Jump to content

URL/Urlik.AAR Object - pastebin - virus?


Go to solution Solved by Nataniell,

Recommended Posts

Posted (edited)

No, just one, that log shows the first settings and then your adjusted settings together

Edited by Nataniell
Link to comment
Share on other sites

5 minutes ago, Nataniell said:

No, just one, that log shows the first settings and then your adjusted settings together

Delete the first HIPS rule. The only one that should be active is the one I posted. Then clear your HIPS log so only cmd.exe startup entries are shown thereafter.

Link to comment
Share on other sites

I am going to dinner. Will log back on later. In the mean time post a new HIPS log after doing the above.

Link to comment
Share on other sites

I will also add once you post the screen shot of the HIPS detection's for only cmd.exe startup, disable the HIPS rule by removing its checkmark. Make sure to save this change. Otherwise, your HIPS log will become huge with all these blocked entries.

Link to comment
Share on other sites

Waiting for a new HIPS log screenshot, I've extracted relevant entries from the above log;

Eset_HIPS_Log.thumb.png.514a60a17fd0466c0bbf6ec41b16799c.png

@Marcos, I found a posting on Reddit that appears related;

Quote

The string might be different for you. Secureboot.exe in "C:\ProgramFiles\WindowsPowerShell\Modules\SecureBoot" creates that file and writes to it, then marks it for deletion, and then cmd.exe launches and reads that file before the file vanishes. I assume this is the actual miner command which is running inside cmd.exe )

https://www.reddit.com/r/antivirus/comments/19afutf/cmdexe_using_30_cpu_how_can_i_find_out_what/

I suspect SecureBoot directory files might be the source here.

In any case, a very nasty coinminer indeed.

Link to comment
Share on other sites

After fresh boot only 3 apps are in HIPS rulle, chrome.exe, bluemail.exe, secureboot64.exe as you mention...

 

image.thumb.png.1e35c38443aeb99307f7461855520c9a.png

Link to comment
Share on other sites

As referenced in the above linked Reddit article, this also can track cmd.exe execution: https://superuser.com/questions/1575059/how-to-tell-what-command-were-executed-by-cmd-exe-pop-up . Problem is it's enabled via Group Policy and you need a Win Pro version for that.

Edited by itman
Link to comment
Share on other sites

9 minutes ago, Nataniell said:

I have Win Pro. What I should do? 

Nothing for the time being. I saw another posting where the poster started he couldn't get it to work.

Link to comment
Share on other sites

39 minutes ago, Nataniell said:

I did the setup as instructed and got this log.

You can disable the Group Policy entry.

It's purpose was to detect what was running cmd.exe in console host mode; i.e. the black window for it appears on the desktop.

It's a given this coinminer is running cmd.exe in hidden mode.

Link to comment
Share on other sites

1 minute ago, itman said:

You can disable the Group Policy entry.

It's purpose was to detect what was running cmd.exe in console host mode; i.e. the black window for it appears on the desktop.

It's a given this coinminer is running cmd.exe in hidden mode.

Yes, but that log also found secureboot.exe. So how can I cure this? 

Link to comment
Share on other sites

  • Solution

Ok I just deleted \ProgramData\Microsoft\Windows\SystemSecure\Modules\System\secureboot64.exe

And pastebin detection has gone. This path was invisible in windows browser. I had to use Autorun to locate this file.

I hope this deletion was enough. 

Link to comment
Share on other sites

13 minutes ago, Nataniell said:

Ok I just deleted \ProgramData\Microsoft\Windows\SystemSecure\Modules\System\secureboot64.exe

Yes, indeed, I have never see a reference to secureboot64.exe. On the other hand, I have seen references to secureboot.exe there although I could not find any detailed explanation on it.

Reboot your PC and hopefully you won't have any problems booting Windows. If you do, you will have to enter Recovery mode and run Startup Repair option.

Edited by itman
Link to comment
Share on other sites

2 minutes ago, itman said:

\ProgramData\Microsoft\Windows\SystemSecure\Modules\System\

Recheck this folder again and see what is stored there.

Link to comment
Share on other sites

4 minutes ago, Nataniell said:

A lot of things

What I meant is if secureboot.exe exits there.

Link to comment
Share on other sites

Another question.

Did Autoruns show this entry,  \ProgramData\Microsoft\Windows\SystemSecure\Modules\System\secureboot64.exe, in red color?

Link to comment
Share on other sites

  • Administrators

Could you please upload the file secureboot64.exe (~700 MB) compressed in an archive to https://www.virustotal.com and share the link to scan results? It appears that a file with such name has never been uploaded there for a scan.

 

Link to comment
Share on other sites

6 hours ago, itman said:

Another question.

Did Autoruns show this entry,  \ProgramData\Microsoft\Windows\SystemSecure\Modules\System\secureboot64.exe, in red color?

Yes it was red. And file not exist anymore here. I uploaded file to virust total through AutoRun but I don't know if scan was completed before deletion.

Link to comment
Share on other sites

My guess here is secureboot64.exe started secureboot.exe with a command line string for cmd.exe to connect to the pastebin domain hosting the coinminer. If this is the case, we now have another Win "living-off-the-land" attack method.

 

Link to comment
Share on other sites

@Nataniell. also monitor Chrome and your e-mail client for any abnormal behavior since cmd.exe was being started from both which is not normal. My guess here is this was to disable the coin miner when either was executing to avoid detection via sluggish performance and the like. My guess is there won't be any problems since whatever was being executed would just fail.

Link to comment
Share on other sites

Join the conversation

You can post now and register later. If you have an account, sign in now to post with your account.
Note: Your post will require moderator approval before it will be visible.

Guest
Reply to this topic...

×   Pasted as rich text.   Paste as plain text instead

  Only 75 emoji are allowed.

×   Your link has been automatically embedded.   Display as a link instead

×   Your previous content has been restored.   Clear editor

×   You cannot paste images directly. Upload or insert images from URL.

  • Recently Browsing   0 members

    • No registered users viewing this page.
×
×
  • Create New...