This post was last edited by 安全守护者 on 2017-7-3 19:59

File risk rating:
High risk
File name: 浙江温州恶搞.zip
Basic information
File name: 浙江温州恶搞.zip
MD5: df8cdca2a07e2d9c22407ece539a67b2
File type: zip
Upload time: 2017-07-03 19:52:13
Vendor: N/A
Version: N/A
Packer/compiler info: COMPILER:Microsoft Visual C++ 6.0 [Overlay]
Sub-file information:
Windows.exedumpFile / d41d8cd98f00b204e9800998ecf8427e / Unknown
Windows.exe / 92e0246a47a769258d96c02006f64b45 / EXE
Key behaviors
Behavior: Modify user password
Details:
ImagePath = , CmdLine = net user Administrator 004921
Behavior: Kill process
Details:
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\360se.exe
C:\WINDOWS\system32\taskmgr.exe
C:\WINDOWS\system32\360tray.exe
Behavior: Add new user account
Details:
ImagePath = , CmdLine = net user Administrator 004921 /add
ImagePath = , CmdLine = net user administrators Administrator /add
Behavior: Get TickCount value
Details:
TickCount = 5462250, SleepMilliseconds = 250.
Behavior: Modify registry (startup Run entry)
Details:
\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\windows
Process behavior
Behavior: Create process with hidden window
Details:
ImagePath = , CmdLine = net user Administrator 004921
ImagePath = , CmdLine = net user Administrator 004921 /add
ImagePath = , CmdLine = net user administrators Administrator /add
Behavior: Create local thread
Details:
TargetProcess: Windows.exe, InheritedFromPID = 1944, ProcessID = 2440, ThreadID = 2552, StartAddress = 100B8990, Parameter = 01F40070
TargetProcess: Windows.exe, InheritedFromPID = 1944, ProcessID = 2440, ThreadID = 2556, StartAddress = 77DC845A, Parameter = 00000000
TargetProcess: Windows.exe, InheritedFromPID = 1944, ProcessID = 2440, ThreadID = 2580, StartAddress = 100B8990, Parameter = 01F417C0
TargetProcess: Windows.exe, InheritedFromPID = 1944, ProcessID = 2440, ThreadID = 2992, StartAddress = 100B8990, Parameter = 01F40030
Behavior: Enumerate processes
Details:
N/A
Behavior: Kill process
Details:
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\360se.exe
C:\WINDOWS\system32\taskmgr.exe
C:\WINDOWS\system32\360tray.exe
File behavior
Behavior: Create file
Details:
C:\Documents and Settings\Administrator\Local Settings\Temp\E_N60005\krnln.fnr
C:\Documents and Settings\Administrator\Local Settings\Temp\E_N60005\eAPI.fne
Behavior: Create executable file
Details:
C:\Documents and Settings\Administrator\Local Settings\Temp\E_N60005\krnln.fnr
C:\Documents and Settings\Administrator\Local Settings\Temp\E_N60005\eAPI.fne
Behavior: Modify file contents
Details:
C:\Documents and Settings\Administrator\Local Settings\Temp\E_N60005\krnln.fnr ---> Offset = 0
C:\Documents and Settings\Administrator\Local Settings\Temp\E_N60005\eAPI.fne ---> Offset = 0
Registry behavior
Behavior: Modify registry (startup Run entry)
Details:
\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\windows
Other behavior
Behavior: Create mutex
Details:
CTF.LBES.MutexDefaultS-*
CTF.Compart.MutexDefaultS-*
CTF.Asm.MutexDefaultS-*
CTF.Layouts.MutexDefaultS-*
CTF.TMD.MutexDefaultS-*
CTF.TimListCache.FMPDefaultS-*MUTEX.DefaultS-*
Behavior: Create event object
Details:
EventName = DINPUTWINMM
Behavior: Find specified window
Details:
NtUserFindWindowEx: [Class,Window] = [,explorer.exe]
NtUserFindWindowEx: [Class,Window] = [,csrss.exe]
NtUserFindWindowEx: [Class,Window] = [Shell_TrayWnd,]
NtUserFindWindowEx: [Class,Window] = [,360se.exe]
NtUserFindWindowEx: [Class,Window] = [,Taskmgr.exe]
NtUserFindWindowEx: [Class,Window] = [,360Tray.exe]
Behavior: Hide specified window
Details:
[Window,Class] = [,_EL_Timer]
Behavior: Open event
Details:
HookSwitchHookEnabledEvent
Global\SvcctrlStartEvent_A3752DX
Behavior: Get TickCount value
Details:
TickCount = 5462250, SleepMilliseconds = 250.
Behavior: Window information
Details:
Pid = 2440, Hwnd=0x20128, Text = 为了弘扬我国反盗版精神,不让中国成为盗版之国。我特意编写了“鬼畜风暴一号”病毒,软件检测到了你的硬盘有盗版或破解软件。因此激活了病毒,以示惩罚 编写者:KillTime夏天 特此感谢:www.baidu.com *顺便说一下,本病毒由于作者三心二意,目前没有解药,你们自己看着办咯, ClassName = _EL_Label.
Pid = 2440, Hwnd=0x2014e, Text = 鬼畜风暴1号, ClassName = WTWindow.
Pid = 2440, Hwnd=0x500a8, Text = 确定, ClassName = Button.
Pid = 2440, Hwnd=0x20078, Text = 中病毒了吧,傻逼, ClassName = Static.
Pid = 2440, Hwnd=0x500ae, Text = 傻逼, ClassName = #32770.
Pid = 2440, Hwnd=0x200ca, Text = 确定, ClassName = Button.
Pid = 2440, Hwnd=0x200bc, Text = 给你点教训,傻逼, ClassName = Static.
Pid = 2440, Hwnd=0x2011a, Text = 傻逼, ClassName = #32770.
Pid = 2440, Hwnd=0x100140, Text = 确定, ClassName = Button.
Pid = 2440, Hwnd=0xe0146, Text = 中病毒了吧,傻逼, ClassName = Static.
Pid = 2440, Hwnd=0x2011e, Text = 傻逼, ClassName = #32770.
Pid = 2440, Hwnd=0x20124, Text = 确定, ClassName = Button.
Pid = 2440, Hwnd=0x20122, Text = 给你点教训,傻逼, ClassName = Static.
Pid = 2440, Hwnd=0x30126, Text = 傻逼, ClassName = #32770.
Pid = 2440, Hwnd=0x600a0, Text = 确定, ClassName = Button.
Behavior: Add new user account
Details:
ImagePath = , CmdLine = net user Administrator 004921 /add
ImagePath = , CmdLine = net user administrators Administrator /add
Behavior: Executable file signature information
Details:
C:\Documents and Settings\Administrator\Local Settings\Temp\E_N60005\krnln.fnr (signature verification: failed)
C:\Documents and Settings\Administrator\Local Settings\Temp\E_N60005\eAPI.fne (signature verification: failed)
Behavior: Call Sleep function
Details:
[1]: MilliSeconds = 250.
Behavior: Modify user password
Details:
ImagePath = , CmdLine = net user Administrator 004921
Behavior: Executable file MD5
Details:
C:\Documents and Settings\Administrator\Local Settings\Temp\E_N60005\krnln.fnr ---> 301768e001d4db20f9a029ee835150f3
C:\Documents and Settings\Administrator\Local Settings\Temp\E_N60005\eAPI.fne ---> 7c1ff88991f5eafab82b1beaefc33a42
Behavior: Open mutex
Details:
ShimCacheMutex
Behavior: Load newly dropped file
Details:
Image: C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\E_N60005\krnln.fnr.
Image: C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\E_N60005\eAPI.fne.
Process tree
windows.exe (PID: 0x00000988)

Runtime screenshot: (image not reproduced in this copy of the report)