Detection ratio: 4 / 55 一妈带着三熊孩子各个都是非主流

显示全部楼层 · 发表于 2015-12-1 19:21:43

https://www.virustotal.com/en/fi ... nalysis/1448968059/
SHA256: 0f4d6c8f7be6913b728dc11fe663c4ede070e8a85f68613cbf460273e3562e34
File name: and515.exe
Detection ratio: 4 / 55
Analysis date: 2015-12-01 11:07:39 UTC ( 0 minutes ago )

+++++++++++++++++++++++++++++++++++++

SHA256: 7fb56e0a59babb2222c5418fa3229f18a80775e0339d0971dd48477bb7873202
File name: KB09883203.exe
Detection ratio: 3 / 49
Analysis date: 2015-12-01 11:14:03 UTC ( 1 minute ago )

+++++++++++++++++++++++++++++++++++++

SHA256: e95fb952f1e77ea683c1a73318f6e835158a398093a4def50657b8f4683a4bf6
File name: KB09932109.exe
Detection ratio: 4 / 55
Analysis date: 2015-12-01 11:14:15 UTC ( 1 minute ago )

+++++++++++++++++++++++++++++++++++++

SHA256: 660ca14b3b368981d5470edb59a11f3a37ac40161ddf352f58d15578f6fb3155
File name: KB09996640.exe
Detection ratio: 4 / 55
Analysis date: 2015-12-01 11:14:27 UTC ( 1 minute ago )

+++++++++++++++++++++++++++++++++++++

2015/12/1 19:08:38,C:\Windows\explorer.exe,53,Allowed ;执行应用程序 ("C:\Users\AAAAA\Desktop\1111\and515.exe" )

2015/12/1 19:08:48,C:\Users\AAAAA\Desktop\1111\and515.exe,53,Allowed ;执行应用程序 ("C:\windows\system32\msiexec.exe")

2015/12/1 19:08:51,C:\Windows\SysWOW64\msiexec.exe,50,Allowed ;使用 DNS 解析服务访问网络
2015/12/1 19:08:54,C:\Windows\SysWOW64\msiexec.exe,48,Allowed ;出站网络访问
2015/12/1 19:09:19,C:\Windows\SysWOW64\msiexec.exe,47,Allowed ;创建交换数据流 (C:\ProgramData\msojglxqp.exe:Zone.Identifier)

2015/12/1 19:09:21,C:\Windows\SysWOW64\msiexec.exe,26,Blocked ;修改受保护的注册表键 (HKCU\Software\Microsoft\Windows NT\CurrentVersion\Windows,Load)
2015/12/1 19:09:23,C:\Windows\SysWOW64\msiexec.exe,26,Blocked ;修改受保护的注册表键 (HKCU\Software\Microsoft\Windows\CurrentVersion\Run,80835775)

2015/12/1 19:09:58,C:\Windows\SysWOW64\msiexec.exe,53,Allowed ;执行应用程序 (C:\Users\AAAAA\AppData\Local\Temp\KB09883203.exe)

2015/12/1 19:10:06,C:\Users\AAAAA\AppData\Local\Temp\KB09883203.exe,53,Allowed ;执行应用程序 ("C:\windows\SysWOW64\explorer.exe")

2015/12/1 19:10:16,C:\Windows\SysWOW64\msiexec.exe,53,Allowed ;执行应用程序 (C:\Users\AAAAA\AppData\Local\Temp\KB09914671.exe)

2015/12/1 19:10:17,C:\Windows\SysWOW64\explorer.exe,26,Blocked ;修改受保护的注册表键 (HKCU\Software\Microsoft\Windows\CurrentVersion\Run,KdjSaS011arbaaa1z)

2015/12/1 19:10:20,C:\Users\AAAAA\AppData\Local\Temp\KB09914671.exe,53,Allowed ;执行应用程序 ("C:\windows\SysWOW64\explorer.exe")

2015/12/1 19:10:22,C:\Windows\SysWOW64\explorer.exe,26,Blocked ;修改受保护的注册表键 (HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce,KdjSaS011arbaaa1z)

2015/12/1 19:10:24,C:\Windows\SysWOW64\explorer.exe,26,Blocked ;修改受保护的注册表键 (HKCU\Software\Microsoft\Windows\CurrentVersion\Run,KdjSaS011arhaaa)

2015/12/1 19:10:59,C:\Windows\SysWOW64\msiexec.exe,53,Allowed ;执行应用程序 (C:\Users\AAAAA\AppData\Local\Temp\KB09932109.exe)

2015/12/1 19:11:01,C:\Windows\SysWOW64\explorer.exe,26,Blocked ;修改受保护的注册表键 (HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce,KdjSaS011arhaaa)

2015/12/1 19:11:03,C:\Windows\SysWOW64\explorer.exe,48,Allowed ;出站网络访问

2015/12/1 19:11:06,C:\Users\AAAAA\AppData\Local\Temp\KB09932109.exe,53,Allowed ;执行应用程序 ("C:\windows\SysWOW64\explorer.exe")

2015/12/1 19:11:07,C:\Windows\SysWOW64\explorer.exe,26,Blocked ;修改受保护的注册表键 (HKCU\Software\Microsoft\Windows\CurrentVersion\Run,KdjSaS011arha)
2015/12/1 19:11:09,C:\Windows\SysWOW64\explorer.exe,26,Blocked ;修改受保护的注册表键 (HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce,KdjSaS011arha)

2015/12/1 19:11:13,C:\Windows\SysWOW64\explorer.exe,48,Allowed ;出站网络访问
2015/12/1 19:11:23,C:\Windows\SysWOW64\explorer.exe,48,Blocked ;出站网络访问

2015/12/1 19:11:40,C:\Windows\SysWOW64\msiexec.exe,53,Allowed ;执行应用程序 (C:\Users\AAAAA\AppData\Local\Temp\KB09996640.exe)

2015/12/1 19:11:45,C:\Users\AAAAA\AppData\Local\Temp\KB09996640.exe,53,Allowed ;执行应用程序 ("C:\windows\SysWOW64\explorer.exe")

2015/12/1 19:11:46,C:\Windows\SysWOW64\explorer.exe,26,Blocked ;修改受保护的注册表键 (HKCU\Software\Microsoft\Windows\CurrentVersion\Run,djSaS011arbaaa1za13a1)
2015/12/1 19:11:48,C:\Windows\SysWOW64\explorer.exe,26,Blocked ;修改受保护的注册表键 (HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce,djSaS011arbaaa1za13a1)

2015/12/1 19:12:00,C:\Windows\SysWOW64\explorer.exe,48,Allowed ;出站网络访问

显示全部楼层 · 发表于 2015-12-1 19:23:43

@ccboxes 给它们点爱

显示全部楼层 · 发表于 2015-12-1 19:33:00

2345最近厉害啊

显示全部楼层 · 发表于 2015-12-1 19:37:29

本帖最后由 yzt1004 于 2015-12-1 19:39 编辑

妈这么快就打胎啦？

测了一个娃，也是alert 拦的，是不是我电脑爆发了？

显示全部楼层 · 发表于 2015-12-1 19:42:43

yzt1004 发表于 2015-12-1 19:37
妈这么快就打胎啦？

不是，这玩意目测拦截注入成功率100%，建议该公司收购SpyShelter

不过我这里是先注入msiexec.exe，后来的衍生物注入explorer

显示全部楼层 · 发表于 2015-12-1 19:47:45

本帖最后由 ccboxes 于 2015-12-1 19:48 编辑

BD扫描全Miss
ATC全部拦截成功，已上报。@230f4

显示全部楼层 · 发表于 2015-12-1 19:50:25

ccboxes 发表于 2015-12-1 19:47
BD扫描全Miss
ATC全部拦截成功，已上报。@230f4

感谢测试！人气稍后送上

显示全部楼层 · 发表于 2015-12-1 19:51:36

显示全部楼层 · 发表于 2015-12-1 20:05:12

to dr.web

显示全部楼层 · 发表于 2015-12-1 20:13:13

AVG：

扫描：miss；

双击：实机双击（不入沙），注入msiexec.exe后不久，IDP突袭击杀之。

"";"IDP.ARES.Generic, C:\Users\Killer\Desktop\and515.exe";"Deleted, Moved to Virus Vault";"File or Directory";"2015/12/1, 20:10:31"
"";", C:\Users\Killer\Desktop\and515.exe";"Object was blocked";"Process";"2015/12/1, 20:10:31"
"";", C:\Windows\System32\msiexec.exe";"Object was blocked";"Process";"2015/12/1, 20:10:31"
"";", C:\Windows\System32\WerFault.exe";"Object was blocked";"Process";"2015/12/1, 20:10:31"
"";", C:\Users\Killer\Desktop\and515.exe";"Object was blocked";"Process";"2015/12/1, 20:10:31"

[可疑文件] Detection ratio: 4 / 55 一妈带着三熊孩子各个都是非主流

本帖子中包含更多资源

评分

本帖子中包含更多资源

本帖子中包含更多资源

本帖子中包含更多资源

评分

本帖子中包含更多资源

[可疑文件] Detection ratio: 4 / 55 一妈带着三熊孩子 各个都是非主流

本帖子中包含更多资源

评分

本帖子中包含更多资源

本帖子中包含更多资源

本帖子中包含更多资源

评分

本帖子中包含更多资源

[可疑文件] Detection ratio: 4 / 55 一妈带着三熊孩子各个都是非主流