URL/Urlik.AAR Object - pastebin - virus?


Go to solution Solved by Nataniell,


5 minutes ago, Nataniell said:

No, just one, that log shows the first settings and then your adjusted settings together

Delete the first HIPS rule. The only one that should be active is the one I posted. Then clear your HIPS log so only cmd.exe startup entries are shown thereafter.


I will also add: once you post the screenshot of the HIPS detections for only cmd.exe startup, disable the HIPS rule by removing its checkmark. Make sure to save this change. Otherwise, your HIPS log will become huge with all these blocked entries.


Waiting for a new HIPS log screenshot, I've extracted relevant entries from the above log:

[Screenshot attachment: Eset_HIPS_Log.png]

@Marcos, I found a posting on Reddit that appears related:

Quote

The string might be different for you. Secureboot.exe in "C:\ProgramFiles\WindowsPowerShell\Modules\SecureBoot" creates that file and writes to it, then marks it for deletion, and then cmd.exe launches and reads that file before the file vanishes. I assume this is the actual miner command which is running inside cmd.exe.

https://www.reddit.com/r/antivirus/comments/19afutf/cmdexe_using_30_cpu_how_can_i_find_out_what/

I suspect SecureBoot directory files might be the source here.

In any case, a very nasty coinminer indeed.


As referenced in the above linked Reddit article, this also can track cmd.exe execution: https://superuser.com/questions/1575059/how-to-tell-what-command-were-executed-by-cmd-exe-pop-up . The problem is it's enabled via Group Policy and you need a Win Pro version for that.

Edited by itman

39 minutes ago, Nataniell said:

I did the setup as instructed and got this log.

You can disable the Group Policy entry.

Its purpose was to detect what was running cmd.exe in console host mode; i.e. the black window for it appears on the desktop.

It's a given this coinminer is running cmd.exe in hidden mode.


1 minute ago, itman said:

You can disable the Group Policy entry.

Its purpose was to detect what was running cmd.exe in console host mode; i.e. the black window for it appears on the desktop.

It's a given this coinminer is running cmd.exe in hidden mode.

Yes, but that log also found secureboot.exe. So how can I cure this?


  • Solution

Ok I just deleted \ProgramData\Microsoft\Windows\SystemSecure\Modules\System\secureboot64.exe

And the pastebin detection has gone. This path was invisible in the Windows file browser. I had to use Autoruns to locate this file.

I hope this deletion was enough.


13 minutes ago, Nataniell said:

Ok I just deleted \ProgramData\Microsoft\Windows\SystemSecure\Modules\System\secureboot64.exe

Yes, indeed, I have never seen a reference to secureboot64.exe. On the other hand, I have seen references to secureboot.exe there, although I could not find any detailed explanation of it.

Reboot your PC and hopefully you won't have any problems booting Windows. If you do, you will have to enter Recovery mode and run Startup Repair option.

Edited by itman

  • Administrators

Could you please upload the file secureboot64.exe (~700 MB) compressed in an archive to https://www.virustotal.com and share the link to scan results? It appears that a file with such name has never been uploaded there for a scan.


6 hours ago, itman said:

Another question.

Did Autoruns show this entry, \ProgramData\Microsoft\Windows\SystemSecure\Modules\System\secureboot64.exe, in red color?

Yes, it was red. And the file does not exist here anymore. I uploaded the file to VirusTotal through Autoruns, but I don't know if the scan was completed before deletion.


My guess here is secureboot64.exe started secureboot.exe with a command line string for cmd.exe to connect to the pastebin domain hosting the coinminer. If this is the case, we now have another Win "living-off-the-land" attack method.


@Nataniell, also monitor Chrome and your e-mail client for any abnormal behavior, since cmd.exe was being started from both, which is not normal. My guess here is this was to disable the coin miner when either was executing to avoid detection via sluggish performance and the like. My guess is there won't be any problems since whatever was being executed would just fail.

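Both the Group Policy auditing itman referenced earlier (tracking what launches cmd.exe) and the advice just above to watch Chrome and the e-mail client for cmd.exe launches come down to reading Windows process-creation events. The script below is an added example, not code from this thread or from ESET or Sysinternals; it assumes that "Audit Process Creation" with command-line logging is enabled (the comments show the equivalent commands to the Group Policy setting) and that it runs from an elevated PowerShell prompt. The function name Get-CmdExeStarts and the 24-hour window are my own choices.

```powershell
# Added example: list cmd.exe launches from the Security log (Event ID 4688)
# together with the parent process and the full command line, so a cmd.exe
# started in hidden mode can still be attributed and its command line read back.
#
# Equivalent of the Group Policy settings, if they are not already on:
#   auditpol /set /subcategory:"Process Creation" /success:enable
#   reg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\Audit" `
#       /v ProcessCreationIncludeCmdLine_Enabled /t REG_DWORD /d 1 /f

function Get-CmdExeStarts {
    param(
        # How far back to look; 24 hours is an assumed default.
        [int]$Hours = 24
    )
    $since = (Get-Date).AddHours(-$Hours)
    $events = Get-WinEvent -FilterHashtable @{
        LogName   = 'Security'
        Id        = 4688
        StartTime = $since
    } -ErrorAction SilentlyContinue

    foreach ($e in $events) {
        $p = $e.Properties
        # Property order for 4688 on Windows 10/11:
        #   5 = NewProcessName, 8 = CommandLine, 13 = ParentProcessName
        if ($p.Count -lt 14) { continue }
        if ($p[5].Value -notlike '*\cmd.exe') { continue }
        [pscustomobject]@{
            Time    = $e.TimeCreated
            Parent  = $p[13].Value
            Command = $p[8].Value
        }
    }
}

# Which parents launch cmd.exe, and how often. A browser, a mail client, or an
# executable living under ProgramData as the parent is the kind of entry worth
# a closer look, as discussed in this thread.
Get-CmdExeStarts -Hours 24 |
    Group-Object Parent |
    Sort-Object Count -Descending |
    Select-Object Count, Name

# The individual launches with their full command lines.
Get-CmdExeStarts -Hours 24 | Format-Table -AutoSize -Wrap
```

The first listing is the one to read after the HIPS log has been cleared: it answers "what is starting cmd.exe" without needing the black console window to appear, and the second shows the command line that a hidden cmd.exe was given, which is what the Reddit poster recovered by catching the temporary file before it was deleted.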