pangzicool posted on 2019-8-23 01:01

Could an expert take a look? I got a trojan, I'm using 360 now

Just now when I logged in, something flashed by. I downloaded that software to my PC and dragged it over to the virtual machine to run it, so why did I get a trojan... I'm using the 360 First Aid Kit now, don't know if it works.

Below is what Habo's analysis came up with. Could an expert look into it and help me deal with it, and tell me whether it will wipe the data on my PC. I'll be grateful to anyone who knows.


Low risk

Key behaviors

Behavior: Cross-process data write
Details:
TargetProcess = C:\WINDOWS\explorer.exe, WriteAddress = 0x01820000, Size = 0x00002000 TargetPID = 0x000007d0
TargetProcess = C:\WINDOWS\explorer.exe, WriteAddress = 0x026b0000, Size = 0x00001000 TargetPID = 0x000007d0
TargetProcess = C:\Program Files\Adobe\Reader 9.0\Reader\reader_sl.exe, WriteAddress = 0x00990000, Size = 0x00002000 TargetPID = 0x000000dc
TargetProcess = C:\Program Files\Adobe\Reader 9.0\Reader\reader_sl.exe, WriteAddress = 0x00bb0000, Size = 0x00001000 TargetPID = 0x000000dc
TargetProcess = C:\Program Files\Common Files\Java\Java Update\jusched.exe, WriteAddress = 0x00bf0000, Size = 0x00002000 TargetPID = 0x000000f0
TargetProcess = C:\Program Files\Common Files\Java\Java Update\jusched.exe, WriteAddress = 0x00c00000, Size = 0x00001000 TargetPID = 0x000000f0
TargetProcess = C:\WINDOWS\system32\ctfmon.exe, WriteAddress = 0x009a0000, Size = 0x00002000 TargetPID = 0x000000f8
TargetProcess = C:\WINDOWS\system32\ctfmon.exe, WriteAddress = 0x009b0000, Size = 0x00001000 TargetPID = 0x000000f8
TargetProcess = C:\Program Files\Tencent\QQ\Bin\QQ.exe, WriteAddress = 0x013e0000, Size = 0x00002000 TargetPID = 0x0000010c
TargetProcess = C:\Program Files\Tencent\QQ\Bin\QQ.exe, WriteAddress = 0x013f0000, Size = 0x00001000 TargetPID = 0x0000010c
TargetProcess = C:\Program Files\Tencent\QQ\Bin\TXPlatform.exe, WriteAddress = 0x01110000, Size = 0x00002000 TargetPID = 0x0000015c
TargetProcess = C:\Program Files\Tencent\QQ\Bin\TXPlatform.exe, WriteAddress = 0x01120000, Size = 0x00001000 TargetPID = 0x0000015c
TargetProcess = C:\WINDOWS\system32\conime.exe, WriteAddress = 0x00900000, Size = 0x00002000 TargetPID = 0x00000210
TargetProcess = C:\WINDOWS\system32\conime.exe, WriteAddress = 0x00910000, Size = 0x00001000 TargetPID = 0x00000210
TargetProcess = C:\WINDOWS\system32\PersonalBankPortal.exe, WriteAddress = 0x03a30000, Size = 0x00002000 TargetPID = 0x00000098

Behavior: Registry modification, system firewall authorized application list
Details:
\REGISTRY\MACHINE\SYSTEM\ControlSet002\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\C:\Documents and Settings\Administrator\Local Settings\%temp%\****.exe_7zdump\180407\180407.exe

Behavior: Registry modification, key UAC setting
Details:
\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system\EnableLUA

Behavior: Regular driver load
Details:
system32\DRIVERS\ipfltdrv.sys
\??\C:\WINDOWS\system32\drivers\hqjkn.sys

Behavior: Create remote thread
Details:
TargetProcess: explorer.exe, InheritedFromPID = 1932, ProcessID = 2000, ThreadID = 3356, StartAddress = 01820000, Parameter = 00000000
TargetProcess: explorer.exe, InheritedFromPID = 1932, ProcessID = 2000, ThreadID = 3360, StartAddress = 026B0000, Parameter = 00000000
TargetProcess: reader_sl.exe, InheritedFromPID = 2000, ProcessID = 220, ThreadID = 3364, StartAddress = 00990000, Parameter = 00000000
TargetProcess: reader_sl.exe, InheritedFromPID = 2000, ProcessID = 220, ThreadID = 3368, StartAddress = 00BB0000, Parameter = 00000000
TargetProcess: jusched.exe, InheritedFromPID = 2000, ProcessID = 240, ThreadID = 3376, StartAddress = 00BF0000, Parameter = 00000000
TargetProcess: jusched.exe, InheritedFromPID = 2000, ProcessID = 240, ThreadID = 3380, StartAddress = 00C00000, Parameter = 00000000
TargetProcess: ctfmon.exe, InheritedFromPID = 2000, ProcessID = 248, ThreadID = 3388, StartAddress = 009A0000, Parameter = 00000000
TargetProcess: ctfmon.exe, InheritedFromPID = 2000, ProcessID = 248, ThreadID = 3400, StartAddress = 009B0000, Parameter = 00000000
TargetProcess: QQ.exe, InheritedFromPID = 2000, ProcessID = 268, ThreadID = 3404, StartAddress = 013E0000, Parameter = 00000000
TargetProcess: QQ.exe, InheritedFromPID = 2000, ProcessID = 268, ThreadID = 3416, StartAddress = 013F0000, Parameter = 00000000
TargetProcess: TXPlatform.exe, InheritedFromPID = 872, ProcessID = 348, ThreadID = 3424, StartAddress = 01110000, Parameter = 00000000
TargetProcess: TXPlatform.exe, InheritedFromPID = 872, ProcessID = 348, ThreadID = 3428, StartAddress = 01120000, Parameter = 00000000
TargetProcess: conime.exe, InheritedFromPID = 476, ProcessID = 528, ThreadID = 3436, StartAddress = 00900000, Parameter = 00000000
TargetProcess: conime.exe, InheritedFromPID = 476, ProcessID = 528, ThreadID = 3444, StartAddress = 00910000, Parameter = 00000000
TargetProcess: PersonalBankPortal.exe, InheritedFromPID = 2000, ProcessID = 152, ThreadID = 3460, StartAddress = 03A30000, Parameter = 00000000

Behavior: Get TickCount value
Details:
TickCount = 226715, SleepMilliseconds = 12.
TickCount = 228146, SleepMilliseconds = 256.
TickCount = 228177, SleepMilliseconds = 256.
TickCount = 228193, SleepMilliseconds = 256.
TickCount = 228209, SleepMilliseconds = 256.
TickCount = 228992, SleepMilliseconds = 1024.
TickCount = 229008, SleepMilliseconds = 1024.
TickCount = 229024, SleepMilliseconds = 1024.
TickCount = 229039, SleepMilliseconds = 1024.
TickCount = 229102, SleepMilliseconds = 1024.
TickCount = 229117, SleepMilliseconds = 1024.
TickCount = 228349, SleepMilliseconds = 256.
TickCount = 228365, SleepMilliseconds = 256.
TickCount = 228381, SleepMilliseconds = 256.
TickCount = 228396, SleepMilliseconds = 256.

Behavior: Attempt to connect to rootkit driver device object
Details:
\??\amsint32

Behavior: Set special folder attributes
Details:
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5
C:\Documents and Settings\Administrator\Local Settings\History
C:\Documents and Settings\Administrator\Local Settings\History\History.IE5
C:\Documents and Settings\Administrator\Cookies
C:\Documents and Settings\Administrator\IETldCache
C:\Documents and Settings\Administrator\Local Settings\Application Data\Microsoft\Feeds\{5588ACFD-6436-411B-A5CE-666AE6A92D3D}~\WebSlices~
C:\Documents and Settings\Administrator\Local Settings\Application Data\Microsoft\Feeds\{5588ACFD-6436-411B-A5CE-666AE6A92D3D}~
C:\Documents and Settings\Administrator\Local Settings\Application Data\Microsoft\Feeds Cache
C:\Documents and Settings\Administrator\IECompatCache

Behavior: Direct call of critical system API
Details:
Index = 0x0000007B, Name: NtOpenProcessToken, Instruction Address = 0x0042DA82
Index = 0x0000000B, Name: NtAdjustPrivilegesToken, Instruction Address = 0x0042DB49
Index = 0x00000019, Name: NtClose, Instruction Address = 0x0042DA2A
Index = 0x00000053, Name: NtFreeVirtualMemory, Instruction Address = 0x0040BCDE
Index = 0x0000009A, Name: NtQueryInformationProcess, Instruction Address = 0x004099A1

Behavior: Create system service
Details:
[服务已存在]: IPFILTERDRIVER, C:\WINDOWS\system32\drivers\ipfltdrv.sys
[服务创建成功]: amsint32, C:\WINDOWS\system32\drivers\hqjkn.sys
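As an added example (not from the thread and not Habo's own code), the following Python correlates two of the report's behavior classes: a cross-process write whose region later becomes the StartAddress of a remote thread in the same PID is the write-then-execute pattern an analyst reads as code injection into that process. The sample strings are a constructed subset of the entries above, kept in the run-together form the report was posted in.

```python
import re
from collections import defaultdict

# Constructed sample: a subset of the report's entries, concatenated without
# separators exactly as they appeared in the posted Habo output.
WRITES = ("TargetProcess = C:\\WINDOWS\\explorer.exe, WriteAddress = 0x01820000, "
          "Size = 0x00002000 TargetPID = 0x000007d0"
          "TargetProcess = C:\\WINDOWS\\system32\\ctfmon.exe, WriteAddress = 0x009a0000, "
          "Size = 0x00002000 TargetPID = 0x000000f8")
THREADS = ("TargetProcess: explorer.exe, InheritedFromPID = 1932, ProcessID = 2000, "
           "ThreadID = 3356, StartAddress = 01820000, Parameter = 00000000"
           "TargetProcess: ctfmon.exe, InheritedFromPID = 2000, ProcessID = 248, "
           "ThreadID = 3388, StartAddress = 009B0000, Parameter = 00000000")

# Field order follows the report; the hex PID in WRITES is decimal in THREADS.
WRITE_RE = re.compile(r"TargetProcess = (?P<path>.+?), WriteAddress = (?P<addr>0x[0-9a-fA-F]+), "
                      r"Size = (?P<size>0x[0-9a-fA-F]+) TargetPID = (?P<pid>0x[0-9a-fA-F]+)")
THREAD_RE = re.compile(r"TargetProcess: (?P<name>[^,]+), InheritedFromPID = \d+, "
                       r"ProcessID = (?P<pid>\d+), ThreadID = (?P<tid>\d+), "
                       r"StartAddress = (?P<addr>[0-9a-fA-F]+), Parameter = [0-9a-fA-F]+")


def parse_writes(text):
    """Return (pid, address, size, path) for each cross-process write entry."""
    return [(int(m["pid"], 16), int(m["addr"], 16), int(m["size"], 16), m["path"])
            for m in WRITE_RE.finditer(text)]


def parse_threads(text):
    """Return (pid, start_address, tid, name) for each remote-thread entry."""
    return [(int(m["pid"]), int(m["addr"], 16), int(m["tid"]), m["name"])
            for m in THREAD_RE.finditer(text)]


def injections(writes, threads):
    """Pair each remote thread whose StartAddress lies inside a region the sample
    wrote into the same PID; that write-then-execute pairing is the injection signal."""
    regions = defaultdict(list)
    for pid, addr, size, path in writes:
        regions[pid].append((addr, addr + size, path))
    hits = []
    for pid, start, tid, name in threads:
        for lo, hi, _path in regions.get(pid, []):
            if lo <= start < hi:
                hits.append({"pid": pid, "process": name, "start": hex(start), "tid": tid})
    return hits


if __name__ == "__main__":
    for hit in injections(parse_writes(WRITES), parse_threads(THREADS)):
        print(hit)
```

In the sample, explorer.exe is flagged (write at 0x01820000, thread started at the same address), while the ctfmon.exe thread at 0x009B0000 falls outside the single 0x2000-byte write included here and is not paired.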

KARMA07007 posted on 2019-8-23 01:01

yanmingming posted on 2019-8-23 07:27
Waiting for replies below

An ordinary txplatform.exe virus
The txplatform.exe virus

The txplatform.exe program carries Tencent's digital signature and is usually located under the path "C:\Program Files\Tencent\QQ\Bin\QQ.exe".

1. One type of trojan infects the txplatform file under the QQ directory. These trojans directly rewrite QQ-related components such as QQ and QQ Games, so the trojan only starts when the QQ-related programs run, and then steals your online game and online banking passwords.

2. Another type impersonates the txplatform file and overwrites the legitimate one. It is very stealthy, evades detection by traditional security software, and then steals all kinds of account passwords from the PC for illegal profit.

3. A third type drops a txplatform.exe virus file on the system drive; you will usually see two instances of it in Task Manager.

pangzicool posted on 2019-8-23 01:02

I know nothing about any of this... no idea how to analyze this thing.

昔日天才 posted on 2019-8-23 01:34

Newbie passing by

谦月 posted on 2019-8-23 01:41

There's no sample, so how can anyone look at it?

pangzicool posted on 2019-8-23 02:29

谦月 posted on 2019-8-23 01:41
There's no sample, so how can anyone look at it?

I force-killed and deleted the sample...

pangzicool posted on 2019-8-23 02:30

谦月 posted on 2019-8-23 01:41
There's no sample, so how can anyone look at it?

If you want it I can still find it, I just don't know how to send it to you

谦月 posted on 2019-8-23 02:32

pangzicool posted on 2019-8-23 02:30
If you want it I can still find it, I just don't know how to send it to you

You can upload it to the forum's sample section...

15832255334 posted on 2019-8-23 03:11

I got this virus too, also just now.

yanmingming posted on 2019-8-23 07:27

Waiting for replies below