Thread starter: remiliacn

[Virus sample] Olympic Destroyer

Dolby123
Posted 2018-2-16 22:14:26
WD

Trojan:Win32/Samcrex.A!dha
ttdown
Posted 2018-2-17 17:06:48
Huorong scan: miss!
毛可多来
Posted 2018-2-18 10:12:51
Basic information
File name:
OlympicDestroyer.exe
MD5: cfdd16225e67471f5ef54cab9b3a5558
File type: EXE
Upload time: 2018-02-18 10:09:06
Publisher: N/A
Version: N/A
Packer/compiler info: COMPILER:Microsoft Visual Studio .NET 2005 -- 2008 -> Microsoft Corporation *


Key behaviors
Behavior: cross-process memory write
Details:
TargetProcess = C:\Users\ADMINI~1\AppData\Local\Temp\usadl.exe, WriteAddress = 0x00150000, Size = 0x00000020 TargetPID = 0x00000b7c
TargetProcess = C:\Users\ADMINI~1\AppData\Local\Temp\usadl.exe, WriteAddress = 0x00150020, Size = 0x00000034 TargetPID = 0x00000b7c
TargetProcess = C:\Users\ADMINI~1\AppData\Local\Temp\usadl.exe, WriteAddress = 0x7ffdd238, Size = 0x00000004 TargetPID = 0x00000b7c
TargetProcess = C:\Users\ADMINI~1\AppData\Local\Temp\bvkfc.exe, WriteAddress = 0x00050000, Size = 0x00000020 TargetPID = 0x00000c20
TargetProcess = C:\Users\ADMINI~1\AppData\Local\Temp\bvkfc.exe, WriteAddress = 0x00050020, Size = 0x00000034 TargetPID = 0x00000c20
TargetProcess = C:\Users\ADMINI~1\AppData\Local\Temp\bvkfc.exe, WriteAddress = 0x7ffdb238, Size = 0x00000004 TargetPID = 0x00000c20
TargetProcess = C:\Users\ADMINI~1\AppData\Local\Temp\_hff.exe, WriteAddress = 0x00060000, Size = 0x00000020 TargetPID = 0x00000c08
TargetProcess = C:\Users\ADMINI~1\AppData\Local\Temp\_hff.exe, WriteAddress = 0x00060020, Size = 0x00000034 TargetPID = 0x00000c08
TargetProcess = C:\Users\ADMINI~1\AppData\Local\Temp\_hff.exe, WriteAddress = 0x7ffda238, Size = 0x00000004 TargetPID = 0x00000c08
TargetProcess = C:\Windows\System32\cmd.exe, WriteAddress = 0x00050000, Size = 0x00000020 TargetPID = 0x00000ce0
TargetProcess = C:\Windows\System32\cmd.exe, WriteAddress = 0x00050020, Size = 0x00000034 TargetPID = 0x00000ce0
TargetProcess = C:\Windows\System32\cmd.exe, WriteAddress = 0x7ffd6238, Size = 0x00000004 TargetPID = 0x00000ce0
TargetProcess = C:\Windows\System32\vssadmin.exe, WriteAddress = 0x00050000, Size = 0x00000020 TargetPID = 0x00000d1c
TargetProcess = C:\Windows\System32\vssadmin.exe, WriteAddress = 0x00050020, Size = 0x00000034 TargetPID = 0x00000d1c
TargetProcess = C:\Windows\System32\vssadmin.exe, WriteAddress = 0x7ffda238, Size = 0x00000004 TargetPID = 0x00000d1c
Behavior: shutdown or reboot
Details:
InitiateSystemShutdownExW
Behavior: set special folder attributes
Details:
C:\Users\Administrator\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5
C:\Users\Administrator\AppData\Roaming\Microsoft\Windows\Cookies
C:\Users\Administrator\AppData\Local\Microsoft\Windows\History\History.IE5
Behavior: registry query (virtual machine detection)
Details:
\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Oracle VM VirtualBox Guest Additions\DisplayName
Behavior: read TickCount value
Details:
TickCount = 155344, SleepMilliseconds = 1.
TickCount = 155360, SleepMilliseconds = 1.
TickCount = 155376, SleepMilliseconds = 1.
TickCount = 155391, SleepMilliseconds = 1.
TickCount = 155407, SleepMilliseconds = 1.
TickCount = 155422, SleepMilliseconds = 1.
TickCount = 156079, SleepMilliseconds = 1.
TickCount = 156094, SleepMilliseconds = 1.
TickCount = 156110, SleepMilliseconds = 1.
TickCount = 156126, SleepMilliseconds = 1.
TickCount = 156141, SleepMilliseconds = 1.
TickCount = 156438, SleepMilliseconds = 1.
TickCount = 156594, SleepMilliseconds = 1.
TickCount = 3760937, SleepMilliseconds = 3600000.
TickCount = 3760953, SleepMilliseconds = 3600000.


Process behavior
Behavior: create process with hidden window
Details:
ImagePath = C:\Users\ADMINI~1\AppData\Local\Temp\_hff.exe, CmdLine =
ImagePath = , CmdLine = C:\Windows\system32\cmd.exe /c c:\Windows\system32\vssadmin.exe delete shadows /all /quiet
ImagePath = , CmdLine = C:\Windows\system32\cmd.exe /c wbadmin.exe delete catalog -quiet
ImagePath = , CmdLine = C:\Windows\system32\cmd.exe /c bcdedit.exe /set {default} bootstatuspolicy ignoreallfailures & bcdedit /set {default} recoveryenabled no
ImagePath = , CmdLine = C:\Windows\system32\cmd.exe /c wevtutil.exe cl System
ImagePath = , CmdLine = C:\Windows\system32\cmd.exe /c wevtutil.exe cl Security
ImagePath = C:\Windows\System32\%temp%\****.exe, CmdLine = %temp%\**** --machinereadable -- C:/07c18980de59b70b44f118fe7e28dc64_Finished.txt
Behavior: create process
Details:
[0x00000ce0]ImagePath = C:\Windows\System32\cmd.exe, CmdLine = C:\Windows\system32\cmd.exe /c c:\Windows\system32\vssadmin.exe delete shadows /all /quiet
[0x00000d1c]ImagePath = C:\Windows\System32\vssadmin.exe, CmdLine = c:\Windows\system32\vssadmin.exe delete shadows /all /quiet
[0x00000d88]ImagePath = C:\Windows\System32\cmd.exe, CmdLine = C:\Windows\system32\cmd.exe /c wbadmin.exe delete catalog -quiet
[0x00000d90]ImagePath = C:\Windows\System32\wbadmin.exe, CmdLine = wbadmin.exe delete catalog -quiet
[0x00000eac]ImagePath = C:\Windows\System32\cmd.exe, CmdLine = C:\Windows\system32\cmd.exe /c bcdedit.exe /set {default} bootstatuspolicy ignoreallfailures & bcdedit /set {default} recoveryenabled no
[0x00000f3c]ImagePath = C:\Windows\System32\bcdedit.exe, CmdLine = bcdedit.exe /set {default} bootstatuspolicy ignoreallfailures
[0x00000f58]ImagePath = C:\Windows\System32\bcdedit.exe, CmdLine = bcdedit /set {default} recoveryenabled no
[0x00000f6c]ImagePath = C:\Windows\System32\cmd.exe, CmdLine = C:\Windows\system32\cmd.exe /c wevtutil.exe cl System
[0x00000f40]ImagePath = C:\Windows\System32\wevtutil.exe, CmdLine = wevtutil.exe cl System
[0x00000f38]ImagePath = C:\Windows\System32\cmd.exe, CmdLine = C:\Windows\system32\cmd.exe /c wevtutil.exe cl Security
[0x00000770]ImagePath = C:\Windows\System32\wevtutil.exe, CmdLine = wevtutil.exe cl Security
[0x00000a64]ImagePath = C:\Windows\System32\patchupdate.exe, CmdLine = C:\Windows\System32\patchupdate.exe
Behavior: create process from newly written file
Details:
[0x00000b7c]ImagePath = C:\Users\ADMINI~1\AppData\Local\Temp\usadl.exe, CmdLine = 123 \\.\pipe\F5D9C664-F2BB-4696-933A-CAFE4546E693
[0x00000c20]ImagePath = C:\Users\ADMINI~1\AppData\Local\Temp\bvkfc.exe, CmdLine = 123 \\.\pipe\2F46547C-7268-4C76-AE0A-788F505A632E
[0x00000c08]ImagePath = C:\Users\ADMINI~1\AppData\Local\Temp\_hff.exe, CmdLine = "C:\Users\ADMINI~1\AppData\Local\Temp\_hff.exe"
Behavior: enumerate processes
Details:
N/A


File behavior
Behavior: create file
Details:
C:\Users\Public\30B35759062C5FA75EAFDAB4999D6FB3
C:\Users\Administrator\AppData\Local\Temp\usadl.exe
C:\Users\Administrator\AppData\Local\Temp\bvkfc.exe
C:\Users\Administrator\AppData\Local\Temp\_jtw.exe
C:\Users\Administrator\AppData\Local\Temp\_lyn.exe
C:\Users\Administrator\AppData\Local\Temp\_hff.exe
Behavior: create executable file
Details:
C:\Users\Administrator\AppData\Local\Temp\usadl.exe
C:\Users\Administrator\AppData\Local\Temp\bvkfc.exe
C:\Users\Administrator\AppData\Local\Temp\_jtw.exe
C:\Users\Administrator\AppData\Local\Temp\_lyn.exe
C:\Users\Administrator\AppData\Local\Temp\_hff.exe
Behavior: copy file
Details:
C:\Users\Administrator\AppData\Local\%temp%\b70c.exe ---> C:\Users\ADMINI~1\AppData\Local\Temp\_jtw.exe
Behavior: delete file
Details:
C:\Users\Administrator\AppData\Local\Temp\_jtw.exe
Behavior: search for file
Details:
FileName = C:\Users
FileName = C:\Users\ADMINI~1
FileName = C:\Users\ADMINI~1\AppData
FileName = C:\Users\ADMINI~1\AppData\Local
FileName = C:\Users\ADMINI~1\AppData\Local\Temp
FileName = C:\Users\ADMINI~1\AppData\Local\Temp\usadl.exe
FileName = C:\Users\ADMINI~1\AppData\Local\Temp\*.*
FileName = C:\Users\ADMINI~1\AppData\Local\Temp\bvkfc.exe
FileName = C:\Users\ADMINI~1\AppData\Local\Temp\_hff.exe
FileName = C:\Users\Administrator
FileName = C:\Users\Administrator\AppData
FileName = C:\Users\Administrator\AppData\Local
FileName = C:\Users\Administrator\AppData\Local\Temp
FileName = C:\Users\Administrator\AppData\Local\%temp%
FileName = c:\Windows\system32\vssadmin.exe
Behavior: modify file contents
Details:
C:\Users\Administrator\AppData\Local\Temp\usadl.exe ---> Offset = 0
C:\Users\Administrator\AppData\Local\Temp\bvkfc.exe ---> Offset = 0
C:\Users\Administrator\AppData\Local\Temp\_jtw.exe ---> Offset = 0
C:\Users\Administrator\AppData\Local\Temp\_jtw.exe ---> Offset = 65536
C:\Users\Administrator\AppData\Local\Temp\_jtw.exe ---> Offset = 131072
C:\Users\Administrator\AppData\Local\Temp\_jtw.exe ---> Offset = 196608
C:\Users\Administrator\AppData\Local\Temp\_jtw.exe ---> Offset = 262144
C:\Users\Administrator\AppData\Local\Temp\_jtw.exe ---> Offset = 1859584
C:\Users\Administrator\AppData\Local\Temp\_lyn.exe ---> Offset = 0
C:\Users\Administrator\AppData\Local\Temp\_hff.exe ---> Offset = 0


Registry behavior
Behavior: modify registry
Details:
\REGISTRY\MACHINE\BCD00000000\Objects\{0fb65d91-cb87-11e4-96f4-b7322fe5ec33}\Elements\250000e0\Element
\REGISTRY\MACHINE\BCD00000000\Objects\{0fb65d91-cb87-11e4-96f4-b7322fe5ec33}\Elements\16000009\Element


Other behavior
Behavior: check whether it is being debugged
Details:
IsDebuggerPresent
Behavior: create mutex
Details:
Local\_!MSFTHISTORY!_
Local\c:!users!administrator!appdata!local!microsoft!windows!temporary internet files!content.ie5!
Local\c:!users!administrator!appdata!roaming!microsoft!windows!cookies!
Local\c:!users!administrator!appdata!local!microsoft!windows!history!history.ie5!
Behavior: enumerate network shares
Details:
N/A
Behavior: adjust process token privileges
Details:
SE_INCREASE_QUOTA_PRIVILEGE
SE_SECURITY_PRIVILEGE
SE_TAKE_OWNERSHIP_PRIVILEGE
SE_LOAD_DRIVER_PRIVILEGE
SE_SYSTEM_PROFILE_PRIVILEGE
SE_SYSTEMTIME_PRIVILEGE
SE_PROF_SINGLE_PROCESS_PRIVILEGE
SE_INC_BASE_PRIORITY_PRIVILEGE
SE_CREATE_PAGEFILE_PRIVILEGE
SE_BACKUP_PRIVILEGE
SE_RESTORE_PRIVILEGE
SE_SHUTDOWN_PRIVILEGE
SE_DEBUG_PRIVILEGE
SE_SYSTEM_ENVIRONMENT_PRIVILEGE
SE_REMOTE_SHUTDOWN_PRIVILEGE
Behavior: open event
Details:
HookSwitchHookEnabledEvent
\KernelObjects\MaximumCommitCondition
\SECURITY\LSA_AUTHENTICATION_INITIALIZED
MSFT.VSA.COM.DISABLE.3472
MSFT.VSA.IEC.STATUS.6c736db0
Global\SvcctrlStartEvent_A3752DX
Global\TermSrvReadyEvent
MSFT.VSA.COM.DISABLE.2908
Behavior: executable signature information
Details:
C:\Users\Administrator\AppData\Local\Temp\usadl.exe (signature verification: failed)
C:\Users\Administrator\AppData\Local\Temp\bvkfc.exe (signature verification: failed)
C:\Users\Administrator\AppData\Local\Temp\_jtw.exe (signature verification: failed)
C:\Users\Administrator\AppData\Local\Temp\_lyn.exe (signature verification: passed)
C:\Users\Administrator\AppData\Local\Temp\_hff.exe (signature verification: failed)
Behavior: call Sleep function
Details:
[1]: MilliSeconds = 1.
[2]: MilliSeconds = 1.
[3]: MilliSeconds = 1.
[4]: MilliSeconds = 1.
[5]: MilliSeconds = 1.
[6]: MilliSeconds = 1.
[7]: MilliSeconds = 1.
[8]: MilliSeconds = 1.
[9]: MilliSeconds = 1.
[10]: MilliSeconds = 1.
[1]: MilliSeconds = 3600000.
Behavior: executable MD5
Details:
C:\Users\Administrator\AppData\Local\Temp\usadl.exe ---> 4f43f03783f9789f804dcf9b9474fa6d
C:\Users\Administrator\AppData\Local\Temp\bvkfc.exe ---> 6e0ebeeea1cb00192b074b288a4f9cfe
C:\Users\Administrator\AppData\Local\Temp\_jtw.exe ---> cfdd16225e67471f5ef54cab9b3a5558
C:\Users\Administrator\AppData\Local\Temp\_jtw.exe ---> 1007ee65d2a1035ff4c783b4a185419a
C:\Users\Administrator\AppData\Local\Temp\_lyn.exe ---> 27304b246c7d5b4e149124d5f93c5b01
C:\Users\Administrator\AppData\Local\Temp\_hff.exe ---> 3c0d740347b0362331c882c2dee96dbf
Behavior: open mutex
Details:
Local\_!MSFTHISTORY!_
Local\c:!users!administrator!appdata!local!microsoft!windows!temporary internet files!content.ie5!
Local\c:!users!administrator!appdata!roaming!microsoft!windows!cookies!
Local\c:!users!administrator!appdata!local!microsoft!windows!history!history.ie5!
Behavior: load newly dropped file
Details:
Image: C:\Users\ADMINI~1\AppData\Local\Temp\usadl.exe.
Image: C:\Users\ADMINI~1\AppData\Local\Temp\bvkfc.exe.
Image: C:\Users\ADMINI~1\AppData\Local\Temp\_hff.exe.


Process tree
  • cmd.exe (PID: 0x0000097c)
    • patchupdate.exe (PID: 0x00000a64)
  • ****.exe (PID: 0x00000b5c)
    • usadl.exe (PID: 0x00000b7c)
    • bvkfc.exe (PID: 0x00000c20)
    • _hff.exe (PID: 0x00000c08)
      • cmd.exe (PID: 0x00000ce0)
      • cmd.exe (PID: 0x00000d88)
      • cmd.exe (PID: 0x00000eac)
      • cmd.exe (PID: 0x00000f6c)
      • cmd.exe (PID: 0x00000f38)

File analysis chart (PortEx): image not included in this extraction.



刻舟求剑
Posted 2018-2-18 12:01:01
Trend Micro: the file was removed after extraction.
ytysh
Posted 2018-2-19 15:23:59
Webroot kill
Copyright © KaFan  KaFan.cn All Rights Reserved.