w|]|\|I|0%|=
|l|]|Q(||w
|f|)|(|!|N|W||B$|0|'|
xw\wGwWow
bwfwecwEw
wkw\wwdww
BOwAOw
jHqA}
kdzbeO\
iLA`rqg
@l2u\E
a=-fAv
\cQkkbal
eLXaMQ:t
jiCn4Fg
c;d>jm
i]Wbgeq6l
8ROggW
A`Ugn1yiFa
fo%6hRw
[&wowG
eibkaEl
`MGiIwn>Jj
)WTg#.zfJa
h]+o*7
RH a6dKg
ExitProcess
lstrcpynA
SetErrorMode
GlobalAddAtomA
GetCurrentProcess
ExpandEnvironmentStringsA
GlobalFindAtomA
GetVersionExW
GetModuleFileNameA
GetCurrentProcessId
GetTempPathA
GetProcAddress
GetModuleHandleA
FreeLibrary
LoadLibraryA
LocalAlloc
GetVersionExA
LocalFree
GetCommandLineW
HeapAlloc
HeapFree
WaitForSingleObject
GetProcessHeap
GetModuleFileNameW
GetLastError
CloseHandle
DeleteFileA
KERNEL32.dll
UpdateWindow
DispatchMessageA
FlashWindow
ShowWindow
DefWindowProcA
CreateWindowExA
TranslateMessage
KillTimer
PostQuitMessage
RegisterClassExA
SetTimer
GetMessageA
keybd_event
DestroyWindow
wsprintfW
USER32.dll
SHGetFolderPathA
ShellExecuteExW
SHGetFolderPathW
ShellExecuteExA
SHELL32.dll
CoUninitialize
CoInitializeEx
ole32.dll
GetModuleBaseNameW
PSAPI.DLL
PathFindFileNameA
PathFileExistsA
StrStrNIW
PathAppendW
SHLWAPI.dll
strstr
_snprintf
ntdll.dll
CreateFileA
GetShortPathNameA
GetHandleInformation
SetPriorityClass
GetCurrentThread
WriteFile
ReadFile
SetThreadPriority
GetFileSizeEx
CopyFileA
SetFileAttributesA
GetTempFileNameA
GetTickCount
CryptGetHashParam
CryptReleaseContext
CryptAcquireContextA
CryptCreateHash
CryptDestroyHash
CryptHashData
OpenProcessToken
GetSidSubAuthority
GetSidSubAuthorityCount
GetTokenInformation
RegSetValueExA
RegQueryValueExA
RegCreateKeyA
RegOpenKeyExA
RegDeleteValueA
RegFlushKey
RegCloseKey
ADVAPI32.dll
PathAddBackslashA
PathAddExtensionA
PathIsDirectoryA
PathCombineA
ZwClose
RtlImageNtHeader
_stricmp
_alloca_probe
memset
RtlUnwind
E.LOVDNS.
dO K+O
<A #3m;
4dtDc}
zYI33KhhzJ6
/3!ij-;'*l{w
proggamcGn Otbeu_i
4Fs|]yPp5
(.rdat
lBN$eD
PQ0x0(
el oc$
n$] HV
yN1XG/}
!?"PEy
C;).9t0n
"TD_V|
Hl4FNb@fTL}HX=
y0q2WbVNS
dyYu_6
(tpb6\Y
#t&EbW
f$?(;h_yk
""W\S~
-L4lC
kb!gx!
h&Vt9\QQ(
ei(P]sHK173XS[hYs(dc
i$Xu4!
[]Ls$A\
HHmPYR2
1I\Xx0
ucj0!${
,D~LXQ+
u@EF):
`"H[1EPHS
,~Z?\5
A=EBGt
'i"<@u
$DeP|6N@
Kaq'B7`t1j
dl=OV+=
StCD),+
G<t8kP{i
}J@$hzW6A
YFq8Q#k#
%tPma-y
3mPD^mJ$,Q
VcYaA?
MQjX\KPQ4'
W(@^P%
'W8;f'uOK
W18hU HlD
^}%L!:mg&jTA
TbasV5*
]Jm|/tz
WS7PSYA
X]'F*N)j
[d$O>QP
WS19At
t/=c.'
#HX9wec
dEbD!
F%n B0*L49
D~p|CN"
B1E5VIC !Y
CP{N/=cI
+7[(0h/
LVyB2Zh [6q%
D7yHaaOgny2TMS
02E5YYKm
srBSLAGoFp
C:\WINDOWS\system32\08bfcee86793c7c800cd17cd3b7192600794f856accd3cef0a30a03268863e92.exe
C:\Documents and Settings\All Users\Application Data\db2680jdjj.exe
�/�c� �s�t�a�r�t� �"�"� �"�%�s�"� �%�s�
c�m�d�.�e�x�e�
2�.�1�.�0�.�3�
S�n�d�V�o�l�.�e�x�e�
M�i�c�r�o�s�o�f�t� �C�o�r�p�o�r�a�t�i�o�n�
R�e�d�i�r�e�c�t�E�X�E�
c�m�d�.�e�x�e�
E�:�\�a�M�L�w�4�l�c�d�p�0�U�U�\�C�r�7�9�w�S�j�S�q�U�N�l�\�m�D�7�q�9�Z�R�o�\�J�l�U�7�z�Q�W�N�f�E�
E�:�\�f�t�M�L�\�8�1�P�H�b�s�v�c�i�v�C�\�P�P�a�B�q�f�f�I�p�\�p�p�D�F�p�k�\�j�e�5�6�R�m�2�Y�S�G�O�
*�W�a�r�n� �m�e� �i�f� �m�y� �b�a�t�t�e�r�y� �m�a�y� �n�e�e�d� �r�e�p�l�a�c�e�m�e�n�t�
P�o�w�e�r� �O�p�t�i�o�n�s�
W�i�n�d�o�w�s� �M�o�b�i�l�i�t�y� �C�e�n�t�e�r�
A�d�j�u�s�t� �s�c�r�e�e�n� �b�r�i�g�h�t�n�e�s�s�
B�a�t�t�e�r�y� �M�e�t�e�r�
C�u�r�r�e�n�t� �p�o�w�e�r� �p�l�a�n�:� �
U�n�k�n�o�w�n�2�Y�o�u�r� �c�u�r�r�e�n�t� �p�l�a�n� �m�i�g�h�t� �r�e�d�u�c�e� �s�y�s�t�e�m� �p�e�r�f�o�r�m�a�n�c�e�.�,�Y�o�u�r� �c�u�r�r�e�n�t� �p�l�a�n� �m�i�g�h�t� �r�e�d�u�c�e� �b�a�t�t�e�r�y� �l�i�f�e�.�:�Y�o�u�r� �c�u�r�r�e�n�t� �b�r�i�g�h�t�n�e�
s� �a� �p�r�o�b�l�e�m� �w�i�t�h� �y�o�u�r� �b�a�t�t�e�r�y�,� �s�o� �y�o�u�r� �c�o�m�p�u�t�e�r� �m�i�g�h�t� �s�h�u�t� �d�o�w�n� �s�u�d�d�e�n�l�y�.�P�B�a�t�t�e�r�y� �h�e�a�
h� �w�a�r�n�i�n�g�s� �a�r�e�
i�s�a�b�l�e�d�,� �s�o� �y�o�u�r� �c�o�m�p�u�
e�a�t�t�e�r�y� �M�e�t�e�r�
L�e�a�r�n� �h�o�w� �t�o� �c�o�n�s�e�r�v�e� �p�o�w�
Hosts
| IP |
|---|
| 114.114.114.114 |
| 8.8.8.8 |
DNS
| Name | Response | Post-Analysis Lookup |
|---|---|---|
| dns.msftncsi.com | A 131.107.255.255 | 131.107.255.255 |
| dns.msftncsi.com | AAAA fd3e:4f5a:5b81::1 | 131.107.255.255 |
TCP
No TCP connections recorded.
UDP
| Source | Source Port | Destination | Destination Port |
|---|---|---|---|
| 192.168.56.101 | 53179 | 224.0.0.252 | 5355 |
| 192.168.56.101 | 49642 | 224.0.0.252 | 5355 |
| 192.168.56.101 | 137 | 192.168.56.255 | 137 |
| 192.168.56.101 | 61714 | 114.114.114.114 | 53 |
| 192.168.56.101 | 61714 | 8.8.8.8 | 53 |
| 192.168.56.101 | 56933 | 8.8.8.8 | 53 |
| 192.168.56.101 | 138 | 192.168.56.255 | 138 |
HTTP & HTTPS Requests
No HTTP requests performed.
ICMP traffic
No ICMP traffic performed.
IRC traffic
No IRC requests performed.
Suricata Alerts
No Suricata Alerts
Suricata TLS
No Suricata TLS
Snort Alerts
No Snort Alerts
Sorry! No dropped files.
Sorry! No dropped buffers.