搜索
12
返回列表 发新帖
楼主: petr0vic
收起左侧

[病毒样本] Cerber(17.10.06)

[复制链接]
DF快递
发表于 2017-10-7 08:48:24 | 显示全部楼层
ziyerain2015 发表于 2017-10-7 03:59
双击AVAST未加密-文件删除
360TS跳的慢了,被加密,可能因为装了2个杀软不详

avast沙盒运行吧,双击有风险
傻瓜爱笨蛋
发表于 2017-10-7 10:46:38 | 显示全部楼层
毒霸双击阻止运行 没有被加密
ziyerain2015
发表于 2017-10-7 13:12:26 | 显示全部楼层
DF快递 发表于 2017-10-7 08:48
avast沙盒运行吧,双击有风险

虚拟机AVAST+360TS
一覺到天明
发表于 2017-10-7 15:29:05 | 显示全部楼层

FSP 解壓攔截
willjjyu
发表于 2017-10-7 16:57:42 | 显示全部楼层
本帖最后由 willjjyu 于 2017-10-7 17:09 编辑

vm双击:

图片文档全部加密


关键行为行为描述:        获取TickCount值
详情信息:        
TickCount = 262890, SleepMilliseconds = 16000.
TickCount = 262921, SleepMilliseconds = 16000.
TickCount = 262937, SleepMilliseconds = 16000.
TickCount = 262968, SleepMilliseconds = 16000.
TickCount = 262984, SleepMilliseconds = 16000.
TickCount = 263000, SleepMilliseconds = 16000.
TickCount = 263015, SleepMilliseconds = 16000.
TickCount = 263031, SleepMilliseconds = 16000.
TickCount = 263062, SleepMilliseconds = 16000.
TickCount = 263093, SleepMilliseconds = 16000.
TickCount = 263109, SleepMilliseconds = 16000.
TickCount = 263125, SleepMilliseconds = 16000.
TickCount = 263140, SleepMilliseconds = 16000.
TickCount = 263171, SleepMilliseconds = 16000.
TickCount = 263187, SleepMilliseconds = 16000.

行为描述:       直接获取CPU时钟
详情信息:        
EAX = 0xe6a21ed8, EDX = 0x000000cd
EAX = 0xead9cddf, EDX = 0x000000cd
EAX = 0xef3cacd9, EDX = 0x000000cd
EAX = 0xf3745be0, EDX = 0x000000cd
EAX = 0xf7d73ada, EDX = 0x000000cd
EAX = 0xfc3a19d4, EDX = 0x000000cd
EAX = 0x0071c8db, EDX = 0x000000ce

行为描述:        疑似加密敲诈行为
详情信息:        
N/A
N/A
行为描述:        查找文件方式探测虚拟机
详情信息:        
FindFirstFileEx: FileName = c:\Documents and Settings\Administrator\「开始」菜单\程序\Oracle VM VirtualBox Guest Add

行为描述:        创建本地线程
详情信息:        
TargetProcess: %temp%\****.exe, InheritedFromPID = 2000, ProcessID = 2628, ThreadID = 3240, StartAddress = 77DC845A, Parameter = 00000000
TargetProcess: %temp%\****.exe, InheritedFromPID = 2000, ProcessID = 2628, ThreadID = 3252, StartAddress = 004287A0, Parameter = 00C55EF0
TargetProcess: %temp%\****.exe, InheritedFromPID = 2000, ProcessID = 2628, ThreadID = 3256, StartAddress = 004287A0, Parameter = 00C55F0C
TargetProcess: %temp%\****.exe, InheritedFromPID = 2000, ProcessID = 2628, ThreadID = 3260, StartAddress = 004287A0, Parameter = 00C55F28
文件行为
行为描述:        创建文件
详情信息:        
C:\Python27\Lib\test\ykcol-7bdf.htm
C:\ykcol-9eb3.htm
C:\Documents and Settings\Administrator\ykcol-2ca6.htm
C:\Python27\Lib\ykcol-2a69.htm
C:\Python27\Scripts\ykcol-41bb.htm
C:\Python27\include\ykcol-8653.htm
行为描述:        重命名文件
详情信息:        
C:\Python27\Lib\test\sha256.pem ---> c:\Python27\Lib\test\HGITE9WZ-1XYX-3WE8-AB0EE4D9-072BCE46CD29.ykcol
C:\Python27\Lib\test\https_svn_python_org_root.pem ---> c:\Python27\Lib\test\HGITE9WZ-1XYX-3WE8-4B8B896C-AEDB1E440D47.ykcol
C:\Python27\Lib\test\nullcert.pem ---> c:\Python27\Lib\test\HGITE9WZ-1XYX-3WE8-434B4A78-32E6E3B4058E.ykcol
C:\Python27\Lib\test\badkey.pem ---> c:\Python27\Lib\test\HGITE9WZ-1XYX-3WE8-84439716-AF0743836727.ykcol
C:\Python27\Lib\test\badcert.pem ---> c:\Python27\Lib\test\HGITE9WZ-1XYX-3WE8-F6F4C884-24860092D903.ykcol
C:\Python27\Lib\test\keycert.pem ---> c:\Python27\Lib\test\HGITE9WZ-1XYX-3WE8-BF10E9DB-2D796A04093F.ykcol
C:\Python27\Lib\test\wrongcert.pem ---> c:\Python27\Lib\test\HGITE9WZ-1XYX-3WE8-08FDADB3-0322AB51571C.ykcol
C:\Python27\Lib\test\svn_python_org_https_cert.pem ---> c:\Python27\Lib\test\HGITE9WZ-1XYX-3WE8-48A66A9D-124F6C916844.ykcol
C:\Python27\Lib\test\ssl_key.pem ---> c:\Python27\Lib\test\HGITE9WZ-1XYX-3WE8-7FB01716-6ED44C9376C7.ykcol
C:\Python27\Lib\test\ssl_cert.pem ---> c:\Python27\Lib\test\HGITE9WZ-1XYX-3WE8-08D27601-FCB6469BF426.ykcol
C:\Documents and Settings\root\Templates\excel.xls ---> c:\Documents and Settings\root\Templates\HGITE9WZ-1XYX-3WE8-DA19C410-F5A2496CC316.ykcol
C:\Documents and Settings\Administrator\Templates\winword.doc ---> c:\Documents and Settings\Administrator\Templates\HGITE9WZ-1XYX-3WE8-7E913AC7-8967A81FC0F2.ykcol
C:\Documents and Settings\Administrator\Templates\winword2.doc ---> c:\Documents and Settings\Administrator\Templates\HGITE9WZ-1XYX-3WE8-CAE09B4F-6C86340DF220.ykcol
C:\Documents and Settings\root\Templates\excel4.xls ---> c:\Documents and Settings\root\Templates\HGITE9WZ-1XYX-3WE8-0969C65D-35D58931412D.ykcol
C:\Documents and Settings\root\Templates\powerpnt.ppt ---> c:\Documents and Settings\root\Templates\HGITE9WZ-1XYX-3WE8-0465B412-4F6CBE0F1C27.ykcol
行为描述:        修改文件内容
详情信息:        
C:\Python27\Lib\test\sha256.pem ---> Offset = 0
C:\Python27\Lib\test\sha256.pem ---> Offset = 2065
C:\Python27\Lib\test\ykcol-7bdf.htm ---> Offset = 0
C:\Python27\Lib\test\https_svn_python_org_root.pem ---> Offset = 0
C:\Python27\Lib\test\https_svn_python_org_root.pem ---> Offset = 2569
C:\Python27\Lib\test\nullcert.pem ---> Offset = 0
C:\Python27\Lib\test\badkey.pem ---> Offset = 0
C:\Python27\Lib\test\badkey.pem ---> Offset = 2162
C:\Python27\Lib\test\badcert.pem ---> Offset = 0
C:\Python27\Lib\test\badcert.pem ---> Offset = 1928
C:\Python27\Lib\test\keycert.pem ---> Offset = 0
C:\Python27\Lib\test\keycert.pem ---> Offset = 1872
C:\Python27\Lib\test\wrongcert.pem ---> Offset = 0
C:\Python27\Lib\test\wrongcert.pem ---> Offset = 1880
C:\Python27\Lib\test\svn_python_org_https_cert.pem ---> Offset = 0
行为描述:        查找文件
详情信息:        
FileName = c:\*
FileName = c:\222c25ed\*
FileName = x:\*
FileName = c:\222c25ed\IE8-Setup-Full\*
FileName = c:\222c25ed\IE8-Setup-Full\log\*
FileName = d:\*
FileName = c:\AnalyzeControl\*
FileName = c:\DiskD\*
FileName = c:\DiskX\*
FileName = c:\Documents and Settings\*
FileName = c:\Documents and Settings\Administrator\*
FileName = c:\Documents and Settings\Administrator\.oracle_jre_usage\*
FileName = c:\Documents and Settings\Administrator\CMB\*
FileName = c:\Documents and Settings\Administrator\CMB\PB40\*
FileName = c:\Documents and Settings\Administrator\CMB\PB40\Data\*
其他行为
行为描述:        枚举网络共享资源
详情信息:        
N/A
行为描述:        创建事件对象
详情信息:        
EventName = Global\3a6aBaCaFa2a9aEa8a3a5aGaBaDaCa:a
EventName = Local\3a6aBaCaFa2a9aEa8a3a5aGaBaDaCa:a
行为描述:        疑似加密敲诈行为
详情信息:        
N/A
N/A
行为描述:        打开互斥体
详情信息:        
Global\3a6aBaCaFa2a9aEa8a3a5aGaBaDaCa:a
Local\3a6aBaCaFa2a9aEa8a3a5aGaBaDaCa:a
行为描述:        加密数据
详情信息:        
[CryptEncrypt] Data: 0x00E4F708, PlainTextLen: 256, CipherTextLen: 256, Flags: 0x00000000
行为描述:        获取TickCount值
详情信息:        
TickCount = 262890, SleepMilliseconds = 16000.
TickCount = 262921, SleepMilliseconds = 16000.
TickCount = 262937, SleepMilliseconds = 16000.
TickCount = 262968, SleepMilliseconds = 16000.
TickCount = 262984, SleepMilliseconds = 16000.
TickCount = 263000, SleepMilliseconds = 16000.
TickCount = 263015, SleepMilliseconds = 16000.
TickCount = 263031, SleepMilliseconds = 16000.
TickCount = 263062, SleepMilliseconds = 16000.
TickCount = 263093, SleepMilliseconds = 16000.
TickCount = 263109, SleepMilliseconds = 16000.
TickCount = 263125, SleepMilliseconds = 16000.
TickCount = 263140, SleepMilliseconds = 16000.
TickCount = 263171, SleepMilliseconds = 16000.
TickCount = 263187, SleepMilliseconds = 16000.
行为描述:        打开事件
详情信息:        
HookSwitchHookEnabledEvent
\INSTALLATION_SECURITY_HOLD
Global\SvcctrlStartEvent_A3752DX
行为描述:        调用Sleep函数
详情信息:        
[1]: MilliSeconds = 16000.
[2]: MilliSeconds = 10.
[3]: MilliSeconds = 10.
[4]: MilliSeconds = 10.
[5]: MilliSeconds = 10.
[6]: MilliSeconds = 10.
[7]: MilliSeconds = 10.
[8]: MilliSeconds = 10.
行为描述:        直接获取CPU时钟
详情信息:        
EAX = 0xe6a21ed8, EDX = 0x000000cd
EAX = 0xead9cddf, EDX = 0x000000cd
EAX = 0xef3cacd9, EDX = 0x000000cd
EAX = 0xf3745be0, EDX = 0x000000cd
EAX = 0xf7d73ada, EDX = 0x000000cd
EAX = 0xfc3a19d4, EDX = 0x000000cd
EAX = 0x0071c8db, EDX = 0x000000ce
行为描述:        导入密钥
详情信息:        
[CryptImportKey] Algorithm: CALG_RSA_KEYX (0x0000a400), Data: 0x00C53788, DataLen: 276, Flags: 0x00000000
行为描述:        查找文件方式探测虚拟机
详情信息:        
FindFirstFileEx: FileName = c:\Documents and Settings\Administrator\「开始」菜单\程序\Oracle VM VirtualBox Guest Add

本帖子中包含更多资源

您需要 登录 才可以下载或查看,没有帐号?快速注册

x
心醉咖啡
发表于 2017-10-7 17:13:27 | 显示全部楼层
管家扫描miss
LSPD
发表于 2017-10-7 17:43:36 | 显示全部楼层
ns kill

本帖子中包含更多资源

您需要 登录 才可以下载或查看,没有帐号?快速注册

x
您需要登录后才可以回帖 登录 | 快速注册

本版积分规则

手机版|杀毒软件|软件论坛|优惠券| 卡饭论坛

Copyright © KaFan  KaFan.cn All Rights Reserved.

Powered by Discuz! X3.4( 苏ICP备07004770号 ) GMT+8, 2017-10-24 08:15 , Processed in 0.037853 second(s), 4 queries , MemCached On.

快速回复 返回顶部 返回列表