This post was last edited by 54ss on 2020-4-6 19:47
BEST scan: MISS
Double-clicking it does nothing for now...
Reporting it first. It has been on VT for eight months already... and still only a few vendors flag it.
The BD sandbox analysis came back: detected.
沙盒分析器检测到未知威胁. 文件已被删除。C:\Users\JOJO\Desktop\andylau1064g.exe
Modifies the registry so that it runs at system startup and when a user logs on. To do this, the original file c:\users\jojo\desktop\andylau1064g.exe modifies the registry key hkcu\software\microsoft\windows\currentversion\run\flagx : c:\users\jojo\desktop\andylau1064g.exe.

Network accesses can be used for the following reasons: check for Internet connection, report a new infection to its author, receive configuration or other data, receive instructions, search for its location, upload information etc. The original file c:\users\jojo\desktop\andylau1064g.exe connects to the domains hm.baidu.com/hm.gif?si=3a149aa78d002d0248fa7b89efed39ba&et=0&nv=1&st=2&se=1&su=https%3A%2F%2Fwww.baidu.com%2Fs%3Fie%3DUTF-8%26wd%3Dandylau1064g&v=wap-0-0.2&rnd=11111132487, 119.29.29.29:53.

Performs various changes to the file system. These changes can have various purposes from ensuring persistence and continuing the activities from an unknown location, storing information or modifying existing files to restrict access or destroying user data. The sample changes file attributes. By changing file attributes, it makes them harder to find or remove. The original file c:\users\jojo\desktop\andylau1064g.exe changes %profile%\appdata\roaming\microsoft\windows\cookies's attributes to include system, hidden, %profile%\appdata\local\microsoft\windows\temporary internet files\content.ie5's attributes to include system, hidden, %profile%\appdata\local\microsoft\windows\history\history.ie5's attributes to include system, hidden.

Creates a new process to perform certain actions. The original file c:\users\jojo\desktop\andylau1064g.exe creates the new process as %system directory%\cmd.exe.

The sample deletes the original file to limit forensic evidence and avoid analysis. The process name is the spawned process %system directory%\cmd.exe.