【吐槽向】咖啡月神的一些观察

显示全部楼层 · 发表于 2022-4-7 13:04:30

本帖最后由 onedrive 于 2022-4-6 23:32 编辑

那个样本我上报过，不知道是否有影响。不过vt上gw版的似乎确实会参考，好像是自动机拉黑(咖啡社区官人说是VT的GW版本自动机会跑极高的启发和行为)...另外我记得咖啡论坛有人说，查看txt记录时，jti/suspect在有对应的artemis记录时才是联网拉黑。

显示全部楼层 · 发表于 2022-4-7 13:12:30

bbs2811125 发表于 2022-4-7 13:04
是真的有的，反正在我看来也就卡巴和ESET比较严谨，别的多少都有点随意

下次你见到类似的案例，可以分享出来。反正我目前还没找到实锤说还有其他哪个大厂会这么做。。。

显示全部楼层 · 发表于 2022-4-7 13:13:04

onedrive 发表于 2022-4-7 13:04
那个样本我上报过，不知道是否有影响。不过vt上gw版的似乎确实会参考，好像是自动机拉黑...另外我记得咖啡 ...

你上报的是解包后的文件吗？上传具体时间是啥时候？

显示全部楼层 · 发表于 2022-4-7 15:07:04

anthonyqian 发表于 2022-4-6 21:13
你上报的是解包后的文件吗？上传具体时间是啥时候？

解包前后的都分别上传了，2022/4/2 12:20和2022/4/3 12:49分别如下

Virus_Research@avertlabs.com
周六 2022/4/2 12:20
McAfee Labs - Beaverton
Current Scan Engine Version:6100.8979
Current DAT Version:10304.0000
Thank you for your submission.

Analysis ID: 11094862

File Name          Findings                      Detection                   Type       Extra
--------------------|------------------------------|----------------------------|------------|-----
1b9a300d4e882a59e4bb|inconclusive                |                         |          |no

inconclusive [1b9a300d4e882a59e4bb15f7aa7069df6cc48057d1f89a71fff6df4e70d483f1.exe]

Automated analysis was not able to determine that this file is malware. This file is
being sent for further processing and the DAT files will potentially be updated if
detection of this sample is warranted.

Note –

Due to the prevalence of network gateway AV products, it is important that all
submissions be zipped and the zip file password-protected (password - infected). Some
products will reject an email that contains a virus that is not sent in this way. In
addition, often we receive a file that appears not to have been infected, to find
later that the file was infected when it left the sender, and was cleaned somewhere
along the line.

Regards,

McAfee Labs

Virus_Research@avertlabs.com
周日 2022/4/3 12:49
McAfee Labs - Beaverton
Current Scan Engine Version:6100.8979
Current DAT Version:10305.0000
Thank you for your submission.

Analysis ID: 11094902

File Name          Findings                      Detection                   Type       Extra
--------------------|------------------------------|----------------------------|------------|-----
1b9a300d4e882a59e4bb|inconclusive                |                         |          |no
adobeipcbroker.exe  |no malware                   |                         |          |no
adobeipcbrokercustom|no malware                   |                         |          |no
api-ms-win-core-cons|no malware                   |                         |          |no
api-ms-win-core-cons|no malware                   |                         |          |no
api-ms-win-core-date|no malware                   |                         |          |no
api-ms-win-core-debu|no malware                   |                         |          |no
api-ms-win-core-erro|no malware                   |                         |          |no
api-ms-win-core-file|no malware                   |                         |          |no
api-ms-win-core-file|no malware                   |                         |          |no
api-ms-win-core-file|no malware                   |                         |          |no
api-ms-win-core-hand|no malware                   |                         |          |no
api-ms-win-core-heap|no malware                   |                         |          |no
api-ms-win-core-inte|no malware                   |                         |          |no
api-ms-win-core-kern|no malware                   |                         |          |no
api-ms-win-core-libr|no malware                   |                         |          |no
api-ms-win-core-loca|no malware                   |                         |          |no
api-ms-win-core-memo|no malware                   |                         |          |no
api-ms-win-core-name|no malware                   |                         |          |no
api-ms-win-core-proc|no malware                   |                         |          |no
api-ms-win-core-proc|no malware                   |                         |          |no
api-ms-win-core-proc|no malware                   |                         |          |no
api-ms-win-core-prof|no malware                   |                         |          |no
api-ms-win-core-rtls|no malware                   |                         |          |no
api-ms-win-core-stri|no malware                   |                         |          |no
api-ms-win-core-sync|no malware                   |                         |          |no
api-ms-win-core-sync|no malware                   |                         |          |no
api-ms-win-core-sysi|no malware                   |                         |          |no
api-ms-win-core-sysi|no malware                   |                         |          |no
api-ms-win-core-time|no malware                   |                         |          |no
api-ms-win-core-util|no malware                   |                         |          |no
api-ms-win-core-xsta|no malware                   |                         |          |no
api-ms-win-crt-conio|no malware                   |                         |          |no
api-ms-win-crt-conve|no malware                   |                         |          |no
api-ms-win-crt-envir|no malware                   |                         |          |no
api-ms-win-crt-files|no malware                   |                         |          |no
api-ms-win-crt-heap-|no malware                   |                         |          |no
api-ms-win-crt-local|no malware                   |                         |          |no
api-ms-win-crt-math-|no malware                   |                         |          |no
api-ms-win-crt-multi|no malware                   |                         |          |no
api-ms-win-crt-priva|inconclusive                |                         |          |no
api-ms-win-crt-proce|no malware                   |                         |          |no
api-ms-win-crt-runti|no malware                   |                         |          |no
api-ms-win-crt-stdio|no malware                   |                         |          |no
api-ms-win-crt-strin|no malware                   |                         |          |no
api-ms-win-crt-time-|no malware                   |                         |          |no
api-ms-win-crt-utili|no malware                   |                         |          |no
api-ms-win-downlevel|no malware                   |                         |          |no
api-ms-win-downlevel|no malware                   |                         |          |no
api-ms-win-eventing-|no malware                   |                         |          |no
boost_system-vc100-m|no malware                   |                         |          |no
codeparsingdll.dll  |inconclusive                |                         |          |no
config.ini       |inconclusive                |                         |          |no
controllor.dll    |inconclusive                |                         |          |no
cr_win_client_config|no malware                   |                         |          |no
crclient.dll       |inconclusive                |                         |          |no
d3dcompiler_43.dll  |no malware                   |                         |          |no
d3dx9_43.dll       |no malware                   |                         |          |no
drmd.dll          |inconclusive                |                         |          |no
engine.dll       |inconclusive                |                         |          |no
ground             |inconclusive                |                         |          |no
ipcbox.pimx       |no malware                   |                         |          |no
libcui40.dll       |inconclusive                |                         |          |no
machining.exe    |inconclusive                |                         |          |no
mfc100u.dll       |no malware                   |                         |          |no
msvcp100.dll       |no malware                   |                         |          |no
msvcp140.dll       |no malware                   |                         |          |no
msvcp140_1.dll    |no malware                   |                         |          |no
msvcp140_2.dll    |inconclusive                |                         |          |no
msvcp140_atomic_wait|no malware                   |                         |          |no
msvcp140_codecvt_ids|no malware                   |                         |          |no
msvcr100.dll       |no malware                   |                         |          |no
options.dll       |no malware                   |                         |          |no
startupoptions.xml  |no malware                   |                         |          |no
tmevent.dll       |inconclusive                |                         |          |no
tool_mill.ini    |no malware                   |                         |          |no
toollist.ini       |inconclusive                |                         |          |no
tracegen.exe       |inconclusive                |                         |          |no
triangulation.dll |no malware                   |                         |          |no
ucrtbase.dll       |no malware                   |                         |          |no
uninst.exe       |inconclusive                |                         |          |no
usermanual_ch.html  |inconclusive                |                         |          |no
usermanual_en.html  |inconclusive                |                         |          |no
vccorlib140.dll    |no malware                   |                         |          |no
vcruntime140.dll |no malware                   |                         |          |no
xdf.dll          |inconclusive                |                         |          |no

no malware [adobeipcbroker.exe adobeipcbrokercustomhook.exe api-ms-win-core-console-l1-1-0.dll
api-ms-win-core-console-l1-2-0.dll api-ms-win-core-datetime-l1-1-0.dll
api-ms-win-core-debug-l1-1-0.dll api-ms-win-core-errorhandling-l1-1-0.dll
api-ms-win-core-file-l1-1-0.dll api-ms-win-core-file-l1-2-0.dll
api-ms-win-core-file-l2-1-0.dll api-ms-win-core-handle-l1-1-0.dll
api-ms-win-core-heap-l1-1-0.dll api-ms-win-core-interlocked-l1-1-0.dll
api-ms-win-core-kernel32-legacy-l1-1-0.dll api-ms-win-core-libraryloader-l1-1-0.dll
api-ms-win-core-localization-l1-2-0.dll api-ms-win-core-memory-l1-1-0.dll
api-ms-win-core-namedpipe-l1-1-0.dll api-ms-win-core-processenvironment-l1-1-0.dll
api-ms-win-core-processthreads-l1-1-0.dll api-ms-win-core-processthreads-l1-1-1.dll
api-ms-win-core-profile-l1-1-0.dll api-ms-win-core-rtlsupport-l1-1-0.dll
api-ms-win-core-string-l1-1-0.dll api-ms-win-core-synch-l1-1-0.dll
api-ms-win-core-synch-l1-2-0.dll api-ms-win-core-sysinfo-l1-1-0.dll
api-ms-win-core-sysinfo-l1-2-0.dll api-ms-win-core-timezone-l1-1-0.dll
api-ms-win-core-util-l1-1-0.dll api-ms-win-core-xstate-l2-1-0.dll
api-ms-win-crt-conio-l1-1-0.dll api-ms-win-crt-convert-l1-1-0.dll
api-ms-win-crt-environment-l1-1-0.dll api-ms-win-crt-filesystem-l1-1-0.dll
api-ms-win-crt-heap-l1-1-0.dll api-ms-win-crt-locale-l1-1-0.dll
api-ms-win-crt-math-l1-1-0.dll api-ms-win-crt-multibyte-l1-1-0.dll
api-ms-win-crt-process-l1-1-0.dll api-ms-win-crt-runtime-l1-1-0.dll
api-ms-win-crt-stdio-l1-1-0.dll api-ms-win-crt-string-l1-1-0.dll
api-ms-win-crt-time-l1-1-0.dll api-ms-win-crt-utility-l1-1-0.dll
api-ms-win-downlevel-kernel32-l1-1-0.dll api-ms-win-downlevel-kernel32-l2-1-0.dll
api-ms-win-eventing-provider-l1-1-0.dll boost_system-vc100-mt-1_59.dll
cr_win_client_config.cfg d3dcompiler_43.dll d3dx9_43.dll ipcbox.pimx mfc100u.dll
msvcp100.dll msvcp140.dll msvcp140_1.dll msvcp140_atomic_wait.dll
msvcp140_codecvt_ids.dll msvcr100.dll options.dll startupoptions.xml tool_mill.ini
triangulation.dll ucrtbase.dll vccorlib140.dll vcruntime140.dll]

McAfee Labs has found no indications of malicious code. Upon examining the file we
observed no malicious behavior.

inconclusive [1b9a300d4e882a59e4bb15f7aa7069df6cc48057d1f89a71fff6df4e70d483f1.exe
api-ms-win-crt-private-l1-1-0.dll codeparsingdll.dll config.ini controllor.dll
crclient.dll drmd.dll engine.dll ground libcui40.dll machining.exe msvcp140_2.dll
tmevent.dll toollist.ini tracegen.exe uninst.exe usermanual_ch.html usermanual_en.html
xdf.dll]

Automated analysis was not able to determine that this file is malware. This file is
being sent for further processing and the DAT files will potentially be updated if
detection of this sample is warranted.

Note –

Due to the prevalence of network gateway AV products, it is important that all
submissions be zipped and the zip file password-protected (password - infected). Some
products will reject an email that contains a virus that is not sent in this way. In
addition, often we receive a file that appears not to have been infected, to find
later that the file was infected when it left the sender, and was cleaned somewhere
along the line.

Regards,

显示全部楼层 · 发表于 2022-4-7 15:30:56

onedrive 发表于 2022-4-7 15:07
解包前后的都分别上传了，2022/4/2 12:20和2022/4/3 12:49分别如下

从上报时间上看，不影响我的推论，不然很难解释咖啡为啥6号下午还不报别的厂商拉黑了才报…

显示全部楼层 · 发表于 2022-4-7 15:33:15

anthonyqian 发表于 2022-4-6 23:30
从上报时间上看，不影响我的推论，不然很难解释咖啡为啥6号下午还不报别的厂商拉黑了才报…

不清楚...极大可能是参考.好像趋势也会参考巨硬的

PS:主要是上报无跟踪，很难受

显示全部楼层 · 发表于 2022-4-7 15:34:26

anthonyqian 发表于 2022-4-7 12:00
当然还有一些小厂，比如卡巴的坚定的跟屁虫 Lionic（偶尔还会跟一跟BD）、伪AI的MAX（VT报的引擎越多，AI ...

几家玩云玩的厉害的，基本都这么搞。

话说，你觉得诺顿怎么样？

显示全部楼层 · 发表于 2022-4-7 15:36:59

onedrive 发表于 2022-4-7 15:33
不清楚...极大可能是参考.好像趋势也会参考巨硬的

PS:主要是上报无跟踪，很难受

话说今天又发现了咖啡“抄”ESET、Avast的例子，但不够实锤。下面这个样本前天就传到VT了，咖啡也是跟在这两家后门报的。

显示全部楼层 · 发表于 2022-4-7 15:39:05

bbszy 发表于 2022-4-7 15:34
几家玩云玩的厉害的，基本都这么搞。

话说，你觉得诺顿怎么样？

诺顿/铁壳也会从VT获取样本，他们的上报平台就支持填写已经上传到VT的样本的hash进行上报。至于分析，我目前还没有找到实锤。。。

显示全部楼层 · 发表于 2022-4-7 15:41:11

anthonyqian 发表于 2022-4-7 15:39
诺顿/铁壳也会从VT获取样本，他们的上报平台就支持填写已经上传到VT的样本的hash进行上报。至于分析，我 ...

不过诺顿的拉黑速度比咖啡慢很多。咖啡的速度基本是数一数二的。

[讨论] 【吐槽向】咖啡月神的一些观察

本帖子中包含更多资源