Views: 6844 | Replies: 31

[Virus samples] Big 18X sample roundup

windows7爱好者
Posted 2016-10-21 13:51:54
Last edited by windows7爱好者 on 2016-10-21 14:38

SEP14 killed 17 of them. As for how the last one turns out, wait a bit; I'm stepping out and will test it when I'm back.

The last one is a foreign RAT, blocked by IPS. Unfortunately I fumbled and only managed one screenshot.

Well, SONAR killed it first. When I double-clicked it a second time to take a screenshot, SONAR got it first...

Perfect.

驭龙
Posted 2016-10-21 13:57:41
Last edited by 驭龙 on 2016-10-21 14:37

SCEP 4.10 with real-time monitoring turned off: killed two, one of them via the cloud. I didn't have the patience; most of the samples I terminated by hand.


Back to the normal test: the scan killed 17.
[mw_shl_code=css,true]Result Count:9
Threat Name:Trojan:Win32/Dynamer!ac
ID:2147684005
Severity:5
Number of Resources:1
Resource Schema:file
Resource Path:C:\Users\win8\Downloads\新建文件夹\2016-10-19-EITest-Rig-EK-first-run-follow-up-malware.exe
Extended Info:24633280164582
Threat Name:Trojan:Win32/Ipac.F!cl
ID:2147711351
Severity:5
Number of Resources:1
Resource Schema:file
Resource Path:C:\Users\win8\Downloads\新建文件夹\2016-10-19-EITest-Rig-EK-payload-first-run.exe
Extended Info:42226218405392
Threat Name:VirTool:Win32/Injector.GE
ID:2147696959
Severity:5
Number of Resources:1
Resource Schema:file
Resource Path:C:\Users\win8\Downloads\新建文件夹\2016-10-19-EITest-Rig-EK-payload-second-run.exe
Extended Info:24632992611360
Threat Name:Ransom:Win32/HydraCrypt.A
ID:2147716793
Severity:5
Number of Resources:1
Resource Schema:file
Resource Path:C:\Users\win8\Downloads\新建文件夹\2016-10-20-EITest-Rig-EK-payload-2nd-run.exe
Extended Info:24635554612150
Threat Name:VirTool:Win32/CeeInject.GF
ID:2147694609
Severity:5
Number of Resources:2
Resource Schema:file
Resource Path:C:\Users\win8\Downloads\新建文件夹\2016-10-20-EITest-Rig-EK-payload-4th-run.exe
Extended Info:24634456417788
Resource Schema:file
Resource Path:C:\Users\win8\Downloads\新建文件夹\2016-10-20-EITest-Rig-EK-payload-3rd-run.exe
Extended Info:24634456417788
Threat Name:Trojan:Win32/Repexit
ID:2147689774
Severity:5
Number of Resources:1
Resource Schema:file
Resource Path:C:\Users\win8\Downloads\新建文件夹\2016-10-20-EITest-Rig-EK-payload-5th-run.exe
Extended Info:42225501875778
Threat Name:Trojan:Win32/Peals.B!cl
ID:2147691762
Severity:5
Number of Resources:1
Resource Schema:file
Resource Path:C:\Users\win8\Downloads\新建文件夹\2016-10-20-EITest-Rig-EK-payload-6th-run.exe
Extended Info:42224123641811
Threat Name:TrojanDownloader:Win32/Talalpek.A
ID:2147712209
Severity:5
Number of Resources:1
Resource Schema:file
Resource Path:C:\Users\win8\Downloads\新建文件夹\2016-10-20-EITest-Rig-EK-payload-7th-run.exe
Extended Info:42227748362094
Threat Name:Ransom:Win32/Cerber
ID:2147709928
Severity:5
Number of Resources:8
Resource Schema:file
Resource Path:C:\Users\win8\Downloads\新建文件夹\2016-10-20-pseudoDarkleech-Rig-EK-payload-Cerber-8th-run.exe
Extended Info:24633206644489
Resource Schema:file
Resource Path:C:\Users\win8\Downloads\新建文件夹\2016-10-20-pseudoDarkleech-Rig-EK-payload-Cerber-7th-run.exe
Extended Info:24633206644489
Resource Schema:file
Resource Path:C:\Users\win8\Downloads\新建文件夹\2016-10-20-pseudoDarkleech-Rig-EK-payload-Cerber-6th-run.exe
Extended Info:24633206644489
Resource Schema:file
Resource Path:C:\Users\win8\Downloads\新建文件夹\2016-10-20-pseudoDarkleech-Rig-EK-payload-Cerber-5th-run.exe
Extended Info:24633206644489
Resource Schema:file
Resource Path:C:\Users\win8\Downloads\新建文件夹\2016-10-20-pseudoDarkleech-Rig-EK-payload-Cerber-4th-run.exe
Extended Info:24633206644489
Resource Schema:file
Resource Path:C:\Users\win8\Downloads\新建文件夹\2016-10-20-pseudoDarkleech-Rig-EK-payload-Cerber-3rd-run.exe
Extended Info:24633206644489
Resource Schema:file
Resource Path:C:\Users\win8\Downloads\新建文件夹\2016-10-20-pseudoDarkleech-Rig-EK-payload-Cerber-2nd-run.exe
Extended Info:24633206644489
Resource Schema:file
Resource Path:C:\Users\win8\Downloads\新建文件夹\2016-10-20-pseudoDarkleech-Rig-EK-payload-Cerber-1st-run.exe
Extended Info:24633206644489
End Scan
[/mw_shl_code]

With monitoring on, double-clicking the one remaining sample: killed via the cloud:
[mw_shl_code=css,true]
2016-10-21T06:27:21.249Z MAPS Report Send (hr=0x0 httpcode=200)
Internal signature match:subtype=Lowfi, sigseq=0x0000055509715C70, signame=#Lowfi:RPF:BasicBlockClassifier:99, cached=false, resource="\\?\C:\Users\win8\Downloads\新建文件夹\2016-10-20-EITest-Rig-EK-payload-1st-run.exe"
Internal signature match:subtype=Lowfi, sigseq=0x0000055509715C70, signame=#Lowfi:RPF:BasicBlockClassifier:99, cached=false, resource="\Device\HarddiskVolume2\Users\win8\Downloads\新建文件夹\2016-10-20-EITest-Rig-EK-payload-1st-run.exe"
Internal signature match:subtype=Lowfi, sigseq=0x0000055509715C70, signame=#Lowfi:RPF:BasicBlockClassifier:99, cached=true, resource="\Device\HarddiskVolume2\Users\win8\Downloads\新建文件夹\2016-10-20-EITest-Rig-EK-payload-1st-run.exe"
Dynamic Signature has been received
Dynamic Signature Type:Signature Update
Signature Path:c:\ProgramData\Microsoft\Microsoft Antimalware\Scans\\RtSigs\Data\7b633863b7548f048f60c7f3ef105d6d8c4bda34
Dynamic Signature Compilation Timestamp:10-21-2016 14:27:35
Persistence Type:VDM Version
Source Version:282467120316417
Expiration Version:282467120316417
2016-10-21T06:27:33.495Z Dynamic signature received
2016-10-21T06:27:33.495Z MAPS Report Send (hr=0x0 httpcode=200)
Internal signature match:subtype=Lowfi, sigseq=0x0000055509715C70, signame=#Lowfi:RPF:BasicBlockClassifier:99, cached=false, resource="\\?\C:\Users\win8\Downloads\新建文件夹\2016-10-20-EITest-Rig-EK-payload-1st-run.exe"
Internal signature match:subtype=Lowfi, sigseq=0x00000070DE3CA1F0, signame=MpRescanNoDetection, cached=false, resource="\\?\C:\Users\win8\Downloads\新建文件夹\2016-10-20-EITest-Rig-EK-payload-1st-run.exe"
2016-10-21T06:27:39.110Z DETECTIONEVENT Trojan:Win32/Wammuras.C!cl file:C:\Users\win8\Downloads\新建文件夹\2016-10-20-EITest-Rig-EK-payload-1st-run.exe;
2016-10-21T06:27:39.126Z DETECTION_ADD Trojan:Win32/Wammuras.C!cl file:C:\Users\win8\Downloads\新建文件夹\2016-10-20-EITest-Rig-EK-payload-1st-run.exe
Begin Resource Scan
Scan ID:{E6702595-F86A-4CE5-9550-05981B4D8155}
Scan Source:1
Start Time:10-21-2016 14:27:07
End Time:10-21-2016 14:27:39
Explicit resource to scan
Resource Schema:poststartupscan
Resource Path:
Result Count:1
Threat Name:Trojan:Win32/Wammuras.C!cl
ID:2147716938
Severity:5
Number of Resources:1
Resource Schema:file
Resource Path:C:\Users\win8\Downloads\新建文件夹\2016-10-20-EITest-Rig-EK-payload-1st-run.exe
Extended Info:42226536998485
End Scan[/mw_shl_code]

PS: Looks like turning off file monitoring affects MA's cloud monitoring.


轩夏
Posted 2016-10-21 14:20:06
So it really is 1.8.禁 (18+), how wicked, I'm going to report it. Report.
Kaspersky
[mw_shl_code=css,true]2016-10-21 14:19:00     C:\Users\XuanXia\Desktop\18X\2016-10-19-EITest-Rig-EK-first-run-follow-up-malware.exe   detected        UDS:DangerousObject.Multi.Generic
2016-10-21 14:19:00     C:\Users\XuanXia\Desktop\18X\2016-10-19-EITest-Rig-EK-payload-first-run.exe     ok
2016-10-21 14:19:01     C:\Users\XuanXia\Desktop\18X\2016-10-19-EITest-Rig-EK-payload-second-run.exe    detected        Backdoor.Win32.Farfli.annb
2016-10-21 14:19:01     C:\Users\XuanXia\Desktop\18X\2016-10-20-EITest-Rig-EK-payload-1st-run.exe       detected        UDS:DangerousObject.Multi.Generic
2016-10-21 14:19:02     C:\Users\XuanXia\Desktop\18X\2016-10-20-EITest-Rig-EK-payload-2nd-run.exe       detected        UDS:DangerousObject.Multi.Generic
2016-10-21 14:19:02     C:\Users\XuanXia\Desktop\18X\2016-10-20-EITest-Rig-EK-payload-3rd-run.exe       detected        UDS:DangerousObject.Multi.Generic
2016-10-21 14:19:02     C:\Users\XuanXia\Desktop\18X\2016-10-20-EITest-Rig-EK-payload-4th-run.exe       detected        UDS:DangerousObject.Multi.Generic
2016-10-21 14:19:02     C:\Users\XuanXia\Desktop\18X\2016-10-20-EITest-Rig-EK-payload-5th-run.exe       detected        UDS:DangerousObject.Multi.Generic
2016-10-21 14:19:02     C:\Users\XuanXia\Desktop\18X\2016-10-20-EITest-Rig-EK-payload-6th-run.exe       detected        UDS:DangerousObject.Multi.Generic
2016-10-21 14:19:02     C:\Users\XuanXia\Desktop\18X\2016-10-20-EITest-Rig-EK-payload-7th-run.exe       ok
2016-10-21 14:19:03     C:\Users\XuanXia\Desktop\18X\2016-10-20-pseudoDarkleech-Rig-EK-payload-Cerber-1st-run.exe       detected        Packed.NSIS.MyxaH.iyo
2016-10-21 14:19:03     C:\Users\XuanXia\Desktop\18X\2016-10-20-pseudoDarkleech-Rig-EK-payload-Cerber-2nd-run.exe       detected        Packed.NSIS.MyxaH.iyo
2016-10-21 14:19:04     C:\Users\XuanXia\Desktop\18X\2016-10-20-pseudoDarkleech-Rig-EK-payload-Cerber-3rd-run.exe       detected        Packed.NSIS.MyxaH.iyo
2016-10-21 14:19:04     C:\Users\XuanXia\Desktop\18X\2016-10-20-pseudoDarkleech-Rig-EK-payload-Cerber-4th-run.exe       detected        Packed.NSIS.MyxaH.iyo
2016-10-21 14:19:05     C:\Users\XuanXia\Desktop\18X\2016-10-20-pseudoDarkleech-Rig-EK-payload-Cerber-5th-run.exe       detected        Packed.NSIS.MyxaH.iyo
2016-10-21 14:19:06     C:\Users\XuanXia\Desktop\18X\2016-10-20-pseudoDarkleech-Rig-EK-payload-Cerber-6th-run.exe       detected        Packed.NSIS.MyxaH.iyo
2016-10-21 14:19:06     C:\Users\XuanXia\Desktop\18X\2016-10-20-pseudoDarkleech-Rig-EK-payload-Cerber-7th-run.exe       detected        Packed.NSIS.MyxaH.iyo
2016-10-21 14:19:07     C:\Users\XuanXia\Desktop\18X\2016-10-20-pseudoDarkleech-Rig-EK-payload-Cerber-8th-run.exe       detected        Packed.NSIS.MyxaH.iyo
; --- Statistics ---
; Time Start:   2016-10-21 14:18:59
; Time Finish:  2016-10-21 14:19:07
; Completion:   100%
; Processed objects:    18
; Total detected:       16
; Detected exact:       9
; Errors:       0
; ------------------[/mw_shl_code]
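As an added example, not code from the thread or from either vendor: a small Python triage script that cross-checks 驭龙's SCEP on-demand result block (the "Threat Name:" / "Resource Path:" records above) against 轩夏's Kaspersky log by sample file name, lists what only one engine flagged, and reads the timestamped lines from 驭龙's second log to measure how long the MAPS cloud round-trip took before the on-demand miss became a Trojan:Win32/Wammuras.C!cl detection. The three inputs are constructed excerpts of the posted logs with paths shortened, and the script assumes the SCEP result block lists only detections, so a sample absent from it counts as not flagged on-demand.

```python
"""Added triage helper (not from the thread): cross-check 驭龙's SCEP/MSE scan records against
轩夏's Kaspersky log per sample and time the MAPS cloud round-trip. Inputs: constructed excerpts."""
import re
from datetime import datetime

# SCEP on-demand result block: one 'Threat Name' record per detection, N 'Resource Path's each.
MS_SCAN_LOG = r"""Result Count:2
Threat Name:TrojanDownloader:Win32/Talalpek.A
ID:2147712209
Severity:5
Number of Resources:1
Resource Schema:file
Resource Path:C:\Users\win8\Downloads\x\2016-10-20-EITest-Rig-EK-payload-7th-run.exe
Extended Info:42227748362094
Threat Name:Ransom:Win32/Cerber
ID:2147709928
Severity:5
Number of Resources:2
Resource Schema:file
Resource Path:C:\Users\win8\Downloads\x\2016-10-20-pseudoDarkleech-Rig-EK-payload-Cerber-2nd-run.exe
Extended Info:24633206644489
Resource Schema:file
Resource Path:C:\Users\win8\Downloads\x\2016-10-20-pseudoDarkleech-Rig-EK-payload-Cerber-1st-run.exe
Extended Info:24633206644489
End Scan
"""

# Kaspersky scan log: one line per object, verdict 'ok' or 'detected <name>', ';' trailer.
KASPERSKY_LOG = r"""2016-10-21 14:19:01     C:\Users\XuanXia\Desktop\18X\2016-10-20-EITest-Rig-EK-payload-1st-run.exe       detected        UDS:DangerousObject.Multi.Generic
2016-10-21 14:19:02     C:\Users\XuanXia\Desktop\18X\2016-10-20-EITest-Rig-EK-payload-7th-run.exe       ok
2016-10-21 14:19:03     C:\Users\XuanXia\Desktop\18X\2016-10-20-pseudoDarkleech-Rig-EK-payload-Cerber-1st-run.exe       detected        Packed.NSIS.MyxaH.iyo
2016-10-21 14:19:03     C:\Users\XuanXia\Desktop\18X\2016-10-20-pseudoDarkleech-Rig-EK-payload-Cerber-2nd-run.exe       detected        Packed.NSIS.MyxaH.iyo
; --- Statistics ---
; Processed objects:    4
"""

# SCEP real-time log around the cloud lookup: MAPS report out, dynamic signature in, detection.
MAPS_LOG = r"""2016-10-21T06:27:21.249Z MAPS Report Send (hr=0x0 httpcode=200)
Internal signature match:subtype=Lowfi, signame=#Lowfi:RPF:BasicBlockClassifier:99, cached=false
2016-10-21T06:27:33.495Z Dynamic signature received
2016-10-21T06:27:39.110Z DETECTIONEVENT Trojan:Win32/Wammuras.C!cl file:C:\x\2016-10-20-EITest-Rig-EK-payload-1st-run.exe;
"""

def basename(path):
    """Last path component; the two testers kept the samples in different folders."""
    return re.split(r"[\\/]", path)[-1]

def parse_ms_scan(text):
    """Sample name -> threat name. Only detections are listed, so absence means 'not flagged'."""
    hits, threat = {}, None
    for line in text.splitlines():
        if line.startswith("Threat Name:"):
            threat = line.split(":", 1)[1].strip()
        elif line.startswith("Resource Path:"):
            path = line.split(":", 1)[1].strip()
            if path and threat:  # poststartupscan records carry an empty path
                hits[basename(path)] = threat
    return hits

KAV_LINE = re.compile(r"^\d{4}-\d\d-\d\d \d\d:\d\d:\d\d\s+(?P<path>.+?)\s+"
                      r"(?P<verdict>detected|ok)(?:\s+(?P<name>\S+))?\s*$")

def parse_kaspersky(text):
    """Sample name -> detection name, or None where the engine said 'ok'."""
    result = {}
    for line in text.splitlines():
        m = KAV_LINE.match(line)
        if m:  # statistics lines start with ';' and do not match
            result[basename(m["path"])] = m["name"] if m["verdict"] == "detected" else None
    return result

def compare(ms, kav):
    """Rows of (sample, scep_name, kav_name) plus the samples only one engine flagged."""
    rows = [(s, ms.get(s), kav.get(s)) for s in sorted(set(ms) | set(kav))]
    ms_only = [s for s, a, b in rows if a and not b]
    kav_only = [s for s, a, b in rows if b and not a]
    return rows, ms_only, kav_only

TS_LINE = re.compile(r"^(\d{4}-\d\d-\d\dT\d\d:\d\d:\d\d\.\d+Z) (.*)$")

def maps_latency(text):
    """Seconds from the first MAPS report to the DETECTIONEVENT, with the threat name."""
    sent = None
    for line in text.splitlines():
        m = TS_LINE.match(line)
        if not m:  # untimestamped signature-match lines
            continue
        ts = datetime.strptime(m.group(1), "%Y-%m-%dT%H:%M:%S.%fZ")
        if sent is None and m.group(2).startswith("MAPS Report Send"):
            sent = ts
        elif sent is not None and m.group(2).startswith("DETECTIONEVENT"):
            return (ts - sent).total_seconds(), m.group(2).split()[1]
    return None

if __name__ == "__main__":
    rows, ms_only, kav_only = compare(parse_ms_scan(MS_SCAN_LOG), parse_kaspersky(KASPERSKY_LOG))
    for sample, scep, kav in rows:
        print(f"{sample:62} SCEP={scep or '-':38} KAV={kav or '-'}")
    print("SCEP only:", ms_only, "Kaspersky only:", kav_only, "MAPS:", maps_latency(MAPS_LOG))
```

On the excerpt it reports 2016-10-20-EITest-Rig-EK-payload-7th-run.exe as flagged by SCEP only and 2016-10-20-EITest-Rig-EK-payload-1st-run.exe as flagged by Kaspersky only, and about 17.9 seconds from the first MAPS report to the detection event; that gap is the window in which the sample was running with nothing but a low-fidelity classifier hit against it, which is what the PS about turning off file monitoring is pointing at.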
欧阳宣
Posted 2016-10-21 14:25:30
ESET detected and deleted 16.
驭龙
Posted 2016-10-21 14:40:08
欧阳宣 posted on 2016-10-21 14:25:
ESET detected and deleted 16.

Ha, my MA finally beat ESET once, tears streaming down my face.
欧阳宣
Posted 2016-10-21 14:40:45
驭龙 posted on 2016-10-21 14:40:
Ha, my MA finally beat ESET once, tears streaming down my face.

ESET is slow to respond, that's normal.
驭龙
Posted 2016-10-21 14:41:48
欧阳宣 posted on 2016-10-21 14:40:
ESET is slow to respond, that's normal.

Quite a few of MA's hits were signature-database detections. Of course, without the cloud it really couldn't beat ESET.
vm001
Posted 2016-10-21 14:45:24
X: I suspect these were made artificially.. basically all ransomware programs.
windows7爱好者
OP | Posted 2016-10-21 14:46:53
Last edited by windows7爱好者 on 2016-10-21 14:49
vm001 posted on 2016-10-21 14:45:
X: I suspect these were made artificially.. basically all ransomware programs.

Runs 1-8 are basically RATs, not all ransomware.
These are all samples obtained from exploit-kit sites.
Unfortunately IE11 seems to be well protected; I've visited a lot of them recently with no reaction.
With IPS turned off, of course, otherwise IPS would block them first.
The tester's environment was Win7; maybe Win7 can trigger it.
驭龙
Posted 2016-10-21 14:47:52
vm001 posted on 2016-10-21 14:45:
X: I suspect these were made artificially.. basically all ransomware programs.

Actually they are all ransomware without exception. This is a sample source I reposted earlier; I just didn't give the source address and got flak for it.
Copyright © KaFan  KaFan.cn All Rights Reserved.