#PACKAGE 0827

显示全部楼层 · 发表于 2018-8-27 20:57:23

蓝奏

Total : 19

#勿传VT
#在样本有效期内（24小时），建议无需手动上报样本至厂商，便于其他人测试行为拦截，响应速度等
#样本序号以收集时间顺序排序，越大代表越接近现在时间

#原始样本在ESET LiveGrid 云系统被发现的时间

IOC：

0827(2).exe - eceb968c929151242cf57783b27b38c1
0827(3).exe - 4233a0dbef8a300b7610d2db3d40595a
0827(13).exe - 97a30822ad4f74376ef8c013958bd4c9
0827(10).exe - 4a3367a95c3408060a99a7b5bc370efb
0827(15).exe - d3d28b9665bdbc7a297e977134b90810
0827(7).exe - 7330f8c8f20f1a6aa419470d2421ce27
0827(17).exe - 0398d53bc37802082f8b710589a1f9f6
0827(11).exe - 24cc4ad6883d1477c2dbf90d4df7b618
0827(4).exe - ba0b6e2dccc0bf82a92c86c52a8ca921
0827(8).exe - 5eee8651cf210df9cf66da55d93a8d99
0827(18).exe - 16a6c86092dcbf0b7dc483a4b2eca167
0827(9).exe - e4b92b9bef8dd114333febd04d131230
0827(5).exe - 18a23b7daf7ccb3d3cb59780e9e10d4e
0827(19).exe - 3825efd5fcbdde5bd2a250c08d335c91
0827(1).exe - 21e6182ef3ec3f8bb806cecc945d0fc4
0827(12).exe - 0bf5f61879df689ced502e18e13d2c32
0827(14).exe - 790a2768b504dc976539fab4d7d6d3b3
0827(6).exe - ce3e9c09443110098104cc70b5e5bf20
0827(16).exe - 3ad789016069bfcbce4aa217b62bf864

复制代码

回帖格式建议

杀软名称 + 时间
查杀数量+查杀率

例如：
XXX 20:39
Samples(5/10) 50%

显示全部楼层 · 发表于 2018-8-27 20:59:27

本帖最后由 Jirehlov1234 于 2018-8-27 22:51 编辑

BD 21:00
TIU 11905561

扫描9x+双击8x=17/19

E:\TEST\PACKAGE 0827\0827(7).exe	Trojan.Agent.DDOY	Deleted
E:\TEST\PACKAGE 0827\0827(8).exe	Gen:Variant.Barys.51339	Deleted
E:\TEST\PACKAGE 0827\0827(1).exe	Trojan.GenericKD.40429263	Deleted
E:\TEST\PACKAGE 0827\0827(18).exe	Trojan.GenericKD.40428724	Deleted
E:\TEST\PACKAGE 0827\0827(13).exe	Gen:Variant.Razy.378118	Deleted
E:\TEST\PACKAGE 0827\0827(3).exe	Trojan.GenericKD.40424759	Deleted
E:\TEST\PACKAGE 0827\0827(12).exe	Gen:Variant.Johnnie.117678	Deleted
E:\TEST\PACKAGE 0827\0827(5).exe	Trojan.GenericKD.40429995	Deleted
E:\TEST\PACKAGE 0827\0827(14).exe	Trojan.GenericKD.40430006	Deleted

2
ATD击杀（malicious behavior）
0827(2).exe
adobeservice.exe

4
允许外联37.187.155.228
ATD击杀（potentially malicious application）
0827(4).exe
dddw.lnk

6
ATD击杀（potentially malicious application）
0827(6).exe

9
ATD击杀（malicious behavior）
0827(9).exe
~df0eef58600b33e77c.tmp
udpsvc.exe
run.dat

10
自退出

11
ATD击杀（potentially malicious application）
0827(11).exe

15
ATD击杀（malicious behavior）
aemogrtinstall14-2-1.txt.lockedfile（勒索？）
execoutputhandlerunner.java.lockedfile
0827(15).exe
crypto.hash._sha256.pyd
crypto.util.strxor.pyd
crypto.cipher._des.pyd
crypto.cipher._aes.pyd
crypto.util._counter.pyd
crypto.random.osrng.winrandom.pyd
crypto.cipher._des3.pyd
lockyfud.exe
lockyfud.exe.manifest
safestreams.java
encodedstream.java
javaexechandlefactory.java
aemogrtinstall14-2-1.txt.lockymap
win32ui.pyd
signatures.xml.lockymap
defaultexechandlebuilder.java
locky-readme.txt
defaultexechandlebuilder.java.lockedfile
defaultexechandlebuilder.java.lockymap
aemogrtinstall14-2-1.txt
defaultjavaexecaction.java
streamsforwarder.java.lockymap
defaultjavaexecaction.java.lockedfile
defaultjavaexecaction.java.lockymap
defaultjavaforkoptions.java
safestreams.java.lockymap
defaultjavaforkoptions.java.lockedfile
defaultjavaforkoptions.java.lockymap
defaultprocessforkoptions.java
defaultprocessforkoptions.java.lockedfile
aemogrtinstall15-1.txt
aemogrtinstall15-1.txt.lockedfile
aemogrtinstall15-1.txt.lockymap
defaultprocessforkoptions.java.lockymap
execaction.java
等等

16
ATD击杀（potentially malicious application）
0827(16).exe

17
ATD阻止（vulnerability exploitation）
firefox.exe

19
ATD击杀（malicious behavior）
0827(19).exe

显示全部楼层 · 发表于 2018-8-27 21:01:39

本帖最后由 stupid1man 于 2018-8-27 22:21 编辑

紅傘 21:02
右鍵掃描：3
傳送APC待確定：9/15

21:27
隔離區掃（接近於雙擊APC）：6/7
Total：18/19（94.7%）

——————掃描部份——————

Start of the scan: 2018-08-27 21:02:40
08/27/2018,21-02-43 [INFO] [CLOUD] File 'c:\users\desktop\package 0827\0827(1).exe' needs to be uploaded to cloud. User confirmation is needed.
08/27/2018,21-02-43 [INFO] The file 'c:\users\desktop\package 0827\0827(1).exe' was scanned with the Protection Cloud. SHA256 = DCF5A24AD263711F9105F1FDBFAA74800223680A0C700DFBE7EB60B7AC7151CD
08/27/2018,21-02-44 [INFO] FP reports status 'NO False Positive' for file 'c:\users\desktop\package 0827\0827(10).exe'
08/27/2018,21-02-44 [INFO] c:\users\desktop\package 0827\0827(10).exe
08/27/2018,21-02-44 [INFO] [DETECTION] file contains 'HEUR/AGEN.1008710'
08/27/2018,21-02-44 [INFO] [CLOUD] File 'c:\users\desktop\package 0827\0827(11).exe' needs to be uploaded to cloud. User confirmation is needed.
08/27/2018,21-02-44 [INFO] The file 'c:\users\desktop\package 0827\0827(11).exe' was scanned with the Protection Cloud. SHA256 = CA43FD2FA781341E480F4782753B90870BB95DE0277DA32749B3B43CDECC073F
08/27/2018,21-02-45 [INFO] [CLOUD] File 'c:\users\desktop\package 0827\0827(12).exe' needs to be uploaded to cloud. User confirmation is needed.
08/27/2018,21-02-45 [INFO] The file 'c:\users\desktop\package 0827\0827(12).exe' was scanned with the Protection Cloud. SHA256 = 6D450B882D64397617EE6EF876D5CE609004816FACDF944802FD850E0661C98D
08/27/2018,21-02-45 [INFO] FP reports status 'NO False Positive' for file 'c:\users\desktop\package 0827\0827(13).exe'
08/27/2018,21-02-45 [INFO] c:\users\desktop\package 0827\0827(13).exe
08/27/2018,21-02-45 [INFO] [DETECTION] file contains 'TR/Dropper.MSIL.Gen'
08/27/2018,21-02-45 [INFO] [CLOUD] File 'c:\users\desktop\package 0827\0827(14).exe' needs to be uploaded to cloud. User confirmation is needed.
08/27/2018,21-02-45 [INFO] The file 'c:\users\desktop\package 0827\0827(14).exe' was scanned with the Protection Cloud. SHA256 = 89E1D3659614A085BF49EF5602E7460CE5AAA1826D1FE27FFAD300C13088A6B9
08/27/2018,21-02-47 [INFO] [CLOUD] File 'c:\users\desktop\package 0827\0827(15).exe' needs to be uploaded to cloud. User confirmation is needed.
08/27/2018,21-02-47 [INFO] The file 'c:\users\desktop\package 0827\0827(15).exe' was scanned with the Protection Cloud. SHA256 = D0AC8F97A60F6083AE3B4CF366F7EFCA5C6336E2542D02F53A680180C23B10F1
08/27/2018,21-02-47 [INFO] [CLOUD] File 'c:\users\desktop\package 0827\0827(16).exe' needs to be uploaded to cloud. User confirmation is needed.
08/27/2018,21-02-47 [INFO] The file 'c:\users\desktop\package 0827\0827(16).exe' was scanned with the Protection Cloud. SHA256 = 6B75CE1BE0FA46CCF204790F1D95CB687765819E0395D8B79C1CD53F59448B84
08/27/2018,21-02-48 [INFO] [CLOUD] File 'c:\users\desktop\package 0827\0827(18).exe' needs to be uploaded to cloud. User confirmation is needed.
08/27/2018,21-02-48 [INFO] The file 'c:\users\desktop\package 0827\0827(18).exe' was scanned with the Protection Cloud. SHA256 = FDF94226ABAB274C0FC6C7C2DC45AD808F01EA7E71D2C45A3835E6B745B150A1
08/27/2018,21-02-48 [INFO] [CLOUD] File 'c:\users\desktop\package 0827\0827(19).exe' needs to be uploaded to cloud. User confirmation is needed.
08/27/2018,21-02-48 [INFO] The file 'c:\users\desktop\package 0827\0827(19).exe' was scanned with the Protection Cloud. SHA256 = 9FB0F93FC50564B2AC90D665C4F9C52F0C3773CD052C0135EFFE25FF5070CD23
08/27/2018,21-02-48 [INFO] [CLOUD] File 'c:\users\desktop\package 0827\0827(2).exe' needs to be uploaded to cloud. User confirmation is needed.
08/27/2018,21-02-48 [INFO] The file 'c:\users\desktop\package 0827\0827(2).exe' was scanned with the Protection Cloud. SHA256 = B23EB7E70EC2486593E2B136251445AF2BBE84FFB90DF18C7D4226BC89AD5413
08/27/2018,21-02-49 [INFO] [CLOUD] File 'c:\users\desktop\package 0827\0827(3).exe' needs to be uploaded to cloud. User confirmation is needed.
08/27/2018,21-02-49 [INFO] The file 'c:\users\desktop\package 0827\0827(3).exe' was scanned with the Protection Cloud. SHA256 = BD1A7F12F317F4EA877CD2EEA1035F9A907FCAA83E4333EDF8A44A019494BAA7
08/27/2018,21-02-49 [INFO] FP reports status 'NO False Positive' for file 'c:\users\desktop\package 0827\0827(4).exe'
08/27/2018,21-02-49 [INFO] c:\users\desktop\package 0827\0827(4).exe
08/27/2018,21-02-49 [INFO] [DETECTION] file contains 'TR/Dropper.Gen'
08/27/2018,21-02-50 [INFO] [CLOUD] File 'c:\users\desktop\package 0827\0827(5).exe' needs to be uploaded to cloud. User confirmation is needed.
08/27/2018,21-02-50 [INFO] The file 'c:\users\desktop\package 0827\0827(5).exe' was scanned with the Protection Cloud. SHA256 = 343BBA86BC43920C91AD1E17CF2FA8704A8071DC5F440ACFEE2D70F253A3B07B
08/27/2018,21-02-50 [INFO] [CLOUD] File 'c:\users\desktop\package 0827\0827(6).exe' needs to be uploaded to cloud. User confirmation is needed.
08/27/2018,21-02-50 [INFO] The file 'c:\users\desktop\package 0827\0827(6).exe' was scanned with the Protection Cloud. SHA256 = E6460C86386E084AA21F9C4AE9CBE122D4CB81D6D6E58189FEA245BE6475DAE0
08/27/2018,21-02-51 [INFO] [CLOUD] File 'c:\users\desktop\package 0827\0827(7).exe' needs to be uploaded to cloud. User confirmation is needed.
08/27/2018,21-02-51 [INFO] The file 'c:\users\desktop\package 0827\0827(7).exe' was scanned with the Protection Cloud. SHA256 = F94819DB8E5B8CD555D2935847075C15DC0A8856F9A0B8C0E000ECA1C772926D
08/27/2018,21-02-51 [INFO] [CLOUD] File 'c:\users\desktop\package 0827\0827(8).exe' needs to be uploaded to cloud. User confirmation is needed.
08/27/2018,21-02-51 [INFO] The file 'c:\users\desktop\package 0827\0827(8).exe' was scanned with the Protection Cloud. SHA256 = 4C38FFFCE83E97941145568989C84CA55FF42146505AE07669B69688F7A68D4E
08/27/2018,21-02-52 [INFO] [CLOUD] File 'c:\users\desktop\package 0827\0827(9).exe' needs to be uploaded to cloud. User confirmation is needed.
08/27/2018,21-02-52 [INFO] The file 'c:\users\desktop\package 0827\0827(9).exe' was scanned with the Protection Cloud. SHA256 = 05647B61A26D1F4E363A9B0F8C17A3E76760C2CDD2D109A62EDF1139BFD12508
08/27/2018,21-03-17 [INFO] Retry 1 for the file 'c:\users\desktop\package 0827\0827(1).exe'. SHA256 = DCF5A24AD263711F9105F1FDBFAA74800223680A0C700DFBE7EB60B7AC7151CD
08/27/2018,21-03-20 [INFO] FP reports status 'NO False Positive' for file 'c:\users\desktop\package 0827\0827(1).exe'
08/27/2018,21-03-20 [INFO] The file 'c:\users\desktop\package 0827\0827(1).exe' has been uploaded to the Protection Cloud and analyzed. SHA256 = DCF5A24AD263711F9105F1FDBFAA74800223680A0C700DFBE7EB60B7AC7151CD
08/27/2018,21-03-20 [INFO] c:\users\desktop\package 0827\0827(1).exe
08/27/2018,21-03-20 [INFO] [DETECTION] file contains 'TR/Dropper.VB.dcf5a2'
08/27/2018,21-03-38 [INFO] FP reports status 'NO False Positive' for file 'c:\users\desktop\package 0827\0827(11).exe'
08/27/2018,21-03-38 [INFO] The file 'c:\users\desktop\package 0827\0827(11).exe' has been uploaded to the Protection Cloud and analyzed. SHA256 = CA43FD2FA781341E480F4782753B90870BB95DE0277DA32749B3B43CDECC073F
08/27/2018,21-03-38 [INFO] c:\users\desktop\package 0827\0827(11).exe
08/27/2018,21-03-38 [INFO] [DETECTION] file contains 'TR/Injector.ca43fd'
08/27/2018,21-03-58 [INFO] FP reports status 'NO False Positive' for file 'c:\users\desktop\package 0827\0827(12).exe'
08/27/2018,21-03-59 [INFO] The file 'c:\users\desktop\package 0827\0827(12).exe' has been uploaded to the Protection Cloud and analyzed. SHA256 = 6D450B882D64397617EE6EF876D5CE609004816FACDF944802FD850E0661C98D
08/27/2018,21-03-59 [INFO] c:\users\desktop\package 0827\0827(12).exe
08/27/2018,21-03-59 [INFO] [DETECTION] file contains 'TR/Injector.6d450b'
08/27/2018,21-04-13 [INFO] FP reports status 'NO False Positive' for file 'c:\users\desktop\package 0827\0827(14).exe'
08/27/2018,21-04-13 [INFO] The file 'c:\users\desktop\package 0827\0827(14).exe' has been uploaded to the Protection Cloud and analyzed. SHA256 = 89E1D3659614A085BF49EF5602E7460CE5AAA1826D1FE27FFAD300C13088A6B9
08/27/2018,21-04-13 [INFO] c:\users\desktop\package 0827\0827(14).exe
08/27/2018,21-04-13 [INFO] [DETECTION] file contains 'TR/Crypt.XPACK.Gen'
08/27/2018,21-05-28 [INFO] FP reports status 'NO False Positive' for file 'c:\users\desktop\package 0827\0827(15).exe'
08/27/2018,21-05-28 [INFO] The file 'c:\users\desktop\package 0827\0827(15).exe' has been uploaded to the Protection Cloud and analyzed. SHA256 = D0AC8F97A60F6083AE3B4CF366F7EFCA5C6336E2542D02F53A680180C23B10F1
08/27/2018,21-05-28 [INFO] c:\users\desktop\package 0827\0827(15).exe
08/27/2018,21-05-28 [INFO] [DETECTION] file contains 'HEUR/APC'
08/27/2018,21-05-43 [INFO] FP reports status 'NO False Positive' for file 'c:\users\desktop\package 0827\0827(16).exe'
08/27/2018,21-05-43 [INFO] The file 'c:\users\desktop\package 0827\0827(16).exe' has been uploaded to the Protection Cloud and analyzed. SHA256 = 6B75CE1BE0FA46CCF204790F1D95CB687765819E0395D8B79C1CD53F59448B84
08/27/2018,21-05-43 [INFO] c:\users\desktop\package 0827\0827(16).exe
08/27/2018,21-05-43 [INFO] [DETECTION] file contains 'TR/Injector.6b75ce'
08/27/2018,21-05-58 [INFO] FP reports status 'NO False Positive' for file 'c:\users\desktop\package 0827\0827(18).exe'
08/27/2018,21-05-58 [INFO] The file 'c:\users\desktop\package 0827\0827(18).exe' has been uploaded to the Protection Cloud and analyzed. SHA256 = FDF94226ABAB274C0FC6C7C2DC45AD808F01EA7E71D2C45A3835E6B745B150A1
08/27/2018,21-05-58 [INFO] c:\users\desktop\package 0827\0827(18).exe
08/27/2018,21-05-58 [INFO] [DETECTION] file contains 'TR/Crypt.XPACK.fdf942'
08/27/2018,21-06-12 [INFO] FP reports status 'NO False Positive' for file 'c:\users\desktop\package 0827\0827(19).exe'
08/27/2018,21-06-12 [INFO] The file 'c:\users\desktop\package 0827\0827(19).exe' has been uploaded to the Protection Cloud and analyzed. SHA256 = 9FB0F93FC50564B2AC90D665C4F9C52F0C3773CD052C0135EFFE25FF5070CD23
08/27/2018,21-06-12 [INFO] c:\users\desktop\package 0827\0827(19).exe
08/27/2018,21-06-12 [INFO] [DETECTION] file contains 'TR/Dropper.MSIL.9fb0f9'
08/27/2018,21-06-29 [INFO] Retry 1 for the file 'c:\users\desktop\package 0827\0827(2).exe'. SHA256 = B23EB7E70EC2486593E2B136251445AF2BBE84FFB90DF18C7D4226BC89AD5413
08/27/2018,21-06-33 [INFO] FP reports status 'NO False Positive' for file 'c:\users\desktop\package 0827\0827(2).exe'
08/27/2018,21-06-33 [INFO] The file 'c:\users\desktop\package 0827\0827(2).exe' has been uploaded to the Protection Cloud and analyzed. SHA256 = B23EB7E70EC2486593E2B136251445AF2BBE84FFB90DF18C7D4226BC89AD5413
08/27/2018,21-06-33 [INFO] c:\users\desktop\package 0827\0827(2).exe
08/27/2018,21-06-33 [INFO] [DETECTION] file contains 'TR/Kryptik.b23eb7'
08/27/2018,21-06-33 [INFO] The file 'c:\users\desktop\package 0827\0827(3).exe' was scanned with the Protection Cloud. SHA256 = BD1A7F12F317F4EA877CD2EEA1035F9A907FCAA83E4333EDF8A44A019494BAA7
08/27/2018,21-06-34 [INFO] The file 'c:\users\desktop\package 0827\0827(5).exe' was scanned with the Protection Cloud. SHA256 = 343BBA86BC43920C91AD1E17CF2FA8704A8071DC5F440ACFEE2D70F253A3B07B
08/27/2018,21-06-34 [INFO] The file 'c:\users\desktop\package 0827\0827(6).exe' was scanned with the Protection Cloud. SHA256 = E6460C86386E084AA21F9C4AE9CBE122D4CB81D6D6E58189FEA245BE6475DAE0
08/27/2018,21-06-35 [INFO] The file 'c:\users\desktop\package 0827\0827(7).exe' was scanned with the Protection Cloud. SHA256 = F94819DB8E5B8CD555D2935847075C15DC0A8856F9A0B8C0E000ECA1C772926D
08/27/2018,21-06-35 [INFO] The file 'c:\users\desktop\package 0827\0827(8).exe' was scanned with the Protection Cloud. SHA256 = 4C38FFFCE83E97941145568989C84CA55FF42146505AE07669B69688F7A68D4E
08/27/2018,21-06-36 [INFO] The file 'c:\users\desktop\package 0827\0827(9).exe' was scanned with the Protection Cloud. SHA256 = 05647B61A26D1F4E363A9B0F8C17A3E76760C2CDD2D109A62EDF1139BFD12508

复制代码

显示全部楼层 · 发表于 2018-8-27 21:03:14

本帖最后由静影沉璧于 2018-8-27 22:09 编辑

AVAST高级版
扫描：11/19
双击：
IDP杀3,5,7,9,10,19号样本
剩余样本双击结果：
2号：过扫描后miss
15号样本（似乎是勒索），第一次双击成功防御，然而重启后……文件又被加密了

Total：17/19 89.5%

显示全部楼层 · 发表于 2018-8-27 21:03:35

本帖最后由静影沉璧于 2018-8-27 22:34 编辑

SEP：SEP：
扫描：13/16

0827(1).exe Downloader.Ponik 已通过删除清除病毒自动防护扫描 C:\Users\Administrator\Desktop\PACKAGE 0827\ WIN-7L012NVDSMK Administrator 已删除已删除清除安全风险隔离已成功地删除了文件。 2018/8/27 21:14:44
0827(3).exe Heur.AdvML.B 已通过删除清除启发式病毒自动防护扫描 C:\Users\Administrator\Desktop\PACKAGE 0827\ WIN-7L012NVDSMK Administrator 已删除已删除清除安全风险隔离已成功地删除了文件。 2018/8/27 21:14:57
0827(2).exe Heur.AdvML.B 已通过删除清除启发式病毒自动防护扫描 C:\Users\Administrator\Desktop\PACKAGE 0827\ WIN-7L012NVDSMK Administrator 已删除已删除清除安全风险隔离已成功地删除了文件。 2018/8/27 21:15:08
0827(19).exe Heur.AdvML.B 已通过删除清除启发式病毒自动防护扫描 C:\Users\Administrator\Desktop\PACKAGE 0827\ WIN-7L012NVDSMK Administrator 已删除已删除清除安全风险隔离已成功地删除了文件。 2018/8/27 21:15:17
0827(14).exe Trojan.Emotet!g5 已通过删除清除启发式病毒自动防护扫描 C:\Users\Administrator\Desktop\PACKAGE 0827\ WIN-7L012NVDSMK Administrator 已删除已删除清除安全风险隔离已成功地删除了文件。 2018/8/27 21:15:27
0827(4).exe Heur.AdvML.B 已通过删除清除启发式病毒自动防护扫描 C:\Users\Administrator\Desktop\PACKAGE 0827\ WIN-7L012NVDSMK Administrator 已删除已删除清除安全风险隔离已成功地删除了文件。 2018/8/27 21:15:35
0827(11).exe Packed.Generic.516 已通过删除清除启发式病毒自动防护扫描 C:\Users\Administrator\Desktop\PACKAGE 0827\ WIN-7L012NVDSMK Administrator 已删除已删除清除安全风险隔离已成功地删除了文件。 2018/8/27 21:15:45
0827(5).exe Heur.AdvML.B 已通过删除清除启发式病毒自动防护扫描 C:\Users\Administrator\Desktop\PACKAGE 0827\ WIN-7L012NVDSMK Administrator 已删除已删除清除安全风险隔离已成功地删除了文件。 2018/8/27 21:16:12
0827(18).exe Packed.Generic.521 已通过删除清除病毒自动防护扫描 C:\Users\Administrator\Desktop\PACKAGE 0827\ WIN-7L012NVDSMK Administrator 已删除已删除清除安全风险隔离已成功地删除了文件。 2018/8/27 21:16:21
0827(16).exe Packed.Generic.516 已通过删除清除启发式病毒自动防护扫描 C:\Users\Administrator\Desktop\PACKAGE 0827\ WIN-7L012NVDSMK Administrator 已删除已删除清除安全风险隔离已成功地删除了文件。 2018/8/27 21:16:47
0827(6).exe Packed.Generic.516 已通过删除清除启发式病毒自动防护扫描 C:\Users\Administrator\Desktop\PACKAGE 0827\ WIN-7L012NVDSMK Administrator 已删除已删除清除安全风险隔离已成功地删除了文件。 2018/8/27 21:17:20
0827(13).exe Heur.AdvML.B 已通过删除清除启发式病毒自动防护扫描 C:\Users\Administrator\Desktop\PACKAGE 0827\ WIN-7L012NVDSMK Administrator 已删除已删除清除安全风险隔离已成功地删除了文件。 2018/8/27 21:17:30
0827(7).exe Heur.AdvML.B 已通过删除清除启发式病毒自动防护扫描 C:\Users\Administrator\Desktop\PACKAGE 0827\ WIN-7L012NVDSMK Administrator 已删除已删除清除安全风险隔离已成功地删除了文件。 2018/8/27 21:17:45

复制代码

双击：SONAR kill 5X（15号勒索样本的主体是图中的lockyfud.exe）

Total：18/19 94.7%

显示全部楼层 · 发表于 2018-8-27 21:04:37

本帖最后由 www-tekeze 于 2018-8-28 00:39 编辑

21:05，17/19，89.5%，剩余#9、#17 。补充：上报后补杀#9

显示全部楼层 · 发表于 2018-8-27 21:12:52

本帖最后由 YU2711 于 2018-8-27 23:32 编辑

TREND MICRO 21:04
SCAN 4/19

安全威脅: Backdoor.MSIL.ASDROP.SMZSM
來源類型: 安全威脅
受影響的檔案: C:\Users\USER\Downloa…\0827(19).exe
處理行動: 已移除
偵測方式: 手動掃瞄
安全威脅: TrojanSpy.Win32.LOKI.SMBD1.hp
來源類型: 安全威脅
受影響的檔案: C:\Users\USER\Download…\0827(6).exe
處理行動: 已移除
偵測方式: 手動掃瞄
安全威脅: TrojanSpy.Win32.LOKI.SMBD1.hp
來源類型: 安全威脅
受影響的檔案: C:\Users\USER\Downloa…\0827(11).exe
處理行動: 已移除
偵測方式: 手動掃瞄
安全威脅: TrojanSpy.Win32.LOKI.SMBD1.hp
來源類型: 安全威脅
受影響的檔案: C:\Users\USER\Downloa…\0827(16).exe
處理行動: 已移除
偵測方式: 手動掃瞄

复制代码

显示全部楼层 · 发表于 2018-8-27 21:23:54

本帖最后由 a445441 于 2018-8-27 21:49 编辑

卡巴：10/19=52.6%

显示全部楼层 · 发表于 2018-8-27 21:46:37

微点15/19 79%

时间类型处理结果病毒名称病毒路径创建者描述
2018-08-27 21:44:13 蠕虫处理成功 C:\USERS\555\APPDATA\ROAMING\C4F79B\B13E36.EXE C:\USERS\555\DESKTOP\PACKAGE 0827\0827(7).EXE 未发现任何修改动作...
2018-08-27 21:44:12 蠕虫处理成功 C:\USERS\555\DESKTOP\PACKAGE 0827\0827(7).EXE C:\PROGRAM FILES (X86)\360\360ZIP\360ZIP.EXE 生成(1)个文件...
2018-08-27 21:43:40 木马处理成功未知间谍软件 C:\USERS\555\APPDATA\ROAMING\MICROSOFT\WINDOWS\START MENU\PROGRAMS\STARTUP\ADOBESERVICE.EXE C:\WINDOWS\SYSTEM32\SVCHOST.EXE 未发现任何修改动作...
2018-08-27 21:43:01 木马处理成功 C:\USERS\555\DESKTOP\PACKAGE 0827\0827(5).EXE C:\PROGRAM FILES (X86)\360\360ZIP\360ZIP.EXE 未发现任何修改动作...
2018-08-27 21:42:24 木马处理成功未知木马 C:\USERS\555\DESKTOP\PACKAGE 0827\0827(9).EXE C:\PROGRAM FILES (X86)\360\360ZIP\360ZIP.EXE 未发现任何修改动作...
2018-08-27 21:42:09 木马删除文件失败未知木马 C:\USERS\555\DESKTOP\PACKAGE 0827\0827(9).EXE C:\PROGRAM FILES (X86)\360\360ZIP\360ZIP.EXE 未发现任何修改动作...
2018-08-27 21:42:04 木马删除文件失败未知木马 C:\USERS\555\DESKTOP\PACKAGE 0827\0827(9).EXE C:\PROGRAM FILES (X86)\360\360ZIP\360ZIP.EXE 未发现任何修改动作...
2018-08-27 21:41:59 木马处理成功 C:\USERS\555\DESKTOP\PACKAGE 0827\0827(19).EXE C:\PROGRAM FILES (X86)\360\360ZIP\360ZIP.EXE 未发现任何修改动作...
2018-08-27 21:41:56 木马处理成功 C:\USERS\555\APPDATA\LOCAL\TEMP\IS-S43D4.TMP\0827(17).TMP C:\USERS\555\DESKTOP\PACKAGE 0827\0827(17).EXE 未发现任何修改动作...
2018-08-27 21:41:56 木马处理成功 C:\USERS\555\DESKTOP\PACKAGE 0827\0827(17).EXE C:\PROGRAM FILES (X86)\360\360ZIP\360ZIP.EXE 生成(1)个文件...
2018-08-27 21:41:37 木马处理成功 C:\USERS\555\APPDATA\LOCAL\MICROSOFT\WINDOWS\LUNAMUTE.EXE C:\USERS\555\DESKTOP\PACKAGE 0827\0827(14).EXE 未发现任何修改动作...
2018-08-27 21:41:37 木马处理成功 C:\USERS\555\DESKTOP\PACKAGE 0827\0827(14).EXE C:\PROGRAM FILES (X86)\360\360ZIP\360ZIP.EXE 生成(1)个文件...
2018-08-27 21:41:35 木马处理成功 C:\USERS\555\APPDATA\LOCAL\TEMP\IS-FEKCV.TMP\0827(15).TMP C:\USERS\555\DESKTOP\PACKAGE 0827\0827(15).EXE 未发现任何修改动作...
2018-08-27 21:41:35 木马处理成功 C:\USERS\555\DESKTOP\PACKAGE 0827\0827(15).EXE C:\PROGRAM FILES (X86)\360\360ZIP\360ZIP.EXE 生成(1)个文件...
2018-08-27 21:41:33 木马删除文件失败未知木马 C:\USERS\555\DESKTOP\PACKAGE 0827\0827(9).EXE C:\PROGRAM FILES (X86)\360\360ZIP\360ZIP.EXE 未发现任何修改动作...
2018-08-27 21:41:26 木马删除文件失败未知木马 C:\USERS\555\DESKTOP\PACKAGE 0827\0827(9).EXE C:\PROGRAM FILES (X86)\360\360ZIP\360ZIP.EXE 未发现任何修改动作...
2018-08-27 21:41:26 木马处理成功 C:\USERS\555\APPDATA\ROAMING\AE26E99B-688B-40DF-B67A-E7E11CAE2119\WPA MANAGER\WPAMGR.EXE C:\USERS\555\DESKTOP\PACKAGE 0827\0827(9).EXE 未发现任何修改动作...
2018-08-27 21:41:26 木马删除文件失败 C:\USERS\555\DESKTOP\PACKAGE 0827\0827(9).EXE C:\PROGRAM FILES (X86)\360\360ZIP\360ZIP.EXE 生成(1)个文件，注册表中修改(1)项...
2018-08-27 21:41:08 木马处理成功 C:\USERS\555\APPDATA\ROAMING\CV.EXE C:\USERS\555\DESKTOP\PACKAGE 0827\0827(4).EXE 未发现任何修改动作...
2018-08-27 21:41:07 木马处理成功 C:\USERS\555\DESKTOP\PACKAGE 0827\0827(4).EXE C:\PROGRAM FILES (X86)\360\360ZIP\360ZIP.EXE 生成(1)个文件...
2018-08-27 21:41:01 木马处理成功 C:\PROGRAMDATA\WINDOWS\CSRSS.EXE C:\USERS\555\DESKTOP\PACKAGE 0827\0827(3).EXE 未发现任何修改动作...
2018-08-27 21:41:01 木马处理成功 C:\USERS\555\DESKTOP\PACKAGE 0827\0827(3).EXE C:\PROGRAM FILES (X86)\360\360ZIP\360ZIP.EXE 生成(1)个文件，注册表中修改(1)项...
2018-08-27 21:40:58 木马处理成功未知间谍软件 C:\USERS\555\DESKTOP\PACKAGE 0827\0827(2).EXE C:\PROGRAM FILES (X86)\360\360ZIP\360ZIP.EXE 未发现任何修改动作...
2018-08-27 21:40:57 木马处理成功 C:\USERS\555\DESKTOP\PACKAGE 0827\0827(2).EXE C:\PROGRAM FILES (X86)\360\360ZIP\360ZIP.EXE 未发现任何修改动作...
2018-08-27 21:40:48 木马处理成功 C:\USERS\555\APPDATA\ROAMING\MICROSOFT\WINDOWS\START MENU\PROGRAMS\{20949F-A734E6-ECD3-60272A203373}\TOOLSET.EXE C:\USERS\555\DESKTOP\PACKAGE 0827\0827(8).EXE 未发现任何修改动作...
2018-08-27 21:40:48 木马处理成功 C:\USERS\555\DESKTOP\PACKAGE 0827\0827(8).EXE C:\PROGRAM FILES (X86)\360\360ZIP\360ZIP.EXE 生成(1)个文件...
2018-08-27 21:40:43 木马处理成功 C:\USERS\555\DESKTOP\PACKAGE 0827\0827(12).EXE C:\PROGRAM FILES (X86)\360\360ZIP\360ZIP.EXE 未发现任何修改动作...

显示全部楼层 · 发表于 2018-8-27 21:56:43

ESET
16/19

Time;Scanner;Object type;Object;Threat;Action;User;Information;Hash;First seen here
2018/8/27 21:55:20;Real-time file system protection;file;C:\Users\zhong\Downloads\Compressed\VIRUS TEST\PACKAGE 0827\0827(2).exe;a variant of Win32/GenKryptik.CJHJ trojan;cleaned by deleting;DESKTOP-VPBE70N\zhong;Event occurred on a new file created by the application: C:\Program Files\WinRAR\WinRAR.exe (33F1554BA5E9F414C8A7DFD65A5831C513BD2DB2).;E16EB4994751342F99359E87C053E3214E4D1A33;2018/8/27 21:55:11
2018/8/27 21:55:20;Real-time file system protection;file;C:\Users\zhong\Downloads\Compressed\VIRUS TEST\PACKAGE 0827\0827(4).exe;a variant of MSIL/Agent.AQL trojan;cleaned by deleting;DESKTOP-VPBE70N\zhong;Event occurred on a new file created by the application: C:\Program Files\WinRAR\WinRAR.exe (33F1554BA5E9F414C8A7DFD65A5831C513BD2DB2).;92C38DB9FC10B266CD77159A0AD460860E1D535C;2018/8/27 21:55:11
2018/8/27 21:55:20;Real-time file system protection;file;C:\Users\zhong\Downloads\Compressed\VIRUS TEST\PACKAGE 0827\0827(13).exe;a variant of MSIL/Kryptik.PDT trojan;cleaned by deleting;DESKTOP-VPBE70N\zhong;Event occurred on a new file created by the application: C:\Program Files\WinRAR\WinRAR.exe (33F1554BA5E9F414C8A7DFD65A5831C513BD2DB2).;06CB84248653A743F58751557FBC588BAF77306E;2018/8/27 21:55:10
2018/8/27 21:55:20;Real-time file system protection;file;C:\Users\zhong\Downloads\Compressed\VIRUS TEST\PACKAGE 0827\0827(16).exe;a variant of Win32/Injector.EAAW trojan;cleaned by deleting;DESKTOP-VPBE70N\zhong;Event occurred on a new file created by the application: C:\Program Files\WinRAR\WinRAR.exe (33F1554BA5E9F414C8A7DFD65A5831C513BD2DB2).;681E338D24D0C33A8F4D25AE28256329FD5DE2E6;2018/8/27 21:55:10
2018/8/27 21:55:20;Real-time file system protection;file;C:\Users\zhong\Downloads\Compressed\VIRUS TEST\PACKAGE 0827\0827(11).exe;a variant of Win32/Injector.EAAW trojan;cleaned by deleting;DESKTOP-VPBE70N\zhong;Event occurred on a new file created by the application: C:\Program Files\WinRAR\WinRAR.exe (33F1554BA5E9F414C8A7DFD65A5831C513BD2DB2).;825828A428E493298C8E02E6A1FBA6AA56DC40AC;2018/8/27 21:55:10
2018/8/27 21:55:20;Real-time file system protection;file;C:\Users\zhong\Downloads\Compressed\VIRUS TEST\PACKAGE 0827\0827(18).exe;Win32/Spy.Ursnif.BW trojan;cleaned by deleting;DESKTOP-VPBE70N\zhong;Event occurred on a new file created by the application: C:\Program Files\WinRAR\WinRAR.exe (33F1554BA5E9F414C8A7DFD65A5831C513BD2DB2).;B603A6FBE4F6FF986973841E5BBCD6CEB5913375;2018/8/27 21:55:11
2018/8/27 21:55:21;Real-time file system protection;file;C:\Users\zhong\Downloads\Compressed\VIRUS TEST\PACKAGE 0827\0827(5).exe;a variant of MSIL/Kryptik.PHG trojan;cleaned by deleting;DESKTOP-VPBE70N\zhong;Event occurred on a new file created by the application: C:\Program Files\WinRAR\WinRAR.exe (33F1554BA5E9F414C8A7DFD65A5831C513BD2DB2).;0F16CBC2B1C3DB261BD6D00A2806CC9D6A230B68;2018/8/27 21:55:11
2018/8/27 21:55:23;Real-time file system protection;file;C:\Users\zhong\Downloads\Compressed\VIRUS TEST\PACKAGE 0827\0827(10).exe;a variant of Win32/Injector.EAAR trojan;cleaned by deleting;DESKTOP-VPBE70N\zhong;Event occurred on a new file created by the application: C:\Program Files\WinRAR\WinRAR.exe (33F1554BA5E9F414C8A7DFD65A5831C513BD2DB2).;3EFB0EC8D65B7F379AA479A09EE065203A92ECDE;
2018/8/27 21:55:24;Real-time file system protection;file;C:\Users\zhong\Downloads\Compressed\VIRUS TEST\PACKAGE 0827\0827(7).exe;Win32/PSW.Fareit.L trojan;cleaned by deleting;DESKTOP-VPBE70N\zhong;Event occurred on a new file created by the application: C:\Program Files\WinRAR\WinRAR.exe (33F1554BA5E9F414C8A7DFD65A5831C513BD2DB2).;D93DCF0FD62080D11776C2F12E1AF4E941891DF3;2018/8/27 21:55:11
2018/8/27 21:55:25;Real-time file system protection;file;C:\Users\zhong\Downloads\Compressed\VIRUS TEST\PACKAGE 0827\0827(14).exe;a variant of Win32/Kryptik.GKFJ trojan;cleaned by deleting;DESKTOP-VPBE70N\zhong;Event occurred on a new file created by the application: C:\Program Files\WinRAR\WinRAR.exe (33F1554BA5E9F414C8A7DFD65A5831C513BD2DB2).;691AEA27DE5DFDBE3F607ECB2E7E313A0A44B7F3;2018/8/27 21:55:10
2018/8/27 21:55:26;Real-time file system protection;file;C:\Users\zhong\Downloads\Compressed\VIRUS TEST\PACKAGE 0827\0827(1).exe;a variant of Win32/Injector.EAAM trojan;cleaned by deleting;DESKTOP-VPBE70N\zhong;Event occurred on a new file created by the application: C:\Program Files\WinRAR\WinRAR.exe (33F1554BA5E9F414C8A7DFD65A5831C513BD2DB2).;5620FC5B8EECB8AB1065A362E42A50FE15BA6BBD;2018/8/27 21:55:10
2018/8/27 21:55:27;Real-time file system protection;file;C:\Users\zhong\Downloads\Compressed\VIRUS TEST\PACKAGE 0827\0827(6).exe;a variant of Win32/Injector.EAAW trojan;cleaned by deleting;DESKTOP-VPBE70N\zhong;Event occurred on a new file created by the application: C:\Program Files\WinRAR\WinRAR.exe (33F1554BA5E9F414C8A7DFD65A5831C513BD2DB2).;9C49859756D32E6D7D7A6AB24BF6200412016C27;2018/8/27 21:55:11
2018/8/27 21:55:29;Real-time file system protection;file;C:\Users\zhong\Downloads\Compressed\VIRUS TEST\PACKAGE 0827\0827(12).exe;a variant of MSIL/Injector.TWG trojan;cleaned by deleting;DESKTOP-VPBE70N\zhong;Event occurred on a new file created by the application: C:\Program Files\WinRAR\WinRAR.exe (33F1554BA5E9F414C8A7DFD65A5831C513BD2DB2).;4341A9FD4790727C642DAD514592AA946B66C23A;2018/8/27 21:55:10
2018/8/27 21:55:30;Real-time file system protection;file;C:\Users\zhong\Downloads\Compressed\VIRUS TEST\PACKAGE 0827\0827(3).exe;a variant of Win32/Kryptik.GKEA trojan;cleaned by deleting;DESKTOP-VPBE70N\zhong;Event occurred on a new file created by the application: C:\Program Files\WinRAR\WinRAR.exe (33F1554BA5E9F414C8A7DFD65A5831C513BD2DB2).;FDCFDEF2DED5A0CA24AE277CB7BF950A65706295;2018/8/27 21:55:11
2018/8/27 21:55:32;Real-time file system protection;file;C:\Users\zhong\Downloads\Compressed\VIRUS TEST\PACKAGE 0827\0827(8).exe;a variant of MSIL/Agent.STM trojan;cleaned by deleting;DESKTOP-VPBE70N\zhong;Event occurred on a new file created by the application: C:\Program Files\WinRAR\WinRAR.exe (33F1554BA5E9F414C8A7DFD65A5831C513BD2DB2).;26FD0B7970B58D6474A1643BE76F13C6E020FEE0;2018/8/27 21:55:11
2018/8/27 21:55:32;Real-time file system protection;file;C:\Users\zhong\Downloads\Compressed\VIRUS TEST\PACKAGE 0827\0827(9).exe;a variant of Win32/GenKryptik.CJHI trojan;cleaned by deleting;DESKTOP-VPBE70N\zhong;Event occurred on a new file created by the application: C:\Program Files\WinRAR\WinRAR.exe (33F1554BA5E9F414C8A7DFD65A5831C513BD2DB2).;A27E429077ADDA29FCCD170F736F52B93365F983;2018/8/27 21:55:11

复制代码

[病毒样本] #PACKAGE 0827

评分

本帖子中包含更多资源

本帖子中包含更多资源