#PACKAGE 0827

Jerry.Lin

蓝奏

Total : 19


#勿传VT
#在样本有效期内（24小时），建议无需手动上报样本至厂商，便于其他人测试行为拦截，响应速度等
#样本序号以收集时间顺序排序，越大代表越接近现在时间

#原始样本在ESET LiveGrid 云系统 被发现的时间





IOC：

1. 0827(2).exe  -  eceb968c929151242cf57783b27b38c1
   
2. 0827(3).exe  -  4233a0dbef8a300b7610d2db3d40595a
   
3. 0827(13).exe  -  97a30822ad4f74376ef8c013958bd4c9
   
4. 0827(10).exe  -  4a3367a95c3408060a99a7b5bc370efb
   
5. 0827(15).exe  -  d3d28b9665bdbc7a297e977134b90810
   
6. 0827(7).exe  -  7330f8c8f20f1a6aa419470d2421ce27
   
7. 0827(17).exe  -  0398d53bc37802082f8b710589a1f9f6
   
8. 0827(11).exe  -  24cc4ad6883d1477c2dbf90d4df7b618
   
9. 0827(4).exe  -  ba0b6e2dccc0bf82a92c86c52a8ca921
   
10. 0827(8).exe  -  5eee8651cf210df9cf66da55d93a8d99
    
11. 0827(18).exe  -  16a6c86092dcbf0b7dc483a4b2eca167
    
12. 0827(9).exe  -  e4b92b9bef8dd114333febd04d131230
    
13. 0827(5).exe  -  18a23b7daf7ccb3d3cb59780e9e10d4e
    
14. 0827(19).exe  -  3825efd5fcbdde5bd2a250c08d335c91
    
15. 0827(1).exe  -  21e6182ef3ec3f8bb806cecc945d0fc4
    
16. 0827(12).exe  -  0bf5f61879df689ced502e18e13d2c32
    
17. 0827(14).exe  -  790a2768b504dc976539fab4d7d6d3b3
    
18. 0827(6).exe  -  ce3e9c09443110098104cc70b5e5bf20
    
19. 0827(16).exe  -  3ad789016069bfcbce4aa217b62bf864
    

复制代码

回帖格式建议

杀软名称 + 时间
查杀数量+查杀率


例如：
XXX 20:39
Samples(5/10) 50%

Jirehlov1234

BD 21:00
TIU 11905561

扫描9x+双击8x=17/19

E:\TEST\PACKAGE 0827\0827(7).exe	Trojan.Agent.DDOY	Deleted
E:\TEST\PACKAGE 0827\0827(8).exe	Gen:Variant.Barys.51339	Deleted
E:\TEST\PACKAGE 0827\0827(1).exe	Trojan.GenericKD.40429263	Deleted
E:\TEST\PACKAGE 0827\0827(18).exe	Trojan.GenericKD.40428724	Deleted
E:\TEST\PACKAGE 0827\0827(13).exe	Gen:Variant.Razy.378118	Deleted
E:\TEST\PACKAGE 0827\0827(3).exe	Trojan.GenericKD.40424759	Deleted
E:\TEST\PACKAGE 0827\0827(12).exe	Gen:Variant.Johnnie.117678	Deleted
E:\TEST\PACKAGE 0827\0827(5).exe	Trojan.GenericKD.40429995	Deleted
E:\TEST\PACKAGE 0827\0827(14).exe	Trojan.GenericKD.40430006	Deleted

2
ATD击杀（malicious behavior）
0827(2).exe
adobeservice.exe

4
允许外联37.187.155.228
ATD击杀（potentially malicious application）
0827(4).exe
dddw.lnk

6
ATD击杀（potentially malicious application）
0827(6).exe


9
ATD击杀（malicious behavior）
0827(9).exe
~df0eef58600b33e77c.tmp
udpsvc.exe
run.dat

10
自退出

11
ATD击杀（potentially malicious application）
0827(11).exe


15
ATD击杀（malicious behavior）
aemogrtinstall14-2-1.txt.lockedfile（勒索？）
execoutputhandlerunner.java.lockedfile
0827(15).exe
crypto.hash._sha256.pyd
crypto.util.strxor.pyd
crypto.cipher._des.pyd
crypto.cipher._aes.pyd
crypto.util._counter.pyd
crypto.random.osrng.winrandom.pyd
crypto.cipher._des3.pyd
lockyfud.exe
lockyfud.exe.manifest
safestreams.java
encodedstream.java
javaexechandlefactory.java
aemogrtinstall14-2-1.txt.lockymap
win32ui.pyd
signatures.xml.lockymap
defaultexechandlebuilder.java
locky-readme.txt
defaultexechandlebuilder.java.lockedfile
defaultexechandlebuilder.java.lockymap
aemogrtinstall14-2-1.txt
defaultjavaexecaction.java
streamsforwarder.java.lockymap
defaultjavaexecaction.java.lockedfile
defaultjavaexecaction.java.lockymap
defaultjavaforkoptions.java
safestreams.java.lockymap
defaultjavaforkoptions.java.lockedfile
defaultjavaforkoptions.java.lockymap
defaultprocessforkoptions.java
defaultprocessforkoptions.java.lockedfile
aemogrtinstall15-1.txt
aemogrtinstall15-1.txt.lockedfile
aemogrtinstall15-1.txt.lockymap
defaultprocessforkoptions.java.lockymap
execaction.java
等等

16
ATD击杀（potentially malicious application）
0827(16).exe


17
ATD阻止（vulnerability exploitation）
firefox.exe

19
ATD击杀（malicious behavior）
0827(19).exe

stupid1man

紅傘 21:02
右鍵掃描：3
傳送APC待確定：9/15

21:27
隔離區掃（接近於雙擊APC）：6/7
Total：18/19（94.7%）

——————掃描部份——————

1. Start of the scan: 2018-08-27 21:02:40
   
2. 08/27/2018,21-02-43        [INFO]        [CLOUD] File 'c:\users\desktop\package 0827\0827(1).exe' needs to be uploaded to cloud. User confirmation is needed.
   
3. 08/27/2018,21-02-43        [INFO]        The file 'c:\users\desktop\package 0827\0827(1).exe' was scanned with the Protection Cloud. SHA256 = DCF5A24AD263711F9105F1FDBFAA74800223680A0C700DFBE7EB60B7AC7151CD
   
4. 08/27/2018,21-02-44        [INFO]        FP reports status 'NO False Positive' for file 'c:\users\desktop\package 0827\0827(10).exe'
   
5. 08/27/2018,21-02-44        [INFO]        c:\users\desktop\package 0827\0827(10).exe
   
6. 08/27/2018,21-02-44        [INFO]        [DETECTION] file contains 'HEUR/AGEN.1008710'
   
7. 08/27/2018,21-02-44        [INFO]        [CLOUD] File 'c:\users\desktop\package 0827\0827(11).exe' needs to be uploaded to cloud. User confirmation is needed.
   
8. 08/27/2018,21-02-44        [INFO]        The file 'c:\users\desktop\package 0827\0827(11).exe' was scanned with the Protection Cloud. SHA256 = CA43FD2FA781341E480F4782753B90870BB95DE0277DA32749B3B43CDECC073F
   
9. 08/27/2018,21-02-45        [INFO]        [CLOUD] File 'c:\users\desktop\package 0827\0827(12).exe' needs to be uploaded to cloud. User confirmation is needed.
   
10. 08/27/2018,21-02-45        [INFO]        The file 'c:\users\desktop\package 0827\0827(12).exe' was scanned with the Protection Cloud. SHA256 = 6D450B882D64397617EE6EF876D5CE609004816FACDF944802FD850E0661C98D
    
11. 08/27/2018,21-02-45        [INFO]        FP reports status 'NO False Positive' for file 'c:\users\desktop\package 0827\0827(13).exe'
    
12. 08/27/2018,21-02-45        [INFO]        c:\users\desktop\package 0827\0827(13).exe
    
13. 08/27/2018,21-02-45        [INFO]        [DETECTION] file contains 'TR/Dropper.MSIL.Gen'
    
14. 08/27/2018,21-02-45        [INFO]        [CLOUD] File 'c:\users\desktop\package 0827\0827(14).exe' needs to be uploaded to cloud. User confirmation is needed.
    
15. 08/27/2018,21-02-45        [INFO]        The file 'c:\users\desktop\package 0827\0827(14).exe' was scanned with the Protection Cloud. SHA256 = 89E1D3659614A085BF49EF5602E7460CE5AAA1826D1FE27FFAD300C13088A6B9
    
16. 08/27/2018,21-02-47        [INFO]        [CLOUD] File 'c:\users\desktop\package 0827\0827(15).exe' needs to be uploaded to cloud. User confirmation is needed.
    
17. 08/27/2018,21-02-47        [INFO]        The file 'c:\users\desktop\package 0827\0827(15).exe' was scanned with the Protection Cloud. SHA256 = D0AC8F97A60F6083AE3B4CF366F7EFCA5C6336E2542D02F53A680180C23B10F1
    
18. 08/27/2018,21-02-47        [INFO]        [CLOUD] File 'c:\users\desktop\package 0827\0827(16).exe' needs to be uploaded to cloud. User confirmation is needed.
    
19. 08/27/2018,21-02-47        [INFO]        The file 'c:\users\desktop\package 0827\0827(16).exe' was scanned with the Protection Cloud. SHA256 = 6B75CE1BE0FA46CCF204790F1D95CB687765819E0395D8B79C1CD53F59448B84
    
20. 08/27/2018,21-02-48        [INFO]        [CLOUD] File 'c:\users\desktop\package 0827\0827(18).exe' needs to be uploaded to cloud. User confirmation is needed.
    
21. 08/27/2018,21-02-48        [INFO]        The file 'c:\users\desktop\package 0827\0827(18).exe' was scanned with the Protection Cloud. SHA256 = FDF94226ABAB274C0FC6C7C2DC45AD808F01EA7E71D2C45A3835E6B745B150A1
    
22. 08/27/2018,21-02-48        [INFO]        [CLOUD] File 'c:\users\desktop\package 0827\0827(19).exe' needs to be uploaded to cloud. User confirmation is needed.
    
23. 08/27/2018,21-02-48        [INFO]        The file 'c:\users\desktop\package 0827\0827(19).exe' was scanned with the Protection Cloud. SHA256 = 9FB0F93FC50564B2AC90D665C4F9C52F0C3773CD052C0135EFFE25FF5070CD23
    
24. 08/27/2018,21-02-48        [INFO]        [CLOUD] File 'c:\users\desktop\package 0827\0827(2).exe' needs to be uploaded to cloud. User confirmation is needed.
    
25. 08/27/2018,21-02-48        [INFO]        The file 'c:\users\desktop\package 0827\0827(2).exe' was scanned with the Protection Cloud. SHA256 = B23EB7E70EC2486593E2B136251445AF2BBE84FFB90DF18C7D4226BC89AD5413
    
26. 08/27/2018,21-02-49        [INFO]        [CLOUD] File 'c:\users\desktop\package 0827\0827(3).exe' needs to be uploaded to cloud. User confirmation is needed.
    
27. 08/27/2018,21-02-49        [INFO]        The file 'c:\users\desktop\package 0827\0827(3).exe' was scanned with the Protection Cloud. SHA256 = BD1A7F12F317F4EA877CD2EEA1035F9A907FCAA83E4333EDF8A44A019494BAA7
    
28. 08/27/2018,21-02-49        [INFO]        FP reports status 'NO False Positive' for file 'c:\users\desktop\package 0827\0827(4).exe'
    
29. 08/27/2018,21-02-49        [INFO]        c:\users\desktop\package 0827\0827(4).exe
    
30. 08/27/2018,21-02-49        [INFO]        [DETECTION] file contains 'TR/Dropper.Gen'
    
31. 08/27/2018,21-02-50        [INFO]        [CLOUD] File 'c:\users\desktop\package 0827\0827(5).exe' needs to be uploaded to cloud. User confirmation is needed.
    
32. 08/27/2018,21-02-50        [INFO]        The file 'c:\users\desktop\package 0827\0827(5).exe' was scanned with the Protection Cloud. SHA256 = 343BBA86BC43920C91AD1E17CF2FA8704A8071DC5F440ACFEE2D70F253A3B07B
    
33. 08/27/2018,21-02-50        [INFO]        [CLOUD] File 'c:\users\desktop\package 0827\0827(6).exe' needs to be uploaded to cloud. User confirmation is needed.
    
34. 08/27/2018,21-02-50        [INFO]        The file 'c:\users\desktop\package 0827\0827(6).exe' was scanned with the Protection Cloud. SHA256 = E6460C86386E084AA21F9C4AE9CBE122D4CB81D6D6E58189FEA245BE6475DAE0
    
35. 08/27/2018,21-02-51        [INFO]        [CLOUD] File 'c:\users\desktop\package 0827\0827(7).exe' needs to be uploaded to cloud. User confirmation is needed.
    
36. 08/27/2018,21-02-51        [INFO]        The file 'c:\users\desktop\package 0827\0827(7).exe' was scanned with the Protection Cloud. SHA256 = F94819DB8E5B8CD555D2935847075C15DC0A8856F9A0B8C0E000ECA1C772926D
    
37. 08/27/2018,21-02-51        [INFO]        [CLOUD] File 'c:\users\desktop\package 0827\0827(8).exe' needs to be uploaded to cloud. User confirmation is needed.
    
38. 08/27/2018,21-02-51        [INFO]        The file 'c:\users\desktop\package 0827\0827(8).exe' was scanned with the Protection Cloud. SHA256 = 4C38FFFCE83E97941145568989C84CA55FF42146505AE07669B69688F7A68D4E
    
39. 08/27/2018,21-02-52        [INFO]        [CLOUD] File 'c:\users\desktop\package 0827\0827(9).exe' needs to be uploaded to cloud. User confirmation is needed.
    
40. 08/27/2018,21-02-52        [INFO]        The file 'c:\users\desktop\package 0827\0827(9).exe' was scanned with the Protection Cloud. SHA256 = 05647B61A26D1F4E363A9B0F8C17A3E76760C2CDD2D109A62EDF1139BFD12508
    
41. 08/27/2018,21-03-17        [INFO]        Retry 1 for the file 'c:\users\desktop\package 0827\0827(1).exe'. SHA256 = DCF5A24AD263711F9105F1FDBFAA74800223680A0C700DFBE7EB60B7AC7151CD
    
42. 08/27/2018,21-03-20        [INFO]        FP reports status 'NO False Positive' for file 'c:\users\desktop\package 0827\0827(1).exe'
    
43. 08/27/2018,21-03-20        [INFO]        The file 'c:\users\desktop\package 0827\0827(1).exe' has been uploaded to the Protection Cloud and analyzed. SHA256 = DCF5A24AD263711F9105F1FDBFAA74800223680A0C700DFBE7EB60B7AC7151CD
    
44. 08/27/2018,21-03-20        [INFO]        c:\users\desktop\package 0827\0827(1).exe
    
45. 08/27/2018,21-03-20        [INFO]        [DETECTION] file contains 'TR/Dropper.VB.dcf5a2'
    
46. 08/27/2018,21-03-38        [INFO]        FP reports status 'NO False Positive' for file 'c:\users\desktop\package 0827\0827(11).exe'
    
47. 08/27/2018,21-03-38        [INFO]        The file 'c:\users\desktop\package 0827\0827(11).exe' has been uploaded to the Protection Cloud and analyzed. SHA256 = CA43FD2FA781341E480F4782753B90870BB95DE0277DA32749B3B43CDECC073F
    
48. 08/27/2018,21-03-38        [INFO]        c:\users\desktop\package 0827\0827(11).exe
    
49. 08/27/2018,21-03-38        [INFO]        [DETECTION] file contains 'TR/Injector.ca43fd'
    
50. 08/27/2018,21-03-58        [INFO]        FP reports status 'NO False Positive' for file 'c:\users\desktop\package 0827\0827(12).exe'
    
51. 08/27/2018,21-03-59        [INFO]        The file 'c:\users\desktop\package 0827\0827(12).exe' has been uploaded to the Protection Cloud and analyzed. SHA256 = 6D450B882D64397617EE6EF876D5CE609004816FACDF944802FD850E0661C98D
    
52. 08/27/2018,21-03-59        [INFO]        c:\users\desktop\package 0827\0827(12).exe
    
53. 08/27/2018,21-03-59        [INFO]        [DETECTION] file contains 'TR/Injector.6d450b'
    
54. 08/27/2018,21-04-13        [INFO]        FP reports status 'NO False Positive' for file 'c:\users\desktop\package 0827\0827(14).exe'
    
55. 08/27/2018,21-04-13        [INFO]        The file 'c:\users\desktop\package 0827\0827(14).exe' has been uploaded to the Protection Cloud and analyzed. SHA256 = 89E1D3659614A085BF49EF5602E7460CE5AAA1826D1FE27FFAD300C13088A6B9
    
56. 08/27/2018,21-04-13        [INFO]        c:\users\desktop\package 0827\0827(14).exe
    
57. 08/27/2018,21-04-13        [INFO]        [DETECTION] file contains 'TR/Crypt.XPACK.Gen'
    
58. 08/27/2018,21-05-28        [INFO]        FP reports status 'NO False Positive' for file 'c:\users\desktop\package 0827\0827(15).exe'
    
59. 08/27/2018,21-05-28        [INFO]        The file 'c:\users\desktop\package 0827\0827(15).exe' has been uploaded to the Protection Cloud and analyzed. SHA256 = D0AC8F97A60F6083AE3B4CF366F7EFCA5C6336E2542D02F53A680180C23B10F1
    
60. 08/27/2018,21-05-28        [INFO]        c:\users\desktop\package 0827\0827(15).exe
    
61. 08/27/2018,21-05-28        [INFO]        [DETECTION] file contains 'HEUR/APC'
    
62. 08/27/2018,21-05-43        [INFO]        FP reports status 'NO False Positive' for file 'c:\users\desktop\package 0827\0827(16).exe'
    
63. 08/27/2018,21-05-43        [INFO]        The file 'c:\users\desktop\package 0827\0827(16).exe' has been uploaded to the Protection Cloud and analyzed. SHA256 = 6B75CE1BE0FA46CCF204790F1D95CB687765819E0395D8B79C1CD53F59448B84
    
64. 08/27/2018,21-05-43        [INFO]        c:\users\desktop\package 0827\0827(16).exe
    
65. 08/27/2018,21-05-43        [INFO]        [DETECTION] file contains 'TR/Injector.6b75ce'
    
66. 08/27/2018,21-05-58        [INFO]        FP reports status 'NO False Positive' for file 'c:\users\desktop\package 0827\0827(18).exe'
    
67. 08/27/2018,21-05-58        [INFO]        The file 'c:\users\desktop\package 0827\0827(18).exe' has been uploaded to the Protection Cloud and analyzed. SHA256 = FDF94226ABAB274C0FC6C7C2DC45AD808F01EA7E71D2C45A3835E6B745B150A1
    
68. 08/27/2018,21-05-58        [INFO]        c:\users\desktop\package 0827\0827(18).exe
    
69. 08/27/2018,21-05-58        [INFO]        [DETECTION] file contains 'TR/Crypt.XPACK.fdf942'
    
70. 08/27/2018,21-06-12        [INFO]        FP reports status 'NO False Positive' for file 'c:\users\desktop\package 0827\0827(19).exe'
    
71. 08/27/2018,21-06-12        [INFO]        The file 'c:\users\desktop\package 0827\0827(19).exe' has been uploaded to the Protection Cloud and analyzed. SHA256 = 9FB0F93FC50564B2AC90D665C4F9C52F0C3773CD052C0135EFFE25FF5070CD23
    
72. 08/27/2018,21-06-12        [INFO]        c:\users\desktop\package 0827\0827(19).exe
    
73. 08/27/2018,21-06-12        [INFO]        [DETECTION] file contains 'TR/Dropper.MSIL.9fb0f9'
    
74. 08/27/2018,21-06-29        [INFO]        Retry 1 for the file 'c:\users\desktop\package 0827\0827(2).exe'. SHA256 = B23EB7E70EC2486593E2B136251445AF2BBE84FFB90DF18C7D4226BC89AD5413
    
75. 08/27/2018,21-06-33        [INFO]        FP reports status 'NO False Positive' for file 'c:\users\desktop\package 0827\0827(2).exe'
    
76. 08/27/2018,21-06-33        [INFO]        The file 'c:\users\desktop\package 0827\0827(2).exe' has been uploaded to the Protection Cloud and analyzed. SHA256 = B23EB7E70EC2486593E2B136251445AF2BBE84FFB90DF18C7D4226BC89AD5413
    
77. 08/27/2018,21-06-33        [INFO]        c:\users\desktop\package 0827\0827(2).exe
    
78. 08/27/2018,21-06-33        [INFO]        [DETECTION] file contains 'TR/Kryptik.b23eb7'
    
79. 08/27/2018,21-06-33        [INFO]        The file 'c:\users\desktop\package 0827\0827(3).exe' was scanned with the Protection Cloud. SHA256 = BD1A7F12F317F4EA877CD2EEA1035F9A907FCAA83E4333EDF8A44A019494BAA7
    
80. 08/27/2018,21-06-34        [INFO]        The file 'c:\users\desktop\package 0827\0827(5).exe' was scanned with the Protection Cloud. SHA256 = 343BBA86BC43920C91AD1E17CF2FA8704A8071DC5F440ACFEE2D70F253A3B07B
    
81. 08/27/2018,21-06-34        [INFO]        The file 'c:\users\desktop\package 0827\0827(6).exe' was scanned with the Protection Cloud. SHA256 = E6460C86386E084AA21F9C4AE9CBE122D4CB81D6D6E58189FEA245BE6475DAE0
    
82. 08/27/2018,21-06-35        [INFO]        The file 'c:\users\desktop\package 0827\0827(7).exe' was scanned with the Protection Cloud. SHA256 = F94819DB8E5B8CD555D2935847075C15DC0A8856F9A0B8C0E000ECA1C772926D
    
83. 08/27/2018,21-06-35        [INFO]        The file 'c:\users\desktop\package 0827\0827(8).exe' was scanned with the Protection Cloud. SHA256 = 4C38FFFCE83E97941145568989C84CA55FF42146505AE07669B69688F7A68D4E
    
84. 08/27/2018,21-06-36        [INFO]        The file 'c:\users\desktop\package 0827\0827(9).exe' was scanned with the Protection Cloud. SHA256 = 05647B61A26D1F4E363A9B0F8C17A3E76760C2CDD2D109A62EDF1139BFD12508

复制代码

静影沉璧

AVAST高级版
扫描：11/19
双击：
IDP杀3,5,7,9,10,19号样本
剩余样本双击结果：
2号：过扫描后miss
15号样本（似乎是勒索），第一次双击成功防御，然而重启后……文件又被加密了
Total：17/19 89.5%

静影沉璧

SEP：SEP：
扫描：13/16

1. 0827(1).exe        Downloader.Ponik        已通过删除清除        病毒        自动防护扫描        C:\Users\Administrator\Desktop\PACKAGE 0827\        WIN-7L012NVDSMK        Administrator        已删除        已删除        清除安全风险        隔离        已成功地删除了文件。        2018/8/27 21:14:44
   
2. 0827(3).exe        Heur.AdvML.B        已通过删除清除        启发式病毒        自动防护扫描        C:\Users\Administrator\Desktop\PACKAGE 0827\        WIN-7L012NVDSMK        Administrator        已删除        已删除        清除安全风险        隔离        已成功地删除了文件。        2018/8/27 21:14:57
   
3. 0827(2).exe        Heur.AdvML.B        已通过删除清除        启发式病毒        自动防护扫描        C:\Users\Administrator\Desktop\PACKAGE 0827\        WIN-7L012NVDSMK        Administrator        已删除        已删除        清除安全风险        隔离        已成功地删除了文件。        2018/8/27 21:15:08
   
4. 0827(19).exe        Heur.AdvML.B        已通过删除清除        启发式病毒        自动防护扫描        C:\Users\Administrator\Desktop\PACKAGE 0827\        WIN-7L012NVDSMK        Administrator        已删除        已删除        清除安全风险        隔离        已成功地删除了文件。        2018/8/27 21:15:17
   
5. 0827(14).exe        Trojan.Emotet!g5        已通过删除清除        启发式病毒        自动防护扫描        C:\Users\Administrator\Desktop\PACKAGE 0827\        WIN-7L012NVDSMK        Administrator        已删除        已删除        清除安全风险        隔离        已成功地删除了文件。        2018/8/27 21:15:27
   
6. 0827(4).exe        Heur.AdvML.B        已通过删除清除        启发式病毒        自动防护扫描        C:\Users\Administrator\Desktop\PACKAGE 0827\        WIN-7L012NVDSMK        Administrator        已删除        已删除        清除安全风险        隔离        已成功地删除了文件。        2018/8/27 21:15:35
   
7. 0827(11).exe        Packed.Generic.516        已通过删除清除        启发式病毒        自动防护扫描        C:\Users\Administrator\Desktop\PACKAGE 0827\        WIN-7L012NVDSMK        Administrator        已删除        已删除        清除安全风险        隔离        已成功地删除了文件。        2018/8/27 21:15:45
   
8. 0827(5).exe        Heur.AdvML.B        已通过删除清除        启发式病毒        自动防护扫描        C:\Users\Administrator\Desktop\PACKAGE 0827\        WIN-7L012NVDSMK        Administrator        已删除        已删除        清除安全风险        隔离        已成功地删除了文件。        2018/8/27 21:16:12
   
9. 0827(18).exe        Packed.Generic.521        已通过删除清除        病毒        自动防护扫描        C:\Users\Administrator\Desktop\PACKAGE 0827\        WIN-7L012NVDSMK        Administrator        已删除        已删除        清除安全风险        隔离        已成功地删除了文件。        2018/8/27 21:16:21
   
10. 0827(16).exe        Packed.Generic.516        已通过删除清除        启发式病毒        自动防护扫描        C:\Users\Administrator\Desktop\PACKAGE 0827\        WIN-7L012NVDSMK        Administrator        已删除        已删除        清除安全风险        隔离        已成功地删除了文件。        2018/8/27 21:16:47
    
11. 0827(6).exe        Packed.Generic.516        已通过删除清除        启发式病毒        自动防护扫描        C:\Users\Administrator\Desktop\PACKAGE 0827\        WIN-7L012NVDSMK        Administrator        已删除        已删除        清除安全风险        隔离        已成功地删除了文件。        2018/8/27 21:17:20
    
12. 0827(13).exe        Heur.AdvML.B        已通过删除清除        启发式病毒        自动防护扫描        C:\Users\Administrator\Desktop\PACKAGE 0827\        WIN-7L012NVDSMK        Administrator        已删除        已删除        清除安全风险        隔离        已成功地删除了文件。        2018/8/27 21:17:30
    
13. 0827(7).exe        Heur.AdvML.B        已通过删除清除        启发式病毒        自动防护扫描        C:\Users\Administrator\Desktop\PACKAGE 0827\        WIN-7L012NVDSMK        Administrator        已删除        已删除        清除安全风险        隔离        已成功地删除了文件。        2018/8/27 21:17:45

复制代码

双击：SONAR kill 5X（15号勒索样本的主体是图中的lockyfud.exe）



Total：18/19 94.7%

www-tekeze

21:05，17/19，89.5%，剩余#9、#17 。 补充：上报后补杀#9

YU2711

TREND  MICRO   21:04
SCAN  4/19

1. 安全威脅:        Backdoor.MSIL.ASDROP.SMZSM
   
2. 來源類型:        安全威脅
   
3. 受影響的檔案:        C:\Users\USER\Downloa…\0827(19).exe
   
4. 處理行動:        已移除
   
5. 偵測方式:        手動掃瞄
   
6. 
   
7. 安全威脅:        TrojanSpy.Win32.LOKI.SMBD1.hp
   
8. 來源類型:        安全威脅
   
9. 受影響的檔案:        C:\Users\USER\Download…\0827(6).exe
   
10. 處理行動:        已移除
    
11. 偵測方式:        手動掃瞄
    
12. 
    
13. 安全威脅:        TrojanSpy.Win32.LOKI.SMBD1.hp
    
14. 來源類型:        安全威脅
    
15. 受影響的檔案:        C:\Users\USER\Downloa…\0827(11).exe
    
16. 處理行動:        已移除
    
17. 偵測方式:        手動掃瞄
    
18. 
    
19. 安全威脅:        TrojanSpy.Win32.LOKI.SMBD1.hp
    
20. 來源類型:        安全威脅
    
21. 受影響的檔案:        C:\Users\USER\Downloa…\0827(16).exe
    
22. 處理行動:        已移除
    
23. 偵測方式:        手動掃瞄

复制代码

a445441

卡巴：10/19=52.6%

心痛的伤不起

微点15/19 79%

时间        类型        处理结果        病毒名称        病毒路径        创建者        描述
2018-08-27 21:44:13        蠕虫        处理成功                C:\USERS\555\APPDATA\ROAMING\C4F79B\B13E36.EXE        C:\USERS\555\DESKTOP\PACKAGE 0827\0827(7).EXE        未发现任何修改动作...
2018-08-27 21:44:12        蠕虫        处理成功                C:\USERS\555\DESKTOP\PACKAGE 0827\0827(7).EXE        C:\PROGRAM FILES (X86)\360\360ZIP\360ZIP.EXE        生成(1)个文件...
2018-08-27 21:43:40        木马        处理成功        未知间谍软件        C:\USERS\555\APPDATA\ROAMING\MICROSOFT\WINDOWS\START MENU\PROGRAMS\STARTUP\ADOBESERVICE.EXE        C:\WINDOWS\SYSTEM32\SVCHOST.EXE        未发现任何修改动作...
2018-08-27 21:43:01        木马        处理成功                C:\USERS\555\DESKTOP\PACKAGE 0827\0827(5).EXE        C:\PROGRAM FILES (X86)\360\360ZIP\360ZIP.EXE        未发现任何修改动作...
2018-08-27 21:42:24        木马        处理成功        未知木马        C:\USERS\555\DESKTOP\PACKAGE 0827\0827(9).EXE        C:\PROGRAM FILES (X86)\360\360ZIP\360ZIP.EXE        未发现任何修改动作...
2018-08-27 21:42:09        木马        删除文件失败        未知木马        C:\USERS\555\DESKTOP\PACKAGE 0827\0827(9).EXE        C:\PROGRAM FILES (X86)\360\360ZIP\360ZIP.EXE        未发现任何修改动作...
2018-08-27 21:42:04        木马        删除文件失败        未知木马        C:\USERS\555\DESKTOP\PACKAGE 0827\0827(9).EXE        C:\PROGRAM FILES (X86)\360\360ZIP\360ZIP.EXE        未发现任何修改动作...
2018-08-27 21:41:59        木马        处理成功                C:\USERS\555\DESKTOP\PACKAGE 0827\0827(19).EXE        C:\PROGRAM FILES (X86)\360\360ZIP\360ZIP.EXE        未发现任何修改动作...
2018-08-27 21:41:56        木马        处理成功                C:\USERS\555\APPDATA\LOCAL\TEMP\IS-S43D4.TMP\0827(17).TMP        C:\USERS\555\DESKTOP\PACKAGE 0827\0827(17).EXE        未发现任何修改动作...
2018-08-27 21:41:56        木马        处理成功                C:\USERS\555\DESKTOP\PACKAGE 0827\0827(17).EXE        C:\PROGRAM FILES (X86)\360\360ZIP\360ZIP.EXE        生成(1)个文件...
2018-08-27 21:41:37        木马        处理成功                C:\USERS\555\APPDATA\LOCAL\MICROSOFT\WINDOWS\LUNAMUTE.EXE        C:\USERS\555\DESKTOP\PACKAGE 0827\0827(14).EXE        未发现任何修改动作...
2018-08-27 21:41:37        木马        处理成功                C:\USERS\555\DESKTOP\PACKAGE 0827\0827(14).EXE        C:\PROGRAM FILES (X86)\360\360ZIP\360ZIP.EXE        生成(1)个文件...
2018-08-27 21:41:35        木马        处理成功                C:\USERS\555\APPDATA\LOCAL\TEMP\IS-FEKCV.TMP\0827(15).TMP        C:\USERS\555\DESKTOP\PACKAGE 0827\0827(15).EXE        未发现任何修改动作...
2018-08-27 21:41:35        木马        处理成功                C:\USERS\555\DESKTOP\PACKAGE 0827\0827(15).EXE        C:\PROGRAM FILES (X86)\360\360ZIP\360ZIP.EXE        生成(1)个文件...
2018-08-27 21:41:33        木马        删除文件失败        未知木马        C:\USERS\555\DESKTOP\PACKAGE 0827\0827(9).EXE        C:\PROGRAM FILES (X86)\360\360ZIP\360ZIP.EXE        未发现任何修改动作...
2018-08-27 21:41:26        木马        删除文件失败        未知木马        C:\USERS\555\DESKTOP\PACKAGE 0827\0827(9).EXE        C:\PROGRAM FILES (X86)\360\360ZIP\360ZIP.EXE        未发现任何修改动作...
2018-08-27 21:41:26        木马        处理成功                C:\USERS\555\APPDATA\ROAMING\AE26E99B-688B-40DF-B67A-E7E11CAE2119\WPA MANAGER\WPAMGR.EXE        C:\USERS\555\DESKTOP\PACKAGE 0827\0827(9).EXE        未发现任何修改动作...
2018-08-27 21:41:26        木马        删除文件失败                C:\USERS\555\DESKTOP\PACKAGE 0827\0827(9).EXE        C:\PROGRAM FILES (X86)\360\360ZIP\360ZIP.EXE        生成(1)个文件，注册表中修改(1)项...
2018-08-27 21:41:08        木马        处理成功                C:\USERS\555\APPDATA\ROAMING\CV.EXE        C:\USERS\555\DESKTOP\PACKAGE 0827\0827(4).EXE        未发现任何修改动作...
2018-08-27 21:41:07        木马        处理成功                C:\USERS\555\DESKTOP\PACKAGE 0827\0827(4).EXE        C:\PROGRAM FILES (X86)\360\360ZIP\360ZIP.EXE        生成(1)个文件...
2018-08-27 21:41:01        木马        处理成功                C:\PROGRAMDATA\WINDOWS\CSRSS.EXE        C:\USERS\555\DESKTOP\PACKAGE 0827\0827(3).EXE        未发现任何修改动作...
2018-08-27 21:41:01        木马        处理成功                C:\USERS\555\DESKTOP\PACKAGE 0827\0827(3).EXE        C:\PROGRAM FILES (X86)\360\360ZIP\360ZIP.EXE        生成(1)个文件，注册表中修改(1)项...
2018-08-27 21:40:58        木马        处理成功        未知间谍软件        C:\USERS\555\DESKTOP\PACKAGE 0827\0827(2).EXE        C:\PROGRAM FILES (X86)\360\360ZIP\360ZIP.EXE        未发现任何修改动作...
2018-08-27 21:40:57        木马        处理成功                C:\USERS\555\DESKTOP\PACKAGE 0827\0827(2).EXE        C:\PROGRAM FILES (X86)\360\360ZIP\360ZIP.EXE        未发现任何修改动作...
2018-08-27 21:40:48        木马        处理成功                C:\USERS\555\APPDATA\ROAMING\MICROSOFT\WINDOWS\START MENU\PROGRAMS\{20949F-A734E6-ECD3-60272A203373}\TOOLSET.EXE        C:\USERS\555\DESKTOP\PACKAGE 0827\0827(8).EXE        未发现任何修改动作...
2018-08-27 21:40:48        木马        处理成功                C:\USERS\555\DESKTOP\PACKAGE 0827\0827(8).EXE        C:\PROGRAM FILES (X86)\360\360ZIP\360ZIP.EXE        生成(1)个文件...
2018-08-27 21:40:43        木马        处理成功                C:\USERS\555\DESKTOP\PACKAGE 0827\0827(12).EXE        C:\PROGRAM FILES (X86)\360\360ZIP\360ZIP.EXE        未发现任何修改动作...

Jerry.Lin

ESET
16/19

1. Time;Scanner;Object type;Object;Threat;Action;User;Information;Hash;First seen here
   
2. 2018/8/27 21:55:20;Real-time file system protection;file;C:\Users\zhong\Downloads\Compressed\VIRUS TEST\PACKAGE 0827\0827(2).exe;a variant of Win32/GenKryptik.CJHJ trojan;cleaned by deleting;DESKTOP-VPBE70N\zhong;Event occurred on a new file created by the application: C:\Program Files\WinRAR\WinRAR.exe (33F1554BA5E9F414C8A7DFD65A5831C513BD2DB2).;E16EB4994751342F99359E87C053E3214E4D1A33;2018/8/27 21:55:11
   
3. 2018/8/27 21:55:20;Real-time file system protection;file;C:\Users\zhong\Downloads\Compressed\VIRUS TEST\PACKAGE 0827\0827(4).exe;a variant of MSIL/Agent.AQL trojan;cleaned by deleting;DESKTOP-VPBE70N\zhong;Event occurred on a new file created by the application: C:\Program Files\WinRAR\WinRAR.exe (33F1554BA5E9F414C8A7DFD65A5831C513BD2DB2).;92C38DB9FC10B266CD77159A0AD460860E1D535C;2018/8/27 21:55:11
   
4. 2018/8/27 21:55:20;Real-time file system protection;file;C:\Users\zhong\Downloads\Compressed\VIRUS TEST\PACKAGE 0827\0827(13).exe;a variant of MSIL/Kryptik.PDT trojan;cleaned by deleting;DESKTOP-VPBE70N\zhong;Event occurred on a new file created by the application: C:\Program Files\WinRAR\WinRAR.exe (33F1554BA5E9F414C8A7DFD65A5831C513BD2DB2).;06CB84248653A743F58751557FBC588BAF77306E;2018/8/27 21:55:10
   
5. 2018/8/27 21:55:20;Real-time file system protection;file;C:\Users\zhong\Downloads\Compressed\VIRUS TEST\PACKAGE 0827\0827(16).exe;a variant of Win32/Injector.EAAW trojan;cleaned by deleting;DESKTOP-VPBE70N\zhong;Event occurred on a new file created by the application: C:\Program Files\WinRAR\WinRAR.exe (33F1554BA5E9F414C8A7DFD65A5831C513BD2DB2).;681E338D24D0C33A8F4D25AE28256329FD5DE2E6;2018/8/27 21:55:10
   
6. 2018/8/27 21:55:20;Real-time file system protection;file;C:\Users\zhong\Downloads\Compressed\VIRUS TEST\PACKAGE 0827\0827(11).exe;a variant of Win32/Injector.EAAW trojan;cleaned by deleting;DESKTOP-VPBE70N\zhong;Event occurred on a new file created by the application: C:\Program Files\WinRAR\WinRAR.exe (33F1554BA5E9F414C8A7DFD65A5831C513BD2DB2).;825828A428E493298C8E02E6A1FBA6AA56DC40AC;2018/8/27 21:55:10
   
7. 2018/8/27 21:55:20;Real-time file system protection;file;C:\Users\zhong\Downloads\Compressed\VIRUS TEST\PACKAGE 0827\0827(18).exe;Win32/Spy.Ursnif.BW trojan;cleaned by deleting;DESKTOP-VPBE70N\zhong;Event occurred on a new file created by the application: C:\Program Files\WinRAR\WinRAR.exe (33F1554BA5E9F414C8A7DFD65A5831C513BD2DB2).;B603A6FBE4F6FF986973841E5BBCD6CEB5913375;2018/8/27 21:55:11
   
8. 2018/8/27 21:55:21;Real-time file system protection;file;C:\Users\zhong\Downloads\Compressed\VIRUS TEST\PACKAGE 0827\0827(5).exe;a variant of MSIL/Kryptik.PHG trojan;cleaned by deleting;DESKTOP-VPBE70N\zhong;Event occurred on a new file created by the application: C:\Program Files\WinRAR\WinRAR.exe (33F1554BA5E9F414C8A7DFD65A5831C513BD2DB2).;0F16CBC2B1C3DB261BD6D00A2806CC9D6A230B68;2018/8/27 21:55:11
   
9. 2018/8/27 21:55:23;Real-time file system protection;file;C:\Users\zhong\Downloads\Compressed\VIRUS TEST\PACKAGE 0827\0827(10).exe;a variant of Win32/Injector.EAAR trojan;cleaned by deleting;DESKTOP-VPBE70N\zhong;Event occurred on a new file created by the application: C:\Program Files\WinRAR\WinRAR.exe (33F1554BA5E9F414C8A7DFD65A5831C513BD2DB2).;3EFB0EC8D65B7F379AA479A09EE065203A92ECDE;
   
10. 2018/8/27 21:55:24;Real-time file system protection;file;C:\Users\zhong\Downloads\Compressed\VIRUS TEST\PACKAGE 0827\0827(7).exe;Win32/PSW.Fareit.L trojan;cleaned by deleting;DESKTOP-VPBE70N\zhong;Event occurred on a new file created by the application: C:\Program Files\WinRAR\WinRAR.exe (33F1554BA5E9F414C8A7DFD65A5831C513BD2DB2).;D93DCF0FD62080D11776C2F12E1AF4E941891DF3;2018/8/27 21:55:11
    
11. 2018/8/27 21:55:25;Real-time file system protection;file;C:\Users\zhong\Downloads\Compressed\VIRUS TEST\PACKAGE 0827\0827(14).exe;a variant of Win32/Kryptik.GKFJ trojan;cleaned by deleting;DESKTOP-VPBE70N\zhong;Event occurred on a new file created by the application: C:\Program Files\WinRAR\WinRAR.exe (33F1554BA5E9F414C8A7DFD65A5831C513BD2DB2).;691AEA27DE5DFDBE3F607ECB2E7E313A0A44B7F3;2018/8/27 21:55:10
    
12. 2018/8/27 21:55:26;Real-time file system protection;file;C:\Users\zhong\Downloads\Compressed\VIRUS TEST\PACKAGE 0827\0827(1).exe;a variant of Win32/Injector.EAAM trojan;cleaned by deleting;DESKTOP-VPBE70N\zhong;Event occurred on a new file created by the application: C:\Program Files\WinRAR\WinRAR.exe (33F1554BA5E9F414C8A7DFD65A5831C513BD2DB2).;5620FC5B8EECB8AB1065A362E42A50FE15BA6BBD;2018/8/27 21:55:10
    
13. 2018/8/27 21:55:27;Real-time file system protection;file;C:\Users\zhong\Downloads\Compressed\VIRUS TEST\PACKAGE 0827\0827(6).exe;a variant of Win32/Injector.EAAW trojan;cleaned by deleting;DESKTOP-VPBE70N\zhong;Event occurred on a new file created by the application: C:\Program Files\WinRAR\WinRAR.exe (33F1554BA5E9F414C8A7DFD65A5831C513BD2DB2).;9C49859756D32E6D7D7A6AB24BF6200412016C27;2018/8/27 21:55:11
    
14. 2018/8/27 21:55:29;Real-time file system protection;file;C:\Users\zhong\Downloads\Compressed\VIRUS TEST\PACKAGE 0827\0827(12).exe;a variant of MSIL/Injector.TWG trojan;cleaned by deleting;DESKTOP-VPBE70N\zhong;Event occurred on a new file created by the application: C:\Program Files\WinRAR\WinRAR.exe (33F1554BA5E9F414C8A7DFD65A5831C513BD2DB2).;4341A9FD4790727C642DAD514592AA946B66C23A;2018/8/27 21:55:10
    
15. 2018/8/27 21:55:30;Real-time file system protection;file;C:\Users\zhong\Downloads\Compressed\VIRUS TEST\PACKAGE 0827\0827(3).exe;a variant of Win32/Kryptik.GKEA trojan;cleaned by deleting;DESKTOP-VPBE70N\zhong;Event occurred on a new file created by the application: C:\Program Files\WinRAR\WinRAR.exe (33F1554BA5E9F414C8A7DFD65A5831C513BD2DB2).;FDCFDEF2DED5A0CA24AE277CB7BF950A65706295;2018/8/27 21:55:11
    
16. 2018/8/27 21:55:32;Real-time file system protection;file;C:\Users\zhong\Downloads\Compressed\VIRUS TEST\PACKAGE 0827\0827(8).exe;a variant of MSIL/Agent.STM trojan;cleaned by deleting;DESKTOP-VPBE70N\zhong;Event occurred on a new file created by the application: C:\Program Files\WinRAR\WinRAR.exe (33F1554BA5E9F414C8A7DFD65A5831C513BD2DB2).;26FD0B7970B58D6474A1643BE76F13C6E020FEE0;2018/8/27 21:55:11
    
17. 2018/8/27 21:55:32;Real-time file system protection;file;C:\Users\zhong\Downloads\Compressed\VIRUS TEST\PACKAGE 0827\0827(9).exe;a variant of Win32/GenKryptik.CJHI trojan;cleaned by deleting;DESKTOP-VPBE70N\zhong;Event occurred on a new file created by the application: C:\Program Files\WinRAR\WinRAR.exe (33F1554BA5E9F414C8A7DFD65A5831C513BD2DB2).;A27E429077ADDA29FCCD170F736F52B93365F983;2018/8/27 21:55:11
    

复制代码