Thread starter: 安全守护者

[Virus sample] Alright, alright, I just updated it a little

willjjyu
Posted on 2018-3-3 19:42:53
Last edited by willjjyu on 2018-3-3 19:44
Basic information
File name: flashplayer28pp_va_install[1.3].exe
MD5: 6f366f9a0d1bed530ea58c1873afef57
File type: EXE
Upload time: 2018-03-03 19:40:07
Publisher: N/A
Version: N/A
Packer / compiler info: PACKER:UPX V2.00-V3.00 -> Markus Oberhumer & Laszlo Molnar & John Reiser *
Sub-file info:
upx30_52bae088dumpFile / 83a35d02ed0d12abd86d4ff0d746769d / EXE

Key behaviours
Behaviour: Creates files on the desktop
Details:
C:\Documents and Settings\Administrator\桌面\AdobeFlashPlayer-part1.exe
C:\Documents and Settings\Administrator\桌面\funny.exe
C:\Documents and Settings\Administrator\桌面\AD.exe
C:\Documents and Settings\Administrator\桌面\Flash.exe
C:\Documents and Settings\Administrator\桌面\Locks.exe
Behaviour: Kills a process
Details:
TASKKILL = taskkill /f /t /im HipsTray.exe

Process behaviour
Behaviour: Creates processes
Details:
[0x00000b14]ImagePath = C:\WINDOWS\system32\cmd.exe, CmdLine = "C:\WINDOWS\system32\cmd" /c ""C:\Documents and Settings\Administrator\Local Settings\Temp\4.tmp\5.tmp\6.bat" "C:\Documents and Settings\Administrator\Local Settings\%temp%\****.exe""
[0x00000b34]ImagePath = C:\WINDOWS\system32\tasklist.exe, CmdLine = tasklist
[0x00000b3c]ImagePath = C:\WINDOWS\system32\findstr.exe, CmdLine = findstr /i HipsTray.exe
[0x00000be0]ImagePath = C:\WINDOWS\system32\taskkill.exe, CmdLine = taskkill /f /t /im HipsTray.exe
Behaviour: Creates local threads
Details:
TargetProcess: tasklist.exe, InheritedFromPID = 2836, ProcessID = 2868, ThreadID = 2896, StartAddress = 77E56C7D, Parameter = 000EAAD0
TargetProcess: tasklist.exe, InheritedFromPID = 2836, ProcessID = 2868, ThreadID = 2900, StartAddress = 769AE43B, Parameter = 000ED460
TargetProcess: tasklist.exe, InheritedFromPID = 2836, ProcessID = 2868, ThreadID = 2908, StartAddress = 77E56C7D, Parameter = 000EDB08
TargetProcess: taskkill.exe, InheritedFromPID = 2836, ProcessID = 3040, ThreadID = 3084, StartAddress = 77E56C7D, Parameter = 000EAB88
TargetProcess: taskkill.exe, InheritedFromPID = 2836, ProcessID = 3040, ThreadID = 3088, StartAddress = 769AE43B, Parameter = 000ED3E8
TargetProcess: taskkill.exe, InheritedFromPID = 2836, ProcessID = 3040, ThreadID = 3092, StartAddress = 77E56C7D, Parameter = 000EDBA0
Behaviour: Kills a process
Details:
TASKKILL = taskkill /f /t /im HipsTray.exe

File behaviour
Behaviour: Creates files
Details:
C:\Documents and Settings\Administrator\Local Settings\Temp\4.tmp
C:\Documents and Settings\Administrator\Local Settings\Temp\4.tmp\5.tmp
C:\Documents and Settings\Administrator\Local Settings\Temp\4.tmp\5.tmp\6.tmp
C:\Documents and Settings\Administrator\Local Settings\Temp\4.tmp\5.tmp\7.tmp
C:\Documents and Settings\Administrator\Local Settings\Temp\4.tmp\5.tmp\6.bat
Behaviour: Creates executable files
Details:
C:\Documents and Settings\Administrator\桌面\AdobeFlashPlayer-part1.exe
C:\Documents and Settings\Administrator\桌面\funny.exe
C:\Documents and Settings\Administrator\桌面\AD.exe
C:\Documents and Settings\Administrator\桌面\Flash.exe
C:\Documents and Settings\Administrator\桌面\Locks.exe
Behaviour: Modifies a script file
Details:
C:\Documents and Settings\Administrator\Local Settings\Temp\4.tmp\5.tmp\6.bat ---> Offset = 0
Behaviour: Searches for files
Details:
FileName = C:\DOCUME~1
FileName = C:\DOCUME~1\ADMINI~1
FileName = C:\DOCUME~1\ADMINI~1\LOCALS~1
FileName = C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp
FileName = C:\Documents and Settings
FileName = C:\Documents and Settings\Administrator
FileName = C:\Documents and Settings\Administrator\Local Settings
FileName = C:\Documents and Settings\Administrator\桌面\AdobeFlashPlayer-part1.exe
FileName = C:\WINDOWS
FileName = C:\WINDOWS\system32
FileName = C:\WINDOWS\system32\cmd.exe
FileName = C:\Documents and Settings\Administrator\Local Settings\Temp
FileName = C:\Documents and Settings\Administrator\Local Settings\%temp%
FileName = C:\Documents and Settings\Administrator\Local Settings\Temp\4.tmp\5.tmp\6.bat
FileName = C:\Documents and Settings\Administrator\Local Settings\Temp\4.tmp
Behaviour: Deletes files
Details:
C:\Documents and Settings\Administrator\Local Settings\Temp\4.tmp
C:\Documents and Settings\Administrator\Local Settings\Temp\4.tmp\5.tmp
C:\Documents and Settings\Administrator\Local Settings\Temp\4.tmp\5.tmp\6.tmp
Behaviour: Creates files on the desktop
Details:
C:\Documents and Settings\Administrator\桌面\AdobeFlashPlayer-part1.exe
C:\Documents and Settings\Administrator\桌面\funny.exe
C:\Documents and Settings\Administrator\桌面\AD.exe
C:\Documents and Settings\Administrator\桌面\Flash.exe
C:\Documents and Settings\Administrator\桌面\Locks.exe
Behaviour: Modifies file contents
Details:
C:\Documents and Settings\Administrator\桌面\AdobeFlashPlayer-part1.exe ---> Offset = 0
C:\Documents and Settings\Administrator\桌面\funny.exe ---> Offset = 0
C:\Documents and Settings\Administrator\桌面\AD.exe ---> Offset = 0
C:\Documents and Settings\Administrator\桌面\Flash.exe ---> Offset = 0
C:\Documents and Settings\Administrator\桌面\Locks.exe ---> Offset = 0

Other behaviour
Behaviour: Creates mutexes
Details:
CTF.LBES.MutexDefaultS-*
CTF.Compart.MutexDefaultS-*
CTF.Asm.MutexDefaultS-*
CTF.Layouts.MutexDefaultS-*
CTF.TMD.MutexDefaultS-*
CTF.TimListCache.FMPDefaultS-*MUTEX.DefaultS-*
MSCTF.Shared.MUTEX.IOH
MSCTF.Shared.MUTEX.IBL
Behaviour: Creates event objects
Details:
EventName = DINPUTWINMM
EventName = MSCTF.SendReceiveConection.Event.IBL.IC
EventName = MSCTF.SendReceive.Event.IBL.IC
Behaviour: Looks up specific windows
Details:
NtUserFindWindowEx: [Class,Window] = [,]
NtUserFindWindowEx: [Class,Window] = [Shell_TrayWnd,]
NtUserFindWindowEx: [Class,Window] = [CicLoaderWndClass,]
Behaviour: Opens events
Details:
HookSwitchHookEnabledEvent
MSFT.VSA.COM.DISABLE.2868
MSFT.VSA.IEC.STATUS.6c736db0
MSFT.VSA.COM.DISABLE.3040
_fCanRegisterWithShellService
CTF.ThreadMIConnectionEvent.000007E8.00000000.0000000F
CTF.ThreadMarshalInterfaceEvent.000007E8.00000000.0000000F
MSCTF.SendReceiveConection.Event.IOH.IC
MSCTF.SendReceive.Event.IOH.IC
Behaviour: Adjusts process token privileges
Details:
SE_DEBUG_PRIVILEGE
SE_SYSTEMTIME_PRIVILEGE
SE_LOAD_DRIVER_PRIVILEGE
Behaviour: Enumerates windows
Details:
N/A
Behaviour: Executable signature info
Details:
C:\Documents and Settings\Administrator\桌面\AdobeFlashPlayer-part1.exe (signature verification: failed)
C:\Documents and Settings\Administrator\桌面\funny.exe (signature verification: failed)
C:\Documents and Settings\Administrator\桌面\AD.exe (signature verification: failed)
C:\Documents and Settings\Administrator\桌面\Flash.exe (signature verification: failed)
C:\Documents and Settings\Administrator\桌面\Locks.exe (signature verification: failed)
Behaviour: Calls the Sleep function
Details:
[1]: MilliSeconds = 10.
[2]: MilliSeconds = 10.
[3]: MilliSeconds = 10.
[4]: MilliSeconds = 10.
[5]: MilliSeconds = 10.
[6]: MilliSeconds = 10.
[7]: MilliSeconds = 10.
[8]: MilliSeconds = 10.
[9]: MilliSeconds = 10.
[10]: MilliSeconds = 10.
Behaviour: Executable MD5
Details:
C:\Documents and Settings\Administrator\桌面\AdobeFlashPlayer-part1.exe ---> 958f7260d707e8b3579407e0f9fb815c
C:\Documents and Settings\Administrator\桌面\funny.exe ---> aafdf50e3fbcc3179033ee4fada60ef3
C:\Documents and Settings\Administrator\桌面\AD.exe ---> fc9379011a041c2d2e1a6e43a211d9ab
C:\Documents and Settings\Administrator\桌面\Flash.exe ---> 8333b26b25bdef985b56427ad3ad196d
C:\Documents and Settings\Administrator\桌面\Locks.exe ---> 97240a4ed13a61469da8529136a419ac
Behaviour: Opens a mutex
Details:
ShimCacheMutex
Behaviour: Sample console output
Details:
N/A

Process tree
****.exe (PID: 0x00000ad8)
    cmd.exe cmd" /c "6.bat" ****.exe"" (PID: 0x00000b14)
        tasklist.exe (PID: 0x00000b34)
        findstr.exe (PID: 0x00000b3c)
        taskkill.exe (PID: 0x00000be0)


j2016
Posted on 2018-3-3 20:51:15
eav: killed the instant it's unpacked
hansyu
Posted on 2018-3-3 21:53:56
McAfee
JTI/Suspect.131076!6f366f9a0d1b
ELOHIM
Posted on 2018-3-3 22:44:24
wiep clean

xingluhuayu
Posted on 2018-3-4 07:59:13
Last edited by xingluhuayu on 2018-3-4 08:00

eea did well: I clicked download and it alerted before the file was even saved

极简极纯
Posted on 2018-3-4 10:28:13
BD finally kills it, already replied... it missed several in a row this morning, a bit scary
45her
Posted on 2018-3-4 11:05:28
Norton kills it on unpacking

wusiyuanjh
Posted on 2018-3-5 20:14:47
Kaspersky has blacklisted it now
julia跺跺
Posted on 2018-3-6 09:44:32
Last edited by julia跺跺 on 2018-3-6 09:47

ytysh posted on 2018-3-3 15:30:
Webroot missed it; the second scan 10 minutes later killed it

I've noticed... every Webroot detection name is just W32

OK, ignore that, W32 means Windows 32 *embarrassed*
Dolby123
Posted on 2018-3-6 10:01:32
WD

Trojan:Win32/Sonoko.A!ms