
Malware logs


#1 STS-1


Posted 14 April 2018 - 05:12 PM

Hi Guys:

 

So I just completed my first AV scan on a Mac where something was actually detected (14 items) and have saved the logs. I do not need assistance removing said malware; I would just like to have the logs reviewed to give me an idea of exactly what was happening, and potentially how it got there, as the quarantine showed a wide variety of dates ranging from 2016-ish up to Oct 3 2017 (the suspected infection date).

 

Thanks for any light you can shed on this for me!

 

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
    <key>logs</key>
    <array>
        <dict>
            <key>action</key>
            <string> </string>
            <key>date</key>
            <date>2018-04-13T00:15:08Z</date>
            <key>details</key>
            <string> </string>
            <key>type</key>
            <integer>16</integer>
        </dict>
        <dict>
            <key>action</key>
            <string> </string>
            <key>date</key>
            <date>2018-04-13T00:22:57Z</date>
            <key>details</key>
            <string> </string>
            <key>type</key>
            <integer>16</integer>
        </dict>
        <dict>
            <key>action</key>
            <string> </string>
            <key>date</key>
            <date>2018-04-13T00:23:50Z</date>
            <key>details</key>
            <string> </string>
            <key>type</key>
            <integer>14</integer>
        </dict>
        <dict>
            <key>action</key>
            <string> </string>
            <key>date</key>
            <date>2018-04-13T00:27:29Z</date>
            <key>details</key>
            <string> </string>
            <key>type</key>
            <integer>8</integer>
        </dict>
        <dict>
            <key>action</key>
            <string> </string>
            <key>date</key>
            <date>2018-04-13T00:32:03Z</date>
            <key>details</key>
            <string> </string>
            <key>type</key>
            <integer>14</integer>
        </dict>
        <dict>
            <key>action</key>
            <string>JS:Trojan.JS.Agent.SBY</string>
            <key>date</key>
            <date>2018-04-13T01:12:51Z</date>
            <key>details</key>
            <string>/Users/apple/.Trash/Recovered files #7/Outlook Temp/JC7458948.zip=&gt;JC7458948/JC7458948.jse=&gt;(INFECTED_JS)</string>
            <key>type</key>
            <integer>0</integer>
        </dict>
        <dict>
            <key>action</key>
            <string>JS:Trojan.JS.Agent.SBY</string>
            <key>date</key>
            <date>2018-04-13T01:12:52Z</date>
            <key>details</key>
            <string>/Users/apple/.Trash/Recovered files #7/Outlook Temp/JC7458948[1].zip=&gt;JC7458948/JC7458948.jse=&gt;(INFECTED_JS)</string>
            <key>type</key>
            <integer>0</integer>
        </dict>
        <dict>
            <key>action</key>
            <string>JS:Trojan.JS.Downloader.DOY</string>
            <key>date</key>
            <date>2018-04-13T01:17:10Z</date>
            <key>details</key>
            <string>/Users/apple/Documents/Microsoft User Data/Office 2011 Identities/Main Identity/Data Records/Message Attachments/0T/0B/0M/35K/x26_35408.olk14MsgAttach=&gt;FedEx_Track_6731205384.zip=&gt;FedEx_Track_6731205384/FedEx_Track_6731205384.js=&gt;(INFECTED_JS)</string>
            <key>type</key>
            <integer>0</integer>
        </dict>
        <dict>
            <key>action</key>
            <string>JS:Trojan.JS.Downloader.DOY</string>
            <key>date</key>
            <date>2018-04-13T01:44:42Z</date>
            <key>details</key>
            <string>/Users/apple/Documents/Microsoft User Data/Office 2011 Identities/Main Identity/Data Records/Message Sources/0T/0B/0M/35K/x27_35252.olk14MsgSource=&gt;[Subject: Preston Roman agent Fedex][Date: Wed, 29 Jun 2016 20:02:52 +0100]=&gt;FedEx_Track_6731205384.zip=&gt;FedEx_Track_6731205384/FedEx_Track_6731205384.js=&gt;(INFECTED_JS)</string>
            <key>type</key>
            <integer>0</integer>
        </dict>
        <dict>
            <key>action</key>
            <string>JS:Trojan.Cryxos.646</string>
            <key>date</key>
            <date>2018-04-13T01:44:46Z</date>
            <key>details</key>
            <string>/Users/apple/Documents/Microsoft User Data/Office 2011 Identities/Main Identity/Data Records/Message Sources/0T/0B/0M/35K/x27_35467.olk14MsgSource=&gt;[Subject: Credit details ID: 246329][Date: Mon, 4 Jul 2016 15:34:50 +0100]=&gt;Report_TR539683952.zip=&gt;Report_TR539683952/Report_TR539683952.js=&gt;(INFECTED_JS)</string>
            <key>type</key>
            <integer>0</integer>
        </dict>
        <dict>
            <key>action</key>
            <string>JS:Trojan.JS.Downloader.NI</string>
            <key>date</key>
            <date>2018-04-13T01:47:37Z</date>
            <key>details</key>
            <string>/Users/apple/Documents/Microsoft User Data/Office 2011 Identities/Main Identity/Data Records/Message Sources/0T/0B/0M/44K/x27_44426.olk14MsgSource=&gt;[Subject: Delivery Notification, ID 0000661548][Date: Mon, 5 Dec 2016 21:23:31 +0100]=&gt;Label_0000661548.zip=&gt;Label_0000661548.doc.wsf=&gt;(INFECTED_JS)</string>
            <key>type</key>
            <integer>0</integer>
        </dict>
        <dict>
            <key>action</key>
            <string>JS:Trojan.Cryxos.349</string>
            <key>date</key>
            <date>2018-04-13T01:47:55Z</date>
            <key>details</key>
            <string>/Users/apple/Documents/Microsoft User Data/Office 2011 Identities/Main Identity/Data Records/Message Sources/0T/0B/0M/45K/x27_45203.olk14MsgSource=&gt;[Subject: Parcel #0000519817 shipment problem, please review][Date: Sat, 24 Dec 2016 00:04:00 +0100]=&gt;Undelivered-Parcel-ID-0000519817.zip=&gt;Undelivered-Parcel-ID-0000519817.doc.wsf=&gt;(INFECTED_JS)</string>
            <key>type</key>
            <integer>0</integer>
        </dict>
        <dict>
            <key>action</key>
            <string>Trojan.Agent.JS.IL</string>
            <key>date</key>
            <date>2018-04-13T01:47:57Z</date>
            <key>details</key>
            <string>/Users/apple/Documents/Microsoft User Data/Office 2011 Identities/Main Identity/Data Records/Message Sources/0T/0B/0M/45K/x27_45206.olk14MsgSource=&gt;[Subject: Parcel 000543097 delivery notification, FedEx][Date: Sat, 24 Dec 2016 22:22:16 +0300]=&gt;Undelivered-Package-000543097.zip=&gt;Undelivered-Package-000543097.doc.wsf</string>
            <key>type</key>
            <integer>0</integer>
        </dict>
        <dict>
            <key>action</key>
            <string>JS:Trojan.Cryxos.329</string>
            <key>date</key>
            <date>2018-04-13T01:48:00Z</date>
            <key>details</key>
            <string>/Users/apple/Documents/Microsoft User Data/Office 2011 Identities/Main Identity/Data Records/Message Sources/0T/0B/0M/45K/x27_45357.olk14MsgSource=&gt;[Subject: FedEx issue #000789409: unable to delivery parcel][Date: Tue, 3 Jan 2017 02:20:25 +0000]=&gt;Undelivered-Parcel-ID-000789409.zip=&gt;Undelivered-Parcel-ID-000789409.doc.wsf=&gt;(INFECTED_JS)</string>
            <key>type</key>
            <integer>0</integer>
        </dict>
        <dict>
            <key>action</key>
            <string>JS:Trojan.Cryxos.1422</string>
            <key>date</key>
            <date>2018-04-13T01:48:24Z</date>
            <key>details</key>
            <string>/Users/apple/Documents/Microsoft User Data/Office 2011 Identities/Main Identity/Data Records/Message Sources/0T/0B/0M/46K/x27_46256.olk14MsgSource=&gt;[Subject: Cassandra agent Fedex][Date: Tue, 17 Jan 2017 19:32:09 +0100]=&gt;GFX 3748940238.zip=&gt;GFX 3748940238/GFX 3748940238.js=&gt;(INFECTED_JS)</string>
            <key>type</key>
            <integer>0</integer>
        </dict>
        <dict>
            <key>action</key>
            <string>JS:Trojan.JS.Agent.PXR</string>
            <key>date</key>
            <date>2018-04-13T01:53:25Z</date>
            <key>details</key>
            <string>/Users/apple/Documents/Microsoft User Data/Office 2011 Identities/Main Identity/Data Records/Message Sources/0T/0B/0M/57K/x27_57080.olk14MsgSource=&gt;[Subject: Your information must be up-to-date][Date: Thu, 10 Aug 2017 20:48:32 ]=&gt;Attached.html=&gt;(INFECTED_JS)</string>
            <key>type</key>
            <integer>0</integer>
        </dict>
        <dict>
            <key>action</key>
            <string>VB:Trojan.Valyria.1070</string>
            <key>date</key>
            <date>2018-04-13T01:56:12Z</date>
            <key>details</key>
            <string>/Users/apple/Documents/Microsoft User Data/Office 2011 Identities/Main Identity/Data Records/Message Sources/0T/0B/0M/62K/x27_62751.olk14MsgSource=&gt;[Subject: Re: Awards Survey][Date: Mon, 4 Dec 2017 10:56:16 +0000]=&gt;Request.doc=&gt;word/vbaProject.bin</string>
            <key>type</key>
            <integer>2</integer>
        </dict>
        <dict>
            <key>action</key>
            <string>JS:Trojan.JS.Agent.SBY</string>
            <key>date</key>
            <date>2018-04-13T01:56:38Z</date>
            <key>details</key>
            <string>/Users/apple/Documents/Microsoft User Data/Office 2011 Identities/Main Identity/Data Records/Message Sources/0T/0B/0M/64K/x27_64142.olk14MsgSource=&gt;[Subject: Sarah Mackenzie agent FedEx][Date: Tue, 16 Jan 2018 17:14:18 +0100]=&gt;JC7458948.zip=&gt;JC7458948/JC7458948.jse=&gt;(INFECTED_JS)</string>
            <key>type</key>
            <integer>0</integer>
        </dict>
        <dict>
            <key>action</key>
            <string>JS:Trojan.Cryxos.1486</string>
            <key>date</key>
            <date>2018-04-13T01:57:54Z</date>
            <key>details</key>
            <string>/Users/apple/Documents/Microsoft User Data/Office 2011 Identities/Main Identity/Data Records/Message Sources/0T/0B/0M/65K/x27_65720.olk14MsgSource=&gt;[Subject: Dan Quinn your manager FedEx][Date: Tue, 13 Feb 2018 23:19:36 +0100]=&gt;DX46723847.rar=&gt;DX46723847\DX46723847.jse=&gt;(INFECTED_JS)</string>
            <key>type</key>
            <integer>5</integer>
        </dict>
        <dict>
            <key>action</key>
            <string> </string>
            <key>date</key>
            <date>2018-04-13T02:26:25Z</date>
            <key>details</key>
            <string> </string>
            <key>type</key>
            <integer>8</integer>
        </dict>
        <dict>
            <key>action</key>
            <string> </string>
            <key>date</key>
            <date>2018-04-13T02:42:27Z</date>
            <key>details</key>
            <string> </string>
            <key>type</key>
            <integer>15</integer>
        </dict>
        <dict>
            <key>action</key>
            <string> </string>
            <key>date</key>
            <date>2018-04-13T03:22:30Z</date>
            <key>details</key>
            <string> </string>
            <key>type</key>
            <integer>8</integer>
        </dict>
        <dict>
            <key>action</key>
            <string> </string>
            <key>date</key>
            <date>2018-04-13T04:22:24Z</date>
            <key>details</key>
            <string> </string>
            <key>type</key>
            <integer>8</integer>
        </dict>
        <dict>
            <key>action</key>
            <string> </string>
            <key>date</key>
            <date>2018-04-13T06:22:26Z</date>
            <key>details</key>
            <string> </string>
            <key>type</key>
            <integer>8</integer>
        </dict>
        <dict>
            <key>action</key>
            <string> </string>
            <key>date</key>
            <date>2018-04-13T08:22:27Z</date>
            <key>details</key>
            <string> </string>
            <key>type</key>
            <integer>8</integer>
        </dict>
        <dict>
            <key>action</key>
            <string> </string>
            <key>date</key>
            <date>2018-04-13T11:22:36Z</date>
            <key>details</key>
            <string> </string>
            <key>type</key>
            <integer>8</integer>
        </dict>
        <dict>
            <key>action</key>
            <string> </string>
            <key>date</key>
            <date>2018-04-13T12:22:31Z</date>
            <key>details</key>
            <string> </string>
            <key>type</key>
            <integer>8</integer>
        </dict>
        <dict>
            <key>action</key>
            <string> </string>
            <key>date</key>
            <date>2018-04-13T15:22:35Z</date>
            <key>details</key>
            <string> </string>
            <key>type</key>
            <integer>8</integer>
        </dict>
    </array>
</dict>
</plist>


#2 buddy215


Posted 14 April 2018 - 05:32 PM

Do you recognize those messages from FedEx? Were they legit?


“Every atom in your body came from a star that exploded and the atoms in your left hand probably came from a different star than your right hand. It really is the most poetic thing I know about physics...you are all stardust.”Lawrence M. Krauss
A 1792 U.S. penny, designed in part by Thomas Jefferson and George Washington, reads “Liberty Parent of Science & Industry.”

#3 quietman7


Posted 14 April 2018 - 08:42 PM


I have never used a Mac but most of the log detections appear to be those detected by F-Secure.

Trojan:JS/Cryxos

Cryxos trojans display an alarming notification message saying that the user's computer or web browser has been 'blocked' due to a virus infection, and that their personal details are 'being stolen'. The user is then directed to call a phone number for assistance in the 'removal process'. This is a version of a 'call support' scam.


Trojan:JS/Agent

Trojan:Java/Rowindal is a maliciously-crafted Java class component that attempts to exploit a known vulnerability (CVE-2010-0094) in the Java Runtime Environment (JRE) in order to perform remote code execution.


Trojan-Downloader:JS/Agent

Trojan-Downloader:JS/Agent is a large family of programs that secretly download, install and execute harmful files.


VB:Trojan.Valyria

TROJ_VALYRIA is a password protected Microsoft document file containing malicious scripts embedded in its document body (detected as VBS_NEMUCOD). NEMUCOD, a script malware known through its highly obfuscated “download and execution” script, is now evolving from JavaScript to a Visual Basic Script malware.


Windows Insider MVP 2017-2018
Microsoft MVP Reconnect 2016
Microsoft MVP Consumer Security 2007-2015
Member of UNITE, Unified Network of Instructors and Trusted Eliminators

#4 STS-1


Posted 16 April 2018 - 10:24 PM

So from these logs is it correct to say that there was more than 1 infection source? The user thinks that the system was infected on Oct 3 2017 by visiting a malicious website, but if I understand this correctly there were multiple infections at different dates.... Is it possible to download multiple malware infections from a website at once? Basically I want to figure out if there was one source of infection, or multiple infections that just were not discovered until now (is it possible to tell this from the logs?) I am not sure if the fed-ex emails are legit, but I can find out.... @quietman7- I'm a little confused about why you said there was a F-secure detection, as this is a Bitdefender log?
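The posted log only carries the 13 April 2018 scan timestamps, but the `=>` chain in each `details` string also embeds the original email's Subject and Date headers, and grouping detections by those arrival dates is one way to approach the one-source-or-many question asked above. The parser below is an added example written for this thread, not Bitdefender's own tooling; it runs on a constructed, shortened copy of the posted log and assumes the field names (`logs`, `action`, `date`, `details`, `type`) seen in it.

```python
"""Timeline a Bitdefender-for-Mac plist log by when each carrying email arrived,
not by the scan timestamp. Added example for this thread, not Bitdefender's own
tooling; SAMPLE_LOG is a constructed, shortened copy of the log posted above."""
import plistlib
import re
from collections import Counter
from email.utils import parsedate_to_datetime

SAMPLE_LOG = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict><key>logs</key><array>
<dict><key>action</key><string> </string><key>date</key><date>2018-04-13T00:15:08Z</date><key>details</key><string> </string><key>type</key><integer>16</integer></dict>
<dict><key>action</key><string>JS:Trojan.JS.Agent.SBY</string><key>date</key><date>2018-04-13T01:12:51Z</date><key>details</key><string>/Users/apple/.Trash/Recovered files #7/Outlook Temp/JC7458948.zip=&gt;JC7458948/JC7458948.jse=&gt;(INFECTED_JS)</string><key>type</key><integer>0</integer></dict>
<dict><key>action</key><string>JS:Trojan.JS.Downloader.DOY</string><key>date</key><date>2018-04-13T01:44:42Z</date><key>details</key><string>/Users/apple/Documents/Microsoft User Data/x27_35252.olk14MsgSource=&gt;[Subject: Preston Roman agent Fedex][Date: Wed, 29 Jun 2016 20:02:52 +0100]=&gt;FedEx_Track_6731205384.zip=&gt;FedEx_Track_6731205384/FedEx_Track_6731205384.js=&gt;(INFECTED_JS)</string><key>type</key><integer>0</integer></dict>
<dict><key>action</key><string>JS:Trojan.JS.Agent.PXR</string><key>date</key><date>2018-04-13T01:53:25Z</date><key>details</key><string>/Users/apple/Documents/Microsoft User Data/x27_57080.olk14MsgSource=&gt;[Subject: Your information must be up-to-date][Date: Thu, 10 Aug 2017 20:48:32 ]=&gt;Attached.html=&gt;(INFECTED_JS)</string><key>type</key><integer>0</integer></dict>
<dict><key>action</key><string>JS:Trojan.Cryxos.1486</string><key>date</key><date>2018-04-13T01:57:54Z</date><key>details</key><string>/Users/apple/Documents/Microsoft User Data/x27_65720.olk14MsgSource=&gt;[Subject: Dan Quinn your manager FedEx][Date: Tue, 13 Feb 2018 23:19:36 +0100]=&gt;DX46723847.rar=&gt;DX46723847\\DX46723847.jse=&gt;(INFECTED_JS)</string><key>type</key><integer>5</integer></dict>
</array></dict></plist>"""

# Outlook message sources carry the original mail headers inside the details chain.
MAIL_RE = re.compile(r"\[Subject: (?P<subject>.*?)\]\[Date: (?P<date>.*?)\]")


def parse_detections(plist_bytes):
    """One record per real finding; rows with a blank 'action' are scan
    start/stop/status events and are skipped."""
    records = []
    for entry in plistlib.loads(plist_bytes)["logs"]:
        if not entry["action"].strip():
            continue
        # 'details' is a '=>' chain: container, optional mail headers, archive,
        # archive member, then a verdict tag such as (INFECTED_JS) that we drop.
        chain = [p for p in entry["details"].split("=>") if not p.startswith("(")]
        m = MAIL_RE.search(entry["details"])
        records.append({
            "name": entry["action"],
            "scanned": entry["date"],  # plistlib turns <date> into a datetime
            "container": chain[0],
            "payload": chain[-1].rsplit("/", 1)[-1].rsplit("\\", 1)[-1],
            "subject": m.group("subject") if m else None,
            # the email Date header is the only clue to when each lure arrived
            "received": parsedate_to_datetime(m.group("date").strip()) if m else None,
        })
    return records


def timeline(records):
    """Bucket findings by arrival month. A spread over many months means the
    scanner swept a mail store of separate lures, not one infection event."""
    by_month, undated = {}, 0
    for r in records:
        if r["received"] is None:  # Trash/temp copies carry no mail headers
            undated += 1
            continue
        by_month.setdefault(r["received"].strftime("%Y-%m"), []).append(r["name"])
    exts = Counter(r["payload"].rsplit(".", 1)[-1].lower() for r in records)
    return dict(sorted(by_month.items())), exts, undated


if __name__ == "__main__":
    months, exts, undated = timeline(parse_detections(SAMPLE_LOG))
    for month, names in months.items():
        print(month, ", ".join(names))
    print("payload types:", dict(exts), "| undated copies:", undated)
```

Run against the full log, the same grouping shows the Windows script attachments (.js, .jse, .wsf) sitting in mail received between mid-2016 and early 2018, which is a different picture from a single event on one date.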



#5 quietman7


Posted 17 April 2018 - 05:10 AM

I Google searched the infection names identified in the logs and most came back to definitions by F-Secure. It is possible that Bitdefender uses the same naming conventions but the search did not yield any results.

Typically, each security vendor uses their own naming conventions to identify various types of malware so it's sometimes difficult to determine exactly what has been detected or the nature of the threat without knowing more information about the detection.

#6 buddy215


Posted 17 April 2018 - 07:14 AM

As to whether the emails are legit....I would think it rather gullible to fall for the same type of scam multiple times. 

Also....that "malware" may not infect an Apple computer...assuming those emails are from a non-legit source. 


#7 STS-1


Posted 23 April 2018 - 11:25 AM

Ok, thanks guys that gives me more info to look up and review...Appreciate the help! (do I need to close the topic or anything?)



#8 buddy215


Posted 23 April 2018 - 12:36 PM

Topic will stay open....you're welcome
