Detection ratio: 4 / 55 Angler Exploit Kit Redirect 加密勒索挂马

墨家小子

SHA256:        889dfba211db94866097af6e3455a9c39a74a74870629ddc91de62e6fcf8a5e3
File name:        6D85.tmp.exe
Detection ratio:        4 / 55
Analysis date:        2016-02-21 07:17:34 UTC ( 0 minutes ago )
https://www.virustotal.com/en/file/889dfba211db94866097af6e3455a9c39a74a74870629ddc91de62e6fcf8a5e3/analysis/1456039054/

AhnLab-V3        Trojan/Win32.Teslacrypt        20160220
McAfee        Ransomware-FEB!1D6C2A9709DB        20160221
Qihoo-360        HEUR/QVM07.1.Malware.Gen        20160221
Rising        PE:Trojan.Ransom-Tesla!1.A322 [F]        20160221

2016/2/21 15:00:14,高,阻止了 www.cifor.com 的入侵企图,已阻止,不需要操作,,不需要操作,不需要操作,Web Attack: Angler Exploit Kit Redirect,"www.cifor.com (213.186.33.17, 80)",www.cifor.com/,"XXXX (XXXX, 1XXX4)",www.cifor.com (213.186.33.17),"TCP, www-http"

aboringman

AVG：

扫描：miss；

双击：实机双击，IDP击杀之。（连同衍生物“gcignvlalyig.exe”，并阻止“cmd.exe”的后续操作）

"";"IDP.SMP.12, C:\USERS\KILLER\DESKTOP\6D85.TMP.EXE";"Deleted";"File or Directory";"2016/2/21, 15:47:45"

"";", C:\USERS\KILLER\DESKTOP\6D85.TMP.EXE";"Object was blocked";"Process";"2016/2/21, 15:47:45"

"";", C:\Windows\gcignvlalyig.exe";"Object was blocked";"Process";"2016/2/21, 15:47:45"

"";", C:\Windows\System32\cmd.exe";"Object was blocked";"Process";"2016/2/21, 15:47:45"

"";", C:\Windows\gcignvlalyig.exe";"Deleted, Moved to Virus Vault";"File or Directory";"2016/2/21, 15:47:45"

"";", C:\USERS\KILLER\DESKTOP\6D85.TMP.EXE";"Object was blocked";"Process";"2016/2/21, 15:47:45"

lzy2010000

FSP扫描MISS，双击拦截

ymb668888

卡巴主防完美拦截，并回滚病毒操作

21.02.2016 15.51.35;恶意程序的操作已回滚;PDM:Trojan.Win32.Generic;C:\Users\Administrator\Downloads\6D85.tmp.exe;c:\sandbox\administrator\defaultbox\drive\c\windows\fsocyodrlhio.exe;02/21/2016 15:51:35
21.02.2016 15.51.35;恶意程序的操作已回滚;PDM:Trojan.Win32.Generic;C:\Users\Administrator\Downloads\6D85.tmp.exe;c:\sandbox\administrator\defaultbox\drive\c\windows\fsocyodrlhio.exe;02/21/2016 15:51:35
21.02.2016 15.51.35;恶意程序的操作已回滚;PDM:Trojan.Win32.Generic;C:\Users\Administrator\Downloads\6D85.tmp.exe;c:\users\administrator\downloads\6d85.tmp.exe;02/21/2016 15:51:35
21.02.2016 15.51.35;恶意程序的操作已回滚;PDM:Trojan.Win32.Generic;C:\Users\Administrator\Downloads\6D85.tmp.exe;c:\users\administrator\downloads\6d85.tmp.exe;02/21/2016 15:51:35
21.02.2016 15.51.35;回滚恶意程序的操作时文件被恢复;c:\sandbox\administrator\defaultbox\drive\c\$recycle.bin\s-1-5-21-2382313841-2341094415-2425494424-500\$iaafs8h.zip;c:\sandbox\administrator\defaultbox\drive\c\$recycle.bin\s-1-5-21-2382313841-2341094415-2425494424-500\$iaafs8h.zip;C:\Sandbox\Administrator\DefaultBox\drive\C\Windows\fsocyodrlhio.exe;c:\users\administrator\downloads\6d85.tmp.exe;02/21/2016 15:51:35
21.02.2016 15.51.35;回滚恶意程序的操作时文件被恢复;c:\sandbox\administrator\defaultbox\drive\c\$recycle.bin\s-1-5-21-2382313841-2341094415-2425494424-500\$r3jkwdn.rar;c:\sandbox\administrator\defaultbox\drive\c\$recycle.bin\s-1-5-21-2382313841-2341094415-2425494424-500\$r3jkwdn.rar;C:\Sandbox\Administrator\DefaultBox\drive\C\Windows\fsocyodrlhio.exe;c:\users\administrator\downloads\6d85.tmp.exe;02/21/2016 15:51:35
21.02.2016 15.51.35;回滚恶意程序的操作时文件被恢复;c:\sandbox\administrator\defaultbox\drive\c\$recycle.bin\s-1-5-21-2382313841-2341094415-2425494424-500\$raafs8h.zip;c:\sandbox\administrator\defaultbox\drive\c\$recycle.bin\s-1-5-21-2382313841-2341094415-2425494424-500\$raafs8h.zip;C:\Sandbox\Administrator\DefaultBox\drive\C\Windows\fsocyodrlhio.exe;c:\users\administrator\downloads\6d85.tmp.exe;02/21/2016 15:51:35
21.02.2016 15.51.35;回滚恶意程序的操作时文件被恢复;c:\sandbox\administrator\defaultbox\user\current\appdata\local\microsoft\internet explorer\brndlog.txt;c:\sandbox\administrator\defaultbox\user\current\appdata\local\microsoft\internet explorer\brndlog.txt;C:\Sandbox\Administrator\DefaultBox\drive\C\Windows\fsocyodrlhio.exe;c:\users\administrator\downloads\6d85.tmp.exe;02/21/2016 15:51:35
21.02.2016 15.51.35;回滚恶意程序的操作时文件被恢复;c:\sandbox\administrator\defaultbox\drive\c\$recycle.bin\s-1-5-21-2382313841-2341094415-2425494424-500\$i3jkwdn.rar;c:\sandbox\administrator\defaultbox\drive\c\$recycle.bin\s-1-5-21-2382313841-2341094415-2425494424-500\$i3jkwdn.rar;C:\Sandbox\Administrator\DefaultBox\drive\C\Windows\fsocyodrlhio.exe;c:\users\administrator\downloads\6d85.tmp.exe;02/21/2016 15:51:35
21.02.2016 15.49.59;恶意程序已删除;PDM:Trojan.Win32.Generic;Popcorn Rocket Pointillist;c:\users\administrator\downloads\6d85.tmp.exe;02/21/2016 15:49:59
21.02.2016 15.49.59;恶意程序已删除;PDM:Trojan.Win32.Generic;Popcorn Rocket Pointillist;c:\sandbox\administrator\defaultbox\drive\c\windows\fsocyodrlhio.exe;02/21/2016 15:49:59
21.02.2016 15.49.59;恶意程序已删除;PDM:Trojan.Win32.Generic;Popcorn Rocket Pointillist;c:\sandbox\administrator\defaultbox\drive\c\windows\fsocyodrlhio.exe;02/21/2016 15:49:59
21.02.2016 15.49.59;恶意程序已删除;PDM:Trojan.Win32.Generic;Popcorn Rocket Pointillist;c:\users\administrator\downloads\6d85.tmp.exe;02/21/2016 15:49:59
21.02.2016 15.49.53;恶意程序已终止;PDM:Trojan.Win32.Generic;Popcorn Rocket Pointillist;C:\Sandbox\Administrator\DefaultBox\drive\C\Windows\fsocyodrlhio.exe;02/21/2016 15:49:53
21.02.2016 15.49.53;检测到恶意程序;PDM:Trojan.Win32.Generic;Popcorn Rocket Pointillist;c:\sandbox\administrator\defaultbox\drive\c\windows\fsocyodrlhio.exe;02/21/2016 15:49:53
21.02.2016 15.49.53;检测到恶意程序;PDM:Trojan.Win32.Generic;Popcorn Rocket Pointillist;c:\users\administrator\downloads\6d85.tmp.exe;02/21/2016 15:49:53
21.02.2016 15.49.53;检测到恶意程序;PDM:Trojan.Win32.Generic;Popcorn Rocket Pointillist;c:\users\administrator\downloads\6d85.tmp.exe;02/21/2016 15:49:53
21.02.2016 15.49.53;检测到恶意程序;PDM:Trojan.Win32.Generic;Popcorn Rocket Pointillist;c:\sandbox\administrator\defaultbox\drive\c\windows\fsocyodrlhio.exe;02/21/2016 15:49:53
21.02.2016 15.49.51;应用程序已添加至组受信任组;WMI Commandline Utility;WMI Commandline Utility;C:\Windows\System32\wbem\WMIC.exe;02/21/2016 15:49:51
21.02.2016 15.49.35;可选择扫描;未检测到威胁;0;0;0;今天，2016/2/21 12:14;0 秒;02/21/2016 15:49:35
21.02.2016 15.49.18;应用程序已添加至组低限制组;Popcorn Rocket Pointillist;Popcorn Rocket Pointillist;C:\Sandbox\Administrator\DefaultBox\drive\C\Windows\fsocyodrlhio.exe;02/21/2016 15:49:18
21.02.2016 15.48.46;应用程序已添加至组低限制组;Popcorn Rocket Pointillist;Popcorn Rocket Pointillist;C:\Users\Administrator\downloads\6D85.tmp.exe;02/21/2016 15:48:46

墨家小子

aboringman 发表于 2016-2-21 15:48
AVG：

扫描：miss；

你双击一下这个给我看看
http://bbs.kafan.cn/thread-1712473-1-1.html

墨家小子

aboringman 发表于 2016-2-21 15:48
AVG：

扫描：miss；

还有这几个
https://www.google.com/search?q= ... HYPLDB0QrQIIJSgEMAA

ericdj

Gdata
右键miss


右键入沙
BB blocked！


详细信息~
[mw_shl_code=css,true]Started by: 6d85.tmp.exe
Publisher: Unknown publisher


*** Actions ***

The program file is misleadingly named to deceive the user (e.g. 'Image.jpg.exe')
The program was modified in memory.
An unknown process was accessed.
The program has created or manipulated an executable file.
The program can be used to execute any program code.
The program created a copy of itself.


*** Quarantine ***

The following files were moved into quarantine:
C:\Users\Administrator\Desktop\Special files\6D85.tmp.exe
c:\sandbox\administrator\suspected\drive\c\windows\odgypeprrgng.exe
c:\users\administrator\desktop\special files\6d85.tmp.exe

The following registry entries were deleted:


YGLRKNnQcnJycmJi4HKiKifncoIMZ3KCYmJygnAoJycnJyYGp0InKXRyQicIt3KScnJygpArFo1yB+lycmJicnKgLCcnJiYnB5xygnJycnLAKicnJiYnB/xycnJyYmLQKCcnJiYnB+1ycmJicnLwKCcnJiYnB89ycnJyYmJwuqJhV2O2oqJhV2O2cqJhV2O2knDbcnJycmJicPxygmJicoJwjnJyCecpJy8nLyYGaCknBwA
Rules version: 5.0.83
OS: Windows 10.0 Service Pack 0.0 Build: 10240 - Workstation 32bit OS
dll version: 55982

"C:\Users\Administrator\Desktop\Special files\6D85.tmp.exe"
MD5: 1D6C2A9709DB56990EC3E5E26C12C775
"C:\Users\Administrator\Desktop\Special files\6D85.tmp.exe"
MD5: 1D6C2A9709DB56990EC3E5E26C12C775[/mw_shl_code]

aboringman

墨家小子 发表于 2016-2-21 16:11
你双击一下这个给我看看
http://bbs.kafan.cn/thread-1712473-1-1.html

怎么运行。。。。。。该不会是漏洞利用之类的吧。。。。。。

墨家小子

aboringman 发表于 2016-2-21 16:27
怎么运行。。。。。。该不会是漏洞利用之类的吧。。。。。。

你们不是喜欢双击吗？那么这种呢？怎么双击啊？
http://bbs.kafan.cn/thread-1705893-1-1.html

aboringman

墨家小子 发表于 2016-2-21 16:29
你们不是喜欢双击吗？那么这种呢？怎么双击啊？
http://bbs.kafan.cn/thread-1705893-1-1.html

原来如此，是这个意思啊，我明白了