It drops a large number of adware programs, replaces the Chrome and Firefox browsers, and some of the dropped components are flagged by 360.
After downloading, run and analyze it only inside a virtual machine; do not run it directly!
[Source: jiwo.org]
The program is packed, but the packer could not be identified on a first pass; the scan output is as follows:
File Type : 32-Bit Exe (Subsystem : Win GUI / 2), Size : 721880 (0B03D8h) Byte(s) | Machine: 0x14C (I386)
Compilation TimeStamp : 0x59D8CCD9 -> Sat 07th Oct 2017 12:47:21 (GMT)
[TimeStamp] 0x59D8CCD9 -> Sat 07th Oct 2017 12:47:21 (GMT) | PE Header | - | Offset: 0x000000F8 | VA: 0x004000F8 | -
-> File Appears to be Digitally Signed @ Offset 0AF000h, size : 013D8h / 05080 byte(s)
[File Heuristics] -> Flag #1 : 00000000000000001000000000000100 (0x00008004)
[Entrypoint Section Entropy] : 7.95 (section #0) ".text " | Size : 0xA0A4D (657997) byte(s)
[DllCharacteristics] -> Flag : (0x0000) -> NONE
[SectionCount] 5 (0x5) | ImageSize 0x101000 (1052672) byte(s)
[VersionInfo] Company Name : Astra
[VersionInfo] Product Name : White
[VersionInfo] Product Version : 16.0.26431.15
[VersionInfo] File Version : 16.0.26431.15
[ModuleReport] [IAT] Modules -> VERSION.dll | SETUPAPI.dll | WININET.dll | KERNEL32.dll | USER32.dll | GDI32.dll | ADVAPI32.dll | OLEAUT32.dll | SHLWAPI.dll
[!] File appears to have no protection or is using an unknown protection
- Scan Took : 0.219 Second(s) [0000000DBh (219) tick(s)] [506 of 580 scan(s) done]
Some readable strings are as follows:
Greater Manchester1
Salford1
COMODO CA Limited1#0!
COMODO RSA Code Signing CA0
170921000000Z
180616235959Z0w1
6640471
Irkutsk1!0
proezd Trudovoi 40 pom 61
LOG,OOO1
LOG,OOO0
https://secure.comodo.net/CPS0C
2http://crl.comodoca.com/COMODORSACodeSigningCA.crl0t
2http://crt.comodoca.com/COMODORSACodeSigningCA.crt0$
http://ocsp.comodoca.com0
Greater Manchester1
Salford1
COMODO CA Limited1+0)
"COMODO RSA Certification Authority0
130509000000Z
280508235959Z0}1
Greater Manchester1
Salford1
COMODO CA Limited1#0!
COMODO RSA Code Signing CA0
;http://crl.comodoca.com/COMODORSACertificationAuthority.crl0q
/http://crt.comodoca.com/COMODORSAAddTrustCA.crt0$
http://ocsp.comodoca.com0
Greater Manchester1
Salford1
COMODO CA Limited1+0)
"COMODO RSA Certification Authority0
100119000000Z
380118235959Z0
Greater Manchester1
Salford1
COMODO CA Limited1+0)
"COMODO RSA Certification Authority0
Greater Manchester1
Salford1
COMODO CA Limited1#0!
COMODO RSA Code Signing CA
171007124840Z0
Resource downloader0