好吧好吧，我就稍微更新了一下

willjjyu

1. <b>基本信息</b>
   
2. 文件名称：        
   
3. <b>flashplayer28pp_va_install[1.3].exe</b>
   
4. MD5：        6f366f9a0d1bed530ea58c1873afef57
   
5. 文件类型：        EXE
   
6. 上传时间：        2018-03-03 19:40:07
   
7. 出品公司：        N/A
   
8. 版本：        N/A
   
9. 壳或编译器信息：        PACKER:UPX V2.00-V3.00 -> Markus Oberhumer & Laszlo Molnar & John Reiser *
   
10. 子文件信息：        
    
11. upx30_52bae088dumpFile /  83a35d02ed0d12abd86d4ff0d746769d /  EXE
    
12. <b><font color="#ff0000">关键行为</font></b>
    
13. <font color="#ff0000">行为描述：        在桌面创建文件
    
14. 详情信息：        
    
15. C:\Documents and Settings\Administrator\桌面\AdobeFlashPlayer-part1.exe
    
16. C:\Documents and Settings\Administrator\桌面\funny.exe
    
17. C:\Documents and Settings\Administrator\桌面\AD.exe
    
18. C:\Documents and Settings\Administrator\桌面\Flash.exe
    
19. C:\Documents and Settings\Administrator\桌面\Locks.exe
    
20. 行为描述：        杀掉进程
    
21. 详情信息：        
    
22. TASKKILL = taskkill /f /t /im HipsTray.exe</font>
    
23. <b>进程行为</b>
    
24. 行为描述：        创建进程
    
25. 详情信息：        
    
26. [0x00000b14]ImagePath = C:\WINDOWS\system32\cmd.exe, CmdLine = "C:\WINDOWS\system32\cmd" /c ""C:\Documents and Settings\Administrator\Local Settings\Temp\4.tmp\5.tmp\6.bat" "C:\Documents and Settings\Administrator\Local Settings\%temp%\****.exe""
    
27. [0x00000b34]ImagePath = C:\WINDOWS\system32\tasklist.exe, CmdLine = tasklist
    
28. [0x00000b3c]ImagePath = C:\WINDOWS\system32\findstr.exe, CmdLine = findstr /i HipsTray.exe
    
29. [0x00000be0]ImagePath = C:\WINDOWS\system32\taskkill.exe, CmdLine = taskkill /f /t /im HipsTray.exe
    
30. 行为描述：        创建本地线程
    
31. 详情信息：        
    
32. TargetProcess: tasklist.exe, InheritedFromPID = 2836, ProcessID = 2868, ThreadID = 2896, StartAddress = 77E56C7D, Parameter = 000EAAD0
    
33. TargetProcess: tasklist.exe, InheritedFromPID = 2836, ProcessID = 2868, ThreadID = 2900, StartAddress = 769AE43B, Parameter = 000ED460
    
34. TargetProcess: tasklist.exe, InheritedFromPID = 2836, ProcessID = 2868, ThreadID = 2908, StartAddress = 77E56C7D, Parameter = 000EDB08
    
35. TargetProcess: taskkill.exe, InheritedFromPID = 2836, ProcessID = 3040, ThreadID = 3084, StartAddress = 77E56C7D, Parameter = 000EAB88
    
36. TargetProcess: taskkill.exe, InheritedFromPID = 2836, ProcessID = 3040, ThreadID = 3088, StartAddress = 769AE43B, Parameter = 000ED3E8
    
37. TargetProcess: taskkill.exe, InheritedFromPID = 2836, ProcessID = 3040, ThreadID = 3092, StartAddress = 77E56C7D, Parameter = 000EDBA0
    
38. 行为描述：        杀掉进程
    
39. 详情信息：        
    
40. TASKKILL = taskkill /f /t /im HipsTray.exe
    
41. <b>文件行为</b>
    
42. 行为描述：        创建文件
    
43. 详情信息：        
    
44. C:\Documents and Settings\Administrator\Local Settings\Temp\4.tmp
    
45. C:\Documents and Settings\Administrator\Local Settings\Temp\4.tmp\5.tmp
    
46. C:\Documents and Settings\Administrator\Local Settings\Temp\4.tmp\5.tmp\6.tmp
    
47. C:\Documents and Settings\Administrator\Local Settings\Temp\4.tmp\5.tmp\7.tmp
    
48. C:\Documents and Settings\Administrator\Local Settings\Temp\4.tmp\5.tmp\6.bat
    
49. 行为描述：        创建可执行文件
    
50. 详情信息：        
    
51. C:\Documents and Settings\Administrator\桌面\AdobeFlashPlayer-part1.exe
    
52. C:\Documents and Settings\Administrator\桌面\funny.exe
    
53. C:\Documents and Settings\Administrator\桌面\AD.exe
    
54. C:\Documents and Settings\Administrator\桌面\Flash.exe
    
55. C:\Documents and Settings\Administrator\桌面\Locks.exe
    
56. 行为描述：        修改脚本文件
    
57. 详情信息：        
    
58. C:\Documents and Settings\Administrator\Local Settings\Temp\4.tmp\5.tmp\6.bat ---> Offset = 0
    
59. 行为描述：        查找文件
    
60. 详情信息：        
    
61. FileName = C:\DOCUME~1
    
62. FileName = C:\DOCUME~1\ADMINI~1
    
63. FileName = C:\DOCUME~1\ADMINI~1\LOCALS~1
    
64. FileName = C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp
    
65. FileName = C:\Documents and Settings
    
66. FileName = C:\Documents and Settings\Administrator
    
67. FileName = C:\Documents and Settings\Administrator\Local Settings
    
68. FileName = C:\Documents and Settings\Administrator\桌面\AdobeFlashPlayer-part1.exe
    
69. FileName = C:\WINDOWS
    
70. FileName = C:\WINDOWS\system32
    
71. FileName = C:\WINDOWS\system32\cmd.exe
    
72. FileName = C:\Documents and Settings\Administrator\Local Settings\Temp
    
73. FileName = C:\Documents and Settings\Administrator\Local Settings\%temp%
    
74. FileName = C:\Documents and Settings\Administrator\Local Settings\Temp\4.tmp\5.tmp\6.bat
    
75. FileName = C:\Documents and Settings\Administrator\Local Settings\Temp\4.tmp
    
76. 行为描述：        删除文件
    
77. 详情信息：        
    
78. C:\Documents and Settings\Administrator\Local Settings\Temp\4.tmp
    
79. C:\Documents and Settings\Administrator\Local Settings\Temp\4.tmp\5.tmp
    
80. C:\Documents and Settings\Administrator\Local Settings\Temp\4.tmp\5.tmp\6.tmp
    
81. 行为描述：        在桌面创建文件
    
82. 详情信息：        
    
83. C:\Documents and Settings\Administrator\桌面\AdobeFlashPlayer-part1.exe
    
84. C:\Documents and Settings\Administrator\桌面\funny.exe
    
85. C:\Documents and Settings\Administrator\桌面\AD.exe
    
86. C:\Documents and Settings\Administrator\桌面\Flash.exe
    
87. C:\Documents and Settings\Administrator\桌面\Locks.exe
    
88. 行为描述：        修改文件内容
    
89. 详情信息：        
    
90. C:\Documents and Settings\Administrator\桌面\AdobeFlashPlayer-part1.exe ---> Offset = 0
    
91. C:\Documents and Settings\Administrator\桌面\funny.exe ---> Offset = 0
    
92. C:\Documents and Settings\Administrator\桌面\AD.exe ---> Offset = 0
    
93. C:\Documents and Settings\Administrator\桌面\Flash.exe ---> Offset = 0
    
94. C:\Documents and Settings\Administrator\桌面\Locks.exe ---> Offset = 0
    
95. <b>其他行为</b>
    
96. 行为描述：        创建互斥体
    
97. 详情信息：        
    
98. CTF.LBES.MutexDefaultS-*
    
99. CTF.Compart.MutexDefaultS-*
    
100. CTF.Asm.MutexDefaultS-*
     
101. CTF.Layouts.MutexDefaultS-*
     
102. CTF.TMD.MutexDefaultS-*
     
103. CTF.TimListCache.FMPDefaultS-*MUTEX.DefaultS-*
     
104. MSCTF.Shared.MUTEX.IOH
     
105. MSCTF.Shared.MUTEX.IBL
     
106. 行为描述：        创建事件对象
     
107. 详情信息：        
     
108. EventName = DINPUTWINMM
     
109. EventName = MSCTF.SendReceiveConection.Event.IBL.IC
     
110. EventName = MSCTF.SendReceive.Event.IBL.IC
     
111. 行为描述：        查找指定窗口
     
112. 详情信息：        
     
113. NtUserFindWindowEx: [Class,Window] = [,]
     
114. NtUserFindWindowEx: [Class,Window] = [Shell_TrayWnd,]
     
115. NtUserFindWindowEx: [Class,Window] = [CicLoaderWndClass,]
     
116. 行为描述：        打开事件
     
117. 详情信息：        
     
118. HookSwitchHookEnabledEvent
     
119. MSFT.VSA.COM.DISABLE.2868
     
120. MSFT.VSA.IEC.STATUS.6c736db0
     
121. MSFT.VSA.COM.DISABLE.3040
     
122. _fCanRegisterWithShellService
     
123. CTF.ThreadMIConnectionEvent.000007E8.00000000.0000000F
     
124. CTF.ThreadMarshalInterfaceEvent.000007E8.00000000.0000000F
     
125. MSCTF.SendReceiveConection.Event.IOH.IC
     
126. MSCTF.SendReceive.Event.IOH.IC
     
127. 行为描述：        调整进程token权限
     
128. 详情信息：        
     
129. SE_DEBUG_PRIVILEGE
     
130. SE_SYSTEMTIME_PRIVILEGE
     
131. SE_LOAD_DRIVER_PRIVILEGE
     
132. 行为描述：        枚举窗口
     
133. 详情信息：        
     
134. N/A
     
135. 行为描述：        可执行文件签名信息
     
136. 详情信息：        
     
137. C:\Documents and Settings\Administrator\桌面\AdobeFlashPlayer-part1.exe(签名验证: 未通过)
     
138. C:\Documents and Settings\Administrator\桌面\funny.exe(签名验证: 未通过)
     
139. C:\Documents and Settings\Administrator\桌面\AD.exe(签名验证: 未通过)
     
140. C:\Documents and Settings\Administrator\桌面\Flash.exe(签名验证: 未通过)
     
141. C:\Documents and Settings\Administrator\桌面\Locks.exe(签名验证: 未通过)
     
142. 行为描述：        调用Sleep函数
     
143. 详情信息：        
     
144. [1]: MilliSeconds = 10.
     
145. [2]: MilliSeconds = 10.
     
146. [3]: MilliSeconds = 10.
     
147. [4]: MilliSeconds = 10.
     
148. [5]: MilliSeconds = 10.
     
149. [6]: MilliSeconds = 10.
     
150. [7]: MilliSeconds = 10.
     
151. [8]: MilliSeconds = 10.
     
152. [9]: MilliSeconds = 10.
     
153. [10]: MilliSeconds = 10.
     
154. 行为描述：        可执行文件MD5
     
155. 详情信息：        
     
156. C:\Documents and Settings\Administrator\桌面\AdobeFlashPlayer-part1.exe ---> 958f7260d707e8b3579407e0f9fb815c
     
157. C:\Documents and Settings\Administrator\桌面\funny.exe ---> aafdf50e3fbcc3179033ee4fada60ef3
     
158. C:\Documents and Settings\Administrator\桌面\AD.exe ---> fc9379011a041c2d2e1a6e43a211d9ab
     
159. C:\Documents and Settings\Administrator\桌面\Flash.exe ---> 8333b26b25bdef985b56427ad3ad196d
     
160. C:\Documents and Settings\Administrator\桌面\Locks.exe ---> 97240a4ed13a61469da8529136a419ac
     
161. 行为描述：        打开互斥体
     
162. 详情信息：        
     
163. ShimCacheMutex
     
164. 行为描述：        样本控制台输出内容
     
165. 详情信息：        
     
166. N/A
     
167. 进程树
     
168. ****.exe (PID: 0x00000ad8)
     
169. cmd.exe cmd" /c "6.bat" ****.exe"" (PID: 0x00000b14)
     
170. tasklist.exe (PID: 0x00000b34)
     
171. findstr.exe (PID: 0x00000b3c)
     
172. taskkill.exe (PID: 0x00000be0)

复制代码

j2016

eav解压秒

hansyu

McAfee
JTI/Suspect.131076!6f366f9a0d1b

ELOHIM

wiep clean

xingluhuayu

eea表现不错，点了下载还没保存，直接报警

极简极纯

BD终于杀了已回...今天早上连着Miss有点可怕

45her

诺顿解压杀

ATP_synthase

卡巴目前已拉黑

julia跺跺

ytysh 发表于 2018-3-3 15:30
Webroot Miss 10分钟二扫就杀了

我是发现了。。。webroot所有报毒名称都叫W32


好吧，忽略，W32是windows32的意思  囧囧囧

Dolby123

WD

Trojan:Win32/Sonoko.A!ms