这是典型的远程DLL注入行为，SSF现在这么牛逼了？

显示全部楼层 · 发表于 2016-11-15 11:56:57

本帖最后由墨家小子于 2016-11-15 11:58 编辑

是不是误报这个dll？

SHA256: 9b42fc53c49d3b8b8479d42f8fc8dd3b7dc634b2de0aa43a3c78e8961b73a833
File name: baldrics.dll
Detection ratio: 3 / 56
Analysis date: 2016-11-15 03:51:50 UTC ( 0 minutes ago )
https://www.virustotal.com/en/fi ... nalysis/1479181910/

SHA256: 3788984ce70973ac3e7ae83af380ad536e14feab3e62e7ff34754d73fe07763a
File name: a1.exe
Detection ratio: 7 / 56
Analysis date: 2016-11-15 03:53:00 UTC ( 1 minute ago )
https://www.virustotal.com/en/fi ... nalysis/1479181980/

显示全部楼层 · 发表于 2016-11-15 12:05:58

管家miss

显示全部楼层 · 发表于 2016-11-15 12:08:01

ESET [v14444/20161114]

Kill a1.rar [Suspicious Object]

a2.exe and baldrics.dll miss [未到达临界点？]

显示全部楼层 · 发表于 2016-11-15 12:12:20

fireherman 发表于 2016-11-15 12:08
ESET [v14444/20161114]

Kill a1.rar [Suspicious Object]

虚拟机试试，你把hips调成自动模式，双击，估计a1、2都能被拦截

显示全部楼层 · 发表于 2016-11-15 12:14:48

卡巴

a2.exe
UDS:DangerousObject.Multi.Generic

显示全部楼层 · 发表于 2016-11-15 12:27:00

本帖最后由 fireherman 于 2016-11-15 12:45 编辑

墨家小子发表于 2016-11-15 12:12
虚拟机试试，你把hips调成自动模式，双击，估计a1、2都能被拦截

正好在用虚拟机测试，不过HIPS不是自动模式，而是智能模式，而且有[针对性的自定义规则]：

a1.exe被杀了，就不管。

双击a2.exe，开始写注册表[阻止]，并且在临时目录生成文件（第11行生成baldrics.dll）[允许]，然后进行递归调用（自己调用自己[允许]，打鸡血？

）

过一会似乎有所行动：修改注册表启动项（第1行）[阻止]

[mw_shl_code=css,true]2016-11-15 12:11:46       E:\VirZ\a2.exe       Delete from registry       HKEY_USERS\S-1-5-21-2052111302-2111687655-1060284298-1003\Software\Microsoft\Windows\CurrentVersion\Run\{0E2F1425-C2B7-C393-2668-3608BC049FA0}       blocked       [101][X]ESET-NOD32 HIPS Test[RD]
2016-11-15 12:11:33       E:\VirZ\a2.exe       Modify state of another application       E:\VirZ\a2.exe       allowed       [103][H]ESET-NOD32 HIPS Test[AD]
2016-11-15 12:11:08       E:\VirZ\a2.exe       Modify state of another application       E:\VirZ\a2.exe       allowed       [103][H]ESET-NOD32 HIPS Test[AD]
2016-11-15 12:11:06       E:\VirZ\a2.exe       Modify state of another application       E:\VirZ\a2.exe       allowed       [103][H]ESET-NOD32 HIPS Test[AD]
2016-11-15 12:11:05       E:\VirZ\a2.exe       Modify state of another application       E:\VirZ\a2.exe       allowed       [103][H]ESET-NOD32 HIPS Test[AD]
2016-11-15 12:11:02       E:\VirZ\a2.exe       Modify state of another application       E:\VirZ\a2.exe       allowed       [103][H]ESET-NOD32 HIPS Test[AD]
2016-11-15 12:10:58       E:\VirZ\a2.exe       Start new application       E:\VirZ\a2.exe       allowed       [103][H]ESET-NOD32 HIPS Test[AD]
2016-11-15 12:09:55       E:\VirZ\a2.exe       Get access to file       E:\Temp\WINXP_~1\nsxF.tmp\System.dll       some access allowed       [100][O]ESET-NOD32 HIPS Test[FD:Del/Write]       Write to file
2016-11-15 12:09:55       E:\VirZ\a2.exe       Get access to file       E:\Temp\WINXP_~1\nsxF.tmp       some access allowed       [100][O]ESET-NOD32 HIPS Test[FD:Del/Write]       Delete file
2016-11-15 12:09:55       E:\VirZ\a2.exe       Get access to file       E:\Temp\WINXP_~1\nsxF.tmp       some access allowed       [100][O]ESET-NOD32 HIPS Test[FD:Del/Write]       Write to file,Get exclusive access to file
2016-11-15 12:09:55       E:\VirZ\a2.exe       Get access to file       E:\Temp\WINXP_~1\baldrics.dll       some access allowed       [100][O]ESET-NOD32 HIPS Test[FD:Del/Write]       Write to file
2016-11-15 12:09:55       E:\VirZ\a2.exe       Get access to file       E:\Temp\WINXP_~1\Tartrazine.6Jq       some access allowed       [100][O]ESET-NOD32 HIPS Test[FD:Del/Write]       Write to file
2016-11-15 12:09:55       E:\VirZ\a2.exe       Get access to file       E:\Temp\WINXP_~1\nsnE.tmp       some access allowed       [100][O]ESET-NOD32 HIPS Test[FD:Del/Write]       Delete file
2016-11-15 12:09:55       E:\VirZ\a2.exe       Get access to file       E:\Temp\WINXP_~1\nsnE.tmp       some access allowed       [100][O]ESET-NOD32 HIPS Test[FD:Del/Write]       Write to file,Get exclusive access to file
2016-11-15 12:09:55       E:\VirZ\a2.exe       Modify registry       HKEY_USERS\S-1-5-21-2052111302-2111687655-1060284298-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{f274fa40-775a-11e6-be8c-806d6172696f}\BaseClass       blocked       [101][X]ESET-NOD32 HIPS Test[RD]
2016-11-15 12:09:55       E:\VirZ\a2.exe       Modify registry       HKEY_USERS\S-1-5-21-2052111302-2111687655-1060284298-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{f274fa43-775a-11e6-be8c-806d6172696f}\BaseClass       blocked       [101][X]ESET-NOD32 HIPS Test[RD]
2016-11-15 12:09:55       E:\VirZ\a2.exe       Modify registry       HKEY_USERS\S-1-5-21-2052111302-2111687655-1060284298-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{f274fa42-775a-11e6-be8c-806d6172696f}\BaseClass       blocked       [101][X]ESET-NOD32 HIPS Test[RD]       [/mw_shl_code]

然后就一直驻留在内存里赖着不走：

任务管理器强行关闭：

显示全部楼层 · 发表于 2016-11-15 12:32:31

@墨家小子

你说对了，采用HIPS智能模式，双击，AMS（高级内存扫描击杀，终于……）

[mw_shl_code=css,true]2016-11-15 12:30:16 Advanced memory scanner file Operating memory » E:\VirZ\a2.exe Win32/Boaxxe.BV trojan cleaned 08037EB2DF06D644DEE645B9F13AF7F878A596AE [/mw_shl_code]

显示全部楼层 · 发表于 2016-11-15 12:44:55

Avira

a2.exe
->TR/AD.Boaxxe.Y (Cloud)
a1.exe
->TR/Crypt.ZPACK.Gen4 (Cloud)
baldrics.dll
->HEUR/APC (Cloud)

显示全部楼层 · 发表于 2016-11-15 12:48:01

咔吧拉黑两个exe
不杀dll

%PRODNAME1% %PRODNAME2%

拒绝访问
无法访问该网页

对象网址:

https://att.kafan.cn/forum.php?mo ... Dk3NTc3MnwyMDY1MDE4
原因: 对象被感染 UDS:DangerousObject.Multi.Generic

消息生成日期: 2016/11/15 12:46:36

显示全部楼层 · 发表于 2016-11-15 12:48:29

WD 报a1,a2云杀

dll那个无视了

[可疑文件] 这是典型的远程DLL注入行为，SSF现在这么牛逼了？

本帖子中包含更多资源

本帖子中包含更多资源

本帖子中包含更多资源

本帖子中包含更多资源