SmartHawk

3.2

中危

3 个模型检测该样本为恶意！

重新分析

下载样本

cd304a93f96f35553e903654b6c46e40c4e60271880724bdefb7dcd267fcc7db

43dad16e2ee1349fcd5d30a6b4d5276b.exe

分析耗时

816s

最近分析

文件大小

368.1KB

静态报毒动态报毒 GEN|2|103 HFSADWARE

未检测暂无鹰眼引擎检测结果

查杀引擎	查杀时间	查杀版本
McAfee	20160919	6.0.6.653
Alibaba	20160919	1.0
Baidu	20160914	1.0.0.2
Avast	20160919	8.0.1489.320
Tencent	20160919	1.0.0.1
Kingsoft	20160919	2013.8.14.323
CrowdStrike	20160725	1.0

This executable is signed

This executable has a PDB path (1 个事件)

pdb_path

E:\clientci\workspace\bdwebadapter_trunk_compile\Basic\Output\BinRelease\BDDownloadExe.pdb

Checks amount of memory in system, this can be used to detect virtual machines that have a low amount of memory available (1 个事件)

Time & API	Arguments	Status	Return	Repeated
1620946616.299924 GlobalMemoryStatusEx		success	1	0

Performs some HTTP requests (1 个事件)

request

GET http://szcloud.baidu.com/swapp/cloudpkg?req_data=%7B%22supplyid%22%3A120%2C%22com%22%3A0%2C%22way%22%3A1%2C%22guid%22%3A%223a076c1d21efa3933b8c9319da95dc56%22%2C%22time%22%3A%222021%2F05%2F14%22%2C%22cmd%22%3A%22101%22%7D

Checks whether any human activity is being performed by constantly checking whether the foreground window changed

File has been identified by 3 AntiVirus engines on VirusTotal as malicious (3 个事件)

Bkav	W32.HfsAdware.9CF6
AegisLab	Virus.Gen\|2\|103!c
AVG	Generic.7E6

Checks adapter addresses which can be used to detect virtual network interfaces (1 个事件)

Time & API	Arguments	Status	Return	Repeated
1620946616.346924 GetAdaptersAddresses	flags: 15 family: 0	failed	111	0

Repeatedly searches for a not-found process, you may want to run a web browser during analysis (13 个事件)

Time & API	Arguments	Status
1620946616.221924 Process32NextW	process_name: wsqmcons.exe snapshot_handle: 0x00000118 process_identifier: 1432	failed
1620946616.221924 Process32NextW	process_name: wsqmcons.exe snapshot_handle: 0x00000118 process_identifier: 1432	failed
1620946616.221924 Process32NextW	process_name: wsqmcons.exe snapshot_handle: 0x00000118 process_identifier: 1432	failed
1620946616.221924 Process32NextW	process_name: wsqmcons.exe snapshot_handle: 0x00000118 process_identifier: 1432	failed
1620946616.237924 Process32NextW	process_name: wsqmcons.exe snapshot_handle: 0x00000118 process_identifier: 1432	failed
1620946616.237924 Process32NextW	process_name: wsqmcons.exe snapshot_handle: 0x00000118 process_identifier: 1432	failed
1620946616.237924 Process32NextW	process_name: wsqmcons.exe snapshot_handle: 0x00000118 process_identifier: 1432	failed
1620946616.237924 Process32NextW	process_name: wsqmcons.exe snapshot_handle: 0x00000118 process_identifier: 1432	failed
1620946616.237924 Process32NextW	process_name: wsqmcons.exe snapshot_handle: 0x00000118 process_identifier: 1432	failed
1620946616.237924 Process32NextW	process_name: wsqmcons.exe snapshot_handle: 0x00000118 process_identifier: 1432	failed
1620946616.237924 Process32NextW	process_name: wsqmcons.exe snapshot_handle: 0x00000118 process_identifier: 1432	failed
1620946616.252924 Process32NextW	process_name: wsqmcons.exe snapshot_handle: 0x00000118 process_identifier: 1432	failed
1620946616.252924 Process32NextW	process_name: wsqmcons.exe snapshot_handle: 0x00000118 process_identifier: 1432	failed

Communicates with host for which no DNS query was performed (1 个事件)

host

172.217.24.14

暂无二进制图像该样本未生成二进制可视化图像

暂无运行截图该样本运行过程中未生成截图

👋 欢迎使用 ChatHawk

我是您的恶意软件分析助手，可以帮您分析和解读恶意软件报告。请随时向我提问！

🔍 主要威胁分析

⚡ 行为特征

🛡️ 防护建议

🔧 技术手段

🎯 检测方法

🤖

Static Analysis
Strings

PE Compile Time

2015-06-23 16:28:24

Imports

Library KERNEL32.dll:

• 0x445030 CreateFileW

• 0x445034 DeleteFileW

• 0x445038 DecodePointer

• 0x44503c ReadFile

• 0x445040 GetCurrentThreadId

• 0x445044 HeapAlloc

• 0x445048 HeapFree

• 0x44504c HeapReAlloc

• 0x445050 HeapSize

• 0x445054 GetProcessHeap

• 0x445058 ExpandEnvironmentStringsW

• 0x44505c QueryPerformanceCounter

• 0x445060 GetLocalTime

• 0x445064 GetTempPathW

• 0x445068 CreateProcessW

• 0x44506c CreateEventW

• 0x445070 ResetEvent

• 0x445074 InitializeCriticalSection

• 0x445078 EnterCriticalSection

• 0x44507c LeaveCriticalSection

• 0x445080 GetModuleFileNameW

• 0x445084 FreeLibrary

• 0x445088 GetCurrentProcess

• 0x44508c SetUnhandledExceptionFilter

• 0x445090 GetModuleHandleExW

• 0x445094 GlobalMemoryStatusEx

• 0x445098 GetCurrentProcessId

• 0x44509c WaitForMultipleObjects

• 0x4450a0 TerminateProcess

• 0x4450a4 GetCommandLineW

• 0x4450a8 CreateToolhelp32Snapshot

• 0x4450ac Process32FirstW

• 0x4450b0 lstrcmpiW

• 0x4450b4 Process32NextW

• 0x4450b8 GetFileAttributesW

• 0x4450bc GetVersionExW

• 0x4450c0 SetLastError

• 0x4450c4 SetEvent

• 0x4450c8 GetProcAddress

• 0x4450cc Sleep

• 0x4450d0 CopyFileW

• 0x4450d4 WideCharToMultiByte

• 0x4450d8 GetFileSize

• 0x4450dc WriteFile

• 0x4450e0 FindFirstFileW

• 0x4450e4 FindClose

• 0x4450e8 InterlockedDecrement

• 0x4450ec GlobalFree

• 0x4450f0 InterlockedIncrement

• 0x4450f4 DuplicateHandle

• 0x4450f8 GetSystemDirectoryW

• 0x4450fc DeviceIoControl

• 0x445100 CreateFileMappingW

• 0x445104 MapViewOfFile

• 0x445108 UnmapViewOfFile

• 0x44510c OpenProcess

• 0x445110 GetModuleHandleW

• 0x445114 ProcessIdToSessionId

• 0x445118 WTSGetActiveConsoleSessionId

• 0x44511c InterlockedExchange

• 0x445120 OutputDebugStringW

• 0x445124 GetSystemInfo

• 0x445128 GetModuleFileNameA

• 0x44512c EncodePointer

• 0x445130 GetStringTypeW

• 0x445134 IsDebuggerPresent

• 0x445138 ReadConsoleW

• 0x44513c SetStdHandle

• 0x445140 SetFilePointerEx

• 0x445144 GetTimeZoneInformation

• 0x445148 FlushFileBuffers

• 0x44514c GetCurrentDirectoryW

• 0x445150 GetFullPathNameW

• 0x445154 PeekNamedPipe

• 0x445158 GetFileInformationByHandle

• 0x44515c FileTimeToLocalFileTime

• 0x445160 GetConsoleMode

• 0x445164 LoadLibraryW

• 0x445168 InitializeCriticalSectionAndSpinCount

• 0x44516c SetEnvironmentVariableA

• 0x445170 RaiseException

• 0x445174 MultiByteToWideChar

• 0x445178 DeleteCriticalSection

• 0x44517c WaitForSingleObject

• 0x445180 GetLastError

• 0x445184 CloseHandle

• 0x445188 WriteConsoleW

• 0x44518c SetEndOfFile

• 0x445190 GetTickCount

• 0x445194 GetConsoleCP

• 0x445198 FreeEnvironmentStringsW

• 0x44519c GetEnvironmentStringsW

• 0x4451a0 GetSystemTimeAsFileTime

• 0x4451a4 GetFileType

• 0x4451a8 GetStdHandle

• 0x4451ac GetOEMCP

• 0x4451b0 GetACP

• 0x4451b4 IsValidCodePage

• 0x4451b8 AreFileApisANSI

• 0x4451bc ExitProcess

• 0x4451c0 EnumSystemLocalesW

• 0x4451c4 GetUserDefaultLCID

• 0x4451c8 IsValidLocale

• 0x4451cc GetLocaleInfoW

• 0x4451d0 LCMapStringW

• 0x4451d4 CompareStringW

• 0x4451d8 GetStartupInfoW

• 0x4451dc TlsFree

• 0x4451e0 TlsSetValue

• 0x4451e4 TlsGetValue

• 0x4451e8 TlsAlloc

• 0x4451ec UnhandledExceptionFilter

• 0x4451f0 GetCPInfo

• 0x4451f4 RtlUnwind

• 0x4451f8 CreateDirectoryW

• 0x4451fc FileTimeToSystemTime

• 0x445200 SystemTimeToTzSpecificLocalTime

• 0x445204 CreateThread

• 0x445208 ExitThread

• 0x44520c LoadLibraryExW

• 0x445210 IsProcessorFeaturePresent

• 0x445214 FindFirstFileExW

• 0x445218 GetDriveTypeW

Library USER32.dll:

• 0x445268 DispatchMessageW

• 0x44526c GetMessageW

• 0x445270 IsWindow

• 0x445274 FindWindowA

• 0x445278 DefWindowProcW

• 0x44527c TranslateMessage

• 0x445280 PostMessageW

• 0x445284 CreateWindowExW

• 0x445288 SetWindowLongW

• 0x44528c DestroyWindow

• 0x445290 SendMessageTimeoutW

Library ADVAPI32.dll:

• 0x445000 RegQueryValueExW

• 0x445004 RegDeleteValueW

• 0x445008 DuplicateTokenEx

• 0x44500c CreateProcessAsUserW

• 0x445010 GetTokenInformation

• 0x445014 OpenProcessToken

• 0x445018 RegQueryValueExA

• 0x44501c RegOpenKeyExA

• 0x445020 RegSetValueExW

• 0x445024 RegOpenKeyExW

• 0x445028 RegCloseKey

Library ole32.dll:

• 0x4452ac CLSIDFromString

• 0x4452b0 StringFromCLSID

Library SHELL32.dll:

• 0x445228 SHCreateDirectoryExW

• 0x44522c

• 0x445230 ShellExecuteW

• 0x445234 ShellExecuteExW

• 0x445238

• 0x44523c CommandLineToArgvW

• 0x445240 SHGetSpecialFolderPathW

Library SHLWAPI.dll:

• 0x445248 PathAppendW

• 0x44524c SHGetValueW

• 0x445250 PathRemoveFileSpecW

• 0x445254 PathFindFileNameW

• 0x445258 SHDeleteKeyW

• 0x44525c SHSetValueW

• 0x445260 PathFileExistsW

Library NETAPI32.dll:

• 0x445220 Netbios

Library WTSAPI32.dll:

• 0x4452a4 WTSQueryUserToken

Library USERENV.dll:

• 0x445298 CreateEnvironmentBlock

• 0x44529c DestroyEnvironmentBlock

Hosts

No hosts contacted.

DNS

Name	Response	Post-Analysis Lookup
szcloud.baidu.com	CNAME szcloud.n.shifen.com A 180.97.36.43	180.97.36.43
dns.msftncsi.com	A 131.107.255.255	131.107.255.255
dns.msftncsi.com	AAAA fd3e:4f5a:5b81::1	131.107.255.255
teredo.ipv6.microsoft.com

TCP

Source	Source Port	Destination	Destination Port
192.168.56.101	49173	180.97.36.43 szcloud.baidu.com	80

UDP

Source	Source Port	Destination	Destination Port
192.168.56.101	49235	114.114.114.114	53
192.168.56.101	50534	114.114.114.114	53
192.168.56.101	56539	114.114.114.114	53
192.168.56.101	58367	114.114.114.114	53
192.168.56.101	65004	114.114.114.114	53
192.168.56.101	137	192.168.56.255	137
192.168.56.101	138	192.168.56.255	138
192.168.56.101	55368	224.0.0.252	5355
192.168.56.101	56804	224.0.0.252	5355
192.168.56.101	60123	224.0.0.252	5355
192.168.56.101	62191	224.0.0.252	5355
192.168.56.101	1900	239.255.255.250	1900
192.168.56.101	56540	239.255.255.250	3702
192.168.56.101	56807	239.255.255.250	1900
192.168.56.101	58368	239.255.255.250	3702
192.168.56.101	58707	239.255.255.250	3702

HTTP & HTTPS Requests

URI	Data
http://szcloud.baidu.com/swapp/cloudpkg?req_data=%7B%22supplyid%22%3A120%2C%22com%22%3A0%2C%22way%22%3A1%2C%22guid%22%3A%223a076c1d21efa3933b8c9319da95dc56%22%2C%22time%22%3A%222021%2F05%2F14%22%2C%22cmd%22%3A%22101%22%7D	GET /swapp/cloudpkg?req_data=%7B%22supplyid%22%3A120%2C%22com%22%3A0%2C%22way%22%3A1%2C%22guid%22%3A%223a076c1d21efa3933b8c9319da95dc56%22%2C%22time%22%3A%222021%2F05%2F14%22%2C%22cmd%22%3A%22101%22%7D HTTP/1.1 Cache-Control: no-cache Connection: Keep-Alive Pragma: no-cache User-Agent: Mozilla/5.0 (compatible; MSIE 8.0; Windows NT 6.1; QQPCMgr7.0) Host: szcloud.baidu.com

URI

Data

http://szcloud.baidu.com/swapp/cloudpkg?req_data=%7B%22supplyid%22%3A120%2C%22com%22%3A0%2C%22way%22%3A1%2C%22guid%22%3A%223a076c1d21efa3933b8c9319da95dc56%22%2C%22time%22%3A%222021%2F05%2F14%22%2C%22cmd%22%3A%22101%22%7D

GET /swapp/cloudpkg?req_data=%7B%22supplyid%22%3A120%2C%22com%22%3A0%2C%22way%22%3A1%2C%22guid%22%3A%223a076c1d21efa3933b8c9319da95dc56%22%2C%22time%22%3A%222021%2F05%2F14%22%2C%22cmd%22%3A%22101%22%7D HTTP/1.1
Cache-Control: no-cache
Connection: Keep-Alive
Pragma: no-cache
User-Agent: Mozilla/5.0 (compatible; MSIE 8.0; Windows NT 6.1; QQPCMgr7.0)
Host: szcloud.baidu.com

ICMP traffic

No ICMP traffic performed.

IRC traffic

No IRC requests performed.

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

Snort Alerts

No Snort Alerts

Sorry! No dropped files.

Sorry! No dropped buffers.