Intelligent Analysis Engine

A four-stage progressive reasoning architecture: from raw evidence to full reconstruction of the attack chain. No hallucinated output; every conclusion at every step rests on verifiable execution evidence.

Staged Progressive Reasoning

Each reasoning step builds on the evidence produced by the previous one. No leaps, no guessing; the analysis converges step by step on a final conclusion.

STAGE 01

Evidence

Automated sample collection: file metadata, string extraction, import-table analysis, hash computation

STAGE 02

Hypothesis

Multiple hypotheses are generated from the evidence. Network backdoor? Ransomware? Information stealer? Ranked by probability

STAGE 03

Verification

Verification commands are executed for each hypothesis. MITRE ATT&CK technique mapping, quantified confidence assessment

STAGE 04

Conclusion

Full reconstruction of the attack chain. Threat-level rating, IOC summary and remediation advice output with one click
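As an added example (not R1kkoSec's own code), here is a minimal Python version of the Stage 01 to Stage 02 hand-off described above: it takes the kind of evidence the terminal session further down this page produces (an import table and extracted strings, constructed here to mirror suspect.dll), decodes base64 fragments whose padding `strings` has dropped, and ranks ATT&CK-mapped hypotheses by how much of each rule's indicator set the evidence actually supports. The indicator sets in RULES are illustrative assumptions, not an official ATT&CK mapping.

```python
import base64, binascii, re

# Constructed evidence, modelled on the page's suspect.dll session (not real sample data)
IMPORTS = {
    "ws2_32.dll": {"connect", "send", "recv", "closesocket"},
    "kernel32.dll": {"CreateRemoteThread", "VirtualAllocEx", "WriteProcessMemory"},
    "advapi32.dll": {"RegSetValueExA"},
}
STRINGS = ["CreateRemoteThread", "aHR0cDovLzEwLjAuMS4",
           r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run"]

# Hypothesis rules (assumed, illustrative): ATT&CK id, label, indicators. An indicator is an
# import name or a derived "str:" fact. Confidence = share of a rule's indicators that are supported.
RULES = [
    ("T1055.001", "DLL injection", {"OpenProcess", "VirtualAllocEx", "WriteProcessMemory", "CreateRemoteThread"}),
    ("T1071.001", "HTTP C2 channel", {"connect", "send", "recv", "str:http_url"}),
    ("T1547.001", "Registry Run key persistence", {"RegOpenKeyExA", "RegSetValueExA", "str:run_key"}),
    ("T1486", "Data encrypted for impact", {"CryptAcquireContextA", "CryptGenKey", "CryptEncrypt"}),
]

def decode_b64_fragments(strings):
    """Decode base64-looking strings to printable ASCII; `strings` output often drops the '=' padding."""
    decoded = {}
    for s in strings:
        if not re.fullmatch(r"[A-Za-z0-9+/]{12,}=*", s):
            continue
        try:  # re-pad to a multiple of 4 before decoding
            text = base64.b64decode(s + "=" * (-len(s) % 4)).decode("ascii")
        except (binascii.Error, UnicodeDecodeError):
            continue  # plain API names that happen to look like base64 fall out here
        if text.isprintable():
            decoded[s] = text
    return decoded

def score_hypotheses(imports, strings):
    """Stage 02 of the pipeline: turn Stage 01 evidence into ranked, ATT&CK-mapped hypotheses."""
    facts = set().union(*imports.values())
    decoded = decode_b64_fragments(strings)
    if any(v.lower().startswith("http") for v in decoded.values()):
        facts.add("str:http_url")
    if any(s.upper().endswith(r"\CURRENTVERSION\RUN") for s in strings):
        facts.add("str:run_key")
    findings = []
    for tid, label, indicators in RULES:
        hit = indicators & facts
        if hit:  # a hypothesis with no supporting evidence is dropped, not scored low
            findings.append({"technique": tid, "label": label,
                             "confidence": round(100 * len(hit) / len(indicators)),
                             "evidence": sorted(hit)})
    return sorted(findings, key=lambda f: f["confidence"], reverse=True)
```

Each finding carries the exact indicators that supported it, which is what the Verification stage then has to confirm or refute with sandbox and memory evidence.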

Real-time Analysis Process

Watch R1kkoSec complete a full-chain analysis of a malicious DLL sample in 42 seconds

R1kkoSec Analysis Engine (Session: 0xA7F3)
EVIDENCE TERMINAL
--- sample: suspect.dll (148,736 bytes) ---
r1kko@analysis:~$ file suspect.dll
suspect.dll: PE32+ executable (DLL) x86-64, for MS Windows
r1kko@analysis:~$ sha256sum suspect.dll
a1b2c3d4e5f6...7890abcd suspect.dll
r1kko@analysis:~$ strings -n 8 suspect.dll | head -20
ws2_32.dll
kernel32.dll
CreateRemoteThread
VirtualAllocEx
aHR0cDovLzEwLjAuMS4
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
--- 14 suspicious strings extracted ---
r1kko@analysis:~$ python3 -c "import base64; s='aHR0cDovLzEwLjAuMS4'; print(base64.b64decode(s + '=' * (-len(s) % 4)).decode())"
http://10.0.1.
r1kko@analysis:~$ objdump -x suspect.dll | grep -i import
IMPORT: ws2_32.dll (connect, send, recv, closesocket)
IMPORT: kernel32.dll (CreateRemoteThread, VirtualAllocEx, WriteProcessMemory)
IMPORT: advapi32.dll (RegSetValueExA)
--- dynamic analysis sandbox ---
r1kko@analysis:~$ strace -e network ./run_dll.sh 2>&1 | tail
connect(3, {sin_family=AF_INET, sin_port=htons(4443), sin_addr=inet_addr("10.0.1.50")}, 16) = 0
sendto(3, "POST /beacon HTTP/1.1\r\nHost: 10.0.1.50...")
r1kko@analysis:~$ volatility -f memdump.raw --profile=Win10 pslist | grep inject
0x8a01f000 svchost.exe 1284 INJECTED (suspect.dll mapped)
r1kko@analysis:~$ yara -r /rules/apt_backdoor.yar suspect.dll
[MATCH] APT29_Backdoor_DLL: suspect.dll (score: 92/100)
--- evidence collection complete ---
AI REASONING STREAM
EVIDENCE #1 — File Metadata
OBSERVED
PE32+ DLL (x86-64), 148KB. Imports: ws2_32.dll (network), kernel32.dll (process manipulation), advapi32.dll (registry).
Target sample is a Windows DLL with networking, process injection, and registry modification capabilities.
EVIDENCE #2 — String Analysis
OBSERVED
Base64 encoded URL fragment: aHR0cDovLzEwLjAuMS4 → http://10.0.1.
Registry key: HKLM\...\Run (autostart persistence)
Encoded C2 communication endpoint + persistence mechanism via registry Run key.
HYPOTHESIS — Threat Classification
H1 (Primary): Network-communicating backdoor with encoded C2 configuration, process injection for stealth, registry persistence.

H2: Information stealer with exfiltration channel.
H3: Ransomware loader (low probability — no crypto imports).
Confidence:
72%
VERIFY #1 — C2 Communication
VERIFIED
Sandbox execution confirmed: TCP connect to 10.0.1.50:4443, HTTP POST /beacon with host fingerprint data.
T1071.001 Application Layer Protocol — HTTP C2 beacon confirmed.
Confidence:
88%
VERIFY #2 — Process Injection
VERIFIED
Memory analysis: suspect.dll mapped into svchost.exe (PID 1284) via CreateRemoteThread + VirtualAllocEx.
T1055.001 DLL Injection — Defense evasion by injecting into a trusted system process.
Confidence:
91%
VERIFY #3 — Persistence
VERIFIED
Registry autostart key: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\SvcHelper → suspect.dll path.
T1547.001 Registry Run Keys — Boot-time persistence confirmed.
Confidence:
94%
CONCLUSION — Threat Assessment
THREAT LEVEL: HIGH

Attack Chain: Initial Access → DLL Injection (svchost.exe) → Registry Persistence → HTTP C2 Beacon (10.0.1.50:4443)

MITRE Coverage: T1071.001, T1055.001, T1547.001, T1027.010, T1082

YARA Match: APT29_Backdoor_DLL (92/100)
Final Confidence:
94%

Assessment Report Output

Automatically generates a structured security assessment report with a complete MITRE ATT&CK mapping and remediation advice

R1kkoSec Report — suspect.dll

CRITICAL Threat Assessment — suspect.dll

APT-grade backdoor DLL with full C2 communication, process injection, and persistence capabilities. YARA signature matches APT29 tooling family with 92% confidence.

Attack Chain Reconstruction

  • Step 1 Initial Access — DLL sideloading via legitimate application (delivery vector TBD)
  • Step 2 Execution — T1055.001 DLL injected into svchost.exe via CreateRemoteThread
  • Step 3 Persistence — T1547.001 Registry Run key SvcHelper ensures boot-time reload
  • Step 4 C2 — T1071.001 HTTP POST beacon to 10.0.1.50:4443/beacon every 30s
  • Step 5 Defense Evasion — T1027.010 Base64 encoded C2 config, process injection into trusted process
  • Step 6 Discovery — T1082 Host fingerprint (hostname, OS, user) sent in beacon payload

IOC Summary

  • IOC SHA256: a1b2c3d4e5f6...7890abcd
  • IOC C2 Server: 10.0.1.50:4443
  • IOC C2 URI: /beacon (HTTP POST)
  • IOC Registry: HKLM\...\Run\SvcHelper
  • IOC Injected Process: svchost.exe PID 1284

Priority Remediation

  • P0 Isolate affected host immediately. Block egress to 10.0.1.50 at firewall.
  • P1 Delete registry key SvcHelper, terminate injected svchost.exe (PID 1284).
  • P2 Push IOCs to EDR/SIEM. Full-network scan for lateral movement indicators.
Average analysis time: 42s
MITRE ATT&CK techniques mapped: 6
Final confidence: 94%

Try R1kkoSec Now

Take your security analysis to a new, AI-driven level

Launch Workspace | Enter CTF Range