分析平台再次升级

2017-3-31 Nie.Meining Life

其实中途已经更新过好几个版本了,只是人老了比较懒,一直没更新日志,猛然一看上一篇日志居然是两年前写的……

这期间其实发生了不少事,比如N个项目开发,比如发表论文和撰写专利,以及历尽千辛万苦累感不爱终于毕业了……

废话不多说,新版分析系统更新内容包括检测项目增加、检测能力加强、匹配规则优化等多个方面。

访问地址依旧http://tcasoft.com/,欢迎大家测试并提出宝贵意见!

--------------------------------------------------------------------------------------------------

另外分享一些比较有意思的恶意代码分析报告,有新有旧:

[java样本] 最近捕获到的java样本越来越多,这是一种新的趋势吗?

http://tcasoft.com/tcaCloudPlatform/report/toViewReport.action?rid=d97eded86dcd31b357e511b3df61029e

比较有意思的是,自己本来就是个java,还要再释放一个vbs,虽然vbs查询WMI的确挺方便:

1111.png


[js样本] 当然更大的趋势是各种脚本Downloader,也就是勒索软件……

http://tcasoft.com/tcaCloudPlatform/report/toViewReport.action?rid=6a71148619077ce9416659ee42b4db15

不过这类样本的存活周期往往比较短暂,为了触发js可能的后续行为我们实现了网络模拟:

2222.png

有兴趣的伙伴也可以下载pcap包进一步分析。


[BSOD样本] 对于某些加钩子的分析引擎可能会被一起弄崩溃吧。

http://tcasoft.com/tcaCloudPlatform/report/toViewReport.action?rid=39a76b8b933a0c0a87430625b08c0d1a

不过我们的分析方法在硬件层实现,对我们来讲蓝屏也是GuestOS的一种正常状态。

5555.png


[DLL样本] 这类样本比较少见,主要是因为不太容易触发行为。好在我们开发了专门的加载器。

http://tcasoft.com/tcaCloudPlatform/report/toViewReport.action?rid=576f6fb5d8ac9c44ac3abe6f8d696036

4444.png


[文档类样本] 这些东西是APT攻击的最爱。

http://tcasoft.com/tcaCloudPlatform/report/toViewReport.action?rid=1a007aa5721ab1743e266a503434bbb3

http://tcasoft.com/tcaCloudPlatform/report/toViewReport.action?rid=e74596cb5ba2b33a9d8193b9cc0d7354

http://tcasoft.com/tcaCloudPlatform/report/toViewReport.action?rid=0bbe58ed30fcd35be418739b1eca995f

http://tcasoft.com/tcaCloudPlatform/report/toViewReport.action?rid=9c5b73c10138f6967b5e6c608b9a8c4b
http://tcasoft.com/tcaCloudPlatform/report/toViewReport.action?rid=a728cf4da7bbdaee732fa9651c1dd0ad


有漏洞攻击的、有内嵌宏病毒的,还有需要用户交互才能触发的狡猾行为。比如第四个样本的触发秘密就隐藏在截图中 :

3333.png


[linux样本] linux系统越来越普及,样本也越来越多了。

http://tcasoft.com/tcaCloudPlatform/report/toViewReport.action?rid=ee5ff02b2417d9fb00eeea16180051f6

http://tcasoft.com/tcaCloudPlatform/report/toViewReport.action?rid=de841064a9215d27ffaf9b03b65ec4b7

比较有意思的是,第一个样本居然指定了DNS服务器来查询恶意域名,也算是对抗模拟网络的一种手段吧:

6666.png

第二个样本伪装成日志文件java.log(在类型伪装方面显然linux比windows更加方便),然后调用一些列系统命令完成恶意行为,最后覆盖netstat等常用命令实现传播和复制。

7777.png

windows样本喜欢使用API序列,但调用系统命令可能是linux样本实现目的的常见方式,显然我们的引擎还没做好准备,输出的参数还不够完整,近期需要加强了。

----------------------------------------------------------------------------

另外由于这次版本更新比较大,以前的一些历史报告可能就看不到了,请谅解……



« [分析引擎开发笔记]64位系统支持 | 分析平台升级»

评论:

tadalafil 20 mg
2020-06-05 16:45
taking viafra with cialis
  cialis and alcoholic drinks forum rules
<a href="http://tadalafilbnz.com">tadalafil
</a> - cialis+viagra
cialis 20mg dosage website
回复
Svetaknoca
2020-05-24 04:52
where can you get free is

4d97 is a miglior prezzo

4d97 acheter is angleterre

4d97 im 17 can i take is

4d97
回复
prila
2020-05-16 07:08
Our 20-19 getaway Survival manual is packed with all tools resources and the hints to secure you get through theweeks. https://divorcepapersindiapdf.wordpress.com
回复
prila
2020-04-24 16:32
I've voluntarily sold my exhusband two week ends outside of 4 monthly plus he's saying I'm being dumb, does anybody are aware of very well what the mimimum https://northcarolinadivorceformsonline.wordpress.com
回复
ypuqotp
2020-03-17 09:26
975669875 196362515
http://community.viajar.tur.br/index.php?p=/profile/shelakier
http://community.viajar.tur.br/index.php?p=/discussion/1871853/hd-otel-belgrad
http://sciidbox.com/2020/03/14/onl-%d0%be%d1%82%d0%b5%d0%bb%d1%8c-%d0%b1%d0%b5%d0%bb%d0%b3%d1%80%d0%b0%d0%b4-10/
http://zeitstationen-mannheim.de/index.php/component/k2/itemlist/user/909694
回复
jejcidn
2020-03-17 08:04
313727761 439837508
http://community.viajar.tur.br/index.php?p=/profile/mackdonagh
http://swed-leb.se/%d0%be%d1%82%d0%b5%d0%bb%d1%8c-%d0%b1%d0%b5%d0%bb%d0%b3%d1%80%d0%b0%d0%b4-29/
http://www.carlodesantis.it/%d0%ba%d0%b8%d0%bd%d0%be-%e3%80%90%d0%be%d1%82%d0%b5%d0%bb%d1%8c-%d0%b1%d0%b5%d0%bb%d0%b3%d1%80%d0%b0%d0%b4%e3%80%91-2/
https://youngstownangels.com/yte-%d0%be%d1%82%d0%b5%d0%bb%d1%8c-%d0%b1%d0%b5%d0%bb%d0%b3%d1%80%d0%b0%d0%b4-53/
http://community.viajar.tur.br/index.php?p=/profile/qhudella74
http://leonardosordo.it/%d0%ba%d0%b8%d0%bd%d0%be-%e1%90%89-%d0%be%d1%82%d0%b5%d0%bb%d1%8c-%d0%b1%d0%b5%d0%bb%d0%b3%d1%80%d0%b0%d0%b4-3/
http://zeahjp.com/bbs/1001115
回复
wbiqwtf
2020-03-17 07:48
451501604 496997492
http://bega.horse/vf1/profile/rosalieeme
http://twitter.social-website-traffic.org/blogs/viewstory/5832
https://niselnom.com/tv-%d0%be%d1%82%d0%b5%d0%bb%d1%8c-%d0%b1%d0%b5%d0%bb%d0%b3%d1%80%d0%b0%d0%b4-28/
http://sciidbox.com/2020/03/14/%d1%81%d0%bc%d0%be%d1%82%d1%80%d0%b5%d1%82%d1%8c-%d0%be%d1%82%d0%b5%d0%bb%d1%8c-%d0%b1%d0%b5%d0%bb%d0%b3%d1%80%d0%b0%d0%b4-6/
http://zeahjp.com/bbs/1071513
http://community.viajar.tur.br/index.php?p=/discussion/1870395/watch-otel-belgrad
https://firefly-glow.com/forums/users/gfhjoanna65/edit/?updated=true/users/gfhjoanna65/
回复
agxtouw
2020-03-17 07:13
98449133 862691708
http://community.viajar.tur.br/index.php?p=/discussion/1860595/hdytbe-%E1%90%89-otel-belgrad
http://community.viajar.tur.br/index.php?p=/profile/milesmcfal
http://twitter.social-website-traffic.org/blogs/viewstory/10444
http://bega.horse/vf1/profile/britneybag
http://community.viajar.tur.br/index.php?p=/discussion/1878996/film-onlayn-%E1%90%89-otel-belgrad
http://www.travelgood.com/forums/users/denacjw369348491/
http://bega.horse/vf1/discussion/47035/hd-otel-belgrad/p1
回复
cpayrxk
2020-03-17 06:40
464313153 572087694
http://community.viajar.tur.br/index.php?p=/discussion/1880040/watch-otel-belgrad
http://hoestro.com/index.php/author/tamelaotool/
http://gmclasses.in/forums/users/tawnyadunlop/
http://twitter.social-website-traffic.org/blogs/viewstory/6540
http://163.27.214.193/userinfo.php?uid=379994
回复
nyyuydk
2020-03-17 05:21
594232656 784855967
http://community.viajar.tur.br/index.php?p=/profile/egamelvina
http://163.30.42.16/~health2017/userinfo.php?uid=115630
http://swed-leb.se/%d1%84%d0%b8%d0%bb%d1%8c%d0%bc-%e3%80%90%d0%be%d1%82%d0%b5%d0%bb%d1%8c-%d0%b1%d0%b5%d0%bb%d0%b3%d1%80%d0%b0%d0%b4%e3%80%91-24/
https://sublimeclothingco.com/?p=139028
http://community.viajar.tur.br/index.php?p=/profile/eleanormcr
http://community.viajar.tur.br/index.php?p=/profile/pilarmiddl
https://thesantafevip.com/forums/users/jaysonkulikowski/edit/?updated=true/users/jaysonkulikowski/
回复
wytqryd
2020-03-17 05:05
868988191 868970829
http://hydrocarbs-gh.org/?option=com_k2&view=itemlist&task=user&id=8406459
http://community.viajar.tur.br/index.php?p=/discussion/1862430/watch-%E1%90%89-otel-belgrad
http://zeahjp.com/bbs/994505
http://community.viajar.tur.br/index.php?p=/profile/lynwoodrat
https://youngstownangels.com/%d0%be%d1%82%d0%b5%d0%bb%d1%8c-%d0%b1%d0%b5%d0%bb%d0%b3%d1%80%d0%b0%d0%b4-32/
https://youngstownangels.com/%d1%84%d0%b8%d0%bb%d1%8c%d0%bc-%d0%be%d1%82%d0%b5%d0%bb%d1%8c-%d0%b1%d0%b5%d0%bb%d0%b3%d1%80%d0%b0%d0%b4-6/
http://community.viajar.tur.br/index.php?p=/profile/reaganasla
回复
xedqzbiyehvv
2020-03-08 13:25
Фильм http://fanseriales.ru/%d1%84%d0%b8%d0%bb%d1%8c%d0%bc-%d0%b4%d0%b6%d0%be%d0%ba%d0%b5%d1%80-2020-%d1%81%d0%bc%d0%be%d1%82%d1%80%d0%b5%d1%82%d1%8c-%d0%be%d0%bd%d0%bb%d0%b0%d0%b9%d0%bd-%d0%b2-hd-%d0%ba%d0%b0%d1%87%d0%b5-4/  смотреть онлайн
回复
lbodduhxfnht
2020-03-07 21:15
https://referencement.sur-google.com/viewtopic.php?id=747673
回复
ywzqimyuouqn
2020-03-07 20:00
https://referencement.sur-google.com/viewtopic.php?id=747673
回复
Miguelror
2020-02-28 09:33
Thanks, Loads of advice.
回复

发表评论:

Powered by emlog