TR/Spy.Banker.Gen

显示全部楼层 · 发表于 2016-2-19 18:40:17

windows7爱好者发表于 2016-2-19 18:37
也有可能是破解

哈勃行为

[mw_shl_code=css,true]
基本信息
文件名称：

新建压缩(zipped)文件夹 (3).zip
MD5： 6711dc3f28dfb3b20c6c7f5a1c7be926
文件类型： zip
上传时间： 2016-02-19 18:37:46
出品公司： N/A
版本： N/A
壳或编译器信息： N/A
子文件信息：详情
关键行为
行为描述：修改注册表
详情信息：

\REGISTRY\USER\S-*\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\SavedLegacySettings

\REGISTRY\MACHINE\SOFTWARE\Microsoft\ESENT\Process\9\DEBUG\Trace Level

\REGISTRY\USER\S-*\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings
行为描述：设置特殊文件夹属性
详情信息：

C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files

C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5

C:\Documents and Settings\Administrator\Local Settings\History

C:\Documents and Settings\Administrator\Local Settings\History\History.IE5

C:\Documents and Settings\Administrator\Cookies
行为描述：获取TickCount值
详情信息：

TickCount = 488143, SleepMilliseconds = 50.

TickCount = 488175, SleepMilliseconds = 50.

TickCount = 488190, SleepMilliseconds = 50.

TickCount = 548156, SleepMilliseconds = 60000.

TickCount = 488256, SleepMilliseconds = 100.

TickCount = 488271, SleepMilliseconds = 100.

TickCount = 488287, SleepMilliseconds = 100.

TickCount = 488303, SleepMilliseconds = 100.

TickCount = 488318, SleepMilliseconds = 100.

TickCount = 488334, SleepMilliseconds = 100.

TickCount = 488365, SleepMilliseconds = 100.

TickCount = 488396, SleepMilliseconds = 100.

TickCount = 488412, SleepMilliseconds = 100.

TickCount = 488428, SleepMilliseconds = 100.

TickCount = 488459, SleepMilliseconds = 100.
进程行为
行为描述：创建本地线程
详情信息：

N/A
行为描述：进程退出
详情信息：

N/A
行为描述：枚举进程
详情信息：

N/A
文件行为
行为描述：创建文件
详情信息：

C:\DOCUME~1\ADMINI~1\LOCALS~1\%temp%\1455879116.643055.exe_7zdump\List.txt

C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\C1OS62RY\wpad[1].dat

C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\C1OS62RY\navcancl[1]

C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\C1OS62RY\ErrorPageTemplate[1]

C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\6TLOMATB\errorPageStrings[1]

C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\C1OS62RY\httpErrorPagesScripts[1]

C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\6TLOMATB\background_gradient[1]

C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\C1OS62RY\info_48[1]

C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\6TLOMATB\bullet[1]

C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\IUKHR8T2\Launcher[1]
行为描述：覆盖已有文件
详情信息：

C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\C1OS62RY\navcancl[1]

C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\C1OS62RY\ErrorPageTemplate[1]

C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\6TLOMATB\errorPageStrings[1]

C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\C1OS62RY\httpErrorPagesScripts[1]

C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\6TLOMATB\background_gradient[1]

C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\C1OS62RY\info_48[1]

C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\6TLOMATB\bullet[1]
行为描述：查找文件
详情信息：

FileName = C:\DOCUME~1

FileName = C:\DOCUME~1\ADMINI~1

FileName = C:\DOCUME~1\ADMINI~1\LOCALS~1

FileName = C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp

FileName = C:\DOCUME~1\ADMINI~1\LOCALS~1\%temp%

FileName = C:\DOCUME~1\ADMINI~1\LOCALS~1\%temp%\1455879116.439538.exe_7zdump\9.exe

FileName = C:\DOCUME~1\ADMINI~1\LOCALS~1\%temp%\1455879116.443101.exe_7zdump

FileName = C:\Documents and Settings\ADMINI~1

FileName = C:\Documents and Settings\Administrator\LOCALS~1

FileName = C:\Documents and Settings\Administrator\Local Settings\Temp

FileName = C:\Documents and Settings\Administrator\Local Settings\%temp%

FileName = C:\Documents and Settings\Administrator\Local Settings\%temp%\1455879116.460876.exe_7zdump

FileName = C:\Documents and Settings\Administrator\Local Settings\%temp%\1455879116.464442.exe_7zdump\9.exe

FileName = C:\Documents and Settings

FileName = C:\Documents and Settings\Administrator
行为描述：删除文件
详情信息：

C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\C1OS62RY\wpad[1].dat

C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\C1OS62RY\navcancl[2]

C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\6TLOMATB\ErrorPageTemplate[2]

C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\C1OS62RY\errorPageStrings[1]

C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\6TLOMATB\httpErrorPagesScripts[1]

C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\C1OS62RY\background_gradient[2]

C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\6TLOMATB\info_48[1]

C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\IUKHR8T2\bullet[1]

C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\IUKHR8T2\Launcher[1]
行为描述：设置特殊文件夹属性
详情信息：

C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files

C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5

C:\Documents and Settings\Administrator\Local Settings\History

C:\Documents and Settings\Administrator\Local Settings\History\History.IE5

C:\Documents and Settings\Administrator\Cookies
行为描述：修改文件内容
详情信息：

C:\DOCUME~1\ADMINI~1\LOCALS~1\%temp%\1455879116.610689.exe_7zdump\List.txt---> Offset = 0

C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\C1OS62RY\navcancl[1]---> Offset = 0

C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\C1OS62RY\ErrorPageTemplate[1]---> Offset = 0

C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\6TLOMATB\errorPageStrings[1]---> Offset = 0

C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\C1OS62RY\httpErrorPagesScripts[1]---> Offset = 0

C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\6TLOMATB\background_gradient[1]---> Offset = 0

C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\C1OS62RY\info_48[1]---> Offset = 0

C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\6TLOMATB\bullet[1]---> Offset = 0
网络行为
行为描述：联网打开网址
详情信息：

InternetOpenUrlA: http://110.110.110.110:80/wpad.dat hInternet = 0x00cc0010
行为描述：连接指定站点
详情信息：

InternetConnectA: ServerName = muarena.net, PORT = 80, UserName = , Password = , hSession = 0x00cc0004, hConnect = 0x00cc0008

InternetConnectA: ServerName = 110.110.110.110, PORT = 80, UserName = , Password = , hSession = 0x00cc0010, hConnect = 0x00cc0014
行为描述：打开HTTP连接
详情信息：

InternetOpenA: UserAgent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Trident/4.0; .NET CLR 2.0.50727; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729; .NET4.0C; .NET4.0E; KB974489), hSession = 0x00cc0004

InternetOpenA: UserAgent: Mozilla/4.0 (compatible; MSIE 8.0; Win32; Trident/4.0), hSession = 0x00cc0010
行为描述：建立到一个指定的套接字连接
详情信息：

127.0.0.1:1031, SOCKET = 0x00000474

219.133.40.1:80, SOCKET = 0x000003b8

110.110.110.110:80, SOCKET = 0x000003c0

110.110.110.110:80, SOCKET = 0x000002d8
行为描述：读取网络文件
详情信息：

hFile = 0x00cc000c, BytesToRead =4096, BytesRead = 4096.

hFile = 0x00cc0018, BytesToRead =4010, BytesRead = 4010.
行为描述：发送HTTP包
详情信息：

GET /wpad.dat HTTP/1.1 Accept: */* User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Win32; Trident/4.0) Host: 110.110.110.110

GET /fireteam/Launcher/ HTTP/1.1 Accept: */* Accept-Language: zh-cn Accept-Encoding: gzip, deflate User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Trident/4.0; .NET CLR 2.0.50727; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729; .NET4.0C; .NET4.0E; KB974489) Host: muarena.net Connection: Keep-Alive
行为描述：打开HTTP请求
详情信息：

HttpOpenRequestA: muarena.net:80/fireteam/launcher/, hConnect = 0x00cc0008, hRequest = 0x00cc000c, Verb: GET, Referer:

HttpOpenRequestA: 110.110.110.110:80/wpad.dat, hConnect = 0x00cc0014, hRequest = 0x00cc0018, Verb: GET, Referer:
行为描述：按名称获取主机地址
详情信息：

computer

wpad

muarena.net

110.110.110.110
注册表行为
行为描述：修改注册表
详情信息：

\REGISTRY\USER\S-*\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\SavedLegacySettings

\REGISTRY\MACHINE\SOFTWARE\Microsoft\ESENT\Process\9\DEBUG\Trace Level

\REGISTRY\USER\S-*\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings
行为描述：删除注册表键值
详情信息：

\REGISTRY\MACHINE\SOFTWARE\Microsoft\ESENT\Process\9\DEBUG\Trace Level
行为描述：删除注册表键值_IE连接设置
详情信息：

\REGISTRY\USER\S-*\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyServer

\REGISTRY\USER\S-*\Software\Microsoft\Windows\CurrentVersion\Internet Settings\AutoConfigURL
其他行为
行为描述：创建互斥体
详情信息：

CTF.LBES.MutexDefaultS-*

CTF.Compart.MutexDefaultS-*

CTF.Asm.MutexDefaultS-*

CTF.Layouts.MutexDefaultS-*

CTF.TMD.MutexDefaultS-*

CTF.TimListCache.FMPDefaultS-*MUTEX.DefaultS-*

Local\ZonesCounterMutex

Local\ZoneAttributeCacheCounterMutex

Local\ZonesCacheCounterMutex

Local\ZonesLockedCacheCounterMutex

RasPbFile

CritOpMutex

Local\!PrivacIE!SharedMemory!Mutex

MSCTF.Shared.MUTEX.ELH

MSCTF.Shared.MUTEX.IMI
行为描述：创建事件对象
详情信息：

EventName = DINPUTWINMM

EventName = Global\userenv: User Profile setup event

EventName = Global\crypt32LogoffEvent

EventName = MSCTF.SendReceiveConection.Event.IMI.IC

EventName = MSCTF.SendReceive.Event.IMI.IC
行为描述：查找指定窗口
详情信息：

NtUserFindWindowEx: [Class,Window] = [MS_AutodialMonitor,]

NtUserFindWindowEx: [Class,Window] = [MS_WebCheckMonitor,]

NtUserFindWindowEx: [Class,Window] = [Shell_TrayWnd,]

NtUserFindWindowEx: [Class,Window] = [CicLoaderWndClass,]

NtUserFindWindowEx: [Class,Window] = [MS_WINHELP,]
行为描述：获取系统权限
详情信息：

SE_LOAD_DRIVER_PRIVILEGE
行为描述：获取TickCount值
详情信息：

TickCount = 488143, SleepMilliseconds = 50.

TickCount = 488175, SleepMilliseconds = 50.

TickCount = 488190, SleepMilliseconds = 50.

TickCount = 548156, SleepMilliseconds = 60000.

TickCount = 488256, SleepMilliseconds = 100.

TickCount = 488271, SleepMilliseconds = 100.

TickCount = 488287, SleepMilliseconds = 100.

TickCount = 488303, SleepMilliseconds = 100.

TickCount = 488318, SleepMilliseconds = 100.

TickCount = 488334, SleepMilliseconds = 100.

TickCount = 488365, SleepMilliseconds = 100.

TickCount = 488396, SleepMilliseconds = 100.

TickCount = 488412, SleepMilliseconds = 100.

TickCount = 488428, SleepMilliseconds = 100.

TickCount = 488459, SleepMilliseconds = 100.
行为描述：获取光标位置
详情信息：

CursorPos = (106,18467), SleepMilliseconds = 60000.

CursorPos = (6399,26500), SleepMilliseconds = 60000.

CursorPos = (19234,15724), SleepMilliseconds = 60000.

CursorPos = (11543,29358), SleepMilliseconds = 60000.

CursorPos = (27027,24464), SleepMilliseconds = 60000.

CursorPos = (5770,28145), SleepMilliseconds = 60000.

CursorPos = (23346,16827), SleepMilliseconds = 60000.

CursorPos = (10026,491), SleepMilliseconds = 60000.

CursorPos = (3060,11942), SleepMilliseconds = 60000.

CursorPos = (4892,5436), SleepMilliseconds = 60000.

CursorPos = (32456,14604), SleepMilliseconds = 60000.

CursorPos = (3967,153), SleepMilliseconds = 60000.

CursorPos = (357,12382), SleepMilliseconds = 60000.

CursorPos = (17486,18716), SleepMilliseconds = 60000.

CursorPos = (19783,19895), SleepMilliseconds = 60000.
行为描述：窗口信息
详情信息：

Pid = 1856, Hwnd=0x10316, Text = 您想运行或保存此文件吗?, ClassName = Static.

Pid = 1856, Hwnd=0x1031a, Text = 名称:, ClassName = Static.

Pid = 1856, Hwnd=0x1031c, Text = update.exe, ClassName = SysLink.

Pid = 1856, Hwnd=0x1031e, Text = 发行者:, ClassName = Static.

Pid = 1856, Hwnd=0x10322, Text = 类型:, ClassName = Static.

Pid = 1856, Hwnd=0x10324, Text = 应用程序, 15.0KB, ClassName = Static.

Pid = 1856, Hwnd=0x10326, Text = 从:, ClassName = Static.

Pid = 1856, Hwnd=0x10328, Text = muarena.net, ClassName = Static.

Pid = 1856, Hwnd=0x1032a, Text = 运行(&R), ClassName = Button.

Pid = 1856, Hwnd=0x1032c, Text = 保存(&S), ClassName = Button.

Pid = 1856, Hwnd=0x1032e, Text = 取消, ClassName = Button.

Pid = 1856, Hwnd=0x10330, Text = 打开此类文件前总是询问(&W), ClassName = Button(CheckBox).

Pid = 1856, Hwnd=0x10336, Text = 来自 Internet 的文件可能对您有所帮助，但此文件类型可能危害您的计算机。如果您不信任其来源，请不要运行或保存该软件。<A>有何风险?</A>, ClassName = SysLink.

Pid = 1856, Hwnd=0x10314, Text = 文件下载 - 安全警告, ClassName = #32770.

Pid = 1856, Hwnd=0x702c0, Text = 下载完毕, ClassName = Static.
行为描述：调用Sleep函数
详情信息：

[2]: MilliSeconds = 100.

[1]: MilliSeconds = 60000.

[3]: MilliSeconds = 60000.

[4]: MilliSeconds = 1000.
行为描述：隐藏指定窗口
详情信息：

[Window,Class] = [,ComboLBox]

[Window,Class] = [,SysLink]

[Window,Class] = [,Static]

[Window,Class] = [文件大小未知,Static]

[Window,Class] = [打开此类文件前总是询问(&W),Button]

[Window,Class] = [发行者:,Static]

[Window,Class] = [Mu Arena,Tfrm_principal]

[Window,Class] = [,Internet Explorer_Server]
[/mw_shl_code]

显示全部楼层 · 发表于 2016-2-19 18:41:33

360杀毒扫描日志

病毒库版本：2016-02-18 11:00
扫描时间：2016-02-19 18:40:49
扫描用时：00:00:07
扫描类型：右键扫描
扫描文件总数：3
项目总数：1
清除项目数：1

扫描选项
----------------------
扫描所有文件：是
扫描压缩包：是
发现病毒处理方式：由360杀毒自动处理
扫描磁盘引导区：是
扫描 Rootkit：是
使用云查杀引擎：是
使用QVM人工智能引擎：是
扫描建议修复项：是
常规引擎设置：BitDefender Avira(小红伞)

扫描内容
----------------------
D:\360安全浏览器下载\新建压缩(zipped)文件夹 (3).zip

白名单设置
----------------------

扫描结果
======================
高危风险项
----------------------
D:\360安全浏览器下载\新建压缩(zipped)文件夹 (3).zip=>9.exe 感染型病毒(Win32/Trojan.89b) 已删除

显示全部楼层 · 发表于 2016-2-19 18:42:14

1446547521 发表于 2016-2-19 18:40
哈勃行为

[mw_shl_code=css,true]

除了获取系统权限和光标位置，感觉没什么可疑的地方

显示全部楼层 · 发表于 2016-2-19 18:44:03

aboringman 发表于 2016-2-19 15:50
HIPS指的应该是Application Control吧，那玩意挺不错的，只可惜与SW相同，与特征库、云、启发式联动。。 ...

拦截率？好像并没有IDP高吧，另外声纳我记得没有回滚

显示全部楼层 · 发表于 2016-2-19 18:46:01

windows7爱好者发表于 2016-2-19 18:42
除了获取系统权限和光标位置，感觉没什么可疑的地方

行为描述：按名称获取主机地址
详情信息：

computer

wpad

muarena.net

就是个登录器- -

显示全部楼层 · 发表于 2016-2-19 18:47:02

windows7爱好者发表于 2016-2-19 18:44
拦截率？好像并没有IDP高吧，另外声纳我记得没有回滚

SONAR是有回滚的，它的前身Norton Anti-Bot你去了解一下就知道了，跟IDP有渊源就在于此啊。。。。。。

拦截率，SONAR的定义还在不断更新，而IDP不知道多久没有大更新了，反应速度更不用比的，明显SONAR更快。。。。。。

显示全部楼层 · 发表于 2016-2-19 18:49:20

aboringman 发表于 2016-2-19 18:47
SONAR是有回滚的，它的前身Norton Anti-Bot你去了解一下就知道了，跟IDP有渊源就在于此啊。。。。。。

...

单从近期的双击测试发现，SONAR不如IDP

显示全部楼层 · 发表于 2016-2-19 18:49:36

aboringman 发表于 2016-2-19 18:47
SONAR是有回滚的，它的前身Norton Anti-Bot你去了解一下就知道了，跟IDP有渊源就在于此啊。。。。。。

...

速度不重要，能回滚就好，但是现在声纳明显是不如IDP啊

说句不好听的，我看声纳的拦截率也就比DPH高一些，你也知道DPH只防哪两种样本

显示全部楼层 · 发表于 2016-2-19 18:50:39

icedream89 发表于 2016-2-19 18:46
行为描述：按名称获取主机地址
详情信息：

我还一直认为楼主的样本是已经确定的病毒呢

显示全部楼层 · 发表于 2016-2-19 18:53:41

windows7爱好者发表于 2016-2-19 18:49
速度不重要，能回滚就好，但是现在声纳明显是不如IDP啊
说句不好听的，我看声纳的拦截率也就比DPH ...

单纯比拦截率应该是不相上下，但是我认为SONAR更胜一筹。。。。。。

拦截速度快，也就表明威胁造成的破坏要更少一些，或者换句话讲，IDP不如SONAR灵敏。。。。。。.

我正在等待AVG 2017的蜕变（就等着它IDP来个大更新），但目前希望渺茫啊。。。。。。

[其他相关] TR/Spy.Banker.Gen

浏览过的版块