Cleaning rootkit problem

[kamiran.asia 5]

5 hours ago, itman said:

If MS5AC23CA6APP.DLL is allowed to run, the following will occur.

The sample submitted to VT shows the malware was executed via:

• %windir%\System32\svchost.exe -k WerSvcGroup
• %windir%\system32\WerFault.exe -u -p 2592 -s 124

-u stands for user mode, -p is process id, and is -s means it was executed via SilentProcessExit API mode.

Other analysis of this malware I reviewed notes a malicious .dll is first registered . Then the legit service registry key corresponding to svchost.exe -k WerSvcGroup .dll reference is modified to point to the malicious .dll.

The real mystery is why Eset didn't detect MS5AC23CA6APP.DLL upon download. My best guess is its packed, encrypted, etc. code.

Thanks Dears @itman and @safety

As we know , in the time of infection No AV was installed. So the Dll and mentioned services was installed in the past.

When ESET Endpoint Security installed , We saw the alerts of detection from Svchost ( Win32/TrojanDownloader.Delf.BTT ) and because the Ms32A1591EApp.dll can not be accessed by explorer and ESET Kernel , infection were persist. Because if ESET can scan that Dll , It must be detected as a variant of Win32/Packed.VMProtect.ABO.

Our Customer used KVRT.exe and clean the infected DLL.

We know that these threats use special techniques so AV not scan them in normal windows mode (Just program such as Gmer and kvrt can see them or LiveOs ) and just when inject svchost or download other Trojan ESET block them.

As @Marcos said we need memory dump to analyze more , So we are finding another infected systesm in that network.

[itman 1,659]

6 minutes ago, kamiran.asia said:

Our Customer used KVRT.exe and clean the infected DLL.

I have my doubts KVRT.exe "cleaned" anything other than removing and quarantining C:\Windows\System32\Ms32A1591EApp.dll.

I suspect how it detected the .dll is upon seeing its encrypted status, it ran it in its sandbox; the same way VT did. Once decrypted, it detected it via signature.

[kamiran.asia 5]

6 minutes ago, itman said:

I have my doubts KVRT.exe "cleaned" anything other than removing and quarantining C:\Windows\System32\Ms32A1591EApp.dll.

I suspect how it detected the .dll is upon seeing its encrypted status, it ran it in its sandbox; the same way VT did. Once decrypted, it detected it via signature.

As you can see , KVRT detection was : UDS:Trojan.Win32.Agentb.a

UDS : Urgent Detection System that use KSN (Not A signature detection)

 

[itman 1,659]

37 minutes ago, kamiran.asia said:

UDS : Urgent Detection System that use KSN (Not A signature detection)

Correction. It had been previously blacklisted by Kaspersky:

Quote

Information about suspicious activity is sent from a user’s computer to the KSN cloud. We don’t collect files, only information about them: which file tries to perform a suspicious task, what is the source of this file, which application launched it, etc.

It is often impossible to decide if a file is malicious or not, basing this decision only on data from one computer. The picture changes when it’s possible to analyze application behavior on multiple computers and also check it against a huge database of millions of legitimate apps and files. Using this data and heuristics, KSN makes a preliminary verdict about a suspected file.

If file behavior looks malicious, KSN instantly adds it to the database of our Urgent Detection System (UDS), instantly available to all users. Otherwise we add this file to an allowlist.

https://www.kaspersky.com/blog/ksn/2561/

Edited June 17, 2021 by itman

[itman 1,659]

BTW as a test, I downloaded KVRT from the MajorGeeks web site and it has a valid signature. Again, stay away from downloads employing Russian servers:

Edited June 18, 2021 by itman