
Win32/Packed.Themida.HFL


Go to solution Solved by Marcos,


  • Administrators

What program is detected with that name? Do you consider it legitimate or malicious or grey (crack, keygen, etc.)? Please provide the whole record pertaining to the detection from the Detection log.


Hi Marcos.

Thanks for your answer. It's not a program, it's a file. I think it's some kind of trojan. You can see it in the following pictures.

Here is the detection log:

Zeit;Scanner;Objekttyp;Objekt;Erkennung;Aktion;Benutzer;Information;Hash;Zuerst hier gesehen
28.11.2020 11:19:16;Echtzeit-Dateischutz;Datei;C:\WINDOWS\TEMP\ec4b3ab6-14a3-3a24-522c-23f67832b6d1\e4afb5cd-2616-2ade-b688-275bb99d0281.exe;eine Variante von Win32/Packed.Themida.HFL Trojaner;durch Löschen gesäubert;NT-AUTORITÄT\SYSTEM;Ereignis beim Erstellen einer neuen Datei durch die Anwendung: C:\Program Files (x86)\nodejs\node.exe (D4D4F25931EE30DE1BA81BEB67E0D2CE41BF7A2E).;2AFFEEDAEF525BC9FA609710DEB24AF5477E3D9A;27.11.2020 19:44:43


I'm sorry that it's all written in German :(


And that happens every time I start my PC.


Screenshot (67).png

  • Administrators

Is the file continually being re-created and detected? In the post above you wrote that you had deleted the file so I assume the malware was detected and cleaned and therefore the case is solved.


The first question is: did you purposely install Node js? Or, does any software you have installed use Node js?

Ref.: https://www.geeksforgeeks.org/installation-of-node-js-on-windows/

Per the linked reference, node js is installed on your device as evidenced by the creation of this directory, C:\Program Files (x86)\nodejs.

However, a malware based install of Node js can be evidenced by creation of this Windows environment variable:

Quote

If you use any other format for installing node.js on your PC, you should put the system variable path for node.js as follows:

PATH : C:\Users\[username]\AppData\Roaming\npm
C:\Program Files\nodejs (Path to the nodejs folder)

Also Eset's detection appears to be for this file, C:\WINDOWS\TEMP\ec4b3ab6-14a3-3a24-522c-23f67832b6d1\e4afb5cd-2616-2ade-b688-275bb99d0281.exe. One possibility is something running at system startup via a startup entry or scheduled task using Node js to create the C:\WINDOWS\TEMP\ file.

Edited by itman

First of all, thank you for your answer @itman!

How can I check if a program uses Node Js?
The path C:\Users\[username]\AppData\Roaming\npm is empty. But in C:\Program Files\nodejs there are many files, documents, etc.

Should I delete the node js folder, or what should I do?

nodejs 28.11.2020 16_27_15.png

nodejs 28.11.2020 16_27_28.png

nodejs 28.11.2020 16_28_17.png


The legit installation path for Node js is C:\Program Files\nodejs. However on your device, Node js is installed in C:\Program Files (x86)\nodejs. This is highly suspicious.

Also it is not easy to dump a file into C:\WINDOWS\TEMP\ directory in Win 10. You don't even have read access to that directory if running under default limited admin account. As such, I believe a scheduled task was created to run with highest privileges that is running at system startup time. This task is creating the .exe in the C:\WINDOWS\TEMP\ directory that Eset is detecting. One possibility is the scheduled task is using Node js to remotely connect to attacker's C&C server to download this .exe.

2 minutes ago, Sneaxi said:

Ok thanks @itman, so what should I do next so I can fix this problem?

1. Upload in your next posting the logs @Marcos requested.

2. You can also use Win Task Manager to review task startup history related to Win startup times for suspicious task startup entries. Or, you can use SysInternals Autoruns: https://docs.microsoft.com/en-us/sysinternals/downloads/autoruns to do the same which will scan all Win startup tasks. This tool can also be configured to use VirusTotal to scan all startup entries.

Warning! Do not remove anything anywhere unless you know what you are doing and you have provided a recovery method to restore whatever you removed in case you bork your system due to this removal.

  • Administrators

Node.js is not among installed applications. There are 2 tasks that launch node.exe:

  <NODE NAME="Task" TR="N=5601" VALUE="c:\windows\system32\tasks\MicrosoftApp-VAppvStrm" EVAL="5">
   <NODE NAME="Command line" TR="N=5602" VALUE="c:\program files (x86)\nodejs\node.exe C:\WINDOWS\Installer\{408F648F-8DE2-46A2-A438-6BFE439FD553}\{84EFCD6A-635D-4ABD-8E6F-35C7E83DEA26}" EVAL="5" LINK="1038" MLINK="1035,1038" />
  </NODE>

  <NODE NAME="Task" TR="N=5601" VALUE="c:\windows\system32\tasks\Remotezugriff-IP-ARP-Treiber RPC-Endpunktzuordnung Windows-Sofortverbindung" EVAL="5">
   <NODE NAME="Command line" TR="N=5602" VALUE="&quot;c:\program files (x86)\nodejs\node.exe&quot; &quot;C:\ProgramData\Package Cache\{163F3977-9019-44B0-99E1-BDDB91800A25}\{1E1869BF-A5D2-4B51-9FAB-3060C2E68ACE}&quot;" EVAL="5" LINK="1064" MLINK="1035,1064" />
  </NODE>

Does the detection continue after disabling these 2 tasks? If not, please provide the 2 files that the node.exe opens.

Also it appears that you have v. 6.10.3 while the latest one is 15.3.0. I'd suggest downloading and installing the latest version from https://nodejs.org/en/ and then uninstalling it.

Last but not least, I'd strongly recommend enabling the LiveGrid Feedback system, which will also improve the detection and cleaning capabilities of the ESET product. Since you have a trial version installed, if you decide to purchase a license I'd recommend that you choose ESET Internet Security (or ESET Smart Security Premium if you'd also like to get the Password manager and Disk encryption features). Unlike EAV, EIS and ESSP also protect you from RDP brute-force attacks, which is a common infection vector through which attackers gain access to a victim's system and run ransomware, steal data or do whatever they want.

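The check itman and Marcos describe above (find scheduled tasks that launch node.exe, look at where the binary lives, what it is handed, and whether the task runs at startup with highest privileges), written out as an added PowerShell example. This is not code from the thread, from ESET or from the Node.js project; it uses the built-in ScheduledTasks module on Windows 10. The "expected" path is the legitimate install location itman named, the SHA1 is the one from the ESET detection record posted above, and the "no .js extension" heuristic is my own reading of the two GUID-named arguments Marcos listed.

```powershell
# Added example (not from the ESET forum thread): list scheduled tasks that run node.exe and
# flag the signals discussed in the thread. Run from an elevated PowerShell on Windows 10.

$ExpectedNodePath = 'C:\Program Files\nodejs\node.exe'          # legit path per itman's post
# SHA1 of node.exe as reported in the ESET detection record in this thread (comparison only)
$NodeSha1FromLog  = 'D4D4F25931EE30DE1BA81BEB67E0D2CE41BF7A2E'

function Get-NodeScheduledTask {
    Get-ScheduledTask | ForEach-Object {
        $task = $_
        foreach ($action in $task.Actions) {
            # The second task in the thread wraps the path in quotes; strip them before matching.
            $exe = ([string]$action.Execute).Trim('"')
            if ($exe -notmatch 'node\.exe$') { continue }

            $sha1 = if (Test-Path -LiteralPath $exe) {
                (Get-FileHash -LiteralPath $exe -Algorithm SHA1).Hash
            } else { 'file missing' }

            # Trigger class names (e.g. BootTrigger, LogonTrigger) tell you whether it runs at startup.
            $triggers = @($task.Triggers | ForEach-Object {
                $_.CimClass.CimClassName -replace '^MSFT_Task', ''
            })

            [pscustomobject]@{
                TaskPath       = $task.TaskPath
                TaskName       = $task.TaskName
                State          = $task.State
                RunLevel       = $task.Principal.RunLevel      # 'Highest' = runs with highest privileges
                Triggers       = ($triggers -join ',')
                Execute        = $exe
                Arguments      = $action.Arguments
                NodeSha1       = $sha1
                MatchesLogHash = ($sha1 -eq $NodeSha1FromLog)
                # Heuristic from the thread: node.exe outside the normal install path, or a script
                # argument with no .js extension (the thread's tasks pass GUID-named files).
                Suspicious     = ($exe -ne $ExpectedNodePath) -or
                                 ([string]$action.Arguments -notmatch '\.js(\s|"|$)')
            }
        }
    }
}

# Review everything first.
Get-NodeScheduledTask | Format-List

# Then back up and disable (not delete) the tasks you have judged malicious, so they can be
# restored with Register-ScheduledTask if you were wrong. Remove -WhatIf to apply the change.
$backupDir = Join-Path $env:USERPROFILE 'Desktop\task-backups'
New-Item -ItemType Directory -Path $backupDir -Force | Out-Null
foreach ($t in (Get-NodeScheduledTask | Where-Object Suspicious)) {
    Export-ScheduledTask -TaskName $t.TaskName -TaskPath $t.TaskPath |
        Set-Content -LiteralPath (Join-Path $backupDir "$($t.TaskName).xml")
    Disable-ScheduledTask -TaskName $t.TaskName -TaskPath $t.TaskPath -WhatIf
}
```

After disabling, reboot and confirm the ESET real-time detection for the C:\WINDOWS\TEMP\ file no longer fires; the exported XML files are what you would hand to the forum (or re-import) if a task turns out to be legitimate.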
  • Administrators

If you run Task Scheduler via the Start menu, you should see them among active tasks:

image.png

Node.js is a JavaScript runtime, an alternative to the system wscript.exe.


@Marcos it worked, so Eset no longer recognizes a threat after starting the computer. Thank you! ❤️

And @itman also thanks for all your support!

If there is another problem or something similar, I will get back to you here in this post.


We can also assume this Node js based crud was created prior to the Eset trial version installation.

Do yourself a favor and purchase an Eset license.

-EDIT- Also heed @Marcos advice about getting rid of Node Js. Its presence opens you up to ransomware attacks that deploy components of it. Ref.: https://soanvig.github.io/node-ransomware/

Edited by itman