史上最恶心麻辣香锅MLXG Rootkit（没有之一） 12X

显示全部楼层 · 发表于 2022-3-18 16:16:26

kuroandsan 发表于 2022-3-18 00:15
我这里好像是killall，是拉黑快还是你那边云抽了

是我上报的

，上报前6x，McAfee的启发要是真有他说的那么🐂就好了

显示全部楼层 · 发表于 2022-3-18 16:18:16

onedrive 发表于 2022-3-18 16:16
是我上报的，上报前6x，McAfee的启发要是真有他说的那么🐂就好了

好像。。没过多久吧，咋这么快（（

显示全部楼层 · 发表于 2022-3-18 16:24:11

本帖最后由 onedrive 于 2022-3-18 00:48 编辑

kuroandsan 发表于 2022-3-18 00:18
好像。。没过多久吧，咋这么快（（

根据mcafee论坛的说法，JTI/Suspect这种报法就是认为该文件存在可疑代码/行为，但是McAfee当前不能确定。据更有经验的A兄更正，自动机可能会更少。

更新：JTI/Suspect如果有对应的月神检测记录，那么这是云检测，否则是本地的检测手段（FP率不低，据说是可能和静态启发有关，但是我不能确定，McAfee的老用户基本都被LAM伤过，大部分都跑路了）

虽然McAfee增加了可疑文件自动上报，但是我之前两周测样本（只扫描），还从未触发过...因为他说会上传前事先问我有没有个人信息，但是并没有问过，所以我认为没有触发，但是这个功能没有相关document，所以我也不能够非常确定，静待其他人给出更精准答案。

PS：咖啡一向响应上报速度很快，但是几乎不存在后续追踪。上报界的灾难选手。

上报邮件显示，McAfee结果如下

McAfee Labs - Beaverton
Current Scan Engine Version:6100.8979
Current DAT Version:10289.0000
Thank you for your submission.

Analysis ID: 11093933

File Name          Findings                      Detection                   Type       Extra
--------------------|------------------------------|----------------------------|------------|-----
_j8156novdec.exe |current detection          |genericrxlh-si!1474bd3eda2e |Trojan    |no
aupidrv.sys       |inconclusive                |                         |          |no
dvlayout.exe       |inconclusive                |                         |          |no
heu_kms_activator.ex|inconclusive                |                         |          |no
kgysboard.sys    |inconclusive                |                         |          |no
kmdf_look.sys    |current detection          |genericrxmk-iv!5ea0216d15e9 |Trojan    |no
kmdf_protect.sys |inconclusive                |                         |          |no
txtool.sys       |inconclusive                |                         |          |no
wccenter.exe       |current detection          |genericrxaa-aa!030c2dd5b0f2 |Trojan    |no
wdlogin.exe       |current detection          |rdn/generic.hbg          |Trojan    |no
wrme.exe          |current detection          |rdn/generic backdoor       |Trojan    |no
wuhost.exe       |current detection          |rdn/generic pup.x          |Application |no

current detection [wuhost.exe]

The file submitted is a potentially unwanted program file or joke program that can be
detected with current DAT files. It is recommended that you update your DAT and engine
files and scan your computer again.

inconclusive [aupidrv.sys dvlayout.exe heu_kms_activator.exe kgysboard.sys kmdf_protect.sys
txtool.sys]

Automated analysis was not able to determine that this file is malware. This file is
being sent for further processing and the DAT files will potentially be updated if
detection of this sample is warranted.

current detection [_j8156novdec.exe kmdf_look.sys wccenter.exe wdlogin.exe wrme.exe]

The file submitted is malware that can be detected with current DAT files. It is
recommended that you update your DAT and engine files and scan your computer again.

Note –

Due to the prevalence of network gateway AV products, it is important that all
submissions be zipped and the zip file password-protected (password - infected). Some
products will reject an email that contains a virus that is not sent in this way. In
addition, often we receive a file that appears not to have been infected, to find
later that the file was infected when it left the sender, and was cleaned somewhere
along the line.

Regards,

McAfee Labs

显示全部楼层 · 发表于 2022-3-18 16:44:54

Avast 清空

显示全部楼层 · 发表于 2022-3-18 16:47:00

onedrive 发表于 2022-3-18 16:24
根据mcafee论坛的说法，JTI/Suspect这种报法就是认为该文件存在可疑代码/行为，但是McAfee当 ...

一般自动机比客户端检测只会多，不会少。

不是啊，一般情况是恰好相反，因为自动处理系统的回复不包括JTI/Suspect，只是单纯的DAT检测。

显示全部楼层 · 发表于 2022-3-18 16:47:49

本帖最后由 onedrive 于 2022-3-18 00:49 编辑

anthonyqian 发表于 2022-3-18 00:47
不是啊，一般情况是恰好相反，因为自动处理系统的回复不包括JTI/Suspect，只是单纯的DAT检测。

那可能是我判断错误，上报次数还不够多。

显示全部楼层 · 发表于 2022-3-18 17:55:52

MD miss all

显示全部楼层 · 发表于 2022-3-18 18:12:40

虚无混沌发表于 2022-3-18 17:55
MD miss all

意料之外，情理之中

显示全部楼层 · 发表于 2022-3-18 18:18:07

虚无混沌发表于 2022-3-18 17:55
MD miss all

微软：

The submitted files are classified as malware. Detection for them is included in the published threat definition update, available for download here: https://docs.microsoft.com/micro ... -defender-antivirus For more information on how to create, edit, or deploy antimalware policies, see https://docs.microsoft.com/micro ... atp-post-migration. Thank you for contacting Microsoft.

奇怪了，上报页面都能够查杀

File name Final determination Protection Current detection Definition version
Tree View heu_kms_activator.zip
/ Malware    Malware  Cloud
Malware  Client Trojan:Script/Oneeva.A!ml
HackTool:Win32/AutoKMS Online
1.361.211.0
Tree View ._aupidrv.sys
heu_kms_activator.zip / Threat Related    Not malware  Cloud
Not malware  Client No malware detected
No malware detected Online
1.361.211.0
Tree View kmdf_protect.sys
heu_kms_activator.zip / PuA (Potentially Unwanted Application)    Not malware  Cloud
Malware  Client No malware detected
PUA:Win32/Kuping * Online
1.361.225.0
Tree View certificate
heu_kms_activator.zip / kmdf_protect.sys / Threat Related    Not malware  Cloud
Not malware  Client No malware detected
No malware detected Online
1.361.211.0
Tree View .rdata
heu_kms_activator.zip / kmdf_protect.sys / Threat Related    Not malware  Cloud
Not malware  Client No malware detected
No malware detected Online
1.361.211.0
Tree View .text
heu_kms_activator.zip / kmdf_protect.sys / Threat Related    Not malware  Cloud
Not malware  Client No malware detected
No malware detected Online
1.361.211.0
Tree View .data
heu_kms_activator.zip / kmdf_protect.sys / Threat Related    Not malware  Cloud
Not malware  Client No malware detected
No malware detected Online
1.361.211.0
Tree View .reloc
heu_kms_activator.zip / kmdf_protect.sys / Threat Related    Not malware  Cloud
Not malware  Client No malware detected
No malware detected Online
1.361.211.0
Tree View init
heu_kms_activator.zip / kmdf_protect.sys / Threat Related    Not malware  Cloud
Not malware  Client No malware detected
No malware detected Online
1.361.211.0
Tree View wrme.exe
heu_kms_activator.zip / PuA (Potentially Unwanted Application)    Not malware  Cloud
Malware  Client No malware detected
PUA:Win32/Kuping * Online
1.361.211.0
Tree View .text
heu_kms_activator.zip / wrme.exe / Threat Related    Not malware  Cloud
Not malware  Client No malware detected
No malware detected Online
1.361.211.0
Tree View .rdata
heu_kms_activator.zip / wrme.exe / Threat Related    Not malware  Cloud
Not malware  Client No malware detected
No malware detected Online
1.361.211.0
Tree View .data
heu_kms_activator.zip / wrme.exe / Threat Related    Not malware  Cloud
Not malware  Client No malware detected
No malware detected Online
1.361.211.0
Tree View 1
heu_kms_activator.zip / wrme.exe / Not malware    Not malware  Cloud
Not malware  Client No malware detected
No malware detected Online
1.361.211.0
Tree View .reloc
heu_kms_activator.zip / wrme.exe / Threat Related    Not malware  Cloud
Not malware  Client No malware detected
No malware detected Online
1.361.211.0
Tree View 1
heu_kms_activator.zip / wrme.exe / Not malware    Not malware  Cloud
Not malware  Client No malware detected
No malware detected Online
1.361.211.0
Tree View certificate
heu_kms_activator.zip / wrme.exe / Threat Related    Not malware  Cloud
Not malware  Client No malware detected
No malware detected Online
1.361.211.0
Tree View version.txt
heu_kms_activator.zip / wrme.exe / Threat Related    Not malware  Cloud
Not malware  Client No malware detected
No malware detected Online
1.361.211.0
Tree View wccenter.exe
heu_kms_activator.zip / PuA (Potentially Unwanted Application)    Not malware  Cloud
Malware  Client No malware detected
PUA:Win32/Kuping * Online
1.361.211.0
Tree View 1
heu_kms_activator.zip / wccenter.exe / Not malware    Not malware  Cloud
Not malware  Client No malware detected
No malware detected Online
1.361.211.0
Tree View certificate
heu_kms_activator.zip / wccenter.exe / Threat Related    Not malware  Cloud
Not malware  Client No malware detected
No malware detected Online
1.361.211.0
Tree View .reloc
heu_kms_activator.zip / wccenter.exe / Threat Related    Not malware  Cloud
Not malware  Client No malware detected
No malware detected Online
1.361.211.0
Tree View .text
heu_kms_activator.zip / wccenter.exe / Threat Related    Not malware  Cloud
Not malware  Client No malware detected
No malware detected Online
1.361.211.0
Tree View .rdata
heu_kms_activator.zip / wccenter.exe / Threat Related    Not malware  Cloud
Not malware  Client No malware detected
No malware detected Online
1.361.211.0
Tree View .data
heu_kms_activator.zip / wccenter.exe / Threat Related    Not malware  Cloud
Not malware  Client No malware detected
No malware detected Online
1.361.211.0
Tree View version.txt
heu_kms_activator.zip / wccenter.exe / Threat Related    Not malware  Cloud
Not malware  Client No malware detected
No malware detected Online
1.361.211.0
Tree View wdlogin.exe
heu_kms_activator.zip / PuA (Potentially Unwanted Application)    Not malware  Cloud
Malware  Client No malware detected
PUA:Win32/Kuping * Online
1.361.211.0
Tree View 1
heu_kms_activator.zip / wdlogin.exe / Not malware    Not malware  Cloud
Not malware  Client No malware detected
No malware detected Online
1.361.211.0
Tree View .reloc
heu_kms_activator.zip / wdlogin.exe / Threat Related    Not malware  Cloud
Not malware  Client No malware detected
No malware detected Online
1.361.211.0
Tree View .text
heu_kms_activator.zip / wdlogin.exe / Threat Related    Not malware  Cloud
Not malware  Client No malware detected
No malware detected Online
1.361.211.0
Tree View .rdata
heu_kms_activator.zip / wdlogin.exe / Threat Related    Not malware  Cloud
Not malware  Client No malware detected
No malware detected Online
1.361.211.0
Tree View certificate
heu_kms_activator.zip / wdlogin.exe / Threat Related    Not malware  Cloud
Not malware  Client No malware detected
No malware detected Online
1.361.211.0
Tree View version.txt
heu_kms_activator.zip / wdlogin.exe / Threat Related    Not malware  Cloud
Not malware  Client No malware detected
No malware detected Online
1.361.211.0
Tree View .data
heu_kms_activator.zip / wdlogin.exe / Threat Related    Not malware  Cloud
Not malware  Client No malware detected
No malware detected Online
1.361.211.0
Tree View _j8156novdec.exe
heu_kms_activator.zip / PuA (Potentially Unwanted Application)    Not malware  Cloud
Malware  Client No malware detected
PUA:Win32/Kuping * Online
1.361.211.0
Tree View 1
heu_kms_activator.zip / _j8156novdec.exe / Not malware    Not malware  Cloud
Not malware  Client No malware detected
No malware detected Online
1.361.211.0
Tree View .text
heu_kms_activator.zip / _j8156novdec.exe / Threat Related    Not malware  Cloud
Not malware  Client No malware detected
No malware detected Online
1.361.211.0
Tree View .data
heu_kms_activator.zip / _j8156novdec.exe / Threat Related    Not malware  Cloud
Not malware  Client No malware detected
No malware detected Online
1.361.211.0
Tree View certificate
heu_kms_activator.zip / _j8156novdec.exe / Threat Related    Not malware  Cloud
Not malware  Client No malware detected
No malware detected Online
1.361.211.0
Tree View .rdata
heu_kms_activator.zip / _j8156novdec.exe / Threat Related    Not malware  Cloud
Not malware  Client No malware detected
No malware detected Online
1.361.211.0
Tree View .reloc
heu_kms_activator.zip / _j8156novdec.exe / Threat Related    Not malware  Cloud
Not malware  Client No malware detected
No malware detected Online
1.361.211.0
Tree View dvlayout.exe
heu_kms_activator.zip / PuA (Potentially Unwanted Application)    Not malware  Cloud
Malware  Client No malware detected
PUA:Win32/Kuping * Online
1.361.211.0
Tree View .reloc
heu_kms_activator.zip / dvlayout.exe / Threat Related    Not malware  Cloud
Not malware  Client No malware detected
No malware detected Online
1.361.211.0
Tree View certificate
heu_kms_activator.zip / dvlayout.exe / Threat Related    Not malware  Cloud
Not malware  Client No malware detected
No malware detected Online
1.361.211.0
Tree View version.txt
heu_kms_activator.zip / dvlayout.exe / Threat Related    Not malware  Cloud
Not malware  Client No malware detected
No malware detected Online
1.361.211.0
Tree View .text
heu_kms_activator.zip / dvlayout.exe / Threat Related    Not malware  Cloud
Not malware  Client No malware detected
No malware detected Online
1.361.211.0
Tree View 1
heu_kms_activator.zip / dvlayout.exe / Not malware    Not malware  Cloud
Not malware  Client No malware detected
No malware detected Online
1.361.211.0
Tree View 1
heu_kms_activator.zip / dvlayout.exe / Not malware    Not malware  Cloud
Not malware  Client No malware detected
No malware detected Online
1.361.211.0
Tree View .data
heu_kms_activator.zip / dvlayout.exe / Threat Related    Not malware  Cloud
Not malware  Client No malware detected
No malware detected Online
1.329.501.0
Tree View .rdata
heu_kms_activator.zip / dvlayout.exe / Threat Related    Not malware  Cloud
Not malware  Client No malware detected
No malware detected Online
1.361.211.0
Tree View txtool.sys
heu_kms_activator.zip / PuA (Potentially Unwanted Application)    Not malware  Cloud
Malware  Client No malware detected
PUA:Win32/Kuping * Online
1.361.211.0
Tree View .data
heu_kms_activator.zip / txtool.sys / Threat Related    Not malware  Cloud
Not malware  Client No malware detected
No malware detected Online
1.361.211.0
Tree View .text
heu_kms_activator.zip / txtool.sys / Threat Related    Not malware  Cloud
Not malware  Client No malware detected
No malware detected Online
1.361.211.0
Tree View certificate
heu_kms_activator.zip / txtool.sys / Threat Related    Not malware  Cloud
Not malware  Client No malware detected
No malware detected Online
1.361.211.0
Tree View .reloc
heu_kms_activator.zip / txtool.sys / Threat Related    Not malware  Cloud
Not malware  Client No malware detected
No malware detected Online
1.361.211.0
Tree View init
heu_kms_activator.zip / txtool.sys / Threat Related    Not malware  Cloud
Not malware  Client No malware detected
No malware detected Online
1.361.211.0
Tree View .pdata
heu_kms_activator.zip / txtool.sys / Threat Related    Not malware  Cloud
Not malware  Client No malware detected
No malware detected Online
1.361.211.0
Tree View .rdata
heu_kms_activator.zip / txtool.sys / Threat Related    Not malware  Cloud
Not malware  Client No malware detected
No malware detected Online
1.361.211.0
Tree View heu_kms_activator.exe
heu_kms_activator.zip / Malware    Malware  Cloud
Malware  Client HackTool:Win32/AutoKMS
HackTool:Win32/AutoKMS Online
1.361.225.0
Tree View aupidrv.sys
heu_kms_activator.zip / PuA (Potentially Unwanted Application)    Not malware  Cloud
Malware  Client No malware detected
PUA:Win32/Kuping * Online
1.361.211.0
Tree View page
heu_kms_activator.zip / aupidrv.sys / Threat Related    Not malware  Cloud
Not malware  Client No malware detected
No malware detected Online
1.361.211.0
Tree View .text
heu_kms_activator.zip / aupidrv.sys / Threat Related    Not malware  Cloud
Not malware  Client No malware detected
No malware detected Online
1.361.211.0
Tree View certificate
heu_kms_activator.zip / aupidrv.sys / Threat Related    Not malware  Cloud
Not malware  Client No malware detected
No malware detected Online
1.361.211.0
Tree View .reloc
heu_kms_activator.zip / aupidrv.sys / Threat Related    Not malware  Cloud
Not malware  Client No malware detected
No malware detected Online
1.361.211.0
Tree View .pdata
heu_kms_activator.zip / aupidrv.sys / Threat Related    Not malware  Cloud
Not malware  Client No malware detected
No malware detected Online
1.361.211.0
Tree View init
heu_kms_activator.zip / aupidrv.sys / Threat Related    Not malware  Cloud
Not malware  Client No malware detected
No malware detected Online
1.361.211.0
Tree View .rdata
heu_kms_activator.zip / aupidrv.sys / Threat Related    Not malware  Cloud
Not malware  Client No malware detected
No malware detected Online
1.361.211.0
Tree View .data
heu_kms_activator.zip / aupidrv.sys / Threat Related    Not malware  Cloud
Not malware  Client No malware detected
No malware detected Online
1.361.211.0
Tree View wuhost.exe
heu_kms_activator.zip / PuA (Potentially Unwanted Application)    Not malware  Cloud
Malware  Client No malware detected
PUA:Win32/Kuping * Online
1.361.211.0
Tree View .text
heu_kms_activator.zip / wuhost.exe / Threat Related    Not malware  Cloud
Not malware  Client No malware detected
No malware detected Online
1.361.211.0
Tree View .reloc
heu_kms_activator.zip / wuhost.exe / Threat Related    Not malware  Cloud
Not malware  Client No malware detected
No malware detected Online
1.361.211.0
Tree View 1
heu_kms_activator.zip / wuhost.exe / Not malware    Not malware  Cloud
Not malware  Client No malware detected
No malware detected Online
1.361.211.0
Tree View .rdata
heu_kms_activator.zip / wuhost.exe / Threat Related    Not malware  Cloud
Not malware  Client No malware detected
No malware detected Online
1.361.211.0
Tree View .data
heu_kms_activator.zip / wuhost.exe / Threat Related    Not malware  Cloud
Not malware  Client No malware detected
No malware detected Online
1.361.211.0
Tree View certificate
heu_kms_activator.zip / wuhost.exe / Threat Related    Not malware  Cloud
Not malware  Client No malware detected
No malware detected Online
1.361.211.0
Tree View version.txt
heu_kms_activator.zip / wuhost.exe / Threat Related    Not malware  Cloud
Not malware  Client No malware detected
No malware detected Online
1.361.211.0
Tree View kmdf_look.sys
heu_kms_activator.zip / PuA (Potentially Unwanted Application)    Not malware  Cloud
Malware  Client No malware detected
PUA:Win32/Kuping * Online
1.361.211.0
Tree View .reloc
heu_kms_activator.zip / kmdf_look.sys / Threat Related    Not malware  Cloud
Not malware  Client No malware detected
No malware detected Online
1.361.211.0
Tree View .text
heu_kms_activator.zip / kmdf_look.sys / Threat Related    Malware  Cloud
Not malware  Client Trojan:Script/Oneeva.A!ml
No malware detected Online
1.361.211.0
Tree View .data
heu_kms_activator.zip / kmdf_look.sys / Threat Related    Not malware  Cloud
Not malware  Client No malware detected
No malware detected Online
1.361.211.0
Tree View certificate
heu_kms_activator.zip / kmdf_look.sys / Threat Related    Not malware  Cloud
Not malware  Client No malware detected
No malware detected Online
1.361.211.0
Tree View page
heu_kms_activator.zip / kmdf_look.sys / Threat Related    Not malware  Cloud
Not malware  Client No malware detected
No malware detected Online
1.361.211.0
Tree View .rdata
heu_kms_activator.zip / kmdf_look.sys / Threat Related    Not malware  Cloud
Not malware  Client No malware detected
No malware detected Online
1.361.211.0
Tree View init
heu_kms_activator.zip / kmdf_look.sys / Threat Related    Not malware  Cloud
Not malware  Client No malware detected
No malware detected Online
1.361.211.0

显示全部楼层 · 发表于 2022-3-18 18:21:30

漂洋过海123 发表于 2022-3-18 18:18
微软：奇怪了，上报页面都能够查杀

微软的特性

[病毒样本] 史上最恶心麻辣香锅MLXG Rootkit（没有之一） 12X

评分

评分

本帖子中包含更多资源