One for the cybersec/linux guys

so i straight up dropped the ball and allowed an x.gen unpack to put a listener on my machine.

yeah i downloaded some jack sparra version of an ai upscaling software and low and behold …
a cmd/powershell is now opening up an hour (seems to only run once) after i turn on my system.
and trying to connect to a cdn :frowning: GRRRR! dam you cloud hosts :frowning:

ive blacklisted the ip its trying to dial out to. so its quarantined. (firewalled and host redirected to 0.0.0.0 just in case.) killed the ps1 shell it opened and same with the cmd.
but im struggling to find the dam things startup so i can kill it properly.

so suggestions on where i might look…
i have checked all the temp, tmp folders and nothing.

taskscheduler doesnt appear to have anything obvious. but i will have to look deeper to be sure.

no ps1 or bat/ini files that i can see for the date i infected the machine (12/10/22)

so now my plan is to boot into kali on the spare drive.
from there i can access all the windows files without needing to be system.
but searching via the terminal…
i need help :slight_smile:

is there a grep i can use to search the whole drive for specific file types.
or by data/time or even check the file contents for the known ip.
(i know what time i installed it, so should be pretty simple to find but no luck from inside windows so will try from linux)

ls -R | grep *.ext

is what im using atm… but theres still way to much output.
anyone got a better suggestion?

2 Likes

For starters, scan the Win-drive with rootkithunter and/or clamav.

If you uninstall the suspected s/w tool, does the powershell still come on?

1 Like

yeah. i killed the tool as soon as i realised what it had done.
and like i said it keeps popping up a powershell and cmd.
if i allow the ip the powershell backgrounds itself and starts a listener.
but if i block the ip the powershell quits as soon as it cant connect see a destination.

il give the anti-rootkit a look straight away cheers.

Could maybe get a local SBC with the target IP to fool the thing into thinking it is seeing its server.

2 Likes

Hey

Any decent threat is likely going to encode the domain it is hitting this will make it hard to grep for without determining the encoding method (usually converting the string into UTF-16 with the little endian byte order and then encoding in base64), without specific IOCs (indicators of compromise) I can’t answer exactly where the persistence mechanism exists but I can give you some advice.

I’m guessing you don’t have sysmon set up and tracking command lines and process execution?

  1. Just nuke from orbit. Don’t bother messing around trying to unravel the damage because unless everything is removed, there’s no guarantee of security within your system.
  2. Easier method - get a medicat usb created and run malwarebytes or clamav with added YARA rules on system from a non-infected Windows PE environment.
  3. If you really want to do this manually, then use the MITRE ATT&CK framework to your advantage and check the common persistence mechanisms. These will be:
    A. Boot or Logon Autostart Execution, Technique T1547 - Enterprise | MITRE ATT&CK®
    B. Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder, Sub-technique T1547.001 - Enterprise | MITRE ATT&CK®
    C. Boot or Logon Autostart Execution: Winlogon Helper DLL, Sub-technique T1547.004 - Enterprise | MITRE ATT&CK®
    D. Boot or Logon Autostart Execution: Active Setup, Sub-technique T1547.014 - Enterprise | MITRE ATT&CK®
    E. Boot or Logon Initialization Scripts: Logon Script (Windows), Sub-technique T1037.001 - Enterprise | MITRE ATT&CK®
    F. Boot or Logon Initialization Scripts: Startup Items, Sub-technique T1037.005 - Enterprise | MITRE ATT&CK®
    G. Create or Modify System Process: Windows Service, Sub-technique T1543.003 - Enterprise | MITRE ATT&CK®
    H. Event Triggered Execution, Technique T1546 - Enterprise | MITRE ATT&CK®
    I. Event Triggered Execution: Windows Management Instrumentation Event Subscription, Sub-technique T1546.003 - Enterprise | MITRE ATT&CK®
    J. Event Triggered Execution: Application Shimming, Sub-technique T1546.011 - Enterprise | MITRE ATT&CK®
    K. Event Triggered Execution: PowerShell Profile, Sub-technique T1546.013 - Enterprise | MITRE ATT&CK®
    L. Office Application Startup, Technique T1137 - Enterprise | MITRE ATT&CK®
    M. Scheduled Task/Job, Technique T1053 - Enterprise | MITRE ATT&CK®
    N. Browser Extensions, Technique T1176 - Enterprise | MITRE ATT&CK®
    O. Event Triggered Execution: Screensaver, Sub-technique T1546.002 - Enterprise | MITRE ATT&CK®
  4. Employ some tools like BLUESPAWN, clamav, Loki, Windows Defender (actually decent), as well as hashing files and searching virustotal or alien vault otx.

For future you I’d considering setting up sysmon for logging this stuff, if not blocking. There are some good base configurations for logging only, and logging and blocking.

Feel free to DM me if you want to pass on some private details about the specifics like the malicious file hash or whatever so I can give you better suggestions.

Hope this helps.

4 Likes

@MazeFrame im not sure how service border control fits in to this mate.
do you mean blackholing the ip? like with a raspi as a router?.
(sorry mate i have holes in my game on this stuff)

@section279
yep great help thanks for your time and effort.

already ran scans with defender/avira/comodo/malware bytes.
nothing showed up so im guessing its definition isnt on virus total yet.

i have sysmon installed but i havent set it up to automate and log files. (didnt know it could. so will look at this).

as for encoding id already thought of that so grep’d for the ip in base64. no luck. but i will try other encoding as i never thought to try alternatives like utf-16.

and shit thats a lot of reading.
thanks. 10/10.

I’d try just searching for ps1 files first, see what exists and see if there’s any hits for the hashes on VirusTotal and decoding any encoded strings in said files.

The problem is that won’t detect “fileless” methods which use (for example) values stored in the registry hive on the system, which is a more common model these days.

One thing to be mindful about is a lot of C2 type servers work off DGAs (if not employing POC/more obscure methods, like communicating over specific applications). So not every domain will be malicious or even registered.

What you could do is while the system is running, capture network traffic with WireShark or tcpdump, and feed that into something like RITA.

Again, personally I’d look at just backing up what you can and reimagined the hosts as until you know all the persistence mechanisms are gone, you may be subject to more pain in the long term.

1 Like

If you want to just make a hobby of rooting it out make a VDI of the hard drive then nuke and pave the thing so you can get back to work. When you have time/motivation you can fire up the VDI in a vm and try to extract the virus.

1 Like

You mentioned the malware tries to contact some remote IP, but since it can’t reach it, it halts itself.
So, my thinking is: If you have that IP accessible by means of configuring an interface on your router to be in that network, then throw an SBC in that network to fake the remote server, you have more time to look at the malware trying to do its thing.

Shitty paint drawing with an example IP:

2 Likes

im guessing i can spin up a virtual box with windows on it. infect it and watch that.
not sure if this will work but if i set up the local network with the ip in the range its looking for,
then set up my kali box with the exact ip its looking for with an ncat listener.
maybe it will tell me something.

but i think the easies thing to do is set up sysmon on the vbox and then infect a windows image, while logging everything. the hope being it shows me where its hiding.

i know this is kinda masochistic but im enjoying this hunt :slight_smile:

1 Like

Just remember some malware has anti sandbox/vm behaviour, and others will actively attempt to infect the host machine so you may need to disguise your VM there are some methods here but I suggest you do a bit of reading on the topic.

1 Like

well tried to install sysmon logging and the config file is causing issues.
seemingly its a common one they keeps reoccurring so will have to wait for an update :confused:

good news though. it looks like i found and killed what ever the ps1 script was launching.
so wire shark shows nothing as its now quitting without dialing out even though i unblocked the script for testing. :frowning:

the search goes on… :wink:

1 Like

well turns out i found and killed the infection in the first day.
finding what was launching the powershell took a bit of work…
i scoured the whole o.s windows/prog files and so on. nothing…

then by dumb luck my browser launching tab blanked out.
so properties/change icon, but i noticed that the properties to the file were odd…
something attached itself to the browser launcher.Ink and was running an extension in the temp folder.
i checked my browser.lnk and it also had the same link to the temp file.

i cleaned it out and no more powershell popping up.

last thing to do is go through the registry and see if i can find the hashfilename it was trying to launch.

thanks for the help and suggestions guys…

4 Likes