红伞没杀，貌似是个后门程序，大家帮分析下

显示全部楼层 · 发表于 2017-9-6 08:59:18

显示全部楼层 · 发表于 2017-9-6 09:07:37

管家扫描miss

显示全部楼层 · 发表于 2017-9-6 09:09:13

本帖最后由学雷锋做人于 2017-9-6 09:11 编辑

VT：15/58，File_Analysis 行为记录，行为日志文件：

显示全部楼层 · 发表于 2017-9-6 09:13:16

毒霸扫描Miss

显示全部楼层 · 发表于 2017-9-6 09:25:35

本帖最后由 Gollum 于 2017-9-6 09:30 编辑

BDTS扫描放过

KIS

NS

显示全部楼层 · 发表于 2017-9-6 09:30:59

本帖最后由 B100D1E55 于 2017-9-6 09:32 编辑

原文件：Downloader
衍生物：CobaltStrike

危险链接： hxxps://118.184.33.170:8443/qwKZ

显示全部楼层 · 发表于 2017-9-6 09:34:14

B100D1E55 发表于 2017-9-6 09:30
原文件：Downloader
衍生物：CobaltStrike

这是什么，能下详细介绍下么？

显示全部楼层 · 发表于 2017-9-6 09:37:43

WD杀

显示全部楼层 · 发表于 2017-9-6 10:08:02

avast kill

显示全部楼层 · 发表于 2017-9-6 10:26:24

哈勃: 未发现风险

[mw_shl_code=css,true]基本信息
文件名称：
go.zip
MD5： 5e55097c79d6bd99358ca6b357db48a3
文件类型： zip
上传时间： 2017-09-06 10:21:58
出品公司： N/A
版本： N/A
壳或编译器信息： COMPILER:PeStubOEP v1.x *
子文件信息：
go.exe / d309cac7c4cdb2b2b63a9f05a229f773 / EXE
关键行为
行为描述：直接获取CPU时钟
详情信息：
EAX = 0xf1c3be42, EDX = 0x000000b3
EAX = 0x019f59c8, EDX = 0x000000b4
EAX = 0x019f5a14, EDX = 0x000000b4
EAX = 0x019f5a60, EDX = 0x000000b4
行为描述：设置特殊文件夹属性
详情信息：
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5
C:\Documents and Settings\Administrator\Local Settings\History
C:\Documents and Settings\Administrator\Local Settings\History\History.IE5
C:\Documents and Settings\Administrator\Cookies
行为描述：直接调用系统关键API
详情信息：
Index = 0x0000010F, Name: NtWaitForSingleObject, Instruction Address = 0x0044D2F2
进程行为
行为描述：创建本地线程
详情信息：
TargetProcess: go.exe, InheritedFromPID = 2000, ProcessID = 2696, ThreadID = 2708, StartAddress = 0044D210, Parameter = 4CB3A000
TargetProcess: go.exe, InheritedFromPID = 2000, ProcessID = 2696, ThreadID = 2712, StartAddress = 0044D210, Parameter = 4CB3A280
TargetProcess: go.exe, InheritedFromPID = 2000, ProcessID = 2696, ThreadID = 2720, StartAddress = 0044D210, Parameter = 4CB3A500
TargetProcess: go.exe, InheritedFromPID = 2000, ProcessID = 2696, ThreadID = 2724, StartAddress = 77DC845A, Parameter = 00000000
TargetProcess: go.exe, InheritedFromPID = 2000, ProcessID = 2696, ThreadID = 2728, StartAddress = 7C947EBB, Parameter = 00000000
TargetProcess: go.exe, InheritedFromPID = 2000, ProcessID = 2696, ThreadID = 2732, StartAddress = 7C930230, Parameter = 00000000
TargetProcess: go.exe, InheritedFromPID = 2000, ProcessID = 2696, ThreadID = 2812, StartAddress = 7C949B6F, Parameter = 00000000
文件行为
行为描述：设置特殊文件夹属性
详情信息：
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5
C:\Documents and Settings\Administrator\Local Settings\History
C:\Documents and Settings\Administrator\Local Settings\History\History.IE5
C:\Documents and Settings\Administrator\Cookies
行为描述：查找文件
详情信息：
FileName = C:\Documents and Settings
FileName = C:\Documents and Settings\Administrator
FileName = C:\Documents and Settings\Administrator\Local Settings
FileName = C:\Documents and Settings\Administrator\Application Data\Microsoft\SystemCertificates\My\Certificates\*
FileName = C:\Documents and Settings\Administrator\Application Data\Microsoft\SystemCertificates\My\CRLs\*
FileName = C:\Documents and Settings\Administrator\Application Data\Microsoft\SystemCertificates\My\CTLs\*
FileName = C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Connections\Pbk\*.pbk
FileName = C:\WINDOWS\system32\Ras\*.pbk
FileName = C:\Documents and Settings\Administrator\Application Data\Microsoft\Network\Connections\Pbk\*.pbk
网络行为
行为描述：连接指定站点
详情信息：
InternetConnectA: ServerName = **.184.33.**, PORT = 8443, UserName = , Password = , hSession = 0x00cc0004, hConnect = 0x00cc0008, Flags = 0x00000000
行为描述：打开HTTP连接
详情信息：
InternetOpenA: UserAgent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0; BOIE9;PTBR), hSession = 0x00cc0004
行为描述：建立到一个指定的套接字连接
详情信息：
IP: **.184.33.**:8443, SOCKET = 0x00000288
行为描述：读取网络文件
详情信息：
hFile = 0x00cc000c, BytesToRead =8192, BytesRead = 8192.
行为描述：打开HTTP请求
详情信息：
HttpOpenRequestA: **.184.33.**:8443/qwkz, hConnect = 0x00cc0008, hRequest = 0x00cc000c, Verb: GET, Referer: , Flags = 0x84a03200
注册表行为
行为描述：修改注册表
详情信息：
\REGISTRY\USER\S-*\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\SavedLegacySettings
行为描述：删除注册表键值
详情信息：
\REGISTRY\USER\S-*\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyServer
\REGISTRY\USER\S-*\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyOverride
\REGISTRY\USER\S-*\Software\Microsoft\Windows\CurrentVersion\Internet Settings\AutoConfigURL
其他行为
行为描述：创建互斥体
详情信息：
RasPbFile
Local\ZonesCounterMutex
Local\ZoneAttributeCacheCounterMutex
Local\ZonesCacheCounterMutex
Local\ZonesLockedCacheCounterMutex
行为描述：创建事件对象
详情信息：
EventName = DINPUTWINMM
EventName = Global\crypt32LogoffEvent
EventName = Global\userenv: User Profile setup event
行为描述：打开互斥体
详情信息：
Local\_!MSFTHISTORY!_
Local\c:!documents and settings!administrator!local settings!temporary internet files!content.ie5!
Local\c:!documents and settings!administrator!cookies!
Local\c:!documents and settings!administrator!local settings!history!history.ie5!
Local\WininetStartupMutex
Local\WininetConnectionMutex
Local\WininetProxyRegistryMutex
RasPbFile
Local\!IETld!Mutex
行为描述：直接获取CPU时钟
详情信息：
EAX = 0xf1c3be42, EDX = 0x000000b3
EAX = 0x019f59c8, EDX = 0x000000b4
EAX = 0x019f5a14, EDX = 0x000000b4
EAX = 0x019f5a60, EDX = 0x000000b4
行为描述：打开事件
详情信息：
HookSwitchHookEnabledEvent
\SECURITY\LSA_AUTHENTICATION_INITIALIZED
Global\crypt32LogoffEvent
\INSTALLATION_SECURITY_HOLD
Global\SvcctrlStartEvent_A3752DX
行为描述：直接调用系统关键API
详情信息：
Index = 0x0000010F, Name: NtWaitForSingleObject, Instruction Address = 0x0044D2F2
进程树
go.exe (PID: 0x00000a88)[/mw_shl_code]

[可疑文件] 红伞没杀，貌似是个后门程序，大家帮分析下

本帖子中包含更多资源

本帖子中包含更多资源

本帖子中包含更多资源

本帖子中包含更多资源