#PACKAGE 0817

dreams521

191196846 发表于 2018-8-17 20:53
我这边双击全杀
Hyper-V 虚拟机双击，样本不自退

为什么

Jerry.Lin

dreams521 发表于 2018-8-17 21:04
为什么

因为针对Hyper-V的反虚拟机样本较少，比VMWare，BOX好多了，而且性能上有得天独厚的优势

这次样本目测都跑出来了，报了好几个PDM: Exploit

dreams521

191196846 发表于 2018-8-17 21:09
因为针对Hyper-V的反虚拟机样本较少，比VMWare好多了

这次样本目测都跑出来了，报了好几个PDM: Exploi ...

对,怎么回归了卡巴了?康复了

stupid1man

紅傘 21:10


實時防護：1
右鍵掃描：8

剩下檔案：(7) 21:18 二掃APC報
Total：10/10 (100%)

————————掃描部份————————

1. Start of the scan: 2018-08-17 21:10:30
   
2. 08/17/2018,21-10-32        [INFO]        FP reports status 'NO False Positive' for file 'c:\users\shane siu\desktop\package 0817\0817(1).exe'
   
3. 08/17/2018,21-10-32        [INFO]        Successful Cloud SDK initialization and license check.
   
4. 08/17/2018,21-10-32        [INFO]        The file 'c:\users\shane siu\desktop\package 0817\0817(1).exe' was scanned with the Protection Cloud. SHA256 = 12AE38C96B7A7BA2C96CADF668010344D4FF15F701A7621D0A91314D67712044
   
5. 08/17/2018,21-10-32        [INFO]        c:\users\shane siu\desktop\package 0817\0817(1).exe
   
6. 08/17/2018,21-10-32        [INFO]        [DETECTION] file contains 'HEUR/APC'
   
7. 08/17/2018,21-10-32        [INFO]        FP reports status 'NO False Positive' for file 'c:\users\shane siu\desktop\package 0817\0817(10).exe'
   
8. 08/17/2018,21-10-32        [INFO]        The file 'c:\users\shane siu\desktop\package 0817\0817(10).exe' was scanned with the Protection Cloud. SHA256 = A06E49E2780FF7ADB98E95BB48BF70344ED62C5DDFD358E72492E5B836AFC104
   
9. 08/17/2018,21-10-32        [INFO]        c:\users\shane siu\desktop\package 0817\0817(10).exe
   
10. 08/17/2018,21-10-32        [INFO]        [DETECTION] file contains 'DR/Delphi.a06e49'
    
11. 08/17/2018,21-10-33        [INFO]        FP reports status 'NO False Positive' for file 'c:\users\shane siu\desktop\package 0817\0817(2).exe'
    
12. 08/17/2018,21-10-33        [INFO]        c:\users\shane siu\desktop\package 0817\0817(2).exe
    
13. 08/17/2018,21-10-33        [INFO]        [DETECTION] file contains 'TR/Dropper.Gen'
    
14. 08/17/2018,21-10-33        [INFO]        FP reports status 'NO False Positive' for file 'c:\users\shane siu\desktop\package 0817\0817(3).exe'
    
15. 08/17/2018,21-10-33        [INFO]        c:\users\shane siu\desktop\package 0817\0817(3).exe
    
16. 08/17/2018,21-10-33        [INFO]        [DETECTION] file contains 'TR/Dropper.Gen'
    
17. 08/17/2018,21-10-34        [INFO]        FP reports status 'NO False Positive' for file 'c:\users\shane siu\desktop\package 0817\0817(5).exe'
    
18. 08/17/2018,21-10-34        [INFO]        The file 'c:\users\shane siu\desktop\package 0817\0817(5).exe' was scanned with the Protection Cloud. SHA256 = 4EEBAE5AD3AFD9ED10FEC7BD93A6112E0E4651DD5D455C07162BF910251C16A5
    
19. 08/17/2018,21-10-34        [INFO]        c:\users\shane siu\desktop\package 0817\0817(5).exe
    
20. 08/17/2018,21-10-34        [INFO]        [DETECTION] file contains 'TR/Crypt.ZPACK.4eebae'
    
21. 08/17/2018,21-10-34        [INFO]        FP reports status 'NO False Positive' for file 'c:\users\shane siu\desktop\package 0817\0817(6).exe'
    
22. 08/17/2018,21-10-34        [INFO]        The file 'c:\users\shane siu\desktop\package 0817\0817(6).exe' was scanned with the Protection Cloud. SHA256 = E797113CC3F2AA55231A24B79B42BEA27C6D8F590045CC20B3A99A520FD425BB
    
23. 08/17/2018,21-10-34        [INFO]        c:\users\shane siu\desktop\package 0817\0817(6).exe
    
24. 08/17/2018,21-10-34        [INFO]        [DETECTION] file contains 'TR/AD.Emotet.e79711'
    
25. 08/17/2018,21-10-35        [INFO]        FP reports status 'NO False Positive' for file 'c:\users\shane siu\desktop\package 0817\0817(8).exe'
    
26. 08/17/2018,21-10-35        [INFO]        The file 'c:\users\shane siu\desktop\package 0817\0817(8).exe' was scanned with the Protection Cloud. SHA256 = 8074ED2DEF1E84AD0A85D427EC98682D98994D8E3D53C9D8AE007D8C5E5B6950
    
27. 08/17/2018,21-10-35        [INFO]        c:\users\shane siu\desktop\package 0817\0817(8).exe
    
28. 08/17/2018,21-10-35        [INFO]        [DETECTION] file contains 'TR/Crypt.XPACK.8074ed'
    
29. 08/17/2018,21-10-35        [INFO]        FP reports status 'NO False Positive' for file 'c:\users\shane siu\desktop\package 0817\0817(9).exe'
    
30. 08/17/2018,21-10-35        [INFO]        The file 'c:\users\shane siu\desktop\package 0817\0817(9).exe' was scanned with the Protection Cloud. SHA256 = 7E69151542B1C5FBE151FB3B0ED5BAB642767B8408FDD362D1C6127777999F32
    
31. 08/17/2018,21-10-35        [INFO]        c:\users\shane siu\desktop\package 0817\0817(9).exe
    
32. 08/17/2018,21-10-35        [INFO]        [DETECTION] file contains 'TR/Spy.Ursnif.7e6915'

复制代码

Jerry.Lin

dreams521 发表于 2018-8-17 21:11
对,怎么回归了卡巴了?康复了

实机回卡巴了

但是没康复

现在在玩ESET和卡巴联网锁库的娱乐测试（都不予以更新，测卡巴时改MD5，KSN拒绝加入，测ESET，livegrid feedback系统关闭）

卡巴这次本地只杀1（昨天的库），剩余双击都是PDM干掉

ESET扫描也1x(前天的库），双击AMS+僵尸网络防护 -> 8/10 ，也还算不错

Snake9

Avast

Total：6/10 (60%)

dreams521

191196846 发表于 2018-8-17 21:15
实机回卡巴了

但是没康复

关起门来 练开"硬功夫"了   祝早日康复

√×√×√√×

囧，数字国际版报7，其中云拉黑只有1个


囧，剩余样本双击，1号样本32位系统无法运行
5号样本监控主防均没有反应
7号样本监控主防均没有反应

囧囧囧

Jerry.Lin

√×√×√√× 发表于 2018-8-17 21:23
囧，数字国际版报7，其中云拉黑只有1个

只有Trojan.Generic 是人工云拉黑

Trojan.aabbcc 这类是自动上传云端分析的结果

当然如果双击样本，运行后看到云HIPS报Trojan.Generic，则是基于云规则的多步判定（多步主防），亦或者触发上传后分析完成反馈给本地端点->拦截

√×√×√√×

191196846 发表于 2018-8-17 21:28
只有Trojan.Generic 是人工云拉黑

Trojan.aabbcc 这类是自动上传云端分析的结果

囧，国际版的云端策略目前和国内版是不一样的，之前跟国际版的官人确认过 囧囧 据说之后会逐步向国内版靠拢