Something flashed by for a moment just as I logged in. I downloaded that software onto my computer and dragged it over to the virtual machine to run it there, so why did I get hit with a trojan... I'm using the 360 Emergency Kit (360急救箱) now, not sure whether it works.
Below is what Habo (哈勃) analysis came up with. Could an expert take a look, help me deal with it, and say whether it will wipe the data on my computer? I'll be grateful for sure.
Risk level: Low

Key behaviors

Behavior: Cross-process data write
Details:
- TargetProcess = C:\WINDOWS\explorer.exe, WriteAddress = 0x01820000, Size = 0x00002000 TargetPID = 0x000007d0
- TargetProcess = C:\WINDOWS\explorer.exe, WriteAddress = 0x026b0000, Size = 0x00001000 TargetPID = 0x000007d0
- TargetProcess = C:\Program Files\Adobe\Reader 9.0\Reader\reader_sl.exe, WriteAddress = 0x00990000, Size = 0x00002000 TargetPID = 0x000000dc
- TargetProcess = C:\Program Files\Adobe\Reader 9.0\Reader\reader_sl.exe, WriteAddress = 0x00bb0000, Size = 0x00001000 TargetPID = 0x000000dc
- TargetProcess = C:\Program Files\Common Files\Java\Java Update\jusched.exe, WriteAddress = 0x00bf0000, Size = 0x00002000 TargetPID = 0x000000f0
- TargetProcess = C:\Program Files\Common Files\Java\Java Update\jusched.exe, WriteAddress = 0x00c00000, Size = 0x00001000 TargetPID = 0x000000f0
- TargetProcess = C:\WINDOWS\system32\ctfmon.exe, WriteAddress = 0x009a0000, Size = 0x00002000 TargetPID = 0x000000f8
- TargetProcess = C:\WINDOWS\system32\ctfmon.exe, WriteAddress = 0x009b0000, Size = 0x00001000 TargetPID = 0x000000f8
- TargetProcess = C:\Program Files\Tencent\QQ\Bin\QQ.exe, WriteAddress = 0x013e0000, Size = 0x00002000 TargetPID = 0x0000010c
- TargetProcess = C:\Program Files\Tencent\QQ\Bin\QQ.exe, WriteAddress = 0x013f0000, Size = 0x00001000 TargetPID = 0x0000010c
- TargetProcess = C:\Program Files\Tencent\QQ\Bin\TXPlatform.exe, WriteAddress = 0x01110000, Size = 0x00002000 TargetPID = 0x0000015c
- TargetProcess = C:\Program Files\Tencent\QQ\Bin\TXPlatform.exe, WriteAddress = 0x01120000, Size = 0x00001000 TargetPID = 0x0000015c
- TargetProcess = C:\WINDOWS\system32\conime.exe, WriteAddress = 0x00900000, Size = 0x00002000 TargetPID = 0x00000210
- TargetProcess = C:\WINDOWS\system32\conime.exe, WriteAddress = 0x00910000, Size = 0x00001000 TargetPID = 0x00000210
- TargetProcess = C:\WINDOWS\system32\PersonalBankPortal.exe, WriteAddress = 0x03a30000, Size = 0x00002000 TargetPID = 0x00000098

Behavior: Registry modification, system firewall trusted-process list
Details:
- \REGISTRY\MACHINE\SYSTEM\ControlSet002\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\C:\Documents and Settings\Administrator\Local Settings\%temp%\****.exe_7zdump\180407\180407.exe

Behavior: Registry modification, UAC key setting
Details:
- \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system\EnableLUA

Behavior: Regular driver load
Details:
- system32\DRIVERS\ipfltdrv.sys
- \??\C:\WINDOWS\system32\drivers\hqjkn.sys

Behavior: Remote thread creation
Details:
- TargetProcess: explorer.exe, InheritedFromPID = 1932, ProcessID = 2000, ThreadID = 3356, StartAddress = 01820000, Parameter = 00000000
- TargetProcess: explorer.exe, InheritedFromPID = 1932, ProcessID = 2000, ThreadID = 3360, StartAddress = 026B0000, Parameter = 00000000
- TargetProcess: reader_sl.exe, InheritedFromPID = 2000, ProcessID = 220, ThreadID = 3364, StartAddress = 00990000, Parameter = 00000000
- TargetProcess: reader_sl.exe, InheritedFromPID = 2000, ProcessID = 220, ThreadID = 3368, StartAddress = 00BB0000, Parameter = 00000000
- TargetProcess: jusched.exe, InheritedFromPID = 2000, ProcessID = 240, ThreadID = 3376, StartAddress = 00BF0000, Parameter = 00000000
- TargetProcess: jusched.exe, InheritedFromPID = 2000, ProcessID = 240, ThreadID = 3380, StartAddress = 00C00000, Parameter = 00000000
- TargetProcess: ctfmon.exe, InheritedFromPID = 2000, ProcessID = 248, ThreadID = 3388, StartAddress = 009A0000, Parameter = 00000000
- TargetProcess: ctfmon.exe, InheritedFromPID = 2000, ProcessID = 248, ThreadID = 3400, StartAddress = 009B0000, Parameter = 00000000
- TargetProcess: QQ.exe, InheritedFromPID = 2000, ProcessID = 268, ThreadID = 3404, StartAddress = 013E0000, Parameter = 00000000
- TargetProcess: QQ.exe, InheritedFromPID = 2000, ProcessID = 268, ThreadID = 3416, StartAddress = 013F0000, Parameter = 00000000
- TargetProcess: TXPlatform.exe, InheritedFromPID = 872, ProcessID = 348, ThreadID = 3424, StartAddress = 01110000, Parameter = 00000000
- TargetProcess: TXPlatform.exe, InheritedFromPID = 872, ProcessID = 348, ThreadID = 3428, StartAddress = 01120000, Parameter = 00000000
- TargetProcess: conime.exe, InheritedFromPID = 476, ProcessID = 528, ThreadID = 3436, StartAddress = 00900000, Parameter = 00000000
- TargetProcess: conime.exe, InheritedFromPID = 476, ProcessID = 528, ThreadID = 3444, StartAddress = 00910000, Parameter = 00000000
- TargetProcess: PersonalBankPortal.exe, InheritedFromPID = 2000, ProcessID = 152, ThreadID = 3460, StartAddress = 03A30000, Parameter = 00000000

Behavior: Get TickCount value
Details:
- TickCount = 226715, SleepMilliseconds = 12.
- TickCount = 228146, SleepMilliseconds = 256.
- TickCount = 228177, SleepMilliseconds = 256.
- TickCount = 228193, SleepMilliseconds = 256.
- TickCount = 228209, SleepMilliseconds = 256.
- TickCount = 228992, SleepMilliseconds = 1024.
- TickCount = 229008, SleepMilliseconds = 1024.
- TickCount = 229024, SleepMilliseconds = 1024.
- TickCount = 229039, SleepMilliseconds = 1024.
- TickCount = 229102, SleepMilliseconds = 1024.
- TickCount = 229117, SleepMilliseconds = 1024.
- TickCount = 228349, SleepMilliseconds = 256.
- TickCount = 228365, SleepMilliseconds = 256.
- TickCount = 228381, SleepMilliseconds = 256.
- TickCount = 228396, SleepMilliseconds = 256.

Behavior: Attempt to connect to a rootkit driver device object
Details:
- \??\amsint32

Behavior: Set special folder attributes
Details:
- C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files
- C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5
- C:\Documents and Settings\Administrator\Local Settings\History
- C:\Documents and Settings\Administrator\Local Settings\History\History.IE5
- C:\Documents and Settings\Administrator\Cookies
- C:\Documents and Settings\Administrator\IETldCache
- C:\Documents and Settings\Administrator\Local Settings\Application Data\Microsoft\Feeds\{5588ACFD-6436-411B-A5CE-666AE6A92D3D}~\WebSlices~
- C:\Documents and Settings\Administrator\Local Settings\Application Data\Microsoft\Feeds\{5588ACFD-6436-411B-A5CE-666AE6A92D3D}~
- C:\Documents and Settings\Administrator\Local Settings\Application Data\Microsoft\Feeds Cache
- C:\Documents and Settings\Administrator\IECompatCache

Behavior: Direct calls to critical system APIs
Details:
- Index = 0x0000007B, Name: NtOpenProcessToken, Instruction Address = 0x0042DA82
- Index = 0x0000000B, Name: NtAdjustPrivilegesToken, Instruction Address = 0x0042DB49
- Index = 0x00000019, Name: NtClose, Instruction Address = 0x0042DA2A
- Index = 0x00000053, Name: NtFreeVirtualMemory, Instruction Address = 0x0040BCDE
- Index = 0x0000009A, Name: NtQueryInformationProcess, Instruction Address = 0x004099A1

Behavior: Create system service
Details:
- [service already exists]: IPFILTERDRIVER, C:\WINDOWS\system32\drivers\ipfltdrv.sys
- [service created successfully]: amsint32, C:\WINDOWS\system32\drivers\hqjkn.sys
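As an added triage example (my code, not part of the original post or of Habo's report), the following Python parses the two record types from the report above and pairs each remote thread with the cross-process write at the same PID and start address. A match is the classic write-then-CreateRemoteThread injection pattern, which is why every listed user process (explorer, QQ, the banking client) gets a thread started inside memory the sample just wrote. The sample records are copied from the report; the field layout assumed is the concatenated form shown there.

```python
import re
from collections import defaultdict

# Records copied from the Habo (哈勃) report above. In the report they are
# concatenated with no separator, and that is exactly how they appear here.
WRITE_RECORDS = (
    "TargetProcess = C:\\WINDOWS\\explorer.exe, WriteAddress = 0x01820000, Size = 0x00002000 TargetPID = 0x000007d0"
    "TargetProcess = C:\\WINDOWS\\explorer.exe, WriteAddress = 0x026b0000, Size = 0x00001000 TargetPID = 0x000007d0"
    "TargetProcess = C:\\Program Files\\Tencent\\QQ\\Bin\\TXPlatform.exe, WriteAddress = 0x01110000, Size = 0x00002000 TargetPID = 0x0000015c"
)
THREAD_RECORDS = (
    "TargetProcess: explorer.exe, InheritedFromPID = 1932, ProcessID = 2000, ThreadID = 3356, StartAddress = 01820000, Parameter = 00000000"
    "TargetProcess: explorer.exe, InheritedFromPID = 1932, ProcessID = 2000, ThreadID = 3360, StartAddress = 026B0000, Parameter = 00000000"
    "TargetProcess: TXPlatform.exe, InheritedFromPID = 872, ProcessID = 348, ThreadID = 3424, StartAddress = 01110000, Parameter = 00000000"
)

# Field layout as printed by the report: hex PIDs in write records, decimal
# PIDs in thread records, so both are normalised to int before comparison.
WRITE_RE = re.compile(
    r"TargetProcess = (?P<path>.+?), WriteAddress = 0x(?P<addr>[0-9a-fA-F]+), "
    r"Size = 0x(?P<size>[0-9a-fA-F]+) TargetPID = 0x(?P<pid>[0-9a-fA-F]+)"
)
THREAD_RE = re.compile(
    r"TargetProcess: (?P<name>[^,]+), InheritedFromPID = \d+, ProcessID = (?P<pid>\d+), "
    r"ThreadID = (?P<tid>\d+), StartAddress = (?P<addr>[0-9a-fA-F]+), Parameter = [0-9a-fA-F]+"
)

def parse_writes(text):
    """Return {(pid, address): (target path, size)} for each cross-process write."""
    return {(int(m["pid"], 16), int(m["addr"], 16)): (m["path"], int(m["size"], 16))
            for m in WRITE_RE.finditer(text)}

def parse_threads(text):
    """Return [(pid, start address, tid, image name)] for each remote thread."""
    return [(int(m["pid"]), int(m["addr"], 16), int(m["tid"]), m["name"])
            for m in THREAD_RE.finditer(text)]

def correlate(write_text, thread_text):
    """Group remote threads whose start address was written by the sample, by target path.

    A thread starting inside a region the sample wrote moments earlier is the
    WriteProcessMemory + CreateRemoteThread injection signature; unmatched
    threads (none in this report) would be listed nowhere and deserve a look."""
    writes = parse_writes(write_text)
    hits = defaultdict(list)
    for pid, addr, tid, _name in parse_threads(thread_text):
        if (pid, addr) in writes:
            path, size = writes[(pid, addr)]
            hits[path].append({"pid": pid, "tid": tid, "entry": addr, "bytes": size})
    return dict(hits)

if __name__ == "__main__":
    for path, threads in correlate(WRITE_RECORDS, THREAD_RECORDS).items():
        print(path, "<- injected threads:", threads)
```

Running it over the full report gives one entry per target process, each with a 0x2000 region and a 0x1000 region and a thread started at the base of each, which is what a "low risk" verdict is understating.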
Best answer
An ordinary txplatform.exe virus.
The txplatform.exe virus
The txplatform.exe program carries Tencent's digital signature and is usually located under the path "C:\Program Files\Tencent\QQ\Bin\QQ.exe".
1. One class of trojan infects the txplatform file under the QQ directory; these trojans directly rewrite QQ-related components such as QQ, QQ Games and so on. That way the trojan only starts when the related QQ programs run, and then steals your online-game, online-banking and other password information.
2. Another class of trojan impersonates the txplatform file and overwrites the legitimate one; it is very well concealed and hides ...