sypticle, posted November 11, 2018

Recently I downloaded a RAT and the person started deleting things and downloading stuff, not too sure why, but the person started to install AVAST Security on my PC? (maybe to override ESET so the RAT wouldn't get detected?) I think I did a pretty good job getting rid of the RAT? But you can never be too sure, so I installed Process Explorer (alternative Task Manager) and then I checked everything with Virustotal.com. About 6 of the programs have like 1-3/60 detected, but SearchService.exe has 30/68 (I have never seen SearchService.exe before, until recently). It's located in "C:\Windows" and is 198KB in size. There isn't much info on it and I'm not quite sure what to do. Here is the Virustotal link: https://www.virustotal.com/#/file/c1ac18c9c98e3fffc50553950c154601032048b4e007ef502bc9362f1acec90f/detection It's also not verified by Microsoft.
Marcos (Administrator), posted November 11, 2018

The file 490ff13c6e237ad51382426f9ef48ac44e2df540 is not malware. We won't add detection.
sypticle (author), posted November 11, 2018

Quote from Marcos, 11 minutes ago:
The file 490ff13c6e237ad51382426f9ef48ac44e2df540 is not malware. We won't add detection.

Ok, thank you.
itman, posted November 11, 2018

I am not so sure that the search service.exe is a benign process. Here is a write-up on the legit version: https://www.file.net/process/searchservice.exe.html . The important point to note is the legit version is named searchservice.exe. Note there is no space between "search" and "service" in the process name. If the process running doesn't point back to this directory, C:\Program Files\Ticno\, I would be doubly suspicious.
sypticle (author), posted November 12, 2018 (edited)

Quote from itman, 11 hours ago:
I am not so sure that the search service.exe is a benign process. Here is a write-up on the legit version: https://www.file.net/process/searchservice.exe.html . The important point to note is the legit version is named searchservice.exe. Note there is no space between "search" and "service" in the process name. If the process running doesn't point back to this directory, C:\Program Files\Ticno\, I would be doubly suspicious.

Do you know if it's supposed to open on startup?

Edit: I just checked and my version of searchservice.exe has a space..

Edited November 12, 2018 by sypticle
itman, posted November 12, 2018

Quote from sypticle, 11 hours ago:
Do you know if it's supposed to open on startup? Edit: I just checked and my version of searchservice.exe has a space..

What I do know is this. Many of the detections for it on VT were for Gen:Variant.Mikey.24795. Gen:Variant.Mikey is a generic detection for adware/browser hijacker/etc. Malwaretips.com has a few cleaning guides for earlier versions of it. Here's one: https://malwaretips.com/blogs/gen-variant-adware-mikey-10000-removal/ . Since AdwCleaner was recommended for removal of it, I would give it a shot at getting rid of this variant. You can download it here: https://www.bleepingcomputer.com/download/adwcleaner/ . What I will say about Search Service.exe is that it is located in the Windows directory. As far as I am aware, this is not a Windows system process or utility and has no business being in that directory. Additionally, the fact that it is located in a Windows directory significantly ups the probability that the process is dangerous.
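The checks itman describes in the two posts above (no space in the legitimate name, the expected directory under C:\Program Files\Ticno\, nothing of this kind belonging directly in C:\Windows) can be run in one go from PowerShell. The following is an added example, not code posted in this thread; the SHA256 is the one in sypticle's VirusTotal link, the SHA1 the one Marcos quoted, and the "legitimate" directory is taken from the file.net write-up itman linked, so treat that path as an assumption if your own copy lives elsewhere.

```powershell
# Added example, not code from this thread. Triage for a "Search Service.exe" finding:
# name, on-disk location, Authenticode signature and hashes. The two hashes are the
# ones quoted in the thread (SHA256 from the VirusTotal link, SHA1 from Marcos' reply);
# the legitimate location comes from the file.net write-up itman linked (assumption).
$KnownSha256 = 'C1AC18C9C98E3FFFC50553950C154601032048B4E007EF502BC9362F1ACEC90F'
$KnownSha1   = '490FF13C6E237AD51382426F9EF48AC44E2DF540'
$LegitDir    = 'C:\Program Files\Ticno'

function Get-SearchServiceCandidate {
    # Running processes: Get-Process strips ".exe", so match "searchservice" / "search service".
    $fromProc = Get-Process -ErrorAction SilentlyContinue |
        Where-Object { $_.Name -match '^search ?service$' -and $_.Path } |
        ForEach-Object { $_.Path }
    # Files on disk in the two directories the thread talks about (not running is still a finding).
    $fromDisk = Get-ChildItem -Path $env:windir, $LegitDir -Filter '*service.exe' -File -ErrorAction SilentlyContinue |
        Where-Object { $_.Name -match '^search ?service\.exe$' } |
        ForEach-Object { $_.FullName }
    @($fromProc) + @($fromDisk) | Sort-Object -Unique
}

function Test-SearchServiceFile {
    param([Parameter(Mandatory)][string]$Path)
    $sig     = Get-AuthenticodeSignature -FilePath $Path
    $sha256  = (Get-FileHash -LiteralPath $Path -Algorithm SHA256).Hash
    $sha1    = (Get-FileHash -LiteralPath $Path -Algorithm SHA1).Hash
    $name    = Split-Path -Path $Path -Leaf
    $dir     = Split-Path -Path $Path -Parent
    $signer  = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '(unsigned)' }
    $reasons = @()
    if ($name -match '\s')          { $reasons += 'space in file name (the legitimate binary has none)' }
    if ($dir -ieq $env:windir)      { $reasons += 'sits directly in the Windows directory' }
    if ($dir -notlike "$LegitDir*") { $reasons += "not under $LegitDir" }
    if ($sig.Status -ne 'Valid')    { $reasons += "signature status: $($sig.Status)" }
    if ($sha256 -eq $KnownSha256 -or $sha1 -eq $KnownSha1) { $reasons += 'hash matches the sample from this thread' }
    [pscustomobject]@{
        Path       = $Path
        SizeKB     = [math]::Round((Get-Item -LiteralPath $Path).Length / 1KB)
        Signer     = $signer
        SHA256     = $sha256
        Suspicious = ($reasons.Count -gt 0)
        Reasons    = ($reasons -join '; ')
    }
}

# Usage: list every candidate with the reasons it looks wrong (empty Reasons = nothing flagged).
Get-SearchServiceCandidate | ForEach-Object { Test-SearchServiceFile -Path $_ } | Format-List
```

Run it from an elevated prompt so that the Path property of every process is readable; a "Valid" signature status alone does not clear a file, but a space in the name, a home directly in C:\Windows and an empty signer together are the pattern this thread is about.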
itman, posted November 12, 2018 (edited)

Another suggestion is to submit Search Service.exe for a scan on the Hybrid Analysis web site here: https://www.hybrid-analysis.com/ . As best as I can determine, the file hash you submitted to Virus Total has not been previously scanned at Hybrid Analysis. If you do this, copy the link for the scan and post it. I will take a look at the sandbox analysis performed.

Edited November 12, 2018 by itman
sypticle (author), posted November 12, 2018

Quote from itman, 5 hours ago:
What I do know is this. Many of the detections for it on VT were for Gen:Variant.Mikey.24795. Gen:Variant.Mikey is a generic detection for adware/browser hijacker/etc. Malwaretips.com has a few cleaning guides for earlier versions of it. Here's one: https://malwaretips.com/blogs/gen-variant-adware-mikey-10000-removal/ . Since AdwCleaner was recommended for removal of it, I would give it a shot at getting rid of this variant. You can download it here: https://www.bleepingcomputer.com/download/adwcleaner/ . What I will say about Search Service.exe is that it is located in the Windows directory. As far as I am aware, this is not a Windows system process or utility and has no business being in that directory. Additionally, the fact that it is located in a Windows directory significantly ups the probability that the process is dangerous.

So I ran AdwCleaner and Searchservice no longer opens on startup like before. And here is the link for the analysis: https://www.hybrid-analysis.com/sample/c1ac18c9c98e3fffc50553950c154601032048b4e007ef502bc9362f1acec90f/5be9cbea7ca3e132553fd388
itman, posted November 12, 2018

Quote from sypticle, 8 minutes ago:
Here is the link for the analysis: https://www.hybrid-analysis.com/sample/c1ac18c9c98e3fffc50553950c154601032048b4e007ef502bc9362f1acec90f/5be9cbea7ca3e132553fd388

With a behavior analysis score of 89/100, which is one point below the high confidence level, I would say this bugger is malicious. Especially so using the MITRE indicators noted. Did AdwCleaner get rid of the Search Service.exe in the C:\Windows directory?
sypticle (author), posted November 12, 2018

Quote from itman, just now:
With a behavior analysis score of 89/100, which is one point below the high confidence level, I would say this bugger is malicious. Especially so using the MITRE indicators noted. Did AdwCleaner get rid of the Search Service.exe in the C:\Windows directory?

No, all it did was get rid of the startup. So I'm guessing it's okay to delete?
itman, posted November 12, 2018

Quote from sypticle, just now:
So I'm guessing it's okay to delete?

Yes. But I would zip it up in a folder in your download directory, etc., in the very remote chance its removal borks something in the near future. After a while with no issue related to its removal surfacing, you can then delete the folder.
sypticle (author), posted November 12, 2018

Quote from itman, 1 minute ago:
Yes. But I would zip it up in a folder in your download directory, etc., in the very remote chance its removal borks something in the near future. After a while with no issue related to its removal surfacing, you can then delete the folder.

Okay, thank you very much, and thanks for the very fast replies!
itman, posted November 12, 2018

One other thing. Malware should not be able to write to the C:\Windows directory w/o full admin privileges, as shown in the screenshot below; at least for Win 10. So that is something you should check out.
sypticle (author), posted November 12, 2018

Quote from itman, just now:
One other thing. Malware should not be able to write to the C:\Windows directory w/o full admin privileges, as shown in the screenshot below; at least for Win 10. So that is something you should check out.

Okay, so when I downloaded the RAT, the person disabled my "Administrator Permissions". I'm not really sure how, but I have it enabled now though. He also kept opening up CMD and folders, so I kept pressing Alt + F4 so he couldn't do anything. I believe he tried deleting ESET; thank god you can't delete it so easily. After that I restarted my computer, and it had an update. I'm not sure if the update was caused by the RAT or was just a legit update. (It was a pretty small update.)
itman, posted November 12, 2018

Quote from sypticle, 2 minutes ago:
Okay, so when I downloaded the RAT, the person disabled my "Administrator Permissions". I'm not really sure how.

In all likelihood, the perpetrator ran one of the Win utility processes that are increasingly being abused. A number of those can be run hidden and silently elevate to admin level. Tip - if you run as a limited admin and don't have UAC set to the maximum level, you need to do so. Most of these bypasses can be detected when UAC is set to max. Yes, you will receive additional UAC alerts, but the increased security factor is worth the minor annoyance.
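The "maximum level" itman refers to is the top position of the UAC slider ("Always notify"), which lives in three registry values under the Policies\System key. The PowerShell below is an added example, not something posted in the thread; the key path and value names are the standard Windows ones, and the function names are mine.

```powershell
# Added example, not code from this thread. Reads the registry values behind the UAC
# slider and reports whether it is at the top ("Always notify") position.
# ConsentPromptBehaviorAdmin: 2 = always notify, 5 = Windows default (notify only when
# apps try to change the PC), 0 = never notify. PromptOnSecureDesktop: 1 = the prompt is
# shown on the secure desktop so other processes cannot click through it.
$UacKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'

function Get-UacLevel {
    $p = Get-ItemProperty -Path $UacKey
    $alwaysNotify = ($p.EnableLUA -eq 1) -and
                    ($p.ConsentPromptBehaviorAdmin -eq 2) -and
                    ($p.PromptOnSecureDesktop -eq 1)
    [pscustomobject]@{
        EnableLUA                  = $p.EnableLUA                   # 1 = UAC switched on
        ConsentPromptBehaviorAdmin = $p.ConsentPromptBehaviorAdmin  # 2 = prompt on every elevation
        PromptOnSecureDesktop      = $p.PromptOnSecureDesktop       # 1 = prompt on the secure desktop
        AlwaysNotify               = $alwaysNotify
    }
}

function Set-UacAlwaysNotify {
    # Needs an elevated prompt; sign out or reboot before the new level takes effect.
    Set-ItemProperty -Path $UacKey -Name EnableLUA                  -Value 1 -Type DWord
    Set-ItemProperty -Path $UacKey -Name ConsentPromptBehaviorAdmin -Value 2 -Type DWord
    Set-ItemProperty -Path $UacKey -Name PromptOnSecureDesktop      -Value 1 -Type DWord
}

# Usage: show the current level and warn if it is below "Always notify".
$uac = Get-UacLevel
$uac
if (-not $uac.AlwaysNotify) {
    Write-Warning 'UAC is below "Always notify"; run Set-UacAlwaysNotify from an elevated prompt.'
}
```

The reason the top position matters for the bypasses itman mentions is that at "Always notify" Windows no longer auto-elevates its own signed utilities silently; every elevation, including one triggered through such a utility, produces a prompt on the secure desktop, which is exactly the alert a limited admin wants to see.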
sypticle (author), posted November 12, 2018 (edited)

Quote from itman, 15 minutes ago:
In all likelihood, the perpetrator ran one of the Win utility processes that are increasingly being abused. A number of those can be run hidden and silently elevate to admin level. Tip - if you run as a limited admin and don't have UAC set to the maximum level, you need to do so. Most of these bypasses can be detected when UAC is set to max. Yes, you will receive additional UAC alerts, but the increased security factor is worth the minor annoyance.

I have 1 more question: so if I use Wireshark and put the filter as "dns", would I be able to get the person's IP and block it in the firewall? Also, I will set UAC to max.

Edited November 12, 2018 by sypticle
itman, posted November 12, 2018 (edited)

Quote from sypticle, 26 minutes ago:
I have 1 more question: so if I use Wireshark and put the filter as "dns", would I be able to get the person's IP and block it in the firewall?

Per the Hybrid-Analysis, this isn't necessary:

Quote:
Network Analysis
This report was generated with enabled TOR analysis
DNS Requests: No relevant DNS requests were made.
Contacted Hosts: No relevant hosts were contacted.
HTTP Traffic: No relevant HTTP requests were made.

Edited November 12, 2018 by itman
sypticle (author), posted November 12, 2018

Quote from itman, 3 minutes ago:
Per the Hybrid-Analysis, this isn't necessary:

Okay, thank you.
galaxy, posted November 13, 2018

It's a pity that ESET staff don't add such an evil file as recognition. Scares me a lot.
Marcos (Administrator), posted November 13, 2018

@sypticle The file itself is not malicious but suspicious, which is not enough for a detection to be added. Please search for Serv.dll and submit it in an archive protected with the password "infected" and with a link to this topic included to samples[at]eset.com. Let me know when done.
itman, posted November 13, 2018

There are at least 42 variants of Gen:Variant.Mikey.24795 going back to 2015: https://totalhash.cymru.com/search/?av:Gen*Variant.Mikey.24795 . Average VT AV vendor detection is around 50% for these. Below are some of the variants that Eset detected in the past. I did not check all of the 42 variants for Eset detection:
https://totalhash.cymru.com/analysis/?5485d4ada205b0feddf559da044d41f048dbe177
https://totalhash.cymru.com/analysis/?6c63f84bb0363fa01a70d580b8c122e743eaa36d
https://totalhash.cymru.com/analysis/?3371cb7e337bf3da285e851026dbcd37f7382913
itman, posted November 13, 2018

One final comment about this Search Service.exe sample that most might not have noticed. CrowdStrike Falcon at VT detected it as 100% malicious. Assumed is that the Falcon sandbox is not deployed at VT and only machine learning heuristics were deployed. However, the analysis at Hybrid-Analysis does deploy the Falcon sandbox, allowing for a more thorough process analysis. That analysis yielded an 89% malicious confidence rating. Now let's factor in the other known variables involved. This does not imply that there are other unknown ones involved:
1. An unknown and unsigned process created in a Windows directory.
2. A Windows autorun mechanism created to run the process at system startup time.
I really believe that, at a minimum, Eset should have thrown a suspicious alert on this one.
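The two indicators itman lists (an unsigned file created directly in the Windows directory, plus an autorun entry pointing at it) and his earlier remark that writing to C:\Windows should require admin rights can be turned into a repeatable check. The PowerShell below is an added example, not code from this thread or from ESET; it covers only the Run/RunOnce keys and the Startup folders, the function names are mine, and the list of identities expected to hold write access on C:\Windows is an assumption you should compare against a known-clean machine of the same build.

```powershell
# Added example, not code from this thread. Enumerates common autorun locations, flags
# targets that are unsigned or sit directly in the Windows directory, and lists which
# identities are allowed to write to that directory.
function Get-AutorunTarget {
    $runKeys = @(
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
        'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run',
        'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
        'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce'
    )
    foreach ($key in $runKeys) {
        if (-not (Test-Path -Path $key)) { continue }
        $props = Get-ItemProperty -Path $key
        foreach ($prop in $props.PSObject.Properties) {
            if ($prop.Name -match '^PS') { continue }          # skip PSPath, PSProvider, ...
            $cmd = [string]$prop.Value
            # First token of the command line, quoted or not, with %VARS% expanded.
            $exe = if ($cmd -match '^\s*"([^"]+)"') { $Matches[1] } else { ($cmd -split '\s+')[0] }
            [pscustomobject]@{
                Source = "$key\$($prop.Name)"
                Target = [Environment]::ExpandEnvironmentVariables($exe)
            }
        }
    }
    # Startup folders: resolve .lnk shortcuts to the file they actually launch.
    $shell = New-Object -ComObject WScript.Shell
    foreach ($folder in @([Environment]::GetFolderPath('Startup'), [Environment]::GetFolderPath('CommonStartup'))) {
        Get-ChildItem -Path $folder -File -ErrorAction SilentlyContinue | ForEach-Object {
            $target = if ($_.Extension -ieq '.lnk') { $shell.CreateShortcut($_.FullName).TargetPath } else { $_.FullName }
            [pscustomobject]@{ Source = $_.FullName; Target = $target }
        }
    }
}

function Test-AutorunTarget {
    Get-AutorunTarget | ForEach-Object {
        $t = $_.Target
        if (-not $t -or -not (Test-Path -LiteralPath $t -PathType Leaf)) {
            return [pscustomobject]@{ Source = $_.Source; Target = $t; Signature = 'n/a'; Flags = 'target not found' }
        }
        $sig   = Get-AuthenticodeSignature -FilePath $t
        $flags = @()
        # Windows' own binaries are catalog-signed and report Valid; an unsigned file here is the exception.
        if ((Split-Path -Path $t -Parent) -ieq $env:windir) { $flags += 'directly in Windows directory' }
        if ($sig.Status -ne 'Valid')                         { $flags += "signature $($sig.Status)" }
        [pscustomobject]@{ Source = $_.Source; Target = $t; Signature = $sig.Status; Flags = ($flags -join '; ') }
    }
}

function Get-WindowsDirWriter {
    # Allow ACEs on $env:windir that grant write/modify rights. The expected set below is an
    # assumption for a stock Windows 10 install; anything outside it deserves a look.
    $expected = @('NT SERVICE\TrustedInstaller', 'NT AUTHORITY\SYSTEM', 'BUILTIN\Administrators', 'CREATOR OWNER')
    (Get-Acl -Path $env:windir).Access |
        Where-Object {
            $_.AccessControlType -eq 'Allow' -and
            ( $_.FileSystemRights -match 'Write|Modify|FullControl' -or
              ([int]$_.FileSystemRights -band 0x50000000) -ne 0 )   # GENERIC_ALL / GENERIC_WRITE bits
        } |
        ForEach-Object {
            [pscustomobject]@{
                Identity   = $_.IdentityReference.Value
                Rights     = $_.FileSystemRights
                Unexpected = ($expected -notcontains $_.IdentityReference.Value)
            }
        }
}

# Usage: anything with non-empty Flags, or Unexpected = True, is worth investigating.
Test-AutorunTarget | Where-Object { $_.Flags } | Format-Table -AutoSize
Get-WindowsDirWriter | Format-Table -AutoSize
```

These two keys and two folders are only the locations the thread touches; services, scheduled tasks, WMI subscriptions and the many other autostart points are better covered by Sysinternals Autoruns, which also shows the signature column for each entry.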