Thread starter: 明镜星空

[Kingsoft] Everyone Is a Virus Expert · Upload a Sample for 火眼 (Fire Eye) Analysis Event

83345166
Posted on 2012-7-2 05:11:45
Strongly support this.
流沙松林
Posted on 2012-7-2 15:07:11
Sample: http://115.com/file/ancemkwe#跑跑游侠HS辅助3.0.exe
火眼 report: http://fireeye.ijinshan.com/analyse.html?md5=02e9b13877135a96152a09e74c68f94a

Basic information
File name: 02e9b13877135a96152a09e74c68f94a
File hash: 02e9b13877135a96152a09e74c68f94a
File size: 1486848 bytes
Creation time: 2012-07-02 01:05:28
File type: EXE
PEiD info: Nothing found *
File comment, company, file description, file version, copyright, legal trademark, original file name, product name, product version: all empty

Dangerous behavior monitoring
Behavior: suspected of searching for a game process
Additional info: KARTRIDER.EXE [跑跑卡丁车]

Other behavior monitoring
Behavior: reads the contents of original system DLLs
Additional info:
%system%\advapi32.dll
%system%\kernel32.dll
%system%\user32.dll

Behavior: hides a specified window
Additional info: Afx:400000:8:10011:1900015:0 : [sample.exe]

File operation monitoring

Process operation monitoring
Created process: iexplore.exe
Launch arguments: www.xmwo.net

陌上~烟雨遥
Posted on 2012-7-2 17:56:52
Last edited by 陌上~烟雨遥 on 2012-7-2 17:58

火眼 report: http://fireeye.ijinshan.com/analyse.html?md5=86e1f06438629fed617881b7260d9c69
Sample: http://bbs.kafan.cn/thread-1318703-1-1.html

火眼 report
Basic information
File name: 86E1F06438629FED617881B7260D9C69.exe
File hash: 86e1f06438629fed617881b7260d9c69
File size: 224769 bytes
Creation time: 2012-07-01 19:29:44
File type: EXE
PEiD info: Nothing found [Overlay] *

Dangerous behavior monitoring
Behavior: remote injection into other processes
Additional info:
360sd.exe
QQ.exe
TXPlatform.exe
conime.exe
ctfmon.exe
explorer.exe
kxetray.exe
vahy.exe
Behavior: starts a host process, injects code and modifies its EIP to execute the malware's own code, so that the user sees what looks like a legitimate process
Additional info:
86E1F06438629FED617881B7260D9C69.exe
vahy.exe
Behavior: deletes itself after running; be alert for malware!
Additional info: (empty)

Behavior: inline hooks on function entry code
Additional info:
ntdll.dll!LdrLoadDll
ntdll.dll!NtCreateThread
user32.dll!BeginPaint
user32.dll!CallWindowProcA
user32.dll!CallWindowProcW
user32.dll!DefDlgProcA
user32.dll!DefDlgProcW
user32.dll!DefFrameProcA
user32.dll!DefFrameProcW
user32.dll!DefMDIChildProcA
user32.dll!DefMDIChildProcW
user32.dll!DefWindowProcA
user32.dll!DefWindowProcW
user32.dll!EndPaint
user32.dll!GetCapture
user32.dll!GetClipboardData
user32.dll!GetCursorPos
user32.dll!GetDC
user32.dll!GetDCEx
user32.dll!GetMessageA
user32.dll!GetMessagePos
user32.dll!GetMessageW
user32.dll!GetUpdateRect
user32.dll!GetUpdateRgn
user32.dll!GetWindowDC
user32.dll!OpenInputDesktop
user32.dll!PeekMessageA
user32.dll!PeekMessageW
user32.dll!RegisterClassA
user32.dll!RegisterClassExA
user32.dll!RegisterClassExW
user32.dll!RegisterClassW
user32.dll!ReleaseCapture
user32.dll!ReleaseDC
user32.dll!SetCapture
user32.dll!SetCursorPos
user32.dll!SwitchDesktop
user32.dll!TranslateMessage
wininet.dll!HttpQueryInfoA
wininet.dll!HttpSendRequestA
wininet.dll!HttpSendRequestExA
wininet.dll!HttpSendRequestExW
wininet.dll!HttpSendRequestW
wininet.dll!InternetCloseHandle
wininet.dll!InternetQueryDataAvailable
wininet.dll!InternetReadFile
wininet.dll!InternetReadFileExA
wininet.dll!InternetSetOptionA
wininet.dll!InternetSetStatusCallback
wininet.dll!InternetSetStatusCallbackW
ws2_32.dll!WSARecv
ws2_32.dll!WSASend
ws2_32.dll!closesocket
ws2_32.dll!recv
ws2_32.dll!send

Other behavior monitoring
Behavior: checks whether specified registry keys exist
Additional info:
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\PhishingFilter
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Privacy
HKEY_CURRENT_USER\Software\Microsoft\Windows Live Mail
Behavior: adds an auto-start entry
Additional info:
[{000D6DF3-7331-AD41-37F2-31E53DA512F7}] : "%APPDATA%\Ybwo\vahy.exe"
Behavior: searches for files
Additional info:
"%USERPROFILE%\Cookies\*"
"%USERPROFILE%\Cookies\Low\*"
"%USERPROFILE%\Local Settings\Application Data\*.1dd4e178"
"%temp%\tmpac011cc0.bat"
"D:\Vir"
Behavior: adds Windows Firewall exceptions so that its network access is not blocked by the firewall
Additional info:
16605:UDP >> 16605:UDP:*:Enabled:UDP 16605
19498:TCP >> 19498:TCP:*:Enabled:TCP 19498

File operation monitoring
Operation             File MD5                          Size    Path
Dropped then deleted  86e1f06438629fed617881b7260d9c69  224769  %SampleStore%\86E1F06438629FED6178...
Dropped then deleted  7eae6487c91fb020a21001fffe6d7d87  163     %temp%\tmpac011cc0.bat
Created               d71a0d4d2d050a7681514378fff1dc26  903     %USERPROFILE%\Local Settings\Appli...
Created               911af4ba8f499fd0e4146bc8cebbd4c4  224769  %APPDATA%\Ybwo\vahy.exe
Created               758498d6b275e58e3c83494ad6080ac2  176212  %APPDATA%\Microsoft\Address Book\A...

Process operation monitoring
Created process: %SampleStore%\86E1F06438629FED617881B7260D9C69.exe
Launch arguments: none
Created process: %APPDATA%\Ybwo\vahy.exe
Launch arguments: none
Created process: none
Launch arguments: "%APPDATA%\Ybwo\vahy.exe"
Created process: none
Launch arguments: "%system%\cmd.exe" /c "%temp%\tmpac011cc0.bat"

Registry monitoring
HKEY_CURRENT_USER\Software\Microsoft\Internet Account Manager
[Default LDAP Account] = [Active Directory GC]
[Server ID] = [0x00000004]
HKEY_CURRENT_USER\Software\Microsoft\Internet Account Manager\Accounts
[PreConfigVerNTDS] = [0x00000001]
[PreConfigVer] = [0x00000004]
HKEY_CURRENT_USER\Software\Microsoft\Internet Account Manager\Accounts\Active Directory GC
[LDAP Resolve Flag] = [0x00000001]
[LDAP Secure Connection] = [0x00000000]
[LDAP Simple Search] = [0x00000000]
[LDAP Search Base] = [NULL]
[LDAP Search Return] = [0x00000064]
[Account Name] = [Active Directory]
[LDAP Server] = [NULL]
[LDAP Timeout] = [0x0000003c]
[LDAP Server ID] = [0x00000000]
[LDAP Authentication] = [0x00000002]
[LDAP User Name] = [NULL]
[LDAP Port] = [0x00000cc4]
[LDAP Bind DN] = [0x00000000]
HKEY_CURRENT_USER\Software\Microsoft\Internet Account Manager\Accounts\Bigfoot
[LDAP Logo] = [%ProgramFiles%\Common Files\Services\bigfoot.bmp]
[LDAP Server ID] = [0x00000001]
[LDAP Search Return] = [0x00000064]
[Account Name] = [Bigfoot Internet Directory Service]
[LDAP Timeout] = [0x0000003c]
[LDAP Simple Search] = [0x00000001]
[LDAP Authentication] = [0x00000000]
[LDAP Server] = [ldap.bigfoot.com]
[LDAP URL] = [http://www.bigfoot.com]
HKEY_CURRENT_USER\Software\Microsoft\Internet Account Manager\Accounts\VeriSign
[Account Name] = [VeriSign Internet Directory Service]
[LDAP URL] = [http://www.verisign.com]
[LDAP Simple Search] = [0x00000001]
[LDAP Authentication] = [0x00000000]
[LDAP Search Base] = [NULL]
[LDAP Timeout] = [0x0000003c]
[LDAP Logo] = [%ProgramFiles%\Common Files\Services\verisign.bmp]
[LDAP Search Return] = [0x00000064]
[LDAP Server] = [directory.verisign.com]
[LDAP Server ID] = [0x00000002]
HKEY_CURRENT_USER\Software\Microsoft\Internet Account Manager\Accounts\WhoWhere
[LDAP URL] = [http://www.whowhere.com]
[LDAP Search Return] = [0x00000064]
[Account Name] = [WhoWhere Internet Directory Service]
[LDAP Server] = [ldap.whowhere.com]
[LDAP Timeout] = [0x0000003c]
[LDAP Server ID] = [0x00000003]
[LDAP Authentication] = [0x00000000]
[LDAP Logo] = [%ProgramFiles%\Common Files\Services\whowhere.bmp]
[LDAP Simple Search] = [0x00000001]
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Privacy
[CleanCookies] = [0x00000000]
HKEY_CURRENT_USER\Software\Microsoft\Ozyxyp
[290ij9g] = [\x92\x68\x0c\x32]
[76937i2] = [\x8d\x68\x5e\x32\xe4...]
[29babecg] = [HigMMqQFPtd9nUzX]
HKEY_CURRENT_USER\Software\Microsoft\WAB
HKEY_CURRENT_USER\Software\Microsoft\WAB\WAB4
[OlkFolderRefresh] = [0x00000000]
[OlkContactRefresh] = [0x00000000]
HKEY_CURRENT_USER\Software\Microsoft\WAB\WAB4\Wab File Name
[(NULL)] = [%APPDATA%\Microsoft\Address Book\Administrator.wab]
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0
[1609] = [0x00000000]
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1
[1406] = [0x00000000]
[1609] = [0x00000000]
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2
[1609] = [0x00000000]
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3
[1609] = [0x00000000]
[1406] = [0x00000000]
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4
[1609] = [0x00000000]
[1406] = [0x00000000]
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
[{000D6DF3-7331-AD41-37F2-31E53DA512F7}] = ["%APPDATA%\Ybwo\vahy.exe"]
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProf...
[DisableNotifications] = [0x00000000]
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProf...
[16605:UDP] = [16605:UDP:*:Enabled:UDP 16605]
[19498:TCP] = [19498:TCP:*:Enabled:TCP 19498]
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\Standard...
[DisableNotifications] = [0x00000000]
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\Standard...
[19498:TCP] = [19498:TCP:*:Enabled:TCP 19498]
[16605:UDP] = [16605:UDP:*:Enabled:UDP 16605]

明镜星空
Thread starter | Posted on 2012-7-4 08:58:11
Quoting 陌上~烟雨遥 (posted 2012-7-2 17:56):
火眼 report: http://fireeye.ijinshan.com/analyse.html?md5=86e1f06438629fed617881b7260d9c69
Sample ...

Congratulations, you have won 3 months of QQ membership. Please PM me your QQ number.
Source: 卡饭论坛 (KaFan.cn)