Threat Removed


Go to solution Solved by Marcos,

I have hundreds of popups saying a threat (Trojan downloader) was found in a file that powershell tried to access.

[screenshot of the popup attached]

The "file" link in the popup only contains the text "script" so that isn't of any use.

I have run a scan with no detections.

Log record:

Time;Scanner;Object type;Object;Detection;Action;User;Information;Hash;First seen here
01-Feb-23 9:53:16 PM;AMSI scanner;file;script;PowerShell/TrojanDownloader.Agent.GHN trojan;blocked;<ComputerName>\<UserName>;;4701E8D5946643D4AFE68AE5786FE84335C95BA9;

I ran diagnostics for a few minutes and stopped it shortly after the detection. Logs attached. I had to delete the 5 .pcapng files as these were ~100MB each and pushed the zip over the upload limit. Can attach them individually if need be.

Thanks

Diagnostics.zip


  • Administrators
  • Solution

Please provide these files (do not delete them yet):

C:\WINDOWS\System32\A3DA.tmp\A3EB.tmp.ps1
C:\WINDOWS\System32\DFBE.tmp\DFBF.tmp.ps1


Seems to have stopped after a reboot 👍

I've found a 7zip archive of the A3DA folder that EIS warned about some time ago, but I otherwise deleted, if you want it for analysis (attached). I further zipped it to upload, but can't rezip the original files due to EIS quarantining with any interaction.

Thanks

A3DA.tmp.possibleVirus.7z.zip


  • Administrators

We were able to add a detection based on your logs and the sample above confirmed that we were right. The script is a loader detected as PowerShell/Agent.ASW trojan. The payload had already been detected for some time.

Thank you.


A few comments here.

There are multiple postings in the forum about this attack method. The malware creators are exploiting a Windows bypass method to get around directly dropping a file into the System32 directory. Namely, create a directory there and drop your file into that directory.

Next is the "folly" in using signatures to detect a malicious script. As shown multiple times at malwaretips.com, a minor script modification will defeat an existing Eset signature detection of the original script. The poster was lucky here in that the payload deployed by the script was one Eset had a signature detection for. If the payload was a 0-day one, he would have been nailed.

Eset HIPS needs to be "beefed up" to detect suspicious script file creations. A file being created under hidden file criteria, e.g. xxxxxx.tmp.ps1, with a script suffix is suspicious and should be quarantined until it is further examined by a malware expert.

Alternatively, implement what Microsoft Defender does via optional ASR rule. Block execution of any obfuscated script via HIPS option.

Edited by itman
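The heuristic itman describes (a script extension hiding behind a .tmp name, inside a .tmp-named folder directly under System32) can be expressed as a simple triage check over file-creation events. This is an added example for illustration, not ESET's or Windows' detection logic; the event records and field names below are constructed assumptions, with only the two paths Marcos asked for taken from the thread.

```python
"""Flag *.tmp.ps1-style scripts dropped into a .tmp folder under System32.

Added example, not ESET detection logic. Event dicts and their field names
("path", "process") are assumptions standing in for file-creation telemetry.
"""
import re
from pathlib import PureWindowsPath

# Location the thread is about (assumed canonical spelling; compared case-insensitively).
SYSTEM32 = PureWindowsPath(r"C:\Windows\System32")
# GetTempFileName-style names: up to four hex digits plus ".tmp".
TMP_DIR_RE = re.compile(r"^[0-9A-F]{1,4}\.tmp$", re.I)
# Same temp-style stem, but with a script extension appended (assumed list).
TMP_SCRIPT_RE = re.compile(r"^[0-9A-F]{1,4}\.tmp\.(ps1|psm1|vbs|js|bat|cmd)$", re.I)


def is_suspicious_script_path(path: str) -> bool:
    """True when a script sits in a temp-looking folder directly under System32
    and itself carries a temp-looking name with a script suffix."""
    p = PureWindowsPath(path)
    folder = p.parent
    # The .tmp folder must be an immediate child of System32.
    if str(folder.parent).lower() != str(SYSTEM32).lower():
        return False
    return bool(TMP_DIR_RE.match(folder.name) and TMP_SCRIPT_RE.match(p.name))


def triage(events):
    """Return only the events that match the heuristic, for analyst review."""
    return [e for e in events if is_suspicious_script_path(e["path"])]


# Constructed sample events (not real telemetry); the first two paths are from the thread.
SAMPLE_EVENTS = [
    {"path": r"C:\WINDOWS\System32\A3DA.tmp\A3EB.tmp.ps1", "process": "powershell.exe"},
    {"path": r"C:\WINDOWS\System32\DFBE.tmp\DFBF.tmp.ps1", "process": "powershell.exe"},
    # Legitimate module shipped with Windows: nested deeper, normal name -> not flagged.
    {"path": r"C:\Windows\System32\WindowsPowerShell\v1.0\Modules\PSDiagnostics\PSDiagnostics.psm1",
     "process": "TrustedInstaller.exe"},
    # Ordinary temp file in a user profile -> not flagged.
    {"path": r"C:\Users\alice\AppData\Local\Temp\1A2B.tmp", "process": "msiexec.exe"},
    # Temp-looking folder under System32 but no script suffix -> not flagged.
    {"path": r"C:\WINDOWS\System32\A3DA.tmp\readme.txt", "process": "notepad.exe"},
]

if __name__ == "__main__":
    for event in triage(SAMPLE_EVENTS):
        print("SUSPICIOUS:", event["path"], "written by", event["process"])
```

The check is deliberately narrow (folder directly under System32, temp-style names on both folder and file) so it can run as a high-signal alert rather than a blanket block on scripts.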

  • Administrators
8 hours ago, itman said:

Block execution of any obfuscated script via HIPS option.

Obfuscated scripts are used by legitimate tools and on the Internet even by bank sites.
