1.1
低危
DACN
0.12
FACILE
1.00
IMCLNet
0.53
MFGraph
0.00
反病毒引擎
| 查杀引擎 | 查杀结果 | 查杀时间 | 查杀版本 |
|---|---|---|---|
| Alibaba | None | 20190527 | 0.3.0.5 |
| Baidu | Win32.Backdoor.Agent.es | 20190318 | 1.0.0.2 |
| CrowdStrike | win/malicious_confidence_100% (D) | 20190702 | 1.0 |
| Kingsoft | None | 20200909 | 2013.8.14.323 |
| McAfee | GenericRXAI-SO!DEABD75BC63F | 20200909 | 6.0.6.653 |
| Tencent | Trojan.TenThief.SSDT.bye | 20200909 | 1.0.0.1 |
静态指标
可执行文件包含未知的 PE 段名称,可能指示打包器(可能是误报)
(4 个事件)
| section | .text\x00\x12 |
| section | .data\x00\x12 |
| section | .tls\x00\x00\x12 |
| section | .rsrc\x00\x12 |
一个或多个进程崩溃
(1 个事件)
动态指标
网络通信
与未执行 DNS 查询的主机进行通信
(1 个事件)
| host | 114.114.114.114 | |||
文件已被 VirusTotal 上 54 个反病毒引擎识别为恶意
(50 out of 54 个事件)
| ALYac | Generic.SysHijack.15A8C2F9 |
| APEX | Malicious |
| AVG | Win32:Evo-gen [Susp] |
| Acronis | suspicious |
| Ad-Aware | Generic.SysHijack.15A8C2F9 |
| AhnLab-V3 | Trojan/Win32.CSon.R2204 |
| Antiy-AVL | Trojan[Backdoor]/Win32.Yoddos.an |
| Arcabit | Generic.SysHijack.15A8C2F9 |
| Avira | WORM/Rbot.Gen |
| Baidu | Win32.Backdoor.Agent.es |
| BitDefender | Generic.SysHijack.15A8C2F9 |
| Bkav | W32.TheftProKM2.Rootkit |
| CAT-QuickHeal | Trojan.SysHijack.c4 |
| ClamAV | Win.Downloader.119706-1 |
| Comodo | TrojWare.Win32.TrojanDownloader.Small.DG@1d0x87 |
| CrowdStrike | win/malicious_confidence_100% (D) |
| Cylance | Unsafe |
| Cynet | Malicious (score: 100) |
| Cyren | W32/QQhelper.C.gen!Eldorado |
| DrWeb | BackDoor.Darkshell.246 |
| ESET-NOD32 | a variant of Win32/Agent.NWM |
| Elastic | malicious (high confidence) |
| F-Secure | Trojan:W32/SystemHijack.gen!A |
| Fortinet | W32/Agent.AWE!tr |
| GData | Generic.SysHijack.15A8C2F9 |
| Ikarus | possible-Threat.Tool |
| Invincea | ML/PE-A + Mal/Emogen-Y |
| Jiangmin | TrojanDropper.Agent.ygl |
| K7AntiVirus | Trojan ( 002443921 ) |
| K7GW | Trojan ( 002443921 ) |
| Kaspersky | Backdoor.Win32.Yoddos.an |
| MAX | malware (ai score=81) |
| McAfee | GenericRXAI-SO!DEABD75BC63F |
| MicroWorld-eScan | Generic.SysHijack.15A8C2F9 |
| Microsoft | Trojan:Win32/Yoddos.A |
| NANO-Antivirus | Trojan.Win32.Scar.bjumn |
| Panda | W32/P2PWorm.QD.worm |
| Qihoo-360 | Backdoor.Win32.Agent.BP |
| Rising | Backdoor.UUBeat!1.6486 (CLASSIC) |
| Sangfor | Malware |
| SentinelOne | DFI - Malicious PE |
| Sophos | Mal/Emogen-Y |
| Symantec | ML.Attribute.HighConfidence |
| Tencent | Trojan.TenThief.SSDT.bye |
| TotalDefense | Win32/Yoddos.B |
| TrendMicro | BKDR_YODDOS.SM |
| TrendMicro-HouseCall | BKDR_YODDOS.SM |
| VBA32 | BScope.Trojan.Packed |
| VIPRE | Trojan.Win32.Generic!BT |
| Webroot | W32.Trojan.Yoddos |
二进制图像
288x288
224x224
192x192
160x160
128x128
96x96
64x64
32x32
运行截图
暂无运行截图
该样本运行过程中未生成截图
PE Compile Time
2009-06-27 19:25:33
PE Imphash
b688b217446985a3e6405e2b615540aa
Sections
| Name | Virtual Address | Virtual Size | Size of Raw Data | Entropy |
|---|---|---|---|---|
| .text\x00\x12 | 0x00001000 | 0x000048a5 | 0x00004a00 | 6.239627278167547 |
| .rdata | 0x00006000 | 0x00000c86 | 0x00000e00 | 3.538334286665136 |
| .data\x00\x12 | 0x00007000 | 0x00002b3c | 0x00001a00 | 5.66490785103746 |
| .tls\x00\x00\x12 | 0x0000a000 | 0x00001000 | 0x00001000 | 3.429642363371091 |
| .rsrc\x00\x12 | 0x0000b000 | 0x00000260 | 0x00000400 | 4.223514597753271 |
| .reloc | 0x0000c000 | 0x00000018 | 0x00000200 | 0.19977565608732903 |
Imports
Library advapi32.dll:
• 0x406000 RegOpenKeyExA
• 0x406004 RegQueryValueExA
• 0x406008 DeleteService
• 0x40600c CreateServiceA
• 0x406010 RegOpenKeyA
• 0x406014 RegSetValueExA
• 0x406018 RegCloseKey
• 0x40601c RegisterServiceCtrlHandlerA
• 0x406020 SetServiceStatus
• 0x406024 StartServiceCtrlDispatcherA
• 0x406028 ControlService
• 0x40602c OpenSCManagerA
• 0x406030 OpenServiceA
• 0x406034 StartServiceA
• 0x406038 CloseServiceHandle
• 0x40603c OpenProcessToken
• 0x406040 LookupPrivilegeValueA
• 0x406044 AdjustTokenPrivileges
Library kernel32.dll:
• 0x40604c FreeLibrary
• 0x406050 GetProcAddress
• 0x406054 LoadLibraryA
• 0x406058 GetSystemDirectoryA
• 0x40605c GetStartupInfoA
• 0x406060 lstrcpy
• 0x406064 Sleep
• 0x406068 GetTickCount
• 0x40606c ResumeThread
• 0x406070 CreateProcessA
• 0x406074 SetThreadPriority
• 0x406078 GetCurrentThread
• 0x40607c SetPriorityClass
• 0x406080 GetCurrentProcess
• 0x406084 lstrcat
• 0x406088 GetShortPathNameA
• 0x40608c GetModuleFileNameA
• 0x406090 GetEnvironmentVariableA
• 0x406094 CloseHandle
• 0x406098 TerminateProcess
• 0x40609c CreateFileA
• 0x4060a0 CopyFileA
• 0x4060a4 GetLastError
• 0x4060a8 DeviceIoControl
• 0x4060ac GlobalFree
• 0x4060b0 LoadLibraryExA
• 0x4060b4 GlobalAlloc
• 0x4060b8 GetModuleHandleA
• 0x4060bc WriteFile
• 0x4060c0 ReadFile
• 0x4060c4 GetFileSize
• 0x4060c8 SetFileAttributesA
• 0x4060cc ExitProcess
• 0x4060d0 lstrcmpi
• 0x4060d4 SetErrorMode
• 0x4060d8 lstrlen
• 0x4060dc WaitForSingleObject
• 0x4060e0 CreateThread
• 0x4060e4 CreateMutexA
• 0x4060e8 DeleteFileA
• 0x4060ec ReleaseMutex
• 0x4060f0 OpenMutexA
• 0x4060f4 InterlockedExchange
• 0x4060f8 OutputDebugStringA
• 0x4060fc GetSystemDefaultUILanguage
• 0x406100 GlobalMemoryStatusEx
• 0x406104 GetCurrentProcessId
• 0x406108 VirtualAlloc
• 0x40610c VirtualQueryEx
• 0x406110 ReadProcessMemory
• 0x406114 GetThreadContext
• 0x406118 SetThreadContext
• 0x40611c WriteProcessMemory
• 0x406120 VirtualProtectEx
• 0x406124 VirtualFree
• 0x406128 GetWindowsDirectoryA
• 0x40612c GetVersionExA
Library msvcrt.dll:
• 0x406134 _ui64toa
• 0x406138 strcspn
• 0x40613c atoi
• 0x406140 _except_handler3
• 0x406144 sprintf
• 0x406148 memmove
• 0x40614c _exit
• 0x406150 _XcptFilter
• 0x406154 exit
• 0x406158 _acmdln
• 0x40615c __getmainargs
• 0x406160 _initterm
• 0x406164 __setusermatherr
• 0x406168 _adjust_fdiv
• 0x40616c __p__commode
• 0x406170 __p__fmode
• 0x406174 __set_app_type
• 0x406178 _controlfp
• 0x40617c _strlwr
• 0x406180 _strnicmp
• 0x406184 __CxxFrameHandler
• 0x406188 ??3@YAXPAX@Z
• 0x40618c puts
• 0x406190 rand
• 0x406194 srand
• 0x406198 strncpy
• 0x40619c ??2@YAPAXI@Z
• 0x4061a0 strstr
• 0x4061a4 printf
Library shell32.dll:
• 0x4061ac ShellExecuteA
Library shlwapi.dll:
• 0x4061b4 SHDeleteKeyA
Library ws2_32.dll:
• 0x4061cc WSASocketA
• 0x4061d0 htonl
• 0x4061d4 sendto
• 0x4061d8 inet_addr
• 0x4061dc setsockopt
• 0x4061e0 socket
• 0x4061e4 htons
• 0x4061e8 connect
• 0x4061ec send
• 0x4061f0 select
• 0x4061f4 __WSAFDIsSet
• 0x4061f8 recv
• 0x4061fc shutdown
• 0x406200 WSAIoctl
• 0x406204 gethostbyname
• 0x406208 closesocket
• 0x40620c WSAStartup
L!This program cannot be run in DOS mode.
ggg{g9{gEGgEGgg2gyhgRxg}agRichg
.rdata
.reloc
U@SVWEj@P
VWh\p@
3|$ T$
SUW=P`@
RUT$$UT$
SUV5T`@
3|$lfD$
3IQL$pRQ
SU_^][\
f8MZuCH<
WL$$PT$
QRUD$
T$(;u4f|(
tI)ft$
UL$$D(
SUVWD$
_^][ +PU
T$0D$$RL$8PQU2T$4
D$4RVPL$$L$$QVh@
F;j8rVh@
_^][ h@
t5SVh
v3WPD$
.aonI(
8=h(,IRWP,W9
t4Ht Hh
,D$ P$7
t3T$ j
PL$(PQhDq@
D$ Ph0@
HtWHt+Hui@
SVW3uu
VVVVVE
SUVWh0@
3|$D$D
+T$4T$4
T$4hL@
T$4hL@
D$4hL@
$t/3hH@
VfL$ PT$ VR
L$(fD$
fD$"D$ PV
3IQh0@
L$,QS$@
SSSh@4@
SSSh@4@
t"3;~
SSSh0:@
@t"3;~
SSSh5@
SSShP8@
SSSh;@
F;|SSSh<@
t#SSSh<@
SSSSShp=@
SSSh<@
SSSh >@
t"3;~
SSSh@C@
@t"3;~
SSSh@@
SSShD@
RPD$$D3"
L$4h,@
L$<PQj
|$|L$|D$|
L$<D$<@
|$$D$(j
RL$(T$
RQT$ D$
UVWD$p
L$IL$M
L$MD$D
L$QfL$UL$W
D$0PfL$6L$`D$a=h`@
D$DPfD$
|$hQt$ |$$fD$&
fD$6fD$8
t$t|$xfD$bT$`
D$tT$|j P
|$|fD$<
L$8T$dj
([_^3]d
SUD$HVPh
U\$(3h@
D$ D$$D$(h
fD$,|@
3;f\$.up=h`@
T$(j(RD$8
fD$*D$
t_^]3[
D$0SPV
T$(SRV
j5D$03D$ fD$
D$$D$(D$,h@
|$EfD$
3\$Df9
L$<L$@L$DL$HL$Li
D44F;|f
D$PT$H
t$4|$Yl$L
T$W\$Xf
PD$XPQ
QD$ fD$
3|$ jx
RT$(h$@
D$$QPS
T$$PRV
VW=d`@
QD$$fD$
3T$xSVW@
3|$$h4@
VPT$0VR
L$ L$$
T$(RL$,PT$PQR$
k]_^3[
3T$|SVW@
3|$(h4@
VPT$4VR
RL$ fD$
L$$L$(
T$,RL$0P$
]_^3[D
3|$!T$ f@
L$ Ph@
SU-d`@
IT$,QRV
r^][3_
UVWhp@
WD$$hp@
|$$3f|$$j
D$,QPh@
QD$ fD$
t_^]3[
t_^]3[
33SUVW|$$
9|$ D$
T$$u_^][
C\$(\$
/\$$G;
_L$(][_
3ANu[^
AD$ AT$
AD$0AT$
AD$,AT$(
T$,T$(
F\$(D$
T$(O:u
T$,O:u
T$0O:u
WF8NTPQf~
v{T$ j
;wmMt+Ut
UV@WL$
WVPUL$(
(IuRUP
|$,l$0
H8PTQL$
3|$8T$8D$
PPD$4P$
+0^[_]t
T$,QRPD$
9G4u"L$$;r
Rj@QPD$ P
PUW`D$
G4QSUPR
L$ ;D$(
L$ PD$
t{twSVWj
L$$T$ QL$
PQL$ D$
RT$ PQR
tFD$ L$
RT$(PQRL$
PUjh(b@
hSVWe3
EEP5 @
EPEPEP
0u>"u:Fu
<"u>"u
> vFuj
YY3%xa@
WSAIoctl
wf+13)+
w7f+~+~
wfw &wf)r5
wfw &wf)r=
wfw &wf)r
wfw &wf)r
wfw &wf)r
+<S[E3!
GQ2yUBU"
BtUJU"H
UhO/D$8
DnsFlushResolverCache
dnsapi.dll
\svchost.exe
CreateProcessInternalA
kernel32.dll
> nul
/C del
COMSPEC
JiangMin
InternetReadFile
InternetCloseHandle
InternetOpenUrlA
InternetOpenA
wininet.dll
WinSta0\Default
GetUrlCacheEntryInfoA
URLDownloadToCacheFileA
urlmon.dll
ShellExecuteA
Shell32.dll
L!This program cannot be run in DOS mode.
tEEP5 @
4UUUUUUfZ
UURichU
h.rdata
H.data
.reloc
N<"u>"u
t';Ms"
1E3PeuEEEEd
Y__^[]Q
E_^[]E
TSVWT$
URPQQh
t.T$4t
;v!4v\
UVWS33333[_^]
33333USVWj
_^[]Ul$
[RepairSSDT] Unloaded
[RepairSSDT] IRP_MJ_CREATE
[RepairSSDT] IRP_MJ_CLOSE
[DispatchIoctl]
rtyutjgkjguityutuczxcvasdfawerrrwrw 0x%x
assdfasdfhjlkhjklyuioyuiodwe 0x%x
[RepairSSDT] DriverEntry
c:\winddk\demo\repairssdt\bin\i386\RepairSSDT.pdb
DbgPrint
IoDeleteDevice
IoDeleteSymbolicLink
RtlInitUnicodeString
IofCompleteRequest
KeServiceDescriptorTable
IoCreateSymbolicLink
IoIsWdmVersionAvailable
IoCreateDevice
KeTickCount
ntoskrnl.exe
RtlUnwind
KeBugCheckEx
4444444
5-5[5k55
6'6/666=6D6]6i6~666666666R70888899
>$>)>2>9>
No fixups!
relo type %d found at .%X
strange NtQuerySystemInformation()!
Possibly KiServiceLimit==%08X
0x%x 0x%08X
&KiServiceTable==%08X
Dumping 'old' ServiceTable:
Can't find KiServiceTable...
Can't find KeServiceDescriptorTable
KeServiceDescriptorTable
Failed to load! LastError=%i
ntdll.dll
NtQuerySystemInformation
\\.\Dark2118
Start beep service ok
PCIDump
Load driver failed!
\drivers\PCIDump.sys
a,>g7{]
tBU}mv
$!IoFo
QM#bM,
UU5'uwb
*%I:ZJF|!
:#}l(Y
RX^g}Xo
N5Au\kt
R[VY6Sko+vu>8,
p4Sv{H,"i_w/4vkmon.dll
Description
SYSTEM\CurrentControlSet\Services\%s
SeShutdownPrivilege
Vip201101
%s SP%d
Win 98
Win 95
Win NT
Win 2000
Win XP
Win 2003
Win Vista
Find CPU Error
ProcessorNameString
HARDWARE\DESCRIPTION\System\CentralProcessor\0
%u.193.%d.%d
#%d<<<<<I@C<<<<<%s!
GET %s HTTP/1.1
Accept: */*
Accept-Language: zh-cn
Accept-Encoding: gzip, deflate
Host: %s:%d
Cache-Control: no-cache
Pragma: no-cache
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows 5.1)
Referer: http://%s
Connection: Keep-Alive
http://
GET / HTTP/1.1
Host: %s:%d
Pragma: no-cache
Connection: Keep-Alive
Cache-Control: no-cache
Referer: http://www.google.com
xq1986
Kernel32.dll
VirtualAllocEx
ZwUnmapViewOfSection
\Program Files\Internet Explorer\iexplore.exe
\explorer.exe
\Program Files\Internet Explorer\
advapi32.dll
RegOpenKeyExA
RegQueryValueExA
DeleteService
CreateServiceA
RegOpenKeyA
RegSetValueExA
RegCloseKey
RegisterServiceCtrlHandlerA
SetServiceStatus
StartServiceCtrlDispatcherA
ControlService
OpenSCManagerA
OpenServiceA
StartServiceA
CloseServiceHandle
OpenProcessToken
LookupPrivilegeValueA
AdjustTokenPrivileges
kernel32.dll
FreeLibrary
GetProcAddress
LoadLibraryA
GetSystemDirectoryA
GetStartupInfoA
lstrcpy
GetTickCount
ResumeThread
CreateProcessA
SetThreadPriority
GetCurrentThread
SetPriorityClass
GetCurrentProcess
lstrcat
GetShortPathNameA
GetModuleFileNameA
GetEnvironmentVariableA
CloseHandle
TerminateProcess
CreateFileA
CopyFileA
GetLastError
DeviceIoControl
GlobalFree
LoadLibraryExA
GlobalAlloc
GetModuleHandleA
WriteFile
ReadFile
GetFileSize
SetFileAttributesA
ExitProcess
lstrcmpi
SetErrorMode
lstrlen
WaitForSingleObject
CreateThread
CreateMutexA
DeleteFileA
ReleaseMutex
OpenMutexA
InterlockedExchange
OutputDebugStringA
GetSystemDefaultUILanguage
GlobalMemoryStatusEx
GetCurrentProcessId
VirtualAlloc
VirtualQueryEx
ReadProcessMemory
GetThreadContext
SetThreadContext
WriteProcessMemory
VirtualProtectEx
VirtualFree
GetWindowsDirectoryA
GetVersionExA
msvcrt.dll
_ui64toa
strcspn
_except_handler3
sprintf
memmove
_XcptFilter
_acmdln
__getmainargs
_initterm
__setusermatherr
_adjust_fdiv
__p__commode
__p__fmode
__set_app_type
_controlfp
_strlwr
_strnicmp
__CxxFrameHandler
??3@YAXPAX@Z
strncpy
??2@YAPAXI@Z
strstr
printf
shell32.dll
ShellExecuteA
shlwapi.dll
SHDeleteKeyA
user32.dll
ExitWindowsEx
wsprintfA
wvsprintfA
ws2_32.dll
WSASocketA
sendto
inet_addr
setsockopt
socket
connect
select
__WSAFDIsSet
shutdown
WSAIoctl
gethostbyname
closesocket
WSAStartup
h<$`D$,
h,``d$DD
4$UPD$
$d$ a`d$$5t$
a`t$ $
h%fD$@
D$Lh4t$PT
:`d$(``D$
a`d$ 5
l $>Bx.z@s
\�D�o�s�D�e�v�i�c�e�s�\�D�a�r�k�2�1�1�8�
\�D�o�s�D�e�v�i�c�e�s�\�G�l�o�b�a�l�\�D�a�r�k�2�1�1�8�
\�D�e�v�i�c�e�\�d�e�v�R�e�p�a�i�r�S�S�D�T�
Process Tree
- 03eba9740cfdaa44e541f6c7426ca61a18526355ab836fba83f3757370cdab28.exe (2660) "C:\Users\Administrator\AppData\Local\Temp\03eba9740cfdaa44e541f6c7426ca61a18526355ab836fba83f3757370cdab28.exe"
Hosts
| IP |
|---|
| 114.114.114.114 |
DNS
| Name | Response | Post-Analysis Lookup |
|---|---|---|
| dns.msftncsi.com | A 131.107.255.255 | 131.107.255.255 |
| dns.msftncsi.com | AAAA fd3e:4f5a:5b81::1 | 131.107.255.255 |
TCP
No TCP connections recorded.
UDP
| Source | Source Port | Destination | Destination Port |
|---|---|---|---|
| 192.168.56.101 | 53179 | 224.0.0.252 | 5355 |
| 192.168.56.101 | 49642 | 224.0.0.252 | 5355 |
| 192.168.56.101 | 137 | 192.168.56.255 | 137 |
| 192.168.56.101 | 61714 | 114.114.114.114 | 53 |
| 192.168.56.101 | 56933 | 114.114.114.114 | 53 |
HTTP & HTTPS Requests
No HTTP requests performed.
ICMP traffic
No ICMP traffic performed.
IRC traffic
No IRC requests performed.
Suricata Alerts
No Suricata Alerts
Suricata TLS
No Suricata TLS
Snort Alerts
No Snort Alerts
Sorry! No dropped files.
Sorry! No dropped buffers.