
Help identifying possible rootkit



I’m currently analyzing an endpoint which most likely is compromised and need some help breaking down what the malware has done. Since there may be more infected endpoints, I’m out to identify the root of it, making it possible to determine whether other endpoints are compromised.

One day the machine (Win10) suddenly started to consume high amounts of CPU resources without any process showing this consumption in the task manager.

This persisted for days and survived reboots. To look for persistence techniques I tried Sysinternals Autoruns and Process Explorer, although there were no obvious/super-suspicious processes, tasks, services, registry entries or DLLs to make a next move on.

Due to suspicion of rootkit malware I did a scan with GMER. It reported some interesting findings, listed below (only snippets of the whole list).

.text C:\WINDOWS\system32\wbem\wmiprvse.exe[‘removed’] C:\WINDOWS\system32\USER32.dll!SetWindowsHookExA [‘removed’] 5 bytes JMP [‘removed’]

.text C:\WINDOWS\system32\wbem\wmiprvse.exe[‘removed’] C:\WINDOWS\system32\USER32.dll!SetWindowsHookExW [‘removed’] 5 bytes JMP [‘removed’]

.text C:\WINDOWS\system32\wbem\wmiprvse.exe[‘removed’] C:\WINDOWS\system32\USER32.dll!SetWindowsHookA [‘removed’] 5 bytes JMP [‘removed’]


Although I’m quite new to such analysis, my theory is that these are signs of key-logging and/or DLL injection.

Next, I find these entries interesting (only some examples; the full report listed several functions per DLL):

.text C:\Program Files(x86)\Google\Chrome\Application\chrome.exe[‘removed’] @ C:\WINDOWS\system32\KERNEL32.DLL!CreateRemoteThread [‘removed’] 5 bytes JMP [‘removed’]

(...)

.text C:\Program Files(x86)\Google\Chrome\Application\chrome.exe[‘removed’] @ C:\WINDOWS\system32\ntdll.dll!NtCreateFile [‘removed’] 16 bytes {MOV RAX ,[‘removed’]; JMP RAX }

(...)

IAT C:\Program Files(x86)\Google\Chrome\Application\chrome.exe[‘removed’] @ C:\WINDOWS\system32\USER32.dll[GDI32.dll!GdiDllInitialize] [‘removed’]

 

Can anybody give me any clues on how to further analyze this? Any theories on whether or how threads/processes are hidden? And any thoughts on what technique can be utilized for persistence and how to identify it?

Thank you!

 

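As an added example for the GMER output quoted in the post above (this is not the poster's code, nor anything GMER itself provides): a small Python triage helper that parses the three kinds of rows shown, tells a 5-byte relative-JMP inline hook apart from the `mov rax, imm64; jmp rax` trampoline and from an IAT pointer replacement, and groups the hooked APIs per process so reports from several endpoints can be compared. The sample rows are the post's own with the addresses left redacted, and the API-family labels in `API_INTEREST` are my assumption.

```python
import re
from collections import defaultdict
# Constructed sample: the GMER rows quoted in the post, addresses redacted as in the original.
SAMPLE = r"""
.text C:\WINDOWS\system32\wbem\wmiprvse.exe[removed] C:\WINDOWS\system32\USER32.dll!SetWindowsHookExA [removed] 5 bytes JMP [removed]
.text C:\Program Files(x86)\Google\Chrome\Application\chrome.exe[removed] @ C:\WINDOWS\system32\KERNEL32.DLL!CreateRemoteThread [removed] 5 bytes JMP [removed]
.text C:\Program Files(x86)\Google\Chrome\Application\chrome.exe[removed] @ C:\WINDOWS\system32\ntdll.dll!NtCreateFile [removed] 16 bytes {MOV RAX ,[removed]; JMP RAX }
IAT C:\Program Files(x86)\Google\Chrome\Application\chrome.exe[removed] @ C:\WINDOWS\system32\USER32.dll[GDI32.dll!GdiDllInitialize] [removed]
"""
# ".text" rows are inline patches at a function's entry; "IAT" rows are replaced import pointers.
TEXT_RE = re.compile(
    r"^\.text\s+(?P<proc>.+?\.exe)\[[^\]]*\]\s+(?:@\s+)?(?P<mod>\S+?\.dll)!(?P<func>\w+)"
    r"\s+\[[^\]]*\]\s+(?P<size>\d+) bytes\s+(?P<patch>.+?)\s*$", re.IGNORECASE)
IAT_RE = re.compile(
    r"^IAT\s+(?P<proc>.+?\.exe)\[[^\]]*\]\s+@\s+(?P<mod>\S+?\.dll)\[(?P<imp>[^\]]+)\]", re.IGNORECASE)
# Hypothetical triage labels keyed by API-name prefix (my assumption, not something GMER emits).
API_INTEREST = {"SetWindowsHook": "input/message hooking", "CreateRemoteThread": "remote thread creation",
                "NtCreateFile": "file-access interception"}

def classify_patch(size, patch):
    """Name the trampoline style from the byte count and disassembly text GMER prints."""
    p = patch.upper()
    if "MOV RAX" in p and "JMP RAX" in p:
        return "absolute x64 trampoline (mov rax, imm64; jmp rax)"
    if p.startswith("JMP") and size == 5:  # E9 + rel32 displacement is exactly 5 bytes
        return "relative jmp (E9 rel32) inline hook"
    return "unrecognised patch"

def parse_line(line):
    """Return a dict for one GMER row, or None for row types this parser does not handle."""
    base = lambda path: path.rsplit("\\", 1)[-1]  # keep only the file name of a Windows path
    m = TEXT_RE.match(line)
    if m:
        return {"kind": "inline", "proc": base(m["proc"]), "module": base(m["mod"]), "func": m["func"],
                "style": classify_patch(int(m["size"]), m["patch"])}
    m = IAT_RE.match(line)
    if m:
        return {"kind": "iat", "proc": base(m["proc"]), "module": base(m["mod"]),
                "func": m["imp"].split("!")[-1], "style": "import pointer replaced"}
    return None

def triage(report):
    """Group parsed hooks by process and attach the API family each one touches."""
    by_proc = defaultdict(list)
    for line in report.splitlines():
        rec = parse_line(line.strip())
        if rec:
            rec["why"] = next((v for k, v in API_INTEREST.items() if rec["func"].startswith(k)), "review manually")
            by_proc[rec["proc"]].append(rec)
    return dict(by_proc)
```

Inline hooks on user32 and ntdll exports are also placed by legitimate security products (anti-virus, EDR, some accessibility or screen-capture software), so compare the grouped output against a known-clean machine with the same software stack before treating a hook as malicious.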

Root Admin

Hello @pcf4pt and welcome!

Unfortunately we're not a training facility on how to detect and remove malware. The tool of choice for non-automated detection and removal is the program FRST. If you like you can run the scan and post the logs and I'll review them to let you know what I find.

 

Please download Farbar Recovery Scan Tool and save it to your desktop.

Note: You need to run the version compatible with your system.
You can check here if you're not sure if your computer is 32-bit or 64-bit

  • Double-click to run it. When the tool opens click Yes to disclaimer.
  • Press Scan button.
  • It will make a log (FRST.txt) in the same directory the tool is run from. Please attach it to your reply.
  • The first time the tool is run, it also makes another log (Addition.txt). Please attach it to your reply as well.

 

Thanks

Ron

 

This topic is now closed to further replies.