This post was last edited by willjjyu on 2017-10-7 17:09
Double-clicked the sample inside the VM:

All pictures and documents got encrypted
 
 
Key behaviors
Behavior: Get TickCount value
Details:
 TickCount = 262890, SleepMilliseconds = 16000.
 TickCount = 262921, SleepMilliseconds = 16000.
 TickCount = 262937, SleepMilliseconds = 16000.
 TickCount = 262968, SleepMilliseconds = 16000.
 TickCount = 262984, SleepMilliseconds = 16000.
 TickCount = 263000, SleepMilliseconds = 16000.
 TickCount = 263015, SleepMilliseconds = 16000.
 TickCount = 263031, SleepMilliseconds = 16000.
 TickCount = 263062, SleepMilliseconds = 16000.
 TickCount = 263093, SleepMilliseconds = 16000.
 TickCount = 263109, SleepMilliseconds = 16000.
 TickCount = 263125, SleepMilliseconds = 16000.
 TickCount = 263140, SleepMilliseconds = 16000.
 TickCount = 263171, SleepMilliseconds = 16000.
 TickCount = 263187, SleepMilliseconds = 16000.
Behavior: Read CPU clock directly
Details:
 EAX = 0xe6a21ed8, EDX = 0x000000cd
 EAX = 0xead9cddf, EDX = 0x000000cd
 EAX = 0xef3cacd9, EDX = 0x000000cd
 EAX = 0xf3745be0, EDX = 0x000000cd
 EAX = 0xf7d73ada, EDX = 0x000000cd
 EAX = 0xfc3a19d4, EDX = 0x000000cd
 EAX = 0x0071c8db, EDX = 0x000000ce
Behavior: Suspected ransomware (encryption extortion) activity
Details:
 N/A
 N/A
Behavior: Virtual machine detection by file lookup
Details:
 FindFirstFileEx: FileName = c:\Documents and Settings\Administrator\「开始」菜单\程序\Oracle VM VirtualBox Guest Add
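Added analysis aid, not part of the original post or of the sandbox report: the Python below parses the two timing entries from the key-behaviors block above, rebuilds the 64-bit counter from the EDX:EAX pair that RDTSC returns, and runs the check the sample itself can run. It assumes the SleepMilliseconds field is the Sleep() argument in effect when GetTickCount was read (an assumption about the report format). If the 16000 ms sleep had really elapsed, consecutive GetTickCount readings would be at least 16000 ms apart; here they are 15 to 31 ms apart, which is what a Sleep-skipping sandbox looks like from inside the sample. The RDTSC readings also advance by only two distinct amounts, 0x0437af07 and 0x0462defa, alternating, which is not what a real time-stamp counter sampled across sleeps looks like. The log excerpts are copied from the report above.

```python
import re

# Constructed sample input: the two timing entries copied from the sandbox report above.
TICK_LOG = """\
TickCount = 262890, SleepMilliseconds = 16000.
TickCount = 262921, SleepMilliseconds = 16000.
TickCount = 262937, SleepMilliseconds = 16000.
TickCount = 262968, SleepMilliseconds = 16000.
TickCount = 262984, SleepMilliseconds = 16000.
TickCount = 263000, SleepMilliseconds = 16000.
TickCount = 263015, SleepMilliseconds = 16000.
TickCount = 263031, SleepMilliseconds = 16000.
TickCount = 263062, SleepMilliseconds = 16000.
TickCount = 263093, SleepMilliseconds = 16000.
TickCount = 263109, SleepMilliseconds = 16000.
TickCount = 263125, SleepMilliseconds = 16000.
TickCount = 263140, SleepMilliseconds = 16000.
TickCount = 263171, SleepMilliseconds = 16000.
TickCount = 263187, SleepMilliseconds = 16000.
"""

TSC_LOG = """\
EAX = 0xe6a21ed8, EDX = 0x000000cd
EAX = 0xead9cddf, EDX = 0x000000cd
EAX = 0xef3cacd9, EDX = 0x000000cd
EAX = 0xf3745be0, EDX = 0x000000cd
EAX = 0xf7d73ada, EDX = 0x000000cd
EAX = 0xfc3a19d4, EDX = 0x000000cd
EAX = 0x0071c8db, EDX = 0x000000ce
"""

TICK_RE = re.compile(r"TickCount = (\d+), SleepMilliseconds = (\d+)\.")
TSC_RE = re.compile(r"EAX = 0x([0-9a-fA-F]{8}), EDX = 0x([0-9a-fA-F]{8})")


def parse_ticks(text):
    """[(GetTickCount value in ms, Sleep() argument in ms), ...] in log order."""
    return [(int(t), int(s)) for t, s in TICK_RE.findall(text)]


def parse_tsc(text):
    """Rebuild the 64-bit time-stamp counter from the EDX:EAX pair RDTSC returns."""
    return [(int(edx, 16) << 32) | int(eax, 16) for eax, edx in TSC_RE.findall(text)]


def deltas(values):
    """Differences between consecutive readings."""
    return [b - a for a, b in zip(values, values[1:])]


def sleep_was_skipped(ticks, tolerance_ms=500):
    """The check the sample can run: GetTickCount(), Sleep(requested), GetTickCount().
    If far less wall-clock time passed than requested, Sleep was hooked or skipped,
    which the sample reads as 'analysis environment'. Returns the (elapsed, requested)
    pairs that trip the check. tolerance_ms is an arbitrary slack for this example."""
    tripped = []
    for (t0, requested), (t1, _) in zip(ticks, ticks[1:]):
        elapsed = t1 - t0
        if elapsed + tolerance_ms < requested:
            tripped.append((elapsed, requested))
    return tripped


def tsc_step_sizes(tsc):
    """Distinct RDTSC increments between readings. A real TSC sampled around
    multi-millisecond sleeps jitters; a counter that only ever advances by one or
    two fixed amounts is being synthesised by the analysis environment."""
    return sorted(set(deltas(tsc)))


if __name__ == "__main__":
    ticks = parse_ticks(TICK_LOG)
    tsc = parse_tsc(TSC_LOG)
    print("GetTickCount deltas (ms):", deltas([t for t, _ in ticks]))
    print("Sleep checks tripped:", len(sleep_was_skipped(ticks)), "of", len(ticks) - 1)
    print("RDTSC step sizes:", [hex(d) for d in tsc_step_sizes(tsc)])
```

The 15/16/31 ms gaps are one or two ticks of GetTickCount's usual 10 to 16 ms resolution, i.e. the time the sample's own code took between calls with no sleep in between. A sandbox that wants to survive this check has to either let the sleep run or skew GetTickCount (and RDTSC) forward consistently; this report shows neither was done.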
 
Behavior: Create local thread
Details:
 TargetProcess: %temp%\****.exe, InheritedFromPID = 2000, ProcessID = 2628, ThreadID = 3240, StartAddress = 77DC845A, Parameter = 00000000
 TargetProcess: %temp%\****.exe, InheritedFromPID = 2000, ProcessID = 2628, ThreadID = 3252, StartAddress = 004287A0, Parameter = 00C55EF0
 TargetProcess: %temp%\****.exe, InheritedFromPID = 2000, ProcessID = 2628, ThreadID = 3256, StartAddress = 004287A0, Parameter = 00C55F0C
 TargetProcess: %temp%\****.exe, InheritedFromPID = 2000, ProcessID = 2628, ThreadID = 3260, StartAddress = 004287A0, Parameter = 00C55F28
File behaviors
Behavior: Create file
Details:
 C:\Python27\Lib\test\ykcol-7bdf.htm
 C:\ykcol-9eb3.htm
 C:\Documents and Settings\Administrator\ykcol-2ca6.htm
 C:\Python27\Lib\ykcol-2a69.htm
 C:\Python27\Scripts\ykcol-41bb.htm
 C:\Python27\include\ykcol-8653.htm
Behavior: Rename file
Details:
 C:\Python27\Lib\test\sha256.pem ---> c:\Python27\Lib\test\HGITE9WZ-1XYX-3WE8-AB0EE4D9-072BCE46CD29.ykcol
 C:\Python27\Lib\test\https_svn_python_org_root.pem ---> c:\Python27\Lib\test\HGITE9WZ-1XYX-3WE8-4B8B896C-AEDB1E440D47.ykcol
 C:\Python27\Lib\test\nullcert.pem ---> c:\Python27\Lib\test\HGITE9WZ-1XYX-3WE8-434B4A78-32E6E3B4058E.ykcol
 C:\Python27\Lib\test\badkey.pem ---> c:\Python27\Lib\test\HGITE9WZ-1XYX-3WE8-84439716-AF0743836727.ykcol
 C:\Python27\Lib\test\badcert.pem ---> c:\Python27\Lib\test\HGITE9WZ-1XYX-3WE8-F6F4C884-24860092D903.ykcol
 C:\Python27\Lib\test\keycert.pem ---> c:\Python27\Lib\test\HGITE9WZ-1XYX-3WE8-BF10E9DB-2D796A04093F.ykcol
 C:\Python27\Lib\test\wrongcert.pem ---> c:\Python27\Lib\test\HGITE9WZ-1XYX-3WE8-08FDADB3-0322AB51571C.ykcol
 C:\Python27\Lib\test\svn_python_org_https_cert.pem ---> c:\Python27\Lib\test\HGITE9WZ-1XYX-3WE8-48A66A9D-124F6C916844.ykcol
 C:\Python27\Lib\test\ssl_key.pem ---> c:\Python27\Lib\test\HGITE9WZ-1XYX-3WE8-7FB01716-6ED44C9376C7.ykcol
 C:\Python27\Lib\test\ssl_cert.pem ---> c:\Python27\Lib\test\HGITE9WZ-1XYX-3WE8-08D27601-FCB6469BF426.ykcol
 C:\Documents and Settings\root\Templates\excel.xls ---> c:\Documents and Settings\root\Templates\HGITE9WZ-1XYX-3WE8-DA19C410-F5A2496CC316.ykcol
 C:\Documents and Settings\Administrator\Templates\winword.doc ---> c:\Documents and Settings\Administrator\Templates\HGITE9WZ-1XYX-3WE8-7E913AC7-8967A81FC0F2.ykcol
 C:\Documents and Settings\Administrator\Templates\winword2.doc ---> c:\Documents and Settings\Administrator\Templates\HGITE9WZ-1XYX-3WE8-CAE09B4F-6C86340DF220.ykcol
 C:\Documents and Settings\root\Templates\excel4.xls ---> c:\Documents and Settings\root\Templates\HGITE9WZ-1XYX-3WE8-0969C65D-35D58931412D.ykcol
 C:\Documents and Settings\root\Templates\powerpnt.ppt ---> c:\Documents and Settings\root\Templates\HGITE9WZ-1XYX-3WE8-0465B412-4F6CBE0F1C27.ykcol
Behavior: Modify file contents
Details:
 C:\Python27\Lib\test\sha256.pem ---> Offset = 0
 C:\Python27\Lib\test\sha256.pem ---> Offset = 2065
 C:\Python27\Lib\test\ykcol-7bdf.htm ---> Offset = 0
 C:\Python27\Lib\test\https_svn_python_org_root.pem ---> Offset = 0
 C:\Python27\Lib\test\https_svn_python_org_root.pem ---> Offset = 2569
 C:\Python27\Lib\test\nullcert.pem ---> Offset = 0
 C:\Python27\Lib\test\badkey.pem ---> Offset = 0
 C:\Python27\Lib\test\badkey.pem ---> Offset = 2162
 C:\Python27\Lib\test\badcert.pem ---> Offset = 0
 C:\Python27\Lib\test\badcert.pem ---> Offset = 1928
 C:\Python27\Lib\test\keycert.pem ---> Offset = 0
 C:\Python27\Lib\test\keycert.pem ---> Offset = 1872
 C:\Python27\Lib\test\wrongcert.pem ---> Offset = 0
 C:\Python27\Lib\test\wrongcert.pem ---> Offset = 1880
 C:\Python27\Lib\test\svn_python_org_https_cert.pem ---> Offset = 0
Behavior: Search for files
Details:
 FileName = c:\*
 FileName = c:\222c25ed\*
 FileName = x:\*
 FileName = c:\222c25ed\IE8-Setup-Full\*
 FileName = c:\222c25ed\IE8-Setup-Full\log\*
 FileName = d:\*
 FileName = c:\AnalyzeControl\*
 FileName = c:\DiskD\*
 FileName = c:\DiskX\*
 FileName = c:\Documents and Settings\*
 FileName = c:\Documents and Settings\Administrator\*
 FileName = c:\Documents and Settings\Administrator\.oracle_jre_usage\*
 FileName = c:\Documents and Settings\Administrator\CMB\*
 FileName = c:\Documents and Settings\Administrator\CMB\PB40\*
 FileName = c:\Documents and Settings\Administrator\CMB\PB40\Data\*
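Added triage example, not part of the original post or of the sandbox report: the file behaviors above show the pattern an incident responder looks for in file-system telemetry: every victim file is renamed to a fixed prefix (HGITE9WZ-1XYX-3WE8, the same in all 15 renames), a per-file random part, and one new extension (.ykcol), while a note named after that extension (ykcol-xxxx.htm) is dropped into directories as they are walked. The Python below parses the rename and create-file lines copied from the report, confirms the single-ID/single-extension pattern, counts which original file types were hit, and lists directories that had files encrypted but no note in the excerpt (the report above is only an excerpt, so a missing note here only means it was not in the listed lines). The regexes, the min_files threshold and the output layout are this example's own choices.

```python
import ntpath
import re
from collections import Counter

# Constructed sample input: rename and create-file lines copied from the report above.
RENAME_LOG = r"""
C:\Python27\Lib\test\sha256.pem ---> c:\Python27\Lib\test\HGITE9WZ-1XYX-3WE8-AB0EE4D9-072BCE46CD29.ykcol
C:\Python27\Lib\test\https_svn_python_org_root.pem ---> c:\Python27\Lib\test\HGITE9WZ-1XYX-3WE8-4B8B896C-AEDB1E440D47.ykcol
C:\Python27\Lib\test\nullcert.pem ---> c:\Python27\Lib\test\HGITE9WZ-1XYX-3WE8-434B4A78-32E6E3B4058E.ykcol
C:\Python27\Lib\test\badkey.pem ---> c:\Python27\Lib\test\HGITE9WZ-1XYX-3WE8-84439716-AF0743836727.ykcol
C:\Python27\Lib\test\badcert.pem ---> c:\Python27\Lib\test\HGITE9WZ-1XYX-3WE8-F6F4C884-24860092D903.ykcol
C:\Python27\Lib\test\keycert.pem ---> c:\Python27\Lib\test\HGITE9WZ-1XYX-3WE8-BF10E9DB-2D796A04093F.ykcol
C:\Python27\Lib\test\wrongcert.pem ---> c:\Python27\Lib\test\HGITE9WZ-1XYX-3WE8-08FDADB3-0322AB51571C.ykcol
C:\Python27\Lib\test\svn_python_org_https_cert.pem ---> c:\Python27\Lib\test\HGITE9WZ-1XYX-3WE8-48A66A9D-124F6C916844.ykcol
C:\Python27\Lib\test\ssl_key.pem ---> c:\Python27\Lib\test\HGITE9WZ-1XYX-3WE8-7FB01716-6ED44C9376C7.ykcol
C:\Python27\Lib\test\ssl_cert.pem ---> c:\Python27\Lib\test\HGITE9WZ-1XYX-3WE8-08D27601-FCB6469BF426.ykcol
C:\Documents and Settings\root\Templates\excel.xls ---> c:\Documents and Settings\root\Templates\HGITE9WZ-1XYX-3WE8-DA19C410-F5A2496CC316.ykcol
C:\Documents and Settings\Administrator\Templates\winword.doc ---> c:\Documents and Settings\Administrator\Templates\HGITE9WZ-1XYX-3WE8-7E913AC7-8967A81FC0F2.ykcol
C:\Documents and Settings\Administrator\Templates\winword2.doc ---> c:\Documents and Settings\Administrator\Templates\HGITE9WZ-1XYX-3WE8-CAE09B4F-6C86340DF220.ykcol
C:\Documents and Settings\root\Templates\excel4.xls ---> c:\Documents and Settings\root\Templates\HGITE9WZ-1XYX-3WE8-0969C65D-35D58931412D.ykcol
C:\Documents and Settings\root\Templates\powerpnt.ppt ---> c:\Documents and Settings\root\Templates\HGITE9WZ-1XYX-3WE8-0465B412-4F6CBE0F1C27.ykcol
"""

CREATE_LOG = r"""
C:\Python27\Lib\test\ykcol-7bdf.htm
C:\ykcol-9eb3.htm
C:\Documents and Settings\Administrator\ykcol-2ca6.htm
C:\Python27\Lib\ykcol-2a69.htm
C:\Python27\Scripts\ykcol-41bb.htm
C:\Python27\include\ykcol-8653.htm
"""

# Encrypted name: 8-4-4 fixed victim prefix, 8-12 per-file hex part, new extension.
ENC_NAME_RE = re.compile(
    r"^([0-9A-Z]{8}-[0-9A-Z]{4}-[0-9A-Z]{4})-([0-9A-F]{8}-[0-9A-F]{12})\.([a-z0-9]+)$")
# Note file: <extension>-<4 hex>.htm
NOTE_NAME_RE = re.compile(r"^([a-z0-9]+)-[0-9a-f]{4}\.htm$")


def parse_renames(log):
    """One dict per 'src ---> dst' line whose destination matches the encrypted-name shape."""
    out = []
    for line in log.splitlines():
        if " ---> " not in line:
            continue
        src, dst = line.split(" ---> ", 1)
        m = ENC_NAME_RE.match(ntpath.basename(dst.strip()))
        if not m:
            continue
        out.append({
            "src": src, "dst": dst, "victim_id": m.group(1), "ext": m.group(3),
            "orig_ext": ntpath.splitext(src)[1].lower(),
            "dir": ntpath.dirname(src).lower(),   # case-folded for cross-checks
        })
    return out


def parse_notes(log, ext):
    """Directories that received a '<ext>-xxxx.htm' note."""
    dirs = set()
    for line in log.splitlines():
        line = line.strip()
        m = NOTE_NAME_RE.match(ntpath.basename(line)) if line else None
        if m and m.group(1) == ext:
            dirs.add(ntpath.dirname(line).lower())
    return dirs


def triage(rename_log, create_log, min_files=5):
    """Flag bulk renames to one fixed ID + one new extension and cross-check note drops.
    min_files is an arbitrary threshold chosen for this example."""
    renames = parse_renames(rename_log)
    ids = {r["victim_id"] for r in renames}
    exts = {r["ext"] for r in renames}
    if len(renames) < min_files or len(ids) != 1 or len(exts) != 1:
        return {"ransomware_pattern": False, "files_renamed": len(renames)}
    ext = next(iter(exts))
    enc_dirs = {r["dir"] for r in renames}
    note_dirs = parse_notes(create_log, ext)
    return {
        "ransomware_pattern": True,
        "victim_id": next(iter(ids)),
        "extension": ext,
        "files_renamed": len(renames),
        "original_types": Counter(r["orig_ext"] for r in renames),
        "encrypted_dirs": sorted(enc_dirs),
        "note_dirs": sorted(note_dirs),
        "encrypted_without_note": sorted(enc_dirs - note_dirs),
    }


if __name__ == "__main__":
    for k, v in triage(RENAME_LOG, CREATE_LOG).items():
        print(f"{k}: {v}")
```

The same shape check works on Sysmon FileCreate/FileRename events or EDR telemetry: a burst of renames whose new names share one prefix and one unknown extension, paired with a same-named note per directory, is a high-confidence ransomware signal regardless of family. The "modify file contents" entries above show each victim file written at offset 0 and once more further in, so the originals are overwritten in place rather than copied, which is why only the rename leaves the original name behind.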
Other behaviors
Behavior: Enumerate network shares
Details:
 N/A
Behavior: Create event object
Details:
 EventName = Global\3a6aBaCaFa2a9aEa8a3a5aGaBaDaCa:a
 EventName = Local\3a6aBaCaFa2a9aEa8a3a5aGaBaDaCa:a
Behavior: Open mutex
Details:
 Global\3a6aBaCaFa2a9aEa8a3a5aGaBaDaCa:a
 Local\3a6aBaCaFa2a9aEa8a3a5aGaBaDaCa:a
Behavior: Encrypt data
Details:
 [CryptEncrypt] Data: 0x00E4F708, PlainTextLen: 256, CipherTextLen: 256, Flags: 0x00000000
Behavior: Open event
Details:
 HookSwitchHookEnabledEvent
 \INSTALLATION_SECURITY_HOLD
 Global\SvcctrlStartEvent_A3752DX
Behavior: Call Sleep function
Details:
 [1]: MilliSeconds = 16000.
 [2]: MilliSeconds = 10.
 [3]: MilliSeconds = 10.
 [4]: MilliSeconds = 10.
 [5]: MilliSeconds = 10.
 [6]: MilliSeconds = 10.
 [7]: MilliSeconds = 10.
 [8]: MilliSeconds = 10.
Behavior: Import key
Details:
 [CryptImportKey] Algorithm: CALG_RSA_KEYX (0x0000a400), Data: 0x00C53788, DataLen: 276, Flags: 0x00000000
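Added example, not part of the original post or of the sandbox report: the 276-byte blob handed to CryptImportKey with CALG_RSA_KEYX is exactly the size of a CryptoAPI PUBLICKEYBLOB for a 2048-bit RSA key: an 8-byte BLOBHEADER, a 12-byte RSAPUBKEY (magic "RSA1", bit length, public exponent) and a 256-byte little-endian modulus. The 256-byte CipherTextLen in the CryptEncrypt entry above is likewise one modulus length of such a key. The Python below builds and parses a blob of that layout so the arithmetic can be checked; the modulus it uses is a constructed placeholder, not a key from the sample, and the blob contents of the real sample are not on this page.

```python
import struct

# CryptoAPI constants (wincrypt.h).
PUBLICKEYBLOB = 0x06
CUR_BLOB_VERSION = 2
CALG_RSA_KEYX = 0x0000A400
RSA1_MAGIC = 0x31415352          # b"RSA1" read as a little-endian DWORD
HEADER_LEN = 8 + 12              # BLOBHEADER + RSAPUBKEY


def build_publickeyblob(bit_length, modulus, pub_exp=65537, alg=CALG_RSA_KEYX):
    """Serialise an RSA public key in the PUBLICKEYBLOB layout CryptImportKey expects:
    BLOBHEADER{bType, bVersion, reserved, aiKeyAlg} + RSAPUBKEY{magic, bitlen, pubexp}
    + modulus as bitlen/8 little-endian bytes."""
    header = struct.pack("<BBHI", PUBLICKEYBLOB, CUR_BLOB_VERSION, 0, alg)
    rsapubkey = struct.pack("<III", RSA1_MAGIC, bit_length, pub_exp)
    return header + rsapubkey + modulus.to_bytes(bit_length // 8, "little")


def parse_publickeyblob(blob):
    """Parse and validate a PUBLICKEYBLOB; raise ValueError on any structural problem."""
    if len(blob) < HEADER_LEN:
        raise ValueError("blob shorter than BLOBHEADER + RSAPUBKEY")
    btype, bver, _reserved, alg = struct.unpack_from("<BBHI", blob, 0)
    if btype != PUBLICKEYBLOB or bver != CUR_BLOB_VERSION:
        raise ValueError("not a version-2 PUBLICKEYBLOB")
    magic, bitlen, pubexp = struct.unpack_from("<III", blob, 8)
    if magic != RSA1_MAGIC:
        raise ValueError("RSAPUBKEY magic is not RSA1")
    nbytes = bitlen // 8
    if len(blob) != HEADER_LEN + nbytes:
        raise ValueError(f"expected {HEADER_LEN + nbytes} bytes, got {len(blob)}")
    modulus = int.from_bytes(blob[HEADER_LEN:HEADER_LEN + nbytes], "little")
    return {"alg": alg, "bits": bitlen, "e": pubexp, "n": modulus}


def is_valid_publickeyblob(blob):
    try:
        parse_publickeyblob(blob)
        return True
    except ValueError:
        return False


def bits_from_blob_length(datalen):
    """Infer the RSA modulus size from DataLen alone, as the sandbox logged it.
    Only the 20-byte header precedes the modulus in a PUBLICKEYBLOB."""
    if datalen < HEADER_LEN or (datalen - HEADER_LEN) % 8:
        raise ValueError("length does not fit a PUBLICKEYBLOB with a whole-byte modulus")
    return (datalen - HEADER_LEN) * 8


if __name__ == "__main__":
    # Placeholder modulus: top bit set so it is 2048 bits wide; not a real key.
    fake_n = (1 << 2047) | 0x10001
    blob = build_publickeyblob(2048, fake_n)
    print("blob length:", len(blob))                     # 276, as in the report
    print("bits from DataLen=276:", bits_from_blob_length(276))
    print("parsed:", {k: v for k, v in parse_publickeyblob(blob).items() if k != "n"})
```

Importing a hard-coded RSA public key and then encrypting a 256-byte buffer with it, with no private key ever present on the host, is the standard ransomware key-wrapping shape: whatever secret is inside that buffer can only be recovered with the operator's private key.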