1.7
低危
DACN
0.12
FACILE
1.00
IMCLNet
0.66
MFGraph
0.00
反病毒引擎
| 查杀引擎 | 查杀结果 | 查杀时间 | 查杀版本 |
|---|---|---|---|
| Alibaba | Trojan:Win32/Mydoom.17a | 20190527 | 0.3.0.5 |
| Avast | Win32:Mydoom-EG [Trj] | 20200615 | 18.4.3895.0 |
| Baidu | Win32.Worm-Email.Mydoom.a | 20190318 | 1.0.0.2 |
| CrowdStrike | win/malicious_confidence_100% (W) | 20190702 | 1.0 |
| Kingsoft | None | 20200615 | 2013.8.14.323 |
| McAfee | Artemis!A4C0B39C9D4E | 20200615 | 6.0.6.653 |
| Tencent | Worm.Win32.Mydoom.l | 20200615 | 1.0.0.1 |
静态指标
动态指标
该二进制文件可能包含加密或压缩数据,表明使用了打包工具
(2 个事件)
| section | {'name': 'UPX1', 'virtual_address': '0x00007000', 'virtual_size': '0x00005000', 'size_of_data': '0x00004600', 'entropy': 7.897902341253568} | entropy | 7.897902341253568 | description | 发现高熵的节 | |||||||||
| entropy | 0.8974358974358975 | description | 此PE文件的整体熵值较高 | |||||||||||
可执行文件使用UPX压缩
(2 个事件)
| section | UPX0 | description | 节名称指示UPX | ||||||
| section | UPX1 | description | 节名称指示UPX | ||||||
网络通信
与未执行 DNS 查询的主机进行通信
(2 个事件)
| host | 114.114.114.114 | |||
| host | 8.8.8.8 | |||
生成一些 ICMP 流量
文件已被 VirusTotal 上 68 个反病毒引擎识别为恶意
(50 out of 68 个事件)
| ALYac | Worm.Mydoom |
| APEX | Malicious |
| AVG | Win32:Mydoom-EG [Trj] |
| Acronis | suspicious |
| Ad-Aware | Worm.Generic.23834 |
| AhnLab-V3 | Win32/Mydoom.worm.22020.H |
| Alibaba | Trojan:Win32/Mydoom.17a |
| Antiy-AVL | Worm[Email]/Win32.Mydoom |
| Arcabit | Worm.Generic.D5D1A |
| Avast | Win32:Mydoom-EG [Trj] |
| Avira | TR/BAS.Samca.zictf |
| Baidu | Win32.Worm-Email.Mydoom.a |
| BitDefender | Worm.Generic.23834 |
| BitDefenderTheta | AI:Packer.DFC754A81F |
| Bkav | W32.MyDoomLB.Worm |
| CAT-QuickHeal | Worm.Mydoom |
| ClamAV | Win.Worm.Mydoom-5 |
| Comodo | Worm.Win32.Mydoom.Q@308v |
| CrowdStrike | win/malicious_confidence_100% (W) |
| Cybereason | malicious.c9d4e7 |
| Cylance | Unsafe |
| Cynet | Malicious (score: 100) |
| Cyren | W32/Mydoom.CJDZ-5239 |
| DrWeb | Win32.HLLM.MyDoom.33808 |
| ESET-NOD32 | Win32/Mydoom.Q |
| Endgame | malicious (high confidence) |
| F-Prot | W32/Mydoom.M |
| F-Secure | Email-Worm:W32/Mydoom.gen!A |
| FireEye | Generic.mg.a4c0b39c9d4e73cd |
| Fortinet | W32/MyDoom.M@mm |
| GData | Worm.Generic.23834 |
| Ikarus | Email-Worm.Win32.Mydoom |
| Invincea | heuristic |
| Jiangmin | I-Worm/Zhelatin.sq |
| K7AntiVirus | EmailWorm ( 0000439f1 ) |
| K7GW | EmailWorm ( 0000439f1 ) |
| Kaspersky | Email-Worm.Win32.Mydoom.l |
| Lionic | Worm.Win32.Mydoom.tpmO |
| MAX | malware (ai score=81) |
| Malwarebytes | Worm.Agent |
| McAfee | Artemis!A4C0B39C9D4E |
| McAfee-GW-Edition | BehavesLike.Win32.Mydoom.nc |
| MicroWorld-eScan | Worm.Generic.23834 |
| Microsoft | Worm:Win32/Mydoom.L@mm |
| NANO-Antivirus | Trojan.Win32.Mydoom.cuyllc |
| Paloalto | generic.ml |
| Panda | W32/Mydoom.DN.worm |
| Qihoo-360 | Worm.Win32.Mydoom.A |
| Rising | Worm.Mail.Win32.Mydoom.l (CLOUD) |
| SUPERAntiSpyware | Worm.MyDoom |
二进制图像
288x288
224x224
192x192
160x160
128x128
96x96
64x64
32x32
运行截图
暂无运行截图
该样本运行过程中未生成截图
PE Compile Time
1970-01-01 08:00:00
PE Imphash
5d02f6de12eb07fb22fe87e05e50d6a0
Sections
| Name | Virtual Address | Virtual Size | Size of Raw Data | Entropy |
|---|---|---|---|---|
| UPX0 | 0x00001000 | 0x00006000 | 0x00000000 | 0.0 |
| UPX1 | 0x00007000 | 0x00005000 | 0x00004600 | 7.897902341253568 |
| .rsrc | 0x0000c000 | 0x00001000 | 0x00000800 | 2.6495694551935207 |
Resources
| Name | Offset | Size | Language | Sub-language | File type |
|---|---|---|---|---|---|
| RT_ICON | 0x0000c3c4 | 0x00000128 | LANG_ENGLISH | SUBLANG_ENGLISH_US | None |
| RT_ICON | 0x0000c3c4 | 0x00000128 | LANG_ENGLISH | SUBLANG_ENGLISH_US | None |
| RT_GROUP_ICON | 0x0000c4f0 | 0x00000022 | LANG_ENGLISH | SUBLANG_ENGLISH_US | None |
Imports
Library ADVAPI32.dll:
• 0x80c59c RegCloseKey
Library MSVCRT.dll:
• 0x80c5a4 time
Library USER32.dll:
• 0x80c5ac wsprintfA
Library WS2_32.dll:
• 0x80c5b4 gethostname
L!This program cannot be run in DOS mode.
iiiiM,
hPD4e4(
M4M4M4|tld\4MTLD803M(
`XPD;@
IEFrame
ATH_Note
rctrl_renwn
c:\sDec
nSep3ug
/%s, %u
.2u:um
nkmrnetG
{Staiex
Kazaa Lk
ry P6I
W0RAR.v.3Z.od.key#
p 5.0 () C
lcomhdeRe$tvor.
dnsapi%{.dllphlp
w@kPa_9le
{cabu'mass
vGubm{l
crosoftd
the.bgold-Uk;s}ca
"Z+cre
iWKQg^
foG+lc-
zcWxrrsf.)OW
+rr ,ar+
og3gnu
.m{6Ov
;WRdN`do8a0;oa
lekk5bnda
ymav_-!'5b_
8o@d0(
@e*.*KAdtpRN
USERPROFILE
:\yaha0
`v.;D
7 e ig;`
lud A
nvQl\+n
:gb puw2D
k3Srb\2aqFqh
5'%i~Ba.=x|
\c$Yf/j
n*ikyQA9
"p3f,FoeSA
\k,Nv EXZrr
naht%w.^
aF:H$Wh'i|s W-1MTc
Ei+!d/.s
Z@vU<$t>?Pl,e%p>0|Bcts@$F
amsQaeA
(`r[a<b
1w-f6}
!b []=-
G_n!CZ]y
lbAs9Y2
Z Lkn,$T.
F:$f]
,YS5dG
;hjX>\lmpt
[STkMdbMHK66-3
L82:tt
+Djg9!?]:Fm1f
Ve-DAE
"MONWz
$<("P"C"8
N&!Vo<SDj=
tQ"K O4"a
x14c;<#n
ABCDEFGHIJK
6LMNOPQRSTUVWXYZ cfgt
jklmFpq
!_vwxyz23456789+/qsX-P
zExp 6.00.26
3IMEO,4P
uTBy@Mfid;
V9Jw,t6-Ty@m-PDt/xP
9Zr="R"s
q-V51O
48X.5sNPs+a^vI?Gp}appmI/%Gk
[mnOf&4nfn-EdAbMv64"DDi{QHL
\HC=u'%Zu>i7bk\2,
'-$uhjp
>a{QUIT
>'PTZ5
-xYIHEL
LO87`+
nTPS&)\\*
|2~^]H+
:.] KlhJ
of.twa
rer\\MicM/s7n5'O'n dYO+ CkfCu_+5
/eu]G? ;P_6OIX]
8*P7Sh
C_^w7[
_'F$3^D
|lfk=Pj
pxeDSE
c|pLh$;x
%pX+>u
wu&q<GG5Wqoh
Pi6twaire\Miicrosofiit\Winidows\iCurren
itVrsiion\RuH
p$Trl6y
I2\CSW|$
ldcC-o^S
jZY-i`;WR
6-F.;_
$j<_RP3
jh`OJ?b4q
fdg4u|`
YCppcM;u
u?IH+Sn
#<Kf#F
B0 ;xv+PV;tQ
3 @F;|/
wiiniGniet.dll[-
5PEKef9ut_
3$tv3Wj(-
B;POi8/x
6~W"B;}
8@le(7loC
WbPV$v5
\;C}0
>F@JuD.F'
V)$Y;t0Y|
b1?mp ,
K?GOGSU~m3f
ne,<};u<)Zt
Q0^]8PU
{;_t$@SDIC1\
U~R/('Rf4;
}e%Y-b$I0
nGUqtv
!cs_0?b
A$]~% {
pzw{ok
jd7FF6|=~
tVe;?Vd;t$hFBn
*gu;r_ipWl
JS:S>}tG
QSZxOO+N!
W*Xp0,
\<<@t?(T
+CY<Jo=B@9zO
Kyd+7h%
-0vYC1-NO/&<
'xqf,wOy/UH]
tb0UE,
0"8d5^7-S;1YU2vHf
x 0|8<
2+SJNr
F}.RU8
cbf0d_
x5FG['@
hv$~,\ l\t3D
Qm {+8
.5a>3K
Hy FQ~
J6f2/Xp
?GLa`;
bx3*oo
+KICY`D
h^ddk3T
o';Wto*9
vt\kQS
'UY3SQ g
g%vAa+qYDW\&^
]G7F(O
=khY(QR
h~8ZnQ;t
GWSYf;
j2.`h
r2Ojx26hR<P
f+eqkNdw "Z
?I7\d;
@ZA{+[
H_tu(n
}8h+|-;O
;}e;}a;WZ
;~C;~?+b
M-JSQaH
P=/sSu
V|Ehmd
[GdlcO`1vUMp6l:p
jQ4Mhp
> Fzr?0
1EpDMlu[4EP`
djk7&s
04Sof,
,\Micro
,sof\W,
,AB\WAP
,ab bF
,ile NaP,m
#*u=9kY1d
8F,ZF>h=
<U<puY6ql_
buG:uCR<hu
sup>Y<s
btN<db7x
75<w_u
Kfuc['{8
\P#NYsYZ
Pu%8.@+u
#<8P>|f
&P2 jKk
\.ocal 6rSeti\.Qngs-V=TemFp5fr
yJ5fI:F/Wu]
]4Mbk$b
=#Lf$a
LLa7PP1d[
CYRtg-
+0S6-h
.5PfO5
guj,(,
g*<u?m
0<Q'Fzd|s0K
zV5Xme
P9d{Vj.
$Pt7lK
Y`f[ 5g;Pl
^:#CYx
bD^:3rS
@PA`Wz
/h(ht!h`
JbG!=!!++
~$k/&;t
}d4H1A|(}.
3*HWS.
Y]G2~
_`EPF0
|$3FP;
[mx#(|
pe\#kkV^S&Y
hXPkWPQ
,>kA&5
54oE'J
Z(MrSPPY
lJS^8
#[=9"E@
K8!PxC
Q"FhWQ"Yz72G
^$cG|$l
xo?~E< r8<=t4<+t0<,<
t(<v aULv7GR<Y
Od3GX%dy
,l_HHt
"}5vBR
+D5uUtm1Oh\9
VRG-'(
vm-!+_|
D#NQPWNy
KDDBS}g^Y
1@&o4,;[;
@5~)XZP;
7l[fW!c
bFO><:t9.5
$8&4E?ao8:ua
0}9-G^u
abM*^&
/dV!IV'LYs
-SRg@C
'Y1Hh<
=+(~.*%8g
,X3+(J-
;t. .u
|#eXrk }
p&hh.`
9\X]$l
U3B@$`W
JIJHp`m
W{WP'O
RKhc4
ebKtW66
k|v*(\/#Rh
FAS5Cp"Y$
^xW0vvP
Je&"TnQra
+;rMSK%nv
J-TmtQ
$pPrYH;\y
.noj8f
wnYE;r
sm@f=AB
hh6Gfpn|#
|&^bBA+ZS
}^WB_X@
_(5^*'_
tSEFtP7
, aNM~XX
nl9YJ.u+YtV[i
X.Abvl7(d
_xFZ h
WN_KMe
CS;~S[`+{
Qr(`T,oYt>)
lOPuDHL%db
>q70}:
;?| 4l
w__;}a
YP"z'GC
lR tSMpW?xp5
hncaH0
wu)P/xAl
y@*-&@'_Z
!5&#cD
pBmu=i
fgT@EH5
[P71/}
&xE[f;
U`eb{[m&
&T#zW*
P]p=V^^Y[@~
n("F$A
l)>7`03V4i
G]%Djd
bNT!E"
~#6"azp
.l( G;(|
~k;~!,
rjv(k Nhu
9t&ET`
lsc:qRH
PGtop&0=
At-^(Eehz{
GF?x\G
HYWWh>x=I
U,TempFNAU
ve;GMGlobalAl
Cas[M$g+
ZgViewOfUnm
vHtked
von)Vaab{
sCopyx
]ESl$lqAP/h
De;y-amc
%[audeChl4M]UByt"A[s
RnIPoi
;i6`H.
3l0Ao 'Gg
g`VueE
_um{@0s
d#m{[1
,`BuffA
Low3lGwvr#w
#EAYMbp
GPGWHU
wwwwwww
KERNEL32.DLL
ADVAPI32.dll
MSVCRT.dll
USER32.dll
WS2_32.dll
LoadLibraryA
GetProcAddress
ExitProcess
RegCloseKey
wsprintfA
WDPQE$
QDaCxf
@m#qxD
#QARzR@)
2Z#p?4
)BdME-*Mr
BDvjCSD
p}D'JTs
>D!BwC
Yt;A&"
fFXBA1
Yl$#XDT
dz?_12
h?o>U&
DQ"QD'-
iR >>fE
$VDz3%
6'jN+)
DR }@p"
'd7DvR
pI6D4$
fyj2K:MP
PQCkDD+
s(Bk[J
g="`B6.
CJKCB>
NQ=3m,?
KSEi/_5
MM:eCf8U
"L:;?s
'D5tWM
sDM4fv
NC->&.
#LkJWR
;AMiBE
5?Bn?k
xIBL;=}
Z!DGB't
EhZB#1
/""gz4
iZ^X?=K
9mLFAf;z
}5D2'H
BSbLP7h
h?D"j7
#,MoA`
l?{eAo$
?+OBr:
bL8D iZ
[D,yAI
p!C!1U
s@kZzr
D `E(/Q./AZ
hbB+*#
$]?KBiT~
1M[C\>
mFE/EE
~i/Mk D
2xQ vmr
~E"A@v
$L&$*Ch|
iBfv=N
,.)GA`
pECBqt
!wE(it
]@{9$x
XCpD~B_
_)rD$0
Hosts
| IP |
|---|
| 114.114.114.114 |
| 8.8.8.8 |
DNS
| Name | Response | Post-Analysis Lookup |
|---|---|---|
| dns.msftncsi.com | A 131.107.255.255 | 131.107.255.255 |
| dns.msftncsi.com |
AAAA fd3e:4f5a:5b81::1 AAAA fd3e:4f5a:5b81::1 |
131.107.255.255 |
TCP
No TCP connections recorded.
UDP
| Source | Source Port | Destination | Destination Port |
|---|---|---|---|
| 192.168.56.101 | 53179 | 224.0.0.252 | 5355 |
| 192.168.56.101 | 49642 | 224.0.0.252 | 5355 |
| 192.168.56.101 | 137 | 192.168.56.255 | 137 |
| 192.168.56.101 | 61714 | 114.114.114.114 | 53 |
| 192.168.56.101 | 61714 | 8.8.8.8 | 53 |
| 192.168.56.101 | 56933 | 8.8.8.8 | 53 |
| 192.168.56.101 | 138 | 192.168.56.255 | 138 |
HTTP & HTTPS Requests
No HTTP requests performed.
ICMP traffic
| Source | Destination | ICMP Type | Data |
|---|---|---|---|
| 192.168.56.101 | 8.8.8.8 | 3 |
IRC traffic
No IRC requests performed.
Suricata Alerts
No Suricata Alerts
Suricata TLS
No Suricata TLS
Snort Alerts
No Snort Alerts
Sorry! No dropped files.
Sorry! No dropped buffers.