Thread starter: OrangeCell

[Virus Sample] Self-made Ransomware V2

驭龙
Posted on 2024-9-17 22:30:59

This was the first time Avira had seen this file; it uploaded it straight to APC, the analysis finished within seconds, and the result came back as a cloud detection.

[2024-09-17 22:24:10.931] [info] [OndemandScan] [thread id: 6096] Ondemand version: 1.0.2409.1701
[2024-09-17 22:24:10.952] [info] [OndemandScan] [thread id: 6096] Ondemand rdf version: 1.0.2409.1701
[2024-09-17 22:24:11.543] [info] [OndemandScan] [thread id: 6096] Scan of paths {E:\vir\Neon (3)} started.
[2024-09-17 22:24:11.759] [info] [Core] [thread id: 9408] [CoreLoader] loading core sdk plugin C:\Program Files\Avira\Endpoint Protection SDK\coresdk\apcscanner2.dll
[2024-09-17 22:24:12.377] [info] [Core] [thread id: 9408] [CoreLoader] Plugin C:\Program Files\Avira\Endpoint Protection SDK\coresdk\apcscanner2.dll license status: enabled
[2024-09-17 22:24:12.596] [info] [Core] [thread id: 9408] [ProtectionCloud] [apcsdk] Cache file 'C:\Program Files\Avira\Endpoint Protection SDK\coresdk\temp-epp\avcp_apc2_cache.dat' was not found
[2024-09-17 22:24:12.596] [info] [Core] [thread id: 9408] [ProtectionCloud] [apcsdk] Setting the proxy server '' with the certificate path ''
[2024-09-17 22:24:14.020] [info] [BaseScan] [thread id: 9408] [ProtectionCloud] The file '\\?\E:\vir\Neon (3)\Neon.exe' was unknown in the Protection Cloud. SHA256: '5cb11b7cc127ef0ae7b967fa3403d8092cd7c050aba71fc088779c36b14ba448' Requestor: 'OnDemandScan' Flags: '{Upload needed}' Status: successful
[2024-09-17 22:24:25.031] [info] [Core] [thread id: 9408] [ProtectionCloud] Starting upload of file 'E:\vir\Neon (3)\Neon.exe'
[2024-09-17 22:24:39.566] [info] [Core] [thread id: 9408] [ProtectionCloud] Upload of file 'E:\vir\Neon (3)\Neon.exe' was successful
[2024-09-17 22:25:08.464] [info] [BaseScan] [thread id: 9408] [ProtectionCloud] The file '\\?\E:\vir\Neon (3)\Neon.exe' has been uploaded to the Protection Cloud and analyzed. SHA256: '5cb11b7cc127ef0ae7b967fa3403d8092cd7c050aba71fc088779c36b14ba448' Requestor: 'OnDemandScan' Flags: '{Detected}{Upload done}' Status: successful
[2024-09-17 22:25:08.464] [info] [BaseScan] [thread id: 9408] [ProtectionCloud] The file '\\?\E:\vir\Neon (3)\Neon.exe' was scanned with the Protection Cloud. SHA256: '5cb11b7cc127ef0ae7b967fa3403d8092cd7c050aba71fc088779c36b14ba448' Requestor: 'OnDemandScan' Flags: '{Detected}{Upload done}' Status: successful
[2024-09-17 22:25:08.473] [info] [BaseScan] [thread id: 9408] [ProtectionCloud] Detection by Protection Cloud: '{HEUR/APC} File: '\\?\E:\vir\Neon (3)\Neon.exe' SHA256:'5cb11b7cc127ef0ae7b967fa3403d8092cd7c050aba71fc088779c36b14ba448'
[2024-09-17 22:25:08.473] [info] [Core] [thread id: 9408] [CoreLoader] loading core sdk plugin C:\Program Files\Avira\Endpoint Protection SDK\coresdk\afpcchecker.dll
[2024-09-17 22:25:08.744] [info] [Core] [thread id: 9408] [CoreLoader] Plugin C:\Program Files\Avira\Endpoint Protection SDK\coresdk\afpcchecker.dll license status: enabled
[2024-09-17 22:25:09.779] [info] [BaseScan] [thread id: 9408] [FalsePositiveCloud] The file '\\?\E:\vir\Neon (3)\Neon.exe' has been checked with the false positive checker. Is false positive: false SHA256:'5cb11b7cc127ef0ae7b967fa3403d8092cd7c050aba71fc088779c36b14ba448' Status: successful
[2024-09-17 22:25:09.779] [warning] [BaseScan] [thread id: 9408] [Detection] The file '\\?\E:\vir\Neon (3)\Neon.exe' was detected. Detection name: HEUR/APC
[2024-09-17 22:25:09.871] [warning] [OndemandScan] [thread id: 9408] [Detection] Identified: 'HEUR/APC'. File: '\\?\E:\vir\Neon (3)\Neon.exe'
[2024-09-17 22:25:11.212] [info] [Remediation] [thread id: 4764] remediation.rdf version: 1.0.2409.1609
[2024-09-17 22:25:11.584] [info] [Remediation] [thread id: 4764] Remediation of Generic started.
[2024-09-17 22:25:11.804] [info] [RealTimeProtection] [thread id: 4764] [Configuration] Add Acl: 1 : \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Windows : AppInit_DLLs
[2024-09-17 22:25:11.837] [info] [RealTimeProtection] [thread id: 4764] [Configuration] Add Acl: 1 : \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows : AppInit_DLLs
[2024-09-17 22:25:11.838] [info] [RealTimeProtection] [thread id: 4764] [Configuration] Add Acl: 1 : \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Windows : LoadAppInit_DLLs
[2024-09-17 22:25:11.839] [info] [RealTimeProtection] [thread id: 4764] [Configuration] Add Acl: 1 : \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows : LoadAppInit_DLLs
[2024-09-17 22:25:14.711] [info] [Remediation] [thread id: 4764] Remediation of Generic finished successfully.
[2024-09-17 22:25:14.720] [info] [EndpointProtection] [thread id: 4764] Create new file operations context from filepath
[2024-09-17 22:25:14.720] [info] [EndpointProtection] [thread id: 4764] Successfully created the file operations context from path: '\\?\E:\vir\Neon (3)\Neon.exe'
[2024-09-17 22:25:14.723] [info] [Remediation] [thread id: 4764] Remediation of HEUR/APC started.
[2024-09-17 22:25:14.830] [info] [RealTimeProtection] [thread id: 4764] [Configuration] Add Acl: 2 : e:\vir\neon (3)\neon.exe :
[2024-09-17 22:25:15.233] [info] [Quarantine] [thread id: 4764] File with original location [\\?\E:\vir\Neon (3)\Neon.exe] was copied to quarantined file [C:\ProgramData\Avira\Endpoint Protection SDK\quarantine\51e41618.qua]
[2024-09-17 22:25:20.734] [info] [Remediation] [thread id: 4764] Remediation of HEUR/APC finished successfully.
[2024-09-17 22:25:20.775] [info] [EndpointProtection] [thread id: 4764] [OnDemandSummary] Total amount of files to be scanned: 1
[2024-09-17 22:25:20.775] [info] [EndpointProtection] [thread id: 4764] [OnDemandSummary] Scanned files: 1
[2024-09-17 22:25:20.775] [info] [EndpointProtection] [thread id: 4764] [OnDemandSummary] Detected files: 1
[2024-09-17 22:25:20.775] [info] [EndpointProtection] [thread id: 4764] [OnDemandSummary] Successful remediation: 1


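An added example, not code from the thread or from Avira: a small Python parser for the Endpoint Protection SDK log format shown in the post above. It pulls the Protection Cloud (APC) lookup, upload and verdict events per file and computes the turnaround from the timestamps, so the "within seconds" impression can be checked against the log rather than eyeballed. The sample input is a subset of the log lines quoted in the post; the message fragments used to recognise each stage (such as "was unknown in the Protection Cloud") are my assumption drawn from that log, not documented Avira semantics, and the function names are mine.

```python
"""Timeline extraction from an Avira Endpoint Protection SDK on-demand scan log.

Added example (not from the thread, not Avira code). Parses the bracketed
"[timestamp] [level] [component] [thread id: N] message" format and measures
Protection Cloud (APC) turnaround per scanned file.
"""
import re
from datetime import datetime

LOG_LINE = re.compile(
    r"^\[(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}\.\d{3})\] "
    r"\[(?P<level>\w+)\] \[(?P<component>\w+)\] "
    r"\[thread id: (?P<tid>\d+)\] (?P<msg>.*)$"
)
# The log writes both "SHA256: '...'" and "SHA256:'...'", so the space is optional.
SHA256 = re.compile(r"SHA256: ?'(?P<sha>[0-9a-fA-F]{64})'")
FLAGS = re.compile(r"Flags: '(?P<flags>(?:\{[^}]*\})+)'")
# Paths appear quoted ('E:\..'), quoted with the \\?\ prefix, or in [brackets].
PATH = re.compile(r"['\[](?P<path>(?:\\\\\?\\)?[A-Za-z]:\\[^'\]]+)['\]]")
DETECTION = re.compile(r"Detection name: (?P<name>\S+)")
QUARANTINE = re.compile(r"copied to quarantined file \[(?P<path>[^\]]+)\]")

# Assumption: these fragments mark the APC stages. Taken from the posted log,
# not from Avira documentation. Order matters: first match wins.
STAGES = {
    "lookup": "was unknown in the Protection Cloud",
    "upload_start": "Starting upload of file",
    "upload_done": "Upload of file",
    "verdict": "has been uploaded to the Protection Cloud and analyzed",
}


def normalize_path(p):
    """Strip the Win32 extended-length prefix and case-fold for use as a key."""
    if p.startswith("\\\\?\\"):
        p = p[4:]
    return p.lower()


def parse_line(line):
    """One log line -> dict with ts, level, component, tid, msg, sha256, flags, path."""
    m = LOG_LINE.match(line.strip())
    if not m:
        return None
    ev = m.groupdict()
    ev["ts"] = datetime.strptime(ev["ts"], "%Y-%m-%d %H:%M:%S.%f")
    ev["tid"] = int(ev["tid"])
    sha = SHA256.search(ev["msg"])
    ev["sha256"] = sha.group("sha").lower() if sha else None
    fl = FLAGS.search(ev["msg"])
    ev["flags"] = re.findall(r"\{([^}]*)\}", fl.group("flags")) if fl else []
    p = PATH.search(ev["msg"])
    ev["path"] = normalize_path(p.group("path")) if p else None
    return ev


def parse_log(text):
    return [ev for ev in map(parse_line, text.splitlines()) if ev]


def apc_timeline(events):
    """Per-file APC stage timestamps, verdict flags, detection, quarantine file, latencies."""
    files = {}
    for ev in events:
        if ev["path"] is None:
            continue
        f = files.setdefault(ev["path"], {"sha256": None, "flags": [],
                                          "detection": None, "quarantine": None})
        msg = ev["msg"]
        if ev["sha256"]:
            f["sha256"] = ev["sha256"]
        for stage, marker in STAGES.items():
            if marker in msg:
                f[stage] = ev["ts"]
                if stage == "verdict":
                    f["flags"] = ev["flags"]  # e.g. ['Detected', 'Upload done']
                break
        d = DETECTION.search(msg)
        if d:
            f["detection"] = d.group("name")
        q = QUARANTINE.search(msg)
        if q:
            f["quarantine"] = q.group("path")
    for f in files.values():
        if "upload_start" in f and "upload_done" in f:
            f["upload_duration_s"] = (f["upload_done"] - f["upload_start"]).total_seconds()
        if "lookup" in f and "verdict" in f:
            f["lookup_to_verdict_s"] = (f["verdict"] - f["lookup"]).total_seconds()
        if "upload_start" in f and "verdict" in f:
            f["upload_to_verdict_s"] = (f["verdict"] - f["upload_start"]).total_seconds()
    return files


# Subset of the log lines quoted in the post above (copied, not constructed).
SAMPLE_LOG = r"""
[2024-09-17 22:24:14.020] [info] [BaseScan] [thread id: 9408] [ProtectionCloud] The file '\\?\E:\vir\Neon (3)\Neon.exe' was unknown in the Protection Cloud. SHA256: '5cb11b7cc127ef0ae7b967fa3403d8092cd7c050aba71fc088779c36b14ba448' Requestor: 'OnDemandScan' Flags: '{Upload needed}' Status: successful
[2024-09-17 22:24:25.031] [info] [Core] [thread id: 9408] [ProtectionCloud] Starting upload of file 'E:\vir\Neon (3)\Neon.exe'
[2024-09-17 22:24:39.566] [info] [Core] [thread id: 9408] [ProtectionCloud] Upload of file 'E:\vir\Neon (3)\Neon.exe' was successful
[2024-09-17 22:25:08.464] [info] [BaseScan] [thread id: 9408] [ProtectionCloud] The file '\\?\E:\vir\Neon (3)\Neon.exe' has been uploaded to the Protection Cloud and analyzed. SHA256: '5cb11b7cc127ef0ae7b967fa3403d8092cd7c050aba71fc088779c36b14ba448' Requestor: 'OnDemandScan' Flags: '{Detected}{Upload done}' Status: successful
[2024-09-17 22:25:08.473] [info] [BaseScan] [thread id: 9408] [ProtectionCloud] Detection by Protection Cloud: '{HEUR/APC} File: '\\?\E:\vir\Neon (3)\Neon.exe' SHA256:'5cb11b7cc127ef0ae7b967fa3403d8092cd7c050aba71fc088779c36b14ba448'
[2024-09-17 22:25:09.779] [warning] [BaseScan] [thread id: 9408] [Detection] The file '\\?\E:\vir\Neon (3)\Neon.exe' was detected. Detection name: HEUR/APC
[2024-09-17 22:25:15.233] [info] [Quarantine] [thread id: 4764] File with original location [\\?\E:\vir\Neon (3)\Neon.exe] was copied to quarantined file [C:\ProgramData\Avira\Endpoint Protection SDK\quarantine\51e41618.qua]
"""

if __name__ == "__main__":
    for path, f in apc_timeline(parse_log(SAMPLE_LOG)).items():
        print(path, f["sha256"], f["detection"], f.get("lookup_to_verdict_s"), "s")
```

On the excerpt it reports 54.4 s from the first cloud lookup to the analysed verdict, of which about 14.5 s is the upload itself; the rest is cloud analysis time. Note that the detection name is only confirmed after the separate false-positive cloud check visible in the full log.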
btbtg
Posted on 2024-9-17 22:34:51

(This post contains attachments; login required to view.)
心醉咖啡
Posted on 2024-9-17 22:38:49
Huorong scan: miss.
tg123321
Posted on 2024-9-17 22:45:37
驭龙 posted on 2024-9-17 22:30
This was the first time Avira had seen this file; it uploaded it straight to APC, the analysis finished within seconds, and the result came back as a cloud detection.

Boss, could you test how ESET does? EIS without ELG doesn't seem to manage it.
驭龙
Posted on 2024-9-17 22:48:22
tg123321 posted on 2024-9-17 22:45
Boss, could you test how ESET does? EIS without ELG doesn't seem to manage it.

Wait a bit; I'll test it before shutting down, otherwise it interferes with my follow-up report thread in the ESET section. I really don't want to run ESET scans on the new PC.
驭龙
Posted on 2024-9-17 23:25:36
tg123321 posted on 2024-9-17 22:45
Boss, could you test how ESET does? EIS without ELG doesn't seem to manage it.

I regret to tell you that ESET was completely breached, with no ability to fight back. ELG analysis rated it safe; ESET fell completely. Avira finished its analysis in tens of seconds and killed it instantly, while ESET made me wait roughly twenty-odd minutes and then told me the file was safe.


Rating: awsl10000次 +3 popularity (Thanks for the answer :) )

DisaPDB
Posted on 2024-9-17 23:40:58
驭龙 posted on 2024-9-17 23:25
I regret to tell you that ESET was completely breached, with no ability to fight back. ELG analysis rated it safe; ESET fell completely. Avira finished its analysis in tens of seconds ...

龙大, sorry to bother you, can you see the log from that Avira Sentry?
aikafans
Posted on 2024-9-17 23:42:22 from mobile
驭龙 posted on 2024-9-17 23:25
I regret to tell you that ESET was completely breached, with no ability to fight back. ELG analysis rated it safe; ESET fell completely. Avira finished its analysis in tens of seconds ...

As an ESET user, I'm shattered...
驭龙
Posted on 2024-9-17 23:43:20
DisaPDB posted on 2024-9-17 23:40
龙大, sorry to bother you, can you see the log from that Avira Sentry?

The PC I tested on has no SentryEye log and doesn't have Sentry enabled either, sorry.

Rating: DisaPDB +1 popularity (Thanks anyway, 龙大)

tg123321
Posted on 2024-9-18 00:03:00 from mobile
aikafans posted on 2024-9-17 23:42
As an ESET user, I'm shattered...

Set the firewall mode to interactive, then add a rule allowing outbound connections for any program with a valid signature. That way you don't need to add exclusions: ESET lets most programs go online, yet still blocks network access for programs without a digital signature. On my machine, the EIS firewall popped up four network alert dialogs for this program; after blocking them, it successfully avoided being encrypted.
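The rule in the post above (allow outbound for any program with a valid signature) hands the decision to ESET's Authenticode verification. As an added example, not from the thread and not ESET's or Microsoft's code, the Python below shows the first step of any such check, locating the PE Attribute Certificate Table (data directory entry 4) and walking its WIN_CERTIFICATE entries, and makes the caveat concrete: a binary can carry a certificate blob that is not a valid signature at all, so "signature present" is not "signature valid". A real check must then verify the PKCS#7 SignedData, the certificate chain and the file hash, which this code deliberately does not do. Even a fully verified signature only proves who signed the file, not that it is benign: malware signed with stolen or leaked certificates, and signed system utilities used as network proxies, both satisfy a signature-based allow rule. The PE header bytes are constructed inside the script (header only, not a loadable program) and the function names are mine.

```python
"""Locate and walk the Authenticode certificate table of a PE file.

Added example: not from the thread, not ESET or Microsoft code. Reports whether
a WIN_CERTIFICATE of type PKCS_SIGNED_DATA is embedded; it does NOT verify it.
"""
import struct

IMAGE_DIRECTORY_ENTRY_SECURITY = 4       # index of the certificate table
WIN_CERT_REVISION_2_0 = 0x0200
WIN_CERT_TYPE_PKCS_SIGNED_DATA = 0x0002  # Authenticode PKCS#7 SignedData
PE32_MAGIC, PE32PLUS_MAGIC = 0x10B, 0x20B


def security_directory(pe):
    """Return (file_offset, size) of the certificate table, or None if absent.

    Unlike the other data directories this entry holds a raw file offset, not an RVA.
    """
    if pe[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4
    size_of_optional = struct.unpack_from("<H", pe, coff + 16)[0]
    opt = coff + 20                                   # optional header start
    magic = struct.unpack_from("<H", pe, opt)[0]
    if magic == PE32_MAGIC:
        nrva_off, dirs_off = 92, 96
    elif magic == PE32PLUS_MAGIC:
        nrva_off, dirs_off = 108, 112
    else:
        raise ValueError("unknown optional header magic 0x%x" % magic)
    nrva = struct.unpack_from("<I", pe, opt + nrva_off)[0]
    entry = dirs_off + 8 * IMAGE_DIRECTORY_ENTRY_SECURITY
    if nrva <= IMAGE_DIRECTORY_ENTRY_SECURITY or entry + 8 > size_of_optional:
        return None
    offset, size = struct.unpack_from("<II", pe, opt + entry)
    if offset == 0 or size == 0:
        return None
    return offset, size


def embedded_certificates(pe):
    """Walk WIN_CERTIFICATE entries; return [(revision, type, payload), ...]."""
    sd = security_directory(pe)
    if sd is None:
        return []
    off, size = sd
    end = off + size
    if end > len(pe):
        raise ValueError("certificate table points past end of file")
    certs = []
    while off + 8 <= end:
        length, revision, cert_type = struct.unpack_from("<IHH", pe, off)
        if length < 8 or off + length > end:
            raise ValueError("malformed WIN_CERTIFICATE at offset %d" % off)
        certs.append((revision, cert_type, bytes(pe[off + 8:off + length])))
        off += (length + 7) & ~7                      # entries are 8-byte aligned
    return certs


def has_authenticode_blob(pe):
    """True if a PKCS#7 SignedData blob is embedded. Presence only; nothing is verified."""
    return any(t == WIN_CERT_TYPE_PKCS_SIGNED_DATA for _, t, _ in embedded_certificates(pe))


def build_minimal_pe(cert_payload=None, cert_type=WIN_CERT_TYPE_PKCS_SIGNED_DATA):
    """Constructed test input: a header-only PE32+ image (not loadable), optionally
    with one WIN_CERTIFICATE appended and referenced from data directory 4."""
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)            # e_lfanew
    opt_size = 240                                     # PE32+ optional header size
    coff = struct.pack("<HHIIIHH", 0x8664, 0, 0, 0, 0, opt_size, 0x0022)
    opt = bytearray(opt_size)
    struct.pack_into("<H", opt, 0, PE32PLUS_MAGIC)
    struct.pack_into("<I", opt, 108, 16)               # NumberOfRvaAndSizes
    headers_len = 0x40 + 4 + len(coff) + opt_size
    cert = b""
    if cert_payload is not None:
        cert = struct.pack("<IHH", 8 + len(cert_payload), WIN_CERT_REVISION_2_0, cert_type)
        cert += cert_payload
        cert += b"\0" * (-len(cert) % 8)               # pad to 8-byte boundary
        struct.pack_into("<II", opt, 112 + 8 * IMAGE_DIRECTORY_ENTRY_SECURITY,
                         headers_len, len(cert))
    return bytes(dos) + b"PE\0\0" + coff + bytes(opt) + cert


if __name__ == "__main__":
    fake = build_minimal_pe(b"this is not PKCS#7 SignedData")
    print("blob present:", has_authenticode_blob(fake), "| verified: never checked here")
```

The constructed "signed" image carries an arbitrary byte string where the PKCS#7 structure should be, and the presence check still says yes; that is exactly the gap between detecting a certificate table and verifying a signature, and why a firewall rule keyed on "valid signature" is only as good as the verification behind it.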
卡饭论坛 (KaFan.cn)