SnakeLocker

显示全部楼层 · 发表于 2018-3-10 19:43:40

Dolby123 发表于 2018-3-10 15:51
这我就不清楚了你看9L 的同学解压报了

eset解压时不报，扫描报

显示全部楼层 · 发表于 2018-3-11 00:46:10

ytysh 发表于 2018-3-9 20:07
Webroot Miss 二扫杀

鉴定耗时11分钟

这是啥的鉴定....
这是人工提交的还是他自己给的

好怀念以前的prevx...
不知道这个东西被收购之后还是不是以前那样了

显示全部楼层 · 发表于 2018-3-11 01:03:53

关键行为
行为描述：获取文件属性探测虚拟机
详情信息：
GetFileAttributes: FileName = C:\Documents and Settings\Administrator\Local Settings\Application Data\VMware

GetFileAttributes: FileName = C:\Documents and Settings\Administrator\Local Settings\Temp\VMwareDnD

GetFileAttributes: FileName = C:\Documents and Settings\Administrator\「开始」菜单\程序\Oracle VM VirtualBox Guest Additions

行为描述：在桌面创建文件
详情信息：
C:\Documents and Settings\Administrator\桌面\money.doc.TGIF

行为描述：获取TickCount值
详情信息：
TickCount = 226068, SleepMilliseconds = 100.

进程行为
行为描述：创建进程
详情信息：
[0x00000c3c]ImagePath = C:\Documents and Settings\Administrator\Local Settings\%temp%\****.exe_7zdump\Sample_5aa12bf6037d0361aed26deb.bin.exe, CmdLine = "C:\Documents and Settings\Administrator\Local Settings\%temp%\****.exe_7zdump\Sample_5aa12bf6037d0361aed26deb.bin.exe"

文件行为
行为描述：创建文件
详情信息：
C:\Documents and Settings\Administrator\Local Settings\Temp\_MEI29042\Crypto.Cipher._AES.pyd

C:\Documents and Settings\Administrator\Local Settings\Temp\_MEI29042\Microsoft.VC90.CRT.manifest

C:\Documents and Settings\Administrator\Local Settings\Temp\_MEI29042\SnakeLocker.exe.manifest

C:\Documents and Settings\Administrator\Local Settings\Temp\_MEI29042\_ctypes.pyd

C:\Documents and Settings\Administrator\Local Settings\Temp\_MEI29042\_hashlib.pyd

C:\Documents and Settings\Administrator\Local Settings\Temp\_MEI29042\_multiprocessing.pyd

C:\Documents and Settings\Administrator\Local Settings\Temp\_MEI29042\_socket.pyd

C:\Documents and Settings\Administrator\Local Settings\Temp\_MEI29042\_ssl.pyd

C:\Documents and Settings\Administrator\Local Settings\Temp\_MEI29042\bz2.pyd

C:\Documents and Settings\Administrator\Local Settings\Temp\_MEI29042\msvcm90.dll

C:\Documents and Settings\Administrator\Local Settings\Temp\_MEI29042\msvcp90.dll

C:\Documents and Settings\Administrator\Local Settings\Temp\_MEI29042\msvcr90.dll

C:\Documents and Settings\Administrator\Local Settings\Temp\_MEI29042\pyexpat.pyd

C:\Documents and Settings\Administrator\Local Settings\Temp\_MEI29042\python27.dll

C:\Documents and Settings\Administrator\Local Settings\Temp\_MEI29042\pywintypes27.dll

行为描述：获取文件属性探测虚拟机
详情信息：
GetFileAttributes: FileName = C:\Documents and Settings\Administrator\Local Settings\Application Data\VMware

GetFileAttributes: FileName = C:\Documents and Settings\Administrator\Local Settings\Temp\VMwareDnD

GetFileAttributes: FileName = C:\Documents and Settings\Administrator\「开始」菜单\程序\Oracle VM VirtualBox Guest Additions

行为描述：创建可执行文件
详情信息：
C:\Documents and Settings\Administrator\Local Settings\Temp\_MEI29042\Crypto.Cipher._AES.pyd

C:\Documents and Settings\Administrator\Local Settings\Temp\_MEI29042\_ctypes.pyd

C:\Documents and Settings\Administrator\Local Settings\Temp\_MEI29042\_hashlib.pyd

C:\Documents and Settings\Administrator\Local Settings\Temp\_MEI29042\_multiprocessing.pyd

C:\Documents and Settings\Administrator\Local Settings\Temp\_MEI29042\_socket.pyd

C:\Documents and Settings\Administrator\Local Settings\Temp\_MEI29042\_ssl.pyd

C:\Documents and Settings\Administrator\Local Settings\Temp\_MEI29042\bz2.pyd

C:\Documents and Settings\Administrator\Local Settings\Temp\_MEI29042\msvcm90.dll

C:\Documents and Settings\Administrator\Local Settings\Temp\_MEI29042\msvcp90.dll

C:\Documents and Settings\Administrator\Local Settings\Temp\_MEI29042\msvcr90.dll

C:\Documents and Settings\Administrator\Local Settings\Temp\_MEI29042\pyexpat.pyd

C:\Documents and Settings\Administrator\Local Settings\Temp\_MEI29042\python27.dll

C:\Documents and Settings\Administrator\Local Settings\Temp\_MEI29042\pywintypes27.dll

C:\Documents and Settings\Administrator\Local Settings\Temp\_MEI29042\select.pyd

C:\Documents and Settings\Administrator\Local Settings\Temp\_MEI29042\unicodedata.pyd

行为描述：查找文件
详情信息：
FileName = C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\_MEI29042\Crypto.Cipher._AES.pyd

FileName = C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\_MEI29042\Microsoft.VC90.CRT.manifest

FileName = C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\_MEI29042\SnakeLocker.exe.manifest

FileName = C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\_MEI29042\_ctypes.pyd

FileName = C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\_MEI29042\_hashlib.pyd

FileName = C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\_MEI29042\_multiprocessing.pyd

FileName = C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\_MEI29042\_socket.pyd

FileName = C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\_MEI29042\_ssl.pyd

FileName = C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\_MEI29042\bz2.pyd

FileName = C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\_MEI29042\msvcm90.dll

FileName = C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\_MEI29042\msvcp90.dll

FileName = C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\_MEI29042\msvcr90.dll

FileName = C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\_MEI29042\pyexpat.pyd

FileName = C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\_MEI29042\python27.dll

FileName = C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\_MEI29042\pywintypes27.dll

行为描述：删除文件
详情信息：
C:\Documents and Settings\Administrator\money.doc

C:\Documents and Settings\Administrator\Application Data\Adobe\Acrobat\9.0\JavaScripts\glob.js

C:\Documents and Settings\Administrator\Application Data\Adobe\Acrobat\9.0\JavaScripts\glob.settings.js

C:\Documents and Settings\Administrator\Application Data\Microsoft\Document Building Blocks\Building Blocks.dotx

C:\Documents and Settings\Administrator\Application Data\Microsoft\Internet Explorer\brndlog.bak

C:\Documents and Settings\Administrator\Application Data\Microsoft\Internet Explorer\brndlog.txt

C:\Documents and Settings\Administrator\Application Data\Microsoft\Templates\8开双面双页码密封试卷模板2007.dotx

C:\Documents and Settings\Administrator\Application Data\Microsoft\Templates\Normal.dotm

C:\Documents and Settings\Administrator\Application Data\Microsoft\Templates\Document Themes\Blends.pot

C:\Documents and Settings\Administrator\Application Data\Microsoft\Templates\Document Themes\Crayons.pot

C:\Documents and Settings\Administrator\Application Data\Microsoft\Templates\Document Themes\Mountain Top.pot

C:\Documents and Settings\Administrator\Application Data\Microsoft\Templates\Document Themes\Network.pot

C:\Documents and Settings\Administrator\Application Data\Microsoft\Templates\Document Themes\Pixel.pot

C:\Documents and Settings\Administrator\Application Data\Microsoft\Templates\Document Themes\Snowy road design template.pot

C:\Documents and Settings\Administrator\Application Data\Microsoft\Templates\Document Themes\地球仪.pot

行为描述：在桌面创建文件
详情信息：
C:\Documents and Settings\Administrator\桌面\money.doc.TGIF

行为描述：修改文件内容
详情信息：
C:\Documents and Settings\Administrator\Local Settings\Temp\_MEI29042\Crypto.Cipher._AES.pyd ---> Offset = 0

C:\Documents and Settings\Administrator\Local Settings\Temp\_MEI29042\Crypto.Cipher._AES.pyd ---> Offset = 28672

C:\Documents and Settings\Administrator\Local Settings\Temp\_MEI29042\Microsoft.VC90.CRT.manifest ---> Offset = 0

C:\Documents and Settings\Administrator\Local Settings\Temp\_MEI29042\SnakeLocker.exe.manifest ---> Offset = 0

C:\Documents and Settings\Administrator\Local Settings\Temp\_MEI29042\_ctypes.pyd ---> Offset = 0

C:\Documents and Settings\Administrator\Local Settings\Temp\_MEI29042\_ctypes.pyd ---> Offset = 90112

C:\Documents and Settings\Administrator\Local Settings\Temp\_MEI29042\_hashlib.pyd ---> Offset = 0

C:\Documents and Settings\Administrator\Local Settings\Temp\_MEI29042\_hashlib.pyd ---> Offset = 1015808

C:\Documents and Settings\Administrator\Local Settings\Temp\_MEI29042\_multiprocessing.pyd ---> Offset = 0

C:\Documents and Settings\Administrator\Local Settings\Temp\_MEI29042\_multiprocessing.pyd ---> Offset = 24576

C:\Documents and Settings\Administrator\Local Settings\Temp\_MEI29042\_socket.pyd ---> Offset = 0

C:\Documents and Settings\Administrator\Local Settings\Temp\_MEI29042\_socket.pyd ---> Offset = 45056

C:\Documents and Settings\Administrator\Local Settings\Temp\_MEI29042\_ssl.pyd ---> Offset = 0

C:\Documents and Settings\Administrator\Local Settings\Temp\_MEI29042\_ssl.pyd ---> Offset = 1409024

C:\Documents and Settings\Administrator\Local Settings\Temp\_MEI29042\bz2.pyd ---> Offset = 0

其他行为
行为描述：创建互斥体
详情信息：
CTF.LBES.MutexDefaultS-*

CTF.Compart.MutexDefaultS-*

CTF.Asm.MutexDefaultS-*

CTF.Layouts.MutexDefaultS-*

CTF.TMD.MutexDefaultS-*

CTF.TimListCache.FMPDefaultS-*MUTEX.DefaultS-*

行为描述：隐藏指定窗口
详情信息：
[Window,Class] = [C:\%temp%\****.exe,ConsoleWindowClass]

行为描述：获取TickCount值
详情信息：
TickCount = 226068, SleepMilliseconds = 100.

行为描述：打开事件
详情信息：
HookSwitchHookEnabledEvent

行为描述：可执行文件签名信息
详情信息：
C:\Documents and Settings\Administrator\Local Settings\Temp\_MEI29042\Crypto.Cipher._AES.pyd(签名验证: 未通过)

C:\Documents and Settings\Administrator\Local Settings\Temp\_MEI29042\_ctypes.pyd(签名验证: 未通过)

C:\Documents and Settings\Administrator\Local Settings\Temp\_MEI29042\_hashlib.pyd(签名验证: 未通过)

C:\Documents and Settings\Administrator\Local Settings\Temp\_MEI29042\_multiprocessing.pyd(签名验证: 未通过)

C:\Documents and Settings\Administrator\Local Settings\Temp\_MEI29042\_socket.pyd(签名验证: 未通过)

C:\Documents and Settings\Administrator\Local Settings\Temp\_MEI29042\_ssl.pyd(签名验证: 未通过)

C:\Documents and Settings\Administrator\Local Settings\Temp\_MEI29042\bz2.pyd(签名验证: 未通过)

C:\Documents and Settings\Administrator\Local Settings\Temp\_MEI29042\msvcm90.dll(签名验证: 未通过)

C:\Documents and Settings\Administrator\Local Settings\Temp\_MEI29042\msvcp90.dll(签名验证: 通过)

C:\Documents and Settings\Administrator\Local Settings\Temp\_MEI29042\msvcr90.dll(签名验证: 通过)

C:\Documents and Settings\Administrator\Local Settings\Temp\_MEI29042\pyexpat.pyd(签名验证: 未通过)

C:\Documents and Settings\Administrator\Local Settings\Temp\_MEI29042\python27.dll(签名验证: 未通过)

C:\Documents and Settings\Administrator\Local Settings\Temp\_MEI29042\pywintypes27.dll(签名验证: 未通过)

C:\Documents and Settings\Administrator\Local Settings\Temp\_MEI29042\select.pyd(签名验证: 未通过)

C:\Documents and Settings\Administrator\Local Settings\Temp\_MEI29042\unicodedata.pyd(签名验证: 未通过)

行为描述：调用Sleep函数
详情信息：
[1]: MilliSeconds = 100.

[2]: MilliSeconds = 100.

[3]: MilliSeconds = 100.

[4]: MilliSeconds = 100.

[5]: MilliSeconds = 100.

[6]: MilliSeconds = 100.

[7]: MilliSeconds = 100.

[8]: MilliSeconds = 100.

[9]: MilliSeconds = 100.

[10]: MilliSeconds = 100.

行为描述：可执行文件MD5
详情信息：
C:\Documents and Settings\Administrator\Local Settings\Temp\_MEI29042\Crypto.Cipher._AES.pyd ---> 94411a7b68021a704a60333e11117df0

C:\Documents and Settings\Administrator\Local Settings\Temp\_MEI29042\_ctypes.pyd ---> 9e6c48ec9508423d0ce6b6e4d4a10d90

C:\Documents and Settings\Administrator\Local Settings\Temp\_MEI29042\_hashlib.pyd ---> b1dbd52e5da083e5b5613a2b4c17a4ef

C:\Documents and Settings\Administrator\Local Settings\Temp\_MEI29042\_multiprocessing.pyd ---> 06c8615f66abdd6c2d986d40339d1410

C:\Documents and Settings\Administrator\Local Settings\Temp\_MEI29042\_socket.pyd ---> 600de8a82e2204e88df27714687f88b9

C:\Documents and Settings\Administrator\Local Settings\Temp\_MEI29042\_ssl.pyd ---> 9b59be1fa8427368c4e0e763f578d74c

C:\Documents and Settings\Administrator\Local Settings\Temp\_MEI29042\bz2.pyd ---> 58c57a662cde57fea311444cc8dadc24

C:\Documents and Settings\Administrator\Local Settings\Temp\_MEI29042\msvcm90.dll ---> 7200dca324f3d1ecd11b2b1250b2d6c7

C:\Documents and Settings\Administrator\Local Settings\Temp\_MEI29042\msvcp90.dll ---> db001faea818ae2e14a74e0adc530fc0

C:\Documents and Settings\Administrator\Local Settings\Temp\_MEI29042\msvcr90.dll ---> b3892e6da8e2c8ce4b0a9d3eb9a185e5

C:\Documents and Settings\Administrator\Local Settings\Temp\_MEI29042\pyexpat.pyd ---> c79a904c852347565950e437335be107

C:\Documents and Settings\Administrator\Local Settings\Temp\_MEI29042\python27.dll ---> fe80d4c62b80e5ba3971642158337500

C:\Documents and Settings\Administrator\Local Settings\Temp\_MEI29042\pywintypes27.dll ---> 3c68f9ea662189be307dd8bc8842a1f5

C:\Documents and Settings\Administrator\Local Settings\Temp\_MEI29042\select.pyd ---> efb6435cb9fb6462132181738c729885

C:\Documents and Settings\Administrator\Local Settings\Temp\_MEI29042\unicodedata.pyd ---> a13020f231b588d46aaf82fe9314efdc

行为描述：打开互斥体
详情信息：
ShimCacheMutex

行为描述：加载新释放的文件
详情信息：
Image: C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\_MEI29042\python27.dll.

Image: C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\_MEI29042\msvcr90.dll.

Image: C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\_MEI29~1\_ctypes.pyd.

Image: C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\_MEI29~1\_hashlib.pyd.

Image: C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\_MEI29~1\Crypto.Cipher._AES.pyd.

Image: C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\_MEI29~1\win32console.pyd.

Image: C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\_MEI29~1\pywintypes27.dll.

Image: C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\_MEI29~1\win32gui.pyd.

显示全部楼层 · 发表于 2018-3-13 07:15:10

kxmp 发表于 2018-3-11 00:46
这是啥的鉴定....
这是人工提交的还是他自己给的

理论上只要用Webroot扫描就可以自动上传可疑文件，不用用户手动干预~

显示全部楼层 · 发表于 2018-3-14 17:36:38

F-secure 已入库

[病毒样本] SnakeLocker

本帖子中包含更多资源