itman, posted June 22:
My best guess at this point is a Win service has been created that auto-runs at system startup time. I saw something similar running as: svchost.exe cmd http:\\some IP address with pastebin.com URL.
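An added example, not from the thread and not ESET's or itman's code, that checks the guess above the way an investigator would at the console: it lists the autostart locations a Windows service or task would be registered in and flags entries whose command line mentions cmd.exe, pastebin.com or a URL. The regex and the requirement for an elevated prompt are assumptions of this example; the locations queried are the ones Autoruns also enumerates.

```powershell
# Added example (not from the thread): hunt autostart entries whose command line matches
# the pattern described above (cmd.exe launching something that fetches a URL).
# Run from an elevated PowerShell prompt. The regex is an assumption; tighten it to
# whatever the ESET alert actually shows on the affected machine.
$Pattern = 'cmd(\.exe)?\s|pastebin\.com|https?:'

# 1. Services: PathName is the exact command the Service Control Manager runs at boot.
$services = Get-CimInstance Win32_Service |
    Where-Object { $_.PathName -match $Pattern } |
    Select-Object Name, StartMode, State, PathName

# 2. Scheduled tasks: inspect every action's executable plus its arguments.
$tasks = Get-ScheduledTask | ForEach-Object {
    $task = $_
    foreach ($a in $task.Actions) {
        $cmd = "$($a.Execute) $($a.Arguments)"
        if ($cmd -match $Pattern) {
            [pscustomobject]@{
                TaskPath = $task.TaskPath
                TaskName = $task.TaskName
                State    = $task.State
                Command  = $cmd
            }
        }
    }
}

# 3. Run / RunOnce keys for the machine (native and WOW64 views) and the current user.
$runKeys = 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
           'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
           'HKLM:\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run',
           'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
           'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce'
$runEntries = foreach ($key in $runKeys) {
    if (Test-Path $key) {
        $props = Get-ItemProperty $key
        foreach ($p in $props.PSObject.Properties) {
            # Skip the PSPath/PSParentPath/... provider properties Get-ItemProperty adds.
            if ($p.Name -notmatch '^PS' -and "$($p.Value)" -match $Pattern) {
                [pscustomobject]@{ Key = $key; Name = $p.Name; Command = $p.Value }
            }
        }
    }
}

# 4. WMI permanent event subscriptions: fileless persistence that Autoruns lists too.
$wmiConsumers = Get-CimInstance -Namespace root\subscription -ClassName CommandLineEventConsumer |
    Where-Object { "$($_.ExecutablePath) $($_.CommandLineTemplate)" -match $Pattern } |
    Select-Object Name, ExecutablePath, CommandLineTemplate

'--- Services matching pattern ---';         $services     | Format-Table -AutoSize
'--- Scheduled tasks matching pattern ---';  $tasks        | Format-Table -AutoSize
'--- Run keys matching pattern ---';         $runEntries   | Format-Table -AutoSize
'--- WMI consumers matching pattern ---';    $wmiConsumers | Format-Table -AutoSize
```

An empty result is not proof of a clean machine: every query above goes through the live OS APIs, so an active rootkit that hides its service or registry value from the running system also hides it here, which is exactly why booting from clean media and scanning the disk offline is the stronger check.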
Nataniell (author), posted June 22:
OK, so any more ideas what I can do?
itman, posted June 22 (edited):
> Nataniell, 1 hour ago: OK, so any more ideas what I can do?

Let's wait till the ESET scan completes to see if it found anything.
Nataniell (author), posted June 23:
ESET found nothing new.
itman, posted June 23:
Something new today. ESET has blacklisted the pastebin.com domain used by this coinminer. As such, you should no longer be receiving any ESET alerts when the coinminer attempts to connect to the pastebin.com domain in question. Rather, the connection attempt is silently blocked by ESET HTTP filtering. This can be verified by reviewing the ESET filtered websites log. However, the coinminer still exists on your device.
Nataniell (author), posted June 23:
OK, so I have to format the disk?
itman, posted June 23:
> Nataniell, 32 minutes ago: OK, so I have to format the disk?

Wait till tomorrow to see what @Marcos can come up with. It's the weekend and ESET support personnel are not at work.
Marcos (Administrator), posted June 24:
Is the threat detected or the pastebin URL blocked whenever you reboot the machine without Procmon running?
Nataniell (author), posted June 24 (edited):
Yes. If Procmon is not running, it happens within 2-3 minutes after every reboot.
Marcos (Administrator), posted June 24:
What if you rename procmon.exe to proc.cmd, for instance, and run it under this name?
Nataniell (author), posted June 24:
Renaming does not work.
itman, posted June 24:
> Nataniell, 50 minutes ago: Renaming does not work.

Do you mean that Process Monitor would not start when named proc.cmd? If that is the case, rename it to monitor.exe and see if that works.
Marcos (Administrator), posted June 24:
Please provide logs from the Autoruns and Gmer tools as well. Also, to rule out a possible active rootkit being on the machine and hiding the malware, I'd recommend starting the system from a clean medium and running a disk scan, e.g. with the ESET Online Scanner.
Nataniell (author), posted June 24:
> Marcos, 3 hours ago: Please provide logs from the Autoruns and Gmer tools as well. Also, to rule out a possible active rootkit being on the machine and hiding the malware, I'd recommend starting the system from a clean medium and running a disk scan, e.g. with the ESET Online Scanner.

What do you mean by starting the system from a clean medium? I'm sending logs from Autoruns and Gmer, but I'm not sure if I've collected them correctly with the correct settings.
(attachment: logs.rar)
itman, posted June 24:
@Marcos, here's an article on a coinminer with behavior similar to what is going on here: https://asec.ahnlab.com/en/40673/ . It includes pastebin.com use, etc. It also used a .json file to deploy the xmrig coinminer.
MHRSFI, posted June 24 (edited):
I believe we can use HIPS rules to identify which file is executing the command to connect to pastebin.com. Here's how you can do it:
1. Navigate to Settings > HIPS > Rules
2. Click Add
3. Enter a name for the rule
4. For the action, select Block
5. Enable the Application toggle, the Enable toggle, and the Notify user toggle
6. Set the logging severity to Warning
7. In the Source applications window, click Add and enter C:\Windows\System32\cmd.exe
8. On the next page, enable the Start new application toggle
9. Select All applications from the drop-down menu and click Finish
After this, you will be able to see in the HIPS logs which application is executing cmd.exe.
Nataniell (author), posted June 24 (edited):
This one? @MHRSFI
MHRSFI, posted June 24:
> Nataniell, 22 minutes ago: This one? @MHRSFI

I don't see anything wrong with the log in your picture. Could you try adding another rule similar to the previous one? For step 5, instead of adding cmd.exe, select All applications. On the next page, enable All application operations. Then click Add and enter C:\Windows\System32\cmd.exe. If you find these rules unhelpful, you should remove them.
Nataniell (author), posted June 24 (edited):
> MHRSFI, 5 minutes ago: I don't see anything wrong with the log in your picture. Could you try adding another rule similar to the previous one? For step 5, instead of adding cmd.exe, select All applications. On the next page, enable All application operations. Then click Add and enter C:\Windows\System32\cmd.exe. If you find these rules unhelpful, you should remove them.

Conhost.exe is in that picture... This conhost uses cmd.exe after reboot.
itman, posted June 24 (edited):
> MHRSFI, 1 hour ago:
> 7. In the Source applications window, click Add and enter C:\Windows\System32\cmd.exe
> 8. On the next page, enable the Start new application toggle
> 9. Select All applications from the drop-down menu

Change the rule to the following:
1. In the Source applications window, delete C:\Windows\System32\cmd.exe. In the top window, select "All applications."
2. In the Applications section, in the top window select "Specific applications." Then add C:\Windows\System32\cmd.exe and C:\Windows\SysWOW64\cmd.exe.
This will show what is running cmd.exe. I suspect it will show svchost.exe, which really tells us nothing since we need to know what service is being used. Post a screenshot of the ESET alert. I believe that might show the service being used.
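An added example, not from the thread and not ESET's or itman's code, that does at the console what the rule above is after and fills the gap itman points out: it records which process launches cmd.exe and, when that parent is svchost.exe, resolves the service(s) hosted in that PID via Win32_Service.ProcessId, which the HIPS alert (parent image name only) cannot show. It assumes an elevated PowerShell session that is left open across the 2-3 minute window after reboot, and the log path C:\Temp\cmd-parents.log; both are assumptions of this example.

```powershell
# Added example (not from the thread): log which process starts cmd.exe and, when the
# parent is svchost.exe, which service(s) live in that process. Run from an elevated
# PowerShell window right after logon and leave the window open; the event subscription
# is tied to this session. The log path is an assumption.
$LogPath = 'C:\Temp\cmd-parents.log'
New-Item -ItemType Directory -Path (Split-Path $LogPath) -Force | Out-Null

# Win32_ProcessStartTrace fires on every process creation and carries the parent PID,
# which is the datum a parent image name alone does not give.
$Query = "SELECT * FROM Win32_ProcessStartTrace WHERE ProcessName = 'cmd.exe'"

$Action = {
    $e = $Event.SourceEventArgs.NewEvent
    # Either lookup can come back empty if the process has already exited; a short-lived
    # cmd.exe is normal, so the PIDs from the event itself are the reliable part.
    $child  = Get-CimInstance Win32_Process -Filter "ProcessId = $($e.ProcessID)"
    $parent = Get-CimInstance Win32_Process -Filter "ProcessId = $($e.ParentProcessID)"

    $fields = @((Get-Date -Format o), $e.ProcessID, $child.CommandLine,
                $e.ParentProcessID, $parent.Name, $parent.CommandLine)
    $line = '{0} cmd.exe pid={1} cmdline=[{2}] parent pid={3} image={4} parentcmdline=[{5}]' -f $fields

    # svchost.exe hosts many services; Win32_Service.ProcessId says which one(s) run in this PID.
    if ($parent.Name -eq 'svchost.exe') {
        $svc = (Get-CimInstance Win32_Service -Filter "ProcessId = $($e.ParentProcessID)").Name
        $line += ' services=[{0}]' -f ($svc -join ',')
    }
    Add-Content -Path $Event.MessageData -Value $line
}

Register-CimIndicationEvent -Query $Query -SourceIdentifier CmdParentTrace `
    -Action $Action -MessageData $LogPath | Out-Null
"Listening for cmd.exe starts; results are appended to $LogPath."
"Stop with: Unregister-Event -SourceIdentifier CmdParentTrace"
```

Read the parentcmdline field before the image name: svchost.exe with the services list pins the launch to a service, while a parent such as wscript.exe or another cmd.exe points at the script or task that wrapped it. Like the HIPS rule, this observes the live system, so it inherits the same caveat as Marcos's rootkit point: a kernel-level rootkit that hides the process or service from WMI hides it from this log as well.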
Nataniell (author), posted June 24:
What now?
itman, posted June 24:
> Nataniell, 5 minutes ago: What now?

Something is wrong with your HIPS rule. Post a screenshot of the Source applications and Applications sections.
Nataniell (author), posted June 24:
First source apps, then applications.
itman, posted June 24:
> Nataniell, 2 minutes ago: First source apps

Does the shown wording translate to All Applications?
Nataniell (author), posted June 24:
Yes - "všechny aplikace" = "all applications".