Gurus, I accidentally got hit by ransomware and am currently doing data recovery. The malware sample is below; I hope someone can help analyze it.
The ransomware encrypts common file types and then deletes itself. This sample was recovered from a historical snapshot. The attachment contains the encrypted files and the ransom note; if it can be cracked, I would be very grateful.
Archive extraction password:
52pojie
Link: https://pan.baidu.com/s/1UzV7d7wJfUcPzS17preeNQ
Extraction code: fwpi
Recommended handling:
Delete the autorun registry entries
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\4ea2d9471107f4fc3820aa2af5074d4e397f89ccceb617d5c8e56bf0639ec7fb
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\4ea2d9471107f4fc3820aa2af5074d4e397f89ccceb617d5c8e56bf0639ec7fb
Delete the files
%HOMEPATH%\AppData\Local\Temp\Microsoft Visual C++ 2010 x86 Redistributable Setup_10.0.30319\__lock_XXX__
%HOMEPATH%\AppData\Local\Temp\acrord32_sbx\lilo.2296\__lock_XXX__
%HOMEPATH%\AppData\Local\Temp\TCD32E6.tmp\__lock_XXX__
%HOMEPATH%\AppData\Local\Temp\hsperfdata_vbccsb\__lock_XXX__
%HOMEPATH%\AppData\Local\Temp\TCD33C4.tmp\__lock_XXX__
%HOMEPATH%\AppData\Local\Temp\!READ_ME.txt
%HOMEPATH%\AppData\Local\Temp\TCD32E7.tmp\__lock_XXX__
%HOMEPATH%\AppData\Local\Temp\TCD3488.tmp\__lock_XXX__
%HOMEPATH%\AppData\Local\Temp\Microsoft Visual C++ 2010 x64 Redistributable Setup_10.0.30319\!READ_ME.txt
%HOMEPATH%\AppData\Local\Temp\gen_py\2.7\!READ_ME.txt
%HOMEPATH%\AppData\Local\Temp\TCD33B4.tmp\!READ_ME.txt
%HOMEPATH%\AppData\Local\Temp\Low\!READ_ME.txt
%HOMEPATH%\AppData\Local\Temp\gen_py\!READ_ME.txt
%HOMEPATH%\AppData\Local\Temp\Microsoft .NET Framework 4 Setup_4.0.30319\__lock_XXX__
%HOMEPATH%\AppData\Local\Temp\TCD3436.tmp\__lock_XXX__
%HOMEPATH%\AppData\Local\Temp\__lock_XXX__
%HOMEPATH%\AppData\Local\Temp\Microsoft Visual C++ 2010 x86 Redistributable Setup_10.0.30319\!READ_ME.txt
%HOMEPATH%\AppData\Local\Temp\TCD33E6.tmp\!READ_ME.txt
%HOMEPATH%\AppData\Local\Temp\TCD3488.tmp\!READ_ME.txt
%HOMEPATH%\AppData\Local\Temp\TCD3447.tmp\__lock_XXX__
%HOMEPATH%\AppData\Local\Temp\mozilla-temp-files\!READ_ME.txt
%HOMEPATH%\AppData\Local\Temp\TCD3436.tmp\!READ_ME.txt
%HOMEPATH%\AppData\Local\Temp\gen_py\2.7\__lock_XXX__
%HOMEPATH%\AppData\Local\Temp\TCD32E6.tmp\!READ_ME.txt
%HOMEPATH%\AppData\Local\Temp\acrord32_sbx\lilo.2296\!READ_ME.txt
%HOMEPATH%\AppData\Local\Temp\gen_py\__lock_XXX__
%HOMEPATH%\AppData\Local\Temp\TCD33E6.tmp\__lock_XXX__
%HOMEPATH%\AppData\Local\Temp\TCD32E8.tmp\!READ_ME.txt
%HOMEPATH%\AppData\Local\Temp\TCD33D5.tmp\!READ_ME.txt
%HOMEPATH%\AppData\Local\Temp\TCD34E8.tmp\!READ_ME.txt
%HOMEPATH%\AppData\Local\Temp\acrord32_sbx\__lock_XXX__
%HOMEPATH%\AppData\Local\Temp\CR_A7BDC.tmp\!READ_ME.txt
%HOMEPATH%\AppData\Local\Temp\Microsoft Visual C++ 2010 x64 Redistributable Setup_10.0.30319\__lock_XXX__
%HOMEPATH%\AppData\Local\Temp\Adobe_CDMLogs\__lock_XXX__
%HOMEPATH%\AppData\Local\Temp\TCD3447.tmp\!READ_ME.txt
%HOMEPATH%\AppData\Local\Temp\mozilla-temp-files\__lock_XXX__
%HOMEPATH%\AppData\Local\Temp\hsperfdata_vbccsb\!READ_ME.txt
%HOMEPATH%\AppData\Local\Temp\acrord32_sbx\!READ_ME.txt
%HOMEPATH%\AppData\Local\Temp\TCD32E8.tmp\__lock_XXX__
%HOMEPATH%\AppData\Local\Temp\TCD33C4.tmp\!READ_ME.txt
%HOMEPATH%\AppData\Local\Temp\TCD33B4.tmp\__lock_XXX__
%HOMEPATH%\AppData\Local\Temp\CR_A7BDC.tmp\__lock_XXX__
%HOMEPATH%\AppData\Local\Temp\TCD32E5.tmp\!READ_ME.txt
%HOMEPATH%\AppData\Local\Temp\TCD34E8.tmp\__lock_XXX__
%HOMEPATH%\AppData\Local\Temp\TCD33D5.tmp\__lock_XXX__
%HOMEPATH%\AppData\Local\Temp\TCD32E7.tmp\!READ_ME.txt
%HOMEPATH%\AppData\Local\Temp\Microsoft .NET Framework 4 Setup_4.0.30319\!READ_ME.txt
%HOMEPATH%\AppData\Local\Temp\TCD32E5.tmp\__lock_XXX__
%HOMEPATH%\AppData\Local\Temp\Low\__lock_XXX__
%HOMEPATH%\AppData\Local\Temp\Adobe_CDMLogs\!READ_ME.txt
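As an added example (not code posted in this thread), the cleanup advice above can be applied with a PowerShell script that reports the persistence value and the dropped files and removes them only when asked. It assumes the hash is the value name under each Run key (the thread lists it as the last path component), that the thread's %HOMEPATH%\AppData\Local\Temp is $env:LOCALAPPDATA\Temp for the affected profile, that `__lock_XXX__` may be a placeholder (so `__lock_*__` is matched), and it invents an evidence folder, ransom_evidence under the user profile, to preserve one ransom note and one lock file before anything is deleted:

```powershell
<#
Added example, not from the thread: report and optionally remove the
persistence value and dropped files listed in the cleanup advice.
Assumptions: the hash is the value NAME under each Run key; the thread's
%HOMEPATH%\AppData\Local\Temp is $env:LOCALAPPDATA\Temp for the affected
profile; '__lock_XXX__' may be a placeholder, so '__lock_*__' is matched;
the evidence folder name is our own choice.
Run elevated so the HKLM key can be read and written. Without -Remove the
script only reports; -WhatIf shows what -Remove would do.
#>
[CmdletBinding(SupportsShouldProcess = $true)]
param(
    [switch]$Remove,
    [string]$EvidenceDir = (Join-Path $env:USERPROFILE 'ransom_evidence')
)

# Value name taken from the registry paths quoted in the thread.
$ValueName = '4ea2d9471107f4fc3820aa2af5074d4e397f89ccceb617d5c8e56bf0639ec7fb'
$RunKeys = @(
    'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run'
)
$TempRoot = Join-Path $env:LOCALAPPDATA 'Temp'

# 1. Persistence: the Run value named after the hash.
foreach ($key in $RunKeys) {
    if (-not (Test-Path -LiteralPath $key)) { continue }
    $item = Get-ItemProperty -LiteralPath $key -Name $ValueName -ErrorAction SilentlyContinue
    if ($null -eq $item) { continue }
    Write-Output "[persistence] $key\$ValueName = $($item.$ValueName)"
    if ($Remove -and $PSCmdlet.ShouldProcess("$key\$ValueName", 'Remove registry value')) {
        Remove-ItemProperty -LiteralPath $key -Name $ValueName
    }
}

# 2. Dropped files: lock markers and ransom notes anywhere under the temp tree.
$dropped = Get-ChildItem -LiteralPath $TempRoot -Recurse -Force -File -ErrorAction SilentlyContinue |
    Where-Object { $_.Name -eq '!READ_ME.txt' -or $_.Name -like '__lock_*__' }

if ($dropped) {
    # Keep one copy per distinct file name before anything is deleted: the
    # ransom note plus an encrypted file are what a family identification needs.
    New-Item -ItemType Directory -Path $EvidenceDir -Force | Out-Null
    $dropped | Group-Object Name | ForEach-Object {
        Copy-Item -LiteralPath $_.Group[0].FullName -Destination $EvidenceDir -Force
    }
}

foreach ($f in $dropped) {
    Write-Output "[dropped] $($f.FullName)"
    if ($Remove -and $PSCmdlet.ShouldProcess($f.FullName, 'Remove file')) {
        Remove-Item -LiteralPath $f.FullName -Force
    }
}
```

Run it once without `-Remove` to confirm the findings match the list above, then with `-Remove` (or `-Remove -WhatIf` first). The evidence copy matters here because the thread reports the sample deletes itself after encrypting: the ransom note and an encrypted file may be the only artifacts left for identifying the family.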
Sandbox analysis shows the sample is UPX-packed and was built on 2019-09-11 06:32:28.
It downloads remote-control software from verticious.pw and connects to 203.208.43.228 and 203.208.42.29 (TCP port 80).
Malware family: QQWare
Details:
Import table hash (imphash): 987925333a6242f7c4ec0e6643a7f692
Compile timestamp: 2019-09-11 06:32:28
PEiD:
PE: packer: UPX(3.95)
PE: linker: Microsoft Linker(14.15)
Entry point section: UPX1
Overlay (appended data): 3357
Entry point (OEP): 0x190c70
Image base: 0x400000

A complete beginner who knows nothing can't help you either. How did you get infected? Tell everyone about it.
A virus in a virtual machine and you're still trying to fix it... unbelievable!!!!

Quoting zxcvbnm12 (posted 2020-2-25 17:16): A virus in a virtual machine and you're still trying to fix it... unbelievable!!!!
Thanks for the interest. The infected system is the virtualization cluster; the snapshot is from the backup server.

Quoting jhcl212 (posted 2020-2-25 17:02): A complete beginner who knows nothing can't help you either. How did you get infected? Tell everyone about it.
The exact cause is unknown; I found it in this state when I got to work in the morning.

I really envy you guys who manage to get infected. What kind of wild operation does it take? I'll go try it myself.
Too advanced for me.
Sending good wishes, good luck.
Total newbie here, I don't understand any of this; I'd like to know how this gets solved.