This post was last edited by 神迹般存在 on 2015-8-3 10:35
KIS missed it.
Have sent it to KL.
[mw_shl_code=css,true]Basic information
File name:
【抢先版】《西游记之...请先下载百度网盘播放器.rvmb
MD5: cdea614dc8b18a897a04664815af1a41
File type: Nsis
Upload time: 2015-08-03 10:30:23
Publisher: 天格(杭州)科技有限公司
Version: 1.0.1.7---1.0.1.7
Packer or compiler info: N/A
Sub-file information:
install_step22.bmp / 39c993f97ec718d98ecae63c58a6da19 / Unknown
ShowPlayer.exe / a8fadb3173ec30eec67124827e067952 / EXE
install_step21.bmp / 22ddc200473696f9fa937a083cb80285 / Unknown
install_step32.bmp / 9595042c1bd5f835fd1e0fea065e8966 / Unknown
install_step31.bmp / 5c5ab44a3b996df11b6731f7aefd10af / Unknown
install_step11.bmp / c4d14684c7c60ecc18f07cf5dd6c6fdc / Unknown
install_step12.bmp / d03ec98316020d7334c9a1e9ed9af2f5 / Unknown
BSTongji.dll / 390b9f43673152f4133be6a87b6248ec / DLL
BSService.exe / c08446fed9394dacd5dcd128be32548a / EXE
finish.bmp / c008e7e974940a9f1f259fb95c8e19ba / Unknown
install.bmp / c7607f11ca20bf7ee2e4a254f401c428 / Unknown
bg.bmp / 49dff8b12ec7fc19397a73802cb438aa / Unknown
BSTuijian64.dll / 9220495841e8efaaf04bac679769de82 / DLL
BSTuijian.dll / 2e45bdb38d087723a9b999dbfc306094 / DLL
BSTuijianXP.dll / 0b789b844f3e2021e7ad4703c2accb6f / DLL
CheckEnv.dll / 4e09ca0312aeaa4029d5cd50cb99871a / DLL
LoadDll64.exe / 629c13b835e1383652133f881795a4e7 / EXE
LoadDll.exe / 927e42cfd2a3171bd29eb3aed8eb3b01 / EXE
[NSIS].nsi / fa1b110a9be704778e38894cf109c98e / Unknown
Key behaviors
Behavior: Opens file mapping with write access
Details:
CiceroSharedMemDefaultS-1-5-21-1482476501-1645522239-1417001333-500
\WINDOWS\system32\zh-cn\ieframe.dll.mui
Local\UrlZonesSM_Administrator
Local\!PrivacIE!SharedMem!Counter
MSCTF.MarshalInterface.FileMap.INK..FDJJG
MSCTF.MarshalInterface.FileMap.INK.B.CLJJG
MSCTF.MarshalInterface.FileMap.INK.C.CLJJG
MSCTF.MarshalInterface.FileMap.INK.D.CLJJG
MSCTF.MarshalInterface.FileMap.INK.E.CLJJG
MSCTF.MarshalInterface.FileMap.INK.F.CLJJG
MSCTF.MarshalInterface.FileMap.INK.G.CLJJG
MSCTF.MarshalInterface.FileMap.INK.H.CLJJG
MSCTF.MarshalInterface.FileMap.INK.I.CLJJG
\WINDOWS\system32\zh-cn\mshtml.dll.mui
MSCTF.MarshalInterface.FileMap.INK.J.PCKJG
Behavior: Sets special folder attributes
Details:
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5
C:\Documents and Settings\Administrator\Local Settings\History
C:\Documents and Settings\Administrator\Local Settings\History\History.IE5
C:\Documents and Settings\Administrator\Cookies
Behavior: Hides specified windows
Details:
[Window,Class] = [,Static]
[Window,Class] = [Nullsoft Install System v2.46 ,Static]
[Window,Class] = [Nullsoft Install System v2.46,Static]
[Window,Class] = [,Button]
[Window,Class] = [下一步(&N) >,Button]
[Window,Class] = [取消(&C),Button]
[Window,Class] = [,#32770]
[Window,Class] = [< 上一步(&B),Button]
Process behaviors
Behavior: Enumerates processes
Details:
N/A
File behaviors
Behavior: Opens file mapping with write access
Details:
CiceroSharedMemDefaultS-1-5-21-1482476501-1645522239-1417001333-500
\WINDOWS\system32\zh-cn\ieframe.dll.mui
Local\UrlZonesSM_Administrator
Local\!PrivacIE!SharedMem!Counter
MSCTF.MarshalInterface.FileMap.INK..FDJJG
MSCTF.MarshalInterface.FileMap.INK.B.CLJJG
MSCTF.MarshalInterface.FileMap.INK.C.CLJJG
MSCTF.MarshalInterface.FileMap.INK.D.CLJJG
MSCTF.MarshalInterface.FileMap.INK.E.CLJJG
MSCTF.MarshalInterface.FileMap.INK.F.CLJJG
MSCTF.MarshalInterface.FileMap.INK.G.CLJJG
MSCTF.MarshalInterface.FileMap.INK.H.CLJJG
MSCTF.MarshalInterface.FileMap.INK.I.CLJJG
\WINDOWS\system32\zh-cn\mshtml.dll.mui
MSCTF.MarshalInterface.FileMap.INK.J.PCKJG
Behavior: Creates executable files
Details:
C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\nsg5.tmp\System.dll
C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\nsg5.tmp\WebCtrl.dll
C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\nsg5.tmp\CheckEnv.dll
C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\nsg5.tmp\SkinBtn.dll
C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\ShowPlayer\BSTongji.dll
C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\nsg5.tmp\nsDialogs.dll
C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\nsg5.tmp\WndProc.dll
C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\nsg5.tmp\BgWorker.dll
Behavior: Modifies file contents
Details:
C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\nsg5.tmp\install_step11.bmp---> Offset = 98304
C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\nsg5.tmp\install_step12.bmp---> Offset = 98304
C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\nsg5.tmp\install_step21.bmp---> Offset = 98304
C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\nsg5.tmp\install_step22.bmp---> Offset = 98304
C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\nsg5.tmp\install_step31.bmp---> Offset = 98304
C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\nsg5.tmp\install_step32.bmp---> Offset = 98304
C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\nsg5.tmp\install.bmp---> Offset = 98304
C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\nsg5.tmp\checkbox1.bmp---> Offset = 0
C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\nsg5.tmp\checkbox2.bmp---> Offset = 0
C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\nsg5.tmp\loading1.bmp---> Offset = 0
C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\nsg5.tmp\loading2.bmp---> Offset = 0
C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\nsg5.tmp\finish.bmp---> Offset = 98304
C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\nsg5.tmp\browse.bmp---> Offset = 0
C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\nsg5.tmp\close.bmp---> Offset = 0
C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\nsg5.tmp\bg.bmp---> Offset = 98304
Behavior: Sets special folder attributes
Details:
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5
C:\Documents and Settings\Administrator\Local Settings\History
C:\Documents and Settings\Administrator\Local Settings\History\History.IE5
C:\Documents and Settings\Administrator\Cookies
Network behaviors
Behavior: Connects to specified sites
Details:
InternetConnectA: ServerName = config.0551fs.com, PORT = 80
InternetConnectA: ServerName = config.789wed.com, PORT = 80
Behavior: Establishes a socket connection to a specified endpoint
Details:
127.0.0.1:1034
Behavior: Reads network files
Details:
hFile = 0x000003bc, BytesToRead =65535, BytesRead = 65535.
hFile = 0x000003ac, BytesToRead =65535, BytesRead = 65535.
hFile = 0x0000036c, BytesToRead =65535, BytesRead = 65535.
hFile = 0x00000370, BytesToRead =65535, BytesRead = 65535.
Behavior: Opens HTTP requests
Details:
HttpOpenRequestA: config.0551fs.com:80/public/conf/cnzz_page/38/install_begin.html?, hConnect = 0x00000504
HttpOpenRequestA: config.0551fs.com:80/public/conf/open/1/35_1_0_1_7/10.jpg, hConnect = 0x00000380
HttpOpenRequestA: config.0551fs.com:80/public/conf/cpa/2/35_1_0_1_7/10.xml, hConnect = 0x00000380
HttpOpenRequestA: config.789wed.com:80/public/conf/cybercafe_check/index.xml, hConnect = 0x00000370
HttpOpenRequestA: config.0551fs.com:80/public/conf/icon/2/35_1_0_1_7/10.xml, hConnect = 0x0000036c
Registry behaviors
Behavior: Modifies the registry
Details:
\REGISTRY\USER\S-1-5-21-1482476501-1645522239-1417001333-500\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\SavedLegacySettings
Behavior: Deletes registry values (IE connection settings)
Details:
\REGISTRY\USER\S-1-5-21-1482476501-1645522239-1417001333-500\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyServer
\REGISTRY\USER\S-1-5-21-1482476501-1645522239-1417001333-500\Software\Microsoft\Windows\CurrentVersion\Internet Settings\AutoConfigURL
Other behaviors
Behavior: Creates mutexes
Details:
CTF.LBES.MutexDefaultS-1-5-21-1482476501-1645522239-1417001333-500
CTF.Compart.MutexDefaultS-1-5-21-1482476501-1645522239-1417001333-500
CTF.Asm.MutexDefaultS-1-5-21-1482476501-1645522239-1417001333-500
CTF.Layouts.MutexDefaultS-1-5-21-1482476501-1645522239-1417001333-500
CTF.TMD.MutexDefaultS-1-5-21-1482476501-1645522239-1417001333-500
CTF.TimListCache.FMPDefaultS-1-5-21-1482476501-1645522239-1417001333-500MUTEX.DefaultS-1-5-21-1482476501-1645522239-1417001333-500
Local\ZonesCounterMutex
Local\ZoneAttributeCacheCounterMutex
Local\ZonesCacheCounterMutex
Local\ZonesLockedCacheCounterMutex
RasPbFile
Mutex_ShowPlayer_
Local\!PrivacIE!SharedMemory!Mutex
MSCTF.Shared.MUTEX.AEH
MSCTF.Shared.MUTEX.INK
Behavior: Hides specified windows
Details:
[Window,Class] = [,Static]
[Window,Class] = [Nullsoft Install System v2.46 ,Static]
[Window,Class] = [Nullsoft Install System v2.46,Static]
[Window,Class] = [,Button]
[Window,Class] = [下一步(&N) >,Button]
[Window,Class] = [取消(&C),Button]
[Window,Class] = [,#32770]
[Window,Class] = [< 上一步(&B),Button]
Behavior: Finds specified windows
Details:
NtUserFindWindowEx: [Class,Window] = [#32770,]
NtUserFindWindowEx: [Class,Window] = [Shell_TrayWnd,]
NtUserFindWindowEx: [Class,Window] = [MS_AutodialMonitor,]
NtUserFindWindowEx: [Class,Window] = [MS_WebCheckMonitor,]
NtUserFindWindowEx: [Class,Window] = [CicLoaderWndClass,]
Behavior: Acquires system privileges
Details:
SE_LOAD_DRIVER_PRIVILEGE
Behavior: Window information
Details:
Pid = 2772, Hwnd=0x40252, Text = 下一步(&N) >, ClassName = Button.
Pid = 2772, Hwnd=0x301be, Text = 取消(&C), ClassName = Button.
Pid = 2772, Hwnd=0x301ca, Text = Nullsoft Install System v2.46 , ClassName = Static.
Pid = 2772, Hwnd=0x301e6, Text = Nullsoft Install System v2.46, ClassName = Static.
Pid = 2772, Hwnd=0x70248, Text = Show直播间 安装, ClassName = #32770.
Pid = 2772, Hwnd=0x60230, Text = Show直播间下载解压向导, ClassName = Static.
Pid = 2772, Hwnd=0x4021e, Text = 创建桌面快捷方式, ClassName = Static.
Pid = 2772, Hwnd=0x50208, Text = 我已阅读并同意, ClassName = Static.
Pid = 2772, Hwnd=0x60212, Text = 安装许可协议, ClassName = Static.
Pid = 2772, Hwnd=0x301f0, Text = 解压路径, ClassName = Static.
Pid = 2772, Hwnd=0x301ec, Text = D:\Program Files\ShowPlayer, ClassName = Edit.
Pid = 2772, Hwnd=0x70240, Text = < 上一步(&B), ClassName = Button.
Behavior: Opens image files
Details:
\DOCUME~1\ADMINI~1\LOCALS~1\Temp\nsg5.tmp\install_step11.bmp
\DOCUME~1\ADMINI~1\LOCALS~1\Temp\nsg5.tmp\install_step12.bmp
\DOCUME~1\ADMINI~1\LOCALS~1\Temp\nsg5.tmp\install_step21.bmp
\DOCUME~1\ADMINI~1\LOCALS~1\Temp\nsg5.tmp\install_step22.bmp
\DOCUME~1\ADMINI~1\LOCALS~1\Temp\nsg5.tmp\install_step31.bmp
\DOCUME~1\ADMINI~1\LOCALS~1\Temp\nsg5.tmp\install_step32.bmp
\DOCUME~1\ADMINI~1\LOCALS~1\Temp\nsg5.tmp\install.bmp
\DOCUME~1\ADMINI~1\LOCALS~1\Temp\nsg5.tmp\checkbox1.bmp
\DOCUME~1\ADMINI~1\LOCALS~1\Temp\nsg5.tmp\checkbox2.bmp
\DOCUME~1\ADMINI~1\LOCALS~1\Temp\nsg5.tmp\loading1.bmp
\DOCUME~1\ADMINI~1\LOCALS~1\Temp\nsg5.tmp\loading2.bmp
\DOCUME~1\ADMINI~1\LOCALS~1\Temp\nsg5.tmp\finish.bmp
\DOCUME~1\ADMINI~1\LOCALS~1\Temp\nsg5.tmp\browse.bmp
\DOCUME~1\ADMINI~1\LOCALS~1\Temp\nsg5.tmp\close.bmp
\DOCUME~1\ADMINI~1\LOCALS~1\Temp\nsg5.tmp\bg.bmp[/mw_shl_code]
Runtime screenshot

A quick analysis: this is a rogue installer. There is no virus behavior.
-----end-----