1. You can upload any file, but there is a 20 MB limit per file.
2. VirSCAN supports RAR/ZIP decompression, but the archive must contain fewer than 20 files.
3. VirSCAN can scan password-protected archives whose password is 'infected' or 'virus'.
- File name: aaa.apk (File not down)
- File size: 21580 bytes
- File type: application/zip
- MD5: dfbe3bc3daa6ced5ff7ff0460e197c22
- SHA1: 4e77bb2019211adaf83d188bbc5ec878573d9848
- Scanner results: 9% of scanners (3/32) found malware!
- Behavior analysis report: Habo file analysis
- Time: 2016-05-20 15:56:08 (CST)
Scanner | Engine Ver | Sig Ver | Sig Date | Scan result | Time
---|---|---|---|---|---
antiy | AVL SDK 3.0 | | 1970-01-01 | Found nothing | 5
asquared | 9.0.0.4324 | 9.0.0.4324 | 2014-07-03 | Found nothing | 1 |
avast | 150725-1 | 4.7.4 | 2015-07-25 | Found nothing | 60 |
avg | 2109/8133 | 10.0.1405 | 2014-11-26 | Found nothing | 60 |
baidu | 2.0.1.0 | 4.1.3.52192 | 2.0.1.0 | Found nothing | 5 |
baidusd | 1.0 | 1.0 | 2014-04-02 | Found nothing | 1 |
bitdefender | 7.58469 | 7.90123 | 2014-12-25 | Found nothing | 60 |
clamav | 19861 | 0.97.5 | 2014-12-31 | Found nothing | 60 |
drweb | 5.0.2.3300 | 5.0.1.1 | 2014-12-31 | Found nothing | 60 |
fortinet | 23.345, 23.345 | 5.1.158 | 2014-12-08 | Found nothing | 60 |
fprot | 4.6.2.117 | 6.5.1.5418 | 2014-12-31 | Found nothing | 60 |
fsecure | 2014-04-02-01 | 9.13 | 2014-04-02 | Found nothing | 60 |
gdata | 25.6643 | 25.6643 | 2016-05-19 | Android.Trojan.AutoSMS.MN | 8 |
ikarus | 1.06.01 | V1.32.31.0 | 2014-12-08 | Found nothing | 60 |
jiangmin | 16.0.100 | 1.0.0.0 | 2015-07-25 | Found nothing | 40 |
kaspersky | 5.5.33 | 5.5.33 | 2014-04-01 | Found nothing | 60 |
kingsoft | 2.1 | 2.1 | 2013-09-22 | Android.Troj.iSMS.af.(kcloud) | 4 |
mcafee | 7638 | 5400.1158 | 2014-11-30 | Found nothing | 60 |
nod32 | 0920 | 3.0.21 | 2014-12-23 | Found nothing | 60 |
panda | 9.05.01 | 9.05.01 | 2015-07-26 | Found nothing | 4 |
pcc | 11.380.07 | 9.500-1005 | 2014-12-31 | Found nothing | 60 |
qh360 | 1.0.1 | 1.0.1 | 1.0.1 | Found nothing | 3 |
qqphone | 1.0.0.0 | 1.0.0.0 | 2014-12-09 | Found nothing | 60 |
quickheal | 14.00 | 14.00 | 2015-07-25 | Android.Agent.DB | 2 |
rising | 25.76.04.01 | 25.76.04.01 | 2015-07-24 | Found nothing | 1 |
sophos | 5.08 | 3.55.0 | 2014-12-01 | Found nothing | 60 |
symantec | 20141230.001 | 1.3.0.24 | 2014-12-30 | Found nothing | 60 |
tachyon | 9.9.9 | 9.9.9 | 2013-12-27 | Found nothing | 3 |
thehacker | 6.8.0.5 | 6.8.0.5 | 2015-07-23 | Found nothing | 1 |
tws | 17.47.17308 | 1.0.2.2108 | 2014-12-08 | Found nothing | 13 |
vba | 3.12.26.3 | 3.12.26.3 | 2014-12-31 | Found nothing | 60 |
virusbuster | 15.0.985.0 | 5.5.2.13 | 2014-12-05 | Found nothing | 60 |
Permission list

Permission name | Description
---|---
android.permission.READ_LOGS | Read system logs
android.permission.KILL_BACKGROUND_PROCESSES | Kill background processes
android.permission.RESTART_PACKAGES | Restart other applications
android.permission.SYSTEM_ALERT_WINDOW | Display system-level windows
android.permission.READ_PHONE_STATE | Read phone state
android.permission.RECEIVE_BOOT_COMPLETED | Receive the boot-completed broadcast
android.permission.WRITE_EXTERNAL_STORAGE | Write external storage (e.g. SD card)
android.permission.READ_EXTERNAL_STORAGE | Read external storage (e.g. SD card)
android.permission.RECEIVE_USER_PRESENT |
android.permission.RECEIVE_SMS | Monitor incoming SMS
android.permission.SEND_SMS | Send SMS
android.permission.READ_SMS | Read SMS
android.permission.WRITE_SMS | Write SMS
android.permission.ACCESS_FINE_LOCATION | Obtain precise location (via GPS)
Security score:

Basic information

- MD5: dfbe3bc3daa6ced5ff7ff0460e197c22
- Package name: com.qihoo360.moqesds
- Minimum runtime environment: Android 2.2.x
- Copyright:
Key behaviors

- Detect whether Virtual PC is present
  - N/A
- Attempt to open the driver device objects of a debugger or monitoring software
  - `\??\SICE`
  - `\??\SIWVID`
  - `\??\NTICE`
- Read the TickCount value
  - `TickCount = 1076784, SleepMilliseconds = 50.`
  - `TickCount = 1076800, SleepMilliseconds = 50.`
  - `TickCount = 1076846, SleepMilliseconds = 50.`
  - `TickCount = 1076862, SleepMilliseconds = 50.`
  - `TickCount = 1077534, SleepMilliseconds = 50.`
  - `TickCount = 1077612, SleepMilliseconds = 50.`
  - `TickCount = 1077628, SleepMilliseconds = 50.`
  - `TickCount = 1077643, SleepMilliseconds = 50.`
  - `TickCount = 1077659, SleepMilliseconds = 50.`
  - `TickCount = 1077675, SleepMilliseconds = 50.`
  - `TickCount = 1077690, SleepMilliseconds = 50.`
  - `TickCount = 1077706, SleepMilliseconds = 50.`
  - `TickCount = 1077721, SleepMilliseconds = 50.`
  - `TickCount = 1077737, SleepMilliseconds = 50.`
  - `TickCount = 1077753, SleepMilliseconds = 50.`
- Set special folder attributes
  - `C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files`
  - `C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5`
  - `C:\Documents and Settings\Administrator\Local Settings\History`
  - `C:\Documents and Settings\Administrator\Local Settings\History\History.IE5`
  - `C:\Documents and Settings\Administrator\Cookies`
  - `C:\Documents and Settings\Administrator\IETldCache`
- Look up a specified kernel module
  - `lstrcmpiA: ntice.sys <------> ntkrnlpa.exe Des: SoftICE驱动`
  - `lstrcmpiA: ntice.sys <------> hal.dll Des: SoftICE驱动`
  - `lstrcmpiA: ntice.sys <------> KDCOM.DLL Des: SoftICE驱动`
  - `lstrcmpiA: ntice.sys <------> BOOTVID.dll Des: SoftICE驱动`
  - `lstrcmpiA: ntice.sys <------> ACPI.sys Des: SoftICE驱动`
  - `lstrcmpiA: ntice.sys <------> WMILIB.SYS Des: SoftICE驱动`
  - `lstrcmpiA: ntice.sys <------> pci.sys Des: SoftICE驱动`
  - `lstrcmpiA: ntice.sys <------> isapnp.sys Des: SoftICE驱动`
  - `lstrcmpiA: ntice.sys <------> compbatt.sys Des: SoftICE驱动`
  - `lstrcmpiA: ntice.sys <------> BATTC.SYS Des: SoftICE驱动`
  - `lstrcmpiA: ntice.sys <------> intelide.sys Des: SoftICE驱动`
  - `lstrcmpiA: ntice.sys <------> PCIIDEX.SYS Des: SoftICE驱动`
  - `lstrcmpiA: ntice.sys <------> MountMgr.sys Des: SoftICE驱动`
  - `lstrcmpiA: ntice.sys <------> ftdisk.sys Des: SoftICE驱动`
  - `lstrcmpiA: ntice.sys <------> dmload.sys Des: SoftICE驱动`
- Look for the windows of common anti-virus and analysis tools
  - `NtUserFindWindowEx: [Class,Window] = [OLLYDBG,]`
  - `NtUserFindWindowEx: [Class,Window] = [GBDYLLO,]`
  - `NtUserFindWindowEx: [Class,Window] = [pediy06,]`
  - `NtUserFindWindowEx: [Class,Window] = [FilemonClass,]`
  - `NtUserFindWindowEx: [Class,Window] = [,File Monitor - Sysinternals: www.sysinternals.com]`
  - `NtUserFindWindowEx: [Class,Window] = [PROCMON_WINDOW_CLASS,]`
  - `NtUserFindWindowEx: [Class,Window] = [,Process Monitor - Sysinternals: www.sysinternals.com]`
  - `NtUserFindWindowEx: [Class,Window] = [RegmonClass,]`
  - `NtUserFindWindowEx: [Class,Window] = [,Registry Monitor - Sysinternals: www.sysinternals.com]`
Process behaviors

- Create local thread
  - `TargetProcess: 跑跑火神多功能辅助0515版.exe, InheritedFromPID = 1944, ProcessID = 912, ThreadID = 1532, StartAddress = 0057C3E7, Parameter = 005E3522`
  - `TargetProcess: 跑跑火神多功能辅助0515版.exe, InheritedFromPID = 1944, ProcessID = 912, ThreadID = 1544, StartAddress = 0057C3E7, Parameter = 005E3EC1`
  - `TargetProcess: 跑跑火神多功能辅助0515版.exe, InheritedFromPID = 1944, ProcessID = 912, ThreadID = 1204, StartAddress = 0057C3E7, Parameter = 005E4F84`
  - `TargetProcess: 跑跑火神多功能辅助0515版.exe, InheritedFromPID = 1944, ProcessID = 912, ThreadID = 168, StartAddress = 0057C3E7, Parameter = 005E5A35`
  - `TargetProcess: 跑跑火神多功能辅助0515版.exe, InheritedFromPID = 1944, ProcessID = 912, ThreadID = 1868, StartAddress = 0057C3E7, Parameter = 005E6565`
  - `TargetProcess: 跑跑火神多功能辅助0515版.exe, InheritedFromPID = 1944, ProcessID = 912, ThreadID = 2052, StartAddress = 0057C3E7, Parameter = 005E704B`
  - `TargetProcess: 跑跑火神多功能辅助0515版.exe, InheritedFromPID = 1944, ProcessID = 912, ThreadID = 2056, StartAddress = 0057C3E7, Parameter = 005E7C37`
  - `TargetProcess: 跑跑火神多功能辅助0515版.exe, InheritedFromPID = 1944, ProcessID = 912, ThreadID = 2060, StartAddress = 0057C3E7, Parameter = 005E8745`
  - `TargetProcess: 跑跑火神多功能辅助0515版.exe, InheritedFromPID = 1944, ProcessID = 912, ThreadID = 2064, StartAddress = 0057C3E7, Parameter = 005EBBED`
  - `TargetProcess: 跑跑火神多功能辅助0515版.exe, InheritedFromPID = 1944, ProcessID = 912, ThreadID = 2068, StartAddress = 0057C3E7, Parameter = 005ECC4B`
  - `TargetProcess: 跑跑火神多功能辅助0515版.exe, InheritedFromPID = 1944, ProcessID = 912, ThreadID = 2072, StartAddress = 0057C3E7, Parameter = 005EDD31`
  - `TargetProcess: 跑跑火神多功能辅助0515版.exe, InheritedFromPID = 1944, ProcessID = 912, ThreadID = 2076, StartAddress = 0057C3E7, Parameter = 005EEB82`
  - `TargetProcess: 跑跑火神多功能辅助0515版.exe, InheritedFromPID = 1944, ProcessID = 912, ThreadID = 2080, StartAddress = 0057C3E7, Parameter = 005EFAF3`
  - `TargetProcess: 跑跑火神多功能辅助0515版.exe, InheritedFromPID = 1944, ProcessID = 912, ThreadID = 2084, StartAddress = 0057C3E7, Parameter = 005F144C`
  - `TargetProcess: 跑跑火神多功能辅助0515版.exe, InheritedFromPID = 1944, ProcessID = 912, ThreadID = 2088, StartAddress = 0057C3E7, Parameter = 005F245C`
- Enumerate processes
  - N/A
File behaviors

- Create file
  - `C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\6P4O8QNJ\fzgx[1].txt`
  - `C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\6P4O8QNJ\wpad[1].dat`
  - `C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\6P4O8QNJ\shell_explorer_1[1]`
  - `C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\6P4O8QNJ\navcancl[1]`
  - `C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\C1OS62RY\ErrorPageTemplate[1]`
  - `C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\6TLOMATB\errorPageStrings[1]`
  - `C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\C1OS62RY\httpErrorPagesScripts[1]`
  - `C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\6TLOMATB\background_gradient[1]`
  - `C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\C1OS62RY\info_48[1]`
  - `C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\6TLOMATB\bullet[1]`
  - `C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\6TLOMATB\920hs_com[1]`
- Overwrite existing file
  - `C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\6P4O8QNJ\navcancl[1]`
  - `C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\C1OS62RY\ErrorPageTemplate[1]`
  - `C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\6TLOMATB\errorPageStrings[1]`
  - `C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\C1OS62RY\httpErrorPagesScripts[1]`
  - `C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\6TLOMATB\background_gradient[1]`
  - `C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\C1OS62RY\info_48[1]`
  - `C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\6TLOMATB\bullet[1]`
- Find file
  - `FileName = C:\Documents and Settings`
  - `FileName = C:\Documents and Settings\Administrator`
  - `FileName = C:\Documents and Settings\Administrator\Local Settings`
  - `FileName = C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Connections\Pbk\*.pbk`
  - `FileName = C:\WINDOWS\system32\Ras\*.pbk`
  - `FileName = C:\Documents and Settings\Administrator\Application Data\Microsoft\Network\Connections\Pbk\*.pbk`
  - `FileName = C:\WINDOWS`
  - `FileName = C:\WINDOWS\system32`
  - `FileName = C:\WINDOWS\system32\urlmon.dll`
  - `FileName = C:\WINDOWS\system32\ieframe.dll`
  - `FileName = C:\Documents and Settings\Administrator\Local Settings\History\History.IE5\MSHist012015082520150826\*.*`
- Delete file
  - `C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\6P4O8QNJ\fzgx[1].txt`
  - `C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\6P4O8QNJ\wpad[1].dat`
  - `C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\6P4O8QNJ\shell_explorer_1[1]`
  - `C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\C1OS62RY\navcancl[2]`
  - `C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\6TLOMATB\ErrorPageTemplate[2]`
  - `C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\C1OS62RY\errorPageStrings[1]`
  - `C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\6TLOMATB\httpErrorPagesScripts[1]`
  - `C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\C1OS62RY\background_gradient[2]`
  - `C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\6TLOMATB\info_48[1]`
  - `C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\IUKHR8T2\bullet[1]`
- Set special folder attributes
  - `C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files`
  - `C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5`
  - `C:\Documents and Settings\Administrator\Local Settings\History`
  - `C:\Documents and Settings\Administrator\Local Settings\History\History.IE5`
  - `C:\Documents and Settings\Administrator\Cookies`
  - `C:\Documents and Settings\Administrator\IETldCache`
- Modify file contents
  - `C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\6P4O8QNJ\navcancl[1] ---> Offset = 0`
  - `C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\C1OS62RY\ErrorPageTemplate[1] ---> Offset = 0`
  - `C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\6TLOMATB\errorPageStrings[1] ---> Offset = 0`
  - `C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\C1OS62RY\httpErrorPagesScripts[1] ---> Offset = 0`
  - `C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\6TLOMATB\background_gradient[1] ---> Offset = 0`
  - `C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\C1OS62RY\info_48[1] ---> Offset = 0`
  - `C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\6TLOMATB\bullet[1] ---> Offset = 0`
Network behaviors

- Open a URL over the network
  - `InternetOpenUrlA: http://**.133.40.**:128/wpad.dat, hInternet = 0x00cc0010, Flags = 0x00000010`
- Connect to a specified site
  - `InternetConnectA: ServerName = do****om, PORT = 5120, UserName = , Password = , hSession = 0x00cc0004, hConnect = 0x00cc0008, Flags = 0x00000000`
  - `InternetConnectA: ServerName = sh****.1, PORT = 80, UserName = , Password = , hSession = 0x00cc0004, hConnect = 0x00cc0008, Flags = 0x00000000`
  - `InternetConnectA: ServerName = **.133.40.**, PORT = 128, UserName = , Password = , hSession = 0x00cc0010, hConnect = 0x00cc0014, Flags = 0x00000010`
  - `InternetConnectA: ServerName = ww****om, PORT = 80, UserName = , Password = , hSession = 0x00cc0004, hConnect = 0x00cc0010, Flags = 0x00000000`
- Open an HTTP connection
  - `InternetOpenA: UserAgent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0), hSession = 0x00cc0004`
  - `InternetOpenA: UserAgent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Trident/4.0; .NET CLR 2.0.50727; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729; .NET4.0C; .NET4.0E; KB974489), hSession = 0x00cc0004`
  - `InternetOpenA: UserAgent: Mozilla/4.0 (compatible; MSIE 8.0; Win32; Trident/4.0), hSession = 0x00cc0010`
- Establish a connection to a specified socket
  - `URL: do****om, IP: **.133.40.**:5120, SOCKET = 0x000004fc`
  - `URL: do****om, IP: **.133.40.**:80, SOCKET = 0x000004dc`
  - `URL: do****om, IP: **.133.40.**:80, SOCKET = 0x000004ac`
  - `URL: do****om, IP: **.133.40.**:80, SOCKET = 0x000004b8`
  - `URL: do****om, IP: **.133.40.**:80, SOCKET = 0x000004a0`
  - `URL: wpad, IP: **.133.40.**:128, SOCKET = 0x0000032c`
  - `URL: sh****.1, IP: **.133.40.**:80, SOCKET = 0x0000039c`
  - `URL: sh****.1, IP: **.133.40.**:80, SOCKET = 0x00000220`
  - `URL: ww****om, IP: **.133.40.**:80, SOCKET = 0x00000398`
- Read a network file
  - `hFile = 0x00cc000c, BytesToRead =1024, BytesRead = 1024.`
  - `hFile = 0x00cc0018, BytesToRead =4010, BytesRead = 4010.`
  - `hFile = 0x00cc0014, BytesToRead =2048, BytesRead = 2048.`
- Send an HTTP packet
  - `GET /gx/fzgx.txt HTTP/1.1 Accept: image/gif, image/bmp, image/x-xbitmap, image/jpeg, image/pjpeg, application/x-shockwave-flash, application/vnd.ms-excel, application/vnd.ms-powerpoint, application/msword, */* Referer: http://down.xixihz.com:5120/gx/fzgx.txt Accept-Language: zh-cn User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0) Host: do****om:5120 Cache-Control: no-cache`
  - `GET /2345_34616_34616_deskonly.exe HTTP/1.1 Host: do****om Accept: */* Referer: http://down1.xixihz.com User-Agent: Mozilla/4.0 (compatible; MSIE 5.00; Windows 98) Pragma: no-cache Cache-Control: no-cache Connection: close`
  - `GET /LMIns.exe HTTP/1.1 Host: do****om Accept: */* Referer: http://down1.xixihz.com User-Agent: Mozilla/4.0 (compatible; MSIE 5.00; Windows 98) Pragma: no-cache Cache-Control: no-cache Connection: close`
  - `GET /pc/powerword2016/PowerWord.800.3085.exe HTTP/1.1 Host: do****om Accept: */* Referer: http://download.iciba.com/pc/powerword2016 User-Agent: Mozilla/4.0 (compatible; MSIE 5.00; Windows 98) Pragma: no-cache Cache-Control: no-cache Connection: close`
  - `GET /unionpic/2345pic_lm_509188_v6.1.7268_silent.exe HTTP/1.1 Host: do****om Accept: */* Referer: http://download.2345.com/unionpic User-Agent: Mozilla/4.0 (compatible; MSIE 5.00; Windows 98) Pragma: no-cache Cache-Control: no-cache Connection: close`
  - `GET /wpad.dat HTTP/1.1 Accept: */* User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Win32; Trident/4.0) Host: **.133.40.**:128`
  - `GET / HTTP/1.1 Accept: */* Accept-Language: zh-cn Accept-Encoding: gzip, deflate User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Trident/4.0; .NET CLR 2.0.50727; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729; .NET4.0C; .NET4.0E; KB974489) Host: sh****.1 Connection: Keep-Alive`
  - `GET / HTTP/1.1 Accept: application/x-shockwave-flash, image/gif, image/jpeg, image/pjpeg, image/pjpeg, application/x-ms-application, application/x-ms-xbap, application/vnd.ms-xpsdocument, application/xaml+xml, application/msword, */* Accept-Language: zh-cn Accept-Encoding: gzip, deflate User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Trident/4.0; .NET CLR 2.0.50727; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729; .NET4.0C; .NET4.0E; KB974489) Host: ww****om Connection: Keep-Alive`
- Open an HTTP request
  - `HttpOpenRequestA: do****om:5120/gx/fzgx.txt, hConnect = 0x00cc0008, hRequest = 0x00cc000c, Verb: GET, Referer: , Flags = 0x80000000`
  - `HttpOpenRequestA: sh****.1:80/, hConnect = 0x00cc0008, hRequest = 0x00cc000c, Verb: GET, Referer: , Flags = 0x00400000`
  - `HttpOpenRequestA: **.133.40.**:128/wpad.dat, hConnect = 0x00cc0014, hRequest = 0x00cc0018, Verb: GET, Referer: , Flags = 0x00000010`
  - `HttpOpenRequestA: sh****.1:80/, hConnect = 0x00cc0008, hRequest = 0x00cc000c, Verb: GET, Referer: , Flags = 0x00400010`
  - `HttpOpenRequestA: ww****om:80/, hConnect = 0x00cc0010, hRequest = 0x00cc0014, Verb: GET, Referer: , Flags = 0x00400000`
- Resolve a host address by name
  - `GetAddrInfoW: do****om`
  - `gethostbyname: do****om`
  - `GetAddrInfoW: computer`
  - `GetAddrInfoW: wpad`
  - `GetAddrInfoW: sh****.1`
  - `GetAddrInfoW: ww****om`
Registry behaviors

- Modify registry
  - `\REGISTRY\USER\S-*\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\SavedLegacySettings`
  - `\REGISTRY\MACHINE\SOFTWARE\Microsoft\ESENT\Process\跑跑火神多功能辅助0515版\DEBUG\Trace Level`
- Delete registry value
  - `\REGISTRY\USER\S-*\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyServer`
  - `\REGISTRY\USER\S-*\Software\Microsoft\Windows\CurrentVersion\Internet Settings\AutoConfigURL`
  - `\REGISTRY\MACHINE\SOFTWARE\Microsoft\ESENT\Process\跑跑火神多功能辅助0515版\DEBUG\Trace Level`
Other behaviors

- Detect whether Virtual PC is present
  - N/A
- Create mutex
  - `CTF.LBES.MutexDefaultS-*`
  - `CTF.Compart.MutexDefaultS-*`
  - `CTF.Asm.MutexDefaultS-*`
  - `CTF.Layouts.MutexDefaultS-*`
  - `CTF.TMD.MutexDefaultS-*`
  - `CTF.TimListCache.FMPDefaultS-*MUTEX.DefaultS-*`
  - `RasPbFile`
  - `Local\ZonesCounterMutex`
  - `Local\ZoneAttributeCacheCounterMutex`
  - `Local\ZonesCacheCounterMutex`
  - `Local\ZonesLockedCacheCounterMutex`
  - `CritOpMutex`
  - `Local\!PrivacIE!SharedMemory!Mutex`
  - `MSCTF.Shared.MUTEX.ELH`
- Create event object
  - `EventName = DINPUTWINMM`
  - `EventName = Global\userenv: User Profile setup event`
  - `EventName = Global\crypt32LogoffEvent`
- Find a specified window
  - `NtUserFindWindowEx: [Class,Window] = [18467-41,]`
  - `NtUserFindWindowEx: [Class,Window] = [Shell_TrayWnd,]`
  - `NtUserFindWindowEx: [Class,Window] = [MS_AutodialMonitor,]`
  - `NtUserFindWindowEx: [Class,Window] = [MS_WebCheckMonitor,]`
- Attempt to open the driver device objects of a debugger or monitoring software
  - `\??\SICE`
  - `\??\SIWVID`
  - `\??\NTICE`
- Search for the kernel32.dll base address
  - `Instruction Address = 0x0057c8f8`
- Adjust process token privileges
  - `SE_LOAD_DRIVER_PRIVILEGE`
- Window information
  - `Pid = 912, Hwnd=0xe031e, Text = 请选择功能版本-点击我, ClassName = ComboBox.`
  - `Pid = 912, Hwnd=0x6034e, Text = 启动辅助, ClassName = Button.`
  - `Pid = 912, Hwnd=0x80326, Text = 卸载辅助, ClassName = Button.`
  - `Pid = 912, Hwnd=0x70338, Text = 问题反馈联系邮箱:kf@920hs.com, ClassName = Static.`
  - `Pid = 912, Hwnd=0xa0300, Text = 用于学习交流,如有侵权,请告知,我们立即删除, ClassName = Static.`
  - `Pid = 912, Hwnd=0x29031a, Text = 避免出现错误代码,使用辅助请务必关闭杀毒软件, ClassName = Static.`
  - `Pid = 912, Hwnd=0xa030a, Text = 百度输入法, ClassName = Button(CheckBox).`
  - `Pid = 912, Hwnd=0xb02d8, Text = 跑跑火神9.8v0515, ClassName = #32770.`
  - `Pid = 912, Hwnd=0x103c6, Text = 您想运行或保存此文件吗?, ClassName = Static.`
  - `Pid = 912, Hwnd=0x103ca, Text = 名称:, ClassName = Static.`
  - `Pid = 912, Hwnd=0x103cc, Text = update.exe, ClassName = SysLink.`
  - `Pid = 912, Hwnd=0x103ce, Text = 发行者:, ClassName = Static.`
  - `Pid = 912, Hwnd=0x103d2, Text = 类型:, ClassName = Static.`
  - `Pid = 912, Hwnd=0x103d4, Text = 应用程序, 358KB, ClassName = Static.`
  - `Pid = 912, Hwnd=0x103d6, Text = 从:, ClassName = Static.`
- Call the Sleep function
  - `[1]: MilliSeconds = 100.`
  - `[4]: MilliSeconds = 100.`
  - `[2]: MilliSeconds = 100.`
  - `[3]: MilliSeconds = 100.`
  - `[5]: MilliSeconds = 100.`
  - `[7]: MilliSeconds = 100.`
  - `[6]: MilliSeconds = 100.`
  - `[9]: MilliSeconds = 100.`
  - `[10]: MilliSeconds = 100.`
  - `[8]: MilliSeconds = 100.`
- Hide a specified window
  - `[Window,Class] = [,ComboLBox]`
  - `[Window,Class] = [,AtlAxWin]`
  - `[Window,Class] = [,SysLink]`
  - `[Window,Class] = [,Static]`
  - `[Window,Class] = [文件大小未知,Static]`
  - `[Window,Class] = [打开此类文件前总是询问(&W),Button]`
  - `[Window,Class] = [发行者:,Static]`
Activities

Activity name | Type
---|---
ji.qqqqqqqqq.wwwwwwwwwwww.eeeeeeeeee.JieMian | android.intent.category.DEFAULT
com.qihoo360.mobilesafe.StartActivity | android.intent.action.MAIN
com.qihoo360.mobilesafe.StartActivity | android.intent.category.LAUNCHER
ji.qqqqqqqqq.wwwwwwwwwwww.eeeeeeeeee.JM07 | android.intent.action.VIEW
ji.qqqqqqqqq.wwwwwwwwwwww.eeeeeeeeee.JM07 | android.intent.action.DELETE
ji.qqqqqqqqq.wwwwwwwwwwww.eeeeeeeeee.JM07 | android.intent.category.DEFAULT
Dangerous functions

Function name | Description
---|---
SmsManager;->sendMultipartTextMessage | Send MMS
ContentResolver;->query | Read databases such as contacts and SMS
ContentResolver;->delete | Delete SMS messages and contacts
ActivityManager;->restartPackage | Kill processes; can be used to shut down antivirus software
Startup methods

Name | Description
---|---
ji.qqqqqqqqq.wwwwwwwwwwww.eeeeeeeeee.JM04 | Start service when an SMS is received (SMS monitoring)
ji.qqqqqqqqq.wwwwwwwwwwww.eeeeeeeeee.JM04 |
ji.qqqqqqqqq.wwwwwwwwwwww.eeeeeeeeee.JM04 |
ji.qqqqqqqqq.wwwwwwwwwwww.eeeeeeeeee.JM04 |
ji.qqqqqqqqq.wwwwwwwwwwww.eeeeeeeeee.JM04 | Start service at boot
ji.qqqqqqqqq.wwwwwwwwwwww.eeeeeeeeee.JM04 | Start service on screen unlock
ji.qqqqqqqqq.wwwwwwwwwwww.eeeeeeeeee.JM03 | Start service when an SMS is received (SMS monitoring)
ji.qqqqqqqqq.wwwwwwwwwwww.eeeeeeeeee.JM03 |
ji.qqqqqqqqq.wwwwwwwwwwww.eeeeeeeeee.JM03 |
ji.qqqqqqqqq.wwwwwwwwwwww.eeeeeeeeee.JM06 |
Service list

Name
---
ji.qqqqqqqqq.wwwwwwwwwwww.eeeeeeeeee.JM01
File list

File name | Checksum
---|---
META-INF/MANIFEST.MF | 0x89af2c5e
META-INF/APKIDE.SF | 0x9351a966
META-INF/APKIDE.RSA | 0xc3f4aaf5
AndroidManifest.xml | 0x961bf990
classes.dex | 0x1d907a0d
res/drawable-mdpi/ic_launcher.png | 0xceb109b
res/layout/main.xml | 0xddcbbfb1
res/xml/xyz.xml | 0x5174a133
resources.arsc | 0x575c5523