Every Dabaicai (大白菜) release from 6.0 onward has a trojan bundled in, and installing a stock Windows image with its Windows installer also plants the trojan, which changes the browser home page among other things. Here the site admin analyzes the trojan shipped with 6.0.
Basic information

| Field | Value |
|---|---|
| File name | TASKMANU0.exe |
| MD5 | 43bc86cba5908ab614a120226592cad5 |
| File type | Autoit |
| Upload time | 2015-09-24 13:15:58 |
| Publisher | N/A |
| Version | 6.0.14.718 / 6.0.14.718 |
| Packer / compiler | COMPILER:Microsoft Visual Studio .NET 2005 - 2008 -> Microsoft Corporation [Overlay] * |
Key behaviors

Behavior: Checks whether it is being debugged
Details: N/A

Behavior: Hides specified windows
Details:
- [Window,Class] = [AutoIt v3,AutoIt v3]
- [Window,Class] = [Errors:,Static]
- [Window,Class] = [,Static]
- [Window,Class] = [List1,SysListView32]
- [Window,Class] = [&Background,Button]
- [Window,Class] = [&Pause,Button]

Behavior: Adds browser favorites
Details:
- C:\Documents and Settings\Administrator\Favorites\百度.url
- C:\Documents and Settings\Administrator\Favorites\搜狗.url
- C:\Documents and Settings\Administrator\Favorites\淘宝网.url
- C:\Documents and Settings\Administrator\Favorites\减肥网.url
- C:\Documents and Settings\Administrator\Favorites\美女图片.url
- C:\Documents and Settings\Administrator\Favorites\美容网.url
- C:\Documents and Settings\Administrator\Favorites\女性网.url
- C:\Documents and Settings\Administrator\Favorites\京东商城.url
- C:\Documents and Settings\Administrator\Favorites\小游戏.url
- C:\Documents and Settings\Administrator\Favorites\电影网.url
- C:\Documents and Settings\Administrator\Favorites\天猫购物.url
- C:\Documents and Settings\Administrator\Favorites\体育新闻.url
- C:\Documents and Settings\Administrator\Favorites\足球比分.url
- C:\Documents and Settings\Administrator\Favorites\网游卡密.url
- C:\Documents and Settings\Administrator\Favorites\话费直充.url

Behavior: Opens file mappings with write access
Details:
- CiceroSharedMemDefaultS-*
- MSCTF.MarshalInterface.FileMap.IHI..KIAHH
- MSCTF.MarshalInterface.FileMap.IHI.B.KIAHH
- MSCTF.MarshalInterface.FileMap.IHI.C.KIAHH
- MSCTF.MarshalInterface.FileMap.IHI.D.KIAHH
- MSCTF.MarshalInterface.FileMap.IHI.E.KIAHH
- MSCTF.MarshalInterface.FileMap.IHI.F.KIAHH
- MSCTF.MarshalInterface.FileMap.IHI.G.KIAHH

Behavior: Modifies registry (IE home page)
Details:
- \REGISTRY\USER\S-*\Software\Microsoft\Internet Explorer\Main\Start Page

Behavior: Modifies registry (startup entry)
Details:
- \REGISTRY\USER\S-*\Software\Microsoft\Windows\CurrentVersion\Run\ctfmon.exe
Process behavior

Behavior: Creates a process with a hidden window
Details: (empty)

Behavior: Creates a process
Details: (empty)

Behavior: Creates a process from a newly written file
Details: (empty)

Behavior: Enumerates processes
Details: N/A
File behavior

Behavior: Opens file mappings with write access
Details:
- CiceroSharedMemDefaultS-*
- MSCTF.MarshalInterface.FileMap.IHI..KIAHH
- MSCTF.MarshalInterface.FileMap.IHI.B.KIAHH
- MSCTF.MarshalInterface.FileMap.IHI.C.KIAHH
- MSCTF.MarshalInterface.FileMap.IHI.D.KIAHH
- MSCTF.MarshalInterface.FileMap.IHI.E.KIAHH
- MSCTF.MarshalInterface.FileMap.IHI.F.KIAHH
- MSCTF.MarshalInterface.FileMap.IHI.G.KIAHH

Behavior: Adds browser favorites
Details:
- C:\Documents and Settings\Administrator\Favorites\百度.url
- C:\Documents and Settings\Administrator\Favorites\搜狗.url
- C:\Documents and Settings\Administrator\Favorites\淘宝网.url
- C:\Documents and Settings\Administrator\Favorites\减肥网.url
- C:\Documents and Settings\Administrator\Favorites\美女图片.url
- C:\Documents and Settings\Administrator\Favorites\美容网.url
- C:\Documents and Settings\Administrator\Favorites\女性网.url
- C:\Documents and Settings\Administrator\Favorites\京东商城.url
- C:\Documents and Settings\Administrator\Favorites\小游戏.url
- C:\Documents and Settings\Administrator\Favorites\电影网.url
- C:\Documents and Settings\Administrator\Favorites\天猫购物.url
- C:\Documents and Settings\Administrator\Favorites\体育新闻.url
- C:\Documents and Settings\Administrator\Favorites\足球比分.url
- C:\Documents and Settings\Administrator\Favorites\网游卡密.url
- C:\Documents and Settings\Administrator\Favorites\话费直充.url

Behavior: Creates executable files
Details:
- C:\DOCUME~1\ADMINI~1\LOCALS~1\dbcTMP\Fav~Url.tmp
- C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\fbinst.dll

Behavior: Modifies file contents
Details:
- C:\Documents and Settings\Administrator\Favorites\百度.url -> Offset = 0
- C:\Documents and Settings\Administrator\Favorites\搜狗.url -> Offset = 0
- C:\Documents and Settings\Administrator\Favorites\淘宝网.url -> Offset = 0
- C:\Documents and Settings\Administrator\Favorites\减肥网.url -> Offset = 0
- C:\Documents and Settings\Administrator\Favorites\美女图片.url -> Offset = 0
- C:\Documents and Settings\Administrator\Favorites\美容网.url -> Offset = 0
- C:\Documents and Settings\Administrator\Favorites\女性网.url -> Offset = 0
- C:\Documents and Settings\Administrator\Favorites\京东商城.url -> Offset = 0
- C:\Documents and Settings\Administrator\Favorites\小游戏.url -> Offset = 0
- C:\Documents and Settings\Administrator\Favorites\电影网.url -> Offset = 0
- C:\Documents and Settings\Administrator\Favorites\天猫购物.url -> Offset = 0
- C:\Documents and Settings\Administrator\Favorites\体育新闻.url -> Offset = 0
- C:\Documents and Settings\Administrator\Favorites\足球比分.url -> Offset = 0
- C:\Documents and Settings\Administrator\Favorites\网游卡密.url -> Offset = 0
- C:\Documents and Settings\Administrator\Favorites\话费直充.url -> Offset = 0

Behavior: Searches for files
Details:
- FileName = C:\Documents and Settings
- FileName = C:\Documents and Settings\Administrator
- FileName = C:\Documents and Settings\Administrator\Local Settings
- FileName = C:\Documents and Settings\Administrator\Local Settings\Temp
- FileName = C:\Documents and Settings\Administrator\Local Settings\%temp%
- FileName = C:\Documents and Settings\Administrator\Local Settings\%temp%\1443071130.063677.exe
- FileName = C:\DOCUME~1\ADMINI~1\LOCALS~1\dbcTMP
- FileName = C:\Documents and Settings\Administrator\Favorites\*
- FileName = C:\*.*
- FileName = C:\Documents and Settings\Administrator\Favorites\Microsoft Websites
- FileName = C:\Documents and Settings\Administrator\Favorites\Microsoft Websites\*.*
- FileName = C:\Documents and Settings\Administrator\Favorites\Microsoft 网站
- FileName = C:\Documents and Settings\Administrator\Favorites\Microsoft 网站\*.*
- FileName = C:\Documents and Settings\Administrator\Favorites\MSN 网站
- FileName = C:\Documents and Settings\Administrator\Favorites\MSN 网站\*.*
Registry behavior

Behavior: Modifies registry
Details:
- \REGISTRY\USER\S-*\Software\Microsoft\Internet Explorer\BrowserEmulation\AllSitesCompatibilityMode
- \REGISTRY\USER\S-*\Software\PPStream\mainclient

Behavior: Deletes registry value (removes startup entry)
Details:
- \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\TASKMANU0
- \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\TASKMANU1
- \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\TASKMANU2
- \REGISTRY\USER\S-*\Software\Microsoft\Windows\CurrentVersion\Run\insScrip

Behavior: Deletes registry key
Details:
- \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
- \REGISTRY\USER\S-*\Software\Microsoft\Windows\CurrentVersion\Run

Behavior: Deletes registry key (removes startup entry)
Details:
- \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\IMAIL
- \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MAPI
- \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MSFS
- \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents

Behavior: Modifies registry (IE home page)
Details:
- \REGISTRY\USER\S-*\Software\Microsoft\Internet Explorer\Main\Start Page

Behavior: Modifies registry (startup entry)
Details:
- \REGISTRY\USER\S-*\Software\Microsoft\Windows\CurrentVersion\Run\ctfmon.exe