Nataniell, posted June 21: "Hello, I need help with a detection. Eset regularly blocks this web address several times a day, even when I'm not doing anything on the PC. This means something is running in the background. I've run several scans and found nothing." "HTTP filter; file; https://pastebin.com/raw/GirGW7HW; URL/Urlik.AAR Object; connection interrupted; NT AUTHORITY\SYSTEM; This event occurred when trying to access the web by the application: C:\Windows\System32\cmd.exe (7140CAF2A73676D1F7CD5E8529DB861F4704C939); 67F7C5BB2071A4533299569C687A1CB8D5D03BAF;"
Marcos (Administrator), posted June 21: Please provide logs collected with ESET Log Collector.
Nataniell (author), posted June 21: Here: eis_logs.zip
Marcos (Administrator), posted June 21: According to the content downloaded from pastebin, it looks like a coinminer attempted to download a configuration JSON file, which was blocked. However, the detection occurred only once, on 15. 6. 2024 at 22:36, and the logs do not show anything suspicious, which is in contrast with your statement that the address was blocked several times a day. Please clarify.
Nataniell (author), posted June 21: Because I accidentally deleted the entire web protocol instead of one line, the connections are not visible there, but I can collect again. The block pops up after every restart and login to Windows.
Marcos (Administrator), posted June 21: Please provide also a Procmon boot log. After a reboot, stop logging only after the detection has occurred and then collect also fresh ELC logs.
itman, posted June 21: Cmd.exe shouldn't be establishing an Internet connection. Probably some script is running it at system startup time. If you create a HIPS ask rule to monitor cmd.exe startup, this will show what is running it. My suspicion is the Windows Task Scheduler service, or the script is started via a registry Run key.
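The two autostart locations itman suspects (registry Run keys and scheduled tasks) can be triaged read-only before touching HIPS. The script below is an added example written for this thread, not code from the forum, ESET or any poster; it assumes a Windows host with the built-in ScheduledTasks module, and the regex patterns it flags (the pastebin.com host from the detection above plus generic URL and download-utility patterns) are a triage heuristic, not an ESET signature.

```powershell
# Added example (not from the thread): list Run/RunOnce entries and scheduled
# tasks that launch cmd.exe, and rate them by whether the command line carries
# a URL or a download/script-execution pattern. Read-only; run elevated so
# HKLM and every user's tasks are visible.

# Heuristic patterns; the pastebin host comes from the ESET event in the thread.
$downloadRegex = @(
    'pastebin\.com',
    'https?://',
    'powershell[^|]*-e(nc|ncodedcommand)?\s',
    'bitsadmin|certutil[^|]*-urlcache|curl\s|wget\s|Invoke-WebRequest|DownloadString'
) -join '|'

function Get-CommandSeverity {
    # Returns 'high' for cmd.exe plus a download pattern, 'review' for any
    # cmd.exe launch, $null when the command does not involve cmd.exe at all.
    param([string]$CommandLine)
    if ([string]::IsNullOrWhiteSpace($CommandLine)) { return $null }
    if ($CommandLine -notmatch '\bcmd(\.exe)?\b') { return $null }
    if ($CommandLine -match $downloadRegex) { return 'high' }
    return 'review'
}

function Get-RunKeyFindings {
    # Per-machine and per-user Run/RunOnce keys, including the WOW6432Node view.
    $runKeys = @(
        'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
        'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
        'HKLM:\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Run',
        'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
        'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce'
    )
    foreach ($key in $runKeys) {
        if (-not (Test-Path $key)) { continue }
        $item = Get-ItemProperty -Path $key
        foreach ($prop in $item.PSObject.Properties) {
            if ($prop.Name -like 'PS*') { continue }   # skip provider metadata
            $sev = Get-CommandSeverity ([string]$prop.Value)
            if ($sev) {
                [pscustomobject]@{
                    Severity = $sev; Source = $key; Name = $prop.Name
                    RunsAs   = 'logged-on user'; Command = $prop.Value
                }
            }
        }
    }
}

function Get-TaskFindings {
    # Every action of every task; the ESET event ran as NT AUTHORITY\SYSTEM,
    # so the principal is reported alongside the command.
    foreach ($task in Get-ScheduledTask) {
        foreach ($action in $task.Actions) {
            $cmd = "$($action.Execute) $($action.Arguments)"
            $sev = Get-CommandSeverity $cmd
            if ($sev) {
                [pscustomobject]@{
                    Severity = $sev
                    Source   = "Task $($task.TaskPath)$($task.TaskName)"
                    Name     = $task.State
                    RunsAs   = $task.Principal.UserId
                    Command  = $cmd
                }
            }
        }
    }
}

Get-RunKeyFindings, Get-TaskFindings |
    ForEach-Object { & $_ } |
    Sort-Object Severity |
    Format-Table -AutoSize -Wrap
```

Entries rated 'review' are ordinary cmd.exe launches that may well be legitimate installer or vendor tasks; the ones to compare against the ESET event are 'high' entries running as SYSTEM, which is the account the detection attributed the connection to. The script only reports; removing an entry is a separate, deliberate step once its origin is understood.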
Nataniell (author), posted June 21: When I started Process Monitor, the warning did not appear yet. It popped up once before I started the monitor process. I am posting it in this log. About HIPS... I am not a pro user, so I don't know how to set up an ask rule. eis_logs.zip
itman, posted June 21: I will add that coinminers have code to monitor for surveillance attempts. It might have just shut down when it saw Process Monitor running.
itman, posted June 21: Another point to note is you should avoid pastebin.com. It's loaded with malware: https://www.fortinet.com/blog/threat-research/malicious-use-of-pastebin
Nataniell (author), posted June 21: Okay, and if he can't detect it through the monitor, is there any chance to find and destroy the source?
itman, posted June 21 (edited): Per VirusTotal: https://www.virustotal.com/gui/url/73af357fc3e66e32a335e0ba9450945b4ef46a2d59ff806ee23e6caec07c2831/detection , this might be related to Sysrv-hello crypto-jacking botnet activity. Analysis of it is here: https://darktrace.com/blog/worm-like-propagation-of-sysrv-hello-crypto-jacking-botnet . If this is the case, the coinminer is an undetected variant of xmrig. On the other hand, a related Eset detection earlier this year turned out to be a false positive: https://forum.eset.com/topic/39655-urlurlikaad-false-positive/ A posting 5 months ago directly related to this Eset detection, including cmd.exe as the source process connecting to pastebin.com, is on Reddit here: https://www.reddit.com/r/cybersecurity_help/comments/1ad2ad6/my_workstation_has_installed_cryptomining_malware/ . The problem is that no resolution to the issue was posted.
Marcos (Administrator), posted June 22: 6 hours ago, Nataniell said: "When I started Process Monitor, the warning did not appear yet. It popped up once before I started the monitor process. I am posting it in this log. About HIPS... I am not a pro user, so I don't know how to set up an ask rule." A Procmon boot log was not provided. First launch Procmon, then enable the option to create a boot log and reboot the machine. After the reboot, wait a bit until the detection occurs, then stop logging and save the log unfiltered in the PML format. Compress the PML log and supply it along with fresh ELC logs for perusal.
Nataniell (author), posted June 22: 6 hours ago, Marcos said: "A Procmon boot log was not provided. First launch Procmon, then enable the option to create a boot log and reboot the machine. After the reboot, wait a bit until the detection occurs, then stop logging and save the log unfiltered in the PML format. Compress the PML log and supply it along with fresh ESET Log Collector logs for perusal." I am trying to explain that since I turned on Procmon, the detection has not shown up.
itman, posted June 22: 13 hours ago, Marcos said: "A Procmon boot log was not provided. First launch Procmon, then enable the option to create a boot log and reboot the machine. After the reboot, wait a bit until the detection occurs, then stop logging and save the log unfiltered in the PML format. Compress the PML log and supply it along with fresh ELC logs for perusal." My opinion here is that whatever is starting/monitoring the coinminer detects Procmon is running and won't start the coinminer. Perhaps SysInternals Autoruns is a better diagnostic choice. Also, doesn't Eset SysInspector detect Windows startup tasks?
Marcos (Administrator), posted June 22: 3 hours ago, itman said: "Also, doesn't Eset SysInspector detect Windows startup tasks?" There's nothing suspicious in autostart locations. However, I'd recommend removing MBAM and enabling detection of potentially unsafe applications. On 6/21/2024 at 7:28 PM, Nataniell said: "When I started Process Monitor, the warning did not appear yet." Just to make sure, did you enable boot logging in Procmon, then reboot the machine and wait for the detection to occur?
itman, posted June 22: An example of a coinminer that detects monitoring processes and terminates itself: "While running, the miner will constantly poll the list of running processes. If it detects processes running for Process Explorer, Task Manager, Process Monitor, Process Hacker, AnVir Task Manager, PlayerUnknown's Battlegrounds (PUBG), Counterstrike: Global Offensive, Rainbow Six, or Dota 2, it will terminate the attrib.exe and Iostream.exe processes." https://www.bleepingcomputer.com/news/security/cryptocurrency-miner-plays-hide-and-seek-with-popular-games-and-tools/
Nataniell (author), posted June 22: 36 minutes ago, Marcos said: "There's nothing suspicious in autostart locations. However, I'd recommend removing MBAM and enabling detection of potentially unsafe applications. Just to make sure, did you enable boot logging in Procmon, then reboot the machine and wait for the detection to occur?" I did. Today I waited the whole day after the reboot and there was no detection. I'll try one day without Procmon enabled.
itman, posted June 22: 38 minutes ago, Marcos said: "enabling detection of potentially unsafe applications" Oh, my. Most definitely this needs to be done, since Eset detects XMRig as a PUA.
Nataniell (author), posted June 22: You mean this?? Do I turn on aggressive?
itman, posted June 22: 10 minutes ago, Nataniell said: "You mean this?? Do I turn on aggressive?" Yes. Have you uninstalled MBAM?
Nataniell (author), posted June 22: Yes.
itman, posted June 22 (edited): Reboot and immediately start an Eset scan.
Nataniell (author), posted June 22: That's clear. I uninstalled MBAM, restarted the PC, and the detection appeared. Of course, I didn't have the monitor with the boot log turned on. I tried turning the monitor back on and restarting, and the detection didn't show up. So, the boot log recognizes it and avoids it. Now I am scanning with Eset again.
Nataniell (author), posted June 22: eis_logs.zip: log from the last scan. I don't see any changes, but you can see more detections there.