Nightowl (Most Valued Members), posted June 8, 2020:
9 hours ago, Vince said: "no more popups alert for me with HIPS rules, or without HIPS rules. After a Deep Scan:"
Most likely it was gone when you manually quarantined the malicious JavaScript file. The detection of BitTorrent has nothing to do with it; switch to Deluge/qBittorrent if you want a better client.
Marcos (Administrators), posted June 8, 2020:
After carrying out an investigation on this, the malicious shortcuts should now be well detected and cleaned.
Nightowl (Most Valued Members), posted June 9, 2020:
10 hours ago, Marcos said: "After carrying out an investigation on this, the malicious shortcuts should now be well detected and cleaned."
Also, the shortcut leads to a JS script that isn't being detected by anything in VT.
Marcos (Administrators), posted June 9, 2020:
13 minutes ago, Nightowl said: "Also, the shortcut leads to a JS script that isn't being detected by anything in VT."
I assume the script itself is encrypted, hence it cannot be detected. You can upload it here if you have it.
Nightowl (Most Valued Members), posted June 9, 2020:
5 minutes ago, Marcos said: "I assume the script itself is encrypted, hence it cannot be detected. You can upload it here if you have it."
I am sorry, but unfortunately I don't have it; @Vince should, though. It got uploaded to VT, and probably he manually quarantined it to ESET.
Nightowl (Most Valued Members), posted June 9, 2020:
Here is the VT link: https://www.virustotal.com/gui/file/1b1640edb3f7213f4338c6e0017a1b9028c6b324d64f3e63c09169540e82f4a5/detection
Marcos (Administrators), posted June 9, 2020:
Got it from VT. In fact, it's not detected because of the extension, but with a correct extension it would be detected: updatewins.js - JS/Kryptik.BPU trojan. The detection was created between Feb 17-20. We'll adjust it so that such files can be normally detected.
Nightowl (Most Valued Members), posted June 9, 2020:
4 minutes ago, Marcos said: "Got it from VT. In fact, it's not detected because of the extension, but with a correct extension it would be detected: updatewins.js - JS/Kryptik.BPU trojan. The detection was created between Feb 17-20. We'll adjust it so that such files can be normally detected."
I understand, thank you Marcos.
sadbhai, posted June 9, 2020:
My computer is screwed from this! I can't open ESET or Windows Defender, the Start Bar has stopped working in Safe Mode, and signing in normally results in a black desktop with a flashing Taskbar, as I've described.
Marcos (Administrators), posted June 9, 2020:
3 minutes ago, sadbhai said: "My computer is screwed from this! I can't open ESET or Windows Defender, the Start Bar has stopped working in Safe Mode, and signing in normally results in a black desktop with a flashing Taskbar, as I've described."
This must be a different issue, not related to what has been discussed in this topic. Please create a new topic and provide ELC logs for a start. If possible, use ESET SysRescue to boot to a clean system and run a scan of your disks.
itman, posted June 9, 2020:
5 hours ago, Nightowl said: "Also, the shortcut leads to a JS script that isn't being detected by anything in VT."
The script uploaded to VT is the initiator script that will run the payload script that has been previously dropped here: C:\updatewins.js. As such, this JavaScript itself is not malicious; the script in the C:\ root directory is. Hence why no one on VT detects the initiator script. Full analysis of this initiator script is here: https://www.hybrid-analysis.com/sample/1b1640edb3f7213f4338c6e0017a1b9028c6b324d64f3e63c09169540e82f4a5?environmentId=120
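Two mechanics come up in Marcos's and itman's posts above: the dropped payload can sit in the C:\ root with no extension (so any check keyed on ".js" misses it), and the initiator is a Windows shortcut that hands the file to a script host. The following is an added example, not code from this thread or from ESET: it sniffs extensionless files for JScript content and reads the relative path and arguments out of a .lnk file (a minimal MS-SHLLINK StringData reader) to see whether the shortcut launches wscript/cscript. The marker list, the sample files and the shortcut builder are constructed for the demonstration and are not ESET's JS/Kryptik or LNK/Agent logic.

```python
"""Added example: content-based detection of extensionless script payloads and
of shortcuts that launch a script host. Heuristic and samples are constructed."""
import os
import re
import struct
import tempfile

# Constructed heuristic: WSH/JScript constructs commonly seen in script droppers.
JSCRIPT_MARKERS = (
    rb"WScript\.", rb"ActiveXObject", rb"\beval\s*\(", rb"unescape\s*\(",
    rb"String\.fromCharCode", rb"\.Run\s*\(", rb"Scripting\.FileSystemObject",
)

def looks_like_jscript(data: bytes, min_hits: int = 2) -> bool:
    """True if the content matches at least `min_hits` distinct markers (name ignored)."""
    hits = sum(1 for marker in JSCRIPT_MARKERS if re.search(marker, data))
    return hits >= min_hits

# MS-SHLLINK LinkFlags bits used below.
HAS_ID_LIST, HAS_LINK_INFO, HAS_NAME, HAS_REL_PATH = 0x01, 0x02, 0x04, 0x08
HAS_WORKING_DIR, HAS_ARGUMENTS, HAS_ICON, IS_UNICODE = 0x10, 0x20, 0x40, 0x80
LNK_CLSID = bytes.fromhex("0114020000000000c000000000000046")  # {00021401-0000-0000-C000-000000000046}

def parse_lnk_strings(data: bytes) -> dict:
    """Minimal shell-link reader: skips IDList/LinkInfo and returns the StringData
    fields (name, relative_path, working_dir, arguments, icon) that are present."""
    if len(data) < 0x4C or struct.unpack_from("<I", data, 0)[0] != 0x4C:
        raise ValueError("not a shell link: bad HeaderSize")
    flags = struct.unpack_from("<I", data, 0x14)[0]
    pos = 0x4C
    if flags & HAS_ID_LIST:                       # IDListSize (u16) + IDList
        pos += 2 + struct.unpack_from("<H", data, pos)[0]
    if flags & HAS_LINK_INFO:                     # LinkInfoSize (u32) includes itself
        pos += struct.unpack_from("<I", data, pos)[0]
    fields = {}
    for key, bit in (("name", HAS_NAME), ("relative_path", HAS_REL_PATH),
                     ("working_dir", HAS_WORKING_DIR), ("arguments", HAS_ARGUMENTS),
                     ("icon", HAS_ICON)):
        if not flags & bit:
            continue
        count = struct.unpack_from("<H", data, pos)[0]  # CountCharacters, no terminator
        pos += 2
        if flags & IS_UNICODE:
            fields[key] = data[pos:pos + 2 * count].decode("utf-16-le")
            pos += 2 * count
        else:
            fields[key] = data[pos:pos + count].decode("cp1252", "replace")
            pos += count
    return fields

SCRIPT_HOST = re.compile(r"\b[wc]script(\.exe)?\b", re.I)

def lnk_launches_script_host(data: bytes) -> bool:
    """True when the shortcut's relative path or arguments invoke wscript/cscript."""
    s = parse_lnk_strings(data)
    return any(SCRIPT_HOST.search(s.get(k, "")) for k in ("relative_path", "arguments"))

def build_lnk(relative_path: str, arguments: str) -> bytes:
    """Construct a minimal Unicode .lnk (no IDList, no LinkInfo) for testing."""
    flags = HAS_REL_PATH | HAS_ARGUMENTS | IS_UNICODE
    header = struct.pack("<I16sI", 0x4C, LNK_CLSID, flags) + b"\x00" * 52  # 76 bytes total
    body = b"".join(struct.pack("<H", len(s)) + s.encode("utf-16-le")
                    for s in (relative_path, arguments))
    return header + body

def scan_dir(path: str) -> list:
    """Flag extensionless files with JScript content and .lnk files that run a script host."""
    findings = []
    for root, _dirs, files in os.walk(path):
        for name in files:
            with open(os.path.join(root, name), "rb") as fh:
                data = fh.read(1 << 20)          # first MiB is enough for the heuristic
            ext = os.path.splitext(name)[1].lower()
            if ext == ".lnk":
                try:
                    if lnk_launches_script_host(data):
                        findings.append((name, "shortcut launches wscript/cscript"))
                except ValueError:
                    pass                          # malformed shortcut; not our concern here
            elif ext == "" and looks_like_jscript(data):
                findings.append((name, "extensionless file with JScript content"))
    return sorted(findings)

def _write(path: str, data: bytes) -> None:
    with open(path, "wb") as fh:
        fh.write(data)

def demo() -> list:
    """Build constructed samples in a temp directory and return the scan findings."""
    payload = (b'var sh = new ActiveXObject("WScript.Shell");\n'   # constructed, inert
               b'var s = unescape("%75%72%6C");\n'
               b'sh.Run(s, 0, false);\n')
    with tempfile.TemporaryDirectory() as d:
        _write(os.path.join(d, "updatewins"), payload)            # no extension, like the thread's sample
        _write(os.path.join(d, "readme"), b"plain text, nothing to see")
        _write(os.path.join(d, "Setup.lnk"),
               build_lnk("..\\Windows\\System32\\wscript.exe", "//B C:\\updatewins"))
        _write(os.path.join(d, "Docs.lnk"), build_lnk("notepad.exe", "notes.txt"))
        return scan_dir(d)

if __name__ == "__main__":
    for name, reason in demo():
        print(f"{name}: {reason}")
```

The point of `looks_like_jscript` is that it never consults the file name, which is exactly what an extension-keyed check gets wrong; the marker threshold is a constructed starting point, so tune it against a benign corpus before relying on it. Real shortcuts usually carry an IDList and LinkInfo, which the parser skips by their declared sizes, but it reads only StringData and ignores EnvironmentVariableDataBlock and other extra data, so a target expressed purely through those blocks would need a fuller parser.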
Nightowl (Most Valued Members), posted June 9, 2020:
1 minute ago, itman said: "The script uploaded to VT is the initiator script that will run the payload script that has been previously dropped here: C:\updatewins.js. As such, this JavaScript itself is not malicious; the script in the C:\ root directory is. Hence why no one on VT detects the initiator script. Full analysis of this initiator script is here: https://www.hybrid-analysis.com/sample/1b1640edb3f7213f4338c6e0017a1b9028c6b324d64f3e63c09169540e82f4a5?environmentId=120"
I understand, thank you itman.
Nightowl (Most Valued Members), posted June 9, 2020 (edited):
6 minutes ago, itman said: "The script uploaded to VT is the initiator script that will run the payload script that has been previously dropped here: C:\updatewins.js. As such, this JavaScript itself is not malicious; the script in the C:\ root directory is. Hence why no one on VT detects the initiator script. Full analysis of this initiator script is here: https://www.hybrid-analysis.com/sample/1b1640edb3f7213f4338c6e0017a1b9028c6b324d64f3e63c09169540e82f4a5?environmentId=120"
I believe you are mistaken; both files from my post and this file are identical, yet they were in different locations. It is the same: https://www.virustotal.com/gui/file/1b1640edb3f7213f4338c6e0017a1b9028c6b324d64f3e63c09169540e82f4a5/detection
It's just missing its .ext
Edited June 9, 2020 by Nightowl
Marcos (Administrators), posted June 9, 2020:
7 minutes ago, itman said: "Hence why no one on VT detects the initiator script."
The script is malicious and has been detected by ESET since Feb. As of the last update it's also detected without an extension.
Nightowl (Most Valued Members), posted June 9, 2020:
They are the same, probably.
itman, posted June 9, 2020:
One thing I want to establish is whether everyone affected by this malware was running Win 7. I am still trying to figure out how the payload script got dropped to the C:\ root directory in Win 10.
Namoh, posted June 9, 2020:
5 hours ago, Marcos said: "Got it from VT. In fact, it's not detected because of the extension, but with a correct extension it would be detected: updatewins.js - JS/Kryptik.BPU trojan. The detection was created between Feb 17-20. We'll adjust it so that such files can be normally detected."
I can confirm that ESET now detects this! Just scanned my pc and it came up with: Agent.JK trojan horse and with JK/Kryptik.BPU trojan horse. So if I would install this (cracked) software again, ESET would now block the installation!? Good job.
Nightowl (Most Valued Members), posted June 9, 2020 (edited):
2 minutes ago, Namoh said: "I can confirm that ESET now detects this! Just scanned my pc and it came up with: Agent.JK trojan horse and with JK/Kryptik.BPU trojan horse. So if I would install this (cracked) software again, ESET would now block the installation!? Good job."
It's fake cracked software. Usually cracked software cracks/bypasses the activation/protection methods and usually requires the user to block the software's connection so it doesn't communicate with anything. A crack that is trying to get data from a server / report data to a server is a fake crack, which is a TROJAN. Yet some cracking methods do require emulation of an activation server so it could get a reply from it, but this can be done locally.
Edited June 9, 2020 by Nightowl
itman, posted June 9, 2020:
6 minutes ago, Nightowl said: "I believe you are mistaken; both files from my post and this file are identical, yet they were in different locations."
The malware uses multiple different scripts, all named with the same prefix but created in different locations.
Nightowl (Most Valued Members), posted June 9, 2020:
Yeah, probably most of them are getting it from a fake torrent or fake download that pretends to be a cracked version of Adobe or some other software.
itman, posted June 9, 2020 (edited):
9 minutes ago, Namoh said: "So if I would install this (cracked) software again, ESET would now block the installation!?"
Assume the malware author has already modified this second JavaScript variant, just as was done for the original, to avoid signature detection.
Edited June 9, 2020 by itman
Nightowl (Most Valued Members), posted June 9, 2020:
11 minutes ago, Namoh said: "I can confirm that ESET now detects this! Just scanned my pc and it came up with: Agent.JK trojan horse and with JK/Kryptik.BPU trojan horse. So if I would install this (cracked) software again, ESET would now block the installation!? Good job."
And most probably using a fake crack/torrent whose purpose is to infect.
Nightowl (Most Valued Members), posted June 9, 2020:
Cracks/hacktools/keygens etc. are all detected as HACKTOOL by ESET, so if UNSAFE apps detection isn't enabled then ESET won't touch them or warn about them, because they are not malicious to the user.
itman, posted June 9, 2020 (edited):
27 minutes ago, Marcos said: "The script is malicious and has been detected by ESET since Feb. As of the last update it's also detected without an extension."
I really don't know what you're referring to. When the original JavaScript variant appeared at the end of Feb., the only AVs detecting it were Emsisoft and BitDefender. Plus, they were generic detections: https://metadefender.opswat.com/results/file/bzIwMDIyOVNKV25RQVNQTkxIeWYzbVJIUEVM/regular/multiscan?lang=en . Kaspersky gave it a suspicious detection.
Edited June 9, 2020 by itman
Marcos (Administrators), posted June 9, 2020:
12 minutes ago, itman said: "I really don't know what you're referring to."
This is something different, which is detected by ESET as JS/Agent.AG. I was referring to the samples above, such as "updatewins". The detection was added in Feb. As Namoh wrote: "Just scanned my pc and it came up with: LNK/Agent.JK trojan horse and with JS/Kryptik.BPU trojan horse." https://www.virustotal.com/gui/file/1b1640edb3f7213f4338c6e0017a1b9028c6b324d64f3e63c09169540e82f4a5/detection