This post was last edited by 偶偶偶114514 on 2025-12-24 13:43
Damn, all the classics missed it ()
Let's look at the comedy contestant:
{
  "verdict": "malicious",
  "confidence": "medium",
  "malware_identity": {
    "type": "Trojan/Overlay Loader",
    "suspected_family": "Generic/Sonbokli",
    "reasoning": "基于以下证据判定为恶意软件:1) VirusTotal检测率为7/72,被Microsoft标记为'Trojan:Win32/Sonbokli.A!cl';2) 文件包含'overlay'标签,表明可能存在附加数据;3) 高熵值(7.7862)暗示加密或压缩数据;4) 导入表包含典型的恶意软件API组合,包括文件操作(CreateFileW, SetFilePointerEx, ReadFile)、进程操作(CreateThread)、注册表访问(RegOpenKeyExW)和反调试(IsDebuggerPresent, OutputDebugStringW);5) 代码中包含字符串'itunes'和'iTunes',可能伪装成合法音频软件,但实际行为可疑;6) 虽然PYAS显示为白文件,但VirusTotal检测和代码特征更倾向于恶意。"
  },
  "summary": "伪装成音频处理工具的恶意软件,使用Overlay技术隐藏payload,具备文件操作、进程创建、注册表访问和反调试能力。",
  "mitre_matrix": [
    {"id": "T1027", "technique": "混淆文件或信息", "evidence": "高熵值(7.7862)表明文件可能被加密或压缩"},
    {"id": "T1055", "technique": "进程注入", "evidence": "导入CreateThread API,可能用于创建恶意线程"},
    {"id": "T1112", "technique": "修改注册表", "evidence": "导入RegOpenKeyExW, RegQueryValueExW, RegCloseKey API"},
    {"id": "T1056", "technique": "输入捕获", "evidence": "可能通过文件操作API监控系统"},
    {"id": "T1497", "technique": "虚拟化/沙箱逃逸", "evidence": "导入IsDebuggerPresent, OutputDebugStringW, QueryPerformanceCounter等反调试API"},
    {"id": "T1204", "technique": "用户执行", "evidence": "伪装成'iTunes'相关软件诱使用户执行"},
    {"id": "T1036", "technique": "伪装", "evidence": "使用'itunes'、'iTunes'字符串伪装成合法音频软件"}
  ],
  "virustotal_summary": "SHA256: 9866a8ecf5414283d89528597ef7ff590f60e42aa6fc4972f61a083c2b08c1ec,检测率7/72,主要引擎检测:Microsoft标记为'Trojan:Win32/Sonbokli.A!cl',CrowdStrike标记为'win/grayware_confidence_70% (D)'。标签包含:signed, invalid-signature, peexe, overlay。PYAS分析显示为Pefile/White,但与已知恶意样本有59.8%相似度。",
  "indicators": [
    {"type": "hash", "value": "9866a8ecf5414283d89528597ef7ff590f60e42aa6fc4972f61a083c2b08c1ec"},
    {"type": "hash", "value": "fa35125ea4d401d91a8b101c94d5ba19"},
    {"type": "string", "value": "itunes"},
    {"type": "string", "value": "iTunes"},
    {"type": "string", "value": "tak_deco_lib"},
    {"type": "behavior", "value": "Overlay数据读取"},
    {"type": "behavior", "value": "反调试技术"},
    {"type": "behavior", "value": "注册表操作"}
  ]
}