@ELOHIM
Strange. Today I started up the virtual machine I used yesterday to test Zbot, and the result is as follows, sigh.
2015-11-02T04:27:19.605Z Task(GetDeviceTicket -AccessKey 70562A23-3E9A-C88C-6DAE-2C24814957FE ) launched as network service
2015-11-02T04:27:19.727Z Process scan (poststartupscan) started.
Internal signature match:subtype=Persist, sigseq=0x00000555038C655E, signame=#PERSIST_HSTR:UnsignedNSIS, cached=false, resource="C:\Users\win7\AppData\Roaming\Ywuwu\qeytroe.exe"
BEGIN BM telemetry
GUID:{0F8B0AAA-7462-669C-8820-D13DBDA57C17}
TelemetryName:Behavior:Win32/OpenExplorerProcess
SignatureID:23862338556417
ProcessID:2492
ProcessCreationTime:130909120333100296
SessionID:1
CreationTime:11-02-2015 12:27:13
ImagePath:C:\Users\win7\AppData\Roaming\Ywuwu\qeytroe.exe
END BM telemetry
Internal signature match:subtype=Persist, sigseq=0x00000555038C655E, signame=#PERSIST_HSTR:UnsignedNSIS, cached=false, resource="C:\Users\win7\AppData\Roaming\Ywuwu\qeytroe.exe"
BEGIN BM telemetry
GUID:{A8F6BD55-1DC7-BC24-A0E6-F7E647DE3886}
TelemetryName:Behavior:Win32/MultiInjector
SignatureID:59046271144977
ProcessID:2492
ProcessCreationTime:130909120333100296
SessionID:1
CreationTime:11-02-2015 12:27:13
ImagePath:C:\Users\win7\AppData\Roaming\Ywuwu\qeytroe.exe
TargetFileName:C:\Windows\System32\dwm.exe
END BM telemetry
Internal signature match:subtype=Persist, sigseq=0x00000555038C655E, signame=#PERSIST_HSTR:UnsignedNSIS, cached=false, resource="C:\Users\win7\AppData\Roaming\Ywuwu\qeytroe.exe"
BEGIN BM telemetry
GUID:{F8F1939B-24B4-8BBF-217E-363F1B165354}
TelemetryName:Behavior:Win32/AppdataInjector
SignatureID:76639094139797
ProcessID:2492
ProcessCreationTime:130909120333100296
SessionID:1
CreationTime:11-02-2015 12:27:13
ImagePath:C:\Users\win7\AppData\Roaming\Ywuwu\qeytroe.exe
TargetFileName:C:\Users\win7\AppData\Roaming\Ywuwu\qeytroe.exe
END BM telemetry
Internal signature match:subtype=Persist, sigseq=0x00000555038C655E, signame=#PERSIST_HSTR:UnsignedNSIS, cached=false, resource="C:\Users\win7\AppData\Roaming\Ywuwu\qeytroe.exe"
BEGIN BM telemetry
GUID:{71217D77-B7DA-6715-9761-71EE62EAD7B5}
TelemetryName:Behavior:Win32/InjectedRemoteThreadExplorer
SignatureID:23861090166086
ProcessID:2492
ProcessCreationTime:130909120333100296
SessionID:1
CreationTime:11-02-2015 12:27:13
ImagePath:C:\Users\win7\AppData\Roaming\Ywuwu\qeytroe.exe
TargetFileName:C:\Windows\explorer.exe
END BM telemetry
2015-11-02T04:27:25.528Z Task(GetDeviceTicket -AccessKey ABDE2979-1D26-8611-5708-2913D678B990 ) launched as network service
Internal signature match:subtype=Persist, sigseq=0x00000555038C655E, signame=#PERSIST_HSTR:UnsignedNSIS, cached=false, resource="C:\Users\win7\AppData\Roaming\Ywuwu\qeytroe.exe"
BEGIN BM telemetry
GUID:{1654E290-36E5-E26D-557E-0E3F5EF21D29}
TelemetryName:Behavior:Win32/MultiInjector2
SignatureID:76637621234586
ProcessID:2492
ProcessCreationTime:130909120333100296
SessionID:1
CreationTime:11-02-2015 12:27:13
ImagePath:C:\Users\win7\AppData\Roaming\Ywuwu\qeytroe.exe
TargetFileName:C:\Windows\System32\dwm.exe
END BM telemetry
Internal signature match:subtype=Persist, sigseq=0x00000555038C655E, signame=#PERSIST_HSTR:UnsignedNSIS, cached=false, resource="C:\Users\win7\AppData\Roaming\Ywuwu\qeytroe.exe"
BEGIN BM telemetry
GUID:{787603F7-B1A2-066E-57C2-D3C02F4EB15C}
TelemetryName:Behavior:Win32/InjectRemoteThreadInMSAV
SignatureID:129414677452474
ProcessID:2492
ProcessCreationTime:130909120333100296
SessionID:1
CreationTime:11-02-2015 12:27:13
ImagePath:C:\Users\win7\AppData\Roaming\Ywuwu\qeytroe.exe
TargetFileName:C:\Program Files\Microsoft Security Client\msseces.exe
END BM telemetry
2015-11-02T04:27:28.145Z Task(GetDeviceTicket -AccessKey 3444A877-9BFB-8879-3A8F-4F20A06AED40 ) launched as network service
2015-11-02T04:27:28.337Z Task(GetDeviceTicket -AccessKey 3BEEC315-483B-0B86-256A-2C22E59D8093 ) launched as network service
2015-11-02T04:27:43.574Z DETECTIONEVENT VirTool:Win32/CeeInject.gen!DZ process:pid:2376,ProcessStart:130909120315539007;
2015-11-02T04:27:43.648Z DETECTION_ADD VirTool:Win32/CeeInject.gen!DZ process:pid:2376,ProcessStart:130909120315539007
Begin Resource Scan
Scan ID:{F3893264-DFBA-4100-A1F7-17D1EB20E0FB}
Scan Source:8
Start Time:11-02-2015 12:27:12
End Time:11-02-2015 12:27:43
Explicit resource to scan
Resource Schema:processmemoryscan
Resource Path:pid:2376,ProcessStart:130909120315539007
Result Count:1
Threat Name:VirTool:Win32/CeeInject.gen!DZ
ID:2147644180
Severity:5
Number of Resources:1
Resource Schema:process
Resource Path:pid:2376,ProcessStart:130909120315539007
Extended Info:91776949102691
End Scan