FoxxyEm

Members
  • Posts

    1
  • Joined

  • Last visited

Reputation

0 Neutral
Hi! New here. Dealing with some malware. First some background. I saw a program in Process Explorer with a revoked certificate (namely: IntuitUpdateService) that connected to IPs ArcSite Threat Intelligence associates with APT 27 according to VirusTotal. The suspicious process only pinged 3 different malware scanners so it would normally seem like a false positive. However, last time I saw that on VirusTotal, it turned out I had a RAT and the adversary attempted to delete log files while I was looking at them. I successfully managed to get Defender to pick some stuff up after disabling a suspicious svchost.exe process, and the moment Defender let me know what was up, I got a popup saying my administrator had locked me out of Defender... which is ridiculous because it was my personal laptop. Anyways, back to the present and my desktop. I booted into safe mode and noticed I couldn't open Security settings or Defender at all. I checked Malwarebytes and noticed that everything, which showed as enabled normally, shows as disabled in safe mode. So, I booted up into PALADIN Forensic and imaged the drives. Upon analysis, I noticed a deleted Security.evtx file. Looks like sanitizer checks triggered it. I exported it and noticed some Spanish in there talking about credit cards. I opened it in UTF-8 and noticed some escape characters, so I put .html at the end of it. Chrome opened it showing Chinese characters but crashed because of the size. Firefox showed what appeared to be corrupted data. It took some guess-and-check work, but I got it to show the Chinese characters in Firefox by adding a big5 HTML header to change the encoding. I copied everything into a .txt and passed the whole thing through Translate and noticed some..... ummmmmm... very concerning stuff in any part that came out readable. I don't totally trust Google Translate but it was uh.... lots of concerning stuff. I was wondering if I could send some of it in for analysis.

Either the log file or the whole image, so someone more qualified than me can analyze this. I feel like several malware samples will come out of this. If not, any tips on scanning the forensic images? Identifying how it happened?