欧阳宣 posted on 2014-11-29 19:44
2014.11.29 19:43:57,High,cflogin.exe (Spyware.Perfect) detected by Auto-Protect,Blocked,Resolved - ...
CF卡枪.rar
MD5: c6e072950f863cf1d283f8016cb4c6cf
File type: Rar
Upload time: 2014-11-29 21:12:19
Vendor: N/A
Version: N/A
Packer/compiler info: COMPILER:Elan
Sub-file info:
CF卡枪工具.exe / 426a708aeef910a9e854e16fdb069c7f / EXE
upx30_0b919b54dumpFile / c8c8daed1c81e53741b5d5c39571e5bf / DLL
CFLogin.exe / 371c7c5e99495dbba5e6e99a51cd0ea7 / EXE
SkinH_EL.dll / 74643bfcb5506297fc0a08baa172db15 / DLL
CFLogin.exedumpFile / d41d8cd98f00b204e9800998ecf8427e / Unknown
CF卡枪工具.exedumpFile / d41d8cd98f00b204e9800998ecf8427e / Unknown
SkinH_EL.dlldumpFile / d41d8cd98f00b204e9800998ecf8427e / Unknown
Key behaviors
Behavior description: Cross-process data write
Details:
TargetProcess = userinit.exe, WriteAddress = 0x00400000, Size = 1024
TargetProcess = userinit.exe, WriteAddress = 0x00401000, Size = 80384
TargetProcess = userinit.exe, WriteAddress = 0x00415000, Size = 3584
TargetProcess = userinit.exe, WriteAddress = 0x00416000, Size = 0
TargetProcess = userinit.exe, WriteAddress = 0x00417000, Size = 5632
TargetProcess = userinit.exe, WriteAddress = 0x00419000, Size = 0
TargetProcess = userinit.exe, WriteAddress = 0x0041a000, Size = 512
TargetProcess = userinit.exe, WriteAddress = 0x0041b000, Size = 4608
TargetProcess = userinit.exe, WriteAddress = 0x0041d000, Size = 1536
TargetProcess = userinit.exe, WriteAddress = 0x7ffd9008, Size = 4
Behavior description: Resolve host address by name
Details:
h4ckb0y.3322.org
Behavior description: Set thread context
Details:
C:\WINDOWS\system32\userinit.exe
Behavior description: Create system service
Details:
[服务创建成功]: DRATSer, C:\WINDOWS\system32\System64.exe
Process behaviors
Behavior description: Create process with hidden window
Details:
ImagePath = , CmdLine = cflogin.exe
Behavior description: Cross-process data write
Details:
TargetProcess = userinit.exe, WriteAddress = 0x00400000, Size = 1024
TargetProcess = userinit.exe, WriteAddress = 0x00401000, Size = 80384
TargetProcess = userinit.exe, WriteAddress = 0x00415000, Size = 3584
TargetProcess = userinit.exe, WriteAddress = 0x00416000, Size = 0
TargetProcess = userinit.exe, WriteAddress = 0x00417000, Size = 5632
TargetProcess = userinit.exe, WriteAddress = 0x00419000, Size = 0
TargetProcess = userinit.exe, WriteAddress = 0x0041a000, Size = 512
TargetProcess = userinit.exe, WriteAddress = 0x0041b000, Size = 4608
TargetProcess = userinit.exe, WriteAddress = 0x0041d000, Size = 1536
TargetProcess = userinit.exe, WriteAddress = 0x7ffd9008, Size = 4
Behavior description: Create process from newly written file
Details:
ImagePath = c:\%temp%\1417266574.325215.exe_7zdump\CFLogin.exe, CmdLine = CFLogin.exe
ImagePath = C:\WINDOWS\system32\System64.exe, CmdLine = C:\WINDOWS\system32\System64.exe
Behavior description: Create process
Details:
ImagePath = C:\WINDOWS\system32\userinit.exe, CmdLine = "C:\WINDOWS\system32\userinit.exe"
Behavior description: Set thread context
Details:
C:\WINDOWS\system32\userinit.exe
Behavior description: Enumerate processes
Details:
N/A
File behaviors
Behavior description: Create executable file
Details:
C:\%temp%\1417266574.201025.exe_7zdump\SkinH_EL.dll
C:\%temp%\1417266574.242548.exe_7zdump\CFLogin.exe
C:\WINDOWS\system32\System64.exe
Network behaviors
Behavior description: Send data on a connected socket
Details:
SOCKET = 0x00000108, TotalSize = 4, Offset = 0, ReadSize = 4.
SOCKET = 0x00000108, TotalSize = 6, Offset = 0, ReadSize = 6.
Behavior description: Establish connection to a specified socket
Details:
219.133.40.1:2012
Behavior description: Resolve host address by name
Details:
h4ckb0y.3322.org
Registry behaviors
Behavior description: Modify registry
Details:
\REGISTRY\USER\S-1-5-21-1482476501-1645522239-1417001333-500\Software\Microsoft\Multimedia\DrawDib\vga.drv 1676x885x32(BGR 0)
\REGISTRY\USER\S-1-5-21-1482476501-1645522239-1417001333-500\Software\Microsoft\Windows\CurrentVersion\WinXpMemory
Other behaviors
Behavior description: Create mutex
Details:
RasPbFile
SHIMLIB_LOG_MUTEX
RAT20122042
Behavior description: Inline hook
Details:
C:\WINDOWS\system32\GDI32.dll--->ExtTextOutA Offset = 0x0
C:\WINDOWS\system32\GDI32.dll--->ExtTextOutW Offset = 0x0
C:\WINDOWS\system32\USER32.dll--->GetWindowLongA Offset = 0x0
C:\WINDOWS\system32\USER32.dll--->SetWindowLongA Offset = 0x0
C:\WINDOWS\system32\USER32.dll--->SetWindowLongW Offset = 0x0
C:\WINDOWS\system32\USER32.dll--->GetWindowLongW Offset = 0x0
C:\WINDOWS\system32\USER32.dll--->BeginPaint Offset = 0x0
C:\WINDOWS\system32\USER32.dll--->EndPaint Offset = 0x0
C:\WINDOWS\system32\USER32.dll--->GetDC Offset = 0x0
C:\WINDOWS\system32\USER32.dll--->GetWindowDC Offset = 0x0
C:\WINDOWS\system32\USER32.dll--->ReleaseDC Offset = 0x0
C:\WINDOWS\system32\USER32.dll--->WindowFromDC Offset = 0x0
C:\WINDOWS\system32\USER32.dll--->GetScrollInfo Offset = 0x0
C:\WINDOWS\system32\USER32.dll--->GetScrollPos Offset = 0x0
C:\WINDOWS\system32\USER32.dll--->GetScrollRange Offset = 0x0
Behavior description: Find specified window
Details:
NtUserFindWindowEx: [Class,Window] = [,]
Behavior description: Start system service
Details:
[服务启动失败]: LocalSystem, DRATRat, C:\WINDOWS\system32\System64.exe
Behavior description: Window information
Details:
Pid = 896, Hwnd=0xb0336, Text = 提示:由于使用人数太多,使用时请避开网络高峰期。, ClassName = Afx:400000:b:10011:1900015:0.
Pid = 896, Hwnd=0xd038e, Text = 老虎帽子, ClassName = Button(CheckBox).
Pid = 896, Hwnd=0xd01c4, Text = 老虎背包, ClassName = Button(CheckBox).
Pid = 896, Hwnd=0xc017a, Text = 圣诞手枪, ClassName = Button(CheckBox).
Pid = 896, Hwnd=0xd01f6, Text = 红色烟雾, ClassName = Button(CheckBox).
Pid = 896, Hwnd=0xb0200, Text = 圣诞手斧, ClassName = Button(CheckBox).
Pid = 896, Hwnd=0xc01a6, Text = 福字手雷, ClassName = Button(CheckBox).
Pid = 896, Hwnd=0xc01da, Text = 幽灵手雷, ClassName = Button(CheckBox).
Pid = 896, Hwnd=0xb019c, Text = 其他装备, ClassName = Button(GroupBox).
Pid = 896, Hwnd=0xa039e, Text = 爱心手雷, ClassName = Button(CheckBox).
Pid = 896, Hwnd=0xb03b0, Text = 百城名片, ClassName = Button(CheckBox).
Pid = 896, Hwnd=0x9035c, Text = 兔子背包, ClassName = Button(CheckBox).
Pid = 896, Hwnd=0xb0332, Text = 兔子发带, ClassName = Button(CheckBox).
Pid = 896, Hwnd=0xb015e, Text = 京剧帽子, ClassName = Button(CheckBox).
Pid = 896, Hwnd=0xa01f0, Text = 京剧背包, ClassName = Button(CheckBox).
Behavior description: Create system service
Details:
[服务创建成功]: DRATSer, C:\WINDOWS\system32\System64.exe