Analysis of the TASKMANU0.exe trojan bundled with the 大白菜 (Dabaicai) PE installer


Every 大白菜 release from 6.0 onward ships with a trojan: even when its Windows installer is used to install an untouched Windows image, the trojan is added and changes the browser home page, among other things. Below is this blog's analysis of the 6.0 trojan.

I recommend staying on version 4.0; having a trojan added in the later versions is simply not acceptable. 4.0 is still a very good PE release.

Basic information

File name: TASKMANU0.exe

MD5: 43bc86cba5908ab614a120226592cad5
File type: AutoIt
Upload time: 2015-09-24 13:15:58
Vendor: N/A
Version: 6.0.14.718—6.0.14.718
Packer/compiler info: COMPILER:Microsoft Visual Studio .NET 2005 — 2008 -> Microsoft Corporation [Overlay] *
Sub-file information (name / MD5 / type):

Url.dll / 7c3a8080ef0a394287f24aebd27af77d / 7z
fbinst.dll / fccff3d5e754a1085fef98eb3e8692e3 / EXE
reg.dll / 30ca3af3fb9db4e3b7ff857bd154aa56 / EXE
help.dat / 8552650b4f1005c7cb733f3b29ecff74 / Unknown

AutoItScript / b9c7a1400abed924380a844f40f7acc3 / Unknown

Key behaviors

Behavior: Checks whether it is being debugged
Details:

N/A

Behavior: Hides specified windows
Details:

[Window,Class] = [AutoIt v3,AutoIt v3]

[Window,Class] = [Errors:,Static]

[Window,Class] = [,Static]

[Window,Class] = [List1,SysListView32]

[Window,Class] = [&Background,Button]

[Window,Class] = [&Pause,Button]

Behavior: Adds browser favorites
Details:

C:\Documents and Settings\Administrator\Favorites\百度.url

C:\Documents and Settings\Administrator\Favorites\搜狗.url

C:\Documents and Settings\Administrator\Favorites\淘宝网.url

C:\Documents and Settings\Administrator\Favorites\减肥网.url

C:\Documents and Settings\Administrator\Favorites\美女图片.url

C:\Documents and Settings\Administrator\Favorites\美容网.url

C:\Documents and Settings\Administrator\Favorites\女性网.url

C:\Documents and Settings\Administrator\Favorites\京东商城.url

C:\Documents and Settings\Administrator\Favorites\小游戏.url

C:\Documents and Settings\Administrator\Favorites\电影网.url

C:\Documents and Settings\Administrator\Favorites\天猫购物.url

C:\Documents and Settings\Administrator\Favorites\体育新闻.url

C:\Documents and Settings\Administrator\Favorites\足球比分.url

C:\Documents and Settings\Administrator\Favorites\网游卡密.url

C:\Documents and Settings\Administrator\Favorites\话费直充.url

Behavior: Creates writable file mappings
Details:

CiceroSharedMemDefaultS-*

MSCTF.MarshalInterface.FileMap.IHI..KIAHH

MSCTF.MarshalInterface.FileMap.IHI.B.KIAHH

MSCTF.MarshalInterface.FileMap.IHI.C.KIAHH

MSCTF.MarshalInterface.FileMap.IHI.D.KIAHH

MSCTF.MarshalInterface.FileMap.IHI.E.KIAHH

MSCTF.MarshalInterface.FileMap.IHI.F.KIAHH

MSCTF.MarshalInterface.FileMap.IHI.G.KIAHH

Behavior: Modifies registry (IE start page)
Details:

\REGISTRY\USER\S-*\Software\Microsoft\Internet Explorer\Main\Start Page

Behavior: Modifies registry (startup entry)
Details:

\REGISTRY\USER\S-*\Software\Microsoft\Windows\CurrentVersion\Run\ctfmon.exe

Process behavior

Behavior: Creates process with hidden window
Details:

ImagePath = , CmdLine = c:\docume~1\admini~1\locals~1\dbctmp\fav~url.tmp -y -o"c:\documents and settings\administrator\favorites"

ImagePath = , CmdLine = c:\windows\system32\cmd.exe /c c:\docume~1\admini~1\locals~1\temp\fbinst.dll "c:\windows\installation\support.im_" output img/* %~nx

ImagePath = , CmdLine = c:\windows\system32\cmd.exe /c ping 127.0.0.1 -n 50&reg add "hkcu\software\microsoft\internet explorer\main" /v "start page" /d "http://www.157167.com/?dbc6" /f

Behavior: Creates process
Details:

ImagePath = C:\WINDOWS\system32\cmd.exe, CmdLine = C:\WINDOWS\system32\cmd.exe /c C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\fbinst.dll "C:\WINDOWS\Installation\SUPPORT.IM_" output IMG/* %~nx

ImagePath = C:\WINDOWS\system32\cmd.exe, CmdLine = C:\WINDOWS\system32\cmd.exe /c ping 127.0.0.1 -n 50&reg add "HKCU\Software\Microsoft\Internet Explorer\Main" /v "Start Page" /d "http://www.157167.com/?dbc6" /f

ImagePath = C:\WINDOWS\system32\reg.exe, CmdLine = reg add "HKCU\Software\Microsoft\Internet Explorer\Main" /v "Start Page" /d "http://www.157167.com/?dbc6" /f

Behavior: Creates process from a newly written file
Details:

ImagePath = C:\DOCUME~1\ADMINI~1\LOCALS~1\dbcTMP\Fav~Url.tmp, CmdLine = C:\DOCUME~1\ADMINI~1\LOCALS~1\dbcTMP\Fav~Url.tmp -y -o"C:\Documents and Settings\Administrator\Favorites"

ImagePath = C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\fbinst.dll, CmdLine = C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\fbinst.dll "C:\WINDOWS\Installation\SUPPORT.IM_" output IMG/* %~nx

Behavior: Enumerates processes
Details:

N/A

File behavior

Behavior: Creates writable file mappings
Details:

CiceroSharedMemDefaultS-*

MSCTF.MarshalInterface.FileMap.IHI..KIAHH

MSCTF.MarshalInterface.FileMap.IHI.B.KIAHH

MSCTF.MarshalInterface.FileMap.IHI.C.KIAHH

MSCTF.MarshalInterface.FileMap.IHI.D.KIAHH

MSCTF.MarshalInterface.FileMap.IHI.E.KIAHH

MSCTF.MarshalInterface.FileMap.IHI.F.KIAHH

MSCTF.MarshalInterface.FileMap.IHI.G.KIAHH

Behavior: Adds browser favorites
Details:

C:\Documents and Settings\Administrator\Favorites\百度.url

C:\Documents and Settings\Administrator\Favorites\搜狗.url

C:\Documents and Settings\Administrator\Favorites\淘宝网.url

C:\Documents and Settings\Administrator\Favorites\减肥网.url

C:\Documents and Settings\Administrator\Favorites\美女图片.url

C:\Documents and Settings\Administrator\Favorites\美容网.url

C:\Documents and Settings\Administrator\Favorites\女性网.url

C:\Documents and Settings\Administrator\Favorites\京东商城.url

C:\Documents and Settings\Administrator\Favorites\小游戏.url

C:\Documents and Settings\Administrator\Favorites\电影网.url

C:\Documents and Settings\Administrator\Favorites\天猫购物.url

C:\Documents and Settings\Administrator\Favorites\体育新闻.url

C:\Documents and Settings\Administrator\Favorites\足球比分.url

C:\Documents and Settings\Administrator\Favorites\网游卡密.url

C:\Documents and Settings\Administrator\Favorites\话费直充.url

Behavior: Creates executable files
Details:

C:\DOCUME~1\ADMINI~1\LOCALS~1\dbcTMP\Fav~Url.tmp

C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\fbinst.dll

Behavior: Modifies file contents
Details:

C:\Documents and Settings\Administrator\Favorites\百度.url—> Offset = 0

C:\Documents and Settings\Administrator\Favorites\搜狗.url—> Offset = 0

C:\Documents and Settings\Administrator\Favorites\淘宝网.url—> Offset = 0

C:\Documents and Settings\Administrator\Favorites\减肥网.url—> Offset = 0

C:\Documents and Settings\Administrator\Favorites\美女图片.url—> Offset = 0

C:\Documents and Settings\Administrator\Favorites\美容网.url—> Offset = 0

C:\Documents and Settings\Administrator\Favorites\女性网.url—> Offset = 0

C:\Documents and Settings\Administrator\Favorites\京东商城.url—> Offset = 0

C:\Documents and Settings\Administrator\Favorites\小游戏.url—> Offset = 0

C:\Documents and Settings\Administrator\Favorites\电影网.url—> Offset = 0

C:\Documents and Settings\Administrator\Favorites\天猫购物.url—> Offset = 0

C:\Documents and Settings\Administrator\Favorites\体育新闻.url—> Offset = 0

C:\Documents and Settings\Administrator\Favorites\足球比分.url—> Offset = 0

C:\Documents and Settings\Administrator\Favorites\网游卡密.url—> Offset = 0

C:\Documents and Settings\Administrator\Favorites\话费直充.url—> Offset = 0

Behavior: Searches for files
Details:

FileName = C:\Documents and Settings

FileName = C:\Documents and Settings\Administrator

FileName = C:\Documents and Settings\Administrator\Local Settings

FileName = C:\Documents and Settings\Administrator\Local Settings\Temp

FileName = C:\Documents and Settings\Administrator\Local Settings\%temp%

FileName = C:\Documents and Settings\Administrator\Local Settings\%temp%\1443071130.063677.exe

FileName = C:\DOCUME~1\ADMINI~1\LOCALS~1\dbcTMP

FileName = C:\Documents and Settings\Administrator\Favorites\*

FileName = C:\*.*

FileName = C:\Documents and Settings\Administrator\Favorites\Microsoft Websites

FileName = C:\Documents and Settings\Administrator\Favorites\Microsoft Websites\*.*

FileName = C:\Documents and Settings\Administrator\Favorites\Microsoft 网站

FileName = C:\Documents and Settings\Administrator\Favorites\Microsoft 网站\*.*

FileName = C:\Documents and Settings\Administrator\Favorites\MSN 网站

FileName = C:\Documents and Settings\Administrator\Favorites\MSN 网站\*.*

Registry behavior

Behavior: Modifies registry
Details:

\REGISTRY\USER\S-*\Software\Microsoft\Internet Explorer\BrowserEmulation\AllSitesCompatibilityMode

\REGISTRY\USER\S-*\Software\PPStream\main\client

Behavior: Deletes registry values (removes startup entries)
Details:

\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\TASKMANU0

\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\TASKMANU1

\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\TASKMANU2

\REGISTRY\USER\S-*\Software\Microsoft\Windows\CurrentVersion\Run\insScrip

Behavior: Deletes registry keys
Details:

\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

\REGISTRY\USER\S-*\Software\Microsoft\Windows\CurrentVersion\Run

Behavior: Deletes registry keys (removes startup entries)
Details:

\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\IMAIL

\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MAPI

\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MSFS

\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents

Behavior: Modifies registry (IE start page)
Details:

\REGISTRY\USER\S-*\Software\Microsoft\Internet Explorer\Main\Start Page

Behavior: Modifies registry (startup entry)
Details:

\REGISTRY\USER\S-*\Software\Microsoft\Windows\CurrentVersion\Run\ctfmon.exe

Other behavior

By OUEYE
