| 查杀引擎 | 查杀结果 | 查杀时间 | 查杀版本 |
|---|---|---|---|
| McAfee | GenericRXJS-EQ!584A90A46491 | 20200413 | 6.0.6.653 |
| Alibaba | 20190527 | 0.3.0.5 | |
| Avast | Win32:PUPX-gen [PUP] | 20200412 | 18.4.3895.0 |
| Baidu | 20190318 | 1.0.0.2 | |
| Kingsoft | 20200413 | 2013.8.14.323 | |
| Tencent | 20200413 | 1.0.0.1 | |
| CrowdStrike | 20190702 | 1.0 |
| section | .didata |
| suspicious_features | GET method with no useragent header | suspicious_request | GET http://dj-updates.com//stat.counter/?app=vkdj&c1=cinst_start_Windows%207%20x64_av-clean&advert_key=ZWMwMDAxMDVhMzAwMTljYzAwMDAxOWJmMDAxOWJmMDAxOWJmZGUwMGM4ODMyNg==&uid= | ||||||
| suspicious_features | GET method with no useragent header | suspicious_request | GET http://dj-updates.com//client.config/?app=vk_downloader&format=xml&uid=B2785848-06A1-417E-B3B0-0692D6A8C0E8-E2A6769EA3FB4B6D6A1B3FEB3384FF4F&version=1.7.1.153&w_info=cl_downloader&advert_key=ZWMwMDAxMDVhMzAwMTljYzAwMDAxOWJmMDAxOWJmMDAxOWJmZGUwMGM4ODMyNg== | ||||||
| suspicious_features | POST method with no referer header | suspicious_request | POST https://update.googleapis.com/service/update2?cup2key=10:961693851&cup2hreq=eab5207369b7314da738452c2ac02e10b75fb366b44b3d57b2a0725d4ab37040 | ||||||
| request | GET http://dj-updates.com//stat.counter/?app=vkdj&c1=cinst_start_Windows%207%20x64_av-clean&advert_key=ZWMwMDAxMDVhMzAwMTljYzAwMDAxOWJmMDAxOWJmMDAxOWJmZGUwMGM4ODMyNg==&uid= |
| request | GET http://dj-updates.com//client.config/?app=vk_downloader&format=xml&uid=B2785848-06A1-417E-B3B0-0692D6A8C0E8-E2A6769EA3FB4B6D6A1B3FEB3384FF4F&version=1.7.1.153&w_info=cl_downloader&advert_key=ZWMwMDAxMDVhMzAwMTljYzAwMDAxOWJmMDAxOWJmMDAxOWJmZGUwMGM4ODMyNg== |
| request | HEAD http://redirector.gvt1.com/edgedl/release2/update2/AIUdiWYcaIvMz1IBNCM0PPo_1.3.36.82/GoogleUpdateSetup.exe |
| request | HEAD http://r1---sn-j5o7dn7e.gvt1.com/edgedl/release2/update2/AIUdiWYcaIvMz1IBNCM0PPo_1.3.36.82/GoogleUpdateSetup.exe?cms_redirect=yes&mh=ms&mip=202.100.214.100&mm=28&mn=sn-j5o7dn7e&ms=nvh&mt=1620755296&mv=m&mvi=1&pl=23&shardbypass=yes |
| request | HEAD http://r3---sn-j5o7dn7e.gvt1.com/edgedl/release2/update2/AIUdiWYcaIvMz1IBNCM0PPo_1.3.36.82/GoogleUpdateSetup.exe?mh=ms&pl=17&shardbypass=yes&redirect_counter=1&rm=sn-j5ok7e&req_id=253465646a23305e&cms_redirect=yes&ipbypass=yes&mip=59.50.85.19&mm=28&mn=sn-j5o7dn7e&ms=nvh&mt=1620755296&mv=m&mvi=3 |
| request | POST https://update.googleapis.com/service/update2?cup2key=10:961693851&cup2hreq=eab5207369b7314da738452c2ac02e10b75fb366b44b3d57b2a0725d4ab37040 |
| request | POST https://update.googleapis.com/service/update2?cup2key=10:961693851&cup2hreq=eab5207369b7314da738452c2ac02e10b75fb366b44b3d57b2a0725d4ab37040 |
| file | C:\Users\Administrator\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmelgafobnkionkmolbpeinpgefobndm |
| file | C:\Users\Administrator\AppData\Local\Google\Chrome\User Data\Default\Extensions\fjnomeoannjmahmmmgpckeigjcmoioea |
| file | C:\Users\Administrator\AppData\Local\Google\Chrome\User Data\Default\Extensions\ppiaojpbclpegkkkmikabinlpbahhbha |
| file | C:\Users\Administrator\AppData\Local\Google\Chrome\User Data\Default\Extensions\fdjdjkkjoiomafnihnobkinnfjnnlhdg |
| file | C:\Users\Administrator\AppData\Local\Google\Chrome\User Data\Default\Extensions\djgdgdcfmdkficbifbnaacknblbkhhoc |
| file | C:\Users\Administrator\AppData\Local\Google\Chrome\User Data\Default\Extensions\ifbelakdiigbhajfdkjccemmmbdlbifg |
| file | C:\Users\Administrator\AppData\Local\Google\Chrome\User Data\Default\Extensions\nlmophpcjeihmbejobmmkoghokakinne |
| file | C:\Users\Administrator\AppData\Local\Google\Chrome\User Data\Default\Extensions\bgepjdjmkimgmfhddapeafignhjnpghc |
| file | C:\Users\Administrator\AppData\Local\Google\Chrome\User Data\Default\Extensions\akgdkknilkblpjcgpjmbjgpamneokmag |
| file | C:\ProgramData\duwud\7zxa.dll |
| file | C:\ProgramData\duwud\7za.dll |
| file | C:\ProgramData\kx2m59\VKontakteDJ.exe |
| file | C:\ProgramData\fprupafhnc.js |
| file | C:\ProgramData\duwud\7za.exe |
| file | C:\Users\Administrator\Desktop\Game Of Thrones Winter is coming.lnk |
| cmdline | "C:\Windows\System32\schtasks.exe" /Delete /TN VK_DJ /F |
| cmdline | SCHTASKS /Delete /TN VK_DJ /F |
| cmdline | "C:\Windows\System32\cmd.exe" /c move /Y "C:\ProgramData\kx2m59" "C:\ProgramData\VkontakteDJ" |
| cmdline | cmd.exe /c move /Y "C:\ProgramData\kx2m59" "C:\ProgramData\VkontakteDJ" |
| cmdline | "C:\Windows\System32\cmd.exe" /c rd /S/Q C:\ProgramData\kx2m59 |
| entropy | 7.867656194438293 | section | {'size_of_data': '0x0070b200', 'virtual_address': '0x0020d000', 'entropy': 7.867656194438293, 'name': '.rsrc', 'virtual_size': '0x0070c000'} | description | A section with a high entropy has been found | |||||||||
| entropy | 0.7717205221485127 | description | Overall entropy of this PE file is high | |||||||||||
| cmdline | "C:\Windows\System32\schtasks.exe" /Delete /TN VK_DJ /F |
| cmdline | SCHTASKS /Delete /TN VK_DJ /F |
| host | 172.217.24.14 | |||
| host | 203.208.41.66 | |||
| wmi | select * from AntiVirusProduct |
| wmi | select * from Win32_Process |
| wmi | select * from Win32_OperatingSystem |
| parent_process | wscript.exe | martian_process | "C:\Windows\System32\schtasks.exe" /Delete /TN VK_DJ /F | ||||||
| parent_process | wscript.exe | martian_process | SCHTASKS /Delete /TN VK_DJ /F | ||||||
| parent_process | wscript.exe | martian_process | C:\ProgramData\duwud\7za.exe e C:\ProgramData\s111yt.zip -pvkd -y -oC:\ProgramData\kx2m59 | ||||||
| parent_process | wscript.exe | martian_process | cmd /c rd /S/Q C:\ProgramData\kx2m59 | ||||||
| parent_process | wscript.exe | martian_process | "C:\Windows\System32\cmd.exe" /c move /Y "C:\ProgramData\kx2m59" "C:\ProgramData\VkontakteDJ" | ||||||
| parent_process | wscript.exe | martian_process | "C:\Windows\System32\cmd.exe" /c rd /S/Q C:\ProgramData\kx2m59 | ||||||
| parent_process | wscript.exe | martian_process | "C:\ProgramData\duwud\7za.exe" e C:\ProgramData\s111yt.zip -pvkd -y -oC:\ProgramData\kx2m59 | ||||||
| parent_process | wscript.exe | martian_process | cmd.exe /c move /Y "C:\ProgramData\kx2m59" "C:\ProgramData\VkontakteDJ" | ||||||
| DrWeb | Program.VKontakteDJ.95 |
| MicroWorld-eScan | Gen:Variant.Ulise.98438 |
| FireEye | Generic.mg.584a90a46491964a |
| CAT-QuickHeal | PUA.MediadrugPMF.S11139230 |
| McAfee | GenericRXJS-EQ!584A90A46491 |
| Zillya | Trojan.Agent.JS.5208 |
| K7AntiVirus | Trojan ( 0055d9fb1 ) |
| K7GW | Trojan ( 0055d9fb1 ) |
| Arcabit | Trojan.Ulise.D18086 |
| Symantec | ML.Attribute.HighConfidence |
| ESET-NOD32 | a variant of JS/Agent.OHD |
| Avast | Win32:PUPX-gen [PUP] |
| Kaspersky | not-a-virus:HEUR:AdWare.Win32.VKDJ.pef |
| BitDefender | Gen:Variant.Ulise.98438 |
| NANO-Antivirus | Riskware.Win32.VKDJ.hedrra |
| Rising | Trojan.Agent!8.B1E (RDMK:cmRtazpH3U5+9T5XckSGLxKpJedX) |
| Endgame | malicious (high confidence) |
| F-Secure | Heuristic.HEUR/AGEN.1125968 |
| McAfee-GW-Edition | BehavesLike.Win32.Dropper.tc |
| Emsisoft | Gen:Variant.Ulise.98438 (B) |
| Ikarus | Trojan.JS.Agent |
| Jiangmin | AdWare.VKDJ.qy |
| Webroot | W32.Trojan.Gen |
| Avira | HEUR/AGEN.1125968 |
| MAX | malware (ai score=88) |
| Antiy-AVL | GrayWare/Win32.VKontakte.dj |
| Microsoft | Trojan:Win32/Wacatac.D!ml |
| ZoneAlarm | not-a-virus:HEUR:AdWare.Win32.VKDJ.pef |
| GData | Gen:Variant.Ulise.98438 |
| AhnLab-V3 | PUP/Win32.Helper.R325967 |
| Acronis | suspicious |
| VBA32 | BScope.Adware.VKDJ |
| ALYac | Gen:Variant.Ulise.98438 |
| Ad-Aware | Gen:Variant.Ulise.98438 |
| Malwarebytes | PUP.Optional.VkontakteDJ |
| APEX | Malicious |
| Fortinet | W32/VKontakte.DJ!tr |
| AVG | Win32:PUPX-gen [PUP] |
| Panda | Trj/Genetic.gen |
| file | C:\Windows\SysWOW64\wscript.exe |
| file | C:\Windows\System32\cmd.exe |
| file | C:\ProgramData\duwud\7za.exe |
| file | C:\Windows\System32\schtasks.exe |
| dead_host | 172.217.24.14:443 |
| dead_host | 172.217.160.78:443 |
| Ordinal | Address | Name |
|---|---|---|
| 3 | 0x43fc04 | @@Avast@Finalize |
| 2 | 0x43fbe4 | @@Avast@Initialize |
| 5 | 0x46f64c | @@Filecapture@Finalize |
| 4 | 0x46f62c | @@Filecapture@Initialize |
| 7 | 0x473e88 | @@Gamesform@Finalize |
| 6 | 0x473e68 | @@Gamesform@Initialize |
| 9 | 0x4773c4 | @@Install@Finalize |
| 8 | 0x4773a4 | @@Install@Initialize |
| 11 | 0x48d2d4 | @@Installthread@Finalize |
| 10 | 0x48d2b4 | @@Installthread@Initialize |
No hosts contacted.
| Source | Source Port | Destination | Destination Port |
|---|---|---|---|
| 192.168.56.101 | 49204 | 113.108.239.194 r1---sn-j5o7dn7e.gvt1.com | 80 |
| 192.168.56.101 | 49205 | 113.108.239.196 r3---sn-j5o7dn7e.gvt1.com | 80 |
| 192.168.56.101 | 49200 | 203.208.40.98 update.googleapis.com | 443 |
| 192.168.56.101 | 49203 | 203.208.41.65 redirector.gvt1.com | 80 |
| 192.168.56.101 | 49184 | 54.36.175.115 dj-updates.com | 80 |
| 192.168.56.101 | 49185 | 54.36.175.115 dj-updates.com | 80 |
| Source | Source Port | Destination | Destination Port |
|---|---|---|---|
| 192.168.56.101 | 50568 | 114.114.114.114 | 53 |
| 192.168.56.101 | 51808 | 114.114.114.114 | 53 |
| 192.168.56.101 | 51963 | 114.114.114.114 | 53 |
| 192.168.56.101 | 53380 | 114.114.114.114 | 53 |
| 192.168.56.101 | 54178 | 114.114.114.114 | 53 |
| 192.168.56.101 | 55368 | 114.114.114.114 | 53 |
| 192.168.56.101 | 56539 | 114.114.114.114 | 53 |
| 192.168.56.101 | 58970 | 114.114.114.114 | 53 |
| 192.168.56.101 | 60221 | 114.114.114.114 | 53 |
| 192.168.56.101 | 60384 | 114.114.114.114 | 53 |
| 192.168.56.101 | 137 | 192.168.56.255 | 137 |
| 192.168.56.101 | 138 | 192.168.56.255 | 138 |
| 192.168.56.101 | 123 | 20.189.79.72 time.windows.com | 123 |
| 192.168.56.101 | 49713 | 224.0.0.252 | 5355 |
| 192.168.56.101 | 51378 | 224.0.0.252 | 5355 |
| 192.168.56.101 | 53237 | 224.0.0.252 | 5355 |
| 192.168.56.101 | 56804 | 224.0.0.252 | 5355 |
| 192.168.56.101 | 57236 | 224.0.0.252 | 5355 |
| 192.168.56.101 | 58367 | 224.0.0.252 | 5355 |
| 192.168.56.101 | 60123 | 224.0.0.252 | 5355 |
| URI | Data |
|---|---|
| http://redirector.gvt1.com/edgedl/release2/update2/AIUdiWYcaIvMz1IBNCM0PPo_1.3.36.82/GoogleUpdateSetup.exe | HEAD /edgedl/release2/update2/AIUdiWYcaIvMz1IBNCM0PPo_1.3.36.82/GoogleUpdateSetup.exe HTTP/1.1 Connection: Keep-Alive Accept: */* Accept-Encoding: identity User-Agent: Microsoft BITS/7.5 X-Old-UID: cnt=0 X-Last-HR: 0x0 X-Last-HTTP-Status-Code: 0 X-Retry-Count: 0 X-HTTP-Attempts: 1 Host: redirector.gvt1.com |
| http://r3---sn-j5o7dn7e.gvt1.com/edgedl/release2/update2/AIUdiWYcaIvMz1IBNCM0PPo_1.3.36.82/GoogleUpdateSetup.exe?mh=ms&pl=17&shardbypass=yes&redirect_counter=1&rm=sn-j5ok7e&req_id=253465646a23305e&cms_redirect=yes&ipbypass=yes&mip=59.50.85.19&mm=28&mn=sn-j5o7dn7e&ms=nvh&mt=1620755296&mv=m&mvi=3 | HEAD /edgedl/release2/update2/AIUdiWYcaIvMz1IBNCM0PPo_1.3.36.82/GoogleUpdateSetup.exe?mh=ms&pl=17&shardbypass=yes&redirect_counter=1&rm=sn-j5ok7e&req_id=253465646a23305e&cms_redirect=yes&ipbypass=yes&mip=59.50.85.19&mm=28&mn=sn-j5o7dn7e&ms=nvh&mt=1620755296&mv=m&mvi=3 HTTP/1.1 Connection: Keep-Alive Accept: */* Accept-Encoding: identity User-Agent: Microsoft BITS/7.5 X-Old-UID: cnt=0 X-Last-HR: 0x0 X-Last-HTTP-Status-Code: 0 X-Retry-Count: 0 X-HTTP-Attempts: 1 Host: r3---sn-j5o7dn7e.gvt1.com |
| http://dj-updates.com//client.config/?app=vk_downloader&format=xml&uid=B2785848-06A1-417E-B3B0-0692D6A8C0E8-E2A6769EA3FB4B6D6A1B3FEB3384FF4F&version=1.7.1.153&w_info=cl_downloader&advert_key=ZWMwMDAxMDVhMzAwMTljYzAwMDAxOWJmMDAxOWJmMDAxOWJmZGUwMGM4ODMyNg== | GET //client.config/?app=vk_downloader&format=xml&uid=B2785848-06A1-417E-B3B0-0692D6A8C0E8-E2A6769EA3FB4B6D6A1B3FEB3384FF4F&version=1.7.1.153&w_info=cl_downloader&advert_key=ZWMwMDAxMDVhMzAwMTljYzAwMDAxOWJmMDAxOWJmMDAxOWJmZGUwMGM4ODMyNg== HTTP/1.1 Host: dj-updates.com Connection: close |
| http://dj-updates.com//stat.counter/?app=vkdj&c1=cinst_start_Windows%207%20x64_av-clean&advert_key=ZWMwMDAxMDVhMzAwMTljYzAwMDAxOWJmMDAxOWJmMDAxOWJmZGUwMGM4ODMyNg==&uid= | GET //stat.counter/?app=vkdj&c1=cinst_start_Windows%207%20x64_av-clean&advert_key=ZWMwMDAxMDVhMzAwMTljYzAwMDAxOWJmMDAxOWJmMDAxOWJmZGUwMGM4ODMyNg==&uid= HTTP/1.1 Host: dj-updates.com Connection: close |
| http://r1---sn-j5o7dn7e.gvt1.com/edgedl/release2/update2/AIUdiWYcaIvMz1IBNCM0PPo_1.3.36.82/GoogleUpdateSetup.exe?cms_redirect=yes&mh=ms&mip=202.100.214.100&mm=28&mn=sn-j5o7dn7e&ms=nvh&mt=1620755296&mv=m&mvi=1&pl=23&shardbypass=yes | HEAD /edgedl/release2/update2/AIUdiWYcaIvMz1IBNCM0PPo_1.3.36.82/GoogleUpdateSetup.exe?cms_redirect=yes&mh=ms&mip=202.100.214.100&mm=28&mn=sn-j5o7dn7e&ms=nvh&mt=1620755296&mv=m&mvi=1&pl=23&shardbypass=yes HTTP/1.1 Connection: Keep-Alive Accept: */* Accept-Encoding: identity User-Agent: Microsoft BITS/7.5 X-Old-UID: cnt=0 X-Last-HR: 0x0 X-Last-HTTP-Status-Code: 0 X-Retry-Count: 0 X-HTTP-Attempts: 1 Host: r1---sn-j5o7dn7e.gvt1.com |
No ICMP traffic performed.
No IRC requests performed.
No Suricata Alerts
No Suricata TLS
No Snort Alerts