Tzatz

Members, Posts: 23, Rank: Newbie, Location: Canada
  1. I believe they may have attempted to gain persistence but failed. I do have core isolation & Secure Boot enabled. A year ago someone managed to bypass both and install a fresh unloaded bootloader, which I found with GMER; just prior to rebooting, it detected a rootkit in the MBR. Upon reboot I was, for the first time, asked to insert a password to log in to Windows, even though I had enabled automatic logon. It was clearly trying to steal my password. After simply powering the computer off and rebooting, no password was requested, GMER was clean, and the threat was not persistent. I then found Cisco's MBR Filter and used this to prevent these types of attacks. I also modified its installer and renamed the DLL to make sure malware could only detect it by hash. Though they HAD bypassed core isolation & Secure Boot, and modified the MBR initially, they did not gain persistence, and still wanted my password for elevation. Far as I can tell.

     The only reason I ran GMER was because I had just enabled "DCOM" on my computer, and wondered if something may have been hiding there waiting to be initiated. My WMI repository was found to be inconsistent as well. The WS file had a unique hash never before detected by VT, suggesting this may have been a targeted attack. My Windows/Sysmon logs do not go back far enough for adequate forensics. I block PowerShell and WMI via firewall, so even if it ran it would not connect to the internet.

     I did recently have a legitimate Brave browser extension, "Video Speed Controller", hijacked/hollowed and replaced with what appeared to be adware, which redirected all search queries on Google to domains blocked by my hosts file. The problem went away after uninstalling and reinstalling the extension. I suspected 1. rogue elements within Google itself at fault, 2. Brave was exploited while browsing a malicious JavaScript, or 3. the code the extension injects into HTML5 to control video speeds may be vulnerable to exploitation.

     Another possibility: repacked software or ESET's classification, "potentially unsafe applications." It's been over two years since Kaspersky offline, ESET, Adaware, Malwarebytes, Zemana, or RogueKiller has detected ANY adware, spyware, or virus active and installed persistently on my computer. If I am not mistaken, it appears this Java malware uses wmic to query the computer about virtualization and security-related software, and PowerShell to download the payload. Can an inconsistent WMI repository suggest tampering by malware? The command "winmgmt /verifyrepository" checks for consistency, and my WMI is currently consistent.

     I installed custom Event Viewer WMI SubscriberMonitor notifications to log newly created WMI consumers and processes, and an attending custom script (attached) to automatically disable WMI and alert upon detection of WMI EventConsumer, EventFilter, FilterToConsumerBinding implants. It also checks the WMI repository for consistency, though in terms of its detection capability it looks somewhat primitive compared to your amazing little WMI script here. I also use exploit mitigations to block wmic.exe & WmiPrvSE.exe from invoking child processes or from accessing remote images, so methods such as "Invoke-WmiMethod -Class Win32_Process -Name Create -ArgumentList wscript.exe" are thwarted. Do you have any software for scanning for malicious certificates?

     Attachment: WMI_Monitor.zip
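An added example, not the poster's attached WMI_Monitor script: PowerShell that enumerates the permanent WMI event subscriptions the post names (EventFilter, EventConsumer, FilterToConsumerBinding), flags code-running consumers outside an allowlist, and runs the same "winmgmt /verifyrepository" check. It assumes Windows PowerShell 5.1 in an elevated session; the allowlist entry and the wording of winmgmt's output are assumptions.

```powershell
# Added example (not the poster's WMI_Monitor script). Assumes Windows PowerShell 5.1 on
# Windows 10 in an elevated session; root\subscription is not fully readable otherwise.
function Get-WmiPersistenceReport {
    param(
        # Bindings to suppress. "SCM Event Log Filter" ships with Windows; extend as needed.
        [string[]]$AllowedFilters = @('SCM Event Log Filter')
    )
    $ns = 'root\subscription'
    $consumers = @(Get-CimInstance -Namespace $ns -ClassName __EventConsumer)
    $bindings  = @(Get-CimInstance -Namespace $ns -ClassName __FilterToConsumerBinding)
    foreach ($b in $bindings) {
        # With the CIM cmdlets a REF property is returned as a CimInstance carrying its key (Name).
        $filterName   = $b.Filter.Name
        $consumerName = $b.Consumer.Name
        $consumer = $consumers | Where-Object { $_.Name -eq $consumerName } | Select-Object -First 1
        $class = if ($consumer) { $consumer.CimClass.CimClassName } else { 'unknown' }
        # The implant body lives in the consumer: script text for ActiveScript, a command line
        # for CommandLine. Other consumer types (event log, SMTP) cannot run code directly.
        $payload = switch ($class) {
            'ActiveScriptEventConsumer' { "$($consumer.ScriptText)$($consumer.ScriptFileName)" }
            'CommandLineEventConsumer'  { "$($consumer.CommandLineTemplate) $($consumer.ExecutablePath)".Trim() }
            default                     { '' }
        }
        $codeRunning = $class -in @('ActiveScriptEventConsumer', 'CommandLineEventConsumer')
        [pscustomobject]@{
            Filter        = $filterName
            Consumer      = $consumerName
            ConsumerClass = $class
            Payload       = $payload
            # A code-running consumer bound to a filter not on the allowlist is the alert condition.
            Suspicious    = $codeRunning -and ($AllowedFilters -notcontains $filterName)
        }
    }
}

function Test-WmiRepositoryConsistent {
    # The check the post runs by hand. Assumed wording: winmgmt prints "WMI repository is consistent"
    # on success; the exit code is checked as well so a localized message does not hide a failure.
    $out = (& "$env:windir\System32\wbem\winmgmt.exe" /verifyrepository 2>&1 | Out-String)
    return ($LASTEXITCODE -eq 0) -and ($out -match 'is consistent')
}

Get-WmiPersistenceReport | Format-Table -AutoSize
"WMI repository consistent: $(Test-WmiRepositoryConsistent)"
```

Rows with Suspicious set to True are the ones to investigate; the Payload column shows the script or command the consumer would run, which is what a WMI implant needs to hide.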
  2. Here is another analysis https://www.hybrid-analysis.com/sample/e0f8a75737f932454aa9a325d35a7abc837fd05c23b5a5d1360d6ba1a6fb6479/60fbc6767746783ee4496bf6
  3. Ok, got it working by simply pointing the batch to Windows 7's internal wscript.exe instead. Here are the results: https://analyze.intezer.com/analyses/6a7b919d-7f40-4019-9e6b-7f6bc7c5be89

     It connects to a command and control center at hxxp://api.backend-chat.com/connect, likely to grab a prepared payload of sorts, likely Mimikatz or Meterpreter, to further exploit the machine, perhaps based on the machine's characteristics. It may query the machine, possibly for anti-virtualization. The target URL has no malicious data associated with it, suggesting this could be a very targeted and/or fresh attack; the C&C is probably quite new. Here are a few things it does:

     • Command and Scripting Interpreter :: Unix Shell
     • Hide Artifacts :: NTFS File Attributes
     • Query Registry
     • System Information Discovery

     Here are the results; click TTPs, IOCs, and Behavior (references to certutil or "Ingress Tool Transfer" are just my addition in order to create a script that worked on these machines): https://analyze.intezer.com/analyses/6a7b919d-7f40-4019-9e6b-7f6bc7c5be89
  4. Yes, this particular drop was designed only to run on Windows 10...
  5. Perhaps it has something to do with the VMs all being Windows 7 machines; this ws.exe was created in 2019... From the Intezer analysis: https://analyze.intezer.com/analyses/2b18e032-87bc-4ec2-9f5f-c6561b505220
  6. As you can see, uploading the same payload file to the YOMI sandbox for analysis, it actually executed the code as it should have: https://yomi.yoroi.company/report/60fb8faf1cea016952883436/60fb903f5fc08ba98419ef33/behavior It does not report any internet connectivity, however.
  7. Hybrid Analysis is not accurately running the script I created, which is attached. I don't understand. It should also list underneath some variation of the following:

     START %TEMP%\ws.exe /E:jscript /b %TEMP%\ws EpmTG6iCDsBeVLWu8agXIy7=9PcM2ftkdFSj4KbhxQ1qrzAn+YoN/3UJR5wv0ZHOl

     This command seems to work on its own when I run it in Windows. I see ws.exe loaded with the command line above. CrowdStrike is ignoring this. I ran this script in Sandboxie and it stated that it attempted to connect to the internet; Hybrid Analysis does not want to execute the final command which initiates the payload. I had a DoS immediately after uploading it to H.A.; my internet went down shortly afterwards.

     VT analyzes the plain old original ws script, and is smart enough to automatically execute it with wscript.exe; however, there seems to be a key or a signature in the .lnk shortcut that is required for the JS to execute properly. I tried varying commands recommended on Stack Exchange but I did not see any output log or data. So I created my own batch script with the payload and ws.exe embedded within it; it drops them to the temp folder and then executes the original string in the .lnk:

     C:\Users\Ty\AppData\Roaming\WS\ws.exe /E:jscript /b C:\Users\Ty\AppData\Roaming\WS\ws EpmTG6iCDsBeVLWu8agXIy7=9PcM2ftkdFSj4KbhxQ1qrzAn+YoN/3UJR5wv0ZHOl

     My script uses:

     START %TEMP%\ws.exe /E:jscript /b %TEMP%\ws EpmTG6iCDsBeVLWu8agXIy7=9PcM2ftkdFSj4KbhxQ1qrzAn+YoN/3UJR5wv0ZHOl

     What works on my computer does not execute on Hybrid Analysis. Any idea how I can get Hybrid Analysis to actually execute this malware for analysis?

     Attachment: payload.zip
  8. Yes, quite clever; Kaspersky was the only AV software to accurately detect this. https://www.virustotal.com/gui/file/feeb34bc3dcd25baaa5c3d7c012e85411042802ab0ba44100a10731061bb701b/detection Oh, now since yesterday, two... Check Point's ZoneAlarm as well.
  9. Thanks, I added this to ESET HIPS. Nice, especially for forensics. I never saw this drop on my PC a week ago; it was just by chance I found it while browsing around, and most wevt logs were since truncated. Immediate detection will be useful for forensics and response, plus I will know if this was due to a downloaded file or a remote attacker. I noted that ws.exe is Microsoft's wscript; there is a payload in the first string of the ws file. It's relatively large, 14,780 characters, but obfuscated, so I can't tell what it is trying to execute. I suspect it does something like disabling Defender & installing a payload, or, if it is a state actor, hardware persistence. Given its persistence for the other user who deleted those files, I am leery of it infecting my firmware or PSP, so if I attempt experimenting by running this, I will turn off the internet first. I was pondering setting it up as an automated batch file and sending it to Hybrid Analysis.
  10. So Microsoft automatically detects if any code loading is compatible with certain mitigations? While I do not know about the rest, there are some things I would recommend, however, like not allowing child processes or remote images on wmic.exe and WmiPrvSE.exe.
  11. Looks like it never got anywhere. AppLocker event 8029, thankfully: "C:\Users\Ty\AppData\Roaming\WS\ws was prevented from running due to Config CI policy."
  12. This finding was reported just 7 days ago by one other user online, here: https://stackoverflow.com/questions/68384585/found-this-script-plus-the-exe-file-in-my-app-data-folder-i-wonder-what-does-th He suspects it is possibly a keylogger.

      .lnk file: C:\Users\Ty\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ws.lnk

      Shortcut points to script + ws.exe: C:\Users\Ty\AppData\Roaming\WS\ws.exe /E:jscript /b C:\Users\Ty\AppData\Roaming\WS\ws EpmTG6iCDsBeVLWu8agXIy7=9PcM2ftkdFSj4KbhxQ1qrzAn+YoN/3UJR5wv0ZHOl

      Can someone here determine or explain to me how I can determine the code that is being launched here?
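An added example, not from the thread: PowerShell that triages Startup-folder shortcuts of the kind described above. It reads each .lnk's target and arguments through the WScript.Shell COM object and flags a forced script engine (/E:jscript or /E:vbscript), a target under AppData, and a target whose hash matches the real wscript.exe or cscript.exe under another name (the post notes ws.exe is Microsoft's wscript). It assumes Windows PowerShell 5.1 and checks only the per-user and all-users Startup folders.

```powershell
# Added example, not from the thread. Assumes Windows PowerShell 5.1; reads shortcuts through the
# WScript.Shell COM object, which is present on every Windows 10 install.
function Get-StartupShortcutReport {
    $startupDirs = @(
        [Environment]::GetFolderPath('Startup'),        # per-user Startup folder (the one in the post)
        [Environment]::GetFolderPath('CommonStartup')   # all-users Startup folder
    )
    # Hashes of the genuine script hosts, so a renamed copy is recognised by content, not by file name.
    $hostHashes = @{}
    foreach ($h in 'wscript.exe', 'cscript.exe') {
        $p = Join-Path $env:windir "System32\$h"
        if (Test-Path $p) { $hostHashes[(Get-FileHash $p -Algorithm SHA256).Hash] = $h }
    }
    $shell = New-Object -ComObject WScript.Shell
    foreach ($dir in $startupDirs) {
        if (-not (Test-Path $dir)) { continue }
        foreach ($lnk in Get-ChildItem -Path $dir -Filter *.lnk -File) {
            $sc = $shell.CreateShortcut($lnk.FullName)
            $target   = $sc.TargetPath
            $argsText = $sc.Arguments
            $renamedHost = $null
            if ($target -and (Test-Path $target)) {
                $hash = (Get-FileHash $target -Algorithm SHA256).Hash
                if ($hostHashes.ContainsKey($hash)) { $renamedHost = $hostHashes[$hash] }
            }
            $reasons = @()
            # /E: forces an engine, which is how a script without a .js/.vbs extension gets run.
            if ($argsText -match '(?i)/E:(jscript|vbscript)') { $reasons += 'script engine forced via /E:' }
            if ($target -like "$env:APPDATA*" -or $target -like "$env:LOCALAPPDATA*") { $reasons += 'target under AppData' }
            if ($renamedHost -and ([IO.Path]::GetFileName($target) -ine $renamedHost)) { $reasons += "target is a renamed $renamedHost" }
            [pscustomobject]@{
                Shortcut   = $lnk.FullName
                Target     = $target
                Arguments  = $argsText
                Suspicious = ($reasons.Count -gt 0)
                Reasons    = ($reasons -join '; ')
            }
        }
    }
}

Get-StartupShortcutReport | Format-List
```

On the shortcut from the post all three reasons would fire at once; the Arguments field also gives you the path of the script file to pull for offline analysis.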
  13. Is this combination recommended only for command-line capable software (like PowerShell, WMIC, etc.)? Do you have a different recommendation for different software, or is this a universal recommendation?
  14. WOW. WOW WOW! Thank you for the tips! I wish this were more public information. I will keep this noted. One little mess-up and your whole security may be crippled. I just came across this also, so if there is a means to bypass CIG enforcement, such as CIGslip, this is where antivirus systems could be very useful: https://beta.darkreading.com/vulnerabilities-threats/cigslip-lets-attackers-bypass-microsoft-code-integrity-guard?web_view=true I have noticed previously that forcing ACG on programs caused issues, such as Firefox not loading, so perhaps it is enforced by default conditionally or for system files only.