#PACKAGE 0706

Jerry.Lin

蓝奏


Total : 26

========================================
由于今天比较晚了，包提前发；绒绒和蜘蛛纯本地，对测试基本无影响Testing...

Products                            Pre-execute    Advanced block     Miss               Status

火绒互联网安全软件                        4                        2                    20               Infected
Dr.Web Security Space                16                        4                    6                 Infected   


Note: Pre-execute includes On-Access scan or exeute scan before malware is running on memory.
          Advanced block includes behavior block or other techiques that successufully terminate running malware.
          Miss includes situations: no any Alert or warning from AV software.
          Status means if there are any malicious items, including processes, images, drivers, autoruns, regs etc., on the current system, the system is infected; otherwise it is clean.
========================================


#勿传VT
#在样本有效期内（24小时），建议无需手动上报样本至厂商，便于其他人测试行为拦截，响应速度等
#样本序号以收集时间顺序排序，越大代表越接近现在时间


回帖格式建议

杀软名称 + 时间
查杀数量+查杀率


例如：
XXX 20:39
Samples(5/10) 50%

ther

SEP
22:11
23/26（扫描）88%剩余10 20 25
10双击后报错
20双击后IPS拦截
25双击后杀衍生物stub.dll

Picca

22:42 begin
卡巴斯基 扫描 13 + 双击
1 常驻内存，没什么占用，重启消失，时间23:07 UDS:DangerousObject.Multi.Generic，VT上查不到md5，卡巴自己捕获或者双击上传检出的
2 自删除，创建重启也常驻的labonly.exe，外联24.173.127.246
4 自删除，创建重启也常驻的labonly.exe，遇见2创建的，短暂外联后退出
6 自删除，创建重启也常驻的labonly.exe，杀掉2创建的，外联187.167.192.22
8 自删除，短暂调用cmd.exe后退出，时间23:07，UDS:Trojan-banker.Win32.Shioto.sb
9 杀掉回滚
10 需要java，运行失败
12 常驻内存，没什么占用，23:07 UDS:Trojan-Spy，VT上查不到md5，卡巴自己捕获或者双击上传检出的
13 高占用运行一段时间后，退出，23:07 UDS:Trojan-downloader，VT上查不到md5，卡巴自己捕获或者双击上传检出的
14 自删除，创建重启也常驻的labonly.exe，杀掉6创建的，外联187.167.192.22，时间23:07 labonly.exe被检测出UDS:Trojan-banker.Win32.Emotet.sb，VT上查不到md5，卡巴自己捕获或者双击上传检出的
18 杀掉回滚
19 杀掉回滚 PDM bazon.a 云拉黑报法，VT上查不到md5，卡巴自己捕获或者双击上传检出的
20 杀掉回滚 PDM badur.a


总结：
1.样本2、4、6、14为同一家族，行为相似，都是后门型的低权限外联木马。卡巴双击MISS后，大概20几分钟后，常驻外联程序labonly.exe被UDS检出

2.几次测试已经可以确定，卡巴现在的云鉴定已经是小时级别的，杀不掉的免杀过的病毒，双击后会很快触发UDS云杀。个人猜测对于脚本小子来说，除了效果立竿见影的破坏性病毒（比如勒索），一般病毒想持久免杀联网的卡巴已经很难了。楼主的样本截至23:15只有样本10没有检出了，可能是由于测试电脑没有java，没运行成功触发上传自动机

command360

火绒 22:08

Samples(4/26)   15.4%

fzshot

Avira 25/26 96.15%

1. Start of the scan: 2018-07-06 10:14:18
   
2. 07/06/2018,10-14-31        [INFO]        FP reports status 'NO False Positive' for file 'c:\users\**\desktop\infected\0706(1).exe'
   
3. 07/06/2018,10-14-31        [INFO]        The file 'c:\users\**\desktop\infected\0706(1).exe' has been uploaded to the Protection Cloud and analyzed. SHA256 = C7C733AE4D51947C6C51E6C6DE7BB4D4F67A85DB2B8E3B7FA5C4B112868335E0
   
4. 07/06/2018,10-14-31        [INFO]        c:\users\**\desktop\infected\0706(1).exe
   
5. 07/06/2018,10-14-31        [INFO]        [DETECTION] file contains 'HEUR/APC'
   
6. 07/06/2018,10-14-44        [INFO]        FP reports status 'NO False Positive' for file 'c:\users\**\desktop\infected\0706(11).exe'
   
7. 07/06/2018,10-14-44        [INFO]        The file 'c:\users\**\desktop\infected\0706(11).exe' has been uploaded to the Protection Cloud and analyzed. SHA256 = FFEAC7355FE721376A5D19B9E0A35C97D8BF5A9A9BE48D956F4946105B9287B6
   
8. 07/06/2018,10-14-44        [INFO]        c:\users\**\desktop\infected\0706(11).exe
   
9. 07/06/2018,10-14-44        [INFO]        [DETECTION] file contains 'DR/Delphi.Gen'
   
10. 07/06/2018,10-14-56        [INFO]        FP reports status 'NO False Positive' for file 'c:\users\**\desktop\infected\0706(12).exe'
    
11. 07/06/2018,10-14-56        [INFO]        The file 'c:\users\**\desktop\infected\0706(12).exe' has been uploaded to the Protection Cloud and analyzed. SHA256 = 2B79C546219ABDBCC01480F6BBB7AACC560E7BCE3E416580AB76BC02190C0722
    
12. 07/06/2018,10-14-56        [INFO]        c:\users\**\desktop\infected\0706(12).exe
    
13. 07/06/2018,10-14-56        [INFO]        [DETECTION] file contains 'TR/Crypt.EPACK.2b79c5'
    
14. 07/06/2018,10-15-12        [INFO]        FP reports status 'NO False Positive' for file 'c:\users\**\desktop\infected\0706(13).exe'
    
15. 07/06/2018,10-15-12        [INFO]        The file 'c:\users\**\desktop\infected\0706(13).exe' has been uploaded to the Protection Cloud and analyzed. SHA256 = 2D06596582F9041E44F5F6C9BB33E746F2C7C91331C313DF81B918B90097185C
    
16. 07/06/2018,10-15-12        [INFO]        c:\users\**\desktop\infected\0706(13).exe
    
17. 07/06/2018,10-15-12        [INFO]        [DETECTION] file contains 'HEUR/APC'
    
18. 07/06/2018,10-15-24        [INFO]        FP reports status 'NO False Positive' for file 'c:\users\**\desktop\infected\0706(14).exe'
    
19. 07/06/2018,10-15-24        [INFO]        The file 'c:\users\**\desktop\infected\0706(14).exe' has been uploaded to the Protection Cloud and analyzed. SHA256 = 87A35A4A2920CB05E2E0A3D98F3EF57869F5C518FA295DFAB46408F5C51B65A6
    
20. 07/06/2018,10-15-24        [INFO]        c:\users\**\desktop\infected\0706(14).exe
    
21. 07/06/2018,10-15-24        [INFO]        [DETECTION] file contains 'TR/Crypt.XPACK.87a35a'
    
22. 07/06/2018,10-15-24        [INFO]        FP reports status 'NO False Positive' for file 'c:\users\**\desktop\infected\0706(15).exe'
    
23. 07/06/2018,10-15-24        [INFO]        c:\users\**\desktop\infected\0706(15).exe
    
24. 07/06/2018,10-15-24        [INFO]        [DETECTION] file contains 'TR/Dropper.Gen'
    
25. 07/06/2018,10-15-37        [INFO]        FP reports status 'NO False Positive' for file 'c:\users\**\desktop\infected\0706(16).exe'
    
26. 07/06/2018,10-15-37        [INFO]        The file 'c:\users\**\desktop\infected\0706(16).exe' has been uploaded to the Protection Cloud and analyzed. SHA256 = 3D59D03B04F2C8CB7B29D408D5AC73CF57CA42DAFDBEBF4AAA2C5BAA62CAF05C
    
27. 07/06/2018,10-15-37        [INFO]        c:\users\**\desktop\infected\0706(16).exe
    
28. 07/06/2018,10-15-37        [INFO]        [DETECTION] file contains 'TR/Dropper.VB.Gen9'
    
29. 07/06/2018,10-15-37        [INFO]        FP reports status 'NO False Positive' for file 'c:\users\**\desktop\infected\0706(17).exe'
    
30. 07/06/2018,10-15-37        [INFO]        c:\users\**\desktop\infected\0706(17).exe
    
31. 07/06/2018,10-15-37        [INFO]        [DETECTION] file contains 'SPR/Tool.Mailpassview.473'
    
32. 07/06/2018,10-15-52        [INFO]        FP reports status 'NO False Positive' for file 'c:\users\**\desktop\infected\0706(18).exe'
    
33. 07/06/2018,10-15-52        [INFO]        The file 'c:\users\**\desktop\infected\0706(18).exe' has been uploaded to the Protection Cloud and analyzed. SHA256 = A25D285A6908046FD8454BFAB6A85ECAB7F0326554B1234FDAF2E15A2790ED39
    
34. 07/06/2018,10-15-52        [INFO]        c:\users\**\desktop\infected\0706(18).exe
    
35. 07/06/2018,10-15-52        [INFO]        [DETECTION] file contains 'TR/Kryptik.a25d28'
    
36. 07/06/2018,10-15-52        [INFO]        FP reports status 'NO False Positive' for file 'c:\users\**\desktop\infected\0706(19).exe'
    
37. 07/06/2018,10-15-52        [INFO]        c:\users\**\desktop\infected\0706(19).exe
    
38. 07/06/2018,10-15-52        [INFO]        [DETECTION] file contains 'TR/Crypt.XPACK.Gen'
    
39. 07/06/2018,10-16-04        [INFO]        FP reports status 'NO False Positive' for file 'c:\users\**\desktop\infected\0706(2).exe'
    
40. 07/06/2018,10-16-04        [INFO]        The file 'c:\users\**\desktop\infected\0706(2).exe' has been uploaded to the Protection Cloud and analyzed. SHA256 = 8282D4691003338686620699353CEBD913D4139A03484B6A424B869DFB0320D6
    
41. 07/06/2018,10-16-04        [INFO]        c:\users\**\desktop\infected\0706(2).exe
    
42. 07/06/2018,10-16-04        [INFO]        [DETECTION] file contains 'TR/Crypt.XPACK.8282d4'
    
43. 07/06/2018,10-16-17        [INFO]        FP reports status 'NO False Positive' for file 'c:\users\**\desktop\infected\0706(20).exe'
    
44. 07/06/2018,10-16-17        [INFO]        The file 'c:\users\**\desktop\infected\0706(20).exe' has been uploaded to the Protection Cloud and analyzed. SHA256 = 1DCA625A670F45765572B78E5C84CD8D6F2945D95AA5FEA4F772010D08AA1023
    
45. 07/06/2018,10-16-17        [INFO]        c:\users\**\desktop\infected\0706(20).exe
    
46. 07/06/2018,10-16-17        [INFO]        [DETECTION] file contains 'HEUR/APC'
    
47. 07/06/2018,10-16-29        [INFO]        FP reports status 'NO False Positive' for file 'c:\users\**\desktop\infected\0706(21).exe'
    
48. 07/06/2018,10-16-29        [INFO]        The file 'c:\users\**\desktop\infected\0706(21).exe' has been uploaded to the Protection Cloud and analyzed. SHA256 = 80EC49C3F893BCBDE123B99DA2183B2F5DA3553F25EEF96F1AE6DC4C3259E9F7
    
49. 07/06/2018,10-16-29        [INFO]        c:\users\**\desktop\infected\0706(21).exe
    
50. 07/06/2018,10-16-29        [INFO]        [DETECTION] file contains 'DR/Delphi.Gen'
    
51. 07/06/2018,10-16-42        [INFO]        FP reports status 'NO False Positive' for file 'c:\users\**\desktop\infected\0706(22).exe'
    
52. 07/06/2018,10-16-42        [INFO]        The file 'c:\users\**\desktop\infected\0706(22).exe' has been uploaded to the Protection Cloud and analyzed. SHA256 = 681535ACCA914749A1938F759390E9FD696FC8405073D0464F48B9B657FD13AD
    
53. 07/06/2018,10-16-42        [INFO]        c:\users\**\desktop\infected\0706(22).exe
    
54. 07/06/2018,10-16-42        [INFO]        [DETECTION] file contains 'TR/Dropper.VB.Gen9'
    
55. 07/06/2018,10-16-54        [INFO]        FP reports status 'NO False Positive' for file 'c:\users\**\desktop\infected\0706(23).exe'
    
56. 07/06/2018,10-16-54        [INFO]        The file 'c:\users\**\desktop\infected\0706(23).exe' has been uploaded to the Protection Cloud and analyzed. SHA256 = AF7FCAE9AD1F1C075699A30DA2909C8DBA81043FBEFC7AE7F2FF8FDAABE838E2
    
57. 07/06/2018,10-16-54        [INFO]        c:\users\**\desktop\infected\0706(23).exe
    
58. 07/06/2018,10-16-54        [INFO]        [DETECTION] file contains 'TR/Dropper.MSIL.af7fca'
    
59. 07/06/2018,10-16-54        [INFO]        FP reports status 'NO False Positive' for file 'c:\users\**\desktop\infected\0706(24).exe'
    
60. 07/06/2018,10-16-54        [INFO]        c:\users\**\desktop\infected\0706(24).exe
    
61. 07/06/2018,10-16-54        [INFO]        [DETECTION] file contains 'TR/ATRAPS.Gen'
    
62. 07/06/2018,10-16-55        [INFO]        FP reports status 'NO False Positive' for file 'c:\users\**\desktop\infected\0706(25).exe'
    
63. 07/06/2018,10-16-55        [INFO]        c:\users\**\desktop\infected\0706(25).exe
    
64. 07/06/2018,10-16-55        [INFO]        [DETECTION] file contains 'TR/Agent.fjjrc'
    
65. 07/06/2018,10-17-07        [INFO]        FP reports status 'NO False Positive' for file 'c:\users\**\desktop\infected\0706(26).exe'
    
66. 07/06/2018,10-17-07        [INFO]        The file 'c:\users\**\desktop\infected\0706(26).exe' has been uploaded to the Protection Cloud and analyzed. SHA256 = 2DAD3ECDE48F0F696F104EA598CC5F33ADCBF486EAD2CF6D3C90E36FFB388335
    
67. 07/06/2018,10-17-07        [INFO]        c:\users\**\desktop\infected\0706(26).exe
    
68. 07/06/2018,10-17-07        [INFO]        [DETECTION] file contains 'TR/Crypt.XPACK.2dad3e'
    
69. 07/06/2018,10-17-07        [INFO]        FP reports status 'NO False Positive' for file 'c:\users\**\desktop\infected\0706(3).exe'
    
70. 07/06/2018,10-17-07        [INFO]        c:\users\**\desktop\infected\0706(3).exe
    
71. 07/06/2018,10-17-07        [INFO]        [DETECTION] file contains 'TR/Kryptik.eaiiy'
    
72. 07/06/2018,10-17-19        [INFO]        FP reports status 'NO False Positive' for file 'c:\users\**\desktop\infected\0706(4).exe'
    
73. 07/06/2018,10-17-19        [INFO]        The file 'c:\users\**\desktop\infected\0706(4).exe' has been uploaded to the Protection Cloud and analyzed. SHA256 = 0B9AC8FC1D6E433C3D01071B12222BE4F45F9B87B283FF883D5643FF8EA4E2A0
    
74. 07/06/2018,10-17-19        [INFO]        c:\users\**\desktop\infected\0706(4).exe
    
75. 07/06/2018,10-17-19        [INFO]        [DETECTION] file contains 'TR/Crypt.XPACK.0b9ac8'
    
76. 07/06/2018,10-17-19        [INFO]        FP reports status 'NO False Positive' for file 'c:\users\**\desktop\infected\0706(5).exe'
    
77. 07/06/2018,10-17-19        [INFO]        c:\users\**\desktop\infected\0706(5).exe
    
78. 07/06/2018,10-17-19        [INFO]        [DETECTION] file contains 'HEUR/AGEN.1013209'
    
79. 07/06/2018,10-17-32        [INFO]        FP reports status 'NO False Positive' for file 'c:\users\**\desktop\infected\0706(6).exe'
    
80. 07/06/2018,10-17-32        [INFO]        The file 'c:\users\**\desktop\infected\0706(6).exe' has been uploaded to the Protection Cloud and analyzed. SHA256 = 38861C0F07D7A2EBC823BAF0BB4C11ED0B20D078E57830697B22C7EFB1073E5A
    
81. 07/06/2018,10-17-32        [INFO]        c:\users\**\desktop\infected\0706(6).exe
    
82. 07/06/2018,10-17-32        [INFO]        [DETECTION] file contains 'TR/Crypt.XPACK.38861c'
    
83. 07/06/2018,10-17-32        [INFO]        FP reports status 'NO False Positive' for file 'c:\users\**\desktop\infected\0706(7).exe'
    
84. 07/06/2018,10-17-32        [INFO]        c:\users\**\desktop\infected\0706(7).exe
    
85. 07/06/2018,10-17-32        [INFO]        [DETECTION] file contains 'TR/Crypt.XDR.Gen'
    
86. 07/06/2018,10-17-44        [INFO]        FP reports status 'NO False Positive' for file 'c:\users\**\desktop\infected\0706(8).exe'
    
87. 07/06/2018,10-17-44        [INFO]        The file 'c:\users\**\desktop\infected\0706(8).exe' has been uploaded to the Protection Cloud and analyzed. SHA256 = 66A527A237D03252888BCCDA5D83F9F4C695A82793079D0ABF2EBCC8204CC6D5
    
88. 07/06/2018,10-17-44        [INFO]        c:\users\**\desktop\infected\0706(8).exe
    
89. 07/06/2018,10-17-44        [INFO]        [DETECTION] file contains 'TR/Crypt.XPACK.66a527'
    
90. 07/06/2018,10-17-56        [INFO]        FP reports status 'NO False Positive' for file 'c:\users\**\desktop\infected\0706(9).exe'
    
91. 07/06/2018,10-17-56        [INFO]        The file 'c:\users\**\desktop\infected\0706(9).exe' has been uploaded to the Protection Cloud and analyzed. SHA256 = CCE95E54469F470C174721071D820D874584606D11290BF171804D20F6A3012D
    
92. 07/06/2018,10-17-56        [INFO]        c:\users\**\desktop\infected\0706(9).exe
    
93. 07/06/2018,10-17-56        [INFO]        [DETECTION] file contains 'TR/Dropper.MSIL.cce95e'
    

复制代码

lkjx21

command360 发表于 2018-7-6 22:08
火绒 22:08

Samples(4/26)   15.4%

何不用用规则测试一下～例如论坛里的斩首14系列

Eset小粉絲

KIS 22:18
Database released date: Today 5:48pm

(File Protection Module) + (Context Menu Scan) = 13/26 50%

Note: KSN Disabled

真小读者

ESET  20:21
Sample（22/26）   84.6%
剩余1、9、13、20

1. 日志
   
2. 正在扫描日志
   
3. 检测引擎的版本: 17671 (20180706)
   
4. 日期: 2018/7/6  时间: 22:19:52
   
5. 已扫描的磁盘、文件夹和文件: E:\PACKAGE 0706
   
6. E:\PACKAGE 0706\0706(10).exe > ZIP > Project4.class - Java/TrojanDownloader.Banload.ER 特洛伊木马 的变种 - 扫描完成后再选择处理方式
   
7. E:\PACKAGE 0706\0706(11).exe - Win32/Injector.DZBZ 特洛伊木马 的变种 - 通过删除清除 [1]
   
8. E:\PACKAGE 0706\0706(12).exe - Win32/Kryptik.GIHO 特洛伊木马 的变种 - 通过删除清除 [1]
   
9. E:\PACKAGE 0706\0706(14).exe - Win32/Kryptik.GIOA 特洛伊木马 的变种 - 通过删除清除 [1]
   
10. E:\PACKAGE 0706\0706(15).exe - MSIL/TrojanDropper.Agent.DNB 特洛伊木马 的变种 - 通过删除清除 [1]
    
11. E:\PACKAGE 0706\0706(16).exe - Win32/PSW.Fareit.L 特洛伊木马 - 通过删除清除 [1]
    
12. E:\PACKAGE 0706\0706(17).exe - MSIL/Autorun.Spy.Agent.AU 蠕虫 的变种 - 通过删除清除 [1]
    
13. E:\PACKAGE 0706\0706(18).exe - Win32/GenKryptik.CEMN 特洛伊木马 的变种 - 通过删除清除 [1]
    
14. E:\PACKAGE 0706\0706(19).exe - Win32/GenKryptik.CENC 特洛伊木马 的变种 - 通过删除清除 [1]
    
15. E:\PACKAGE 0706\0706(2).exe - Win32/Emotet.BK 特洛伊木马 - 通过删除清除 [1]
    
16. E:\PACKAGE 0706\0706(21).exe - Win32/Injector.DZBZ 特洛伊木马 的变种 - 通过删除清除 [1]
    
17. E:\PACKAGE 0706\0706(22).exe - Win32/GenKryptik.CELQ 特洛伊木马 的变种 - 通过删除清除 [1]
    
18. E:\PACKAGE 0706\0706(23).exe - MSIL/Kryptik.OPX 特洛伊木马 的变种 - 通过删除清除 [1]
    
19. E:\PACKAGE 0706\0706(24).exe - MSIL/Injector.TSY 特洛伊木马 的变种 - 通过删除清除 [1]
    
20. E:\PACKAGE 0706\0706(25).exe - Win32/Agent.ZTT 特洛伊木马 - 通过删除清除 [1]
    
21. E:\PACKAGE 0706\0706(26).exe - Win32/GenKryptik.CEMW 特洛伊木马 的变种 - 通过删除清除 [1]
    
22. E:\PACKAGE 0706\0706(3).exe - Win32/GenKryptik.CEHY 特洛伊木马 的变种 - 通过删除清除 [1]
    
23. E:\PACKAGE 0706\0706(4).exe - Win32/Kryptik.GINQ 特洛伊木马 的变种 - 通过删除清除 [1]
    
24. E:\PACKAGE 0706\0706(5).exe - MSIL/Kryptik.OHR 特洛伊木马 的变种 - 通过删除清除 [1]
    
25. E:\PACKAGE 0706\0706(6).exe - Win32/Kryptik.GINQ 特洛伊木马 的变种 - 通过删除清除 [1]
    
26. E:\PACKAGE 0706\0706(7).exe - MSIL/Injector.TSV 特洛伊木马 的变种 - 通过删除清除 [1]
    
27. E:\PACKAGE 0706\0706(8).exe - Win32/GenKryptik.CELL 特洛伊木马 的变种 - 通过删除清除 [1]
    
28. 已扫描的对象数: 27
    
29. 发现的威胁数: 22
    
30. 已清除对象数: 22
    
31. 完成时间: 22:20:31  总扫描时间: 39 秒 (00:00:39)
    
32. 
    
33. 备注:
    
34. [1] 由于对象中仅包含病毒主体，因此已被删除。
    

复制代码

pal家族

卡巴今天凌晨5点：
10x， 无云检测，
修改md5,10x


卡巴目前，在线扫描：
13x，无云检测，

修改md5,13x

对比发现多出来的三个是更新特征库之后，多出的本地启发检测。

修改md5之后，报毒名没有发生改变。

ynghaos

BD+NS杀25，剩下一个sonaur atd杀

bambooslip

360安全卫士 22x

智量安全终端 26x


腾讯电脑管家 2x