分析平台再次升级

2017-3-31 Nie.Meining Life

其实中途已经更新过好几个版本了,只是人老了比较懒,一直没更新日志,猛然一看上一篇日志居然是两年前写的……

这期间其实发生了不少事,比如N个项目开发,比如发表论文和撰写专利,以及历尽千辛万苦累感不爱终于毕业了……

废话不多说,新版分析系统更新内容包括检测项目增加、检测能力加强、匹配规则优化等多个方面。

访问地址依旧http://tcasoft.com/,欢迎大家测试并提出宝贵意见!

--------------------------------------------------------------------------------------------------

另外分享一些比较有意思的恶意代码分析报告,有新有旧:

[java样本] 最近捕获到的java样本越来越多,这是一种新的趋势吗?

http://tcasoft.com/tcaCloudPlatform/report/toViewReport.action?rid=d97eded86dcd31b357e511b3df61029e

比较有意思的是,自己本来就是个java,还要再释放一个vbs,虽然vbs查询WMI的确挺方便:

1111.png


[js样本] 当然更大的趋势是各种脚本Downloader,也就是勒索软件……

http://tcasoft.com/tcaCloudPlatform/report/toViewReport.action?rid=6a71148619077ce9416659ee42b4db15

不过这类样本的存活周期往往比较短暂,为了触发js可能的后续行为我们实现了网络模拟:

2222.png

有兴趣的伙伴也可以下载pcap包进一步分析。


[BSOD样本] 对于某些加钩子的分析引擎可能会被一起弄崩溃吧。

http://tcasoft.com/tcaCloudPlatform/report/toViewReport.action?rid=39a76b8b933a0c0a87430625b08c0d1a

不过我们的分析方法在硬件层实现,对我们来讲蓝屏也是GuestOS的一种正常状态。

5555.png


[DLL样本] 这类样本比较少见,主要是因为不太容易触发行为。好在我们开发了专门的加载器。

http://tcasoft.com/tcaCloudPlatform/report/toViewReport.action?rid=576f6fb5d8ac9c44ac3abe6f8d696036

4444.png


[文档类样本] 这些东西是APT攻击的最爱。

http://tcasoft.com/tcaCloudPlatform/report/toViewReport.action?rid=1a007aa5721ab1743e266a503434bbb3

http://tcasoft.com/tcaCloudPlatform/report/toViewReport.action?rid=e74596cb5ba2b33a9d8193b9cc0d7354

http://tcasoft.com/tcaCloudPlatform/report/toViewReport.action?rid=0bbe58ed30fcd35be418739b1eca995f

http://tcasoft.com/tcaCloudPlatform/report/toViewReport.action?rid=9c5b73c10138f6967b5e6c608b9a8c4b
http://tcasoft.com/tcaCloudPlatform/report/toViewReport.action?rid=a728cf4da7bbdaee732fa9651c1dd0ad


有漏洞攻击的、有内嵌宏病毒的,还有需要用户交互才能触发的狡猾行为。比如第四个样本的触发秘密就隐藏在截图中 :

3333.png


[linux样本] linux系统越来越普及,样本也越来越多了。

http://tcasoft.com/tcaCloudPlatform/report/toViewReport.action?rid=ee5ff02b2417d9fb00eeea16180051f6

http://tcasoft.com/tcaCloudPlatform/report/toViewReport.action?rid=de841064a9215d27ffaf9b03b65ec4b7

比较有意思的是,第一个样本居然指定了DNS服务器来查询恶意域名,也算是对抗模拟网络的一种手段吧:

6666.png

第二个样本伪装成日志文件java.log(在类型伪装方面显然linux比windows更加方便),然后调用一些列系统命令完成恶意行为,最后覆盖netstat等常用命令实现传播和复制。

7777.png

windows样本喜欢使用API序列,但调用系统命令可能是linux样本实现目的的常见方式,显然我们的引擎还没做好准备,输出的参数还不够完整,近期需要加强了。

----------------------------------------------------------------------------

另外由于这次版本更新比较大,以前的一些历史报告可能就看不到了,请谅解……



« [分析引擎开发笔记]64位系统支持 | 分析平台升级»

评论:

Aarontic
2020-01-20 16:24
http://tadalafil000.com/ - buy tadalafil http://prednisolonegenericbuy.com/ - buy prednisolone http://tadalafilo0o.com/ - buy generic tadalafil http://prozac0i0.com/ - prozac http://allopurinold6j.com/ - generic allopurinol http://prednisoned6j.com/ - buy generic prednisone http://xenicalby6.com/ - xenical http://levitraf5h.com/ - buy levitra online
回复
Aarontic
2020-01-20 00:54
http://prednisolonea4.com/ - buy prednisolone online http://viagrag7.com/ - generic viagra http://albuterolly6.com/ - cheap albuterol http://cialis204.com/ - buy generic cialis http://prednisoned6j.com/ - generic prednisone http://vardenafilf5h.com/ - buy vardenafil http://cleocingel.us.com/ - cheap cleocin
回复
Aarontic
2020-01-18 20:33
http://viagrag7.com/ - buy viagra online http://cialis101.com/ - generic cialis
回复
Aarontic
2020-01-18 15:10
http://allopurinolf5h.com/ - buy allopurinol http://prozacby6.com/ - prozac generic http://metformind6j.com/ - metformin generic http://levitrad6j.com/ - cheap levitra http://sildenafilo0o.com/ - generic sildenafil
回复
Aarontic
2020-01-18 04:52
http://sildenafilf5h.com/ - buy generic sildenafil http://sildenafilo0o.com/ - buy generic sildenafil http://prednisoneby6.com/ - prednisone http://cephalexind6j.com/ - generic cephalexin http://cialisg7.com/ - cialis buy http://cialisb4.com/ - cialis generic http://sildenafil0i0.com/ - sildenafil online http://sildenafilb4.com/ - generic sildenafil
回复
Aarontic
2020-01-18 02:37
http://cialis204.com/ - generic cialis http://tetracyclinea4.com/ - tetracycline buy http://prednisonef5h.com/ - prednisone online http://vardenafilf5h.com/ - vardenafil buy http://levitra0i0.com/ - buy levitra online
回复
Aarontic
2020-01-18 01:40
http://retinad6j.com/ - retin-a buy http://prednisoneby6.com/ - prednisone generic http://lasix0i0.com/ - lasix online http://lasixa4.com/ - buy lasix online
回复
Aarontic
2020-01-17 20:05
http://viagrad7l.com/ - viagra
回复
Aarontic
2020-01-17 19:09
http://baclofen0i0.com/ - buy baclofen online http://cialis00.com/ - buy cialis online http://viagrao0o.com/ - viagra buy http://levitraa4.com/ - generic levitra http://lasixa4.com/ - lasix http://zithromaxd6j.com/ - buy zithromax http://albuterol1s1.com/ - buy generic albuterol http://prednisolonef5h.com/ - buy prednisolone
回复
jymourgek
2020-01-17 02:52
https://loanpaydaythz.com/ poor credit loans
回复
Aarontic
2020-01-17 01:05
http://cafergot0i0.com/ - buy cafergot online http://tadalafil204.com/ - buy tadalafil http://sildenafilg8.com/ - sildenafil buy http://retina0i0.com/ - buy generic retin-a
回复
Aarontic
2020-01-14 15:15
http://albuterold7l.com/ - albuterol generic http://tadalafilg7.com/ - buy tadalafil http://propecia1s1.com/ - propecia online http://cialisby6.com/ - cialis buy http://prozac1s1.com/ - prozac http://tetracyclined6j.com/ - buy tetracycline http://robaxin.us.org/ - robaxin http://ventolin0i0.com/ - buy ventolin
回复
Aarontic
2020-01-14 05:33
http://propeciaby6.com/ - buy propecia http://prednisoned6j.com/ - buy prednisone http://metformin0i0.com/ - buy metformin
回复
Aarontic
2020-01-14 04:26
http://robaxin.us.org/ - buy robaxin http://xenicald6j.com/ - buy generic xenical http://viagraf5h.com/ - viagra http://prozaca4.com/ - generic prozac http://propeciaf5h.com/ - generic propecia
回复
Aarontic
2020-01-13 22:42
http://zithromax0i0.com/ - generic zithromax http://tadalafilg8.com/ - tadalafil online http://sildenafil111.com/ - cheap sildenafil http://tadalafilb4.com/ - generic tadalafil http://tadalafilf5h.com/ - tadalafil generic http://wellbutrind6j.com/ - buy wellbutrin
回复

发表评论:

Powered by emlog