This post was last edited by lifan88 on 2019-11-12 23:50
Hoping this gets pinned!
Huorong 4.0's monitoring has been bypassed: the registry writes get past Huorong, and loading the driver gets past the defenses of both Huorong and Huorong Sword (火绒剑).
After the new rootkit is loaded, with no reboot needed, it immediately makes a copy of TCPIP.sys, then loads and hijacks it..
1. Test environment: VMware, Win8.1 x64 Pro
2. Test method: just run it
3. Glossary of action names
SYS_regsrv: register service
SYS_load_kmod: load kernel module
SYS_enumproc: enumerate processes
SYS_opendev: open device
REG_openkey: open registry key
REG_getval: read registry value
REG_mkkey: create registry key
REG_setval: set registry value
REG_rmval: delete registry value
REG_rmkey: delete registry key
FILE_open: open file
FILE_touch: create file
FILE_truncate: truncate file
FILE_write: write file
FILE_chmod: set file attributes
FILE_modified: file modified
BA_exec_extratedfile: launch a self-extracted file
PROC_exec: create process
PROC_open: open process
PROC_readvm: cross-process memory read
PROC_writevm: cross-process memory write
PROC_pgprot: cross-process memory protection change
THRD_setctxt: cross-process set thread context
THRD_resume: cross-process resume thread
EXEC_create: process start
EXEC_destroy: process exit
NET_connect: network connection
NET_send: send packet
NET_http: HTTP request
4. Actions captured by Huorong Sword
15:25:13:683, 简单挂免费版.exe, 2336:0, 2780, EXEC_create, C:\Users\j8qq_000\Desktop\简单挂免费版.exe, parent_pid:2780 cmdline:'"C:\Users\j8qq_000\Desktop\简单挂免费版.exe" ' image_base:0x0000000000A20000 image_size:0x022EE000 , 0x00000000 [The operation completed successfully. ],
15:25:28:372, 简单挂免费版.exe, 2336:2712, 2780, FILE_touch, C:\Users\j8qq_000\Desktop\简单挂免费版.lnk, access:0x0012019F alloc_size:0 attrib:0x00000000 share_access:0x00000003 disposition:0x00000005 options:0x00000060 , 0x00000000 [The operation completed successfully. ],
15:25:29:336, 简单挂免费版.exe, 2336:2712, 2780, FILE_write, C:\Users\j8qq_000\Desktop\简单挂免费版.lnk, offset:0x00000000 datalen:0x000001EB , 0x00000000 [The operation completed successfully. ],
15:25:29:336, 简单挂免费版.exe, 2336:2712, 2780, FILE_modified, C:\Users\j8qq_000\Desktop\简单挂免费版.lnk, , 0x00000000 [The operation completed successfully. ],
15:25:29:336, 简单挂免费版.exe, 2336:2712, 2780, PROC_open, C:\Windows\Explorer.EXE, target_pid:2904 access:0x00000040 , 0x00000000 [The operation completed successfully. ],
15:25:29:383, 简单挂免费版.exe, 2336:2712, 2780, FILE_touch, C:\Program Files (x86)\BCL Technologies\J9CE8BF, access:0x00120196 alloc_size:0 attrib:0x00000080 share_access:0x00000002 disposition:0x00000005 options:0x00000060 , 0x00000000 [The operation completed successfully. ],
15:25:29:383, 简单挂免费版.exe, 2336:2712, 2780, FILE_truncate, C:\Program Files (x86)\BCL Technologies\J9CE8BF, eof:0x00000000 , 0x00000000 [The operation completed successfully. ],
15:25:29:383, 简单挂免费版.exe, 2336:2712, 2780, FILE_write, C:\Program Files (x86)\BCL Technologies\J9CE8BF, offset:0x00000000 datalen:0x0000CAC8 , 0x00000000 [The operation completed successfully. ],
15:25:29:383, 简单挂免费版.exe, 2336:2712, 2780, FILE_modified, C:\Program Files (x86)\BCL Technologies\J9CE8BF, , 0x00000000 [The operation completed successfully. ],
15:25:29:383, 简单挂免费版.exe, 2336:2712, 2780, FILE_open, C:\Program Files (x86)\BCL Technologies\J9CE8BF, access:0x00000080 alloc_size:0 attrib:0x00000000 share_access:0x00000007 disposition:0x00000001 options:0x00200000 , 0x00000000 [The operation completed successfully. ],
15:25:29:401, 简单挂免费版.exe, 2336:2712, 2780, FILE_open, C:\Program Files (x86)\BCL Technologies\J9CE8BF, access:0x00120089 alloc_size:0 attrib:0x00000080 share_access:0x00000003 disposition:0x00000001 options:0x00000060 , 0x00000000 [The operation completed successfully. ],
15:25:29:414, 简单挂免费版.exe, 2336:0, 2780, PROC_exec, C:\Program Files (x86)\BCL Technologies\J9CE8BF, target_pid:2916 , 0x00000000 [The operation completed successfully. ],
15:25:29:414, 简单挂免费版.exe, 2336:0, 2780, BA_exec_extratedfile, C:\Program Files (x86)\BCL Technologies\J9CE8BF, , 0x00000000 [The operation completed successfully. ],
15:25:29:570, 简单挂免费版.exe, 2336:2712, 2780, SYS_opendev, \Device\Nsi, devtype:18 access:0x00100080 share:0x00000003 , 0x00000000 [The operation completed successfully. ],
15:25:29:586, 简单挂免费版.exe, 2336:2696, 2780, SYS_opendev, \Device\NetBT_Tcpip_{BE64D43C-A4AB-4BAB-94A7-3EAF64B87C45}, devtype:18 access:0x00100001 share:0x00000003 , 0x00000000 [The operation completed successfully. ],
15:25:29:586, 简单挂免费版.exe, 2336:2696, 2780, SYS_opendev, \Device\NetBT_Tcpip_{3BC837FC-63F3-4FFA-9A1A-C5A239D314FC}, devtype:18 access:0x00100001 share:0x00000003 , 0x00000000 [The operation completed successfully. ],
15:25:29:586, 简单挂免费版.exe, 2336:2696, 2780, SYS_opendev, \Device\Afd, devtype:17 access:0xC0140000 share:0x00000003 , 0x00000000 [The operation completed successfully. ],
15:25:29:617, svchost.exe, 772:1044, 0, NET_connect, 114.114.114.114:53, protocol:(UDP)1 , 0x00000000 [The operation completed successfully. ],
15:25:29:617, svchost.exe, 772:1044, 0, NET_send, 114.114.114.114:53, protocol:(UDP)1 datalen:36 data:'1A 03 01 00 00 01 00 00 00 00 00 00 03 63 72 6C ' , 0x00000000 [The operation completed successfully. ],
15:25:29:639, 简单挂免费版.exe, 2336:2584, 2780, SYS_opendev, \Device\Afd, devtype:17 access:0xC0140000 share:0x00000003 , 0x00000000 [The operation completed successfully. ],
15:25:31:607, 简单挂免费版.exe, 2336:3788, 2780, NET_http, crl.globalsign.net/root-r3.crl, protocol:(TCP)0 cmd:'GET' datalen:129 , 0x00000000 [The operation completed successfully. ],
15:25:31:607, 简单挂免费版.exe, 2336:3788, 2780, NET_send, 58.218.208.14:80, protocol:(TCP)0 datalen:129 data:'47 45 54 20 2F 72 6F 6F 74 2D 72 33 2E 63 72 6C ' , 0x00000000 [The operation completed successfully. ],
15:25:31:648, 简单挂免费版.exe, 2336:3596, 2780, SYS_opendev, \Device\NetBT_Tcpip_{BE64D43C-A4AB-4BAB-94A7-3EAF64B87C45}, devtype:18 access:0x00100001 share:0x00000003 , 0x00000000 [The operation completed successfully. ],
15:25:31:648, 简单挂免费版.exe, 2336:3596, 2780, SYS_opendev, \Device\NetBT_Tcpip_{3BC837FC-63F3-4FFA-9A1A-C5A239D314FC}, devtype:18 access:0x00100001 share:0x00000003 , 0x00000000 [The operation completed successfully. ],
15:25:31:683, 简单挂免费版.exe, 2336:2104, 2780, NET_http, ocsp2.globalsign.com/gscodesignsha2g2/MFMwUTBPME0wSzAJBgUrDgMCGgUABBQpEOCqbmTiQA9OjY%2F%2Ft2aa8NSkuwQUGUq4WuRNMaUU5V7sL6Mc%2BoCMMmsCEhEhtwDAvcCDp%2B4THnIkJBLN5w%3D%3D, protocol:(TCP)0 cmd:'GET' datalen:265 , 0x00000000 [The operation completed successfully. ],
15:25:31:683, 简单挂免费版.exe, 2336:2104, 2780, NET_send, 180.153.105.140:80, protocol:(TCP)0 datalen:265 data:'47 45 54 20 2F 67 73 63 6F 64 65 73 69 67 6E 73 ' , 0x00000000 [The operation completed successfully. ],
15:25:31:820, 简单挂免费版.exe, 2336:2712, 2780, FILE_open, C:\Program Files (x86)\BCL Technologies\J9CE8BF, access:0x00000080 alloc_size:0 attrib:0x00000000 share_access:0x00000007 disposition:0x00000001 options:0x00200000 , 0x00000000 [The operation completed successfully. ],
15:25:31:842, 简单挂免费版.exe, 2336:2712, 2780, PROC_readvm, C:\Program Files (x86)\BCL Technologies\J9CE8BF, target_pid:2916 base:0x000000007FFDE000 bytes_read:0x000001D8 datalen:0x000001D8 data:'00 00 00 00 FF FF FF FF 00 00 40 00 00 00 00 00 ' , 0x00000000 [The operation completed successfully. ],
15:25:31:868, 简单挂免费版.exe, 2336:2712, 2780, PROC_pgprot, C:\Program Files (x86)\BCL Technologies\J9CE8BF, target_pid:2916 base:0x0000000000400000 count:0x00000400 attrib:0x00000040 bytes_changed:0x00001000 , 0x00000000 [The operation completed successfully. ],
15:25:31:914, 简单挂免费版.exe, 2336:2712, 2780, THRD_setctxt, C:\Program Files (x86)\BCL Technologies\J9CE8BF, target_pid:2916 target_tid:3700 , 0x00000000 [The operation completed successfully. ],
15:25:31:914, 简单挂免费版.exe, 2336:2712, 2780, THRD_resume, C:\Program Files (x86)\BCL Technologies\J9CE8BF, target_pid:2916 target_tid:3700 , 0x00000000 [The operation completed successfully. ],
15:25:32:007, 简单挂免费版.exe, 2336:0, 2780, EXEC_destroy, C:\Users\j8qq_000\Desktop\简单挂免费版.exe, parent_pid:2780 cmdline:'"C:\Users\j8qq_000\Desktop\简单挂免费版.exe" ' , 0x00000000 [The operation completed successfully. ],
Next comes the performance of the "update module" J9CE8BF (J9CE8BF is actually an exe, created with no extension! Its performance gets past Huorong and Huorong Sword, and the driver and the dropper that produced it are not the same thing! The driver is something even exeinfo can't make sense of).
15:27:21:187, J9CE8BF, 2916:3308, 2780, NET_connect, 183.60.187.58:80, protocol:(TCP)0 , 0x00000000 [The operation completed successfully. ],
15:27:21:220, J9CE8BF, 2916:3308, 2780, NET_http, sinacloud.net/question/B64d.rar, protocol:(TCP)0 cmd:'GET' datalen:236 , 0x00000000 [The operation completed successfully. ],
15:27:31:321, svchost.exe, 772:1124, 0, NET_connect, 114.114.114.114:53, protocol:(UDP)1 , 0x00000000 [The operation completed successfully. ],
15:27:32:453, J9CE8BF, 2916:3308, 2780, FILE_touch, C:\Windows\SysWOW64\F80CLCJlM.sys, access:0x00120196 alloc_size:0 attrib:0x00000080 share_access:0x00000003 disposition:0x00000005 options:0x00000060 , 0x00000000 [The operation completed successfully. ],
15:27:32:453, J9CE8BF, 2916:3308, 2780, FILE_truncate, C:\Windows\SysWOW64\F80CLCJlM.sys, eof:0x00000000 , 0x00000000 [The operation completed successfully. ],
15:27:41:727, J9CE8BF, 2916:3700, 2780, REG_openkey, HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\CTF\KnownClasses, access:0x00020019 , 0xC0000034 [The system cannot find the file specified. ],
15:27:52:414, J9CE8BF, 2916:0, 2780, NET_send, 8.8.8.8:53, protocol:(UDP)1 datalen:32 data:'01 00 01 00 00 01 00 00 00 00 00 00 0B 73 69 6E ' , 0x00000000 [The operation completed successfully. ],
15:27:52:461, J9CE8BF, 2916:2140, 2780, NET_http, sinastorage.cn/question/PrsProt64.rar, protocol:(TCP)0 cmd:'GET' datalen:242 , 0x00000000 [The operation completed successfully. ],
15:27:52:461, J9CE8BF, 2916:2140, 2780, NET_send, 121.14.32.187:80, protocol:(TCP)0 datalen:242 data:'47 45 54 20 2F 71 75 65 73 74 69 6F 6E 2F 50 72 ' , 0x00000000 [The operation completed successfully. ],
15:27:55:565, J9CE8BF, 2916:3308, 2780, FILE_write, C:\Windows\SysWOW64\F80CLCJlM.sys, offset:0x00000000 datalen:0x00001000 , 0x00000000 [The operation completed successfully. ],
15:27:55:961, J9CE8BF, 2916:3308, 2780, FILE_modified, C:\Windows\SysWOW64\F80CLCJlM.sys, , 0x00000000 [The operation completed successfully. ],
Huorong recorded nothing for the registry writes here, yet the driver-registration registry activity of PCH, driver-loading tools and TDSSKiller all gets recorded and blocked!
15:27:56:024, services.exe, 580:2840, 0, REG_mkkey, HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\F80CLCJlM, access:0x0002001F , 0x00000000 [The operation completed successfully. ],
15:27:56:024, services.exe, 580:2840, 0, REG_setval, HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\F80CLCJlM\Type, type:0x00000004 datalen:4 data:'01 00 00 00 ' , 0x00000000 [The operation completed successfully. ],
15:27:56:024, services.exe, 580:2840, 0, REG_setval, HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\F80CLCJlM\Start, type:0x00000004 datalen:4 data:'01 00 00 00 ' , 0x00000000 [The operation completed successfully. ],
15:27:56:024, services.exe, 580:2840, 0, REG_openkey, HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\F80CLCJlM\StartOverride, access:0x02000000 , 0xC0000034 [The system cannot find the file specified. ],
15:27:56:024, services.exe, 580:2840, 0, REG_setval, HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\F80CLCJlM\ErrorControl, type:0x00000004 datalen:4 data:'01 00 00 00 ' , 0x00000000 [The operation completed successfully. ],
15:27:56:041, services.exe, 580:2840, 0, REG_setval, HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\F80CLCJlM\ImagePath, type:0x00000002 datalen:76 data:'5C 3F 3F 5C 43 3A 5C 57 69 6E 64 6F 77 73 5C 53 ' , 0x00000000 [The operation completed successfully. ],
15:27:56:041, services.exe, 580:2840, 0, REG_setval, HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\F80CLCJlM\DisplayName, type:0x00000001 datalen:20 data:'46 38 30 43 4C 43 4A 6C 4D 00 ' , 0x00000000 [The operation completed successfully. ],
15:27:56:041, services.exe, 580:2840, 0, REG_setval, HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\F80CLCJlM\WOW64, type:0x00000004 datalen:4 data:'01 00 00 00 ' , 0x00000000 [The operation completed successfully. ],
15:27:56:041, services.exe, 580:2840, 0, REG_openkey, HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\F80CLCJlM, access:0x00020019 , 0x00000000 [The operation completed successfully. ],
15:27:56:070, services.exe, 580:2840, 0, REG_openkey, HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\F80CLCJlM, access:0x00020019 , 0x00000000 [The operation completed successfully. ],
15:27:56:070, services.exe, 580:2840, 0, REG_openkey, HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\F80CLCJlM, access:0x00020019 , 0x00000000 [The operation completed successfully. ],
This is the driver load!!! Huorong doesn't react at all!!! So System starts reading the driver's registry entries (the registry configuration is read before loading)!
15:27:56:070, System, 4:3268, 0, REG_openkey, HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\F80CLCJlM, access:0x00020019 , 0x00000104 [A reparse should be performed by the Object Manager since the name of the file resulted in a symbolic link. ],
15:27:56:070, System, 4:3268, 0, REG_openkey, HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\F80CLCJlM, access:0x00020019 , 0x00000000 [The operation completed successfully. ],
15:27:56:070, System, 4:3268, 0, REG_getval, HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\F80CLCJlM\ImagePath, type:0x00000002 datalen:76 data:'5C 00 3F 00 3F 00 5C 00 43 00 3A 00 5C 00 57 00 ' , 0x00000000 [The operation completed successfully. ],
15:27:56:070, System, 4:3268, 0, REG_getval, HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\F80CLCJlM\Type, type:0x00000004 datalen:4 data:'01 00 00 00 ' , 0x00000000 [The operation completed successfully. ],
15:27:56:070, System, 4:3268, 0, FILE_open, C:\Windows\SysWOW64\F80CLCJlM.sys, access:0x00000020 alloc_size:0 attrib:0x00000000 share_access:0x00000005 disposition:0x00000001 options:0x00000000 , 0x00000000 [The operation completed successfully. ],
15:27:56:122, System, 4:3268, 0, REG_openkey, HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Compatibility\Driver\F80CLCJlM.sys, access:0x00020019 , 0x00000104 [A reparse should be performed by the Object Manager since the name of the file resulted in a symbolic link. ],
15:27:56:122, System, 4:3268, 0, FILE_open, C:\Windows\apppatch\drvmain.sdb, access:0x00120089 alloc_size:0 attrib:0x00000000 share_access:0x00000005 disposition:0x00000001 options:0x00000000 , 0x00000000 [The operation completed successfully. ],
15:27:56:122, System, 4:3268, 0, REG_openkey, HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Compatibility\Driver\F80CLCJlM.sys, access:0x00020019 , 0xC0000034 [The system cannot find the file specified. ],
15:27:56:133, System, 4:3268, 0, FILE_open, C:\Windows\apppatch\drvmain.sdb, access:0x00120089 alloc_size:0 attrib:0x00000000 share_access:0x00000005 disposition:0x00000001 options:0x00000000 , 0x00000000 [The operation completed successfully. ],
15:27:56:122, System, 4:3268, 0, REG_getval, HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\F80CLCJlM\ImagePath, type:0x00000002 datalen:76 data:'5C 00 3F 00 3F 00 5C 00 43 00 3A 00 5C 00 57 00 ' , 0x00000000 [The operation completed successfully. ],
15:27:56:180, System, 4:3268, 0, REG_openkey, HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\ComputerName\ComputerName, access:0x02020019 , 0x00000104 [A reparse should be performed by the Object Manager since the name of the file resulted in a symbolic link. ],
15:27:56:180, System, 4:3268, 0, REG_openkey, HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\ComputerName\ComputerName, access:0x02020019 , 0x00000000 [The operation completed successfully. ],
15:27:56:180, System, 4:3268, 0, REG_getval, HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\ComputerName\ComputerName\ComputerName, type:0x00000001 datalen:8 data:'48 00 48 00 48 00 00 00 ' , 0x00000000 [The operation completed successfully. ],
15:27:56:180, System, 4:3268, 0, REG_openkey, HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\ComputerName\ComputerName, access:0x02020019 , 0x00000104 [A reparse should be performed by the Object Manager since the name of the file resulted in a symbolic link. ],
15:27:56:180, System, 4:3268, 0, REG_openkey, HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\ComputerName\ComputerName, access:0x02020019 , 0x00000000 [The operation completed successfully. ],
15:27:56:180, System, 4:3268, 0, REG_getval, HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\ComputerName\ComputerName\ComputerName, type:0x00000001 datalen:8 data:'48 00 48 00 48 00 00 00 ' , 0x00000000 [The operation completed successfully. ],
15:27:56:180, System, 4:3268, 0, REG_openkey, HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\F80CLCJlM, access:0x00000001 , 0x00000104 [A reparse should be performed by the Object Manager since the name of the file resulted in a symbolic link. ],
15:27:56:180, System, 4:3268, 0, REG_openkey, HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\F80CLCJlM, access:0x00000001 , 0x00000000 [The operation completed successfully. ],
15:27:56:180, System, 4:3268, 0, REG_openkey, HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\F80CLCJlM, access:0x00000001 , 0x00000104 [A reparse should be performed by the Object Manager since the name of the file resulted in a symbolic link. ],
15:27:56:180, System, 4:3268, 0, REG_openkey, HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\F80CLCJlM, access:0x00000001 , 0x00000000 [The operation completed successfully. ],
15:27:56:180, System, 4:3268, 0, REG_getval, HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\F80CLCJlM\Start, type:0x00000004 datalen:4 data:'01 00 00 00 ' , 0x00000000 [The operation completed successfully. ],
15:27:56:180, System, 4:3268, 0, REG_mkkey, HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\F80CLCJlM, access:0x00020006 , 0x00000104 [A reparse should be performed by the Object Manager since the name of the file resulted in a symbolic link. ],
15:27:56:180, System, 4:3268, 0, REG_mkkey, HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\F80CLCJlM, access:0x00020006 , 0x00000000 [The operation completed successfully. ],
15:27:56:180, System, 4:3268, 0, REG_setval, HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\F80CLCJlM\ImagePath, type:0x00000002 datalen:76 data:'5C 3F 3F 5C 43 3A 5C 57 69 6E 64 6F 77 73 5C 53 ' , 0x00000000 [The operation completed successfully. ],
15:27:56:180, System, 4:3268, 0, REG_mkkey, HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\F80CLCJlM, access:0x00020006 , 0x00000104 [A reparse should be performed by the Object Manager since the name of the file resulted in a symbolic link. ],
15:27:56:180, System, 4:3268, 0, REG_mkkey, HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\F80CLCJlM, access:0x00020006 , 0x00000000 [The operation completed successfully. ],
15:27:56:180, System, 4:3268, 0, REG_setval, HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\F80CLCJlM\Type, type:0x00000004 datalen:4 data:'01 00 00 00 ' , 0x00000000 [The operation completed successfully. ],
15:27:56:180, System, 4:3268, 0, REG_mkkey, HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\F80CLCJlM, access:0x00020006 , 0x00000104 [A reparse should be performed by the Object Manager since the name of the file resulted in a symbolic link. ],
15:27:56:180, System, 4:3268, 0, REG_mkkey, HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\F80CLCJlM, access:0x00020006 , 0x00000000 [The operation completed successfully. ],
15:27:56:180, System, 4:3268, 0, REG_setval, HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\F80CLCJlM\Start, type:0x00000004 datalen:4 data:'01 00 00 00 ' , 0x00000000 [The operation completed successfully. ],
15:27:56:180, System, 4:3268, 0, REG_mkkey, HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\F80CLCJlM, access:0x00020006 , 0x00000104 [A reparse should be performed by the Object Manager since the name of the file resulted in a symbolic link. ],
15:27:56:180, System, 4:3268, 0, REG_mkkey, HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\F80CLCJlM, access:0x00020006 , 0x00000000 [The operation completed successfully. ],
15:27:56:180, System, 4:3268, 0, REG_setval, HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\F80CLCJlM\Group, type:0x00000001 datalen:32 data:'53 79 73 74 65 6D 20 52 65 73 65 72 76 65 64 00 ' , 0x00000000 [The operation completed successfully. ],
15:27:56:180, System, 4:3268, 0, REG_mkkey, HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\F80CLCJlM, access:0x00020006 , 0x00000104 [A reparse should be performed by the Object Manager since the name of the file resulted in a symbolic link. ],
15:27:56:180, System, 4:3268, 0, REG_mkkey, HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\F80CLCJlM, access:0x00020006 , 0x00000000 [The operation completed successfully. ],
15:27:56:180, System, 4:3268, 0, REG_setval, HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\F80CLCJlM\mark, type:0x00000001 datalen:14 data:'3F 00 0B 00 0C 00 00 ' , 0x00000000 [The operation completed successfully. ],
15:27:56:180, System, 4:3268, 0, REG_openkey, HKEY_LOCAL_MACHINE\SYSTEM\Select, access:0x00020019 , 0x00000000 [The operation completed successfully. ],
15:27:56:180, System, 4:3268, 0, REG_getval, HKEY_LOCAL_MACHINE\SYSTEM\Select\Current, type:0x00000004 datalen:4 data:'01 00 00 00 ' , 0x00000000 [The operation completed successfully. ],
15:27:56:180, System, 4:3268, 0, REG_getval, HKEY_LOCAL_MACHINE\SYSTEM\Select\Default, type:0x00000004 datalen:4 data:'01 00 00 00 ' , 0x00000000 [The operation completed successfully. ],
15:27:56:180, System, 4:3268, 0, REG_getval, HKEY_LOCAL_MACHINE\SYSTEM\Select\LastKnownGood, type:0x00000004 datalen:4 data:'01 00 00 00 ' , 0x00000000 [The operation completed successfully. ],
15:27:56:180, System, 4:3268, 0, REG_openkey, HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\F80CLCJlM, access:0x00020019 , 0x00000000 [The operation completed successfully. ],
15:27:56:227, System, 4:3268, 0, REG_mkkey, HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\F80CLCJlM, access:0x00020006 , 0x00000000 [The operation completed successfully. ],
15:27:56:227, System, 4:3268, 0, REG_rmval, HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\F80CLCJlM\Tag, keyname:'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\F80CLCJlM' , 0xC0000034 [The system cannot find the file specified. ],
15:27:56:227, System, 4:3268, 0, REG_openkey, HKEY_LOCAL_MACHINE\SYSTEM\Select, access:0x00020019 , 0x00000000 [The operation completed successfully. ],
15:27:56:227, System, 4:3268, 0, REG_getval, HKEY_LOCAL_MACHINE\SYSTEM\Select\Current, type:0x00000004 datalen:4 data:'01 00 00 00 ' , 0x00000000 [The operation completed successfully. ],
At this point the rootkit is already active inside System!
15:27:56:227, System, 4:3268, 0, FILE_open, C:\Windows\System32\ntdll.dll, access:0x00120089 alloc_size:0 attrib:0x00000080 share_access:0x00000001 disposition:0x00000001 options:0x00000020 , 0x00000000 [The operation completed successfully. ],
15:27:56:289, System, 4:3268, 0, FILE_open, C:\Windows\System32\drivers\usbhub.sys, access:0x00120089 alloc_size:0 attrib:0x00000080 share_access:0x00000001 disposition:0x00000001 options:0x00000060 , 0x00000000 [The operation completed successfully. ],
15:27:56:289, System, 4:3268, 0, FILE_open, C:\Windows\System32\drivers\usbhub.sys, access:0x00120089 alloc_size:0 attrib:0x00000080 share_access:0x00000001 disposition:0x00000001 options:0x00000060 , 0x00000000 [The operation completed successfully. ],
15:27:56:312, services.exe, 580:2840, 0, REG_openkey, HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\F80CLCJlM, access:0x00020019 , 0x00000000 [The operation completed successfully. ],
15:27:56:320, System, 4:3432, 0, FILE_open, C:\Windows\SysWOW64\F80CLCJlM.sys, access:0x00120089 alloc_size:0 attrib:0x00000080 share_access:0x00000000 disposition:0x00000001 options:0x00000060 , 0x00000000 [The operation completed successfully. ],
15:27:56:320, System, 4:3432, 0, REG_openkey, HKEY_LOCAL_MACHINE\SYSTEM\Setup, access:0x00020019 , 0x00000000 [The operation completed successfully. ],
15:27:56:320, System, 4:3432, 0, REG_getval, HKEY_LOCAL_MACHINE\SYSTEM\Setup\SystemPartition, type:0x00000001 datalen:48 data:'5C 00 44 00 65 00 76 00 69 00 63 00 65 00 5C 00 ' , 0x00000000 [The operation completed successfully. ],
It copies a Tcpip.sys and loads it from within System, yet still nothing is recorded!
15:27:56:320, System, 4:3432, 0, FILE_open, C:\Windows\System32\drivers\tcpip.sys, access:0x00000080 alloc_size:0 attrib:0x00000000 share_access:0x00000003 disposition:0x00000001 options:0x00000040 , 0x00000000 [The operation completed successfully. ],
15:27:56:320, System, 4:3432, 0, FILE_open, C:\Windows\System32\drivers\tcpip.sys, access:0x00120089 alloc_size:0 attrib:0x00000080 share_access:0x00000003 disposition:0x00000003 options:0x00000860 , 0x00000000 [The operation completed successfully. ],
Tcpip.sys has been copied out
15:27:56:352, System, 4:3432, 0, FILE_touch, C:\Windows\System32\drivers\LEMJewCg.sys, access:0x0012019F alloc_size:0 attrib:0x00000080 share_access:0x00000003 disposition:0x00000003 options:0x00000860 , 0x00000000 [The operation completed successfully. ],
15:27:56:352, System, 4:3432, 0, FILE_write, C:\Windows\System32\drivers\LEMJewCg.sys, offset:0x00000000 datalen:0x00001000 , 0x00000000 [The operation completed successfully. ],
15:27:56:685, System, 4:2864, 0, FILE_open, C:\Windows\System32\drivers\usbhub.sys, access:0x00120089 alloc_size:0 attrib:0x00000080 share_access:0x00000001 disposition:0x00000001 options:0x00000060 , 0x00000000 [The operation completed successfully. ],
15:27:56:695, System, 4:2864, 0, FILE_open, C:\Windows\System32\drivers\usbhub.sys, access:0x00120089 alloc_size:0 attrib:0x00000080 share_access:0x00000001 disposition:0x00000001 options:0x00000060 , 0x00000000 [The operation completed successfully. ],
15:27:56:711, System, 4:2864, 0, REG_mkkey, HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\NlaSvc\Parameters\Internet\ManualProxies, access:0x00020006 , 0x00000104 [A reparse should be performed by the Object Manager since the name of the file resulted in a symbolic link. ],
15:27:56:711, System, 4:2864, 0, REG_mkkey, HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\NlaSvc\Parameters\Internet\ManualProxies, access:0x00020006 , 0x00000000 [The operation completed successfully. ],
15:27:56:711, System, 4:2864, 0, REG_rmval, HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\NlaSvc\Parameters\Internet\ManualProxies\, keyname:'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\NlaSvc\Parameters\Internet\ManualProxies' , 0xC0000034 [The system cannot find the file specified. ],
15:27:56:711, System, 4:2864, 0, REG_openkey, HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\ServiceGroupOrder, access:0x00020019 , 0x00000104 [A reparse should be performed by the Object Manager since the name of the file resulted in a symbolic link. ],
15:27:56:711, System, 4:2864, 0, REG_getval, HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\ServiceGroupOrder\List, type:0x00000007 datalen:2234 data:'53 00 79 00 73 00 74 00 65 00 6D 00 20 00 52 00 ' , 0x00000000 [The operation completed successfully. ],
15:27:56:711, System, 4:2380, 0, REG_openkey, HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList\, access:0x000F003F , 0x00000000 [The operation completed successfully. ],
15:27:56:711, System, 4:2380, 0, REG_openkey, HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList\S-1-5-21-2463246743-3882878456-3851148573-1001, access:0x02020019 , 0x00000000 [The operation completed successfully. ],
15:27:56:711, System, 4:1748, 0, NET_connect, 101.201.172.229:80, protocol:(TCP)0 , 0x00000000 [The operation completed successfully. ],
15:27:56:773, System, 4:3432, 0, FILE_modified, C:\Windows\System32\drivers\LEMJewCg.sys, , 0x00000000 [The operation completed successfully. ],
Once the file work is done, the rootkit goes to work...
15:27:58:713, System, 4:3224, 0, NET_connect, 8.8.8.8:53, protocol:(UDP)1 , 0x00000000 [The operation completed successfully. ],
15:28:01:748, System, 4:3904, 0, NET_connect, 122.246.20.200:80, protocol:(TCP)0 , 0x00000000 [The operation completed successfully. ],
15:28:01:763, System, 4:3904, 0, NET_http, go.gengxinsys.com/data.php?t=l&m=0, protocol:(TCP)0 cmd:'GET' datalen:185 , 0x00000000 [The operation completed successfully. ],
15:28:01:763, System, 4:3904, 0, NET_send, 122.246.20.200:80, protocol:(TCP)0 datalen:185 data:'47 45 54 20 2F 64 61 74 61 2E 70 68 70 3F 74 3D ' , 0x00000000 [The operation completed successfully. ],
15:28:02:369, System, 4:3868, 0, FILE_open, C:\Windows\System32\drivers\usbhub.sys, access:0x00120089 alloc_size:0 attrib:0x00000080 share_access:0x00000001 disposition:0x00000001 options:0x00000060 , 0x00000000 [The operation completed successfully. ],
15:28:03:822, System, 4:2864, 0, NET_http, go.gengxinsys.com/data.php?t=l&m=0, protocol:(TCP)0 cmd:'GET' datalen:185 , 0x00000000 [The operation completed successfully. ],
15:28:03:822, System, 4:2864, 0, NET_send, 122.246.20.200:80, protocol:(TCP)0 datalen:185 data:'47 45 54 20 2F 64 61 74 61 2E 70 68 70 3F 74 3D ' , 0x00000000 [The operation completed successfully. ],
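As an added example that is not part of the original post and not Huorong Sword's own code: a small Python parser for the action-log format shown above (time, process, pid:tid, parent pid, action, target, details, NTSTATUS and message), with three correlation rules for the chain lifan88 walks through: services.exe registering a service whose Type is 1 (SERVICE_KERNEL_DRIVER in winnt.h; Start 1 is SERVICE_SYSTEM_START), a .sys written by a user-mode process and then opened by System (pid 4) from a location that is not System32\drivers, and a System thread reading an existing driver in the drivers directory and then creating a new .sys there. It also decodes the truncated data:'..' dump of ImagePath, which reads "\??\C:\Windows\S" for the narrow dump services.exe produces and handles the UTF-16LE dump of the kernel-side read. The sample log is constructed by condensing lines from the post, with the status text shortened to [ok]; the rule names and the Event layout are my own assumptions, not Huorong Sword fields.

```python
"""Added example, not from the original post or from Huorong Sword: parse the
action-log lines and correlate the kernel-driver loading chain seen above."""
import re
from dataclasses import dataclass

# Constructed sample, condensed from the log in the post (status text shortened).
SAMPLE_LOG = r"""
15:27:32:453, J9CE8BF, 2916:3308, 2780, FILE_touch, C:\Windows\SysWOW64\F80CLCJlM.sys, access:0x00120196 , 0x00000000 [ok],
15:27:55:565, J9CE8BF, 2916:3308, 2780, FILE_write, C:\Windows\SysWOW64\F80CLCJlM.sys, offset:0x00000000 datalen:0x00001000 , 0x00000000 [ok],
15:27:56:024, services.exe, 580:2840, 0, REG_mkkey, HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\F80CLCJlM, access:0x0002001F , 0x00000000 [ok],
15:27:56:024, services.exe, 580:2840, 0, REG_setval, HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\F80CLCJlM\Type, type:0x00000004 datalen:4 data:'01 00 00 00 ' , 0x00000000 [ok],
15:27:56:024, services.exe, 580:2840, 0, REG_setval, HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\F80CLCJlM\Start, type:0x00000004 datalen:4 data:'01 00 00 00 ' , 0x00000000 [ok],
15:27:56:041, services.exe, 580:2840, 0, REG_setval, HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\F80CLCJlM\ImagePath, type:0x00000002 datalen:76 data:'5C 3F 3F 5C 43 3A 5C 57 69 6E 64 6F 77 73 5C 53 ' , 0x00000000 [ok],
15:27:56:070, System, 4:3268, 0, FILE_open, C:\Windows\SysWOW64\F80CLCJlM.sys, access:0x00000020 , 0x00000000 [ok],
15:27:56:320, System, 4:3432, 0, FILE_open, C:\Windows\System32\drivers\tcpip.sys, access:0x00120089 , 0x00000000 [ok],
15:27:56:352, System, 4:3432, 0, FILE_touch, C:\Windows\System32\drivers\LEMJewCg.sys, access:0x0012019F , 0x00000000 [ok],
15:27:56:352, System, 4:3432, 0, FILE_write, C:\Windows\System32\drivers\LEMJewCg.sys, offset:0x00000000 datalen:0x00001000 , 0x00000000 [ok],
"""

# Field layout as printed by the tool: time, process, pid:tid, parent pid, action,
# target, free-form details, NTSTATUS [message],
LINE_RE = re.compile(
    r"^(?P<time>[\d:]+), (?P<proc>[^,]+), (?P<pid>\d+):(?P<tid>\d+), (?P<ppid>\d+), "
    r"(?P<op>\w+), (?P<target>[^,]*), (?P<details>.*?), (?P<status>0x[0-9A-Fa-f]{8}) \["
)

@dataclass
class Event:  # assumed layout, not a Huorong Sword structure
    time: str
    proc: str
    pid: int
    tid: int
    op: str
    target: str
    details: str
    status: int  # NTSTATUS; 0 is STATUS_SUCCESS

def parse_log(text):
    """Return the Event list; annotation lines mixed into the log are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            g = m.groupdict()
            events.append(Event(g["time"], g["proc"], int(g["pid"]), int(g["tid"]),
                                g["op"], g["target"], g["details"].strip(),
                                int(g["status"], 16)))
    return events

def reg_data(ev):
    """Bytes of the (truncated) data:'..' dump printed for a registry value."""
    m = re.search(r"data:'([0-9A-Fa-f ]*)'", ev.details)
    return bytes(int(h, 16) for h in m.group(1).split()) if m else b""

def reg_dword(ev):
    raw = reg_data(ev)
    return int.from_bytes(raw[:4], "little") if len(raw) >= 4 else None

def reg_string_prefix(ev):
    """services.exe's write is dumped as narrow chars, the kernel's read as UTF-16LE."""
    raw = reg_data(ev)
    if len(raw) >= 2 and raw[1] == 0:
        return raw.decode("utf-16-le", "ignore").rstrip("\x00")
    return raw.decode("latin-1").rstrip("\x00")

SERVICE_KERNEL_DRIVER = 1  # winnt.h: service Type of a kernel-mode driver (Start 1 = SERVICE_SYSTEM_START)
SYSTEM_PID = 4             # the System process; kernel threads are attributed to it
DRIVERS_DIR = "c:\\windows\\system32\\drivers\\"
SERVICES_RE = re.compile(r"\\Services\\([^\\]+)\\(Type|Start|ImagePath)$", re.IGNORECASE)

def find_driver_load_chain(events):
    findings = []
    # 1. a kernel-driver service registered through the SCM (Type == 1)
    svc = {}
    for ev in events:
        m = SERVICES_RE.search(ev.target) if ev.op == "REG_setval" and ev.status == 0 else None
        if m:
            svc.setdefault(m.group(1), {})[m.group(2)] = ev
    for name, vals in svc.items():
        if "Type" in vals and reg_dword(vals["Type"]) == SERVICE_KERNEL_DRIVER:
            start = reg_dword(vals["Start"]) if "Start" in vals else None
            image = reg_string_prefix(vals["ImagePath"]) if "ImagePath" in vals else ""
            findings.append(("kernel_driver_service", name, vals["Type"].proc, start, image))
    # 2. a .sys written by a user-mode process and then opened by System (the load itself)
    written = {}
    for ev in events:
        key = ev.target.lower()
        if ev.status != 0 or not key.endswith(".sys"):
            continue
        if ev.op == "FILE_write" and ev.pid != SYSTEM_PID:
            written[key] = ev
        elif ev.op == "FILE_open" and ev.pid == SYSTEM_PID and key in written:
            outside_drivers_dir = not key.startswith(DRIVERS_DIR)  # SysWOW64 is no place for a driver
            findings.append(("dropped_driver_loaded", ev.target, written.pop(key).proc, outside_drivers_dir))
    # 3. a System thread reads an existing driver, then creates a new .sys beside it (a clone)
    last_read = {}
    for ev in events:
        key = ev.target.lower()
        if ev.pid != SYSTEM_PID or ev.status != 0 or not (key.startswith(DRIVERS_DIR) and key.endswith(".sys")):
            continue
        if ev.op == "FILE_open":
            last_read[ev.tid] = ev.target
        elif ev.op == "FILE_touch" and ev.tid in last_read and last_read[ev.tid].lower() != key:
            findings.append(("driver_cloned_in_kernel", last_read[ev.tid], ev.target))
    return findings

if __name__ == "__main__":
    for finding in find_driver_load_chain(parse_log(SAMPLE_LOG)):
        print(*finding)
```

Run against the sample it reports the service F80CLCJlM as a kernel driver registered by services.exe with ImagePath starting "\??\C:\Windows\S", the SysWOW64 driver written by J9CE8BF and then opened by System, and tcpip.sys read by System thread 3432 followed by the creation of LEMJewCg.sys in the same directory. Rule 2 keys on the process that wrote the file, not on who registered the service, so it still fires when, as here, the registry side is done by services.exe on the dropper's behalf.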