转，敲竹杠

显示全部楼层 · 发表于 2014-6-14 12:23:13

Filename: 小黑手机名片赞 {日赞400}.exe
Threat name: SONAR.Heuristic.120
Full Path: Not Available

____________________________

Details
Very Few Users, Very New, Risk High

Origin
Downloaded from
Unknown

Activity
Actions performed: 5

____________________________

On computers as of 2014-6-14 at 12:22:51
Last Used 2014-6-14 at 12:22:51
Startup Item No
Launched Yes

____________________________

Very Few Users
Fewer than 5 users in the Norton Community have used this file.

Very New
This file was released less than 1 week ago.

High
This file risk is high.

SONAR Protection monitors for suspicious program activity on your computer.

____________________________

Source: External Media

Source File:
360zip.exe

File Created:
小黑手机名片赞 {日赞400}.exe

____________________________

File Actions

File: c:\documents and settings\avt\桌面\test\样本\小黑手机名片赞 {日赞400}.exe
Removed
____________________________

Network Actions

Event: Network activity (Performed by c:\documents and settings\avt\桌面\test\样本\小黑手机名片赞 {日赞400}.exe, PID:2864)
No action taken
____________________________

System Settings Actions

Event: Process start (Performed by c:\documents and settings\avt\桌面\test\样本\小黑手机名片赞 {日赞400}.exe, PID:2864)
No action taken
Event: Process start: c:\documents and settings\avt\桌面\test\样本\小黑手机名片赞 {日赞400}.exe, PID:2864 (Performed by c:\documents and settings\avt\桌面\test\样本\小黑手机名片赞 {日赞400}.exe, PID:2864)
No action taken
____________________________

Suspicious Actions

(Performed by c:\documents and settings\avt\桌面\test\样本\小黑手机名片赞 {日赞400}.exe, PID:2864)
No action taken
____________________________

File Thumbprint - SHA:
Not available
File Thumbprint - MD5:
Not available

显示全部楼层 · 发表于 2014-6-14 12:26:26

skycai 发表于 2014-6-14 11:43
前面是按啥手段？还是net？

使用net，蓝屏重起后，记录日志找不到密码，除非强制结束。

显示全部楼层 · 发表于 2014-6-14 12:29:28

KIS双击过一会删除

显示全部楼层 · 发表于 2014-6-14 12:30:11

lql2012 发表于 2014-6-14 12:23
管家未知。。。
哈勃http://habo.qq.com/file/showdetail?pk=ADQGY11kB2Q=
几天以来，发现这个哈勃是个瞎 ...

不是哈勃分析不出来，而是这个样本本身不是锁屏，锁屏的动作应该是他后来下载的，如果防火墙阻止他联网，这个样本就废了

显示全部楼层 · 发表于 2014-6-14 12:34:06

XP测试，设置临时规则测试

2014-06-14 12:21:12 修改文件    操作:允许
进程路径:C:\Documents and Settings\Administrator\桌面\样本\小黑手机名片赞 {日赞400}.exe
文件路径:(隐藏文件)C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files
触发规则:应用程序规则->临时规则->C:\Documents and Settings\Administrator\桌面\样本\小黑手机名片赞 {日赞400}.exe

2014-06-14 12:21:12 修改文件    操作:允许
进程路径:C:\Documents and Settings\Administrator\桌面\样本\小黑手机名片赞 {日赞400}.exe
文件路径:(隐藏文件)C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5
触发规则:应用程序规则->临时规则->C:\Documents and Settings\Administrator\桌面\样本\小黑手机名片赞 {日赞400}.exe

2014-06-14 12:21:13 修改文件    操作:允许
进程路径:C:\Documents and Settings\Administrator\桌面\样本\小黑手机名片赞 {日赞400}.exe
文件路径:(隐藏文件)C:\Documents and Settings\Administrator\Local Settings\History
触发规则:应用程序规则->临时规则->C:\Documents and Settings\Administrator\桌面\样本\小黑手机名片赞 {日赞400}.exe

2014-06-14 12:21:14 修改文件    操作:允许
进程路径:C:\Documents and Settings\Administrator\桌面\样本\小黑手机名片赞 {日赞400}.exe
文件路径:(隐藏文件)C:\Documents and Settings\Administrator\Local Settings\History\History.IE5
触发规则:应用程序规则->临时规则->C:\Documents and Settings\Administrator\桌面\样本\小黑手机名片赞 {日赞400}.exe

2014-06-14 12:21:15 修改文件    操作:允许
进程路径:C:\Documents and Settings\Administrator\桌面\样本\小黑手机名片赞 {日赞400}.exe
文件路径:(隐藏文件)C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5
触发规则:应用程序规则->临时规则->C:\Documents and Settings\Administrator\桌面\样本\小黑手机名片赞 {日赞400}.exe

2014-06-14 12:21:17 修改文件    操作:允许
进程路径:C:\Documents and Settings\Administrator\桌面\样本\小黑手机名片赞 {日赞400}.exe
文件路径:C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\index.dat
触发规则:应用程序规则->临时规则->C:\Documents and Settings\Administrator\桌面\样本\小黑手机名片赞 {日赞400}.exe

2014-06-14 12:21:18 修改文件    操作:允许
进程路径:C:\Documents and Settings\Administrator\桌面\样本\小黑手机名片赞 {日赞400}.exe
文件路径:(隐藏文件)C:\Documents and Settings\Administrator\Cookies
触发规则:应用程序规则->临时规则->C:\Documents and Settings\Administrator\桌面\样本\小黑手机名片赞 {日赞400}.exe

2014-06-14 12:21:19 修改文件    操作:允许
进程路径:C:\Documents and Settings\Administrator\桌面\样本\小黑手机名片赞 {日赞400}.exe
文件路径:C:\Documents and Settings\Administrator\Cookies\index.dat
触发规则:应用程序规则->临时规则->C:\Documents and Settings\Administrator\桌面\样本\小黑手机名片赞 {日赞400}.exe

2014-06-14 12:21:20 修改文件    操作:允许
进程路径:C:\Documents and Settings\Administrator\桌面\样本\小黑手机名片赞 {日赞400}.exe
文件路径:(隐藏文件)C:\Documents and Settings\Administrator\Local Settings\History\History.IE5
触发规则:应用程序规则->临时规则->C:\Documents and Settings\Administrator\桌面\样本\小黑手机名片赞 {日赞400}.exe

2014-06-14 12:21:20 修改文件    操作:允许
进程路径:C:\Documents and Settings\Administrator\桌面\样本\小黑手机名片赞 {日赞400}.exe
文件路径:C:\Documents and Settings\Administrator\Local Settings\History\History.IE5\index.dat
触发规则:应用程序规则->临时规则->C:\Documents and Settings\Administrator\桌面\样本\小黑手机名片赞 {日赞400}.exe

2014-06-14 12:21:21 修改文件    操作:允许
进程路径:C:\Documents and Settings\Administrator\桌面\样本\小黑手机名片赞 {日赞400}.exe
文件路径:(隐藏文件)C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5
触发规则:应用程序规则->临时规则->C:\Documents and Settings\Administrator\桌面\样本\小黑手机名片赞 {日赞400}.exe

2014-06-14 12:21:22 修改文件    操作:允许
进程路径:C:\Documents and Settings\Administrator\桌面\样本\小黑手机名片赞 {日赞400}.exe
文件路径:(隐藏文件)C:\Documents and Settings\Administrator\Local Settings\History\History.IE5
触发规则:应用程序规则->临时规则->C:\Documents and Settings\Administrator\桌面\样本\小黑手机名片赞 {日赞400}.exe

2014-06-14 12:21:24 删除注册表    操作:允许
进程路径:C:\Documents and Settings\Administrator\桌面\样本\小黑手机名片赞 {日赞400}.exe
注册表路径:HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings
注册表名称:ProxyServer
触发规则:应用程序规则->临时规则->C:\Documents and Settings\Administrator\桌面\样本\小黑手机名片赞 {日赞400}.exe

2014-06-14 12:21:25 删除注册表    操作:允许
进程路径:C:\Documents and Settings\Administrator\桌面\样本\小黑手机名片赞 {日赞400}.exe
注册表路径:HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings
注册表名称:ProxyOverride
触发规则:应用程序规则->临时规则->C:\Documents and Settings\Administrator\桌面\样本\小黑手机名片赞 {日赞400}.exe

2014-06-14 12:21:25 修改注册表内容    操作:允许
进程路径:C:\Documents and Settings\Administrator\桌面\样本\小黑手机名片赞 {日赞400}.exe
注册表路径:HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections
注册表名称:SavedLegacySettings
触发规则:应用程序规则->临时规则->C:\Documents and Settings\Administrator\桌面\样本\小黑手机名片赞 {日赞400}.exe

2014-06-14 12:21:26 删除注册表    操作:允许
进程路径:C:\Documents and Settings\Administrator\桌面\样本\小黑手机名片赞 {日赞400}.exe
注册表路径:HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings
注册表名称:ProxyServer
触发规则:应用程序规则->临时规则->C:\Documents and Settings\Administrator\桌面\样本\小黑手机名片赞 {日赞400}.exe

2014-06-14 12:21:27 删除注册表    操作:允许
进程路径:C:\Documents and Settings\Administrator\桌面\样本\小黑手机名片赞 {日赞400}.exe
注册表路径:HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings
注册表名称:ProxyOverride
触发规则:应用程序规则->临时规则->C:\Documents and Settings\Administrator\桌面\样本\小黑手机名片赞 {日赞400}.exe

2014-06-14 12:21:28 修改注册表内容    操作:允许
进程路径:C:\Documents and Settings\Administrator\桌面\样本\小黑手机名片赞 {日赞400}.exe
注册表路径:HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections
注册表名称:SavedLegacySettings
触发规则:应用程序规则->临时规则->C:\Documents and Settings\Administrator\桌面\样本\小黑手机名片赞 {日赞400}.exe

2014-06-14 12:21:29 创建文件    操作:允许
进程路径:C:\Documents and Settings\Administrator\桌面\样本\小黑手机名片赞 {日赞400}.exe
文件路径:C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\1G5MUXV6\127_0_0_1[1]
触发规则:应用程序规则->临时规则->C:\Documents and Settings\Administrator\桌面\样本\小黑手机名片赞 {日赞400}.exe

2014-06-14 12:21:29 删除文件    操作:允许
进程路径:C:\Documents and Settings\Administrator\桌面\样本\小黑手机名片赞 {日赞400}.exe
文件路径:C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\D5RQJ9KT\127_0_0_1[1]
触发规则:应用程序规则->临时规则->C:\Documents and Settings\Administrator\桌面\样本\小黑手机名片赞 {日赞400}.exe

2014-06-14 12:21:30 修改注册表内容    操作:允许
进程路径:C:\Documents and Settings\Administrator\桌面\样本\小黑手机名片赞 {日赞400}.exe
注册表路径:HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections
注册表名称:宽带连接
触发规则:应用程序规则->临时规则->C:\Documents and Settings\Administrator\桌面\样本\小黑手机名片赞 {日赞400}.exe

2014-06-14 12:21:35 运行应用程序    操作:阻止
进程路径:C:\Documents and Settings\Administrator\桌面\样本\小黑手机名片赞 {日赞400}.exe
文件路径:C:\WINDOWS\system32\net.exe
命令行:user Administrator /fullname:要密码加Q：2805324583
触发规则:应用程序规则->临时规则->C:\Documents and Settings\Administrator\桌面\样本\小黑手机名片赞 {日赞400}.exe

2014-06-14 12:21:42 运行应用程序    操作:阻止  （手动强制结束进程，阻止或允许都会蓝屏重启，重启后这步消失，有可能删除了）
进程路径:C:\Documents and Settings\Administrator\桌面\样本\小黑手机名片赞 {日赞400}.exe
文件路径:C:\WINDOWS\system32\net.exe
命令行:user administrator tyf5201314.
触发规则:应用程序规则->临时规则->C:\Documents and Settings\Administrator\桌面\样本\小黑手机名片赞 {日赞400}.exe

显示全部楼层 · 发表于 2014-6-14 13:41:01

BD 扫描过双击IDS拦截

显示全部楼层 · 发表于 2014-6-14 13:56:22

饭@avast 发表于 2014-6-14 12:23
Filename: 小黑手机名片赞 {日赞400}.exe
Threat name: SONAR.Heuristic.120
Full Path: Not Available
...

重启一下再看看！

显示全部楼层 · 发表于 2014-6-14 13:59:24

消停发表于 2014-6-14 13:56
重启一下再看看！

一切正常，没有被加密

显示全部楼层 · 发表于 2014-6-14 14:11:07

饭@avast 发表于 2014-6-14 13:59
一切正常，没有被加密

蓝屏的无法下载？

显示全部楼层 · 发表于 2014-6-14 14:30:45

饭@avast 发表于 2014-6-14 13:59
一切正常，没有被加密

虚拟机吧？当然安全了。

[病毒样本] 转，敲竹杠

评分

浏览过的版块