[False positive file] BEST sandbox reports the WPS update file as a trojan

发呆的阿狸~
Posted 2022-3-24 05:54:37
This was handled automatically by the sandbox: the sandbox reported an unknown threat and then took no action at all, so what is the point?
Description: "The sample modifies the list of programs to run at startup or login. These programs and drivers include those programs in the system's startup folder or registry keys like Run or RunOnce. The sample adds or removes applications from these locations. The sample writes additional files on the system, which may be used in various ways, including ensuring persistence. The new files can be executables that continue the sample's actions or storage/configuration files that hold viable information for the sample. Not only that, the sample creates or uses an inter-process communication environment through pipes. A pipe is a section of memory used by processes for communication."
Behavior:
"Creates mutexes. Mutexes can be used to synchronize different processes the sample may create or inject, or to indicate that the system is already infected. The following mutexes are created by the original file c:\wps office\11.1.0.11369\wtoolex\wpsupdate.exe: _#_UPD_LogFile_Z_MutxName_#_, Global\_UPD_Session_MutexName_.

The original file c:\wps office\11.1.0.11369\wtoolex\wpsupdate.exe writes the following registry keys:

hkcu\software\kingsoft\office\6.0\common\updateinfo\lasthttpsmode : 0
hkcu\software\kingsoft\office\6.0\common\updateinfo\hasreporttaskschel : 1
hkcu\software\kingsoft\office\6.0\common\updateinfo\lastchecktime : 2022-03-23 23:34:52
hkcu\software\kingsoft\office\6.0\common\updateinfo\cachestatusinfo\runningpid : 2072
hkcu\software\kingsoft\office\6.0\common\updateinfo\lastlog : mjaymi0wmy0ymyaymzozndo1mjszozb4odawmdqwmdu=
Performs various changes to the file system. These changes can have various purposes from ensuring persistence and continuing the activities from a different location, storing information or modifying existing files to restrict access or destroying user data. Writes a new file on the system. The new file can have various uses, including storing sensitive information gathered by the sample, or being a configuration file. For this sample, the original file c:\wps office\11.1.0.11369\wtoolex\wpsupdate.exe writes the file %profile%\appdata\roaming\kingsoft\office6\update\log\wpsupdate_2022_03_23.log.

Pipes can be used to communicate with other processes. The original file c:\wps office\11.1.0.11369\wtoolex\wpsupdate.exe connects to the pipes: pipe\WPSCloudSvr\kwpsupdateui, pipe\WPSCloudSvr\admin\kwpsupdateui."
I can't package the file... as soon as I compress it, it says the sandbox analysis detected an unknown threat; access seems to be denied, but it wasn't quarantined either. It looks like BEST shows no mercy even to software with a legitimate digital signature.
Anyone who wants to test this false positive can download WPS themselves and look for the file wps office\11.1.0.11369\wtoolex\wpsupdate.exe (well, after the sandbox analysis it claims no action was taken, but it seems to have denied access to the file; anyway it doesn't affect my use of WPS, so I'll leave it alone).