GandCrab5.2_3 (19.03.14)

显示全部楼层 · 发表于 2019-3-14 16:37:52

本帖最后由 191196846 于 2019-3-14 16:43 编辑

#Ransom #LowAVDetection

25DC3086DE8BDD780B89B0A7CD9D51BB word.exe

复制代码

非常有意思的变种

显示全部楼层 · 发表于 2019-3-14 16:47:52

卡巴斯基免费版，解压后监控报毒。

显示全部楼层 · 发表于 2019-3-14 16:48:00

Norton Kill

显示全部楼层 · 发表于 2019-3-14 16:50:36

智量Kill 火绒日常Miss(谁来补一下双击)

显示全部楼层 · 发表于 2019-3-14 17:00:34

a233 发表于 2019-3-14 16:50
智量Kill 火绒日常Miss(谁来补一下双击)

开启勒索诱捕，第一个弹窗就是主防报勒索，关闭诱捕只能靠自定义规则，否则全盘被加密。。

显示全部楼层 · 发表于 2019-3-14 17:00:47

360木马查杀扫描日志
开始时间: 2019-3-14 16:59:27
扫描用时: 00:00:01
扫描类型: 自定义扫描
扫描引擎:360云查杀引擎（本地木马库） 360启发式引擎 QEX脚本查杀引擎
扫描文件数: 1
系统关键位置文件: 0
系统内存运行模块: 0
压缩包文件: 0
安全的文件数: 1
发现安全威胁: 0
已处理安全威胁: 0
扫描选项
----------------------
扫描后自动关机: 否
扫描模式: 速度最快
管理员：是
扫描内容
----------------------
D:\迅雷下载\word.exe
白名单设置
----------------------
d:\games\bluestackscn\bluestacksgp.exe b36f923f5bef5cb970dbee7dae62c0c7
c:\program files\git\git-bash.exe bc9b5b5c120590798bc8139edb8d1606
扫描结果
======================
未发现安全威胁

复制代码

显示全部楼层 · 发表于 2019-3-14 17:01:07

还是半年前的病毒库的BG，扫描MISS，双击，文件被加密，然后等了10秒左右，主防KILL，然后回滚。

Suspected file: word.exe

Path: C:\Users\Administrator\Desktop\word.exe

Details
• Drop.Win64.Startup.221526

Files modified
• C:\Users\Administrator\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\382BEE38D95B9C95C937BBCA7F3F9013
• C:\Users\Administrator\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\382BEE38D95B9C95C937BBCA7F3F9013
• C:\Users\Administrator\AppData\Local\Temp\bxmeoengtf.bmp
• C:\Users\Public\Pictures\Sample Pictures\UXZQMEZB-MANUAL.txt
• C:\Users\Public\Libraries\UXZQMEZB-MANUAL.txt
• C:\Users\Public\Favorites\UXZQMEZB-MANUAL.txt
• C:\Users\Public\Downloads\UXZQMEZB-MANUAL.txt
• C:\Users\Public\Desktop\UXZQMEZB-MANUAL.txt
• C:\Users\Public\Documents\UXZQMEZB-MANUAL.txt
• C:\Users\Public\Music\UXZQMEZB-MANUAL.txt
• C:\Users\Public\Pictures\UXZQMEZB-MANUAL.txt
• C:\Users\Public\Videos\UXZQMEZB-MANUAL.txt
• C:\Users\Default\AppData\Roaming\Microsoft\Windows\Templates\UXZQMEZB-MANUAL.txt
• C:\Users\Default\AppData\Roaming\Microsoft\Windows\SendTo\UXZQMEZB-MANUAL.txt
• C:\Users\Default\Saved Games\UXZQMEZB-MANUAL.txt
• C:\Users\Default\AppData\Roaming\Microsoft\Windows\Recent\UXZQMEZB-MANUAL.txt
• C:\Users\Default\AppData\Roaming\Microsoft\Windows\Printer Shortcuts\UXZQMEZB-MANUAL.txt
• C:\Users\Default\AppData\Roaming\Microsoft\Windows\Network Shortcuts\UXZQMEZB-MANUAL.txt
• C:\Users\Default\Downloads\UXZQMEZB-MANUAL.txt
• C:\Users\Default\Favorites\UXZQMEZB-MANUAL.txt
• C:\Users\Default\Links\UXZQMEZB-MANUAL.txt
• C:\Users\Default\Music\UXZQMEZB-MANUAL.txt
• C:\Users\Default\Pictures\UXZQMEZB-MANUAL.txt
• C:\Users\Default\Videos\UXZQMEZB-MANUAL.txt
• C:\Users\Default\AppData\Roaming\Microsoft\Windows\Cookies\UXZQMEZB-MANUAL.txt
• C:\Users\Default\Desktop\UXZQMEZB-MANUAL.txt
• C:\Users\Default\Documents\UXZQMEZB-MANUAL.txt
• C:\Users\Default\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\UXZQMEZB-MANUAL.txt
• C:\Users\Default\AppData\Roaming\Microsoft\Internet Explorer\UXZQMEZB-MANUAL.txt
• C:\Users\Default\AppData\Roaming\Microsoft\UXZQMEZB-MANUAL.txt
• C:\Users\Default\AppData\Local\Microsoft\Windows\Temporary Internet Files\UXZQMEZB-MANUAL.txt
• C:\Users\Default\AppData\Local\Temp\UXZQMEZB-MANUAL.txt
• C:\Users\Default\AppData\Local\Microsoft\UXZQMEZB-MANUAL.txt
• C:\Users\Default\AppData\Local\Microsoft\Windows\History\UXZQMEZB-MANUAL.txt
• C:\Users\Default\AppData\Local\UXZQMEZB-MANUAL.txt
• C:\Users\Administrator\AppData\Roaming\Microsoft\Windows\Start Menu\UXZQMEZB-MANUAL.txt
• C:\Users\Administrator\AppData\Roaming\Microsoft\Windows\Templates\UXZQMEZB-MANUAL.txt
• C:\Users\Default\AppData\UXZQMEZB-MANUAL.txt
• C:\Users\Default\UXZQMEZB-MANUAL.txt
• C:\Users\Administrator\AppData\Roaming\Microsoft\Windows\Printer Shortcuts\UXZQMEZB-MANUAL.txt
• C:\Users\Administrator\AppData\Roaming\Microsoft\Windows\Recent\UXZQMEZB-MANUAL.txt
• C:\Users\Administrator\AppData\Roaming\Microsoft\Windows\SendTo\UXZQMEZB-MANUAL.txt
• C:\Users\Administrator\Saved Games\UXZQMEZB-MANUAL.txt
• C:\Users\Administrator\Searches\UXZQMEZB-MANUAL.txt
• C:\Users\Administrator\ntuser.ini
• C:\Users\Administrator\AppData\Roaming\Microsoft\Windows\Network Shortcuts\UXZQMEZB-MANUAL.txt
• C:\Users\Administrator\Favorites\Links\UXZQMEZB-MANUAL.txt
• C:\Users\Administrator\Links\UXZQMEZB-MANUAL.txt
• C:\Users\Administrator\Documents\UXZQMEZB-MANUAL.txt
• C:\Users\Administrator\Downloads\UXZQMEZB-MANUAL.txt
• C:\Users\Administrator\Favorites\UXZQMEZB-MANUAL.txt
• C:\Users\Administrator\Music\UXZQMEZB-MANUAL.txt
• C:\Users\Administrator\Pictures\UXZQMEZB-MANUAL.txt
• C:\Users\Administrator\Videos\UXZQMEZB-MANUAL.txt
• C:\Users\Administrator\Desktop\word.rar
• C:\Users\Administrator\AppData\Roaming\Microsoft\SystemCertificates\My\CRLs\UXZQMEZB-MANUAL.txt
• C:\Users\Administrator\AppData\Roaming\Microsoft\SystemCertificates\My\CTLs\UXZQMEZB-MANUAL.txt
• C:\Users\Administrator\AppData\Roaming\Microsoft\SystemCertificates\My\Certificates\UXZQMEZB-MANUAL.txt
• C:\Users\Administrator\AppData\Roaming\Microsoft\Windows\Cookies\UXZQMEZB-MANUAL.txt
• C:\Users\Administrator\AppData\Roaming\QuickScan\UXZQMEZB-MANUAL.txt
• C:\Users\Administrator\Contacts\UXZQMEZB-MANUAL.txt
• C:\Users\Administrator\Desktop\UXZQMEZB-MANUAL.txt
• C:\Users\Administrator\AppData\Roaming\Microsoft\SystemCertificates\My\UXZQMEZB-MANUAL.txt
• C:\Users\Administrator\AppData\Roaming\Microsoft\SystemCertificates\UXZQMEZB-MANUAL.txt
• C:\Users\Administrator\AppData\Roaming\Microsoft\Internet Explorer\UserData\L7UWVVMH\UXZQMEZB-MANUAL.txt
• C:\Users\Administrator\AppData\Roaming\Microsoft\Internet Explorer\UserData\Low\UXZQMEZB-MANUAL.txt
• C:\Users\Administrator\AppData\Roaming\Microsoft\Internet Explorer\UserData\Y22FQC26\UXZQMEZB-MANUAL.txt
• C:\Users\Administrator\AppData\Roaming\Microsoft\Protect\S-1-5-21-2986275899-530275652-2909107411-500\UXZQMEZB-MANUAL.txt
• C:\Users\Administrator\AppData\Roaming\Microsoft\Protect\UXZQMEZB-MANUAL.txt
• C:\Users\Administrator\AppData\Roaming\Microsoft\Internet Explorer\UserData\8MSDSGWA\UXZQMEZB-MANUAL.txt
• C:\Users\Administrator\AppData\Roaming\Microsoft\Internet Explorer\UserData\K09L9QIL\UXZQMEZB-MANUAL.txt
• C:\Users\Administrator\AppData\Roaming\Microsoft\Internet Explorer\UserData\UXZQMEZB-MANUAL.txt
• C:\Users\Administrator\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\UXZQMEZB-MANUAL.txt
• C:\Users\Administrator\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\ImplicitAppShortcuts\UXZQMEZB-MANUAL.txt
• C:\Users\Administrator\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\UXZQMEZB-MANUAL.txt
• C:\Users\Administrator\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\UXZQMEZB-MANUAL.txt
• C:\Users\Administrator\AppData\Roaming\Microsoft\Internet Explorer\UXZQMEZB-MANUAL.txt
• C:\Users\Administrator\AppData\Roaming\Identities\{6C2E0D9E-B5E4-4402-BB6B-BB73885CD256}\UXZQMEZB-MANUAL.txt
• C:\Users\Administrator\AppData\Roaming\Microsoft\Credentials\UXZQMEZB-MANUAL.txt
• C:\Users\Administrator\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-2986275899-530275652-2909107411-500\UXZQMEZB-MANUAL.txt
• C:\Users\Administrator\AppData\Roaming\Microsoft\Crypto\RSA\UXZQMEZB-MANUAL.txt
• C:\Users\Administrator\AppData\Roaming\Microsoft\Crypto\UXZQMEZB-MANUAL.txt
• C:\Users\Administrator\AppData\Roaming\Microsoft\UXZQMEZB-MANUAL.txt
• C:\Users\Administrator\AppData\Roaming\Identities\UXZQMEZB-MANUAL.txt
• C:\Users\Administrator\AppData\Roaming\BullGuard\Antivirus\Profiles\UXZQMEZB-MANUAL.txt
• C:\Users\Administrator\AppData\Roaming\BullGuard\Antivirus\UXZQMEZB-MANUAL.txt
• C:\Users\Administrator\AppData\Roaming\BullGuard\GameBooster\UXZQMEZB-MANUAL.txt
• C:\Users\Administrator\AppData\Roaming\BullGuard\TuneUp\UXZQMEZB-MANUAL.txt
• C:\Users\Administrator\AppData\Roaming\BullGuard\UXZQMEZB-MANUAL.txt
• C:\Users\Administrator\AppData\Roaming\UXZQMEZB-MANUAL.txt
• C:\Users\Administrator\AppData\UXZQMEZB-MANUAL.txt
• C:\PerfLogs\Admin\UXZQMEZB-MANUAL.txt
• C:\PerfLogs\UXZQMEZB-MANUAL.txt
• C:\Program Files\UXZQMEZB-MANUAL.txt
• C:\Users\Administrator\UXZQMEZB-MANUAL.txt
• C:\Users\UXZQMEZB-MANUAL.txt
• C:\$Recycle.Bin\S-1-5-21-2986275899-530275652-2909107411-500\$RPWGMYO.txt
• C:\$Recycle.Bin\S-1-5-21-2986275899-530275652-2909107411-500\$IPWGMYO.txt
• C:\$Recycle.Bin\S-1-5-21-2986275899-530275652-2909107411-500\UXZQMEZB-MANUAL.txt
• C:\$Recycle.Bin\UXZQMEZB-MANUAL.txt
• C:\UXZQMEZB-MANUAL.txt
• C:\Users\Administrator\Desktop\word.exe

Registry modified
• HKEY_CURRENT_USER\\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections : SavedLegacySettings (old value = 46000000250000000900000000000000000000000000000004000000000000009B782E3928DAD4010000000000000000000000000100000002000000C0A88082000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 -> new value = 46000000260000000900000000000000000000000000000004000000000000009B782E3928DAD4010000000000000000000000000100000002000000C0A88082000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000)
• HKEY_CURRENT_USER\\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections : SavedLegacySettings (old value = 46000000250000000900000000000000000000000000000004000000000000009B782E3928DAD4010000000000000000000000000100000002000000C0A88082000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 -> new value = 46000000260000000900000000000000000000000000000004000000000000009B782E3928DAD4010000000000000000000000000100000002000000C0A88082000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000)
• HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\word_RASAPI32 : EnableFileTracing (value = 0)
• HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\word_RASAPI32 : EnableConsoleTracing (value = 0)
• HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\word_RASAPI32 : FileTracingMask (value = -65536)
• HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\word_RASAPI32 : ConsoleTracingMask (value = -65536)
• HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\word_RASAPI32 : MaxFileSize (value = 1048576)
• HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\word_RASAPI32 : FileDirectory (value = %windir%\tracing)
• HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\word_RASMANCS : EnableFileTracing (value = 0)
• HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\word_RASMANCS : EnableConsoleTracing (value = 0)
• HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\word_RASMANCS : FileTracingMask (value = -65536)
• HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\word_RASMANCS : ConsoleTracingMask (value = -65536)
• HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\word_RASMANCS : MaxFileSize (value = 1048576)
• HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\word_RASMANCS : FileDirectory (value = %windir%\tracing)
• HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\word_RASAPI32 : EnableFileTracing (value = 0)
• HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\word_RASAPI32 : EnableConsoleTracing (value = 0)
• HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\word_RASAPI32 : FileTracingMask (value = -65536)
• HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\word_RASAPI32 : ConsoleTracingMask (value = -65536)
• HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\word_RASAPI32 : MaxFileSize (value = 1048576)
• HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\word_RASAPI32 : FileDirectory (value = %windir%\tracing)
• HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\word_RASMANCS : EnableFileTracing (value = 0)
• HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\word_RASMANCS : EnableConsoleTracing (value = 0)
• HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\word_RASMANCS : FileTracingMask (value = -65536)
• HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\word_RASMANCS : ConsoleTracingMask (value = -65536)
• HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\word_RASMANCS : MaxFileSize (value = 1048576)
• HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\word_RASMANCS : FileDirectory (value = %windir%\tracing)

Processes
• [3284] C:\Users\Administrator\Desktop\word.exe
• [3496] C:\Windows\System32\wbem\WMIC.exe

3/14/2019 10:59:04 AM

显示全部楼层 · 发表于 2019-3-14 17:09:56

www-tekeze 发表于 2019-3-14 17:00
开启勒索诱捕，第一个弹窗就是主防报勒索，关闭诱捕只能靠自定义规则，否则全盘被加密。。

GandCrab5.X都有那么多变种了，火绒还不打算做通杀，最近GandCrab5.X的样本扫描基本全Miss，只能靠诱捕杀，太丢脸了吧

显示全部楼层 · 发表于 2019-3-14 17:13:24

小红伞解压清空
微点无反应

显示全部楼层 · 发表于 2019-3-14 17:15:44

www-tekeze 发表于 2019-3-14 17:00
开启勒索诱捕，第一个弹窗就是主防报勒索，关闭诱捕只能靠自定义规则，否则全盘被加密。。

5.0火绒，不需开启勒索诱捕，被主防直接报勒索，over 。。

[病毒样本] GandCrab5.2_3 (19.03.14)

本帖子中包含更多资源

评分

本帖子中包含更多资源

本帖子中包含更多资源

本帖子中包含更多资源

本帖子中包含更多资源

本帖子中包含更多资源