Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

Rootkit.Fileless.MTGen/Trojan:HTML/Brocoiner!rfn


  • This topic is locked This topic is locked
5 replies to this topic

#1 rrice

rrice

  • Members
  • 2 posts
  • OFFLINE
  •  
  • Local time:06:40 PM

Posted 13 December 2017 - 12:34 PM

First, the machine that has this infection is having it's HD replaced and the infected HD will be zeroed out and re-imaged.

 

The infected machine started with 4 separate incidents of the Trojan:HTML/Brocoiner!rfn flagging the system. the Microsoft Forefront software grabbed this, but apparently not the entire thing.

 

Monday, Rootkit.Fileless.MTGen started showing up on this machine. Forefront would grab it, but it would be put back instantly. Yesterday, I ran a full scan with Malwarebytes. I watched has Malwarebytes removed this and everything was put back. I pulled a couple of files to a USB drive before disabling the machine on the network.

 

What I am really looking for is some information on this infection and possible the type of encryption used inside of the BAT file that seemed to run the entire thing.

 

This is the Malwarebytes scan log. It's identical to each scan run.

Malwarebytes
www.malwarebytes.com

-Log Details-
Scan Date: 12/12/17
Scan Time: 12:01 PM
Log File: 19ae9706-df5e-11e7-bb3b-000000000000.json
Administrator: Yes

-Software Information-
Version: 3.3.1.2183
Components Version: 1.0.262
Update Package Version: 1.0.3474
License: Trial

-System Information-
OS: Windows 8.1
CPU: x64
File System: NTFS
User: System

-Scan Summary-
Scan Type: Custom Scan
Result: Completed
Objects Scanned: 400067
Threats Detected: 9
Threats Quarantined: 9
Time Elapsed: 1 hr, 28 min, 40 sec

-Scan Options-
Memory: Enabled
Startup: Enabled
Filesystem: Enabled
Archives: Enabled
Rootkits: Enabled
Heuristics: Enabled
PUP: Detect
PUM: Detect

-Scan Details-
Process: 0
(No malicious items detected)

Module: 0
(No malicious items detected)

Registry Key: 2
Rootkit.Fileless.MTGen, HKU\S-1-5-21-2137594615-1558138788-1617787245-3887_Classes\uwnexucuxv\SHELL\OPEN\COMMAND, Quarantined, [1283], [443829],1.0.3474
Rootkit.Fileless.MTGen, HKU\S-1-5-21-2137594615-1558138788-1617787245-3887_Classes\ghalqipol\SHELL\OPEN\COMMAND, Quarantined, [1283], [440418],1.0.3474

Registry Value: 4
Rootkit.Fileless.MTGen, HKU\S-1-5-21-2137594615-1558138788-1617787245-3887_Classes\uwnexucuxv\SHELL\OPEN\COMMAND|, Quarantined, [1283], [443829],1.0.3474
Rootkit.Fileless.MTGen, HKU\S-1-5-21-2137594615-1558138788-1617787245-3887_Classes\ghalqipol\SHELL\OPEN\COMMAND|, Quarantined, [1283], [440418],1.0.3474
Trojan.Fileless.MTGen, HKU\S-1-5-21-2137594615-1558138788-1617787245-3887\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN|^LKURIPSU, Quarantined, [1636], [262350],1.0.3474
Trojan.Fileless.MTGen, HKU\S-1-5-21-2137594615-1558138788-1617787245-3887\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN|^SATYNA, Quarantined, [1636], [262350],1.0.3474

Registry Data: 0
(No malicious items detected)

Data Stream: 0
(No malicious items detected)

Folder: 0
(No malicious items detected)

File: 3
Rootkit.Fileless.MTGen, C:\USERS\GNORGA\APPDATA\ROAMING\MICROSOFT\WINDOWS\START MENU\PROGRAMS\STARTUP\ICLIRAJICD.LNK, Quarantined, [1283], [-1],0.0.0
Rootkit.Fileless.MTGen, C:\USERS\GNORGA\START MENU\PROGRAMS\STARTUP\ICLIRAJICD.LNK, Quarantined, [1283], [-1],0.0.0
Trojan.Fileless.MTGen, C:\USERS\GNORGA\APPDATA\LOCAL\YXGUWQUH\QVYJKUKC.BAT, Quarantined, [1636], [450287],1.0.3474

Physical Sector: 0
(No malicious items detected)


(end)

The BAT file had the following content

echo JfaFMFqa0I4xCg7Of
echo PJJ9Bm0KIdJ
echo 8aDqK3AEjQ7zgfn5zhOpQKqcnCgsYzJM7Cu
echo lTex1JQA3cHV6PY
echo SbuExB0690MqC5mU4TkylzAuaBgS
echo Q3Gdtqy8rfDIfpwjIJZA1
start "rS8Y2WifjokflQwiuts" "%LOCALAPPDATA%\Ynpegni\agpimat.fdytkov"
echo 6ZqtNr7qdrrlznMyOdSr3Eqk0iiZyGhC9cU
echo DDA0R2CZZLpQjpm6qB8W1WzZHcT7vTIP
echo 2jHRtWMFIeSl1XdFIAodvXWaH6fhQ
echo WnzI9jrRwZcru8
echo gJFcgdCVL
echo LxZe0dnQEKJjpBrq4b5kU6AkwyRi
echo nDnIHHnNZoj

When Malwarebytes removed the files, something put this back, then this put the Ynpegni\agpimat.fdytkov file back.

 

This isn't a Base64 encryption that I can tell. I tried running a hash check on the files and the hashes don't come back with anything.

 

I'm (we're) wondering if the incident is isolated to this one machine or if we have something bigger to worry about. 

Anyone know of a way to try and decipher this text? From what i've read, bits and pieces here and elsewhere have Rootkit.Fileless.MTGen being of Polish origination with a key logger.

 

Regardless, the machine seems to have a rootkit or very well concealed shell that isn't being detected.

 

Though it's echoing the content, the command line windows that did open, never displayed anything. However the AppData directory is the only part no encrypted.

 

Thanks in advanced.



BC AdBot (Login to Remove)

 


#2 Aura

Aura

    Bleepin' Special Ops


  • Malware Response Team
  • 19,474 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:07:40 PM

Posted 13 December 2017 - 12:43 PM

Hi rrice :)

My name is Aura and I'll be assisting you with your malware issue. Since we'll be working together, you can call me Aura or Yoan, which is my real name, it's up to you! Now that we've broke the ice, I'll just ask you a few things during the time we'll be working together to clean your system and get it back to an operational state.
  • As you'll notice, the logs we are asking for here are quite lenghty, so it's normal for me to not reply exactly after you post them. This is because I need some time to analyse them and then act accordingly. However, I'll always reply within 24 hours, 48 hours at most if something unexpected happens
  • As long as I'm assisting you on BleepingComputer, in this thread, I'll ask you to not seek assistance anywhere else for any issue related to the system we are working on. If you have an issue, question, etc. about your computer, please ask it in this thread and I'll assist you
  • The same principle applies to any modifications you make to your system, I would like you to ask me before you do any manipulations that aren't in the instructions I posted. This is to ensure that we are operating in sync and I know exactly what's happening on your system
  • If you aren't sure about an instruction I'm giving you, ask me about it. This is to ensure that the clean-up process goes without any issue. I'll answer you and even give you more precise instructions/explanations if you need. There's no shame in asking questions here, better be safe than sorry!
  • If you don't reply to your thread within 3 days, I'll bump this thread to let you know that I'm waiting for you. If you don't reply after 5 days, it'll be closed. If you return after that period, you can send me a PM to get it unlocked and we'll continue where we left off
  • Since malware can work quickly, we want to get rid of them as fast as we can, before they make unknown changes to the system. This being said, I would appreciate if you could reply to this thread within 24 hours of me posting. This way, we'll have a good clean-up rhythm and the chances of complications will be reduced
  • I'm against any form of pirated, illegal and counterfeit software and material. So if you have any installed on your system, I'll ask you to uninstall them right now. You don't have to tell me if you indeed had some or not, I'll give you the benefit of the doubt. Plus, this would be against BleepingComputer's rules
  • In the end, you are the one asking for assistance here. So if you wish to go a different way during the clean-up, like format and reinstall Windows, you are free to do so. I would appreciate you to let me know about it first, and if you need, I can also assist you in the process
  • I would appreciate if you were to stay with me until the end, which means, until I declare your system clean. Just because your system isn't behaving weirdly anymore, or is running better than before, it doesn't mean that the infection is completely gone
    This being said, I have a full time job so sometimes it'll take longer for me to reply to you. Don't worry, you'll be my first priority as soon as I get home and have time to look at your thread
This being said, it's time to clean-up some malware, so let's get started, shall we? :)

Since this machine's HDD will be replaced, why do you want to clean it up? Is it because the replacement will take a few more days?

unite_blue.png
Security Administrator | Sysnative Windows Update Senior Analyst | Malware Hunter | @SecurityAura
My timezone UTC-05:00 (East. Coast). If I didn't reply to you within 48 hours, please send me a PM.


#3 rrice

rrice
  • Topic Starter

  • Members
  • 2 posts
  • OFFLINE
  •  
  • Local time:06:40 PM

Posted 13 December 2017 - 12:52 PM

Due to the work environment, we don't want an infected machine on the network. 

Also, due to everything that's been going on in the world of malware, we would like to know that with this coding in the BAT file, if we need to worry about more or just write it off. 

The replacement will be done in a few hours so the HD will be swapped out.

 

I am more looking into the Forensics of this.



#4 Aura

Aura

    Bleepin' Special Ops


  • Malware Response Team
  • 19,474 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:07:40 PM

Posted 13 December 2017 - 07:49 PM

Let's see if we can collect all the samples before the HDD get removed then.

iO3R662.pngFarbar Recovery Scan Tool (FRST) - Scan mode
Follow the instructions below to download and execute a scan on your system with FRST, and provide the logs in your next reply.
  • Download the right version of FRST for your system:
    • FRST 32-bit
    • FRST 64-bit
      Note: Only the right version will run on your system, the other will throw an error message. So if you don't know what your system's version is, simply download both of them, and the one that works is the one you should be using.
  • Move the executable (FRST.exe or FRST64.exe) on your Desktop
  • Right-click on the executable and select Spcusrh.pngRun as Administrator (for Windows Vista, 7, 8, 8.1 and 10 users)
  • Accept the disclaimer by clicking on Yes, and FRST will then do a back-up of your Registry which should take a few seconds
  • Make sure the Addition.txt box is checked
  • Click on the Scan button
    KSJwAxg.png
  • On completion, two message box will open, saying that the results were saved to FRST.txt and Addition.txt, then open two Notepad files
  • Copy and paste the content of both FRST.txt and Addition.txt in your next reply

unite_blue.png
Security Administrator | Sysnative Windows Update Senior Analyst | Malware Hunter | @SecurityAura
My timezone UTC-05:00 (East. Coast). If I didn't reply to you within 48 hours, please send me a PM.


#5 Aura

Aura

    Bleepin' Special Ops


  • Malware Response Team
  • 19,474 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:07:40 PM

Posted 16 December 2017 - 02:20 PM

Hi rrice,

Are you still with me?

unite_blue.png
Security Administrator | Sysnative Windows Update Senior Analyst | Malware Hunter | @SecurityAura
My timezone UTC-05:00 (East. Coast). If I didn't reply to you within 48 hours, please send me a PM.


#6 Aura

Aura

    Bleepin' Special Ops


  • Malware Response Team
  • 19,474 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:07:40 PM

Posted 19 December 2017 - 07:58 AM

Due to the lack of feedback, this topic is now closed.

In the event you still have problems, please send me or any Moderator a Private Message and ask them to reopen this topic within the next 5 days.

Please include a link to your topic in the Private Message. Thank you.

unite_blue.png
Security Administrator | Sysnative Windows Update Senior Analyst | Malware Hunter | @SecurityAura
My timezone UTC-05:00 (East. Coast). If I didn't reply to you within 48 hours, please send me a PM.





0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users