Assiste.com - Sécurité informatique - Vie privée sur le Web - Neutralité d'Internet

cr  01.04.2012      r+  01.06.2024      r-  15.07.2024      Pierre Pinard.         (Alertes et avis de sécurité au jour le jour)

ThreatExpert - Sandbox gratuite en ligne

Qualité du service : 1,5/5

Sandbox Online (Behaviourial information - Informations comportementales)

Conseil : ouvrir un compte (lien "Register", en haut à droite). Il est ensuite beaucoup plus facile d'utiliser ThreatExpert, dont retrouver tous ses propres résultats d'analyses, depuis le tout premier, il y a des années, jusqu'au dernier (Onglet ThreatExpert reportsThreatExpert Sandbox gratuite en ligne Browse/Search My Reports). La possibilité de soumettre un échantillon sans ouvrir de compte se trouve à https://www.threatexpert.com/filescan.aspx.

ThreatExpert permet une analyse comportementale (Sandboxing) d'un fichier dont la taille ne doit pas dépasser 5 MO (cette limitation est très pénalisante).

Les résultats de l'analyse (le rapport) ne sont pas aussi complets, loin s'en faut, que ceux de sandboxes comme Joe Sandbox File Analyzer ou Hybrid Analysis ou malwr Sandbox, mais ThreatExpert est très facile à utiliser.

Possibilité de télécharger et installer une applet Java pour soumettre directement un fichier à ThreatExpert, sans passer par un navigateur Internet :
https://www.threatexpert.com/submissionapplet.aspx

Au bout de 10 à 20 minutes (selon la charge du serveur et l'échantillon à analyser), un courrier entrant vous donne le lien vers le résultat d'analyse.

Un outil de recherche intéressant de ThreatExpert : Online Side-Effect Scanner. Si vous notez, dans votre ordinateur, quelque chose d'inconnu (une clé du Registre Windows inexplicable, un CLSID, un nom de fichier qui ne vous dit rien, une URL inconnue, etc. ...) saisissez la dans ce formulaire et ThreatExpert balaiera sa base de données pour vous dire s'il l'a déjà rencontrée et dans quelles circonstances.

ThreatExpert semble à l'abandon depuis son rachat par Symantec le 18.08.2008 et pédale dans le vide.

Notes :

  • ThreatExpert était, à l'origine, un service de la société PC Tools, fondée en 2003 (site WinGuides.com) et rachetée le 18.08.2008 par Symantec (Norton).
  • Les copyrights de ThreatExpert sont de 2008 et un outil (Memory Scanner) est en version beta depuis le 01.03.2008.
  • Le plus récent message dans leur blog est daté du 14.10.2010.
  • La base de données des échantillons malicieux découverts par ThreatExpert est de 1670 échantillons alors que, depuis le temps (depuis 2003), elle devrait être de plusieurs millions d'échantillons. Les noms des échantillons correspondent à des malveillances antédiluviennes.
  • ThreatExpert semble à l'abandon depuis son rachat par Symantec le 18.08.2008 et pédale dans le vide.




Exemple de rapport (ici, PCCleaner.exe, un inutilitaire - Analyse VirusTotal)

Submission Summary:

  • Submission details:
    • Submission received: 4 March 2016, 07:55:09
    • Processing time: 8 min 18 sec
    • Submitted sample:
      • File MD5: 0x9E02E9BC593BF6754C59F08BF69591D2
      • File SHA-1: 0x00207DAC5DEC3CB7C3DFEB4716A207CB52E41E7D
      • Filesize: 2 035 144 bytes
  • Summary of the findings:
What's been foundSeverity Level
Capability to send out email message(s) with the built-in SMTP client engine.ThreatExpert
Downloads/requests other files from Internet.ThreatExpert
Creates a startup registry entry.ThreatExpert

Technical Details:

ThreatExpertFile System Modifications
  • The following files were created in the system:
#Filename(s)File SizeFile HashAlias
1%CommonPrograms%\PC Cleaner\Check updates.lnk741 bytesMD5: 0xAD5D4B00032BC7CE601F882D0F594FB0 SHA-1: 0x9D1B69E41E91D4EC89641B16315662C8561678A7(not available)
2%CommonPrograms%\PC Cleaner\Help.lnk713 bytesMD5: 0x82539496997414FAFA602A43C587D795 SHA-1: 0x33A4DC15C7204FF0D61A126EDAA0D8C20C5E774B(not available)
3%CommonPrograms%\PC Cleaner\PC Cleaner on the Web.lnk708 bytesMD5: 0x731C04B784EEA168EB68CC1BB88EFE31 SHA-1: 0x6CCEF038FE04D3C13CE74AF18E98689C3B068E02(not available)
4%CommonPrograms%\PC Cleaner\PC Cleaner.lnk713 bytesMD5: 0xCB7FA909D231BC88F5C16E367C6A5389 SHA-1: 0x01EF6A614CDBA81886A2766803E1F881D0434C6E(not available)
5%CommonPrograms%\PC Cleaner\Uninstall PC Cleaner.lnk708 bytesMD5: 0x068EE266E67A1B159A1034AEDB8CECA0 SHA-1: 0xF1172E9FF86FBE4AF63D742E7E452BFC31BE4ECC(not available)
6%DesktopDir%\PC Cleaner.lnk701 bytesMD5: 0x8068F388E8D55D5F419089E184ADE2E4 SHA-1: 0xBDEB95D2C249964F51CAF0CE16F4BD4D4CDC621B(not available)
7%ProgramFiles%\PC Cleaner\Animation.gif16 555 bytesMD5: 0x5318090C04B824B1712494A2A69030FF SHA-1: 0x9952069B25B2A9B4C45D018DB4A78EC4E9FCF0C0(not available)
8%ProgramFiles%\PC Cleaner\CookiesException.txt712 bytesMD5: 0xADF1E0B95E3F048A59B91541C0528D03 SHA-1: 0x1E740571514584DC69BD60D14D419419D070A5FE(not available)
9%ProgramFiles%\PC Cleaner\English.ini30 183 bytesMD5: 0x51126ABD45170E80950FBC2DF893A42F SHA-1: 0xD86C649FD33FAE98DE845F0E93211FF344902329(not available)
10%ProgramFiles%\PC Cleaner\file_id.diz890 bytesMD5: 0x81EA40CD7521BDA4848C8014D8638A49 SHA-1: 0x5154413BEF2D29CF3D0E3F4738440D82768C4DAD(not available)
11%ProgramFiles%\PC Cleaner\French.ini36 257 bytesMD5: 0x49749A3A498AE831E72B9C7E3BD898FE SHA-1: 0x21B9A1F773C974347926CA19214B720236525F1D(not available)
12%ProgramFiles%\PC Cleaner\German.ini35 629 bytesMD5: 0xABBA4C7C708E354F5AAAFE5ED38A816E SHA-1: 0x889D4284ADE54FF4E0379D94F6B5F33AD9E13E21(not available)
13%ProgramFiles%\PC Cleaner\HomePage.url51 bytesMD5: 0x37BD10AD97861B52EE123C10508BFAA7 SHA-1: 0xA212EF6E1C334DB7CCA1D17DA020C0BF0B8B09C4(not available)
14%ProgramFiles%\PC Cleaner\PCCleaner.chm35 960 bytesMD5: 0xEC66EAE61939CE51FB9830996150DB0A SHA-1: 0xCF672C8B447A33B4633A63B5FB5332ACF934676C(not available)
15%ProgramFiles%\PC Cleaner\PCCleaner.exe0 bytesMD5: 0xD41D8CD98F00B204E9800998ECF8427E SHA-1: 0xDA39A3EE5E6B4B0D3255BFEF95601890AFD80709(not available)
16%ProgramFiles%\PC Cleaner\PCCSchedule.exe1 668 360 bytesMD5: 0xDF1AE67BF8CFF8B3FD09462C68FB51D5 SHA-1: 0xB582FDCCDE95147B791A283666974A9E0FC76501(not available)
17%ProgramFiles%\PC Cleaner\PCCUninstaller.exe246 024 bytesMD5: 0xC87156C22180B6C4E89DDDFDEEE240F9 SHA-1: 0xD8B647AB32CDB665C3207D4234AE2D2046E4B5F4Worm.Win32.Antinny [Ikarus]
18%ProgramFiles%\PC Cleaner\Spanish.ini35 845 bytesMD5: 0x05EE11DECA3A18C9BB363D46909B9A38 SHA-1: 0x5C4CD7304FBA988F0CECE1534833CC7BC3EBE8DB(not available)
19%ProgramFiles%\PC Cleaner\sqlite3.dll520 234 bytesMD5: 0x0F66E8E2340569FB17E774DAC2010E31 SHA-1: 0x406BB6854E7384FF77C0B847BF2F24F3315874A3(not available)
20%ProgramFiles%\PC Cleaner\StartupList.txt83 501 bytesMD5: 0x90912E30318806838ACD72812A782EE9 SHA-1: 0x7D166DDD2821C6B7E7EB16729D1ED6596390A863(not available)
21%ProgramFiles%\PC Cleaner\unins000.dat9 232 bytesMD5: 0x7771777A630AFFCF27E5D84EAFAE35B2 SHA-1: 0x4D85C1268375706AF1A7D44147B237BD94F26F3E(not available)
22%ProgramFiles%\PC Cleaner\unins000.exe717 985 bytesMD5: 0x951760F9B54C03BEDDC7D312083FBE89 SHA-1: 0x9494B58504393DF1F2FED47AE7E053D2ECBA3342(not available)
23[file and pathname of the sample #1]2 035 144 bytesMD5: 0x9E02E9BC593BF6754C59F08BF69591D2 SHA-1: 0x00207DAC5DEC3CB7C3DFEB4716A207CB52E41E7D(not available)
  • Notes:
    • %CommonPrograms% is a variable that refers to the file system directory that contains the directories for the common program groups that appear on the Start menu for all users. A typical path is C:\Documents and Settings\All Users\Start Menu\Programs (Windows NT/2000/XP).
    • %DesktopDir% is a variable that refers to the file system directory used to physically store file objects on the desktop. A typical path is C:\Documents and Settings\[UserName]\Desktop.
    • %ProgramFiles% is a variable that refers to the Program Files folder. A typical path is C:\Program Files.
  • The following directories were created:
    • %CommonPrograms%\PC Cleaner
    • %AppData%\PC Cleaner
    • %AppData%\PC Cleaner\Backup
    • %AppData%\PC Cleaner\Log
    • %AppData%\PC Cleaner\Undo
    • %ProgramFiles%\PC Cleaner
  • Notes:
    • %AppData% is a variable that refers to the file system directory that serves as a common repository for application-specific data. A typical path is C:\Documents and Settings\[UserName]\Application Data.

ThreatExpertMemory Modifications
  • There were new processes created in the system:
Process NameProcess FilenameMain Module Size
[filename of the sample #1][file and pathname of the sample #1]81 920 bytes
pccuninstaller.exe%ProgramFiles%\pc cleaner\pccuninstaller.exe266 240 bytes
[filename of the sample #1 without extension].tmp%Temp%\is-CSBBH.tmp\[filename of the sample #1 without extension].tmp770 048 bytes
PCCleaner.exe%ProgramFiles%\PC Cleaner\PCCleaner.exe20 058 112 bytes
  • Notes:
    • %Temp% is a variable that refers to the temporary folder in the short path form. By default, this is C:\Documents and Settings\[UserName]\Local Settings\Temp\ (Windows NT/2000/XP).

ThreatExpertRegistry Modifications
  • The following Registry Keys were created:
    • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\PC Cleaner_is1
    • HKEY_CURRENT_USER\Software\PC Cleaner
  • The newly created Registry Values are:
    • [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\PC Cleaner_is1]
      • Inno Setup: Setup Version = "5.5.3 (a)"
      • Inno Setup: App Path = "%ProgramFiles%\PC Cleaner"
      • InstallLocation = "%ProgramFiles%\PC Cleaner\"
      • Inno Setup: Icon Group = "PC Cleaner"
      • Inno Setup: User = "%UserName%"
      • Inno Setup: Selected Tasks = "desktopicon"
      • Inno Setup: Deselected Tasks = ""
      • Inno Setup: Language = "en"
      • DisplayName = "PC Cleaner v4.0"
      • UninstallString = ""%ProgramFiles%\PC Cleaner\unins000.exe""
      • QuietUninstallString = ""%ProgramFiles%\PC Cleaner\unins000.exe" /SILENT"
      • DisplayVersion = "4.0"
      • Publisher = "PCHelpSoft"
      • NoModify = 0x00000001
      • NoRepair = 0x00000001
      • InstallDate = "20160304"
      • MajorVersion = 0x00000004
      • MinorVersion = 0x00000000
    • [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
      • PC Cleaner = "%ProgramFiles%\pc cleaner\PCCSchedule.exe"
        so that PCCSchedule.exe runs every time Windows starts
    • [HKEY_CURRENT_USER\Software\PC Cleaner]
      • LastScanDate = 21 D4 E3 9A 2A B8 E4 40
      • LastScanFound = 0x000001B8
      • ItemsToFix = 0x00000119
      • ItemsToClean = 0x0000009F
      • JunkFiles = 0x00000075
      • ItemsFixed = 0x00000000
      • ItemsCleaned = 0x00000000
      • ResidualFilesCleaned = 0x00000000
      • LastScanChecked = "1110011"
      • DisplayName = "PC Cleaner"
      • Version = "4.0"
      • InstallationDate = 1E 03 64 93 2A B8 E4 40
      • AppStart = 0x00000003
      • LastUpdateChecking = 1E 03 64 93 2A B8 E4 40
      • UpdateReminderDisabled = 0x00000000
      • LogDir = "%AppData%\PC Cleaner\Log"
      • UndoDir = "%AppData%\PC Cleaner\Undo"
      • ItemsToRegistryScan = "1111111111"
      • ItemsToPrivacyScan = "1111"
      • ItemsToRecoveryScan = "1111"
      • UseExclusions = 0x00000001
      • ShowRebootMessage = 0x00000001
      • ShowRecycleBin = 0x00000001
      • StartWithWindows = 0x00000001
      • Reminder = 0x00000001
      • StartupNotifier = 0x00000001
      • CacheNotifier = 0x00000000
      • s_SmartMode = 0x00000000
      • s_SmartScan = 0x00000001
      • s_SmartDate = 2B 27 65 93 0A B8 E4 40
      • s_Enable = 0x00000000
      • s_Time = 2B 27 65 93 2A B8 E4 40
      • BuildID = "PCHS_PCC40"
      • UpgradeID = "PCHS_PCC40"
      • UpgradeIDPro = "PCHS_PCC40_PLAT"
      • InstallStat = 0x00000001

ThreatExpertOther details
  • Analysis of the file resources indicate the following possible countries of origin:
ThreatExpertRussian Federation
ThreatExpertNetherlands
  • To mark the presence in the system, the following Mutex objects were created:
    • PCCSchedule
    • madExceptSettingsMtx$41c
    • PCCleaner
    • madExceptSettingsMtx$5d0
    • HookTThread$5d0
    • _!SHMSFTHISTORY!_
    • madExceptSettingsMtx$778
    • PCCUninstaller
    • madExceptSettingsMtx$e4
    • HookTThread$e4
  • The following Host Names were requested from a host database:
    • service.smartpcupdate.com
    • localhost
  • The following Internet Connection was established:
Server NameServer PortConnect as UserConnection Password
www.pchelpsoft.com80(null)(null)
  • The following GET requests were made:
    • pc-cleaner/uninstall-offer/?ver=410
    • pc-cleaner/uninstall-offer/index.jpg
  • The following HTTP URLs were started reading:
    • https://service.smartpcupdate.com/rpc/sendspminstall?partner=PCHS_PCC4_EN_ID410&build=4.0&compiler=June2014
    • https://service.smartpcupdate.com/rpc/sendspmuninstall?partner=PCHS_PCC4_EN_ID410&build=4.0&compiler=June2014
    • https://service.smartpcupdate.com/rpc/sendspminstall?partner=PCHS_PCC40&build=4.0&compiler=

All content ("Information") contained in this report is the copyrighted work of Threat Expert Ltd and its associated companies ("ThreatExpert") and may not be copied without the express permission of ThreatExpert.

The Information is provided on an "as is" basis. ThreatExpert disclaims all warranties, whether express or implied, to the maximum extent permitted by law, including the implied warranties that the Information is merchantable, of satisfactory quality, accurate, fit for a particular purpose or need, or non-infringing, unless such implied warranties are legally incapable of exclusion. Further, ThreatExpert does not warrant or make any representations regarding the use or the results of the use of the Information in terms of their correctness, accuracy, reliability, or otherwise.

Copyright © 2016 ThreatExpert. All rights reserved.