First, the machine that has this infection is having its HD replaced, and the infected HD will be zeroed out and re-imaged.
The infected machine started with 4 separate incidents of the Trojan:HTML/Brocoiner!rfn flagging the system. The Microsoft Forefront software grabbed this, but apparently not the entire thing.
Monday, Rootkit.Fileless.MTGen started showing up on this machine. Forefront would grab it, but it would be put back instantly. Yesterday, I ran a full scan with Malwarebytes. I watched as Malwarebytes removed this and everything was put back. I pulled a couple of files to a USB drive before disabling the machine on the network.
What I am really looking for is some information on this infection and possibly the type of encryption used inside of the BAT file that seemed to run the entire thing.
This is the Malwarebytes scan log. It's identical to each scan run.
Malwarebytes
www.malwarebytes.com

-Log Details-
Scan Date: 12/12/17
Scan Time: 12:01 PM
Log File: 19ae9706-df5e-11e7-bb3b-000000000000.json
Administrator: Yes

-Software Information-
Version: 18.104.22.1683
Components Version: 1.0.262
Update Package Version: 1.0.3474
License: Trial

-System Information-
OS: Windows 8.1
CPU: x64
File System: NTFS
User: System

-Scan Summary-
Scan Type: Custom Scan
Result: Completed
Objects Scanned: 400067
Threats Detected: 9
Threats Quarantined: 9
Time Elapsed: 1 hr, 28 min, 40 sec

-Scan Options-
Memory: Enabled
Startup: Enabled
Filesystem: Enabled
Archives: Enabled
Rootkits: Enabled
Heuristics: Enabled
PUP: Detect
PUM: Detect

-Scan Details-
Process: 0
(No malicious items detected)

Module: 0
(No malicious items detected)

Registry Key: 2
Rootkit.Fileless.MTGen, HKU\S-1-5-21-2137594615-1558138788-1617787245-3887_Classes\uwnexucuxv\SHELL\OPEN\COMMAND, Quarantined, , ,1.0.3474
Rootkit.Fileless.MTGen, HKU\S-1-5-21-2137594615-1558138788-1617787245-3887_Classes\ghalqipol\SHELL\OPEN\COMMAND, Quarantined, , ,1.0.3474

Registry Value: 4
Rootkit.Fileless.MTGen, HKU\S-1-5-21-2137594615-1558138788-1617787245-3887_Classes\uwnexucuxv\SHELL\OPEN\COMMAND|, Quarantined, , ,1.0.3474
Rootkit.Fileless.MTGen, HKU\S-1-5-21-2137594615-1558138788-1617787245-3887_Classes\ghalqipol\SHELL\OPEN\COMMAND|, Quarantined, , ,1.0.3474
Trojan.Fileless.MTGen, HKU\S-1-5-21-2137594615-1558138788-1617787245-3887\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN|^LKURIPSU, Quarantined, , ,1.0.3474
Trojan.Fileless.MTGen, HKU\S-1-5-21-2137594615-1558138788-1617787245-3887\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN|^SATYNA, Quarantined, , ,1.0.3474

Registry Data: 0
(No malicious items detected)

Data Stream: 0
(No malicious items detected)

Folder: 0
(No malicious items detected)

File: 3
Rootkit.Fileless.MTGen, C:\USERS\GNORGA\APPDATA\ROAMING\MICROSOFT\WINDOWS\START MENU\PROGRAMS\STARTUP\ICLIRAJICD.LNK, Quarantined, , [-1],0.0.0
Rootkit.Fileless.MTGen, C:\USERS\GNORGA\START MENU\PROGRAMS\STARTUP\ICLIRAJICD.LNK, Quarantined, , [-1],0.0.0
Trojan.Fileless.MTGen, C:\USERS\GNORGA\APPDATA\LOCAL\YXGUWQUH\QVYJKUKC.BAT, Quarantined, , ,1.0.3474

Physical Sector: 0
(No malicious items detected)

(end)
The BAT file had the following content:
echo JfaFMFqa0I4xCg7Of
echo PJJ9Bm0KIdJ
echo 8aDqK3AEjQ7zgfn5zhOpQKqcnCgsYzJM7Cu
echo lTex1JQA3cHV6PY
echo SbuExB0690MqC5mU4TkylzAuaBgS
echo Q3Gdtqy8rfDIfpwjIJZA1
start "rS8Y2WifjokflQwiuts" "%LOCALAPPDATA%\Ynpegni\agpimat.fdytkov"
echo 6ZqtNr7qdrrlznMyOdSr3Eqk0iiZyGhC9cU
echo DDA0R2CZZLpQjpm6qB8W1WzZHcT7vTIP
echo 2jHRtWMFIeSl1XdFIAodvXWaH6fhQ
echo WnzI9jrRwZcru8
echo gJFcgdCVL
echo LxZe0dnQEKJjpBrq4b5kU6AkwyRi
echo nDnIHHnNZoj
When Malwarebytes removed the files, something put this back, then this put the Ynpegni\agpimat.fdytkov file back.
This isn't a Base64 encryption that I can tell. I tried running a hash check on the files and the hashes don't come back with anything.
I'm (we're) wondering if the incident is isolated to this one machine or if we have something bigger to worry about.
Anyone know of a way to try and decipher this text? From what I've read, bits and pieces here and elsewhere have Rootkit.Fileless.MTGen being of Polish origination with a key logger.
Regardless, the machine seems to have a rootkit or very well concealed shell that isn't being detected.
Though it's echoing the content, the command line windows that did open never displayed anything. However, the AppData directory is the only part not encrypted.
Thanks in advance.
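Two things in the post lend themselves to a small triage script: the scan log, which names the places the infection keeps re-creating itself from, and the BAT file, whose echo lines the poster could not decode. The example below is added here; it is not code from the original post or from Malwarebytes. Its two inputs are constructed copies of the quoted log lines and BAT text (with line breaks restored), and it only reads the batch text, never runs it. The persistence labels ("Run key value", "Per-user file-type handler", and so on) and the `<SID>` / `<USER>` placeholders are this example's own naming.

```python
"""Triage helpers for the two artifacts quoted in the post above.
Added example, not from the original post or from Malwarebytes; the inputs are
constructed copies of the quoted log lines and BAT text, which are only read."""
import base64
import re

# Constructed input: the nine detection lines of the quoted Malwarebytes log.
MBAM_LOG = r"""
Rootkit.Fileless.MTGen, HKU\S-1-5-21-2137594615-1558138788-1617787245-3887_Classes\uwnexucuxv\SHELL\OPEN\COMMAND, Quarantined, , ,1.0.3474
Rootkit.Fileless.MTGen, HKU\S-1-5-21-2137594615-1558138788-1617787245-3887_Classes\ghalqipol\SHELL\OPEN\COMMAND, Quarantined, , ,1.0.3474
Rootkit.Fileless.MTGen, HKU\S-1-5-21-2137594615-1558138788-1617787245-3887_Classes\uwnexucuxv\SHELL\OPEN\COMMAND|, Quarantined, , ,1.0.3474
Rootkit.Fileless.MTGen, HKU\S-1-5-21-2137594615-1558138788-1617787245-3887_Classes\ghalqipol\SHELL\OPEN\COMMAND|, Quarantined, , ,1.0.3474
Trojan.Fileless.MTGen, HKU\S-1-5-21-2137594615-1558138788-1617787245-3887\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN|^LKURIPSU, Quarantined, , ,1.0.3474
Trojan.Fileless.MTGen, HKU\S-1-5-21-2137594615-1558138788-1617787245-3887\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN|^SATYNA, Quarantined, , ,1.0.3474
Rootkit.Fileless.MTGen, C:\USERS\GNORGA\APPDATA\ROAMING\MICROSOFT\WINDOWS\START MENU\PROGRAMS\STARTUP\ICLIRAJICD.LNK, Quarantined, , [-1],0.0.0
Rootkit.Fileless.MTGen, C:\USERS\GNORGA\START MENU\PROGRAMS\STARTUP\ICLIRAJICD.LNK, Quarantined, , [-1],0.0.0
Trojan.Fileless.MTGen, C:\USERS\GNORGA\APPDATA\LOCAL\YXGUWQUH\QVYJKUKC.BAT, Quarantined, , ,1.0.3474
"""

# Constructed input: the BAT content quoted in the post, one command per line.
BAT_TEXT = r"""
echo JfaFMFqa0I4xCg7Of
echo PJJ9Bm0KIdJ
echo 8aDqK3AEjQ7zgfn5zhOpQKqcnCgsYzJM7Cu
echo lTex1JQA3cHV6PY
echo SbuExB0690MqC5mU4TkylzAuaBgS
echo Q3Gdtqy8rfDIfpwjIJZA1
start "rS8Y2WifjokflQwiuts" "%LOCALAPPDATA%\Ynpegni\agpimat.fdytkov"
echo 6ZqtNr7qdrrlznMyOdSr3Eqk0iiZyGhC9cU
echo DDA0R2CZZLpQjpm6qB8W1WzZHcT7vTIP
echo 2jHRtWMFIeSl1XdFIAodvXWaH6fhQ
echo WnzI9jrRwZcru8
echo gJFcgdCVL
echo LxZe0dnQEKJjpBrq4b5kU6AkwyRi
echo nDnIHHnNZoj
"""

# "<name>, <location>, <action>, ..." is the shape of a Malwarebytes detection line.
DETECTION_RE = re.compile(
    r"^(?P<name>[\w.:!/-]+), (?P<location>.+?), (?P<action>Quarantined|Deleted|No Action)\b")
SID_RE = re.compile(r"S-1-5-21(?:-\d+){3,}")
USER_DIR_RE = re.compile(r"C:\\USERS\\[^\\]+", re.IGNORECASE)

def classify_location(location):
    """Name the persistence mechanism a detection path points at (example labels)."""
    loc = location.upper()
    if "\\CURRENTVERSION\\RUN|" in loc:
        return "Run key value"
    if re.search(r"_CLASSES\\[^\\]+\\SHELL\\OPEN\\COMMAND", loc):
        return "Per-user file-type handler"
    if "\\STARTUP\\" in loc and loc.endswith(".LNK"):
        return "Startup folder shortcut"
    if loc.endswith(".BAT"):
        return "Dropped batch script"
    return "Other"

def hunt_pattern(location):
    """Generalise the SID and user profile so the path can be checked on other hosts."""
    return USER_DIR_RE.sub(lambda m: r"C:\USERS\<USER>", SID_RE.sub("<SID>", location))

def parse_mbam_detections(log_text):
    """One dict per detection line; header and summary lines do not match and are skipped."""
    found = []
    for line in log_text.splitlines():
        m = DETECTION_RE.match(line.strip())
        if m:
            found.append({"name": m["name"], "location": m["location"], "action": m["action"],
                          "kind": classify_location(m["location"]),
                          "hunt": hunt_pattern(m["location"])})
    return found

TOKEN_RE = re.compile(r'"([^"]*)"|(\S+)')  # cmd.exe-style split: quoted or bare tokens

def looks_like_base64_text(s):
    """True only for valid base64 that decodes to printable text (not random bytes)."""
    if len(s) % 4 or not re.fullmatch(r"[A-Za-z0-9+/]+={0,2}", s):
        return False
    try:
        raw = base64.b64decode(s, validate=True)
    except ValueError:
        return False
    return all(32 <= b < 127 or b in (9, 10, 13) for b in raw)

def analyze_batch(text):
    """Separate echo lines (which only print) from commands that actually do something."""
    echoes, actions = [], []
    for line in filter(None, (ln.strip() for ln in text.splitlines())):
        tokens = [quoted or bare for quoted, bare in TOKEN_RE.findall(line)]
        verb = tokens[0].lower()
        if verb == "echo":
            echoes.append(" ".join(tokens[1:]))
            continue
        entry = {"command": verb, "args": tokens[1:],
                 "env_vars": sorted(set(re.findall(r"%([A-Za-z_]+)%", line)))}
        if verb == "start" and len(tokens) >= 3:  # start "<title>" "<program>"
            entry["window_title"], entry["target"] = tokens[1], tokens[2]
        actions.append(entry)
    return {"echo_count": len(echoes),
            "echo_decodable": [e for e in echoes if looks_like_base64_text(e)],
            "actions": actions}
```

Run `parse_mbam_detections(MBAM_LOG)` and the nine detections fall into four groups: two `Classes\<random>\shell\open\command` handlers (reported once as keys and once as values), two Run values, two Startup-folder shortcuts and the dropped BAT. The `hunt` strings are the same locations with the SID and profile name replaced, which is the list to check on other machines when deciding whether this is isolated. `analyze_batch(BAT_TEXT)` reports 13 echo lines, none of which pass the base64 test (several are not even a multiple of four characters long; the ones that are decode to non-printable bytes), and exactly one operative command: the `start` of `%LOCALAPPDATA%\Ynpegni\agpimat.fdytkov`, which is the file the poster saw being restored.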