Views: 3879 | Replies: 26

[Suspicious file] VT Detection ratio: 5 / 47 chp.exe, OA Free barely passes

墨家小子
Posted on 2013-5-20 10:24:05
This post was last edited by 墨家小子 on 2013-5-20 14:01

https://www.virustotal.com/en/fi ... nalysis/1369016290/

https://www.virustotal.com/en/fi ... nalysis/1369016297/

https://www.virustotal.com/en/fi ... nalysis/1369016327/

Open Process        C:\Sandbox\AA\Firefox\user\current\AppData\Roaming\pejo\chp.exe        cmd.exe        0x1fffff
10:17:18 2013/5/20        Open Thread        C:\Sandbox\AA\Firefox\user\current\AppData\Roaming\pejo\chp.exe        cmd.exe        0x1fffff
10:17:13 2013/5/20        Create Process        C:\Sandbox\AA\Firefox\user\current\AppData\Roaming\pejo\chp.exe        cmd.exe
10:16:53 2013/5/20        Create Process        C:\Windows\SysWOW64\cmd.exe        chp.exe
10:16:40 2013/5/20        Write protected registry area        C:\Windows\SysWOW64\reg.exe        HKEY_CURRENT_USER\user\current\software\Microsoft\Windows\CurrentVersion\Run        0x2        1
10:16:33 2013/5/20        Open Process        C:\Sandbox\AA\Firefox\user\current\4u8uwstfkwfx8.exe        cmd.exe        0x1fffff
10:16:22 2013/5/20        Create Process        C:\Windows\SysWOW64\cmd.exe        reg.exe
10:16:17 2013/5/20        Open Thread        C:\Sandbox\AA\Firefox\user\current\4u8uwstfkwfx8.exe        cmd.exe        0x1fffff
10:16:00 2013/5/20        Open Process        C:\Sandbox\AA\Firefox\user\current\uz6quskg4dmi0.exe        cmd.exe        0x1fffff
10:15:55 2013/5/20        Create Process        C:\Windows\System32\cmd.exe        attrib.exe
10:15:55 2013/5/20        Create Process        C:\Sandbox\AA\Firefox\user\current\4u8uwstfkwfx8.exe        cmd.exe
10:15:51 2013/5/20        Open Thread        C:\Sandbox\AA\Firefox\user\current\uz6quskg4dmi0.exe        cmd.exe        0x1fffff
10:15:37 2013/5/20        Write protected registry area        C:\Sandbox\AA\Firefox\user\current\4u8uwstfkwfx8.exe        HKEY_CURRENT_USER\user\current\software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap        0x2        1
10:15:31 2013/5/20        Create Process        C:\Sandbox\AA\Firefox\user\current\uz6quskg4dmi0.exe        cmd.exe
10:15:28 2013/5/20        Manipulate protected file objects        C:\Sandbox\AA\Firefox\user\current\4u8uwstfkwfx8.exe        \device\harddiskvolume1\sandbox\AA\firefox\user\current\appdata\roaming\a.bat        0x120196
10:15:17 2013/5/20        Write protected registry area        C:\Sandbox\AA\Firefox\user\current\uz6quskg4dmi0.exe        HKEY_CURRENT_USER\user\current\software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap        0x2        1
10:15:14 2013/5/20        Create Process        C:\Program Files (x86)\Java\jre7\bin\java.exe        4u8uwstfkwfx8.exe
10:15:13 2013/5/20        Manipulate protected file objects        C:\Sandbox\AA\Firefox\user\current\uz6quskg4dmi0.exe        \device\harddiskvolume1\sandbox\AA\firefox\user\current\appdata\roaming\pejo\libblkmaker_jansson-0.1-0.dll        0x120196
10:15:10 2013/5/20        Open Process        C:\Program Files (x86)\Java\jre7\bin\java.exe        uz6quskg4dmi0.exe        0x1fffff
10:15:07 2013/5/20        Open Thread        C:\Program Files (x86)\Java\jre7\bin\java.exe        uz6quskg4dmi0.exe        0x1fffff
10:14:56 2013/5/20        Create Process        C:\Program Files (x86)\Java\jre7\bin\java.exe        uz6quskg4dmi0.exe
10:14:53 2013/5/20        Manipulate protected file objects        C:\Program Files (x86)\Java\jre7\bin\java.exe        \device\harddiskvolume1\sandbox\AA\firefox\user\current\uz6quskg4dmi0.exe        0x120196

墨家小子
Original poster | Posted on 2013-5-20 13:55:16
This post was last edited by 墨家小子 on 2013-5-20 13:58

Posting an OA Free run.

After running it, a startup item was added and OA did not intercept it, but after the reboot……

Block log (read from bottom to top; the red part is OA's blocking action after the reboot; before the reboot you cannot see OA intercepting the trojan adding its startup item):

Type,Date/Time,Action,Description,Misc
Program Guard: kernel event,2013/5/20 13:37:42,None,"OADriver: OB_OPERATION_HANDLE_CREATE, 2672 -> 1228, Mask: 9 - 100000",1228 - oasrv.exe 2672 - XueTr.exe
Program Guard: 1.bat -> scvhost.exe,2013/5/20 13:37:28,Blocked,C:\Users\Firefox3\AppData\Roaming\pejo\1.bat(0) wants to start C:\Users\Firefox3\AppData\Roaming\pejo\scvhost.exe(0)
Program Guard: 1.bat,2013/5/20 13:37:18,Allowed,C:\Users\Firefox3\AppData\Roaming\pejo\chp.exe -> C:\Users\Firefox3\AppData\Roaming\pejo\1.bat
Program Guard: chp.exe,2013/5/20 13:37:15,Allowed,C:\Windows\system32\cmd.exe -> C:\Users\Firefox3\AppData\Roaming\pejo\chp.exe
Program Guard: AdMunch.exe -> AM32-33707.dll,2013/5/20 13:37:10,Allowed,C:\Users\Firefox3\Desktop\soft\Ad Muncher4.93\AdMunch.exe(2568) wants to set global hook to (C:\Users\Firefox3\Desktop\soft\Ad Muncher4.93\AM32-33707.dll)
Autorun detected: vifier.bat,2013/5/20 13:37:05,Blocked,C:\Users\Firefox3\AppData\Roaming\pejo\vifier.bat   --- the trojan's startup item was caught by OA before it could launch
Program Guard: kernel event,2013/5/20 13:37:01,None,"OADriver: PostMessage, Msg: 49218/c042  1556 -> 3000, Deny (protected)",1556 - taskhost.exe 3000 - OAhlp.exe
Program Guard: kernel event,2013/5/20 13:36:52,None,"OADriver: PostMessage, Msg: 799/31f  1440 -> 2684, Deny (protected)",1440 - dwm.exe 2684 - oaui.exe
Program Guard: kernel event,2013/5/20 13:36:33,None,"OADriver: OB_OPERATION_HANDLE_DUPLICATE, PID: 512, pid: 1228, Mask: 1FFFFF - 1FF414",1228 - oasrv.exe 512 - services.exe
Program Guard: kernel event,2013/5/20 13:36:33,None,"OADriver: OB_OPERATION_HANDLE_DUPLICATE, PID: 512, pid: 1188, Mask: 1FFFFF - 1FF414",1188 - OAcat.exe 512 - services.exe
Firewall: Automatic decision,2013/5/20 13:36:30,Allowed,"C:\Windows\system32\svchost.exe, Incoming UDP access allowed to: 0.0.0.0:65305"
Service started,2013/5/20 13:36:23,None,C:\Program Files\Online Armor\oasrv.exe
System boot,2013/5/20 13:36:23,None,System boot at: 2013/5/20 13:35:40
Service stopped,2013/5/20 13:35:17,None,C:\Program Files\Online Armor\oasrv.exe
System shutdown,2013/5/20 13:35:15,None,System shutdown at: 2013/5/20 13:35:15
Program Guard: kernel event,2013/5/20 13:35:15,None,"OADriver: OB_OPERATION_HANDLE_DUPLICATE, PID: 512, pid: 1220, Mask: 1FFFFF - 1FF414",1220 - oasrv.exe 512 - services.exe
Program Guard: kernel event,2013/5/20 13:35:15,None,"OADriver: OB_OPERATION_HANDLE_DUPLICATE, PID: 512, pid: 1180, Mask: 1FFFFF - 1FF414",1180 - OAcat.exe 512 - services.exe
Program Guard: kernel event,2013/5/20 13:34:56,None,"OADriver: OB_OPERATION_HANDLE_CREATE, 3032 -> 1220, Mask: 9 - 100000",1220 - oasrv.exe 3032 - XueTr.exe
Program Guard: 1.bat -> scvhost.exe,2013/5/20 13:34:29,Blocked,C:\Users\Firefox3\AppData\Roaming\pejo\1.bat(0) wants to start C:\Users\Firefox3\AppData\Roaming\pejo\scvhost.exe(0)
Program Guard: 1.bat,2013/5/20 13:34:28,Allowed,C:\Users\Firefox3\AppData\Roaming\pejo\chp.exe -> C:\Users\Firefox3\AppData\Roaming\pejo\1.bat
Program Guard: chp.exe,2013/5/20 13:34:18,Allowed,C:\Windows\system32\cmd.exe -> C:\Users\Firefox3\AppData\Roaming\pejo\chp.exe
Program Guard: vifier.bat -> reg.exe,2013/5/20 13:34:06,Allowed,C:\Users\Firefox3\AppData\Roaming\pejo\vifier.bat(0) wants to start C:\Windows\system32\reg.exe(0)    --- in fact OA had already lost at this point: reg will add the startup item
Program Guard: kernel event,2013/5/20 13:34:05,None,"OADriver: OB_OPERATION_HANDLE_DUPLICATE, PID: 2864, pid: 1040, SP: 2308863120, TP: 2308863120, Mask: 1FFFFF - 1FF414",1040 - cmd.exe 2864 - uz6quskg4dmi0.exe
Program Guard: vifier.bat,2013/5/20 13:34:04,Allowed,C:\Users\Firefox3\Desktop\uz6quskg4dmi0\uz6quskg4dmi0.exe -> C:\Users\Firefox3\AppData\Roaming\pejo\vifier.bat
Program Guard: uz6quskg4dmi0.exe -> cmd.exe,2013/5/20 13:34:04,Allowed,C:\Users\Firefox3\Desktop\uz6quskg4dmi0\uz6quskg4dmi0.exe(2864) wants to start C:\Windows\system32\cmd.exe(1040)
Program Guard: uz6quskg4dmi0.exe -> libblkmaker_jansson-0.1-0.dll,2013/5/20 13:33:17,Allowed,C:\Users\Firefox3\Desktop\uz6quskg4dmi0\uz6quskg4dmi0.exe wants to create executable file C:\Users\Firefox3\AppData\Roaming\pejo\libblkmaker_jansson-0.1-0.dll
Program Guard: uz6quskg4dmi0.exe,2013/5/20 13:33:14,Allowed,C:\Windows\Explorer.EXE -> C:\Users\Firefox3\Desktop\uz6quskg4dmi0\uz6quskg4dmi0.exe
Program Guard: uz6quskg4dmi0.exe,2013/5/20 13:32:45,Blocked,C:\Windows\Explorer.EXE -> C:\Users\Firefox3\Desktop\uz6quskg4dmi0\uz6quskg4dmi0.exe
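As an added example (not from the thread and not Online Armor's own code), a small Python checker that parses the OA log format quoted above and flags the two allowed launches the poster points at as the moment persistence was established: a .bat staged under AppData\Roaming, and that script starting reg.exe. The sample rows are copied from the log above; the user-writable path list, the registry-writer list and the two Description regexes are assumptions.

```python
import csv
import ntpath
import re
from io import StringIO

# Constructed sample: four rows copied from the Online Armor log quoted in the post above.
SAMPLE_LOG = r"""Type,Date/Time,Action,Description,Misc
Program Guard: uz6quskg4dmi0.exe -> cmd.exe,2013/5/20 13:34:04,Allowed,C:\Users\Firefox3\Desktop\uz6quskg4dmi0\uz6quskg4dmi0.exe(2864) wants to start C:\Windows\system32\cmd.exe(1040)
Program Guard: vifier.bat,2013/5/20 13:34:04,Allowed,C:\Users\Firefox3\Desktop\uz6quskg4dmi0\uz6quskg4dmi0.exe -> C:\Users\Firefox3\AppData\Roaming\pejo\vifier.bat
Program Guard: vifier.bat -> reg.exe,2013/5/20 13:34:06,Allowed,C:\Users\Firefox3\AppData\Roaming\pejo\vifier.bat(0) wants to start C:\Windows\system32\reg.exe(0)
Program Guard: 1.bat -> scvhost.exe,2013/5/20 13:34:29,Blocked,C:\Users\Firefox3\AppData\Roaming\pejo\1.bat(0) wants to start C:\Users\Firefox3\AppData\Roaming\pejo\scvhost.exe(0)
"""

# The two Description shapes Program Guard uses for a process launch (assumed from the rows above).
WANTS = re.compile(r"^(?P<parent>.+?)(?:\(\d+\))? wants to start (?P<child>.+?)(?:\(\d+\))?$")
ARROW = re.compile(r"^(?P<parent>.+?) -> (?P<child>.+)$")
# Directories an ordinary user can write to (assumed list); code launched from here is untrusted.
USER_WRITABLE = re.compile(r"\\(AppData\\Roaming|AppData\\Local|Desktop|Downloads|Temp)\\", re.I)
# Built-in tools that can add a Run-key entry on the caller's behalf (assumed list).
REGISTRY_WRITERS = {"reg.exe", "regedit.exe"}

def parse_launches(log_text):
    """Yield (time, action, parent_path, child_path) for every Program Guard launch row."""
    for row in csv.DictReader(StringIO(log_text)):
        if not row["Type"].startswith("Program Guard"):
            continue
        m = WANTS.match(row["Description"]) or ARROW.match(row["Description"])
        if m:
            yield row["Date/Time"], row["Action"], m.group("parent"), m.group("child")

def find_persistence_pivots(log_text):
    """Return (time, parent, child, verdict) for allowed launches that deserve a prompt."""
    hits = []
    for when, action, parent, child in parse_launches(log_text):
        if action != "Allowed":
            continue  # launches the HIPS already blocked need no second look
        parent_name = ntpath.basename(parent).lower()
        child_name = ntpath.basename(child).lower()
        if USER_WRITABLE.search(parent) and child_name in REGISTRY_WRITERS:
            hits.append((when, parent_name, child_name, "untrusted script launched a registry writer"))
        elif USER_WRITABLE.search(child) and child_name.endswith((".bat", ".cmd", ".vbs")):
            hits.append((when, parent_name, child_name, "script staged in a user-writable directory"))
    return hits

if __name__ == "__main__":
    for hit in find_persistence_pivots(SAMPLE_LOG):
        print(" | ".join(hit))
```

The rule deliberately keys on the parent's location rather than on reg.exe alone, which is the distinction the later replies ask for: system programs adding startup items is normal, a script in AppData\Roaming driving them is not.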
墨家小子
Original poster | Posted on 2013-5-20 10:25:13
10:16:40 2013/5/20        Write protected registry area        C:\Windows\SysWOW64\reg.exe        HKEY_CURRENT_USER\user\current\software\Microsoft\Windows\CurrentVersion\Run        0x2        1

This is outrageous.
zdlzp
Posted on 2013-5-20 10:45:56
2 and 3 get past Huorong

墨家小子
Original poster | Posted on 2013-5-20 10:50:07
zdlzp posted on 2013-5-20 10:45
2 and 3 get past Huorong

Except for the first screenshot, Huorong is in deep trouble.
It seems this system process also needs strict guarding, like the custom rules in McAfee.
zdlzp
Posted on 2013-5-20 10:54:36
Recommended: allow
墨家小子
Original poster | Posted on 2013-5-20 10:59:31
zdlzp posted on 2013-5-20 10:54
Recommended: allow

No way around it, system programs adding startup items is perfectly normal.

It seems the only option is to restrict system programs from adding startup items; it would be good if every exe in system32 adding a startup item triggered a prompt.
rasis
Posted on 2013-5-20 11:00:03
4u8uwstfkwfx8.zip=>4u8uwstfkwfx8.exe        Program with trojan characteristics (Win32/Trojan.e6d)        Deleted
uz6quskg4dmi0.zip=>uz6quskg4dmi0.exe        HEUR/Malware.QVM06.Gen        Deleted
fireold
Posted on 2013-5-20 11:47:56
gd
*** Process ***

Process: 5684
File name: 4u8uwstfkwfx8.exe
Path: c:\users\abc\downloads\4u8uwstfkwfx8\4u8uwstfkwfx8.exe

Publisher: Unknown publisher
Creation date: 05/20/13 03:35:36
Modification date: 05/20/13 02:15:14

Started by: explorer.exe
Publisher: Microsoft Windows


*** Actions ***

The program is trying to create a startup item to launch a program automatically at system startup.
An executable file was stored in a suspicious location.
A suspicious location is referenced in startup.


*** Quarantine ***

The following files were moved into quarantine:
C:\Users\abc\AppData\Roaming\a.bat
C:\Users\abc\Downloads\4u8uwstfkwfx8\4u8uwstfkwfx8.exe

The following registry entries were deleted:

\REGISTRY\USER\S-1-5-21-2966477666-36215007-1111156643-1001\Control Panel\Desktop || SCRNSAVE.EXE

Rules version: 4.1.0
OS: Windows 6.1 Service Pack 1.0 Build: 7601 - Workstation 32bit OS
dll version: 30732

"C:\Users\abc\Downloads\4u8uwstfkwfx8\4u8uwstfkwfx8.exe"
C:\Windows\Explorer.EXE


--------------------------------------------------
*** Process ***

Process: 4016
File name: bjg.exe
Path: c:\program files\bjg\bjg.exe

Publisher: Unknown publisher
Creation date: 05/20/13 03:35:51
Modification date: 05/20/13 02:15:14

Started by: explorer.exe
Publisher: Microsoft Windows


*** Actions ***

The attributes "system" and "hidden" are set for this program.
An executable file was stored in a suspicious location.


*** Quarantine ***

The following files were moved into quarantine:
C:\Program Files\bjg\bjg.exe
C:\Users\abc\AppData\Roaming\a.bat

The following registry entries were deleted:


Rules version: 4.1.0
OS: Windows 6.1 Service Pack 1.0 Build: 7601 - Workstation 32bit OS
dll version: 30732

"c:\Program Files\bjg\bjg.exe" C:\Users\abc\Documents\G Data log ID 2.txt
C:\Windows\Explorer.EXE

fireold
Posted on 2013-5-20 11:58:13
bd
liangxy
Posted on 2013-5-20 12:12:59
I haven't shown up for a long time, just popping in to say hello. How did Micropoint do in the test?
Copyright © KaFan  KaFan.cn All Rights Reserved.
