Views: 4538 | Replies: 10

[Suspicious file] Daily sample

东方妖妖梦
Posted on 2016-4-20 04:47:18

Password: infected
Already reported to AVIRA LAB

欧阳宣
Posted on 2016-4-20 05:03:25
Norton miss
wjy19800315
Posted on 2016-4-20 07:26:51
WD had not detected it as of 07:26 this morning.

数字无名
Posted on 2016-4-20 08:22:32
This post was last edited by 数字无名 on 2016-4-20 16:50.

KFA miss
Habo analysis:

Basic information
File name: Jameco Electronics.doc
MD5: c72c5265060460edf72711fcce1a52f0
File type: Word
Upload time: 2016-04-20 16:48:47
Vendor: N/A
Version: N/A
Packer/compiler info: N/A
Sub-file info:
Data /  bc84edc06f3c06e4fefca1c6e0d3d391 /  Unknown
WordDocument /  04d13753e74420efb244071ea07c37e3 /  Unknown
1Table /  2fd958533ee31dabc335bec3a9d6436d /  zip
ThisDocument /  486bc611520717e56151411dd1c038c2 /  Unknown
_VBA_PROJECT /  77708c58fa9cc8587dfade999607f6bb /  Unknown
WAvINgcc /  03d6e36911bd50961af9f5990672e83e /  Unknown
uExJnunD /  51cf49b9e38dd1b08297bac099e062fb /  Unknown
QnFEjE /  0838ba822cd404a66c70ce9ce343600b /  Unknown
[5]SummaryInformation /  595f7e024e1a8eb720317b9deaa04536 /  Unknown
[5]DocumentSummaryInformation /  c5e76327413ab128b716ba4b7515f7dd /  Unknown
__SRP_0 /  1247b268e02cfce08eeab5ee6c728f2e /  Unknown
__SRP_2 /  7ee1169fd06f7848092ec8777a200176 /  Unknown
__SRP_3 /  aa684a72bfd5edad86c66bf0f7acfa5d /  Unknown
o /  3fe0d6ab0f3b42c6ccfa8ac2065e8bdb /  Unknown
LTZERnOQeJWJH /  2aac6a1951f25e1deeab4759ed0b8a79 /  Unknown
mSKXHNusxP /  97d9c9c8e04fd56e0c17c72ac6978845 /  Unknown
cxolzW /  0df0e14ce9353643f324b01abbf23081 /  Unknown
dir /  fba5c1a93af9add08f1bde8e7eb78cc9 /  Unknown
f /  42645aea6e9b7785f87bc53b2b6f1bce /  Unknown
Key behaviors
Behavior: Checks whether it is being debugged
Details:
N/A
Behavior: Captures foreground window screenshot info
Details:
Foreground window Info: HWND = 0x00000000, DC = 0x1601089f.
File behaviors
Behavior: Creates files
Details:
C:\Users\Administrator\AppData\Local\Temp\~DF2BEF4ACCD4964334.TMP
C:\Users\Administrator\AppData\Roaming\Microsoft\Templates\~$Normal.dot
C:\Users\Administrator\AppData\Local\Temp\~DF7F024AFF2A76AFF5.TMP
C:\Users\Administrator\AppData\Local\%temp%\1461098693.792367.doc
C:\Users\Administrator\AppData\Local\Temp\~WRF0000.tmp
C:\Users\Administrator\AppData\Local\Temp\~DFD75B495CFB9A0065.TMP
C:\Users\Administrator\AppData\Local\Temp\VBE\MSForms.exd
C:\Users\Administrator\AppData\Roaming\Microsoft\Forms\WINWORD.box
C:\Users\Administrator\AppData\Local\Temp\~DFE26CB27B542A6AFF.TMP
C:\Users\Administrator\AppData\Local\Temp\~DF2F034893696073A5.TMP
C:\Users\Administrator\AppData\Roaming\Microsoft\Office\Recent\b70c.LNK
C:\Users\Administrator\AppData\Roaming\Microsoft\Office\Recent\EB93A6.LNK
C:\Users\Administrator\AppData\Local\GDIPFONTCACHEV1.DAT
C:\Users\Administrator\AppData\Roaming\Microsoft\Proof\CUSTOM.DIC
C:\Users\Administrator\AppData\Roaming\Microsoft\Proof\~$CUSTOM.DIC
Behavior: Overwrites existing files
Details:
C:\Users\Administrator\AppData\Roaming\Microsoft\Office\Word11.pip
Behavior: Copies files
Details:
C:\PROGRA~2\MICROS~1\OFFICE\DATA\OPA11.BAK ---> C:\PROGRA~2\MICROS~1\OFFICE\DATA\opa11.dat
Behavior: Deletes files
Details:
C:\Users\Administrator\AppData\Local\Temp\~DF2BEF4ACCD4964334.TMP
C:\Users\Administrator\AppData\Local\Temp\~DF7F024AFF2A76AFF5.TMP
C:\Users\Administrator\AppData\Local\Temp\~DFD75B495CFB9A0065.TMP
C:\Users\Administrator\AppData\Roaming\Microsoft\Forms\WINWORD.box
C:\Users\Administrator\AppData\Local\Temp\~DF2F034893696073A5.TMP
C:\Users\Administrator\AppData\Roaming\Microsoft\Proof\~$CUSTOM.DIC
C:\Users\Administrator\AppData\Roaming\Microsoft\Proof\CUSTOM.DIC
C:\Users\Administrator\AppData\Local\Temp\~DFE26CB27B542A6AFF.TMP
C:\Users\Administrator\AppData\Local\%temp%\1461098693.830001.doc
C:\Users\Administrator\AppData\Roaming\Microsoft\Templates\~$Normal.dot
C:\Users\Administrator\AppData\Local\Temp\~WRF0000.tmp
Behavior: Renames files
Details:
C:\Users\Administrator\AppData\Roaming\Microsoft\Proof\~WRI0001 ---> C:\Users\Administrator\AppData\Roaming\Microsoft\Proof\CUSTOM.DIC
Behavior: Modifies file contents
Details:
C:\Users\Administrator\AppData\Roaming\Microsoft\Templates\~$Normal.dot ---> Offset = 0
C:\Users\Administrator\AppData\Roaming\Microsoft\Templates\~$Normal.dot ---> Offset = 54
C:\Users\Administrator\AppData\Local\%temp%\1461098693.820904.doc ---> Offset = 0
C:\Users\Administrator\AppData\Local\%temp%\1461098693.821228.doc ---> Offset = 54
C:\Users\Administrator\AppData\Local\Temp\VBE\MSForms.exd ---> Offset = 0
C:\Users\Administrator\AppData\Local\Temp\VBE\MSForms.exd ---> Offset = 4
C:\Users\Administrator\AppData\Local\Temp\VBE\MSForms.exd ---> Offset = 8
C:\Users\Administrator\AppData\Local\Temp\VBE\MSForms.exd ---> Offset = 12
C:\Users\Administrator\AppData\Local\Temp\VBE\MSForms.exd ---> Offset = 16
C:\Users\Administrator\AppData\Roaming\Microsoft\Office\Recent\b70c.LNK ---> Offset = 0
C:\Users\Administrator\AppData\Roaming\Microsoft\Office\Recent\index.dat ---> Offset = 28
C:\Users\Administrator\AppData\Roaming\Microsoft\Office\Recent\EB93A6.LNK ---> Offset = 0
C:\Users\Administrator\AppData\Local\%temp%\1461098693.823838.doc ---> Offset = 0
C:\Users\Administrator\AppData\Roaming\Microsoft\Proof\~$CUSTOM.DIC ---> Offset = 0
C:\Users\Administrator\AppData\Roaming\Microsoft\Proof\~$CUSTOM.DIC ---> Offset = 54
Registry behaviors
Behavior: Modifies the registry
Details:
\REGISTRY\USER\S-*\Software\Microsoft\Office\11.0\Word\Resiliency\StartupItems\ki
\REGISTRY\USER\S-*\Software\Microsoft\Office\11.0\Word\MTTT
\REGISTRY\USER\S-*\Software\Microsoft\Office\11.0\Word\Resiliency\StartupItems\yj
\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\4080110900063D11C8EF10054038389C\Usage\WORDFiles
\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\4080110900063D11C8EF10054038389C\Usage\ProductFiles
\REGISTRY\USER\S-*\Software\Microsoft\Office\11.0\Word\Resiliency\StartupItems\1k
\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\4080110900063D11C8EF10054038389C\Usage\VBAFiles
\REGISTRY\USER\S-*\Software\Microsoft\Office\11.0\Common\ReviewCycle\ReviewToken
\REGISTRY\USER\S-*\Software\Microsoft\Office\11.0\Word\Resiliency\DocumentRecovery\26CDA\26CDA
\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{2080F232-A413-4CB3-82EE-7D4927004BF5}\2.0\
\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{2080F232-A413-4CB3-82EE-7D4927004BF5}\2.0\FLAGS\
\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{2080F232-A413-4CB3-82EE-7D4927004BF5}\2.0\0\win32\
\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{2080F232-A413-4CB3-82EE-7D4927004BF5}\2.0\HELPDIR\
\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{BEF6E003-A874-101A-8BBA-00AA00300CAB}\
\REGISTRY\USER\S-*\Software\Microsoft\GDIPlus\FontCachePath
Behavior: Deletes registry values
Details:
\REGISTRY\USER\S-*\Software\Microsoft\Office\11.0\Word\Resiliency\StartupItems\yj
\REGISTRY\USER\S-*\Software\Microsoft\Office\11.0\Word\Resiliency\StartupItems\1k
\REGISTRY\USER\S-*\Software\Microsoft\Office\11.0\Word\Resiliency\StartupItems\ki
\REGISTRY\USER\S-*\Software\Microsoft\Office\11.0\Word\Resiliency\DocumentRecovery\26CDA\26CDA
\REGISTRY\USER\S-*\Software\Microsoft\Office\Common\Assistant\CurrAsstState
\REGISTRY\USER\S-*\Software\Microsoft\Office\11.0\Word\MTTT
Behavior: Deletes registry keys
Details:
\REGISTRY\USER\S-*\Software\Microsoft\Office\11.0\Word\Resiliency\StartupItems\
\REGISTRY\USER\S-*\Software\Microsoft\Office\11.0\Word\Resiliency\DocumentRecovery\26CDA\
\REGISTRY\USER\S-*\Software\Microsoft\Office\11.0\Word\Resiliency\DocumentRecovery\
\REGISTRY\USER\S-*\Software\Microsoft\Office\11.0\Word\Resiliency\
Other behaviors
Behavior: Checks whether it is being debugged
Details:
N/A
Behavior: Creates mutexes
Details:
Local\Mutex_MSOSharedMem
Local\Mso97SharedDg19211105606Mutex
Local\Mso97SharedDg20321105606Mutex
Global\MTX_MSO_Formal1_S-*
Global\MTX_MSO_AdHoc1_S-*
Local\Mso97SharedDg19521105606Mutex
Local\Mso97SharedDg19531105606Mutex
Local\Mso97SharedDg19541105606Mutex
Skd5yLHImeSCMutextCfgPersist_H_S-*
Local\Mso97SharedDg19551105606Mutex
OfficeAssistantStateMutex
KYIMEShareCachedData.MutexObject.Administrator
KYTransactionServer.MutexObject.Administrator
Local\SqmSysTray
DBWinMutex
Behavior: Hides specified windows
Details:
[Window,Class] = [,_WwB]
[Window,Class] = [,ComboLBox]
[Window,Class] = [iFazWZfOQHJ,ThunderDFrame]
[Window,Class] = [,DesignerWindow]
[Window,Class] = [UserForm1,ThunderDFrame]
[Window,Class] = [,Edit]
[Window,Class] = [,Button]
Behavior: Searches for specified windows
Details:
NtUserFindWindowEx: [Class,Window] = [MSOBALLOON,]
NtUserFindWindowEx: [Class,Window] = [MsoHelp10,]
NtUserFindWindowEx: [Class,Window] = [AgentAnim,]
NtUserFindWindowEx: [Class,Window] = [CicLoaderWndClass,]
NtUserFindWindowEx: [Class,Window] = [Shell_TrayWnd,]
NtUserFindWindowEx: [Class,Window] = [MsoHelp11,]
Behavior: Window information
Details:
Pid = 2520, Hwnd=0x11016e, Text = MsoDockTop, ClassName = MsoCommandBarDock.
Behavior: Captures foreground window screenshot info
Details:
Foreground window Info: HWND = 0x00000000, DC = 0x1601089f.
Behavior: Creates event objects
Details:
EventName = OleDfRootCD12207E9FB6BA18
EventName = OleDfRoot1C6F4F599CEE5F78
EventName = OleDfRoot768C87A8AC4B170A
EventName = OleDfRootB0E25A5670E1D1D2
轩夏
Posted on 2016-4-20 09:15:27
ESET miss
狐狸糊涂
Posted on 2016-4-20 09:24:40
BD shows it as safe.

cfhdrty
Posted on 2016-4-20 09:46:05
ESS miss; 数字 detects it.
pal家族
Posted on 2016-4-20 13:14:50
Kaspersky
Scan result        File is infected
Found threats        HEUR:Trojan-Downloader.Script.Generic
File size        130.50KB
File type        OLE2/DOCUMENT
Date of scan        2016-04-20 13:14:01
Bases release date        2016-04-20 05:11:14 UTC
MD5        c72c5265060460edf72711fcce1a52f0
SHA1        047a726b04596db619258da90b4face86003aca2
SHA256        6e683b692360b3e333b57cf77429a23b0915e8dd4d1d20fed90e275918d23ae2
数字无名
Posted on 2016-4-20 17:00:13
pal家族 posted on 2016-4-20 13:14:
Kaspersky
Scan result        File is infected
Found threats        HEUR:Trojan-Downloader.Script.Generic

Why didn't my Kaspersky detect it?
pal家族
Posted on 2016-4-20 17:59:31
数字无名 posted on 2016-4-20 17:00:
Why didn't my Kaspersky detect it?

It's not that it won't detect it; the time just hasn't come yet.