Ransom XiaoZhan-HU

3245076553

https://www.lanzous.com/iaa17yh

马甲账号

ESET扫描miss请楼主给样本加上密码
@LSPD

我我我55

卡巴斯基查杀

renyifei

瑞星miss

马甲账号

双击，首先会调用mshta.exe执行cmd.exe
然后样本本体"XiaoZhan-HU.bat"会调用wscript.exe弹出来一堆乱七八糟的窗口。。

然后被火绒文件监控报x.js为释放器木马！



没任何文件被加密

关闭火绒文件系统实时监控双击，前面的行为都一样。释放出的x.js会在%appdata%目录下创建XiaoZhan-HU.exe，并执行


然后XiaoZhan-HU.exe会写MBR

阻止或结束进程后啥事没有，允许后GG

CHURP

卡巴实时kill

swizzer

智量

脚本小子写的？？

病毒探索者

EMSISOFT 监控、扫描 missed
待双击
双击 主防云联动killed衍生物

a233

我这里怎么释放不出那个文件

ELOHIM

WD扫描不报。

1. echo wscript.sleep 500>>x.vbs
   
2. start mshta vbscript:Msgbox("肖战糊！",0,"肖战糊！")(Close)
   
3. wscript x.vbs >NUL 2>NUL
   
4. start mshta vbscript:Msgbox("肖战糊！",1,"肖战糊！")(Close)
   
5. wscript x.vbs >NUL 2>NUL
   
6. start mshta vbscript:Msgbox("肖战糊！",2,"肖战糊！")(Close)
   
7. wscript x.vbs >NUL 2>NUL
   
8. start mshta vbscript:Msgbox("肖战糊！",3,"肖战糊！")(Close)
   
9. wscript x.vbs >NUL 2>NUL
   
10. start mshta vbscript:Msgbox("肖战糊！",4,"肖战糊！")(Close)
    
11. wscript x.vbs >NUL 2>NUL
    
12. start mshta vbscript:Msgbox("肖战糊！",5,"肖战糊！")(Close)
    
13. wscript x.vbs >NUL 2>NUL
    
14. start mshta vbscript:Msgbox("肖战糊！",32,"肖战糊！")(Close)
    
15. wscript x.vbs >NUL 2>NUL
    
16. start mshta vbscript:Msgbox("肖战糊！",64,"肖战糊！")(Close)
    
17. wscript x.vbs >NUL 2>NUL
    
18. start mshta vbscript:Msgbox("肖战糊！",16,"肖战糊！")(Close)
    
19. wscript x.vbs >NUL 2>NUL
    
20. start mshta vbscript:Msgbox("肖战糊！",48,"肖战糊！")(Close)
    
21. wscript x.vbs >NUL 2>NUL
    
22. del x.vbs >NUL 2>NUL

复制代码

看的我真想笑。。