GandCrab5.2_2 (19.03.14)

显示全部楼层 · 发表于 2019-3-14 13:46:26

虚拟机里面半年前的BG，扫描MISS，双击，文件被加密，10秒以后，主防kill，称功回滚，只要背景被换了。

Suspected file: 1.exe

Path: C:\Users\Administrator\Desktop\1.exe

Details
• Drop.Win64.Startup.222926

Files modified
• C:\Users\Administrator\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\382BEE38D95B9C95C937BBCA7F3F9013
• C:\Users\Administrator\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\382BEE38D95B9C95C937BBCA7F3F9013
• C:\Users\Administrator\AppData\Local\Temp\bxmeoengtf.bmp
• C:\Users\Public\Pictures\Sample Pictures\AJJZTPTLFZ-MANUAL.txt
• C:\Users\Public\Libraries\RecordedTV.library-ms
• C:\Users\Public\Favorites\AJJZTPTLFZ-MANUAL.txt
• C:\Users\Public\Libraries\AJJZTPTLFZ-MANUAL.txt
• C:\Users\Public\Downloads\AJJZTPTLFZ-MANUAL.txt
• C:\Users\Public\Videos\AJJZTPTLFZ-MANUAL.txt
• C:\Users\Public\Desktop\AJJZTPTLFZ-MANUAL.txt
• C:\Users\Public\Documents\AJJZTPTLFZ-MANUAL.txt
• C:\Users\Public\Music\AJJZTPTLFZ-MANUAL.txt
• C:\Users\Public\Pictures\AJJZTPTLFZ-MANUAL.txt
• C:\Users\Default\AppData\Roaming\Microsoft\Windows\Templates\AJJZTPTLFZ-MANUAL.txt
• C:\Users\Default\AppData\Roaming\Microsoft\Windows\SendTo\AJJZTPTLFZ-MANUAL.txt
• C:\Users\Default\AppData\Roaming\Microsoft\Windows\Recent\AJJZTPTLFZ-MANUAL.txt
• C:\Users\Default\Saved Games\AJJZTPTLFZ-MANUAL.txt
• C:\Users\Default\AppData\Roaming\Microsoft\Windows\Printer Shortcuts\AJJZTPTLFZ-MANUAL.txt
• C:\Users\Default\AppData\Roaming\Microsoft\Windows\Network Shortcuts\AJJZTPTLFZ-MANUAL.txt
• C:\Users\Default\Downloads\AJJZTPTLFZ-MANUAL.txt
• C:\Users\Default\Favorites\AJJZTPTLFZ-MANUAL.txt
• C:\Users\Default\Links\AJJZTPTLFZ-MANUAL.txt
• C:\Users\Default\Music\AJJZTPTLFZ-MANUAL.txt
• C:\Users\Default\Pictures\AJJZTPTLFZ-MANUAL.txt
• C:\Users\Default\Videos\AJJZTPTLFZ-MANUAL.txt
• C:\Users\Default\AppData\Roaming\Microsoft\Windows\Cookies\AJJZTPTLFZ-MANUAL.txt
• C:\Users\Default\Desktop\AJJZTPTLFZ-MANUAL.txt
• C:\Users\Default\Documents\AJJZTPTLFZ-MANUAL.txt
• C:\Users\Default\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\AJJZTPTLFZ-MANUAL.txt
• C:\Users\Default\AppData\Roaming\Microsoft\Internet Explorer\AJJZTPTLFZ-MANUAL.txt
• C:\Users\Default\AppData\Roaming\Microsoft\AJJZTPTLFZ-MANUAL.txt
• C:\Users\Default\AppData\Local\Microsoft\Windows\Temporary Internet Files\AJJZTPTLFZ-MANUAL.txt
• C:\Users\Default\AppData\Local\Temp\AJJZTPTLFZ-MANUAL.txt
• C:\Users\Default\AppData\Local\Microsoft\AJJZTPTLFZ-MANUAL.txt
• C:\Users\Default\AppData\Local\Microsoft\Windows\History\AJJZTPTLFZ-MANUAL.txt
• C:\Users\Default\AppData\Local\AJJZTPTLFZ-MANUAL.txt
• C:\Users\Administrator\AppData\Roaming\Microsoft\Windows\SendTo\AJJZTPTLFZ-MANUAL.txt
• C:\Users\Administrator\AppData\Roaming\Microsoft\Windows\Start Menu\AJJZTPTLFZ-MANUAL.txt
• C:\Users\Administrator\AppData\Roaming\Microsoft\Windows\Templates\AJJZTPTLFZ-MANUAL.txt
• C:\Users\Administrator\Searches\AJJZTPTLFZ-MANUAL.txt
• C:\Users\Default\AJJZTPTLFZ-MANUAL.txt
• C:\Users\Default\AppData\AJJZTPTLFZ-MANUAL.txt
• C:\Users\Administrator\AppData\Roaming\Microsoft\Windows\Printer Shortcuts\AJJZTPTLFZ-MANUAL.txt
• C:\Users\Administrator\AppData\Roaming\Microsoft\Windows\Recent\AJJZTPTLFZ-MANUAL.txt
• C:\Users\Administrator\Saved Games\AJJZTPTLFZ-MANUAL.txt
• C:\Users\Administrator\ntuser.ini
• C:\Users\Administrator\AppData\Roaming\Microsoft\Windows\Network Shortcuts\AJJZTPTLFZ-MANUAL.txt
• C:\Users\Administrator\Links\AJJZTPTLFZ-MANUAL.txt
• C:\Users\Administrator\Favorites\Links\Web Slice Gallery.url
• C:\Users\Administrator\Favorites\Links\Suggested Sites.url
• C:\Users\Administrator\Downloads\AJJZTPTLFZ-MANUAL.txt
• C:\Users\Administrator\Favorites\AJJZTPTLFZ-MANUAL.txt
• C:\Users\Administrator\Favorites\Links\AJJZTPTLFZ-MANUAL.txt
• C:\Users\Administrator\Pictures\AJJZTPTLFZ-MANUAL.txt
• C:\Users\Administrator\Videos\AJJZTPTLFZ-MANUAL.txt
• C:\Users\Administrator\Documents\AJJZTPTLFZ-MANUAL.txt
• C:\Users\Administrator\Music\AJJZTPTLFZ-MANUAL.txt
• C:\Users\Administrator\Desktop\taskdl.zip
• C:\Users\Administrator\Desktop\New Text Document.txt
• C:\Users\Administrator\Desktop\AJJZTPTLFZ-MANUAL.txt
• C:\Users\Administrator\Desktop\1.rar
• C:\Users\Administrator\AppData\Roaming\Microsoft\Windows\Cookies\AJJZTPTLFZ-MANUAL.txt
• C:\Users\Administrator\Contacts\Administrator.contact
• C:\Users\Administrator\Contacts\AJJZTPTLFZ-MANUAL.txt
• C:\Users\Administrator\AppData\Roaming\Microsoft\SystemCertificates\My\CRLs\AJJZTPTLFZ-MANUAL.txt
• C:\Users\Administrator\AppData\Roaming\Microsoft\SystemCertificates\My\CTLs\AJJZTPTLFZ-MANUAL.txt
• C:\Users\Administrator\AppData\Roaming\QuickScan\AJJZTPTLFZ-MANUAL.txt
• C:\Users\Administrator\AppData\Roaming\Microsoft\SystemCertificates\My\Certificates\AJJZTPTLFZ-MANUAL.txt
• C:\Users\Administrator\AppData\Roaming\Microsoft\SystemCertificates\AJJZTPTLFZ-MANUAL.txt
• C:\Users\Administrator\AppData\Roaming\Microsoft\SystemCertificates\My\AJJZTPTLFZ-MANUAL.txt
• C:\Users\Administrator\AppData\Roaming\Microsoft\Protect\S-1-5-21-2986275899-530275652-2909107411-500\Preferred
• C:\Users\Administrator\AppData\Roaming\Microsoft\Protect\S-1-5-21-2986275899-530275652-2909107411-500\c855be6c-00df-4341-86f2-24d7c58d2782
• C:\Users\Administrator\AppData\Roaming\Microsoft\Protect\S-1-5-21-2986275899-530275652-2909107411-500\c61f2a34-c202-4f08-8eb8-acc37a58046c
• C:\Users\Administrator\AppData\Roaming\Microsoft\Protect\S-1-5-21-2986275899-530275652-2909107411-500\AJJZTPTLFZ-MANUAL.txt
• C:\Users\Administrator\AppData\Roaming\Microsoft\Protect\S-1-5-21-2986275899-530275652-2909107411-500\4458085b-3786-43e6-bcfb-08a3f183e5e1
• C:\Users\Administrator\AppData\Roaming\Microsoft\Protect\CREDHIST
• C:\Users\Administrator\AppData\Roaming\Microsoft\Protect\AJJZTPTLFZ-MANUAL.txt
• C:\Users\Administrator\AppData\Roaming\Microsoft\Internet Explorer\UserData\Y22FQC26\AJJZTPTLFZ-MANUAL.txt
• C:\Users\Administrator\AppData\Roaming\Microsoft\Internet Explorer\UserData\K09L9QIL\AJJZTPTLFZ-MANUAL.txt
• C:\Users\Administrator\AppData\Roaming\Microsoft\Internet Explorer\UserData\L7UWVVMH\AJJZTPTLFZ-MANUAL.txt
• C:\Users\Administrator\AppData\Roaming\Microsoft\Internet Explorer\UserData\Low\AJJZTPTLFZ-MANUAL.txt
• C:\Users\Administrator\AppData\Roaming\Microsoft\Internet Explorer\UserData\index.dat
• C:\Users\Administrator\AppData\Roaming\Microsoft\Internet Explorer\UserData\8MSDSGWA\userDataBIDUPSID[1].xml
• C:\Users\Administrator\AppData\Roaming\Microsoft\Internet Explorer\UserData\8MSDSGWA\AJJZTPTLFZ-MANUAL.txt
• C:\Users\Administrator\AppData\Roaming\Microsoft\Internet Explorer\UserData\AJJZTPTLFZ-MANUAL.txt
• C:\Users\Administrator\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\AJJZTPTLFZ-MANUAL.txt
• C:\Users\Administrator\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\ImplicitAppShortcuts\AJJZTPTLFZ-MANUAL.txt
• C:\Users\Administrator\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\AJJZTPTLFZ-MANUAL.txt
• C:\Users\Administrator\AppData\Roaming\Microsoft\Internet Explorer\AJJZTPTLFZ-MANUAL.txt
• C:\Users\Administrator\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\AJJZTPTLFZ-MANUAL.txt
• C:\Users\Administrator\AppData\Roaming\Identities\{6C2E0D9E-B5E4-4402-BB6B-BB73885CD256}\AJJZTPTLFZ-MANUAL.txt
• C:\Users\Administrator\AppData\Roaming\Microsoft\AJJZTPTLFZ-MANUAL.txt
• C:\Users\Administrator\AppData\Roaming\Microsoft\Credentials\AJJZTPTLFZ-MANUAL.txt
• C:\Users\Administrator\AppData\Roaming\Identities\AJJZTPTLFZ-MANUAL.txt
• C:\Users\Administrator\AppData\Roaming\BullGuard\TuneUp\BpTuneUp.log
• C:\Users\Administrator\AppData\Roaming\BullGuard\TuneUp\AJJZTPTLFZ-MANUAL.txt
• C:\Users\Administrator\AppData\Roaming\BullGuard\GameBooster\BpGameBooster.log
• C:\Users\Administrator\AppData\Roaming\BullGuard\GameBooster\BgGameMon.db
• C:\Users\Administrator\AppData\Roaming\BullGuard\GameBooster\AJJZTPTLFZ-MANUAL.txt
• C:\Users\Administrator\AppData\Roaming\BullGuard\BsConnect(FWALL).txt
• C:\Users\Administrator\AppData\Roaming\BullGuard\Antivirus\Profiles\####4.xml
• C:\Users\Administrator\AppData\Roaming\BullGuard\Antivirus\Profiles\####1.xml
• C:\Users\Administrator\AppData\Roaming\BullGuard\Antivirus\Profiles\AJJZTPTLFZ-MANUAL.txt
• C:\Users\Administrator\AppData\Roaming\AJJZTPTLFZ-MANUAL.txt
• C:\Users\Administrator\AppData\Roaming\BullGuard\AJJZTPTLFZ-MANUAL.txt
• C:\Users\Administrator\AppData\Roaming\BullGuard\Antivirus\AJJZTPTLFZ-MANUAL.txt
• C:\PerfLogs\AJJZTPTLFZ-MANUAL.txt
• C:\PerfLogs\Admin\AJJZTPTLFZ-MANUAL.txt
• C:\Program Files\AJJZTPTLFZ-MANUAL.txt
• C:\Users\AJJZTPTLFZ-MANUAL.txt
• C:\Users\Administrator\AJJZTPTLFZ-MANUAL.txt
• C:\Users\Administrator\AppData\AJJZTPTLFZ-MANUAL.txt
• C:\$Recycle.Bin\S-1-5-21-2986275899-530275652-2909107411-500\AJJZTPTLFZ-MANUAL.txt
• C:\$Recycle.Bin\AJJZTPTLFZ-MANUAL.txt
• C:\AJJZTPTLFZ-MANUAL.txt
• C:\Users\Administrator\Desktop\1.exe

Registry modified
• HKEY_CURRENT_USER\\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections : SavedLegacySettings (old value = 46000000240000000900000000000000000000000000000004000000000000009B782E3928DAD4010000000000000000000000000100000002000000C0A88082000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 -> new value = 46000000250000000900000000000000000000000000000004000000000000009B782E3928DAD4010000000000000000000000000100000002000000C0A88082000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000)
• HKEY_CURRENT_USER\\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections : SavedLegacySettings (old value = 46000000240000000900000000000000000000000000000004000000000000009B782E3928DAD4010000000000000000000000000100000002000000C0A88082000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 -> new value = 46000000250000000900000000000000000000000000000004000000000000009B782E3928DAD4010000000000000000000000000100000002000000C0A88082000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000)
• HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\1_RASAPI32 : EnableFileTracing (value = 0)
• HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\1_RASAPI32 : EnableConsoleTracing (value = 0)
• HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\1_RASAPI32 : FileTracingMask (value = -65536)
• HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\1_RASAPI32 : ConsoleTracingMask (value = -65536)
• HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\1_RASAPI32 : MaxFileSize (value = 1048576)
• HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\1_RASAPI32 : FileDirectory (value = %windir%\tracing)
• HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\1_RASMANCS : EnableFileTracing (value = 0)
• HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\1_RASMANCS : EnableConsoleTracing (value = 0)
• HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\1_RASMANCS : FileTracingMask (value = -65536)
• HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\1_RASMANCS : ConsoleTracingMask (value = -65536)
• HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\1_RASMANCS : MaxFileSize (value = 1048576)
• HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\1_RASMANCS : FileDirectory (value = %windir%\tracing)
• HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\1_RASAPI32 : EnableFileTracing (value = 0)
• HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\1_RASAPI32 : EnableConsoleTracing (value = 0)
• HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\1_RASAPI32 : FileTracingMask (value = -65536)
• HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\1_RASAPI32 : ConsoleTracingMask (value = -65536)
• HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\1_RASAPI32 : MaxFileSize (value = 1048576)
• HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\1_RASAPI32 : FileDirectory (value = %windir%\tracing)
• HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\1_RASMANCS : EnableFileTracing (value = 0)
• HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\1_RASMANCS : EnableConsoleTracing (value = 0)
• HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\1_RASMANCS : FileTracingMask (value = -65536)
• HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\1_RASMANCS : ConsoleTracingMask (value = -65536)
• HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\1_RASMANCS : MaxFileSize (value = 1048576)
• HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\1_RASMANCS : FileDirectory (value = %windir%\tracing)

Processes
• [3336] C:\Users\Administrator\Desktop\1.exe
• [3428] C:\Windows\System32\wbem\WMIC.exe

3/14/2019 7:43:05 AM

显示全部楼层 · 发表于 2019-3-14 14:10:15

www-tekeze 发表于 2019-3-14 10:14
安天智甲、管家无BD，都是kill exe，miss js 。

你这个安天智甲是怎么得到的？在安天没找到下载

显示全部楼层 · 发表于 2019-3-14 14:52:04

微点杀

显示全部楼层 · 发表于 2019-3-14 15:41:11

yaoogle007 发表于 2019-3-14 14:10
你这个安天智甲是怎么得到的？在安天没找到下载

安天智甲终端防御系统 http://www.antiy.com/response/wannacry/setup.zip 直接下载不了可以用迅雷下载

显示全部楼层 · 发表于 2019-3-14 17:58:07

BD：Trojan.GenericKD.31774686

显示全部楼层 · 发表于 2019-3-14 19:21:57

本帖最后由小Q机器人于 2019-3-14 22:57 编辑

报毒经典HitmanPro 3.8 最新版多引擎云反病毒扫描器（有卡巴+bd+自带硬气等等多引擎扫描超级强）
下载地址：https://bbs.kafan.cn/thread-2144723-1-1.html

显示全部楼层 · 发表于 2019-3-14 20:48:33

scep 文件监控干掉了。

[病毒样本] GandCrab5.2_2 (19.03.14)

本帖子中包含更多资源