Views: 8042 | Replies: 49

[Suspicious file] Detection ratio: 3 / 56 Exploit Toolkit Website 67 crypto-ransomware drive-by download

墨家小子
Posted on 2016-3-15 09:26:02
SHA256: f16dc7e39a5c37ccad46647c3c9d4f5d7c74c8556590c2280d7bfcd9e4f56e0a
File name: 522.tmp.exe
Detection ratio: 3 / 56
Analysis date: 2016-03-15 01:23:35 UTC (1 minute ago)
https://www.virustotal.com/en/file/f16dc7e39a5c37ccad46647c3c9d4f5d7c74c8556590c2280d7bfcd9e4f56e0a/analysis/1458005015/

McAfee        Ransomware-FGN!13DB1E0C0110        20160314
McAfee-GW-Edition        BehavesLike.Win32.Downloader.fh        20160314
Qihoo-360        HEUR/QVM07.1.0000.Malware.Gen        20160315



ericdj
Posted on 2016-3-15 09:33:03
GD's proactive defense killed it.

蓝天二号
Posted on 2016-3-15 10:01:03
ESS blocked the download.

ymb668888
Posted on 2016-3-15 10:04:56
Kaspersky blocked the download.

shadowqs
Posted on 2016-3-15 10:10:26
Last edited by shadowqs on 2016-3-15 10:11

Blocking the download is no use at all; only a block that fires after you click it counts.

WD didn't react... still OK, I guess.
rrorr
Posted on 2016-3-15 10:29:28
Last edited by rrorr on 2016-3-15 10:33

522.tmp.exe threat name: SONAR.SelfHijack!gen1

HMPA
[mw_shl_code=css,true]Mitigation   CryptoGuard

Platform     6.1.7601/x86 06_3c*
PID          3824
Application  C:\mbdlwu.exe

Filename     C:\mbdlwu.exe

C:\Users\Administrator.PC-20151228ESVT\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\8ORKVNOM\blank[1].png
C:\Users\Administrator.PC-20151228ESVT\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\8ORKVNOM\bkgrey[1].png
C:\$Recycle.Bin\S-1-5-21-2822333451-2535238799-2698388218-500\$RGGXS6Y.doc

Code Injection
00400000-0047B000  492KB C:\mbdlwu.exe [3052]
7FFDD000-7FFDE000    4KB
1  C:\mbdlwu.exe [3052]
\mbdlwu.exe
2  C:\Users\Administrator.PC-20151228ESVT\Desktop\522.tmp\522.tmp.exe [1488]
3  C:\Users\Administrator.PC-20151228ESVT\Desktop\522.tmp\522.tmp.exe [1044]
4  C:\Windows\explorer.exe [3528]
5  C:\Windows\System32\userinit.exe [3444]
6  C:\Windows\System32\winlogon.exe [3228]
winlogon.exe
7  C:\Windows\System32\smss.exe [3172]
\SystemRoot\System32\smss.exe 00000000 00000040

Process Trace
1  C:\mbdlwu.exe [3824]
\mbdlwu.exe
2  C:\mbdlwu.exe [3052]
\mbdlwu.exe
3  C:\Users\Administrator.PC-20151228ESVT\Desktop\522.tmp\522.tmp.exe [1488]
4  C:\Users\Administrator.PC-20151228ESVT\Desktop\522.tmp\522.tmp.exe [1044]
5  C:\Windows\explorer.exe [3528]
6  C:\Windows\System32\userinit.exe [3444]
7  C:\Windows\System32\winlogon.exe [3228]
winlogon.exe
8  C:\Windows\System32\smss.exe [3172]
\SystemRoot\System32\smss.exe 00000000 00000040
[/mw_shl_code]
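An added example, not code from the thread or from HitmanPro.Alert: a small Python parser for the CryptoGuard "Process Trace" quoted above that flags images running from outside an assumed allow-list of directories and a process re-spawned from its own image, which is the pattern the SONAR.SelfHijack name refers to. The trace text is a constructed copy of the post's lines, and TRUSTED_DIRS is an assumption to tune per environment.

```python
import re

# Constructed copy of the Process Trace lines from the CryptoGuard report
# quoted in the post above (paths and PIDs as posted; not a fresh capture).
SAMPLE_TRACE = """\
Process Trace
1  C:\\mbdlwu.exe [3824]
\\mbdlwu.exe
2  C:\\mbdlwu.exe [3052]
\\mbdlwu.exe
3  C:\\Users\\Administrator.PC-20151228ESVT\\Desktop\\522.tmp\\522.tmp.exe [1488]
4  C:\\Users\\Administrator.PC-20151228ESVT\\Desktop\\522.tmp\\522.tmp.exe [1044]
5  C:\\Windows\\explorer.exe [3528]
6  C:\\Windows\\System32\\userinit.exe [3444]
7  C:\\Windows\\System32\\winlogon.exe [3228]
winlogon.exe
8  C:\\Windows\\System32\\smss.exe [3172]
\\SystemRoot\\System32\\smss.exe 00000000 00000040
"""

# "<depth>  <image path> [<pid>]"; bare image-name and section lines are skipped.
TRACE_LINE = re.compile(r"^\s*(\d+)\s+(.+?)\s+\[(\d+)\]\s*$")

# Assumed allow-list of image locations (example value, tune for the environment).
TRUSTED_DIRS = ("c:\\windows\\", "c:\\program files")


def parse_trace(text):
    """Return [(depth, image_path, pid), ...] from the flagged process (depth 1)
    up to its root ancestor, in the order CryptoGuard prints them."""
    chain = []
    for line in text.splitlines():
        m = TRACE_LINE.match(line)
        if m:
            chain.append((int(m.group(1)), m.group(2), int(m.group(3))))
    return chain


def suspicious_ancestry(chain):
    """Flag the two things visible in the quoted report: an image running from
    outside TRUSTED_DIRS, and a process whose parent is the same image
    (the re-spawn pattern behind the SONAR.SelfHijack name)."""
    findings = []
    for i, (_, path, pid) in enumerate(chain):
        if not path.lower().startswith(TRUSTED_DIRS):
            findings.append(f"untrusted location: {path} [{pid}]")
        # The next entry in the trace is this process's parent.
        if i + 1 < len(chain) and chain[i + 1][1].lower() == path.lower():
            findings.append(f"self-spawn: {path} [{pid}] child of [{chain[i + 1][2]}]")
    return findings
```

Run against the constructed trace it reports the four user-writable image locations and the two self-spawns (mbdlwu.exe from mbdlwu.exe, 522.tmp.exe from 522.tmp.exe), which is the chain an analyst would want to confirm before trusting the low VirusTotal hit count.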
Luca.l
Posted on 2016-3-15 10:41:53
Every time I test your samples with Tencent PC Manager it feels hopeless.
Scan: missed.
Double-click: no reaction........

Habo: https://habo.qq.com/file/showdetail?pk=ADQGYF1uB24IOFs8
ymb668888
Posted on 2016-3-15 11:00:04
> shadowqs posted on 2016-3-15 10:10
> Blocking the download is no use at all; only a block that fires after you click it counts.
>
> WD didn't react... still OK, I guess.

How does that count? Turn off Kaspersky's Web Anti-Virus, download it, then disconnect the network and double-click it, and only then does a block count?
kbsj123321
Posted on 2016-3-15 12:03:56
> ymb668888 posted on 2016-3-15 11:00
> How does that count? Turn off Kaspersky's Web Anti-Virus, download it, then disconnect the network and double-click it, and only then does a block count?

Do you get the double-click part?
shadowqs
Posted on 2016-3-15 12:26:22
Last edited by shadowqs on 2016-3-15 12:31

I double-clicked it, with Avira Free installed. Screenshots below.

It shows up, sure, but I haven't found any file that was actually encrypted yet. I'll keep looking; it just generates a pile of junk files, which is annoying.

The gist is that your files have been encrypted and here is what you have to do...

What appeared after running it:

Extra entries in the process list:
[mw_shl_code=css,true]NOT YOUR LANGUAGE? USE https://translate.google.com

What's the matter with your files?

Your data was secured using a strong encryption with RSA4096.
Use the link down below to find additional information on the encryption keys using RSA4096:https://en.wikipedia.org/wiki/RSA_(cryptosystem)

What exactly that means?

It means that on a structural level your files have been transformed. You won't be able to use, read, see or work with them anymore.
In other words they are useless, however, there is a possibility to restore them with our help.

What exactly happened to your files?

*** Two personal RSA4096 keys were generated for your PC/Laptop; one key is public, another key is private.
*** All your data and files were encrypted by the means of the public key, which you received over the web.
*** In order to decrypt your data and gain access to your computer you need a private key and a decryption software, which can be found on one of our secret servers.

What should you do next?

There are several options for you to consider:
1. You can wait for a while until the price of a private key will raise, so you will have to pay twice as much to access your files or
2. You can start getting BitCoins right now and get access to your data quite fast.
In case you have valuable files, we advise you to act fast as there is no other option rather than paying in order to get back your data.

In order to obtain specific instructions, please access your personal homepage by choosing one of the few addresses down below:
http://kkr4hbwdklf234bfl84uoqlef ... om/D95B8AE43BEDE9E9
http://974gfbjhb23hbfkyfaby3byql ... om/D95B8AE43BEDE9E9
http://a64gfdsjhb4htbiwaysbdvukyft5q.zobodine.at/D95B8AE43BEDE9E9

If you can't access your personal homepage or the addresses are not working, complete the following steps:
1. Download TOR Browser - http://www.torproject.org/projects/torbrowser.html.en
2. Install TOR Browser
3. Open TOR Browser
4. Insert the following link in the address bar: k7tlx3ghr3m4n2tu.onion/D95B8AE43BEDE9E9
5. Follow the steps on your screen

IMPORTANT INFORMATION

Your personal homepages:
http://kkr4hbwdklf234bfl84uoqlef ... om/D95B8AE43BEDE9E9
http://974gfbjhb23hbfkyfaby3byql ... om/D95B8AE43BEDE9E9
http://a64gfdsjhb4htbiwaysbdvukyft5q.zobodine.at/D95B8AE43BEDE9E9

Your personal page Tor-Browser k7tlx3ghr3m4n2tu.onion/D95B8AE43BEDE9E9
Your personal identification ID: D95B8AE43BEDE9E9
[/mw_shl_code]

KaFan Forum (卡饭论坛) | Copyright © KaFan KaFan.cn All Rights Reserved.