CAB 0 Posted March 1, 2018 Share Posted March 1, 2018 I seem to be having the same issue as Marco2526 in this topic from last year: https://forum.eset.com/topic/13651-powershell-script-possible-malicious-attack/ I have a server that has a mysterious power-shell processes that reopens on a continuous basis. It seems to be generating malicious files that ESET file Security is thankfully cleaning. The powershell script generates files infected with Coinminer.cz, and other trojans. I believe the script is using WMI for persistence, as described by James R in the previous topic. I've run the WMILister_20.vbs script JamesR suggested in the previous topic. The results of the script are attached to this post. However, when I run the recommended powershell commands, they seem to have no effect in removing the issue. Do I need to modify the powershell scripts for this specific variant of WMI persistence? Please advise. Thanks, DumpedScrpts.txt Link to comment Share on other sites More sharing options...
Administrators Marcos 5,072 Posted March 1, 2018 Administrators Share Posted March 1, 2018 I would always start with providing logs collected by ELC. Please collect them and provide us with the generated archive. Link to comment Share on other sites More sharing options...
CAB 0 Posted March 1, 2018 Author Share Posted March 1, 2018 Hi Marcos, Please see attached for requested logs efsw_logs.zip Link to comment Share on other sites More sharing options...
ESET Staff JamesR 52 Posted March 1, 2018 ESET Staff Share Posted March 1, 2018 (edited) @CAB Please download and generate an ELC log from here: https://www.eset.com/int/support/log-collector/ Also, please try this newer version of the WMILister v3.0 on the server. Please supply any logs generated by this tool to me or Marcos so we can ensure we improve in product detection/cleaning. If any odd scripts are found, you will be prompted if you want to remove them. It is best to review the log which will be saved inside of a Log folder in the same folder the utility was run from. https://eset.sharefile.com/d-sb6232c1bc5240709 Run this command as admin: cscript //nologo WMILister_30.vbs If scripts are found, you will be prompted to remove them. The prompt will remove all scripts it finds if you tell it to. Here is an example output for no scripts found: Advanced use: This version 3.0 has command line switches. Use this command to see possible switches: cscript //nologo WMILister_30.vbs /? These are the possible commands to scan and clean remote machines (Port 135 inbound and port 445 outbound both need to be open on remote machine. Same open ports are seemingly used for malware to spread, so infected computers likely already have these ports open). Examples of switch usage are: Machine Name: cscript //nologo WMILister_30.vbs /s:MachineName IP Address: cscript //nologo WMILister_30.vbs /s:10.20.30.40 Force Cleaning with no prompt (use at own risk as this risks removal of non malicious WMI Scripts): cscript //nologo WMILister_30.vbs /f cscript //nologo WMILister_30.vbs /s:MachineName /f cscript //nologo WMILister_30.vbs /s:10.20.30.40 /f Edited March 1, 2018 by JamesR added example usage of switches Link to comment Share on other sites More sharing options...
Recommended Posts