Original poster: zhou0197

[Virus sample] The "Yao Ni Ming 3000" of the 敲竹杠 (extortion-locker) scene is back, same familiar flavor, now with a different Panda; as always, a warning: do not run this on a real machine...

zq19861019
Posted on 2016-9-4 11:15:34
G DATA scan: miss; double-clicked it inside Sandboxie

During Open the file "C:\Sandbox\琪\virus\drive\D\GameSetup" the "Win32.Worm.Fujacks.BY (Engine A)" virus was detected. Access denied. (Engine A: AVA 25.8139, Engine B: GD 25.7645)
During Close the file "C:\Sandbox\琪\virus\drive\D\GameSetup" the "Win32.Worm.Fujacks.BY (Engine A)" virus was detected. Access denied. (Engine A: AVA 25.8139, Engine B: GD 25.7645)
AVA 25.8139
GD 25.7645

*** Process ***

Process: 13756
File name: CF刷枪.exe
Path: f:\病毒样本\cf刷枪\cf刷枪.exe

Publisher: Unknown publisher
Creation date: 09/04/16 03:07:15
Modification date: 09/04/16 01:12:06

Started by: explorer.exe
Publisher: Microsoft Windows


*** Actions ***

The program has executed actions in the name of another program.
A packer was run on the program file, possibly to conceal malicious content.
The program is trying to create a startup item to launch a program automatically at system startup.
The program establishes a network connection.
The program has downloaded infected software.
The program has created or manipulated an executable file.
The program disables Windows Task Manager.


*** Quarantine ***

The following files were moved into quarantine:
F:\病毒样本\CF刷枪\CF刷枪.exe
c:\sandbox\琪\virus\drive\c\1.exe
c:\sandbox\琪\virus\drive\d\gamesetup
c:\sandbox\琪\virus\user\current\appdata\local\microsoft\windows\inetcookies\ijhapojl.txt
c:\sandbox\琪\virus\user\current\appdata\local\microsoft\windows\inetcookies\u26li53c.txt
c:\sandbox\琪\virus\user\current\appdata\local\microsoft\windows\inetcookies\wmt76jf2.txt

The following registry entries were deleted:

\registry\user\sandbox_琪_virus\user\current\software\microsoft\windows\currentversion\policies\system || disabletaskmgr

YGLxjYIKKycqJyomBiwnKCcoJgYtJyonKiYGLicpJykmBqdCJyd0cmJicCsnJycnJgbHcnJycmJigC4nJycnJga5YvGNcgnZcnKQLicnJiYnB8pycmJicnKgLScpJykmBtxygnKCYmLALycnJycmBo1ycmJicnLwKCcqJyomBv9ycmJicnJwp3JycNhycnJyYmJwuqLBXGOmgoJxXWPGcqLBXGOmcnDLcnJycmJicNtycnJyYmJw/HJyYmJycnCOcnIK9ygnB/cvJyknKSYGaCknB3gpJwe4LycoJygmBgA
Rules version: 5.0.118
OS: Windows 6.3 Service Pack 0.0 Build: 9600 - Workstation 64bit OS
dll version: 63860

"F:\病毒样本\CF刷枪\CF刷枪.exe"
MD5: B5C2D9AC2FC0C156AD0A944D8906C40F
C:\Windows\explorer.exe /factory,75dff2b7-6936-4c06-a8bb-676a7b00b24b -Embedding
MD5:
AVA 25.8139
GD 25.7645

*** Process ***

Process: 14784
File name: rundll32.exe
Path: c:\windows\syswow64\rundll32.exe

Publisher: Microsoft Windows
Creation date: 05/14/16 13:26:58
Modification date: 10/29/14 01:40:50

Started by: xappllv.dll
Publisher: ShenZhen Thunder Networking Technologies Ltd.


*** Actions ***

The program has executed actions in the name of another program.
A packer was run on the program file, possibly to conceal malicious content.
The program is trying to create a startup item to launch a program automatically at system startup.
The program establishes a network connection.
An unknown process was accessed.
The program has downloaded infected software.
The program has created or manipulated an executable file.
The program can be used to execute any program code.
The program disables Windows Task Manager.


*** Quarantine ***

The following files were moved into quarantine:
c:\sandbox\琪\virus\user\all\thunder network\downloadlib\pub_store.dat
c:\sandbox\琪\virus\user\current\appdata\local\microsoft\windows\inetcache\counters.dat
c:\sandbox\琪\virus\user\current\appdata\local\microsoft\windows\inetcache\ie\anu93dhm\gcollecttask_v1.2[1].dat
c:\sandbox\琪\virus\user\current\appdata\local\microsoft\windows\inetcache\ie\nnfn3mh1\tasklist_v2.1[1].dat
c:\sandbox\琪\virus\user\current\appdata\local\microsoft\windows\inetcache\ie\s8d8frp9\index_v2.1[1].dat
c:\sandbox\琪\virus\user\current\appdata\local\microsoft\windows\inetcache\ie\s8d8frp9\preresindex_v1.1[1].dat
c:\sandbox\琪\virus\user\current\appdata\local\microsoft\windows\inetcache\ie\zcjh0z4e\smartindex_v1.1[1].dat
c:\sandbox\琪\virus\user\current\appdata\local\microsoft\windows\inetcookies\ijhapojl.txt
c:\sandbox\琪\virus\user\current\appdata\local\microsoft\windows\inetcookies\u26li53c.txt
c:\sandbox\琪\virus\user\current\appdata\local\microsoft\windows\inetcookies\wmt76jf2.txt
c:\sandbox\琪\virus\user\public\thunder network\kankan\xapp\code\cmdengine\2039\dcpbaa1.tmp
c:\sandbox\琪\virus\user\public\thunder network\kankan\xapp\code\cmdengine\2277\dcpbab2.tmp
c:\sandbox\琪\virus\user\public\thunder network\kankan\xapp\code\cmdengine\dcpba8f.tmp
c:\sandbox\琪\virus\user\public\thunder network\kankan\xapp\code\cmdengine\dcpbaa0.tmp
c:\sandbox\琪\virus\user\public\thunder network\kankan\xapp\code\cmdengine\dcpbac2.tmp
c:\sandbox\琪\virus\user\public\thunder network\kankan\xapp\temp\index_v2.1.dat
c:\sandbox\琪\virus\user\public\thunder network\kankan\xapp\temp\tasklist_v2.1.dat
c:\sandbox\琪\virus\user\public\thunder network\kankan\xapp\xappcloud\cloudhistory_v1.1.dat
c:\sandbox\琪\virus\user\public\thunder network\kankan\xapp\xappcloud\cloudinfo.dat
c:\sandbox\琪\virus\user\public\thunder network\kankan\xapp\xappcloud\smartindex_v1.1.dat
c:\sandbox\琪\virus\user\public\thunder network\kankan\xapp\xappdc\gcollecttask.dat
c:\sandbox\琪\virus\user\public\thunder network\kankan\xapp\xappod\b1de1668_0f4d_47b2_8b18_3a32a1d69c6d_v1.2.od
c:\sandbox\琪\virus\user\public\thunder network\kankan\xapp\xappres\preresindex_v1.1.dat

The following registry entries were deleted:

\registry\user\sandbox_琪_virus\user\current\software\microsoft\windows\currentversion\internet settings\connections || savedlegacysettings
\registry\user\sandbox_琪_virus\user\current\software\microsoft\windows\currentversion\internet settings || proxyserver
\registry\user\sandbox_琪_virus\user\current\software\microsoft\windows\currentversion\policies\system || disabletaskmgr

YGLxjnKssHKiYmJyosByonKCcoLQcqJiYnKi4HLScnJywnAqdIJCJyd0cnArJygnJycHx3JyYmJycoArJycnJyYG6HJyYmJycoAvJ/eQKxbvKGcI2XJykC4nLycoJw2acoJygmJioConC8py0nKCcrKgLScvJywnCZtyomJicqLAKieMcnIqJ+rALScoJiYnCPxycmJicnLQKCcpJygnB71ycmJicnLwKCdocnIsJwp3KicIhy0nKCcnJweXLScnJycmBqcrGM01ZiwpG4c1ZionGM01ZiwIpy0nKCYmJwinLiencMtycmJicnJw23KCcnJycnD7coItJywneHDscoJiYnKCcPxycignLCcM5ygn3HDucrJwj3JycP9ykmJicpKAlnLygJdycoD7crJiYnKyAAA
Rules version: 5.0.118
OS: Windows 6.3 Service Pack 0.0 Build: 9600 - Workstation 64bit OS
dll version: 63860

RunDll32.exe "C:\Users\Public\Thunder Network\KanKan\Pusher\xappdisp.2.0.0.90.dll",NewTipsMain /src:explorer64
MD5: 8BFE805555CDAF6387912A34D7978DAA
"C:\Windows\SysWOW64\rundll32.exe" "C:\Users\Public\Thunder Network\KanKan\Pusher\xappllv.dll",RunDllWithFix xappdisp.dll,NewTipsMain /src:explorer64
MD5:


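The two G DATA behavior-monitor reports above share one plain-text layout (`*** Process ***`, `*** Actions ***`, `*** Quarantine ***`), and the indicators a triager cares about are buried in it: the `disabletaskmgr` policy value, the dropped `C:\1.exe` and `D:\GameSetup` (root-of-drive executables being the classic autorun-spreading pattern of Fujacks / 熊猫烧香, which is what G DATA named the sample), and the startup/network actions. The following Python is an added example, not code from the thread or from G DATA: it parses that report format and flags those indicators. The sample text is an abridged copy of the first report (some cookie files omitted); the mapping of Sandboxie's `...\drive\X\` container folder back to `X:\` is an assumption about Sandboxie's on-disk layout, and the helper names are my own.

```python
import re

# Constructed sample input: abridged copy of the first G DATA report in the thread
# (cookie entries trimmed). Raw string so the Windows backslashes survive as-is.
SAMPLE_REPORT = r"""
*** Process ***

Process: 13756
File name: CF刷枪.exe
Path: f:\病毒样本\cf刷枪\cf刷枪.exe

Publisher: Unknown publisher
Creation date: 09/04/16 03:07:15
Modification date: 09/04/16 01:12:06

Started by: explorer.exe
Publisher: Microsoft Windows


*** Actions ***

The program has executed actions in the name of another program.
A packer was run on the program file, possibly to conceal malicious content.
The program is trying to create a startup item to launch a program automatically at system startup.
The program establishes a network connection.
The program has downloaded infected software.
The program has created or manipulated an executable file.
The program disables Windows Task Manager.


*** Quarantine ***

The following files were moved into quarantine:
F:\病毒样本\CF刷枪\CF刷枪.exe
c:\sandbox\琪\virus\drive\c\1.exe
c:\sandbox\琪\virus\drive\d\gamesetup
c:\sandbox\琪\virus\user\current\appdata\local\microsoft\windows\inetcookies\ijhapojl.txt

The following registry entries were deleted:

\registry\user\sandbox_琪_virus\user\current\software\microsoft\windows\currentversion\policies\system || disabletaskmgr
"""

HEADER = re.compile(r"^\*\*\* (.+?) \*\*\*$")
# Assumed Sandboxie layout: <sandbox root>\<user>\<box>\drive\<letter>\<path>
SANDBOX_DRIVE = re.compile(r"^[a-z]:\\sandbox\\[^\\]+\\[^\\]+\\drive\\([a-z])\\(.*)$", re.I)
ROOT_FILE = re.compile(r"^[a-z]:\\[^\\]+$", re.I)  # file directly in a drive root


def parse_report(text):
    """Split a G DATA behavior report into its *** sections *** and structure them."""
    sections, current = {}, None
    for line in text.splitlines():
        line = line.rstrip()
        m = HEADER.match(line)
        if m:
            current = m.group(1)
            sections[current] = []
        elif current is not None and line:
            sections[current].append(line)

    process = {}
    for line in sections.get("Process", []):
        key, _, value = line.partition(":")
        key, value = key.strip(), value.strip()
        if key == "Publisher" and key in process:  # second Publisher belongs to the parent
            key = "Parent publisher"
        process[key] = value

    files, regs, bucket = [], [], None
    for line in sections.get("Quarantine", []):
        if line.startswith("The following files"):
            bucket = files
        elif line.startswith("The following registry"):
            bucket = regs
        elif bucket is not None:
            bucket.append(line)
    registry = [tuple(p.strip() for p in r.partition("||")[::2]) for r in regs]
    return {"process": process, "actions": sections.get("Actions", []),
            "quarantined_files": files, "registry_deleted": registry}


def unsandbox(path):
    """Map a Sandboxie container path (...\\drive\\d\\x) back to the real path (D:\\x)."""
    m = SANDBOX_DRIVE.match(path)
    return f"{m.group(1).upper()}:\\{m.group(2)}" if m else path


def drive_root_drops(files):
    """Files the sample wrote directly into a drive root (autorun-worm spreading pattern)."""
    return [p for p in (unsandbox(f) for f in files) if ROOT_FILE.match(p)]


def triage(text):
    """Reduce one report to the handful of indicators worth acting on."""
    r = parse_report(text)
    actions = " ".join(r["actions"]).lower()
    reg_values = {value.lower() for _, value in r["registry_deleted"]}
    return {
        "process": r["process"].get("File name"),
        "parent": r["process"].get("Started by"),
        "packed": "packer" in actions,
        "startup_item": "startup item" in actions,
        "network": "network connection" in actions,
        "task_manager_disabled": "disabletaskmgr" in reg_values or "task manager" in actions,
        "drive_root_drops": drive_root_drops(r["quarantined_files"]),
    }


if __name__ == "__main__":
    for k, v in triage(SAMPLE_REPORT).items():
        print(f"{k}: {v}")
```

Feeding the second report (the `rundll32.exe` one) through the same `triage` would show the parent as `xappllv.dll` from the Thunder Network (KanKan) pusher, which is the part of this chain a responder would want to follow up on separately from the Fujacks drops.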
zhou0197
(OP) | Posted on 2016-9-4 11:17:27
XywCloud posted on 2016-9-4 10:55
Compared with the last 敲竹杠 sample, this one just bundles an extra 熊猫烧香 (Panda Burning Incense) on top (confirmed to be the original; don't ask me how I know).
None of the other techniques have changed at all.

Indeed... though I have no idea why they added a Panda...
qftest
Posted on 2016-9-4 11:21:08
zhou0197 posted on 2016-9-4 11:17
Indeed... though I have no idea why they added a Panda...

Commemorative edition?
lzy2010000
Posted on 2016-9-4 11:31:22
Huorong, with the signature database from September 2

[This post contains an additional attachment (screenshot).]
蓝天二号
Posted on 2016-9-4 12:15:06
lzy2010000 posted on 2016-9-4 11:31
Huorong, with the signature database from September 2

Did you double-click it? On my side, after exiting Huorong to test IDP, the computer rebooted immediately.
lzy2010000
Posted on 2016-9-4 12:17:47
蓝天二号 posted on 2016-9-4 12:15
Did you double-click it? On my side, after exiting Huorong to test IDP, the computer rebooted immediately.

No double-click; the real-time monitor killed it. Huorong presumably added it to the database from the earlier samples, so this one was killed outright.
fzshot
Posted on 2016-9-4 13:34:10
Zemana AntiLogger: kill

[This post contains an additional attachment (screenshot).]
bbszy
Posted on 2016-9-4 14:09:13
McAfee: miss
kenlig
Posted on 2016-9-4 14:42:16
Avast seems to have caught it
tg123321
Posted on 2016-9-4 14:53:15
zhou0197 posted on 2016-9-4 11:17
Indeed... though I have no idea why they added a Panda...

Result: WD killed it instantly
Copyright © KaFan  KaFan.cn All Rights Reserved.
Powered by Discuz! X3.4 ( 沪ICP备2020031077号-2 ) GMT+8, 2024-11-25 10:30