
Posted

Recently I downloaded a RAT and the person started deleting things and downloading stuff, not too sure why, but the person started to install AVAST Security on my PC? (maybe to override ESET so the RAT wouldn't get detected?) I think I did a pretty good job getting rid of the RAT? But you can never be too sure, so I installed Process Explorer (alternative Task Manager) and then I checked everything with Virustotal.com. About 6 of the programs have like 1-3/60 detected, but SearchService.exe has 30/68 (I have never seen SearchService.exe before, until recently).
It's located in "C:\Windows" and is 198KB in size.
There isn't much info on it and I'm not quite sure what to do.
Here is the Virustotal link: https://www.virustotal.com/#/file/c1ac18c9c98e3fffc50553950c154601032048b4e007ef502bc9362f1acec90f/detection
It's also not verified by Microsoft.


  • Administrators
Posted

The file 490ff13c6e237ad51382426f9ef48ac44e2df540 is not malware. We won't add detection.

Posted
11 minutes ago, Marcos said:

The file 490ff13c6e237ad51382426f9ef48ac44e2df540 is not malware. We won't add detection.

Ok, Thank you.

Posted

I am not so sure that the search service.exe is a benign process. Here is a write-up on the legit version: https://www.file.net/process/searchservice.exe.html .

The important point to note is the legit version is named searchservice.exe. Note there is no space between "search" and "service" in the process name. If the process running doesn't point back to this directory, C:\Program Files\Ticno\, I would be doubly suspicious.

Posted (edited)
11 hours ago, itman said:

I am not so sure that the search service.exe is a benign process. Here is a write-up on the legit version: https://www.file.net/process/searchservice.exe.html .

The important point to note is the legit version is named searchservice.exe. Note there is no space between "search" and "service" in the process name. If the process running doesn't point back to this directory, C:\Program Files\Ticno\, I would be doubly suspicious.

Do you know if it's supposed to open on startup?
Edit: I just checked and my version of searchservice.exe has a space..

Edited by sypticle
Posted
11 hours ago, sypticle said:

Do you know if it's supposed to open on startup?
Edit: I just checked and my version of searchservice.exe has a space..

What I do know is this.

Many of the detections for it on VT were for Gen:Variant.Mikey.24795. Gen:Variant.Mikey is a generic detection for adware/browser hijacker/etc..

Malwaretips.com has a few cleaning guides for earlier versions of it. Here's one: https://malwaretips.com/blogs/gen-variant-adware-mikey-10000-removal/ . Since AdwCleaner was recommended for removal of it, I would give it a shot on getting rid of this variant. You can download it here: https://www.bleepingcomputer.com/download/adwcleaner/ .

What I will say about Search Service.exe is that it is located in the Windows directory. As far as I am aware of, this is not a Windows system process or utility and has no business being in that directory. Additionally, the fact that it is located in a Windows directory significantly ups the probability that the process is dangerous.  

Posted (edited)

Another suggestion is to submit Search Service.exe for a scan on the Hybrid Analysis web site here: https://www.hybrid-analysis.com/ . As best as I can determine, the file hash you submitted to Virus Total has not been previously scanned at Hybrid Analysis. If you do this, copy the link for the scan and post it. I will take a look at the sandbox analysis performed.

Edited by itman
Posted
5 hours ago, itman said:

What I do know is this.

Many of the detections for it on VT were for Gen:Variant.Mikey.24795. Gen:Variant.Mikey is a generic detection for adware/browser hijacker/etc..

Malwaretips.com has a few cleaning guides for earlier versions of it. Here's one: https://malwaretips.com/blogs/gen-variant-adware-mikey-10000-removal/ . Since AdwCleaner was recommended for removal of it, I would give it a shot on getting rid of this variant. You can download it here: https://www.bleepingcomputer.com/download/adwcleaner/ .

What I will say about Search Service.exe is that it is located in the Windows directory. As far as I am aware of, this is not a Windows system process or utility and has no business being in that directory. Additionally, the fact that it is located in a Windows directory significantly ups the probability that the process is dangerous.  

So I ran AdwCleaner and Search Service no longer opens on startup like before.
And here is the link for the analysis: https://www.hybrid-analysis.com/sample/c1ac18c9c98e3fffc50553950c154601032048b4e007ef502bc9362f1acec90f/5be9cbea7ca3e132553fd388

Posted
8 minutes ago, sypticle said:

With a behavior analysis score of 89/100 which is one point below the high confidence level, I would say this bugger is malicious. Especially so using the MITRE indicators noted.

Did AdwCleaner get rid of the Search Service.exe in the C:\Windows directory?

Posted
Just now, itman said:

With a behavior analysis score of 89/100 which is one point below the high confidence level, I would say this bugger is malicious. Especially so using the MITRE indicators noted.

Did AdwCleaner get rid of the Search Service.exe in the C:\Windows directory?

No, all it did was get rid of the startup.
So I'm guessing it's okay to delete?

Posted
Just now, sypticle said:

So I'm guessing it's okay to delete?

Yes.

But I would zip it up in a folder in your download directory, etc. in the very remote chance its removal borks something in the near future. After a while with no issue related to its removal surfacing, you can then delete the folder.

Posted
1 minute ago, itman said:

Yes.

But I would zip it up in a folder in your download directory, etc. in the very remote chance its removal borks something in the near future. After a while with no issue related to its removal surfacing, you can then delete the folder.

Okay, thank you very much, and thanks for the very fast replies!

Posted

One other thing.

Malware should not be able to write to the C:\Windows directory w/o full admin privileges, as shown in the below screenshot; at least for Win 10. So that is something you should check out.

[Screenshot: Windows_Folder.png, permissions of the C:\Windows folder]

Posted
Just now, itman said:

One other thing.

Malware should not be able to write to the C:\Windows directory w/o full admin privileges, as shown in the below screenshot; at least for Win 10. So that is something you should check out.

Okay, so when I downloaded the RAT, the person disabled my "Administrator Permissions". I'm not really sure how, but I have it enabled now though.
He also kept opening up CMD and folders, so I kept pressing Alt + F4 so he couldn't do anything. I believe he tried deleting ESET; thank god you can't delete it so easily. After that I restarted my computer, and it had an update. I'm not sure if the update was caused by the RAT or was just a legit update. (It was a pretty small update.)

Posted
2 minutes ago, sypticle said:

Okay, so when I downloaded the RAT, the person disabled my "Administrator Permissions". I'm not really sure how

In all likelihood, the perpetrator ran one of the Win utility processes that are increasingly being abused. A number of those can be run hidden and silently elevate to admin level.

Tip - if you run as a limited admin and don't have UAC set to maximum level, you need to do so. Most of these bypasses can be detected when UAC is set to max. Yes, you will receive additional UAC alerts, but the increased security factor is worth the minor annoyance.

Posted (edited)
15 minutes ago, itman said:

In all likelihood, the perpetrator ran one of the Win utility processes that are increasingly being abused. A number of those can be run hidden and silently elevate to admin level.

Tip - if you run as a limited admin and don't have UAC set to maximum level, you need to do so. Most of these bypasses can be detected when UAC is set to max. Yes, you will receive additional UAC alerts, but the increased security factor is worth the minor annoyance.

I have 1 more question: so if I use Wireshark and put the filter as "dns", would I be able to get the person's IP and block it in the firewall?
Also, I will set UAC to max.

Edited by sypticle
Posted (edited)
26 minutes ago, sypticle said:

I have 1 more question: so if I use Wireshark and put the filter as "dns", would I be able to get the person's IP and block it in the firewall?

Per the Hybrid-Analysis, this isn't necessary:

Quote

Network Analysis

This report was generated with enabled TOR analysis

DNS Requests

No relevant DNS requests were made.

Contacted Hosts

No relevant hosts were contacted.

HTTP Traffic

No relevant HTTP requests were made.


Edited by itman
Posted
3 minutes ago, itman said:

Per the Hybrid-Analysis, this isn't necessary:


Okay, thank you.

Posted

It's a pity that ESET staff don't add such an evil file as a detection. It scares me a lot.

  • Administrators
Posted

@sypticle The file itself is not malicious but suspicious which is not enough for a detection to be added. Please search for Serv.dll and submit it in an archive protected with the password "infected" and with a link to this topic included to samples[at]eset.com.

Let me know when done.

Posted

There are at least 42 variants of Gen:Variant.Mikey.24795 going back to 2015: https://totalhash.cymru.com/search/?av:Gen*Variant.Mikey.24795 . Average VT AV vendor detection is around 50% for these.

Below are some of the variants that Eset detected in the past. I did not check all of the 42 variants for Eset detection:

https://totalhash.cymru.com/analysis/?5485d4ada205b0feddf559da044d41f048dbe177

https://totalhash.cymru.com/analysis/?6c63f84bb0363fa01a70d580b8c122e743eaa36d

https://totalhash.cymru.com/analysis/?3371cb7e337bf3da285e851026dbcd37f7382913

Posted

One final comment about this Search Service.exe sample that most might have not noticed.

CrowdStrike Falcon at VT detected it as 100% malicious. It is assumed that the Falcon sandbox is not deployed at VT and only machine learning heuristics were used. However, the analysis at Hybrid-Analysis does deploy the Falcon sandbox, allowing for a more thorough process analysis. That analysis yielded an 89% malicious confidence rating.

Now let's factor in the other known variables involved. This does not imply that there are no other unknown ones involved:

1. An unknown and unsigned process created in a Windows directory.

2. A Windows autorun mechanism created to run the process at system startup time.

I really believe that at a minimum, Eset should have thrown a suspicious alert on this one.  
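As an added example (not code from this thread, from ESET or from any of the posters), the following PowerShell triage script checks the indicators the replies above raise: the file-name and directory test from the file.net write-up, an unsigned process sitting in C:\Windows, autorun entries that reference it, and whether UAC is at its maximum level. The path, the Ticno directory and the SHA-256 are taken from this thread; the search pattern and the list of Run keys are assumptions.

```powershell
$SuspectPath    = 'C:\Windows\Search Service.exe'   # location reported by the original poster
$LegitDir       = 'C:\Program Files\Ticno'          # directory from the file.net write-up
$KnownBadSha256 = 'c1ac18c9c98e3fffc50553950c154601032048b4e007ef502bc9362f1acec90f'  # hash from the VT/HA links

function Test-SuspectFile {
    param([string]$Path)
    if (-not (Test-Path -LiteralPath $Path)) { return [pscustomobject]@{ Path = $Path; Present = $false } }
    $item = Get-Item -LiteralPath $Path
    $sig  = Get-AuthenticodeSignature -FilePath $Path
    $hash = (Get-FileHash -LiteralPath $Path -Algorithm SHA256).Hash.ToLower()
    [pscustomobject]@{
        Path              = $Path
        Present           = $true
        SizeKB            = [math]::Round($item.Length / 1KB)
        NameHasSpace      = $item.Name -match '\s'                  # legit name is searchservice.exe, no space
        InExpectedDir     = $item.DirectoryName -like "$LegitDir*"
        SignatureStatus   = $sig.Status                             # 'Valid' only if the Authenticode chain verifies
        Signer            = $sig.SignerCertificate.Subject
        MatchesThreadHash = ($hash -eq $KnownBadSha256)
    }
}

function Get-AutorunReferences {
    param([string]$Pattern)   # -like pattern; '*search*service*.exe*' catches both spellings (assumed)
    $runKeys = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
               'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
               'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
               'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce'
    foreach ($k in $runKeys | Where-Object { Test-Path $_ }) {
        (Get-ItemProperty $k).PSObject.Properties |
            Where-Object { $_.Value -is [string] -and $_.Value -like $Pattern } |
            ForEach-Object { [pscustomobject]@{ Source = $k; Name = $_.Name; Command = $_.Value } }
    }
    Get-CimInstance Win32_Service | Where-Object { $_.PathName -like $Pattern } |
        ForEach-Object { [pscustomobject]@{ Source = 'Service'; Name = $_.Name; Command = $_.PathName } }
    Get-ScheduledTask | ForEach-Object { $t = $_; $t.Actions | Where-Object { $_.Execute -like $Pattern } |
        ForEach-Object { [pscustomobject]@{ Source = 'ScheduledTask'; Name = $t.TaskName; Command = $_.Execute } } }
}

function Get-UacLevel {
    # "Always notify" is EnableLUA=1, ConsentPromptBehaviorAdmin=2, PromptOnSecureDesktop=1
    $p = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
    [pscustomobject]@{
        EnableLUA = $p.EnableLUA; ConsentPromptBehaviorAdmin = $p.ConsentPromptBehaviorAdmin
        PromptOnSecureDesktop = $p.PromptOnSecureDesktop
        AtMaximum = ($p.EnableLUA -eq 1 -and $p.ConsentPromptBehaviorAdmin -eq 2 -and $p.PromptOnSecureDesktop -eq 1)
    }
}
Test-SuspectFile -Path $SuspectPath | Format-List
Get-AutorunReferences -Pattern '*search*service*.exe*' | Format-Table -AutoSize
Get-UacLevel | Format-List
```

Run it from an elevated PowerShell so the HKLM keys, services and scheduled tasks are all readable; a file that is Present, unsigned, NameHasSpace and outside the expected directory, with an autorun pointing at it, matches the combination itman describes.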
