VirSCAN

1, You can UPLOAD any files, but there is 20Mb limit per file.
2, VirSCAN supports Rar/Zip decompression, but it must be less than 20 files.
3, VirSCAN can scan compressed files protected with the password 'infected' or 'virus'.
4, If your browser cannot upload files, please download VirSCAN uploader to upload.



File information

Behavior list
Behavior analysis report: Habo file analysis

Basic Information

MD5: 81462495893ccce88ecfd6a49e88f9a7
File size: 5.58MB
Upload time: 2014-09-22 10:36:30 (CST)
Package name: com.sugen.ipcall
Minimum operating environment: Android 2.2.x
Copyright: sugen

Key behavior

Behavior description: Opens registry key (virtual machine detection)
details: \REGISTRY\USER\S-*\Software\VMware, Inc.
Behavior description: Writes data into another process
details: TargetProcess = C:\Documents and Settings\Administrator\Local Settings\%temp%\****.exe, WriteAddress = 0x00400000, Size = 0x00000400
TargetProcess = C:\Documents and Settings\Administrator\Local Settings\%temp%\****.exe, WriteAddress = 0x00401000, Size = 0x00010c00
TargetProcess = C:\Documents and Settings\Administrator\Local Settings\%temp%\****.exe, WriteAddress = 0x00412000, Size = 0x00000200
TargetProcess = C:\Documents and Settings\Administrator\Local Settings\%temp%\****.exe, WriteAddress = 0x7ffd5008, Size = 0x00000004
Behavior description: Gets TickCount value
details: TickCount = 5349688, SleepMilliseconds = 1.
Behavior description: Modifies another process's memory via memory mapping
details: TargetProcess = svchost.exe
Behavior description: Sets thread context
details: C:\Documents and Settings\Administrator\Local Settings\%temp%\****.exe

Process behavior

Behavior description: Creates process
details: ImagePath = C:\Documents and Settings\Administrator\Local Settings\%temp%\****.exe, CmdLine = "C:\Documents and Settings\Administrator\Local Settings\%temp%\****.exe"
ImagePath = C:\WINDOWS\system32\svchost.exe, CmdLine = svchost.exe
Behavior description: Creates local thread
details: TargetProcess: %temp%\****.exe, InheritedFromPID = 1944, ProcessID = 2040, ThreadID = 672, StartAddress = 4F4039E0, Parameter = 00000000
TargetProcess: svchost.exe, InheritedFromPID = 1400, ProcessID = 1552, ThreadID = 1140, StartAddress = 77DC845A, Parameter = 00000000
Behavior description: Writes data into another process
details: TargetProcess = C:\Documents and Settings\Administrator\Local Settings\%temp%\****.exe, WriteAddress = 0x00400000, Size = 0x00000400
TargetProcess = C:\Documents and Settings\Administrator\Local Settings\%temp%\****.exe, WriteAddress = 0x00401000, Size = 0x00010c00
TargetProcess = C:\Documents and Settings\Administrator\Local Settings\%temp%\****.exe, WriteAddress = 0x00412000, Size = 0x00000200
TargetProcess = C:\Documents and Settings\Administrator\Local Settings\%temp%\****.exe, WriteAddress = 0x7ffd5008, Size = 0x00000004
Behavior description: Sets thread context
details: C:\Documents and Settings\Administrator\Local Settings\%temp%\****.exe
Behavior description: Enumerates processes
details: N/A
Behavior description: Modifies another process's memory via memory mapping
details: TargetProcess = svchost.exe

File behavior

Behavior description: Creates file
details: C:\Documents and Settings\Administrator\Local Settings\Application Data\prntxcqd.exe
Behavior description: Creates executable file
details: C:\Documents and Settings\Administrator\Local Settings\Application Data\prntxcqd.exe
Behavior description: Modifies file content
details: C:\Documents and Settings\Administrator\Local Settings\Application Data\prntxcqd.exe ---> Offset = 0
Behavior description: Searches for file
details: FileName = C:\Documents and Settings\Administrator\Local Settings\Temp
FileName = C:\Documents and Settings\Administrator\Local Settings\%temp%
FileName = C:\Documents and Settings\Administrator\Local Settings\%temp%\****.exe
FileName = C:\WINDOWS
FileName = C:\WINDOWS\system32
FileName = C:\WINDOWS\system32\svchost.exe

Registry behavior

Behavior description: Opens registry key (virtual machine detection)
details: \REGISTRY\USER\S-*\Software\VMware, Inc.

Other behavior

Behavior description: Creates mutex
details: 2GVWNQJz1
CTF.LBES.MutexDefaultS-*
CTF.Compart.MutexDefaultS-*
CTF.Asm.MutexDefaultS-*
CTF.Layouts.MutexDefaultS-*
CTF.TMD.MutexDefaultS-*
CTF.TimListCache.FMPDefaultS-*MUTEX.DefaultS-*
Behavior description: Creates event object
details: EventName = Y2mNyaZ3
EventName = Global\crypt32LogoffEvent
Behavior description: Gets TickCount value
details: TickCount = 5349688, SleepMilliseconds = 1.
Behavior description: Opens event
details: HookSwitchHookEnabledEvent
Global\crypt32LogoffEvent
\SECURITY\LSA_AUTHENTICATION_INITIALIZED
Y2mNyaZ3
Behavior description: Executable file signature information
details: C:\Documents and Settings\Administrator\Local Settings\Application Data\prntxcqd.exe (signature verification: failed)
Behavior description: Executable file MD5
details: C:\Documents and Settings\Administrator\Local Settings\Application Data\prntxcqd.exe ---> 7ff0e957615d696249207e1b23b79430
Behavior description: Opens mutex
details: ShimCacheMutex

Activities

com.sugen.ipcall.ui.WelcomeActivity android.intent.action.MAIN
com.sugen.ipcall.ui.WelcomeActivity android.intent.category.LAUNCHER

Dangerous function

ContentResolver;->query reads contacts, SMS and other databases

Startup mode

com.sugen.ipcall.common.OutgoingCallReceiver

Permission list

android.permission.PROCESS_OUTGOING_CALLS monitors and modifies outgoing calls

File List

assets/phoneloc.dat
res/color/textview_color.xml
res/color/textview_color_under.xml
res/drawable/textview_color.xml
res/layout/about_view.xml
res/layout/activity_main.xml
res/layout/layout_welcome.xml
res/layout/popup_form.xml
res/menu/main.xml
AndroidManifest.xml
resources.arsc
res/drawable-hdpi/alert.png
res/drawable-hdpi/checkbox_checked.png
res/drawable-hdpi/checkbox_default.png
res/drawable-hdpi/custom_button.xml
res/drawable-hdpi/edit.png
res/drawable-hdpi/focused.png
res/drawable-hdpi/icon.png
res/drawable-hdpi/info.png
res/drawable-hdpi/loading.png
res/drawable-hdpi/logo.png
res/drawable-hdpi/nofocused.png
res/drawable-hdpi/top_bar_bg.png
res/drawable-ldpi/icon2.png
res/drawable-mdpi/ic_launcher.png
res/drawable-xhdpi/ic_launcher.png
res/drawable-xxhdpi/ic_launcher.png
classes.dex
lib/armeabi/libphoneloc-jni.so
META-INF/MANIFEST.MF
META-INF/CERT.SF
META-INF/CERT.RSA