Ransom #3 （17.8.02）

petr0vic

infected

https://www.virustotal.com/file/ ... nalysis/1501699596/

Antivirus	Result	Update
Cylance	Unsafe	20170802
Baidu	Win32.Trojan.WisdomEyes.16070401.9500.9995	20170728
Symantec	ML.Attribute.HighConfidence	20170802
Rising	Ransom.GlobeImposter!1.AC37 (classic)	20170802
Sophos	Troj/Emotet-CL	20170802
Invincea	heuristic	20170607
McAfee-GW-Edition	BehavesLike.Win32.GameVance.dc	20170802
SentinelOne	static engine - malicious	20170718
Webroot	W32.Trojan.Gen	20170802
Fortinet	W32/Kryptik.FUYC!tr	20170802
Endgame	malicious (high confidence)	20170721
CrowdStrike	malicious_confidence_100% (D)	20170710
Qihoo-360	HEUR/QVM10.1.E626.Malware.Gen	20170802





https://www.virustotal.com/file/1f193cb76e7dcf14ba045e3ff06285bd03ba5154d9b5d6c3aa2ab6c8794c5bf6/analysis/1501692772/



Antivirus	Result	Update
Malwarebytes	Ransom.FileCryptor	20170802
Baidu	Win32.Trojan.WisdomEyes.16070401.9500.9990	20170728
Symantec	Ransom.CryptXXX	20170802
Paloalto	generic.ml	20170802
Kaspersky	Trojan.MSIL.Crypt.ehar	20170802
Rising	Trojan.Win32.FileCryptor.ab (classic)	20170802
DrWeb	Trojan.Encoder.13219	20170802
Invincea	heuristic	20170607
McAfee-GW-Edition	BehavesLike.Win32.PWSZbot.dc	20170802
Sophos	Mal/Generic-S	20170802
Ikarus	Win32.Outbreak	20170802
Endgame	malicious (high confidence)	20170721
AhnLab-V3	Trojan/Win32.Fantom.C2055688	20170802
ZoneAlarm	Trojan.MSIL.Crypt.ehar	20170802
MAX	malware (ai score=56)	20170802
Cylance	Unsafe	20170802
SentinelOne	static engine - malicious	20170718




https://www.virustotal.com/file/ ... nalysis/1501699267/





Antivirus	Result	Update
Invincea	heuristic	20170607
Baidu	Win32.Trojan.WisdomEyes.16070401.9500.9995	20170728
Symantec	ML.Attribute.HighConfidence	20170802
Rising	Ransom.GlobeImposter!1.AC37 (classic)	20170802
Endgame	malicious (high confidence)	20170721
Sophos	Troj/Emotet-CL	20170802
TrendMicro	TSPY_EMOTET.SMQ	20170802
SentinelOne	static engine - malicious	20170718
Cylance	Unsafe	20170802
Fortinet	W32/Kryptik.FUYC!tr	20170802
CrowdStrike	malicious_confidence_80% (D)	20170710
Qihoo-360	HEUR/QVM10.1.E626.Malware.Gen	20170802

这会儿诺顿全入库了，Endgame和CrowdStrike这两个检测率好高啊，看过好多病毒都是提前了好久的库就杀了。

左手

2017-8-3 07:48:32    修改文件 风险级别:未知    阻止
进程: c:\documents and settings\administrator\桌面\2.exe
目标: C:\boot.ini
规则: [应用程序]?* -> [文件]?:\; boot.ini

2017-8-3 07:48:32    修改文件 风险级别:未知    阻止
进程: c:\documents and settings\administrator\桌面\2.exe
目标: C:\bootfont.bin
规则: [应用程序]?* -> [文件]?:\; bootfont.bin

2017-8-3 07:48:32    修改文件 风险级别:未知    阻止
进程: c:\documents and settings\administrator\桌面\2.exe
目标: C:\cleanup.bat
规则: [应用程序组]→a999_★《临时规则_安装软件》★ -> [文件组]《坚固》f299_询问修改的文件>a100 -> [文件]*; *.bat

2017-8-3 07:48:32    修改文件 风险级别:未知    阻止
进程: c:\documents and settings\administrator\桌面\2.exe
目标: C:\dk2.mem
规则: [应用程序]?:\*\*\* -> [文件组]《保护》f023_根目录

2017-8-3 07:48:32    修改文件 风险级别:未知    阻止并结束进程
进程: c:\documents and settings\administrator\桌面\2.exe
目标: C:\NTDETECT.COM
规则: [应用程序]?* -> [文件]?:\; ntdetect.com

ATP_synthase

卡巴全灭，2号入库，1,3云拉黑

I76700K

管家扫描 Miss all

grantzoo

bd2018 KILL ALL

a445441

微点MISS 运行后自动退出，，没反应

XZ8SM7Sx0bVkoUV

火绒kill

900703

68221281 发表于 2017-8-3 06:38
这会儿诺顿全入库了，Endgame和CrowdStrike这两个检测率好高啊，看过好多病毒都是提前了好久的库就杀了。

Endgame和CrowdStrike 是機器學習AV

900703

MAX Kill All