Jump to content

Threat Found after reboot (BH/GenKryptic.1); in unknown file that powershell tried to access: CANNOT DELETE!

twingall1

By twingall1
in Malware Finding and Cleaning

 Share
Go to solution Solved by Marcos,

Recommended Posts

twingall1

twingall1 0

Posted
Posted

Every reboot >> 30seconds >> ESET notification pops up: "Threat (BH/GenKryptic.1) found in file that powershell tried to access"

..i click DELETE, but get the error message shown at the bottom of the screenshot attatched.

ESET does not tell me WHAT file is the infected one. But by checking EventViewer Powershell logs, looks like the file problem file was Microsoft_Framework.js(?) 

However, on scanning Microsoft_Framework.js, and Powershell.exe, individually via ESET; they come up clean. 

I'm at a loss here; need to get through two steps:

1: finding the infected file (making ESET notifs more verbose or some such??)

2: getting permissions to delete/restore the infected file

 

Any advice would be greatly appreciated,

Thanks,

T

Screenshot 2022-11-14 024756.png

Link to comment
Share on other sites
  • Administrators
Marcos

Marcos 4,909

Posted
  • Administrators
Posted

Please provide:

1, Microsoft_Framework.js
2, Logs collected with ESET Log Collector (select Threat detection from the menu)

Also move Microsoft_Framework.js to a separate folder (e.g. c:\eset), reboot the machine and see if the detection continues. Do not delete any suspicious files until we instruct you.

Link to comment
Share on other sites
twingall1

twingall1 0

Posted
  • Author
Posted

I managed to turn on Log collector just moments before the threat pop-up appeared (happens v soon after reboot)

I've given links the eis_logs.zip and the Microsoft_Framework.js (former too big too attach here, latter not permitted file extension)

Google drive links:

eis_logs.zip  https://drive.google.com/file/d/1miFz5wVnTkvasMc9YvAO3LBbsZV3aYoT/view?usp=sharing

Microsoft_Framework.js https://drive.google.com/file/d/1ctXsbLYoaKMSFmtavNe7oGars1BUU_zD/view?usp=sharing

 

... After this, i moved Microsoft_Framework.js to C:\eset as instructed and this worked: No threat message pop-up, yay, progress!

Please advise what i should do now; is there an easy way to replace Microsoft_Framework.js with non-infected version?

I am Windows 10 Home: Version 10.0.19043 Build 19043

Thanks for your speedy response and advice,

T

Link to comment
Share on other sites
twingall1

twingall1 0

Posted
  • Author
Posted
7 hours ago, twingall1 said:

... After this, i moved Microsoft_Framework.js to C:\eset as instructed and this worked: No threat message pop-up, yay, progress!

*no threat message pop-up after reboot

Link to comment
Share on other sites
  • Administrators
Marcos

Marcos 4,909

Posted
  • Administrators
Posted

Delete also HKCU\SOFTWARE\Microsoft\Mircosoft. It's just a benign blob that the PowerShell script reads, decrypts and loads. After decryption, it's detected as @Backdoor.MSIL/Agent.DAK, most likely with the detection added in 2016.

Link to comment
Share on other sites
twingall1

twingall1 0

Posted
  • Author
Posted

probably removed by ESET or malwarebytes already (just installed both in last couple days)

Can i live without Microsoft_Framework.js in it's original folder?

Link to comment
Share on other sites
  • Administrators
  • Solution
Marcos

Marcos 4,909

Posted
  • Administrators
  • Solution
Posted

You can delete it. The file is benign unless decrypted and run, however, it would be detected at this point. We are also going to add a detection for the PowerShell script that reads data from the file and runs the code after decryption.

Link to comment
Share on other sites
Guest
This topic is now closed to further replies.
 Share
Go to topic listing

  • Recently Browsing   0 members

    • No registered users viewing this page.
×
×
  • Create New...