SmartHawk

2.6

中危

61 个模型检测该样本为恶意！

重新分析

下载样本

c9877b30431c82bfcb5d3dd7c1829740038d49485d12ab884b5ff60f66092503

ae776af3a2d11e7c06de71acaf1178b9.exe

分析耗时

71s

最近分析

文件大小

73.0KB

静态报毒动态报毒 100% AI SCORE=80 BANLOAD CLASSIC CONFIDENCE CSTQAJ DARKSHELL DUMPMODULEINFECTIOUSNME FAMVT FILEINFECTOR HIGH CONFIDENCE INFECTED JADTRE KA@558NXG KUDJ M1R5 MALICIOUS PE MIKCER NIMNUL OTWYCAL PATCHLOAD PCARRIER R + W32 RAMNIT ROUE SCORE SMALL STATIC AI TRIUSOR UNSAFE VJADTRE WALI WAPOMI 更多

未检测暂无鹰眼引擎检测结果

查杀引擎	查杀结果	查杀时间	查杀版本
McAfee	W32/Kudj	20201211	6.0.6.653
Alibaba	Virus:Win32/Nimnul.22b452c3	20190527	0.3.0.5
CrowdStrike	win/malicious_confidence_100% (W)	20190702	1.0
Avast	Other:Malware-gen [Trj]	20201210	21.1.5827.0
Baidu	Win32.Virus.Otwycal.d	20190318	1.0.0.2
Kingsoft		20201211	2017.9.26.565

This executable has a PDB path (1 个事件)

pdb_path

C:\Jenkins\jobs\miktex-2.9\workspace\build-x86\binlib\fc-match.pdb

The executable contains unknown PE section names indicative of a packer (could be a false positive) (3 个事件)

section	.gfids
section	.00cfg
section	DC\x99\xd0\xa3u\x98

The binary likely contains encrypted or compressed data indicative of a packer (2 个事件)

entropy

6.935007267122661

section

{'size_of_data': '0x00004200', 'virtual_address': '0x00014000', 'entropy': 6.935007267122661, 'name': 'DC\\x99\\xd0\\xa3u\\x98', 'virtual_size': '0x00005000'}

description

A section with a high entropy has been found

entropy

0.22916666666666666

description

Overall entropy of this PE file is high

Communicates with host for which no DNS query was performed (1 个事件)

host

172.217.24.14

File has been identified by 61 AntiVirus engines on VirusTotal as malicious (50 out of 61 个事件)

Bkav	W32.FamVT.DumpModuleInfectiousNME.PE
Elastic	malicious (high confidence)
DrWeb	BackDoor.Darkshell.246
MicroWorld-eScan	Win32.VJadtre.3
FireEye	Generic.mg.ae776af3a2d11e7c
Qihoo-360	Virus.Win32.Agent.P
McAfee	W32/Kudj
Cylance	Unsafe
Zillya	Virus.Nimnul.Win32.5
Sangfor	Malware
K7AntiVirus	Virus ( 0040f7441 )
Alibaba	Virus:Win32/Nimnul.22b452c3
K7GW	Virus ( 0040f7441 )
CrowdStrike	win/malicious_confidence_100% (W)
Arcabit	Win32.VJadtre.3
BitDefenderTheta	AI:FileInfector.991137D00F
Cyren	W32/PatchLoad.E
Symantec	W32.Wapomi.C!inf
TotalDefense	Win32/Nimnul.A
APEX	Malicious
Avast	Other:Malware-gen [Trj]
ClamAV	Win.Malware.Triusor-6802611-0
Kaspersky	Virus.Win32.Nimnul.f
BitDefender	Win32.VJadtre.3
NANO-Antivirus	Trojan.Win32.Banload.cstqaj
Paloalto	generic.ml
ViRobot	Win32.Ramnit.F
Ad-Aware	Win32.VJadtre.3
Emsisoft	Win32.VJadtre.3 (B)
Comodo	Virus.Win32.Wali.KA@558nxg
F-Secure	Malware.W32/Jadtre.B
Baidu	Win32.Virus.Otwycal.d
VIPRE	Virus.Win32.Small.acea (v)
TrendMicro	PE_WAPOMI.BM
McAfee-GW-Edition	BehavesLike.Win32.Infected.lt
Sophos	Mal/Generic-R + W32/Nimnul-A
SentinelOne	Static AI - Malicious PE
Jiangmin	Win32/Nimnul.f
Avira	W32/Jadtre.B
MAX	malware (ai score=80)
Antiy-AVL	Virus/Win32.Nimnul.f
Gridinsoft	Trojan.Heur!.03002201
Microsoft	Virus:Win32/Mikcer.B
AegisLab	Virus.Win32.Nimnul.m1R5
ZoneAlarm	Virus.Win32.Nimnul.f
GData	Win32.Virus.Wapomi.A
Cynet	Malicious (score: 100)
AhnLab-V3	Win32/VJadtre.Gen
VBA32	Virus.Nimnul.19209
ALYac	Win32.VJadtre.3

暂无二进制图像该样本未生成二进制可视化图像

暂无运行截图该样本运行过程中未生成截图

👋 欢迎使用 ChatHawk

我是您的恶意软件分析助手，可以帮您分析和解读恶意软件报告。请随时向我提问！

🔍 主要威胁分析

⚡ 行为特征

🛡️ 防护建议

🔧 技术手段

🎯 检测方法

🤖

Static Analysis
Strings

PE Compile Time

2016-08-09 02:34:01

Imports

Library MiKTeX209-app.dll:

• 0x40e0a0 ?Finalize@Application@App@MiKTeX@@UAEXXZ

• 0x40e0a4 ??0Application@App@MiKTeX@@QAE@XZ

• 0x40e0a8 ?Sorry@Application@App@MiKTeX@@SAXABV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@ABVMiKTeXException@Core@3@@Z

• 0x40e0ac ?Sorry@Application@App@MiKTeX@@SAXABV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@ABVexception@5@@Z

• 0x40e0b0 ??1Application@App@MiKTeX@@UAE@XZ

• 0x40e0b4 ?Init@Application@App@MiKTeX@@UAEXAAV?$vector@PADV?$allocator@PAD@std@@@std@@@Z

Library MiKTeX209-fontconfig.dll:

• 0x40e0e8 FcPatternFormat

• 0x40e0ec FcStrFree

• 0x40e0f0 FcObjectSetDestroy

• 0x40e0f4 FcFontMatch

• 0x40e0f8 FcFontRenderPrepare

• 0x40e0fc FcFontSort

• 0x40e100 FcObjectSetCreate

• 0x40e104 FcFini

• 0x40e108 FcPatternDestroy

• 0x40e10c FcPatternFilter

• 0x40e110 FcPatternCreate

• 0x40e114 FcNameParse

• 0x40e118 FcFontSetAdd

• 0x40e11c FcFontSetDestroy

• 0x40e120 FcFontSetCreate

• 0x40e124 FcObjectSetAdd

• 0x40e128 FcFontSetSortDestroy

• 0x40e12c FcDefaultSubstitute

• 0x40e130 FcPatternPrint

• 0x40e134 FcConfigSubstitute

Library MiKTeX209-getopt.dll:

• 0x40e174 getopt_long

• 0x40e178 MIKTEX_GETOPT_optind

• 0x40e17c MIKTEX_GETOPT_optarg

Library MiKTeX209-util.dll:

• 0x40e1ac ?WideCharToUTF8@StringUtil@Util@MiKTeX@@SA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@PB_W@Z

Library MSVCP140.dll:

• 0x40e068 ?_Xbad_alloc@std@@YAXXZ

• 0x40e06c ?_Xout_of_range@std@@YAXPBD@Z

• 0x40e070 ?_Xlength_error@std@@YAXPBD@Z

Library VCRUNTIME140.dll:

• 0x40e1dc memset

• 0x40e1e0 _except_handler4_common

• 0x40e1e4 __std_exception_destroy

• 0x40e1e8 __std_exception_copy

• 0x40e1ec memmove

• 0x40e1f0 _CxxThrowException

• 0x40e1f4 __CxxFrameHandler3

• 0x40e1f8 memcpy

• 0x40e1fc __std_type_info_destroy_list

Library api-ms-win-crt-runtime-l1-1-0.dll:

• 0x40e2cc _initterm

• 0x40e2d0 _initterm_e

• 0x40e2d4 _exit

• 0x40e2d8 _initialize_onexit_table

• 0x40e2dc __p___argc

• 0x40e2e0 __p___wargv

• 0x40e2e4 _set_app_type

• 0x40e2e8 _register_thread_local_exe_atexit_callback

• 0x40e2ec _execute_onexit_table

• 0x40e2f0 _seh_filter_exe

• 0x40e2f4 _initialize_narrow_environment

• 0x40e2f8 terminate

• 0x40e2fc _controlfp_s

• 0x40e300 _configure_narrow_argv

• 0x40e304 _seh_filter_dll

• 0x40e308 _cexit

• 0x40e30c _initialize_wide_environment

• 0x40e310 _configure_wide_argv

• 0x40e314 _crt_at_quick_exit

• 0x40e318 _c_exit

• 0x40e31c _crt_atexit

• 0x40e320 _invalid_parameter_noinfo_noreturn

• 0x40e324 _get_initial_wide_environment

• 0x40e328 _register_onexit_function

• 0x40e32c exit

Library api-ms-win-crt-stdio-l1-1-0.dll:

• 0x40e370 __acrt_iob_func

• 0x40e374 __p__commode

• 0x40e378 _set_fmode

• 0x40e37c __stdio_common_vfprintf

• 0x40e380 fputs

Library api-ms-win-crt-heap-l1-1-0.dll:

• 0x40e230 _callnewh

• 0x40e234 free

• 0x40e238 _set_new_mode

• 0x40e23c malloc

Library api-ms-win-crt-math-l1-1-0.dll:

• 0x40e29c __setusermatherr

Library api-ms-win-crt-locale-l1-1-0.dll:

• 0x40e26c _configthreadlocale

Library api-ms-win-crt-string-l1-1-0.dll:

• 0x40e3b4 _strdup

Library KERNEL32.dll:

• 0x40e000 IsProcessorFeaturePresent

• 0x40e004 IsDebuggerPresent

• 0x40e008 UnhandledExceptionFilter

• 0x40e00c SetUnhandledExceptionFilter

• 0x40e010 GetStartupInfoW

• 0x40e014 GetModuleHandleW

• 0x40e018 InitializeSListHead

• 0x40e01c GetSystemTimeAsFileTime

• 0x40e020 GetCurrentThreadId

• 0x40e024 GetCurrentProcessId

• 0x40e028 QueryPerformanceCounter

• 0x40e02c TerminateProcess

• 0x40e030 GetCurrentProcess

Hosts

No hosts contacted.

DNS

Name	Response	Post-Analysis Lookup
dns.msftncsi.com	A 131.107.255.255	131.107.255.255
dns.msftncsi.com	AAAA fd3e:4f5a:5b81::1	131.107.255.255
teredo.ipv6.microsoft.com		127.0.0.1

TCP

No TCP connections recorded.

UDP

Source	Source Port	Destination	Destination Port
192.168.56.101	49235	114.114.114.114	53
192.168.56.101	50534	114.114.114.114	53
192.168.56.101	56539	114.114.114.114	53
192.168.56.101	65004	114.114.114.114	53
192.168.56.101	137	192.168.56.255	137
192.168.56.101	138	192.168.56.255	138
192.168.56.101	55368	224.0.0.252	5355
192.168.56.101	56804	224.0.0.252	5355
192.168.56.101	60123	224.0.0.252	5355
192.168.56.101	62191	224.0.0.252	5355
192.168.56.101	1900	239.255.255.250	1900
192.168.56.101	50535	239.255.255.250	3702
192.168.56.101	56540	239.255.255.250	3702
192.168.56.101	56807	239.255.255.250	1900
192.168.56.101	58707	239.255.255.250	3702

HTTP & HTTPS Requests

No HTTP requests performed.

ICMP traffic

No ICMP traffic performed.

IRC traffic

No IRC requests performed.

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

Snort Alerts

No Snort Alerts

Sorry! No dropped files.

Sorry! No dropped buffers.