Taiwan Malware Analysis Net, TWMAN - Analysis Report
Taiwan Malware Analysis Net (臺灣惡意程式分析網, 抬丸郎) - Analysis Report. Last Update : 2010-06-19

http://twman.sourceforge.net

>> Summary report for 0f488fd5cfa94d0ad0bd376034d286af created at Mon Aug 16 08:23:30 CST 2010 <<

>> Host file changes <<

>> Registry Run Key changes <<

>> Registry Service Key changes <<

>> ssdeep info ( Fuzzy Hashing ) <<
768:sSOPZU3/dNGEas1yDrv2GPmiuzJ0RUUd1F56GFpIEppYRaqzaUQIlPVIcPWRrOYd:GbzPeOLT6daqzaEecPWR7hIQBErsr, "0f488fd5cfa94d0ad0bd376034d286af"

>> Network connection log <<

IP 192.168.0.110.57982 > 168.95.1.1.53: UDP, length 34
IP 168.95.1.1.53 > 192.168.0.110.57982: UDP, length 473
IP 192.168.0.110.123 > 207.46.197.32.123: UDP, length 48
IP 192.168.0.110.123 > 207.46.197.32.123: UDP, length 48
IP 192.168.0.110.61649 > 168.95.1.1.53: UDP, length 35
IP 168.95.1.1.53 > 192.168.0.110.61649: UDP, length 437
IP 192.168.0.110.1034 > 203.69.113.26.80: tcp 0
IP 203.69.113.26.80 > 192.168.0.110.1034: tcp 0
IP 192.168.0.110.1034 > 203.69.113.26.80: tcp 0
IP 192.168.0.110.1034 > 203.69.113.26.80: tcp 204
IP 203.69.113.26.80 > 192.168.0.110.1034: tcp 0
IP 203.69.113.26.80 > 192.168.0.110.1034: tcp 983
IP 192.168.0.110.1034 > 203.69.113.26.80: tcp 0
IP 192.168.0.110.1034 > 203.69.113.26.80: tcp 0

>> NPASCAN - National Police Agency malware detection tool <<
-==<<警政署惡意程式偵測工具 NPASCAN v1.7 >>==-
Current User : TWMAN-SINGLE-01\Administrator
Current IP : 192.168.0.110
Start Time : 20 April 2010 18:51:23
------------------Start Scan-----------------------
掃瞄完成!!未偵測到相關惡意程式!
-------------------End Scan------------------------

>> CWSandBox VirusScan Report <<
VSCAN Version:3.2.1861.2 (Feb 22 2009 19:30:04);run at:: Apr 20 10:54:01 2010
defs version: 5444 (2009-10-12T17:47:12)
command line: c:\SBScanV3\vscan /l c:\virus.txt /def c:\SBDefsV3 C:\WINDOWS\system32\sandnet.exe
[ 15], No threat , , , ,C:\WINDOWS\system32\sandnet.exe
1 objects processed in 0 secs, 0 fps
0 threats detected, 0 suspicious files

>> Advanced Intrusion Detection Environment - file change detection <<

Start timestamp: 2010-04-20 19:02:15

Summary:
Total number of files: 29933
Added files: 20
Removed files: 0
Changed files: 19

---------------------------------------------------
Added files:
---------------------------------------------------

added: /mnt/images/Documents and Settings/Administrator/twman.cgi@res=startfauxserver.2
added: /mnt/images/Documents and Settings/Administrator/wget-log.5
added: /mnt/images/Documents and Settings/Administrator/wget-log.6
added: /mnt/images/Program Files/Alcohol Soft/Alcohol 120/StarWind/logs/sw_ae-20100420-184859.log
added: /mnt/images/System Volume Information/_restore{399113A8-6E6F-4DCA-A398-D03564F81D09}/RP24/A0003605.ini
added: /mnt/images/System Volume Information/_restore{399113A8-6E6F-4DCA-A398-D03564F81D09}/RP24/A0003606.ini
added: /mnt/images/System Volume Information/_restore{399113A8-6E6F-4DCA-A398-D03564F81D09}/RP24/A0003607.ini
added: /mnt/images/System Volume Information/_restore{399113A8-6E6F-4DCA-A398-D03564F81D09}/RP24/A0003608.exe
added: /mnt/images/System Volume Information/_restore{399113A8-6E6F-4DCA-A398-D03564F81D09}/RP24/A0003609.ini
added: /mnt/images/System Volume Information/_restore{399113A8-6E6F-4DCA-A398-D03564F81D09}/RP24/A0003610.ini
added: /mnt/images/System Volume Information/_restore{399113A8-6E6F-4DCA-A398-D03564F81D09}/RP24/A0003611.ini
added: /mnt/images/System Volume Information/_restore{399113A8-6E6F-4DCA-A398-D03564F81D09}/RP24/change.log.6
added: /mnt/images/WINDOWS/Prefetch/VSCAN.EXE-078A4CD1.pf
added: /mnt/images/WINDOWS/Prefetch/CONVERTZ.EXE-0824DEF1.pf
added: /mnt/images/WINDOWS/Prefetch/DD.EXE-065AC9AE.pf
added: /mnt/images/WINDOWS/Prefetch/SHUTDOWN.EXE-12DAD820.pf
added: /mnt/images/memdump.img
added: /mnt/images/NPASCAN.txt
added: /mnt/images/ok.txt
added: /mnt/images/virus.txt

---------------------------------------------------
Changed files:
---------------------------------------------------

changed: /mnt/images/Documents and Settings/Administrator/Local Settings/Temp/AdobeARM.log
changed: /mnt/images/Documents and Settings/Administrator/Local Settings/Temp/jusched.log
changed: /mnt/images/System Volume Information/_restore{399113A8-6E6F-4DCA-A398-D03564F81D09}/RP24/change.log
changed: /mnt/images/WINDOWS/Prefetch/NOTEPAD.EXE-336351A9.pf
changed: /mnt/images/WINDOWS/Prefetch/NPASCAN.EXE-1F4DCEFB.pf
changed: /mnt/images/WINDOWS/Prefetch/WGET.EXE-37D5C025.pf
changed: /mnt/images/WINDOWS/Prefetch/WMIADAP.EXE-2DF425B2.pf
changed: /mnt/images/WINDOWS/Prefetch/WMIPRVSE.EXE-28F301A9.pf
changed: /mnt/images/WINDOWS/Prefetch/NTOSBOOT-B00DFAAD.pf
changed: /mnt/images/WINDOWS/system32/wbem/Logs/FrameWork.log
changed: /mnt/images/WINDOWS/system32/wbem/Logs/wbemcore.log
changed: /mnt/images/WINDOWS/system32/wbem/Logs/wbemess.log
changed: /mnt/images/WINDOWS/system32/wbem/Logs/wmiprov.log
changed: /mnt/images/WINDOWS/system32/prfh0404.dat
changed: /mnt/images/WINDOWS/system32/sandnet.exe
changed: /mnt/images/WINDOWS/system32/CatRoot2/dberr.txt
changed: /mnt/images/WINDOWS/system32/prfc0404.dat
changed: /mnt/images/WINDOWS/WindowsUpdate.log
changed: /mnt/images/WINDOWS/Debug/UserMode/userenv.log

---------------------------------------------------------
Taiwan Malware Analysis Net (臺灣惡意程式分析網, 抬丸郎) - Analysis Report, 2010-04-19 edition
Core By Truman 0.1, Modified By TonTon ( TonTon@nchc.org.tw )

National Center for High-performance Computing, National Applied Research Laboratories - TaiWan Malware Analysis Net ( 臺灣惡意程式分析網 ) - TWMAN ( 抬丸郎 )
Core By Truman 0.1 | Developed By TonTon ( Mail : TonTon@nchc.narl.org.tw ) | Design by IDN-Mei & Temaki
Last Update : 2010/12/14