MedusaLocker加壳测试

显示全部楼层 · 发表于 2024-6-23 12:55:54

隔山打空气发表于 2024-6-23 12:22
不能确保正常运行的话意义就少了很多（

之前确实有不少为了免杀套壳结果憋死了（损坏

这种的应该就属于不管病毒死活为加壳而加壳

显示全部楼层 · 发表于 2024-6-23 12:57:42

我刚刚试了下在实体机运行全部都打开失败目前电脑一切正常

显示全部楼层 · 发表于 2024-6-23 13:14:34

蜘蛛扫描6Trojan.DownLoader33.34694
Trojan.DownLoader33.34694
BackDoor.Bifrost.15005
Trojan.Inject3.4985
Trojan.DownLoader33.34694
Trojan.DownLoader33.34694

Checking: packed.zip
Engine version: 7.0.65.5230
Total virus-finding records: 12029639
File size: 9.05 MB
File MD5: ab6ee76140dc11a8c85e7b2e41c6f3c3

packed.zip - archive ZIP
>packed.zip/packed/packed/medusa.exe infected with Trojan.DownLoader33.34694
>packed.zip/packed/packed/medusa_aspack.exe packed by FLY-CODE
>>packed.zip/packed/packed/medusa_aspack.exe infected with Trojan.DownLoader33.34694
>packed.zip/packed/packed/medusa_encryptEXE.exe infected with BackDoor.Bifrost.15005
>packed.zip/packed/packed/medusa_enigma.exe packed by ENIGMA
>>packed.zip/packed/packed/medusa_enigma.exe packed by FLY-CODE
>>>packed.zip/packed/packed/medusa_enigma.exe packed by BINARYRES
>>>>packed.zip/packed/packed/medusa_enigma.exe infected with Trojan.Inject3.4985
>packed.zip/packed/packed/medusa_upx.exe packed by UPX
>>packed.zip/packed/packed/medusa_upx.exe infected with Trojan.DownLoader33.34694
>packed.zip/packed/packed/medusa_vmp.exe - Ok
>packed.zip/packed/packed/medusa_zprotect.exe packed by PESTUB
>>packed.zip/packed/packed/medusa_zprotect.exe packed by PESTUB
>>>packed.zip/packed/packed/medusa_zprotect.exe packed by FLY-CODE
>>>>packed.zip/packed/packed/medusa_zprotect.exe packed by ZPROTECT
>>>>>packed.zip/packed/packed/medusa_zprotect.exe infected with Trojan.DownLoader33.34694

显示全部楼层 · 发表于 2024-6-23 13:16:57

本帖最后由 BitterLotus 于 2024-6-23 13:18 编辑

DI All

显示全部楼层 · 发表于 2024-6-23 13:25:09

Avira found 7 threats as below

packed.zip/medusa.exe TR/FileCoder.mbmgm
packed.zip/medusa_aspack.exe TR/Crypt.ASPM.Gen
packed.zip/medusa_encryptEXE.exe HEUR/AGEN.1363722
packed.zip/medusa_enigma.exe HEUR/AGEN.1314144
packed.zip/medusa_upx.exe HEUR/AGEN.1314840
packed.zip/medusa_vmp.exe TR/Redcap.qfztc
packed.zip/medusa_zprotect.exe TR/AVI.MedusaLocker.hgyul

显示全部楼层 · 发表于 2024-6-23 13:54:39

你开心就好发表于 2024-6-23 12:53
https://mp.weixin.qq.com/s/DDp0EqzSnmFZAHMYuEWjLw
那也就是说这种也就是带壳取特征啦？

VMP只是通用机脱不了，你真要手动算偏移量修IAT那当然没问题
但是也要很高的技术力

显示全部楼层 · 发表于 2024-6-23 14:10:12

BEST 清空

显示全部楼层 · 发表于 2024-6-23 14:41:21

你开心就好发表于 2024-6-23 12:53
https://mp.weixin.qq.com/s/DDp0EqzSnmFZAHMYuEWjLw
那也就是说这种也就是带壳取特征啦？

这种不能算是脱壳，火绒脱壳并不能把VMP加壳还原到原始代码，但是它可以获取一些查杀特征

显示全部楼层 · 发表于 2024-6-23 14:56:52

00006666 发表于 2024-6-23 14:41
这种不能算是脱壳，火绒脱壳并不能把VMP加壳还原到原始代码，但是它可以获取一些查杀特征

涨知识了
但是他们（厂商）那边写脱壳而且举例专门针对VMP壳保护的驱动

显示全部楼层 · 发表于 2024-6-23 14:58:53

DisaPDB 发表于 2024-6-23 13:54
VMP只是通用机脱不了，你真要手动算偏移量修IAT那当然没问题
但是也要很高的技术力

谢谢长见识了

[病毒样本] MedusaLocker加壳测试

本帖子中包含更多资源