{"id":2646,"date":"2023-05-12T17:09:25","date_gmt":"2023-05-12T09:09:25","guid":{"rendered":"https:\/\/blog.billows.com.tw\/?p=2646"},"modified":"2023-05-12T18:36:44","modified_gmt":"2023-05-12T10:36:44","slug":"%e8%aa%8d%e8%ad%98akira%e4%b8%80%e7%a8%ae%e6%ad%a3%e5%9c%a8%e8%bf%85%e9%80%9f%e6%93%b4%e5%a4%a7%e5%85%b6%e5%8f%97%e5%ae%b3%e8%80%85%e5%90%8d%e5%96%ae%e6%96%b0%e5%9e%8b%e7%9a%84%e5%8b%92%e7%b4%a2","status":"publish","type":"post","link":"https:\/\/blog.billows.com.tw\/?p=2646","title":{"rendered":"\u8a8d\u8b58Akira:\u4e00\u7a2e\u6b63\u5728\u8fc5\u901f\u64f4\u5927\u5176\u53d7\u5bb3\u8005\u540d\u55ae\u7684\u65b0\u578b\u52d2\u7d22\u8edf\u9ad4!"},"content":{"rendered":"\n

Key points:<\/p>\n\n\n\n

>\u4eca\u5e743\u6708\u624d\u51fa\u73fe\u7684\u5df2\u5c0d16\u5bb6\u7d44\u7e54\u767c\u52d5\u653b\u64ca\uff0c\u52d2\u7d22\u91d1\u984d\u753120\u842c\u5230100\u842c\u7f8e\u5143\u4e0d\u7b49\u3002<\/p>\n\n\n\n

>\u53d7\u5bb3\u516c\u53f8\u5206\u4f48\u5728\u5404\u500b\u884c\u696d\uff0c\u5305\u62ec\u6559\u80b2\u3001\u91d1\u878d\u3001\u623f\u5730\u7522\u3001\u88fd\u9020\u548c\u8aee\u8a62\u3002<\/p>\n\n\n\n

\"\"
Akira \u52d2\u7d22\u8edf\u9ad4\u63ed\u79d8\u7db2\u7ad9<\/figcaption><\/figure>\n\n\n\n

Akira\u52d2\u7d22\u8edf\u9ad4\u65bc2023\u5e743\u6708\u624d\u6d6e\u51fa\u6c34\u9762\uff0c\u6839\u64da\u8cc7\u5b89\u5718\u968a MalwareHunterTeam<\/a>\u767c\u73fe\u4e86 Akira \u52d2\u7d22\u8edf\u9ad4\u6a23\u672c \uff0c\u4ed6\u5011\u8207 BleepingComputer <\/a>\u5171\u4eab\u4e86\u540c\u4e00\u6a23\u672c\uff0c\u4ee5\u4fbf\u5c0d\u5176\u9032\u884c\u5206\u6790\u3002\u6839\u64da\u5206\u6790\u7d50\u679c\uff0c\u5728\u57f7\u884c\u6642\uff0cAkira \u901a\u904e\u904b\u884c\u4ee5\u4e0b PowerShell \u547d\u4ee4\u522a\u9664\u8a2d\u5099\u4e0a\u7684 Windows \u5377\u5f71\u5099\u4efd\uff1a<\/p>\n\n\n\n

powershell.exe -Command “Get-WmiObject Win32_Shadowcopy | Remove-WmiObject”<\/p>\n\n\n\n

\u7136\u5f8c\uff0c\u52d2\u7d22\u8edf\u9ad4\u5c07\u7e7c\u7e8c\u52a0\u5bc6\u5305\u542b\u4ee5\u4e0b\u6a94\u6848\u526f\u6a94\u540d\u7684\u6a94\u6848\uff1a<\/p>\n\n\n\n

.accdb, .accde, .accdc, .accdt, .accdr, .adb, .accft, .adf, .ade, .arc, .adp, .alf, .ora, .btr, .ask, .cat, .bdf, .ckp, .cdb, .cpd, .cma, .dad, .dacpac, .daschema, .dadiagrams, .db-shm, .db-wal, .dbf, .dbc, .dbt, .dbs, .dbx, .dbv, .dct, .dcb, .ddl, .dcx, .dlis, .dsk, .dqy, .dtsx, .dsn, .eco, .dxl, .edb, .ecx, .exb, .epim, .fdb, .fcd, .fmp, .fic, .fmpsl, .fmp12, .fol, .fpt, .gdb, .frm, .gwi,<\/p>\n\n\n\n

.grdb, .his, .hdb, .idb, .itdb, .ihx, .jet, .itw, .kdb, .jtx, .kexic, .kexi, .lgc, .kexis, .maf, .lwx, .mar, .maq, .mav, .mas, .mdf, .mdb, .mrg, .mpd, .mwb, .mud, .ndf, .myd, .nrmlib, .nnt, .nsf, .nyf,<\/p>\n\n\n\n

.nwdb, .oqy, .odb, .owc, .orx, .pdb, .pan, .pnz, .pdm, .qvd, .qry, .rctd, .rbf, .rodx, .rod, .rsd, .rpd, .sbf, .sas7bdat, .sdb, .scx, .sdf, .sdc, .spq, .sis, .sqlite, .sql, .sqlitedb, .sqlite3, .temx, .tps,<\/p>\n\n\n\n

.tmd, .trm, .trc, .udl, .udb, .usr, .vpd, .vis, .wdb, .vvv, .wrk, .wmdb, .xld, .xdb, .abcddb, .xmlff, .abx, .abs, .adn, .accdw, .icg, .hjt, .kdb, .icr, .maw, .lut, .mdt, .mdn, .vhd, .vdi, .pvm, .vmdk,<\/p>\n\n\n\n

.vmsn, .vmem, .nvram, .vmsd, .raw, .vmx, .subvol, .qcow2, .vsv, .bin, .vmrs, .avhd, .avdx, .vhdx, .iso, .vmcx<\/p>\n\n\n\n

\u52a0\u5bc6\u6642\uff0c\u8df3\u904e\u5728\u8cc7\u6e90\u56de\u6536\u6876\u3001\u7cfb\u7d71\u5377\u5f71\u8cc7\u6599\u3001Boot\u3001ProgramData \u548c Windows \u6a94\u6848\u593e\u4e2d\u627e\u5230\u7684\u6a94\u6848\uff0c\u5b83\u9084\u907f\u514d\u4f7f\u7528 .exe\u3001.lnk\u3001.dll\u3001.msi \u548c .sys \u6a94\u6848\u526f\u6a94\u540d\u52a0\u5bc6 Windows \u7cfb\u7d71\u6a94\u6848\u3002<\/p>\n\n\n\n

\u52a0\u5bc6\u6a94\u6848\u6642\uff0c\u52d2\u7d22\u8edf\u9ad4\u6703\u52a0\u5bc6\u6a94\u6848\u4e26\u9644\u52a0 .akira \u526f\u6a94\u540d\uff0c\u8a72\u526f\u6a94\u540d\u5c07\u9644\u52a0\u5230\u6a94\u6848\u540d\u4e2d\u3002<\/p>\n\n\n\n

\u4f8b\u5982\uff0c\u540d\u70ba 1.doc \u7684\u526f\u6a94\u540d\u5c07\u88ab\u52a0\u5bc6\u4e26\u91cd\u547d\u540d\u70ba 1.doc.akira\uff0c\u5982\u4e0b\u9762\u7684\u52a0\u5bc6\u526f\u6a94\u540d\u593e\u6240\u793a:<\/p>\n\n\n\n

\"\"
Photo Credit: BleepingComputer<\/figcaption><\/figure>\n\n\n\n

Akira\u9084\u4f7f\u7528 Windows Restart Manager API \u4f86\u95dc\u9589\u9032\u7a0b\u6216\u95dc\u9589\u53ef\u80fd\u4f7f\u6a94\u6848\u4fdd\u6301\u6253\u958b\u72c0\u614b\u4e26\u963b\u6b62\u52a0\u5bc6\u7684 Windows \u670d\u52d9\u3002<\/p>\n\n\n\n

\u6bcf\u500b\u96fb\u8166\u6a94\u6848\u593e\u90fd\u5c07\u5305\u542b\u4e00\u500b\u540d\u70baakira_readme.txt \u7684\u52d2\u7d22\u4fe1\uff0c\u5176\u4e2d\u5305\u542b\u6709\u95dc\u53d7\u5bb3\u8005\u6a94\u6848\u6240\u767c\u751f\u60c5\u6cc1\u7684\u8cc7\u6599\u4ee5\u53ca\u6307\u5411 Akira \u63ed\u79d8\u7db2\u7ad9\u548c\u8ac7\u5224\u7db2\u7ad9\u7684\u9023\u7d50\u3002<\/p>\n\n\n\n

\"\"<\/figure>\n\n\n\n

\u6bcf\u500b\u53d7\u5bb3\u8005\u90fd\u6709\u4e00\u500b\u552f\u4e00\u7684\u5354\u5546\u5bc6\u78bc\uff0c\u4ee5\u9023\u7d50\u8ac7\u5224\u7db2\u7ad9\uff0c\u53d7\u5bb3\u8005\u53ef\u4ee5\u4f7f\u7528\u804a\u5929\u7cfb\u7d71\u8207Akira\u9032\u884c\u8ac7\u5224\u3002\u4ee5\u76ee\u524d\u7684\u4e86\u89e3\uff0c\u5982\u679c\u53d7\u5bb3\u8005\u4e0d\u9700\u8981\u89e3\u5bc6\u5de5\u5177\uff0c\u53ea\u8981\u9632\u6b62\u654f\u611f\u8cc7\u6599\u5916\u6d29\u7684\u8a71\uff0cAkira\u662f\u4e00\u500b\u9858\u610f\u964d\u4f4e\u8d16\u91d1\u50f9\u683c\u7684\u52d2\u7d22\u8edf\u9ad4\u7d44\u7e54\u3002<\/p>\n\n\n\n

Akira\u52d2\u7d22\u8edf\u9ad4\u7684\u90e8\u5206\u5165\u4fb5\u6307\u6a19(Indicator of compromise -IOCs):<\/p>\n\n\n\n

3c92bfc71004340ebc00146ced294bc94f49f6a5e212016ac05e7d10fcb3312c<\/p>\n","protected":false},"excerpt":{"rendered":"

Key points: >\u4eca\u5e743\u6708\u624d\u51fa\u73fe\u7684\u5df2\u5c0d16\u5bb6\u7d44\u7e54\u767c\u52d5\u653b\u64ca\uff0c\u52d2\u7d22\u91d1\u984d\u753120\u842c\u5230100\u842c\u7f8e\u5143\u4e0d\u7b49\u3002 &gt READ MORE<\/a><\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[6],"tags":[],"class_list":["post-2646","post","type-post","status-publish","format-standard","hentry","category-6"],"aioseo_notices":[],"_links":{"self":[{"href":"https:\/\/blog.billows.com.tw\/index.php?rest_route=\/wp\/v2\/posts\/2646","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/blog.billows.com.tw\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/blog.billows.com.tw\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/blog.billows.com.tw\/index.php?rest_route=\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/blog.billows.com.tw\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=2646"}],"version-history":[{"count":5,"href":"https:\/\/blog.billows.com.tw\/index.php?rest_route=\/wp\/v2\/posts\/2646\/revisions"}],"predecessor-version":[{"id":2657,"href":"https:\/\/blog.billows.com.tw\/index.php?rest_route=\/wp\/v2\/posts\/2646\/revisions\/2657"}],"wp:attachment":[{"href":"https:\/\/blog.billows.com.tw\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=2646"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/blog.billows.com.tw\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=2646"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/blog.billows.com.tw\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=2646"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}