论坛发布的SH3.41貌似有毒？

代表太阳太阳你 · 发表于 2016-4-6 17:28:04

这是在哪里分析的，哈勃还是火眼，有md5没

逆夏 · 发表于 2016-4-6 17:26:38

下面是自动创建的文件（1111111Srv.exe）的检测报告

行为描述：修改原系统的EXE文件
详情信息： C:\Documents and Settings\Administrator\Application Data\SogouExplorer\Extension\com.sogou.snapTaker\0.4.2\npprintscreen.dll

行为描述：跨进程写入数据
详情信息： TargetProcess = iexplore.exe, WriteAddress = 0x20040000, Size = 53248
TargetProcess = iexplore.exe, WriteAddress = 0x00020000, Size = 563
TargetProcess = iexplore.exe, WriteAddress = 0x00401a25, Size = 12

行为描述：修改注册表_启动项
详情信息： \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit

行为描述：跨进程写代码段数据
详情信息： C:\Program Files\Internet Explorer\iexplore.exe, WriteAddress = 0x00401A25, EntryPoint = 0x00401A25

行为描述：设置特殊文件夹属性
详情信息： C:\DiskX\RECYCLER

行为描述：查找文件方式探测虚拟机
详情信息： FindFirstFileEx: FileName = C:\Documents and Settings\Administrator\Local Settings\Application Data\VMware\*.*
FindFirstFileEx: FileName = C:\Documents and Settings\Administrator\Local Settings\Temp\VBoxGuestAdditions\*.*
FindFirstFileEx: FileName = C:\Documents and Settings\Administrator\Local Settings\Temp\VMwareDnD\*.*
FindFirstFileEx: FileName = C:\Documents and Settings\All Users\Application Data\VMware\*.*
其他行为基本信息文件名称： 1111111Srv.exe

MD5： 7c724e154505b4700ce3de14f47f02e8
文件类型： EXE
上传时间： 2016-04-06 17:04:54
出品公司： SOFTWIN S
版本： 106.42.73.61---106.42.73
壳或编译器信息： PACKER:UPX 0.89.6 - 1.02 / 1.05 - 1.24 -> Markus & Laszlo
报毒名称： Trojan.Win32.Ramnit.efg

关键行为行为描述：修改原系统的EXE文件
详情信息： C:\Documents and Settings\Administrator\Application Data\SogouExplorer\Extension\com.sogou.snapTaker\0.4.2\npprintscreen.dll

行为描述：跨进程写入数据
详情信息： TargetProcess = iexplore.exe, WriteAddress = 0x20040000, Size = 53248
TargetProcess = iexplore.exe, WriteAddress = 0x00020000, Size = 563
TargetProcess = iexplore.exe, WriteAddress = 0x00401a25, Size = 12

行为描述：修改注册表_启动项
详情信息： \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit

行为描述：跨进程写代码段数据
详情信息： C:\Program Files\Internet Explorer\iexplore.exe, WriteAddress = 0x00401A25, EntryPoint = 0x00401A25

行为描述：设置特殊文件夹属性
详情信息： C:\DiskX\RECYCLER

行为描述：查找文件方式探测虚拟机
详情信息： FindFirstFileEx: FileName = C:\Documents and Settings\Administrator\Local Settings\Application Data\VMware\*.*
FindFirstFileEx: FileName = C:\Documents and Settings\Administrator\Local Settings\Temp\VBoxGuestAdditions\*.*
FindFirstFileEx: FileName = C:\Documents and Settings\Administrator\Local Settings\Temp\VMwareDnD\*.*
FindFirstFileEx: FileName = C:\Documents and Settings\All Users\Application Data\VMware\*.*

进程行为行为描述：创建进程
详情信息： ImagePath = C:\Program Files\Internet Explorer\IEXPLORE.EXE, CmdLine = "C:\Program Files\Internet Explorer\IEXPLORE.EXE"

行为描述：创建新文件进程
详情信息： ImagePath = C:\Documents and Settings\Administrator\Local Settings\%temp%\996ESrv.exe, CmdLine = "C:\Documents and Settings\Administrator\Local Settings\%temp%\996ESrv.exe"
ImagePath = C:\Program Files\Microsoft\DesktopLayer.exe, CmdLine = "C:\Program Files\Microsoft\DesktopLayer.exe"
ImagePath = C:\Program Files\Microsoft\DesktopLayerSrv.exe, CmdLine = "C:\Program Files\Microsoft\DesktopLayerSrv.exe"
ImagePath = C:\Documents and Settings\Administrator\Local Settings\%temp%\1459934495.133821.exe, CmdLine = "C:\Documents and Settings\Administrator\Local Settings\%temp%\1459934495.133821.exe"

行为描述：跨进程写入数据
详情信息： TargetProcess = iexplore.exe, WriteAddress = 0x20040000, Size = 53248
TargetProcess = iexplore.exe, WriteAddress = 0x00020000, Size = 563
TargetProcess = iexplore.exe, WriteAddress = 0x00401a25, Size = 12

行为描述：枚举进程
详情信息： N/A

行为描述：跨进程写代码段数据
详情信息： C:\Program Files\Internet Explorer\iexplore.exe, WriteAddress = 0x00401A25, EntryPoint = 0x00401A25

行为描述：创建本地线程
详情信息： C:\Documents and Settings\Administrator\Local Settings\%temp%\1459934495.196238.exe
C:\Documents and Settings\Administrator\Local Settings\%temp%\1459934495.196566.exe
C:\Documents and Settings\Administrator\Local Settings\%temp%\996ESrv.exe
C:\Program Files\Microsoft\DesktopLayer.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Microsoft\DesktopLayerSrv.exe

行为描述：进程退出
详情信息： N/A

文件行为行为描述：创建文件
详情信息： C:\Documents and Settings\Administrator\Local Settings\%temp%\996ESrv.exe
C:\Program Files\Microsoft\px3.tmp
C:\Program Files\Microsoft\DesktopLayer.exe
C:\Program Files\Microsoft\px4.tmp
C:\Program Files\Microsoft\DesktopLayerSrv.exe
C:\Program Files\Internet Explorer\dmlconf.dat

行为描述：修改原系统的EXE文件
详情信息： C:\Documents and Settings\Administrator\Application Data\SogouExplorer\Extension\com.sogou.snapTaker\0.4.2\npprintscreen.dll

行为描述：创建可执行文件
详情信息： C:\Documents and Settings\Administrator\Local Settings\%temp%\996ESrv.exe
C:\Program Files\Microsoft\DesktopLayer.exe
C:\Program Files\Microsoft\DesktopLayerSrv.exe

行为描述：覆盖已有文件
详情信息： C:\Program Files\Microsoft\px3.tmp
C:\Program Files\Microsoft\px4.tmp
C:\Program Files\Internet Explorer\dmlconf.dat

行为描述：复制文件
详情信息： C:\Documents and Settings\Administrator\Local Settings\%temp%\1459934495.206134.exe ---> C:\Program Files\Microsoft\DesktopLayer.exe
C:\Documents and Settings\Administrator\Local Settings\%temp%\996ESrv.exe ---> C:\Program Files\Microsoft\DesktopLayer.exe

行为描述：内存映射方式修改可执行文件
详情信息： \device\harddiskvolume1\documents and settings\administrator\application data\sogouexplorer\extension\com.sogou.snaptaker\0.4.2\npprintscreen.dll

行为描述：删除文件
详情信息： C:\Program Files\Microsoft\px3.tmp
C:\Program Files\Microsoft\px4.tmp

行为描述：查找文件
详情信息： FileName = C:\Documents and Settings\Administrator\Local Settings\Temp
FileName = C:\Documents and Settings\Administrator\Local Settings\%temp%
FileName = C:\Documents and Settings\Administrator\Local Settings\%temp%\996ESrv.exe
FileName = C:\Program Files\Internet Explorer\IEXPLORE.EXE
FileName = C:\Program Files\Internet Explorer\iexplore.exe
FileName = C:\*.*
FileName = C:\222c25ed\*.*
FileName = C:\222c25ed\IE8-Setup-Full\*.*
FileName = C:\222c25ed\IE8-Setup-Full\log\*.*
FileName = C:\AnalyzeControl\*.*
FileName = C:\DiskD\*.*
FileName = C:\DiskX\*.*
FileName = C:\DiskX\RECYCLER\*.*
FileName = C:\Documents and Settings\*.*
FileName = C:\Documents and Settings\Administrator\*.*

行为描述：设置特殊文件夹属性
详情信息： C:\DiskX\RECYCLER

行为描述：修改文件内容
详情信息： C:\Documents and Settings\Administrator\Local Settings\%temp%\996ESrv.exe ---> Offset = 0
C:\Program Files\Microsoft\DesktopLayer.exe ---> Offset = 0
C:\Program Files\Microsoft\DesktopLayer.exe ---> Offset = 65536
C:\Program Files\Microsoft\DesktopLayer.exe ---> Offset = 4096
C:\Program Files\Microsoft\DesktopLayer.exe ---> Offset = 8192
C:\Program Files\Microsoft\DesktopLayerSrv.exe ---> Offset = 0
C:\Program Files\Internet Explorer\dmlconf.dat ---> Offset = 0
C:\Documents and Settings\Administrator\Application Data\SogouExplorer\Extension\com.sogou.privateSurf\0.0.0.1\backgroundpage.html ---> Offset = 2787
C:\Documents and Settings\Administrator\Application Data\SogouExplorer\Extension\com.sogou.quicklink\0.0.0.1\backgroundpage.html ---> Offset = 873
C:\Documents and Settings\Administrator\Application Data\SogouExplorer\Extension\com.sogou.quicklink\0.0.0.1\popup.html ---> Offset = 39547
C:\Documents and Settings\Administrator\Application Data\SogouExplorer\Extension\com.sogou.secondAccount\0.0.0.1\backgroundpage.html ---> Offset = 1227
C:\Documents and Settings\Administrator\Application Data\SogouExplorer\Extension\com.sogou.share\0.0.0.1\backgroundpage.html ---> Offset = 5201
C:\Documents and Settings\Administrator\Application Data\SogouExplorer\Extension\com.sogou.privateSurf\0.0.0.1\backgroundpage.html ---> Offset = 0
C:\Documents and Settings\Administrator\Application Data\SogouExplorer\Extension\com.sogou.privateSurf\0.0.0.1\backgroundpage.html ---> Offset = 65536
C:\Documents and Settings\Administrator\Application Data\SogouExplorer\Extension\com.sogou.quicklink\0.0.0.1\backgroundpage

行为描述：修改注册表_启动项
详情信息： \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit

基本信息关键行为进程行为文件行为网络行为注册表行为其他行为基本信息文件名称： 1111111Srv.exe

MD5： 7c724e154505b4700ce3de14f47f02e8
文件类型： EXE
上传时间： 2016-04-06 17:04:54
出品公司： SOFTWIN S
版本： 106.42.73.61---106.42.73
壳或编译器信息： PACKER:UPX 0.89.6 - 1.02 / 1.05 - 1.24 -> Markus & Laszlo
报毒名称： Trojan.Win32.Ramnit.efg

关键行为行为描述：修改原系统的EXE文件
详情信息： C:\Documents and Settings\Administrator\Application Data\SogouExplorer\Extension\com.sogou.snapTaker\0.4.2\npprintscreen.dll

行为描述：跨进程写入数据
详情信息： TargetProcess = iexplore.exe, WriteAddress = 0x20040000, Size = 53248
TargetProcess = iexplore.exe, WriteAddress = 0x00020000, Size = 563
TargetProcess = iexplore.exe, WriteAddress = 0x00401a25, Size = 12

行为描述：修改注册表_启动项
详情信息： \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit

行为描述：跨进程写代码段数据
详情信息： C:\Program Files\Internet Explorer\iexplore.exe, WriteAddress = 0x00401A25, EntryPoint = 0x00401A25

行为描述：设置特殊文件夹属性
详情信息： C:\DiskX\RECYCLER

行为描述：查找文件方式探测虚拟机
详情信息： FindFirstFileEx: FileName = C:\Documents and Settings\Administrator\Local Settings\Application Data\VMware\*.*
FindFirstFileEx: FileName = C:\Documents and Settings\Administrator\Local Settings\Temp\VBoxGuestAdditions\*.*
FindFirstFileEx: FileName = C:\Documents and Settings\Administrator\Local Settings\Temp\VMwareDnD\*.*
FindFirstFileEx: FileName = C:\Documents and Settings\All Users\Application Data\VMware\*.*

进程行为行为描述：创建进程
详情信息： ImagePath = C:\Program Files\Internet Explorer\IEXPLORE.EXE, CmdLine = "C:\Program Files\Internet Explorer\IEXPLORE.EXE"

行为描述：创建新文件进程
详情信息： ImagePath = C:\Documents and Settings\Administrator\Local Settings\%temp%\996ESrv.exe, CmdLine = "C:\Documents and Settings\Administrator\Local Settings\%temp%\996ESrv.exe"
ImagePath = C:\Program Files\Microsoft\DesktopLayer.exe, CmdLine = "C:\Program Files\Microsoft\DesktopLayer.exe"
ImagePath = C:\Program Files\Microsoft\DesktopLayerSrv.exe, CmdLine = "C:\Program Files\Microsoft\DesktopLayerSrv.exe"
ImagePath = C:\Documents and Settings\Administrator\Local Settings\%temp%\1459934495.133821.exe, CmdLine = "C:\Documents and Settings\Administrator\Local Settings\%temp%\1459934495.133821.exe"

行为描述：跨进程写入数据
详情信息： TargetProcess = iexplore.exe, WriteAddress = 0x20040000, Size = 53248
TargetProcess = iexplore.exe, WriteAddress = 0x00020000, Size = 563
TargetProcess = iexplore.exe, WriteAddress = 0x00401a25, Size = 12

行为描述：枚举进程
详情信息： N/A

行为描述：跨进程写代码段数据
详情信息： C:\Program Files\Internet Explorer\iexplore.exe, WriteAddress = 0x00401A25, EntryPoint = 0x00401A25

行为描述：创建本地线程
详情信息： C:\Documents and Settings\Administrator\Local Settings\%temp%\1459934495.196238.exe
C:\Documents and Settings\Administrator\Local Settings\%temp%\1459934495.196566.exe
C:\Documents and Settings\Administrator\Local Settings\%temp%\996ESrv.exe
C:\Program Files\Microsoft\DesktopLayer.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Microsoft\DesktopLayerSrv.exe

行为描述：进程退出
详情信息： N/A

文件行为行为描述：创建文件
详情信息： C:\Documents and Settings\Administrator\Local Settings\%temp%\996ESrv.exe
C:\Program Files\Microsoft\px3.tmp
C:\Program Files\Microsoft\DesktopLayer.exe
C:\Program Files\Microsoft\px4.tmp
C:\Program Files\Microsoft\DesktopLayerSrv.exe
C:\Program Files\Internet Explorer\dmlconf.dat

行为描述：修改原系统的EXE文件
详情信息： C:\Documents and Settings\Administrator\Application Data\SogouExplorer\Extension\com.sogou.snapTaker\0.4.2\npprintscreen.dll

行为描述：创建可执行文件
详情信息： C:\Documents and Settings\Administrator\Local Settings\%temp%\996ESrv.exe
C:\Program Files\Microsoft\DesktopLayer.exe
C:\Program Files\Microsoft\DesktopLayerSrv.exe

行为描述：覆盖已有文件
详情信息： C:\Program Files\Microsoft\px3.tmp
C:\Program Files\Microsoft\px4.tmp
C:\Program Files\Internet Explorer\dmlconf.dat

行为描述：复制文件
详情信息： C:\Documents and Settings\Administrator\Local Settings\%temp%\1459934495.206134.exe ---> C:\Program Files\Microsoft\DesktopLayer.exe
C:\Documents and Settings\Administrator\Local Settings\%temp%\996ESrv.exe ---> C:\Program Files\Microsoft\DesktopLayer.exe

行为描述：内存映射方式修改可执行文件
详情信息： \device\harddiskvolume1\documents and settings\administrator\application data\sogouexplorer\extension\com.sogou.snaptaker\0.4.2\npprintscreen.dll

行为描述：删除文件
详情信息： C:\Program Files\Microsoft\px3.tmp
C:\Program Files\Microsoft\px4.tmp

行为描述：查找文件
详情信息： FileName = C:\Documents and Settings\Administrator\Local Settings\Temp
FileName = C:\Documents and Settings\Administrator\Local Settings\%temp%
FileName = C:\Documents and Settings\Administrator\Local Settings\%temp%\996ESrv.exe
FileName = C:\Program Files\Internet Explorer\IEXPLORE.EXE
FileName = C:\Program Files\Internet Explorer\iexplore.exe
FileName = C:\*.*
FileName = C:\222c25ed\*.*
FileName = C:\222c25ed\IE8-Setup-Full\*.*
FileName = C:\222c25ed\IE8-Setup-Full\log\*.*
FileName = C:\AnalyzeControl\*.*
FileName = C:\DiskD\*.*
FileName = C:\DiskX\*.*
FileName = C:\DiskX\RECYCLER\*.*
FileName = C:\Documents and Settings\*.*
FileName = C:\Documents and Settings\Administrator\*.*

行为描述：设置特殊文件夹属性
详情信息： C:\DiskX\RECYCLER

行为描述：修改文件内容
详情信息： C:\Documents and Settings\Administrator\Local Settings\%temp%\996ESrv.exe ---> Offset = 0
C:\Program Files\Microsoft\DesktopLayer.exe ---> Offset = 0
C:\Program Files\Microsoft\DesktopLayer.exe ---> Offset = 65536
C:\Program Files\Microsoft\DesktopLayer.exe ---> Offset = 4096
C:\Program Files\Microsoft\DesktopLayer.exe ---> Offset = 8192
C:\Program Files\Microsoft\DesktopLayerSrv.exe ---> Offset = 0
C:\Program Files\Internet Explorer\dmlconf.dat ---> Offset = 0
C:\Documents and Settings\Administrator\Application Data\SogouExplorer\Extension\com.sogou.privateSurf\0.0.0.1\backgroundpage.html ---> Offset = 2787
C:\Documents and Settings\Administrator\Application Data\SogouExplorer\Extension\com.sogou.quicklink\0.0.0.1\backgroundpage.html ---> Offset = 873
C:\Documents and Settings\Administrator\Application Data\SogouExplorer\Extension\com.sogou.quicklink\0.0.0.1\popup.html ---> Offset = 39547
C:\Documents and Settings\Administrator\Application Data\SogouExplorer\Extension\com.sogou.secondAccount\0.0.0.1\backgroundpage.html ---> Offset = 1227
C:\Documents and Settings\Administrator\Application Data\SogouExplorer\Extension\com.sogou.share\0.0.0.1\backgroundpage.html ---> Offset = 5201
C:\Documents and Settings\Administrator\Application Data\SogouExplorer\Extension\com.sogou.privateSurf\0.0.0.1\backgroundpage.html ---> Offset = 0
C:\Documents and Settings\Administrator\Application Data\SogouExplorer\Extension\com.sogou.privateSurf\0.0.0.1\backgroundpage.html ---> Offset = 65536
C:\Documents and Settings\Administrator\Application Data\SogouExplorer\Extension\com.sogou.quicklink\0.0.0.1\backgroundpage.html ---> Offset = 0

网络行为行为描述：建立到一个指定的套接字连接
详情信息： URL: go******om, IP: <FAKE_SERVER_IP>:80, SOCKET = 0x00000120
URL: fg***********om, IP: <FAKE_SERVER_IP>:443, SOCKET = 0x00000128

行为描述：按名称获取主机地址
详情信息： gethostbyname: go******om
gethostbyname: fg***********om

注册表行为行为描述：修改注册表_启动项
详情信息： \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit

其他行为行为描述：创建互斥体
详情信息： KyUffThOkYwRRtgPP

行为描述：修改后的可执行文件MD5
详情信息： C:\Documents and Settings\Administrator\Application Data\SogouExplorer\Extension\com.sogou.snapTaker\0.4.2\npprintscreen.dll ---> ff7db3db534236b7738ccce99ae33e09

行为描述：修改后的可执行文件签名信息
详情信息： C:\Documents and Settings\Administrator\Application Data\SogouExplorer\Extension\com.sogou.snapTaker\0.4.2\npprintscreen.dll(签名验证: 未通过)

行为描述：可执行文件签名信息
详情信息： C:\Documents and Settings\Administrator\Local Settings\%temp%\996ESrv.exe(签名验证: 未通过)
C:\Program Files\Microsoft\DesktopLayer.exe(签名验证: 未通过)
C:\Program Files\Microsoft\DesktopLayerSrv.exe(签名验证: 未通过)

行为描述：可执行文件MD5
详情信息： C:\Documents and Settings\Administrator\Local Settings\%temp%\996ESrv.exe ---> ff5e1f27193ce51eec318714ef038bef
C:\Program Files\Microsoft\DesktopLayer.exe ---> 7c724e154505b4700ce3de14f47f02e8
C:\Program Files\Microsoft\DesktopLayerSrv.exe ---> ff5e1f27193ce51eec318714ef038bef

行为描述：查找文件方式探测虚拟机
详情信息： FindFirstFileEx: FileName = C:\Documents and Settings\Administrator\Local Settings\Application Data\VMware\*.*
FindFirstFileEx: FileName = C:\Documents and Settings\Administrator\Local Settings\Temp\VBoxGuestAdditions\*.*
FindFirstFileEx: FileName = C:\Documents and Settings\Administrator\Local Settings\Temp\VMwareDnD\*.*
FindFirstFileEx: FileName = C:\Documents and Settings\All Users\Application Data\VMware\*.*

		自动登录	找回密码
密码			注册

[闲聊] 论坛发布的SH3.41貌似有毒？

点评

浏览过的版块