一个很有技术含量的锁机样本

显示全部楼层 · 发表于 2018-3-23 13:48:52

本帖最后由慕若曦于 2018-3-23 13:52 编辑

目前已经过了@学雷锋做人同学的File Analysis，已经反馈，等待处理
哈勃报告：https://habo.qq.com/file/showdetail?pk=ADIGZF1sB2MIMFs%2F
Virscan报告：http://r.virscan.org/report/7a9dcbe7ec44c31af32c553b2ed2e9dd

接群友反馈所得样本，因为比较危险，处理不当你就只能重装去了，所以样本地址我放在本文最下方，先列举注意事项。

首先样本被加壳了，safengine，所以我直接用File Analysis工具在物理机跑了
跑的过程中一堆黑窗口然后重启了，按雷锋的说法可能是对系统进程动了小手脚导致的重启，因为微软提供的重启方法File Analysis是可以拦截的。
是传统的mbr修改，附带File Analysis的日志：

10:42:50[1]：(允许)程序启动：File_Analysis 行为记录成功开启规则版本：2.5.0.0

10:42:51[2]：(阻止)写入进程内存：0317.exe    进程PID：8648    进程句柄：1020    首地址：0x2221E8    写入Hex数据： 00 00 1B 00

10:42:51[3]：(阻止)写入进程内存：0317.exe    进程PID：8648    进程句柄：1020    首地址：0x1C0000    写入Hex数据： 60 68 00 01 1C 00 B8 E0 59 89 74 FF D0 61 E9 AD 0C CC 77 CC CC CC CC CC CC CC CC CC CC CC CC CC CC CC CC CC CC CC CC CC CC CC CC CC CC CC CC CC CC CC CC CC CC CC CC CC CC CC CC CC CC CC CC CC CC CC CC CC CC CC CC CC CC CC CC CC CC CC CC CC CC CC CC CC CC CC CC CC CC CC CC CC CC CC CC CC CC CC CC CC CC CC CC CC CC CC CC CC CC CC CC CC CC CC CC CC CC CC CC CC CC CC CC CC CC CC CC CC CC CC CC CC CC CC CC CC CC CC CC CC CC CC CC CC CC CC CC CC CC CC CC CC CC CC CC CC CC CC CC CC CC CC CC CC CC CC CC CC CC CC CC CC CC CC CC CC CC CC CC CC CC CC CC CC CC CC CC CC CC CC CC CC CC CC CC CC CC CC CC CC CC CC CC CC CC CC CC CC CC CC CC CC CC CC CC CC CC CC CC CC CC CC CC CC CC CC CC CC CC CC CC CC CC CC CC CC CC CC CC CC CC CC CC CC CC CC CC CC CC CC CC CC CC CC CC CC 43 00 3A 00 5C 00 50 00 72 00 6F 00 67 00 72 00 61 00 6D 00 20 00 46 00 69 00 6C 00 65 00 73 00 5C 00 4D 00 61 00 63 00 54 00 79 00 70 00 65 00 5C 00 4D 00 61 00 63 00 54 00 79 00 70 00 65 00 2E 00 64 00 6C 00 6C 00 00 00 CC CC CC CC CC CC CC CC CC CC CC CC CC CC CC CC CC CC CC CC CC CC CC CC CC CC CC CC CC CC CC CC CC CC CC CC CC CC CC CC CC CC CC CC CC CC CC CC CC CC CC CC CC CC CC CC CC CC CC CC CC CC CC CC CC CC CC CC CC CC CC CC CC CC CC CC CC CC CC CC CC CC CC CC CC CC CC CC CC CC CC CC CC CC CC CC CC CC CC CC CC CC CC CC CC CC CC CC CC CC CC CC CC CC CC CC CC CC CC CC CC CC CC CC CC CC CC CC CC CC CC CC CC CC CC CC CC CC CC CC CC CC CC CC CC CC CC CC CC CC CC CC CC CC CC CC CC CC CC CC CC CC CC CC CC CC CC CC CC CC CC CC CC CC CC CC CC CC CC CC CC CC CC CC CC CC CC CC CC CC CC CC CC CC CC CC CC CC CC CC CC CC CC CC CC CC CC CC CC CC CC CC CC CC CC CC CC CC CC CC CC CC CC CC CC CC CC CC CC CC CC CC CC CC CC CC CC CC CC CC CC CC CC CC CC CC CC CC CC CC CC CC CC CC CC CC CC CC CC CC CC CC CC CC CC CC CC CC CC CC CC CC CC CC CC CC CC CC CC CC CC CC CC CC CC CC CC CC CC CC CC CC CC CC CC CC CC CC CC CC CC CC CC CC CC CC CC CC CC CC CC CC CC CC CC CC CC CC CC CC CC CC CC CC CC CC CC CC CC CC CC CC CC CC CC CC CC CC CC CC CC CC CC CC CC CC CC CC CC CC CC CC CC CC CC CC CC CC CC CC CC CC CC CC CC CC CC CC CC CC CC CC CC CC CC CC CC CC CC CC CC CC CC CC CC CC CC CC CC CC CC CC CC CC CC CC CC CC CC CC CC CC CC CC CC CC CC CC CC CC CC CC CC CC CC CC CC CC CC CC CC CC CC CC CC CC CC CC CC CC CC CC CC CC CC CC CC CC CC CC CC CC CC CC CC CC CC CC CC CC CC CC CC CC CC CC CC CC CC CC CC CC CC CC CC CC CC CC CC CC

10:42:51[4]：(阻止)写入进程内存：0317.exe    进程PID：8648    进程句柄：-1    首地址：0x1C0000    写入Hex数据： 60 68 00 01 1C 00 B8 E0 59 89 74 FF D0 61 E9 AD 0C CC 77 CC CC CC CC CC CC CC CC CC CC CC CC CC CC CC CC CC CC CC CC CC CC CC CC CC CC CC CC CC CC CC CC CC CC CC CC CC CC CC CC CC CC CC CC CC CC CC CC CC CC CC CC CC CC CC CC CC CC CC CC CC CC CC CC CC CC CC CC CC CC CC CC CC CC CC CC CC CC CC CC CC CC CC CC CC CC CC CC CC CC CC CC CC CC CC CC CC CC CC CC CC CC CC CC CC CC CC CC CC CC CC CC CC CC CC CC CC CC CC CC CC CC CC CC CC CC CC CC CC CC CC CC CC CC CC CC CC CC CC CC CC CC CC CC CC CC CC CC CC CC CC CC CC CC CC CC CC CC CC CC CC CC CC CC CC CC CC CC CC CC CC CC CC CC CC CC CC CC CC CC CC CC CC CC CC CC CC CC CC CC CC CC CC CC CC CC CC CC CC CC CC CC CC CC CC CC CC CC CC CC CC CC CC CC CC CC CC CC CC CC CC CC CC CC CC CC CC CC CC CC CC CC CC CC CC CC CC 43 00 3A 00 5C 00 50 00 72 00 6F 00 67 00 72 00 61 00 6D 00 20 00 46 00 69 00 6C 00 65 00 73 00 5C 00 4D 00 61 00 63 00 54 00 79 00 70 00 65 00 5C 00 4D 00 61 00 63 00 54 00 79 00 70 00 65 00 2E 00 64 00 6C 00 6C 00 00 00 CC CC CC CC CC CC CC CC CC CC CC CC CC CC CC CC CC CC CC CC CC CC CC CC CC CC CC CC CC CC CC CC CC CC CC CC CC CC CC CC CC CC CC CC CC CC CC CC CC CC CC CC CC CC CC CC CC CC CC CC CC CC CC CC CC CC CC CC CC CC CC CC CC CC CC CC CC CC CC CC CC CC CC CC CC CC CC CC CC CC CC CC CC CC CC CC CC CC CC CC CC CC CC CC CC CC CC CC CC CC CC CC CC CC CC CC CC CC CC CC CC CC CC CC CC CC CC CC CC CC CC CC CC CC CC CC CC CC CC CC CC CC CC CC CC CC CC CC CC CC CC CC CC CC CC CC CC CC CC CC CC CC CC CC CC CC CC CC CC CC CC CC CC CC CC CC CC CC CC CC CC CC CC CC CC CC CC CC CC CC CC CC CC CC CC CC CC CC CC CC CC CC CC CC CC CC CC CC CC CC CC CC CC CC CC CC CC CC CC CC CC CC CC CC CC CC CC CC CC CC CC CC CC CC CC CC CC CC CC CC CC CC CC CC CC CC CC CC CC CC CC CC CC CC CC CC CC CC CC CC CC CC CC CC CC CC CC CC CC CC CC CC CC CC CC CC CC CC CC CC CC CC CC CC CC CC CC CC CC CC CC CC CC CC CC CC CC CC CC CC CC CC CC CC CC CC CC CC CC CC CC CC CC CC CC CC CC CC CC CC CC CC CC CC CC CC CC CC CC CC CC CC CC CC CC CC CC CC CC CC CC CC CC CC CC CC CC CC CC CC CC CC CC CC CC CC CC CC CC CC CC CC CC CC CC CC CC CC CC CC CC CC CC CC CC CC CC CC CC CC CC CC CC CC CC CC CC CC CC CC CC CC CC CC CC CC CC CC CC CC CC CC CC CC CC CC CC CC CC CC CC CC CC CC CC CC CC CC CC CC CC CC CC CC CC CC CC CC CC CC CC CC CC CC CC CC CC CC CC CC CC CC CC CC CC CC CC CC CC CC CC CC CC CC CC CC CC CC CC CC CC CC CC CC CC CC CC CC CC CC

10:42:51[5]：(阻止)写入进程内存：0317.exe    进程PID：8648    进程句柄：1020    首地址：0x460000    写入Hex数据： 44 3A 5C 50 72 6F 67 72 61 6D 20 46 69 6C 65 73 20 28 78 38 36 29 5C 46 69 6C 65 5F 41 6E 61 6C 79 73 69 73 5C 46 69 6C 65 5F 73 61 66 65 2E 64 6C 6C 00

10:42:54[6]：(允许)读取注册表键值：HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\FontAssoc\Associated DefaultFonts\FontPackage    数据：

10:42:54[7]：(允许)读取注册表键值：HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\FontAssoc\Associated DefaultFonts\FontPackageDecorative    数据：

10:42:54[8]：(允许)读取注册表键值：HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\FontAssoc\Associated DefaultFonts\FontPackageDontCare    数据：

10:42:54[9]：(允许)读取注册表键值：HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\FontAssoc\Associated DefaultFonts\FontPackageModern    数据：

10:42:54[10]：(允许)读取注册表键值：HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\FontAssoc\Associated DefaultFonts\FontPackageRoman    数据：

10:42:54[11]：(允许)读取注册表键值：HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\FontAssoc\Associated DefaultFonts\FontPackageScript    数据：

10:42:54[12]：(允许)读取注册表键值：HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\FontAssoc\Associated DefaultFonts\FontPackageSwiss    数据：

10:43:10[13]：(允许)读取文件：\\.\\physicaldrive0

10:43:10[14]：(阻止)修改内核对象：\\.\\physicaldrive0(物理磁盘)

10:43:10[15]：(阻止)写入MBR Hex： 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 61 F8 05 32 00 00 00 00 02 00 EE FF FF FF 01 00 00 00 FF FF FF FF 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 55 AA

10:43:10[16]：(阻止)修改内核对象：\\.\\physicaldrive0(物理磁盘)

10:43:10[17]：(阻止)写入MBR Hex： E9 00 00 8C C8 8E D8 8E D0 8E C0 BC 00 01 BD ED 7C BB ED 7C E8 B0 00 89 C1 B8 01 13 BB 0C 00 B2 00 CD 10 B8 00 B8 05 A0 00 8E D8 31 C9 31 DB 31 C0 CD 16 3C 08 74 13 3C 0D 74 1B B4 02 88 07 88 67 01 81 C3 02 00 41 E9 E5 FF 81 EB 02 00 49 31 C0 89 07 E9 D9 FF 8C C8 8E C0 31 DB BE DA 7C 2E 8A 0E D9 7C B5 00 3E 8A 07 26 8A 24 38 E0 75 31 81 C3 02 00 46 E2 EF 31 C0 B8 00 7E 8E C0 31 DB B4 02 B2 80 B0 01 B6 00 B5 00 B1 03 CD 13 31 DB B2 80 B4 03 B0 01 B6 00 B5 00 B1 01 CD 13 E9 1D 00 BB 00 B8 81 C3 38 00 B0 58 88 07 2E 8B 0E D9 7C 31 C0 89 07 81 C3 02 00 E2 F8 E9 45 FF B8 FF FF 50 B8 00 00 50 CB 51 53 3E 8A 0F 80 F9 00 74 05 43 40 E9 F3 FF 59 5B C3 11 77 6F 73 68 69 78 69 61 6F 78 75 65 73 68 65 6E 67 00 00 51 51 33 30 34 33 37 38 37 32 31 38 20 20 4A 69 65 20 53 75 6F 20 31 35 52 4D 42 20 42 59 A3 BA 57 75 58 69 6E 00 68 65 20 75 6E 6C 6F 63 6B 20 70 61 73 73 77 6F 72 64 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 55 AA

精准分析MBR逻辑锁密码：woshixiaoxuesheng    Hex：77 6F 73 68 69 78 69 61 6F 78 75 65 73 68 65 6E 67 00 00 51 51 33 30 34 33 37 38 37 32 31 38 20 20 4A 69 65 20 53 75 6F 20 31 35 52 4D 42 20 42 59 A3 BA 57 75 58 69 6E 00 68 65 20 75 6E 6C 6F 63 6B 20 70 61 73 73 77 6F 72 64

从上述日志中得到File Analysis已经分析出了逻辑锁密码了：woshixiaoxuesheng
我将此结果发给网友，被赞为“大神”后，他告诉我系统还被创建了用户并且修改了Administrator的密码，这个行为同样没有被File Analysis拦截，且桌面背景也被改掉了，桌面的右键也被禁用了，换了一个很丑的背景给我
尝试了重启explorer进程，无济于事，用win+e快捷键打开此电脑后发现点击桌面会提示"本次操作由于这台计算机的限制而被取消"
猜测是组策略部分的权限控制

修复方法：
组策略-用户配置-管理模板-Windows组件-防止从"我的电脑"访问驱动器-先启用，后改回未配置
运行gpupdate /force命令刷新一下
任务管理器里重启Explorer进程，桌面回来了，然后重新设置背景图片即可

接着发现硬盘盘符被隐藏了

判断依据是我在路径输入C:或者D:依旧是可以访问的，优先检查组策略

修复方法：
组策略-用户配置-管理模板-Windows组件-隐藏"我的电脑"中这些指定的驱动器-先启用，后改回未配置
运行gpupdate /force命令刷新一下
任务管理器里重启Explorer进程，即可找回

接着又发现C、D两个盘被共享了

修复方法：
盘符上右键-属性-共享-高级共享-共享此文件夹的勾去掉

继续，回想起还被新建了一个用户

图片来自受害者，我是win10，无视了mbr

修复方法：
win+r，lusrmgr.msc，用户里面删掉多余的用户，将Administrator的密码设置为空

再往后，电脑无法关机，开始菜单中的电源按钮提示“没有可用的电源选项”
快捷键Alt+F4提示“本次操作由于这台计算机的限制而被取消”
快捷键Alt+L后也没有出现关机或者注销一类

修复方法：
组策略-Windows设置-安全设置-本地策略-用户权限分配-关闭系统，删除当前用户组，然后重新添加上去
组策略-用户配置-管理模板-“开始菜单”和任务栏-删除并阻止访问“关机”、“重新启动”、“睡眠”和“休眠”命令，先启用，后改成未配置
运行gpupdate /force命令刷新一下

重启电脑，用ESET扫描了半天没发现啥乱七八糟的东西，comodo的hips打开了，观察两天看看情况
样本地址：https://pan.baidu.com/s/1MtDzp0MdViCtpD81atsWXw 密码: kn5k
解压密码：国际通用

注意：
因为有使用雷锋的File Analysis工具，且我是gpt引导的win10，所以导致样本在我电脑上运行的行为是不完整的，比如创建自启动项目等都被File Analysis拦截了，所以我的解决方案可能不适用于完整运行此病毒的用户。
另，雷锋因为运行此病毒后火绒异常，强制关机重启后发现注册表和组策略都被禁用了，所以判断病毒可能有别的操作，还请诸位大佬各显神通。

显示全部楼层 · 发表于 2018-3-23 14:00:59

本帖最后由 pal家族于 2018-3-23 14:07 编辑

吧主每天刷贴吧多长时间啊？
另外行为这么多，应该很多杀软都能杀吧~~~

显示全部楼层 · 发表于 2018-3-23 14:05:47

360miss

显示全部楼层 · 发表于 2018-3-23 14:12:18

pal家族发表于 2018-3-23 14:00
吧主每天刷贴吧多长时间啊？
另外行为这么多，应该很多杀软都能杀吧~~~

不刷了，贴吧所有吧务被撸了，申请了一次吧主没成功，现在心如死灰

显示全部楼层 · 发表于 2018-3-23 14:13:11

慕若曦发表于 2018-3-23 14:12
不刷了，贴吧所有吧务被撸了，申请了一次吧主没成功，现在心如死灰

白毒还是那个白毒啊。。

显示全部楼层 · 发表于 2018-3-23 14:23:39

显示全部楼层 · 发表于 2018-3-23 14:28:30

卡巴杀

显示全部楼层 · 发表于 2018-3-23 14:45:21

火绒

显示全部楼层 · 发表于 2018-3-23 14:45:58

显示全部楼层 · 发表于 2018-3-23 14:48:48

GDATA
病毒: Gen:Variant.Graftor.468062 (引擎A), Win32.Riskware.NoobyProtect.B (引擎B)

嘗試開啟已感染檔案。

檔案: 0317.exe
資料夾: C:\Users\Ari\Desktop\惡意程式

[病毒样本] 一个很有技术含量的锁机样本

本帖子中包含更多资源

评分

本帖子中包含更多资源

本帖子中包含更多资源

本帖子中包含更多资源

本帖子中包含更多资源

浏览过的版块