Views: 963 | Replies: 21

[Virus sample] GandCrab5.2_3 (19.03.14)

191196846
Posted 2019-3-14 16:37:52
This post was last edited by 191196846 on 2019-3-14 16:43

#Ransom #LowAVDetection

25DC3086DE8BDD780B89B0A7CD9D51BB  word.exe




A very interesting variant.


Rating: 1 participant, Popularity +1
www-tekeze +1: The board is better with you in it :)

灵果
Posted 2019-3-14 16:47:52
Kaspersky Free: the on-access monitor flagged it after extraction.

pre
Posted 2019-3-14 16:48:00
Norton: Kill

a233
Posted 2019-3-14 16:50:36
智量 (WiseVector): Kill. 火绒 (Huorong): Miss, as usual (could someone follow up with a double-click run?)

www-tekeze
Posted 2019-3-14 17:00:34
a233 posted on 2019-3-14 16:50:
智量 (WiseVector): Kill. 火绒 (Huorong): Miss, as usual (could someone follow up with a double-click run?)
With the ransomware decoy (honeypot) enabled, the very first popup is the proactive defense reporting ransomware; with the decoy disabled you can only rely on custom rules, otherwise the whole disk gets encrypted.

StarlitFuture
Posted 2019-3-14 17:00:47
360 Trojan scan log

Start time: 2019-3-14 16:59:27
Scan duration: 00:00:01
Scan type: Custom scan
Scan engines: 360 cloud scan engine (local trojan database)  360 heuristic engine  QEX script scan engine
Files scanned: 1
Files in critical system locations: 0
Modules running in system memory: 0
Archive files: 0
Safe files: 1
Security threats found: 0
Security threats handled: 0

Scan options
----------------------
Shut down automatically after scan: No
Scan mode: Fastest
Administrator: Yes

Scan content
----------------------
D:\迅雷下载\word.exe

Whitelist settings
----------------------
d:\games\bluestackscn\bluestacksgp.exe b36f923f5bef5cb970dbee7dae62c0c7
c:\program files\git\git-bash.exe bc9b5b5c120590798bc8139edb8d1606

Scan result
======================
No security threats found
badanwfs
Posted 2019-3-14 17:01:07
BG (BullGuard), still on a signature database from half a year ago: scan MISS. Double-clicked, files got encrypted, then after roughly 10 seconds the proactive defense KILLed it and rolled back.

Suspected file: word.exe

Path: C:\Users\Administrator\Desktop\word.exe

Details
•    Drop.Win64.Startup.221526

Files modified
•    C:\Users\Administrator\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\382BEE38D95B9C95C937BBCA7F3F9013
•    C:\Users\Administrator\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\382BEE38D95B9C95C937BBCA7F3F9013
•    C:\Users\Administrator\AppData\Local\Temp\bxmeoengtf.bmp
•    C:\Users\Public\Pictures\Sample Pictures\UXZQMEZB-MANUAL.txt
•    C:\Users\Public\Libraries\UXZQMEZB-MANUAL.txt
•    C:\Users\Public\Favorites\UXZQMEZB-MANUAL.txt
•    C:\Users\Public\Downloads\UXZQMEZB-MANUAL.txt
•    C:\Users\Public\Desktop\UXZQMEZB-MANUAL.txt
•    C:\Users\Public\Documents\UXZQMEZB-MANUAL.txt
•    C:\Users\Public\Music\UXZQMEZB-MANUAL.txt
•    C:\Users\Public\Pictures\UXZQMEZB-MANUAL.txt
•    C:\Users\Public\Videos\UXZQMEZB-MANUAL.txt
•    C:\Users\Default\AppData\Roaming\Microsoft\Windows\Templates\UXZQMEZB-MANUAL.txt
•    C:\Users\Default\AppData\Roaming\Microsoft\Windows\SendTo\UXZQMEZB-MANUAL.txt
•    C:\Users\Default\Saved Games\UXZQMEZB-MANUAL.txt
•    C:\Users\Default\AppData\Roaming\Microsoft\Windows\Recent\UXZQMEZB-MANUAL.txt
•    C:\Users\Default\AppData\Roaming\Microsoft\Windows\Printer Shortcuts\UXZQMEZB-MANUAL.txt
•    C:\Users\Default\AppData\Roaming\Microsoft\Windows\Network Shortcuts\UXZQMEZB-MANUAL.txt
•    C:\Users\Default\Downloads\UXZQMEZB-MANUAL.txt
•    C:\Users\Default\Favorites\UXZQMEZB-MANUAL.txt
•    C:\Users\Default\Links\UXZQMEZB-MANUAL.txt
•    C:\Users\Default\Music\UXZQMEZB-MANUAL.txt
•    C:\Users\Default\Pictures\UXZQMEZB-MANUAL.txt
•    C:\Users\Default\Videos\UXZQMEZB-MANUAL.txt
•    C:\Users\Default\AppData\Roaming\Microsoft\Windows\Cookies\UXZQMEZB-MANUAL.txt
•    C:\Users\Default\Desktop\UXZQMEZB-MANUAL.txt
•    C:\Users\Default\Documents\UXZQMEZB-MANUAL.txt
•    C:\Users\Default\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\UXZQMEZB-MANUAL.txt
•    C:\Users\Default\AppData\Roaming\Microsoft\Internet Explorer\UXZQMEZB-MANUAL.txt
•    C:\Users\Default\AppData\Roaming\Microsoft\UXZQMEZB-MANUAL.txt
•    C:\Users\Default\AppData\Local\Microsoft\Windows\Temporary Internet Files\UXZQMEZB-MANUAL.txt
•    C:\Users\Default\AppData\Local\Temp\UXZQMEZB-MANUAL.txt
•    C:\Users\Default\AppData\Local\Microsoft\UXZQMEZB-MANUAL.txt
•    C:\Users\Default\AppData\Local\Microsoft\Windows\History\UXZQMEZB-MANUAL.txt
•    C:\Users\Default\AppData\Local\UXZQMEZB-MANUAL.txt
•    C:\Users\Administrator\AppData\Roaming\Microsoft\Windows\Start Menu\UXZQMEZB-MANUAL.txt
•    C:\Users\Administrator\AppData\Roaming\Microsoft\Windows\Templates\UXZQMEZB-MANUAL.txt
•    C:\Users\Default\AppData\UXZQMEZB-MANUAL.txt
•    C:\Users\Default\UXZQMEZB-MANUAL.txt
•    C:\Users\Administrator\AppData\Roaming\Microsoft\Windows\Printer Shortcuts\UXZQMEZB-MANUAL.txt
•    C:\Users\Administrator\AppData\Roaming\Microsoft\Windows\Recent\UXZQMEZB-MANUAL.txt
•    C:\Users\Administrator\AppData\Roaming\Microsoft\Windows\SendTo\UXZQMEZB-MANUAL.txt
•    C:\Users\Administrator\Saved Games\UXZQMEZB-MANUAL.txt
•    C:\Users\Administrator\Searches\UXZQMEZB-MANUAL.txt
•    C:\Users\Administrator\ntuser.ini
•    C:\Users\Administrator\AppData\Roaming\Microsoft\Windows\Network Shortcuts\UXZQMEZB-MANUAL.txt
•    C:\Users\Administrator\Favorites\Links\UXZQMEZB-MANUAL.txt
•    C:\Users\Administrator\Links\UXZQMEZB-MANUAL.txt
•    C:\Users\Administrator\Documents\UXZQMEZB-MANUAL.txt
•    C:\Users\Administrator\Downloads\UXZQMEZB-MANUAL.txt
•    C:\Users\Administrator\Favorites\UXZQMEZB-MANUAL.txt
•    C:\Users\Administrator\Music\UXZQMEZB-MANUAL.txt
•    C:\Users\Administrator\Pictures\UXZQMEZB-MANUAL.txt
•    C:\Users\Administrator\Videos\UXZQMEZB-MANUAL.txt
•    C:\Users\Administrator\Desktop\word.rar
•    C:\Users\Administrator\AppData\Roaming\Microsoft\SystemCertificates\My\CRLs\UXZQMEZB-MANUAL.txt
•    C:\Users\Administrator\AppData\Roaming\Microsoft\SystemCertificates\My\CTLs\UXZQMEZB-MANUAL.txt
•    C:\Users\Administrator\AppData\Roaming\Microsoft\SystemCertificates\My\Certificates\UXZQMEZB-MANUAL.txt
•    C:\Users\Administrator\AppData\Roaming\Microsoft\Windows\Cookies\UXZQMEZB-MANUAL.txt
•    C:\Users\Administrator\AppData\Roaming\QuickScan\UXZQMEZB-MANUAL.txt
•    C:\Users\Administrator\Contacts\UXZQMEZB-MANUAL.txt
•    C:\Users\Administrator\Desktop\UXZQMEZB-MANUAL.txt
•    C:\Users\Administrator\AppData\Roaming\Microsoft\SystemCertificates\My\UXZQMEZB-MANUAL.txt
•    C:\Users\Administrator\AppData\Roaming\Microsoft\SystemCertificates\UXZQMEZB-MANUAL.txt
•    C:\Users\Administrator\AppData\Roaming\Microsoft\Internet Explorer\UserData\L7UWVVMH\UXZQMEZB-MANUAL.txt
•    C:\Users\Administrator\AppData\Roaming\Microsoft\Internet Explorer\UserData\Low\UXZQMEZB-MANUAL.txt
•    C:\Users\Administrator\AppData\Roaming\Microsoft\Internet Explorer\UserData\Y22FQC26\UXZQMEZB-MANUAL.txt
•    C:\Users\Administrator\AppData\Roaming\Microsoft\Protect\S-1-5-21-2986275899-530275652-2909107411-500\UXZQMEZB-MANUAL.txt
•    C:\Users\Administrator\AppData\Roaming\Microsoft\Protect\UXZQMEZB-MANUAL.txt
•    C:\Users\Administrator\AppData\Roaming\Microsoft\Internet Explorer\UserData\8MSDSGWA\UXZQMEZB-MANUAL.txt
•    C:\Users\Administrator\AppData\Roaming\Microsoft\Internet Explorer\UserData\K09L9QIL\UXZQMEZB-MANUAL.txt
•    C:\Users\Administrator\AppData\Roaming\Microsoft\Internet Explorer\UserData\UXZQMEZB-MANUAL.txt
•    C:\Users\Administrator\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\UXZQMEZB-MANUAL.txt
•    C:\Users\Administrator\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\ImplicitAppShortcuts\UXZQMEZB-MANUAL.txt
•    C:\Users\Administrator\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\UXZQMEZB-MANUAL.txt
•    C:\Users\Administrator\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\UXZQMEZB-MANUAL.txt
•    C:\Users\Administrator\AppData\Roaming\Microsoft\Internet Explorer\UXZQMEZB-MANUAL.txt
•    C:\Users\Administrator\AppData\Roaming\Identities\{6C2E0D9E-B5E4-4402-BB6B-BB73885CD256}\UXZQMEZB-MANUAL.txt
•    C:\Users\Administrator\AppData\Roaming\Microsoft\Credentials\UXZQMEZB-MANUAL.txt
•    C:\Users\Administrator\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-2986275899-530275652-2909107411-500\UXZQMEZB-MANUAL.txt
•    C:\Users\Administrator\AppData\Roaming\Microsoft\Crypto\RSA\UXZQMEZB-MANUAL.txt
•    C:\Users\Administrator\AppData\Roaming\Microsoft\Crypto\UXZQMEZB-MANUAL.txt
•    C:\Users\Administrator\AppData\Roaming\Microsoft\UXZQMEZB-MANUAL.txt
•    C:\Users\Administrator\AppData\Roaming\Identities\UXZQMEZB-MANUAL.txt
•    C:\Users\Administrator\AppData\Roaming\BullGuard\Antivirus\Profiles\UXZQMEZB-MANUAL.txt
•    C:\Users\Administrator\AppData\Roaming\BullGuard\Antivirus\UXZQMEZB-MANUAL.txt
•    C:\Users\Administrator\AppData\Roaming\BullGuard\GameBooster\UXZQMEZB-MANUAL.txt
•    C:\Users\Administrator\AppData\Roaming\BullGuard\TuneUp\UXZQMEZB-MANUAL.txt
•    C:\Users\Administrator\AppData\Roaming\BullGuard\UXZQMEZB-MANUAL.txt
•    C:\Users\Administrator\AppData\Roaming\UXZQMEZB-MANUAL.txt
•    C:\Users\Administrator\AppData\UXZQMEZB-MANUAL.txt
•    C:\PerfLogs\Admin\UXZQMEZB-MANUAL.txt
•    C:\PerfLogs\UXZQMEZB-MANUAL.txt
•    C:\Program Files\UXZQMEZB-MANUAL.txt
•    C:\Users\Administrator\UXZQMEZB-MANUAL.txt
•    C:\Users\UXZQMEZB-MANUAL.txt
•    C:\$Recycle.Bin\S-1-5-21-2986275899-530275652-2909107411-500\$RPWGMYO.txt
•    C:\$Recycle.Bin\S-1-5-21-2986275899-530275652-2909107411-500\$IPWGMYO.txt
•    C:\$Recycle.Bin\S-1-5-21-2986275899-530275652-2909107411-500\UXZQMEZB-MANUAL.txt
•    C:\$Recycle.Bin\UXZQMEZB-MANUAL.txt
•    C:\UXZQMEZB-MANUAL.txt
•    C:\Users\Administrator\Desktop\word.exe

Registry modified
•    HKEY_CURRENT_USER\\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections : SavedLegacySettings (old value = 46000000250000000900000000000000000000000000000004000000000000009B782E3928DAD4010000000000000000000000000100000002000000C0A88082000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 -> new value = 46000000260000000900000000000000000000000000000004000000000000009B782E3928DAD4010000000000000000000000000100000002000000C0A88082000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000)
•    HKEY_CURRENT_USER\\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections : SavedLegacySettings (old value = 46000000250000000900000000000000000000000000000004000000000000009B782E3928DAD4010000000000000000000000000100000002000000C0A88082000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 -> new value = 46000000260000000900000000000000000000000000000004000000000000009B782E3928DAD4010000000000000000000000000100000002000000C0A88082000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000)
•    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\word_RASAPI32 : EnableFileTracing (value = 0)
•    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\word_RASAPI32 : EnableConsoleTracing (value = 0)
•    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\word_RASAPI32 : FileTracingMask (value = -65536)
•    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\word_RASAPI32 : ConsoleTracingMask (value = -65536)
•    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\word_RASAPI32 : MaxFileSize (value = 1048576)
•    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\word_RASAPI32 : FileDirectory (value = %windir%\tracing)
•    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\word_RASMANCS : EnableFileTracing (value = 0)
•    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\word_RASMANCS : EnableConsoleTracing (value = 0)
•    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\word_RASMANCS : FileTracingMask (value = -65536)
•    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\word_RASMANCS : ConsoleTracingMask (value = -65536)
•    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\word_RASMANCS : MaxFileSize (value = 1048576)
•    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\word_RASMANCS : FileDirectory (value = %windir%\tracing)
•    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\word_RASAPI32 : EnableFileTracing (value = 0)
•    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\word_RASAPI32 : EnableConsoleTracing (value = 0)
•    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\word_RASAPI32 : FileTracingMask (value = -65536)
•    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\word_RASAPI32 : ConsoleTracingMask (value = -65536)
•    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\word_RASAPI32 : MaxFileSize (value = 1048576)
•    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\word_RASAPI32 : FileDirectory (value = %windir%\tracing)
•    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\word_RASMANCS : EnableFileTracing (value = 0)
•    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\word_RASMANCS : EnableConsoleTracing (value = 0)
•    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\word_RASMANCS : FileTracingMask (value = -65536)
•    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\word_RASMANCS : ConsoleTracingMask (value = -65536)
•    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\word_RASMANCS : MaxFileSize (value = 1048576)
•    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\word_RASMANCS : FileDirectory (value = %windir%\tracing)

Processes
•    [3284] C:\Users\Administrator\Desktop\word.exe
•    [3496] C:\Windows\System32\wbem\WMIC.exe

3/14/2019 10:59:04 AM
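The behaviour report above shows the two things a responder keys on before any signature exists: one identical file name (UXZQMEZB-MANUAL.txt) written into dozens of unrelated directories, and a built-in tool (WMIC.exe) started alongside the sample. The following script is an added example, not code from badanwfs's post or from BullGuard: it parses a report in that format and turns those two observations into a verdict. The REPORT text is a constructed excerpt of the posted report (a subset of the paths, same layout), the directory threshold and the LOLBin list are assumptions, and the note-name-to-extension mapping relies on background knowledge of GandCrab 5.x naming (the post itself shows only the note, not the encrypted files).

```python
"""Triage a behaviour report for the ransom-note drop pattern seen above."""
import re
from collections import defaultdict
from pathlib import PureWindowsPath

# Constructed excerpt of the BullGuard report in the post (a subset of the
# paths, same format). Not a full reproduction of the report.
REPORT = r"""
Files modified
•    C:\Users\Administrator\AppData\Local\Temp\bxmeoengtf.bmp
•    C:\Users\Public\Pictures\Sample Pictures\UXZQMEZB-MANUAL.txt
•    C:\Users\Public\Desktop\UXZQMEZB-MANUAL.txt
•    C:\Users\Default\Documents\UXZQMEZB-MANUAL.txt
•    C:\Users\Administrator\Desktop\UXZQMEZB-MANUAL.txt
•    C:\Users\Administrator\ntuser.ini
•    C:\Users\Administrator\Desktop\word.rar
•    C:\Program Files\UXZQMEZB-MANUAL.txt
•    C:\UXZQMEZB-MANUAL.txt
•    C:\Users\Administrator\Desktop\word.exe

Registry modified
•    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\word_RASAPI32 : EnableFileTracing (value = 0)

Processes
•    [3284] C:\Users\Administrator\Desktop\word.exe
•    [3496] C:\Windows\System32\wbem\WMIC.exe
"""

SECTION_RE = re.compile(r"^(Files modified|Registry modified|Processes)$")
BULLET_RE = re.compile(r"^\s*[•*-]\s*(.+?)\s*$")
PROC_RE = re.compile(r"^\[(\d+)\]\s+(.+)$")
# GandCrab 5.x names its note after the random extension it appends to
# encrypted files, upper-cased (background knowledge; the post shows only
# the note). The length bounds are an assumption.
NOTE_RE = re.compile(r"^([a-z0-9]{4,12})-manual\.txt$")
# Assumed list of built-in tools ransomware commonly launches as children.
LOLBINS = {"wmic.exe", "vssadmin.exe", "bcdedit.exe", "wbadmin.exe"}
NOTE_THRESHOLD = 5  # assumption: same basename in >= 5 distinct directories


def parse_report(text):
    """Split the report into its bulleted sections, keyed by heading."""
    sections = defaultdict(list)
    current = None
    for line in text.splitlines():
        heading = SECTION_RE.match(line.strip())
        if heading:
            current = heading.group(1)
            continue
        item = BULLET_RE.match(line)
        if item and current:
            sections[current].append(item.group(1))
    return sections


def find_ransom_notes(paths, threshold=NOTE_THRESHOLD):
    """Return {basename: [directories]} for every file name written into at
    least `threshold` distinct directories. One identical file sprayed across
    the tree is the note-drop signature, whatever the name happens to be."""
    dirs_by_name = defaultdict(set)
    for p in paths:
        wp = PureWindowsPath(p)
        dirs_by_name[wp.name.lower()].add(str(wp.parent).lower())
    return {name: sorted(dirs) for name, dirs in dirs_by_name.items()
            if len(dirs) >= threshold}


def ransom_note_extension(note_name):
    """Derive the likely encrypted-file extension from a GandCrab-style note name."""
    m = NOTE_RE.match(note_name.lower())
    return "." + m.group(1) if m else None


def suspicious_children(process_entries):
    """(pid, path) for every process in the report whose image is a LOLBin."""
    hits = []
    for entry in process_entries:
        m = PROC_RE.match(entry)
        if m and PureWindowsPath(m.group(2)).name.lower() in LOLBINS:
            hits.append((int(m.group(1)), m.group(2)))
    return hits


def triage(text):
    """Combine the file-spray and process checks into one verdict."""
    sections = parse_report(text)
    notes = find_ransom_notes(sections["Files modified"])
    lolbins = suspicious_children(sections["Processes"])
    verdict = "ransomware" if notes else ("suspicious" if lolbins else "clean")
    return {
        "verdict": verdict,
        "notes": notes,
        "likely_extensions": sorted({e for e in map(ransom_note_extension, notes) if e}),
        "lolbins": lolbins,
    }


if __name__ == "__main__":
    import json
    print(json.dumps(triage(REPORT), indent=2))
```

The spray check is deliberately name-agnostic: a new variant that renames its note still trips it, and the extension it derives (.uxzqmezb here) is what to search for on other hosts. The WMIC child on its own only earns "suspicious", because the report lists the process without its command line.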
a233
Posted 2019-3-14 17:09:56
www-tekeze posted on 2019-3-14 17:00:
With the ransomware decoy (honeypot) enabled, the very first popup is the proactive defense reporting ransomware; with the decoy disabled you can only rely on custom rules, otherwise the whole disk gets encrypted.

GandCrab5.X has had this many variants by now and 火绒 (Huorong) still has no plans for a generic detection; recent GandCrab5.X samples are basically all Miss on scan and can only be killed by the decoy. Pretty embarrassing.
具具
Posted 2019-3-14 17:13:24
小红伞 (Avira): wiped it on extraction.
微点 (Micropoint): no reaction.
www-tekeze
Posted 2019-3-14 17:15:44
www-tekeze posted on 2019-3-14 17:00:
With the ransomware decoy (honeypot) enabled, the very first popup is the proactive defense reporting ransomware; with the decoy disabled you can only rely on custom rules, otherwise the whole disk gets encrypted.

火绒 (Huorong) 5.0: without enabling the ransomware decoy, the proactive defense reported ransomware directly. Over.




Copyright © KaFan  KaFan.cn All Rights Reserved.

Powered by Discuz! X3.4 (苏ICP备07004770号) GMT+8, 2019-5-26 01:37