搜索
查看: 1217|回复: 15
收起左侧

[可疑文件] 红伞没杀,貌似是个后门程序,大家帮分析下

[复制链接]
tom123123
发表于 2017-9-6 08:59:18 | 显示全部楼层 |阅读模式
红伞没杀,貌似是个后门程序,大家帮分析下





本帖子中包含更多资源

您需要 登录 才可以下载或查看,没有帐号?快速注册

x
心醉咖啡
发表于 2017-9-6 09:07:37 | 显示全部楼层
管家扫描miss
学雷锋做人
发表于 2017-9-6 09:09:13 | 显示全部楼层
本帖最后由 学雷锋做人 于 2017-9-6 09:11 编辑

VT:15/58,File_Analysis 行为记录,行为日志文件:

本帖子中包含更多资源

您需要 登录 才可以下载或查看,没有帐号?快速注册

x
I76700K
发表于 2017-9-6 09:13:16 | 显示全部楼层
毒霸扫描Miss
Gollum
发表于 2017-9-6 09:25:35 | 显示全部楼层
本帖最后由 Gollum 于 2017-9-6 09:30 编辑

BDTS扫描放过

KIS


NS

本帖子中包含更多资源

您需要 登录 才可以下载或查看,没有帐号?快速注册

x
B100D1E55
发表于 2017-9-6 09:30:59 | 显示全部楼层
本帖最后由 B100D1E55 于 2017-9-6 09:32 编辑

原文件:Downloader
衍生物:CobaltStrike


危险链接: hxxps://118.184.33.170:8443/qwKZ
tom123123
 楼主| 发表于 2017-9-6 09:34:14 | 显示全部楼层
B100D1E55 发表于 2017-9-6 09:30
原文件:Downloader
衍生物:CobaltStrike

这是什么,能下详细介绍下么?
yaoyunjia
发表于 2017-9-6 09:37:43 | 显示全部楼层
WD杀

本帖子中包含更多资源

您需要 登录 才可以下载或查看,没有帐号?快速注册

x
DF快递
发表于 2017-9-6 10:08:02 | 显示全部楼层
avast kill
191196846
发表于 2017-9-6 10:26:24 | 显示全部楼层
哈勃: 未发现风险

[mw_shl_code=css,true]基本信息
文件名称:       
go.zip
MD5:        5e55097c79d6bd99358ca6b357db48a3
文件类型:        zip
上传时间:        2017-09-06 10:21:58
出品公司:        N/A
版本:        N/A
壳或编译器信息:        COMPILER:PeStubOEP v1.x *
子文件信息:       
go.exe /  d309cac7c4cdb2b2b63a9f05a229f773 /  EXE
关键行为
行为描述:        直接获取CPU时钟
详情信息:       
EAX = 0xf1c3be42, EDX = 0x000000b3
EAX = 0x019f59c8, EDX = 0x000000b4
EAX = 0x019f5a14, EDX = 0x000000b4
EAX = 0x019f5a60, EDX = 0x000000b4
行为描述:        设置特殊文件夹属性
详情信息:       
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5
C:\Documents and Settings\Administrator\Local Settings\History
C:\Documents and Settings\Administrator\Local Settings\History\History.IE5
C:\Documents and Settings\Administrator\Cookies
行为描述:        直接调用系统关键API
详情信息:       
Index = 0x0000010F, Name: NtWaitForSingleObject, Instruction Address = 0x0044D2F2
进程行为
行为描述:        创建本地线程
详情信息:       
TargetProcess: go.exe, InheritedFromPID = 2000, ProcessID = 2696, ThreadID = 2708, StartAddress = 0044D210, Parameter = 4CB3A000
TargetProcess: go.exe, InheritedFromPID = 2000, ProcessID = 2696, ThreadID = 2712, StartAddress = 0044D210, Parameter = 4CB3A280
TargetProcess: go.exe, InheritedFromPID = 2000, ProcessID = 2696, ThreadID = 2720, StartAddress = 0044D210, Parameter = 4CB3A500
TargetProcess: go.exe, InheritedFromPID = 2000, ProcessID = 2696, ThreadID = 2724, StartAddress = 77DC845A, Parameter = 00000000
TargetProcess: go.exe, InheritedFromPID = 2000, ProcessID = 2696, ThreadID = 2728, StartAddress = 7C947EBB, Parameter = 00000000
TargetProcess: go.exe, InheritedFromPID = 2000, ProcessID = 2696, ThreadID = 2732, StartAddress = 7C930230, Parameter = 00000000
TargetProcess: go.exe, InheritedFromPID = 2000, ProcessID = 2696, ThreadID = 2812, StartAddress = 7C949B6F, Parameter = 00000000
文件行为
行为描述:        设置特殊文件夹属性
详情信息:       
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5
C:\Documents and Settings\Administrator\Local Settings\History
C:\Documents and Settings\Administrator\Local Settings\History\History.IE5
C:\Documents and Settings\Administrator\Cookies
行为描述:        查找文件
详情信息:       
FileName = C:\Documents and Settings
FileName = C:\Documents and Settings\Administrator
FileName = C:\Documents and Settings\Administrator\Local Settings
FileName = C:\Documents and Settings\Administrator\Application Data\Microsoft\SystemCertificates\My\Certificates\*
FileName = C:\Documents and Settings\Administrator\Application Data\Microsoft\SystemCertificates\My\CRLs\*
FileName = C:\Documents and Settings\Administrator\Application Data\Microsoft\SystemCertificates\My\CTLs\*
FileName = C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Connections\Pbk\*.pbk
FileName = C:\WINDOWS\system32\Ras\*.pbk
FileName = C:\Documents and Settings\Administrator\Application Data\Microsoft\Network\Connections\Pbk\*.pbk
网络行为
行为描述:        连接指定站点
详情信息:       
InternetConnectA: ServerName = **.184.33.**, PORT = 8443, UserName = , Password = , hSession = 0x00cc0004, hConnect = 0x00cc0008, Flags = 0x00000000
行为描述:        打开HTTP连接
详情信息:       
InternetOpenA: UserAgent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0; BOIE9;PTBR), hSession = 0x00cc0004
行为描述:        建立到一个指定的套接字连接
详情信息:       
IP: **.184.33.**:8443, SOCKET = 0x00000288
行为描述:        读取网络文件
详情信息:       
hFile = 0x00cc000c, BytesToRead =8192, BytesRead = 8192.
行为描述:        打开HTTP请求
详情信息:       
HttpOpenRequestA: **.184.33.**:8443/qwkz, hConnect = 0x00cc0008, hRequest = 0x00cc000c, Verb: GET, Referer: , Flags = 0x84a03200
注册表行为
行为描述:        修改注册表
详情信息:       
\REGISTRY\USER\S-*\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\SavedLegacySettings
行为描述:        删除注册表键值
详情信息:       
\REGISTRY\USER\S-*\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyServer
\REGISTRY\USER\S-*\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyOverride
\REGISTRY\USER\S-*\Software\Microsoft\Windows\CurrentVersion\Internet Settings\AutoConfigURL
其他行为
行为描述:        创建互斥体
详情信息:       
RasPbFile
Local\ZonesCounterMutex
Local\ZoneAttributeCacheCounterMutex
Local\ZonesCacheCounterMutex
Local\ZonesLockedCacheCounterMutex
行为描述:        创建事件对象
详情信息:       
EventName = DINPUTWINMM
EventName = Global\crypt32LogoffEvent
EventName = Global\userenv: User Profile setup event
行为描述:        打开互斥体
详情信息:       
Local\_!MSFTHISTORY!_
Local\c:!documents and settings!administrator!local settings!temporary internet files!content.ie5!
Local\c:!documents and settings!administrator!cookies!
Local\c:!documents and settings!administrator!local settings!history!history.ie5!
Local\WininetStartupMutex
Local\WininetConnectionMutex
Local\WininetProxyRegistryMutex
RasPbFile
Local\!IETld!Mutex
行为描述:        直接获取CPU时钟
详情信息:       
EAX = 0xf1c3be42, EDX = 0x000000b3
EAX = 0x019f59c8, EDX = 0x000000b4
EAX = 0x019f5a14, EDX = 0x000000b4
EAX = 0x019f5a60, EDX = 0x000000b4
行为描述:        打开事件
详情信息:       
HookSwitchHookEnabledEvent
\SECURITY\LSA_AUTHENTICATION_INITIALIZED
Global\crypt32LogoffEvent
\INSTALLATION_SECURITY_HOLD
Global\SvcctrlStartEvent_A3752DX
行为描述:        直接调用系统关键API
详情信息:       
Index = 0x0000010F, Name: NtWaitForSingleObject, Instruction Address = 0x0044D2F2
进程树
go.exe (PID: 0x00000a88)[/mw_shl_code]
您需要登录后才可以回帖 登录 | 快速注册

本版积分规则

手机版|杀毒软件|软件论坛|优惠券| 卡饭论坛

Copyright © KaFan  KaFan.cn All Rights Reserved.

Powered by Discuz! X3.4( 苏ICP备07004770号 ) GMT+8, 2017-11-24 04:30 , Processed in 0.042931 second(s), 3 queries , MemCached On.

快速回复 返回顶部 返回列表