
Firmware replying trojan that uses genuine Windows remoting to take over

Firmware deploys this trojan, which allows complete remote control of a system using almost entirely genuine Windows components to avoid detection.

1- There should be a "setupact.log" in here that describes how the file comes out of firmware and gets around the Windows setup process to infect the machine. It seems that zipping the file may have removed it, and the only way I could create a new one would be to reinstall Windows.

    -If you can't get this file out of the zip it's very unfortunate, as it shows the entire strategy the system deployed with, but it seems the zipping process may have removed the .log.
2- Look through "RunExeActionAllowedList.dat", which is the code that seems to deploy the system for using genuine Windows products to take over the machine.
3- FRST - Copy.txt contains all the detections from the Farbar Recovery Scan Tool, which show a list of what the trojan had done (though some of it was removed in a first-round "Fix" by that tool).
4- The "KnownGameList.Bin" appears to be an access method used in concert with Xbox Game Bar.

The system seems to change the DNS to a different IP and repeatedly triggers (and copies over if you delete it) mstsc.exe. There are dozens of copies of this file in different folders that it uses to restore itself.

I have previously uploaded more files, but apparently that wasn't preferred. Please use these to ask me if you'd like a specific file.

Panther or Hxtsr trj.zip

If I plug my computer into any network long enough to do something like that, 4104 PowerShell commands start irreversibly changing all kinds of settings and opening back doors, and then I have to reinstall again at best. I’m trying to help identify something that appears sophisticated, which I was under the impression you guys would be excited about. But if not, my apologies.

There is the FARBAR detection strafed which should substitute

Based upon what you are reporting, please read "I'm infected - What do I do now?" and then create a post in Windows Malware Removal Help & Support.

A UNITE-trained Forum Helper will assist you in sussing out this PC, and any files deemed malicious can specifically be extracted and submitted by the Forum Helper.

  • Root Admin

Hello @larrytash

None of these files are detected as a threat by any security vendor. Not a single one.

FRST - Copy.txt
Edited text log file from the Farbar scanner. ASCII text

KnownGameList.bin
0/58 on VT (no one detects this as a threat)
https://www.virustotal.com/gui/file/afcbdeb450031d384de9de22e110a321bbbfb7f8730084f8f958f9c26cea086c

mbamchameleon.sys
0/70 on VT (no one detects this as a threat - this is our Malwarebytes driver file)
https://www.virustotal.com/gui/file/ce9d5ef18ce74eeeb404e56ecd36cae87c8e66cca1c01f31e6823a6bb61e65f1

RunExeActionAllowedList.dat
0/58 on VT (no one detects this as a threat)
https://www.virustotal.com/gui/file/f2c16345e78d5471731aa7c9c5e8dc85e25d06a36a518e8a01e80cf8ae781a26?nocache=1

If you are having an issue with your computer and a possible malware threat, please grab some logs and we'll assist you in checking and cleaning your computer if possible.

To begin, please do the following so that we may take a closer look at your installation for troubleshooting:

NOTE: The tools and the information obtained are safe and not harmful to your privacy or your computer; please allow the programs to run if blocked by your system.

  • Download the Malwarebytes Support Tool
  • In your Downloads folder, open the mb-support-x.x.x.xxx.exe file
  • In the User Account Control pop-up window, click Yes to continue the installation
  • Run the MBST Support Tool
  • In the left navigation pane of the Malwarebytes Support Tool, click Advanced
  • In the Advanced Options, click Gather Logs. A status diagram displays the tool is Getting logs from your machine
  • A zip file named mbst-grab-results.zip will be saved to the Public desktop, please upload that file on your next reply

Thank you

Edited by AdvancedSetup
Updated information

You’re right: providing Remote Desktop control to whoever planted the code, granting full remote PowerShell scripting rights which are then used to log all files and activity for remote copying, allowing enabling and accessing the guest account even if it is disabled, taking file and folder ownership, injecting the base code into fresh Windows installs from firmware (apparently Nvidia and Realtek device firmware), and rerouting the DNS to the hacker’s computer in Nebraska… that’s not malware because no one else’s software hits on it and it’s doing it through genuine Windows files.

360 Global Security has a report on an “oldpanther” ransomware that appears to be the same thing plus encrypting files. Available on Google.

You can open and read the .dat easily to see its playbook. It’s scripting the file distribution right there.

When I can find a public Ethernet to plug into I’ll use the MWB support tools and upload. But since this can’t be removed I can’t plug it into any of my networks currently.

  • Root Admin

No, the file alone cannot do anything. It requires an application or process to call it.

It is a .JSON file with multiple command structures, most of which on their own don't necessarily mean it's bad. It's possible, but we'd need to see the program or process that calls it and what it passes along to the program or another process.

Again, I’m not asking for my computer to be fixed. I’m asking Malwarebytes to take it seriously that someone figured out how to use almost all native Windows functions to fully take over computers. I didn’t know I had a game bar, but they appear to have used Xbox Game Bar to get in, then planted a trojan which executes the steps down in the .dat file among others, taking over mstsc.exe and osk.exe and multiple other files, then running PowerShell commands... and you’ve got the whole thing.

I grabbed a number of PowerShell files to run on VirusTotal against the AI system, but have no public Ethernet to do it on currently.

I am sorry I don’t have the setupact.log, as it really shows every step, but it didn’t zip.

I ran multiple 4104 PowerShell scripts through ChatGPT to see what they did, and they were changing permissions, changing Defender and MWB settings, taking various ownership, etc. etc.

  • Root Admin

I'm sorry but as I've said these are .json files. What they are doing may or may not be dangerous. Without access to a computer and logs there is zero we can do about it.

The files you provided do absolutely nothing on their own. They are ASCII TEXT files. They can be used as script files but not on their own.

Unless you wish to provide the requested logs or have an actual executable program to submit there is nothing for us to do.

Edited by AdvancedSetup
Updated information

I’ll get those logs when possible.

There’s a log in windows\Panther including “[svchost.exe] Enter WinReIsWimBootEnabled” … “[RelPost.exe] Enter WinReSetTriggerFile”.

So it would seem they are using WIMBoot to create a background environment from early in the boot, possibly storing it in the Windows recovery partition. There is some trigger file that causes it to turn on; then it starts opening MoUsoCoreWorker, mstsc.exe, osk.exe, etc. to take over the computer for PowerShell scripting.

When possible I’ll get the MWB support logs.

PowerShell script run by 4104:

Creating Scriptblock text (1 of 1):
{
        $script:ExpectingException = $true
        $events = get-winevent -path $TraceFile -Oldest -FilterXPath "*[System[Provider[@Name='Microsoft-Windows-Diagnostics-Networking'] and (EventID=6100)]]" -ErrorAction SilentlyContinue
        $script:ExpectingException = $false
        foreach($event in $events)
        {
            #events indexed by time they were emitted
            if(($event -ne $null) -and !$Global:ReportEvents.ContainsKey($event.TimeCreated))
            {
                #Add helper class name to title so that it's easily distinguishable in the report without having to expand it
                $eventTitle = [System.String]::Format([System.Globalization.CultureInfo]::InvariantCulture, $localizationString.HelperClassEventNameWithHCName,
                                    [System.Globalization.CultureInfo]::CurrentUICulture.TextInfo.ToTitleCase($event.Properties[0].Value));

                "<Objects><Object Type=""System.String""><PRE><![CDATA["+$event.Message +"]]></PRE></Object></Objects>" | Update-DiagReport -id DiagInformation -name $eventTitle
                $Global:ReportEvents.Add($event.TimeCreated, $event)
            }
        }
    }

ScriptBlock ID: 98faba36-8011-4820-b876-b9a559211c51
Path: C:\Users\Chaz\AppData\Local\Temp\SDIAG_deb8d06e-bbd7-4912-9d13-83133a10a6de\UtilityFunctions.ps1

Another 4104 PowerShell script:

Creating Scriptblock text (2 of 4):


    $sb = New-Object System.Text.StringBuilder $textToEscape.Length;
    for($i=0; $i -lt $textToEscape.Length; $i++)
    {
        $curChar = $textToEscape[$i];
        if($curChar -eq '\n')
        {
            $null = $sb.Append("\par");
        }
        elseif(($curChar -lt 0x20) -or ($curChar -eq '{') -or ($curChar -eq '}') -or ($curChar -eq '\\'))
        {
            $null = $sb.Append("\'");
            $null = $sb.Append(([int]$curChar).ToString("X2", [System.Globalization.CultureInfo]::InvariantCulture));
        }
        elseif($curChar -lt 0x80)
        {
            $null = $sb.Append($curChar);
        }
        else
        {
            $null = $sb.Append("\u");
            $null = $sb.Append(([int]$curChar).ToString([System.Globalization.CultureInfo]::InvariantCulture));
            $null = $sb.Append('?');
        }

    }

   return $sb.ToString();

}

function IsValidURL($URL)
{
    &{
        $uri = [System.URI]($URL);
        $scheme = $uri.scheme;
        if(($scheme -eq "http" ) -or ($scheme -eq "https") -or ($scheme -eq "ftp"))
        {
            return $uri.ToString();
        }
        else
        {
            return $null;
        }
    }
     trap [Exception]
    {
        return $null;
    }
}

function GetDefaultBrowser()
{
    [string]$assocString = $null
    $dll = "NetworkDiagnosticSnapIn.dll"

    try
    {
        RegSnapin $dll
    
        $assocString = [Microsoft.Windows.Diagnosis.Network.AssociationInfo]::GetAssociation("http","open");
        trap [Exception]
        {
            $assocString = $null;
        }
    }
    finally
    {
        UnregSnapin $dll
    }

    return $assocString;
}

function GetWebNDFIncidentData($URL, $DefaultConnectivity)
{
    #build entry point parameters
    $haXML = "<HelperAttributes><HelperAttribute><Name>URL</Name><Type>AT_STRING</Type><Value><![CDATA[" + $URL +  "]]></Value></HelperAttribute>"
    if($DefaultConnectivity)
    {
        #sqm explorer as the client rather than sdiaghost.exe
        $haXML += "<HelperAttribute><Name>NDFSQMCallerApplication</Name><Type>AT_STRING</Type><Value>Windows\Explorer.EXE</Value></HelperAttribute>"
        $defaultBrowser = GetDefaultBrowser;
        if($defaultBrowser)
        {
            $haXML += "<HelperAttribute><Name>AppID</Name><Type>AT_STRING</Type><Value>"+ $defaultBrowser + "</Value></HelperAttribute>"
        }
    }
    $haXML += "</HelperAttributes>"
    return @{"HelperClassName" = "WinInetHelperClass"; "HelperAttributes" =$haXML}
}

function GetValidURL($CandidateURL)
{
    $toReturn = $null
    $url = IsValidURL $CandidateURL
    if($url -eq $null)
    {
        if($CandidateURL.IndexOf("://") -eq -1)
        {
            $updatedURL = "http://" + $CandidateURL
            $url = IsValidURL $updatedURL
            if($url)
            {
                $toReturn = $url
            }
        }
    }
    else
    {
        $toReturn = $url
    }

    return $toReturn
}

function GetErrorRTF($Description, $Error)
{
  $escapedDesc = EscapeForRTF $Description;
  $escapedError = EscapeForRTF $Error;
  $rtf = LoadResourceString($ERROR_MSG_RTF_RESOURCE);
  return $rtf.Replace("%DESC%", $escapedDesc).Replace("%ERROR%", $escapedError);
}

function WebEntry()
{
    $IT_WebChoice = Get-DiagInput -ID "IT_WebChoice"
    if($IT_WebChoice -eq $null)
    {
          #Failed retriving Web Choice
          return $null
    }

    $IT_URL = $DefaultDiagURL
    if(!($IT_WebChoice -eq "Internet"))
    {
        $IT_URL = Get-DiagInput -ID "IT_URL"
        if($IT_URL -eq $null) {
          #Failed retriving URL
          return $null
        }

        #verify that it is a valid URL
        $validURL = GetValidURL $IT_URL[0]
        while($validURL -eq $null)
        {
                #build the RTF text
                $replacedError = [System.String]::Format([System.Globalization.CultureInfo]::InvariantCulture, $localizationString.interaction_InvalidURL_FormatError, $IT_URL[0]);
                $RTFText = GetErrorRTF ($localizationString.interaction_InvalidURL_Desc) ($replacedError);

                #reprompt for input
                $IT_URL = Get-DiagInput -ID "IT_Invalid_URL" -p @{"URL" = $IT_URL; "RTFText" = $RTFText}
                if($IT_URL -eq $null) {
                      #Failed retriving URL
                      return $null
                }

                $validURL = GetValidURL $IT_URL[0]
        }
    }

    return GetWebNDFIncidentData $validURL $false
}

function IsUNCFormat($UNC)
{
     &{
        $uri = [System.URI]($UNC);
        $scheme = $uri.scheme;
        if(($scheme -eq "file" ))
        {
            if($uri.IsUnc)
            {
                return $uri.LocalPath;
            }
        }
        return $null;
    }
     trap [Exception]
    {
        return $null;
    }
}

#function assumes passed in UNC is in \\host\share form (share can be missing)
function ContainsInvalidUNCChars($UNC)
{
    &{
        #will return an exception if the string has invalid characters
        $ignoreResult = [System.IO.Path]::IsPathRooted($UNC)

        #check the path for invalid characters
        #remove the starting slashes
        $tmp = $UNC.Substring(2)
        $nextSlash = $tmp.IndexOf("\")
        if(($nextSlash -lt 0) -or ($nextSlash -eq ($nextSlash.Length - 1)))
        {
            #string only contains hostname
            #hostname is already validated in IsUNCFormat function
            return $false
        }
        #remove host and backslash after host
        $UNCPath = $tmp.Substring($nextSlash+1)

        #under certain circumstances some of these make it through the above check
        #so we do a direct sanity check here
        if(!($UNCPath.IndexOfAny(@('/',':','*','?','"','<','>','|')) -eq -1))
        {
            return $true;
        }

        return $false;
    }
    trap [Exception]
    {
        return $true;
    }
}

function GetValidUNC($CandidateUNC)
{
    $toReturn = $null

    #is it valid
    $unc = IsUNCFormat $CandidateUNC
    if($unc)
    {
        $invalidChars = ContainsInvalidUNCChars $unc
        if($invalidChars)
        {
            $toReturn = -1;
        }
        else
        {
            $toReturn = $unc
        }
    }

    return $toReturn;
}


function GetUNCNDFIncidentData($UNC)
{
    #build entry point parameters
    $haXML = "<HelperAttributes><HelperAttribute><Name>UNCPath</Name><Type>AT_STRING</Type><Value><![CDATA[" + $UNC +  "]]></Value></HelperAttribute></HelperAttributes>"
    return @{"HelperClassName" = "SMBHelperClass"; "HelperAttributes" =$haXML}
}

function FileSharingEntry()
{
    $IT_UNC = Get-DiagInput -ID "IT_UNC"
    if($IT_UNC -eq $null) {
      #Failed retriving UNC path
      return $null
    }

    #assign input to non-array variable to facilitate usage and transform
    $validUNC = GetValidUNC $IT_UNC[0]
    while((!$validUNC) -or ($validUNC -eq -1))
    {
        #build the RTF text
        #use original entry for re-prompt even though "file://" UNC may have been transformed
        $replacedError = "";
        if(!$validUNC)
        {
            $replacedError = [System.String]::Format([System.Globalization.CultureInfo]::InvariantCulture, $localizationString.interaction_InvalidUNC_FormatError, $IT_UNC[0]);
        }
        else
        {
            $replacedError = [System.String]::Format([System.Globalization.CultureInfo]::InvariantCulture, $localizationString.interaction_InvalidUNC_CharError, $IT_UNC[0]);
        }
        $RTFText = GetErrorRTF ($localizationString.interaction_InvalidUNC_Desc) ($replacedError);

        #reprompt for input
        $IT_UNC = Get-DiagInput -ID "IT_Invalid_UNC" -p @{"UNC" = $IT_UNC; "RTFText" = $RTFText}
        if($IT_UNC -eq $null) {
              #Failed retriving UNC path
              return $null
        }

        $validUNC = GetValidUNC $IT_UNC[0]
    }

    return GetUNCNDFIncidentData $validUNC
}

function NetworkAdapterEntry()
{
    #enumerate interfaces to build options list
    $interfaces = get-wmiobject -class Win32_NetworkAdapter
    #hash table with options
    $optionList = @()
    foreach($curInterface in $interfaces)
    {
        if($curInterface.GUID -ne $null)
        {
              $curHash = @{"Name"=$curInterface.NetConnectionID}
              $curHash += @{"Description"=$curInterface.NetConnectionID}
              $curHash += @{"Value"=$curInterface.GUID}

              $optionList += @($curHash)
        }
    }

    if($optionList.Count -gt 1)
    {
        #add zero guid entry to check all interfaces
        $optionList += @(@{"Name"=$localizationString.interaction_AllAdapters; "Description"=$localizationString.interaction_AllAdapters; "Value"="{00000000-0000-0000-0000-000000000000}"; "ExtensionPoint"="<Default />"})

        #get interface selection from user
        $IT_NetworkAdapter = Get-DiagInput -ID "IT_NetworkAdapter" -c $optionList

        if($IT_NetworkAdapter -eq $null) {
           throw "Failed retriving Network Connetion ID from user"
        }
    }
    elseif($optionList.Count -eq 1)
    {
        $IT_NetworkAdapter = $optionList[0]["Value"]
    }
    else
    {
        #No NICs, do zero GUID diag
        $IT_NetworkAdapter = "{00000000-0000-0000-0000-000000000000}"
    }

    #build entry point parameters
    $haXML = "<HelperAttributes><HelperAttribute><Name>guid</Name><Type>AT_GUID</Type><Value>" + $IT_NetworkAdapter +  "</Value></HelperAttribute></HelperAttributes>"
    return @{"HelperClassName" = "NetConnection"; "HelperAttributes" =$haXML}
}

function WinsockEntry()
{
    $IT_RemoteAddress = Get-DiagInput -ID "IT_RemoteAddress"
    if($IT_RemoteAddress -eq $null -or  $IT_RemoteAddress[0].Length -eq 0) {
      #Failed retriving Remote Address
      return $null
    }

    $IT_Protocol = Get-DiagInput -ID "IT_Protocol"
    if($IT_Protocol -eq $null -or  $IT_Protocol[0].Length -eq 0) {
      #Failed retriving Remote Port
      return $null
    }

    $IT_ApplicationID = Get-DiagInput -ID "IT_ApplicationID"
    if($IT_ApplicationID -eq $null -or  $IT_ApplicationID[0].Length -eq 0) {
      #Failed retriving Application ID
      return $null
    }

    #build entry point parameters
    $haXML = "<HelperAttributes><HelperAttribute><Name>remoteaddr</Name><Type>AT_SOCKADDR</Type><Value>" + $IT_RemoteAddress  +  "</Value></HelperAttribute>";
    $haXML += "<HelperAttribute><Name>protocol</Name><Type>AT_UINT32</Type><Value>" + $IT_Protocol +  "</Value></HelperAttribute>";
    $haXML += "<HelperAttribute><Name>localaddr</Name><Type>AT_SOCKADDR</Type><Value>0.0.0.0</Value></HelperAttribute>";
    $haXML += "<HelperAttribute><Name>appid</Name><Type>AT_STRING</Type><Value>" + $IT_ApplicationID + "</Value></HelperAttribute>";
    $haXML += "</HelperAttributes>";
    return @{"HelperClassName" = "Winsock"; "HelperAttributes" =$haXML}
}

function GroupingEntry()
{
    $IT_GroupName = Get-DiagInput -ID "IT_GroupName"
    if($IT_GroupName -eq $null -or  $IT_GroupName[0].Length -eq 0) {
      #Failed retriving Remote Address
      return $null
    }

    #build entry point parameters
    $haXML = "<HelperAttributes><HelperAttribute><Name>groupname</Name><Type>AT_STRING</Type><Value>" + $IT_GroupName +  "</Value></HelperAttribute></HelperAttributes>"
    return @{"HelperClassName" = "GroupingHelperClass"; "HelperAttributes" =$haXML}
}

function GetValidExePath($File)
{
     &{
        $uri = [System.URI]($File);
        $scheme = $uri.scheme;
        if(($scheme -eq "file" ))
        {
            #make sure it send in .exe
            if($File.ToLower().IndexOf(".exe") -eq ($File.Length - 4))
            {
                return $File;
            }
        }
        return $null;
    }
    trap [Exception]
    {
        return $null;
    }
}

function InboundEntry()
{
    $staticOptionRes = @($INBOUND_FILESHARE_RESOURCE, $INBOUND_REMOTEDESKTOP_RESOURCE, $INBOUND_DISCOVERY_RESOURCE)
    $staticOptions = @($INBOUND_FILESHARE_PARAM, $INBOUND_REMOTEDESKTOP_PARAM, $INBOUND_DISCOVERY_PARAM)
    # If defined for the corresponding option, the item will be filtered out if the current sku matches anything in the list
    # Sku values as defined in the OperatingSystemSKU property of Win32_OperatingSystem
    $SKUFilters = @($null, @(2,3,5,11), $null)

    #get the SKU, to filter out inappropriate static options
    $SKUObject = get-wmiobject -class Win32_OperatingSystem -property "OperatingSystemSKU"
    $SKU = $SKUObject.OperatingSystemSKU

    $optionList = @()
    $curOptionIndex = 0
    for($curStaticOption = 0; $curStaticOption -lt $staticOptions.Length; $curStaticOption++)
    {
        $SKUFilter = $SKUFilters[$curStaticOption]
        if($SKUFilter)
        {
            if($SKUFilter -contains $SKU)
            {
                #should filter out this option from the list because it is not present in the SKU
                continue;
            }
        }

        $curApp = LoadResourceString($staticOptionRes[$curStaticOption])
        $curHash = @{}
        $curHash.Add("Name",$curApp)
        $curHash.Add("Value",$curOptionIndex)
        $curHash.Add("Description",$curApp)
        $curHash.Add("HelperAttributeName","serviceid")
        $curHash.Add("HelperAttributeValue",$staticOptions[$curStaticOption])
        $optionList += $curHash
        $curOptionIndex++
    }

    #add dynamic options (do not fail if call fails)
    $script:ExpectingException = $true
    
    $dll = "NetworkDiagnosticSnapIn.dll"

    try
    {
        RegSnapin $dll
        
        $droppedApps = [Microsoft.Windows.Diagnosis.Network.FirewallApi.ManagedMethods]::GetDiagnosticAppInfo()
        $script:ExpectingException = $false
        if($droppedApps)
        {
            foreach($droppedApp in $droppedApps)
            {
                #omit svchosts since we cannot display a friendly name for them
                if($droppedApp.Path.IndexOf("svchost") -eq -1)
                {
                    $appEntryDisplayStr = [System.String]::Format([System.Globalization.Cul

ScriptBlock ID: 9dde433b-59f7-43ff-9724-da85bd9a7705
Path: C:\Users\Chaz\AppData\Local\Temp\SDIAG_fc401818-2c95-4b72-9b00-d91a618105c1\UtilityFunctions.ps1
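The two 4104 entries quoted here and in the previous post share a Path under AppData\Local\Temp\SDIAG_<GUID>, the working folder where Windows scripted diagnostics unpack a troubleshooting pack (Get-DiagInput and Update-DiagReport, used throughout them, are that framework's cmdlets). As an added example that is not code from this thread or from Microsoft, the PowerShell below reassembles multi-part 4104 script blocks and labels each by origin so a reviewer can separate such built-in scripts from blocks loaded from other locations; the Get-ScriptOrigin labels are my own heuristics and the sample records are constructed.

```powershell
# Added example, not code from this thread or from Microsoft: reassemble PowerShell
# Script Block Logging events (Event ID 4104) so that a block logged as
# "Creating Scriptblock text (2 of 4)" is reviewed as one script, and label each
# block by the Path it was loaded from. Reading the live log needs Script Block
# Logging enabled and an elevated prompt; the constructed sample at the end
# exercises the code without either.

function Get-ScriptOrigin {
    param([string]$Path)
    # Coarse triage label (heuristic) for where a script block was loaded from.
    # SDIAG_<GUID> under %LOCALAPPDATA%\Temp is where Windows scripted diagnostics
    # unpack a troubleshooting pack; it is tested before the generic Temp rule.
    switch -Regex ($Path) {
        '^$'                                          { 'no file (console or in-memory)'; break }
        '\\AppData\\Local\\Temp\\SDIAG_[0-9a-f-]+\\'  { 'Windows troubleshooting pack (SDIAG folder)'; break }
        '^C:\\Windows\\System32\\WindowsPowerShell\\' { 'built-in PowerShell module'; break }
        '^C:\\Windows\\'                              { 'other file under C:\Windows'; break }
        '\\Temp\\|\\Downloads\\|\\Public\\'           { 'user-writable location (review)'; break }
        default                                       { 'other' }
    }
}

function Get-ScriptBlockRecords {
    param([datetime]$Since = (Get-Date).AddDays(-7), [int]$MaxEvents = 5000)
    # 4104 payload layout: [0] MessageNumber, [1] MessageTotal, [2] ScriptBlockText,
    # [3] ScriptBlockId, [4] Path (empty for blocks not loaded from a file).
    Get-WinEvent -FilterHashtable @{
        LogName   = 'Microsoft-Windows-PowerShell/Operational'
        Id        = 4104
        StartTime = $Since
    } -MaxEvents $MaxEvents -ErrorAction Stop | ForEach-Object {
        [pscustomobject]@{
            TimeCreated   = $_.TimeCreated
            MessageNumber = [int]$_.Properties[0].Value
            MessageTotal  = [int]$_.Properties[1].Value
            Text          = [string]$_.Properties[2].Value
            ScriptBlockId = [string]$_.Properties[3].Value
            Path          = [string]$_.Properties[4].Value
        }
    }
}

function Merge-ScriptBlockFragments {
    param([Parameter(ValueFromPipeline)] $Record)
    begin   { $byId = @{} }
    process {
        if (-not $byId.ContainsKey($Record.ScriptBlockId)) { $byId[$Record.ScriptBlockId] = @() }
        $byId[$Record.ScriptBlockId] += $Record
    }
    end {
        foreach ($id in $byId.Keys) {
            $parts = @($byId[$id] | Sort-Object MessageNumber)
            $total = $parts[0].MessageTotal
            [pscustomobject]@{
                ScriptBlockId = $id
                Path          = $parts[0].Path
                Origin        = Get-ScriptOrigin $parts[0].Path
                Fragments     = "$($parts.Count) of $total"
                # $false: some fragments were never logged, rotated out, or fell outside -Since
                Complete      = ($parts.Count -eq $total)
                FirstSeen     = ($parts | Sort-Object TimeCreated | Select-Object -First 1).TimeCreated
                Text          = -join ($parts | ForEach-Object { $_.Text })
            }
        }
    }
}

# Constructed sample mirroring the two 4104 events quoted above (text abbreviated),
# plus one block with no Path, as logged for a command typed at a console.
$sample = @(
    [pscustomobject]@{ TimeCreated = Get-Date; MessageNumber = 1; MessageTotal = 1
        ScriptBlockId = '98faba36-8011-4820-b876-b9a559211c51'
        Path = 'C:\Users\Chaz\AppData\Local\Temp\SDIAG_deb8d06e-bbd7-4912-9d13-83133a10a6de\UtilityFunctions.ps1'
        Text = '{ $script:ExpectingException = $true; $events = get-winevent -path $TraceFile ... }' }
    [pscustomobject]@{ TimeCreated = Get-Date; MessageNumber = 2; MessageTotal = 4
        ScriptBlockId = '9dde433b-59f7-43ff-9724-da85bd9a7705'
        Path = 'C:\Users\Chaz\AppData\Local\Temp\SDIAG_fc401818-2c95-4b72-9b00-d91a618105c1\UtilityFunctions.ps1'
        Text = '    $sb = New-Object System.Text.StringBuilder $textToEscape.Length; ...' }
    [pscustomobject]@{ TimeCreated = Get-Date; MessageNumber = 1; MessageTotal = 1
        ScriptBlockId = '00000000-0000-0000-0000-000000000000'   # placeholder id
        Path = ''
        Text = 'Get-Process | Sort-Object CPU -Descending | Select-Object -First 5' }
)

$sample | Merge-ScriptBlockFragments |
    Format-Table ScriptBlockId, Fragments, Complete, Origin -AutoSize

# On a live system, surface what a reviewer should read first:
# Get-ScriptBlockRecords | Merge-ScriptBlockFragments |
#     Where-Object { -not $_.Complete -or $_.Origin -like '*review*' }
```

For the constructed sample, the two SDIAG blocks are labelled as troubleshooting-pack scripts and the second shows "1 of 4" with Complete = False, which is exactly the state of the truncated dump above.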

I used VirusTotal to check IP 205.171.2.65, which came out of the DNS settings flagged by Farbar on a totally clean partition reinstall of Windows. It came back "FortinetMalwareXcitium Verdict Cloud Malware".

So this malware has routed traffic from my computer to an IP that VirusTotal believes to contain malware, at least from two sources.

  • Root Admin

The logs don't include our software.

The logs don't include the Farbar scanner logs.

Let's finalize this.

Do you want help cleaning your computer or not?

There are quite literally thousands of all kinds of scripts out there that are destructive to computers but just having a text file without a loading point does absolutely nothing.

We are not interested in most of these scripts. Many people can write them daily around the clock, but without a way to run them on a remote computer and gain something from it they are pretty much useless.

If you do not want help cleaning this computer I will be closing this topic soon.

If you DO want help cleaning this computer then please get me the following logs.

Please download Farbar Recovery Scan Tool and save it to your desktop.

Note: You need to run the version compatible with your system.
You can check here if you're not sure if your computer is 32-bit or 64-bit

  • Double-click to run it. When the tool opens click Yes to disclaimer.
  • Press the Scan button.
  • It will make a log (FRST.txt) in the same directory the tool is run. Please attach it to your reply.
  • The first time the tool is run, it also makes another log (Addition.txt). Please attach it to your reply as well.

Thank you

Also, this svchost.exe seems to be at the root of the problem. VirusTotal says the timestamp of the file is suspicious. It appears the attack involves switching out svchost.exe to this version (attached). It leads to all kinds of suspicious services that can't be disabled, such as BcastDVRUserService_47d69; they always come with that ending sequence, they all can't be turned off, they all come from svchost.exe cmd line prompts, and they all have to do with networking, screen grabbing, etc.

This svchost.exe comes up signed, but if you actually look at the VirusTotal -> Behavior tab, it is resolving to these DNS locations:

fp2E7A.wpc.2BE4.phicdn.net
fp2e7a.wpc.2be4.phicdn.net
fp2e7a.wpc.phicdn.net
prda.aadg.msidentity.com
windowsupdatebg.s.llnwi.net
x1.c.lencr.org

It mentions these IP traffic locations:

It dropped 300 files according to VirusTotal; here are some of them:

  • C:\ProgramData\Microsoft\Windows\WER\Temp\WERF9F0.tmp
  • C:\ProgramData\Microsoft\Windows\WER\Temp\WERF9F0.tmp.WERInternalMetadata.xml
  • C:\ProgramData\Microsoft\Windows\WER\Temp\WERFAAB.tmp
  • C:\ProgramData\Microsoft\Windows\WER\Temp\WERFAAB.tmp.csv
  • C:\ProgramData\Microsoft\Windows\WER\Temp\WERFACC.tmp
  • C:\ProgramData\Microsoft\Windows\WER\Temp\WERFACC.tmp.txt
  • C:\ProgramData\Microsoft\Windows\WER\Temp\WERFAFA.tmp
  • C:\ProgramData\Microsoft\Windows\WER\Temp\WERFAFA.tmp.WERInternalMetadata.xml
  • C:\ProgramData\Microsoft\Windows\WER\Temp\WERFB1B.tmp
  • C:\ProgramData\Microsoft\Windows\WER\Temp\WERFB1B.tmp.csv
  • C:\ProgramData\Microsoft\Windows\WER\Temp\WERFB4B.tmp
  • C:\ProgramData\Microsoft\Windows\WER\Temp\WERFB4B.tmp.txt
  • C:\Windows\System32\spp\store\2.0\cache\cache.dat
  • C:\Windows\System32\spp\store\2.0\data.dat.tmp

svchost exe.zip

This topic is now closed to further replies.