ESET I.S. Agressively blocking URL, can't find app

[Nightowl 202]

9 hours ago, Vince said:

no more popups alert for me with HIPS rules, or without HIPS rules.

After a Deep Scan  :

Most likely it was gone when you have manually quarantined the malicious javascript file

The detection of bitTorrent has nothing to do with it , switch to Deluge/qBittorent if you want a better client.

[Marcos 5,071]

After carrying out investigation on this, the malicious shortcuts should now be well detected and cleaned.

[Nightowl 202]

10 hours ago, Marcos said:

After carrying out investigation on this, the malicious shortcuts should now be well detected and cleaned.

Also the shortcut leads to JS script that isn't being detected by anything in VT.

[Marcos 5,071]

13 minutes ago, Nightowl said:

Also the shortcut leads to JS script that isn't being detected by anything in VT.

I assume the script itself is encrypted, hence it cannot be detected. You can upload it here if you have it.

[Nightowl 202]

5 minutes ago, Marcos said:

I assume the script itself is encrypted, hence it cannot be detected. You can upload it here if you have it.

I am sorry but unfortunately I don't have it , but @Vince should , it got uploaded to VT

and probably he manually quarantined it to ESET.

[Nightowl 202]

Here is the VT link : https://www.virustotal.com/gui/file/1b1640edb3f7213f4338c6e0017a1b9028c6b324d64f3e63c09169540e82f4a5/detection

[Marcos 5,071]

Got it from VT. In fact, it's not detected because of the extension but with a correct extension it would be detected:
updatewins.js - JS/Kryptik.BPU trojan. The detection was created between Feb 17-20. We'll adjust it so that such files can be normally detected.

[Nightowl 202]

4 minutes ago, Marcos said:

Got it from VT. In fact, it's not detected because of the extension but with a correct extension it would be detected:
updatewins.js - JS/Kryptik.BPU trojan. The detection was created between Feb 17-20. We'll adjust it so that such files can be normally detected.

I understand , thank you Marcos.

[sadbhai 0]

My computer is screwed from this! I can't open ESET or Windows Defender, the Start Bar has stopped working in Safe Mode and signing in normally resulting in black desktop with a flashing Taskbar as I've described.

 

[Marcos 5,071]

3 minutes ago, sadbhai said:

My computer is screwed from this! I can't open ESET or Windows Defender, the Start Bar has stopped working in Safe Mode and signing in normally resulting in black desktop with a flashing Taskbar as I've described.

This must be a different issue not related to what has been discussed in this topic. Please create a new topic and provide ELC logs for a start. If possible, use ESET SysRescue to boot to a clean system and run a scan of your disks.

[itman 1,659]

5 hours ago, Nightowl said:

Also the shortcut leads to JS script that isn't being detected by anything in VT.

The script uploaded to VT is the initiator script that will run the payload script that has been previously dropped here: C:\updatewins.js . As such, this JavaScript itself is not malicious; the script in the C:\ root directory is. Hence why no one on VT detects the initiator script.

Full analysis of this initiator script is here: https://www.hybrid-analysis.com/sample/1b1640edb3f7213f4338c6e0017a1b9028c6b324d64f3e63c09169540e82f4a5?environmentId=120

 

[Nightowl 202]

1 minute ago, itman said:

The script uploaded to VT is the initiator script that will run the payload script that has been previously dropped here: C:\updatewins.js . As such, this JavaScript itself is not malicious; the script in the C:\ root directory is. Hence why no one on VT detects the initiator script.

Full analysis of this initiator script is here: https://www.hybrid-analysis.com/sample/1b1640edb3f7213f4338c6e0017a1b9028c6b324d64f3e63c09169540e82f4a5?environmentId=120

 

I understand , thank you ITman

[Nightowl 202]

6 minutes ago, itman said:

The script uploaded to VT is the initiator script that will run the payload script that has been previously dropped here: C:\updatewins.js . As such, this JavaScript itself is not malicious; the script in the C:\ root directory is. Hence why no one on VT detects the initiator script.

Full analysis of this initiator script is here: https://www.hybrid-analysis.com/sample/1b1640edb3f7213f4338c6e0017a1b9028c6b324d64f3e63c09169540e82f4a5?environmentId=120

 

I believe you are mistaken , both files from my post and this file are identical , yet they were in different locations.

It is the same : https://www.virustotal.com/gui/file/1b1640edb3f7213f4338c6e0017a1b9028c6b324d64f3e63c09169540e82f4a5/detection

It's just missing it's .ext

Edited June 9, 2020 by Nightowl

[Marcos 5,071]

 

7 minutes ago, itman said:

Hence why no one on VT detects the initiator script.

The script is malicious and has been detected by ESET since Feb. As of the last update it's also detected without an extension

[Nightowl 202]

They are the same probably

[itman 1,659]

One thing I want to establish is if everyone affected by this malware was running Win 7?

I am still trying to figure out how the payload script got dropped to the C:\root directory in Win 10.

[Namoh 0]

5 hours ago, Marcos said:

Got it from VT. In fact, it's not detected because of the extension but with a correct extension it would be detected:
updatewins.js - JS/Kryptik.BPU trojan. The detection was created between Feb 17-20. We'll adjust it so that such files can be normally detected.

I can confirm that ESET now detects this!
Just scanned my pc and it came up with: Agent.JK trojan horse and with JK/Kryptik.BPU trojan horse.

So if I would install this (cracked) software again, ESET would now block the installation!?

Good job.

[Nightowl 202]

2 minutes ago, Namoh said:

I can confirm that ESET now detects this!
Just scanned my pc and it came up with: Agent.JK trojan horse and with JK/Kryptik.BPU trojan horse.

So if I would install this (cracked) software again, ESET would now block the installation!?

Good job.

It's a fake cracked software , usually cracked software crack/bypass the activation/protection methods and usually requires the user to block connection of the software so it doesn't communicate with anything

A crack that is trying to get data from a server / report data to a server is a fake crack which is a TROJAN

Yet some cracking methods do require emulation of an activation server so it could get a reply from it , but this can be done local.

Edited June 9, 2020 by Nightowl

[itman 1,659]

6 minutes ago, Nightowl said:

I believe you are mistaken , both files from my post and this file are identical , yet they were in different locations.

The malware uses multiple different scripts all named with the same prefix but created in different locations.

[Nightowl 202]

Yea probably most of them are getting it from fake torrent or fake DL that pretends to be a cracked version of ADOBE or some kind of another software.

[itman 1,659]

9 minutes ago, Namoh said:

So if I would install this (cracked) software again, ESET would now block the installation!?

Assume the malware author has already modified this second JavaScript variant; just like did for the original, to avoid signature detection.

Edited June 9, 2020 by itman

[Nightowl 202]

11 minutes ago, Namoh said:

I can confirm that ESET now detects this!
Just scanned my pc and it came up with: Agent.JK trojan horse and with JK/Kryptik.BPU trojan horse.

So if I would install this (cracked) software again, ESET would now block the installation!?

Good job.

And most probably using a fake crack/torrent that it's purpose is to infect.

[Nightowl 202]

Crack/hacktools/keygens and etc are all detected as HACKTOOL by ESET , as if UNSAFE apps detection isn't enabled then ESET won't touch them , or warn about them , because they are not malicious to the user.

 

[itman 1,659]

27 minutes ago, Marcos said:

The script is malicious and has been detected by ESET since Feb. As of the last update it's also detected without an extension

I really don't what you're referring to.

When the original JavaScript variant appeared the end of Feb., the only AV's detecting it were Emsisoft and BitDefender. Plus, they were generic detections: https://metadefender.opswat.com/results/file/bzIwMDIyOVNKV25RQVNQTkxIeWYzbVJIUEVM/regular/multiscan?lang=en . Kaspersky gave it a suspicious detection.

Edited June 9, 2020 by itman

[Marcos 5,071]

12 minutes ago, itman said:

I really don't what you're referring to.

This is something different which is detected by ESET as JS/Agent.AG. I was referring to the samples above, such as "updatewins". The detection was added in Feb. As Namoh wrote: "Just scanned my pc and it came up with: LNK/Agent.JK trojan horse and with JS/Kryptik.BPU trojan horse. "

https://www.virustotal.com/gui/file/1b1640edb3f7213f4338c6e0017a1b9028c6b324d64f3e63c09169540e82f4a5/detection