Author Topic: What can sefely be fixed? (Read 7915 times)

Satchfan · « **on:** December 23, 2019, 02:39:10 PM »

I have a user whose PC is heavily infected and before dealing with locked files and fixes using FRST, I'd like to know what to do with these - is it safe to 'fix' them?

Quote

¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤ Processes ¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤
[Proc.Svchost (Malicious)] svchost.exe (3980) -- C:\Windows\SysWOW64\svchost.exe -> Found
[Proc.Svchost (Malicious)] svchost.exe (3992) -- C:\Windows\SysWOW64\svchost.exe -> Found
[Proc.Svchost (Malicious)] svchost.exe (2332) -- C:\Windows\SysWOW64\svchost.exe -> Found
[Proc.Svchost (Malicious)] svchost.exe (9800) -- C:\Windows\SysWOW64\svchost.exe -> Found

¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤ Process Modules ¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤

¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤ Services ¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤
[Hidden.From.Registry (Malicious)] Msfs (0) -- N/A -> Found
[Hidden.From.Registry (Malicious)] mshidkmdf (0) -- \SystemRoot\System32\drivers\mshidkmdf.sys -> Found
[Hidden.From.Registry (Malicious)] mshidumdf (0) -- \SystemRoot\System32\drivers\mshidumdf.sys -> Found
[Hidden.From.Registry (Malicious)] MSKSSRV (0) -- \SystemRoot\System32\drivers\MSKSSRV.sys -> Found
[Hidden.From.Registry (Malicious)] msiserver (0) -- C:\WINDOWS\system32\msiexec.exe /V -> Found

Satchfan

Curson · « **Reply #1 on:** December 23, 2019, 04:38:17 PM »

Hi Satchfan,

At first sight, these look like legit Windows files.
Could you please ask the user to export RogueKiller full JSON scan report and attach it with your next reply ? A link to the disinfection thread will also be useful.

EDIT : An Adlice Diag full log could also prove to be helpful.

Regards.

Satchfan · « **Reply #2 on:** December 23, 2019, 05:44:30 PM »

Will do when I hear from them.

Satchfan · « **Reply #3 on:** December 23, 2019, 11:32:55 PM »

No reply yet but topic is here:

https://forums.whatthetech.com/index.php?showtopic=132142

Satchfan · « **Reply #4 on:** December 25, 2019, 09:54:19 AM »

I asked them to run a cmd command as follows:

RogueKillerCMD.exe -scan -params "-reportpath """C:\report.json""""

It didn't work. Please see the topic.

Curson · « **Reply #5 on:** December 26, 2019, 01:40:18 AM »

Hi Satchfan,

Thanks for your feedback.
RogueKillerCMD cannot be used like that anymore. We didn't have the time to update the documentation yet, sorry about that.

The best way is to directly use RogueKiller with this method to export the JSON log.
After opening the last report, it's possible to export it into JSON using the "Export" button > "Json file".

Additionally, I read the FRST log and I think it's possible that the rootkit is messing with some drivers keys enumeration, so it might not be safe to delete these files :

Code: [Select]

[Hidden.From.Registry (Malicious)] mshidkmdf (0) -- \SystemRoot\System32\drivers\mshidkmdf.sys -> Found
[Hidden.From.Registry (Malicious)] mshidumdf (0) -- \SystemRoot\System32\drivers\mshidumdf.sys -> Found
[Hidden.From.Registry (Malicious)] MSKSSRV (0) -- \SystemRoot\System32\drivers\MSKSSRV.sys -> Found
[Hidden.From.Registry (Malicious)] msiserver (0) -- C:\WINDOWS\system32\msiexec.exe /V -> Found

I recommend to zip them from recovery using FRST and manually analyse them.
By the way, is this infection common ? I asked my colleges at Adlice and they didn't have heard of it.

Regards.

Satchfan · « **Reply #6 on:** December 26, 2019, 12:54:36 PM »

Thanks for the information.

It doesn't appear to be a SmartService infection, which was my first thought, but a Baidu Cloud infection.

I haven't come across anything quite as bad as this but this topic also had a similar one:

https://www.bleepingcomputer.com/forums/t/633736/some-unknown-program-is-trying-to-change-my-homepage-some-pop-up-ads/

I've asked for the json log and will post here when I get it.

Curson · « **Reply #7 on:** December 27, 2019, 06:35:06 AM »

Hi Satchfan,

Thanks for the feedback.
This is a really curious infection because, even when the rootkit driver cannot be removed from Normal Mode, RogueKiller is able to detect it and that's not the case here.

Regards.

Satchfan · « **Reply #8 on:** December 28, 2019, 10:01:49 PM »

Haven't got a clue if this is the report you wanted bt this is what the OP sent:

https://forums.whatthetech.com/index.php?showtopic=132142&view=findpost&p=889977

The FRST log I asked for was incomplete and have asked for the whole log. I'll let you know the outcome.

Curson · « **Reply #9 on:** December 29, 2019, 01:38:01 AM »

Hi Satchfan,

Yes, this is the JSON report, but incomplete as well.

Regards.

Satchfan · « **Reply #10 on:** December 29, 2019, 03:44:46 PM »

OP has sent another json which is all gobbldygook to me. Too long to post but reply is here:

https://forums.whatthetech.com/index.php?showtopic=132142&view=findpost&p=889986

Thanks

Nina

Curson · « **Reply #11 on:** December 30, 2019, 09:37:53 PM »

Hi Nina,

The interesting part is here :

Code: [Select]

{
	"scan_what": 0,
	"scan_how": [1, 2, 3, 4, 8, 6, 5, 7],
	"vendors": ["Hidden.From.Registry"],
	"name": "Msfs",
	"name_process": "",
	"target": "",
	"pid": 0,
	"path_process": "",
	"path": "",
	"file_md5": "",
	"file_sha256": "",
	"file_exists": false,
	"file_signed": false,
	"file_signer": "",
	"file_vtscore": -1,
	"file_vttotal": 0,
	"is_malicious": true,
	"detection_level": 2,
	"status_str": "Found",
	"status_choice": 2,
	"status_kill": 0,
	"malpe_score": -1.0,
	"id": 6
},
{
	"scan_what": 0,
	"scan_how": [1, 2, 3, 4, 8, 6, 5, 7],
	"vendors": ["Hidden.From.Registry"],
	"name": "mshidkmdf",
	"name_process": "",
	"target": "C:\\Windows\\System32\\drivers\\mshidkmdf.sys",
	"pid": 0,
	"path_process": "",
	"path": "\\SystemRoot\\System32\\drivers\\mshidkmdf.sys",
	"file_md5": "22813FD068277CC4994CB3FB5547AA23",
	"file_sha256": "AA5FCFEE8161EA12ED65FAB5A662EE3BFF5B7D725DEFF081FCB45C534FAC976A",
	"file_exists": true,
	"file_signed": false,
	"file_signer": "",
	"file_vtscore": -1,
	"file_vttotal": 0,
	"is_malicious": true,
	"detection_level": 2,
	"status_str": "Found",
	"status_choice": 2,
	"status_kill": 0,
	"malpe_score": -1.0,
	"id": 7
},
{
	"scan_what": 0,
	"scan_how": [1, 2, 3, 4, 8, 6, 5, 7],
	"vendors": ["Hidden.From.Registry"],
	"name": "mshidumdf",
	"name_process": "",
	"target": "C:\\Windows\\System32\\drivers\\mshidumdf.sys",
	"pid": 0,
	"path_process": "",
	"path": "\\SystemRoot\\System32\\drivers\\mshidumdf.sys",
	"file_md5": "ED11DC4C201FF6C06F171E18B379B589",
	"file_sha256": "37E1901ECF54A22D016B844B68847B3894EDCA7854D713C46951BD41684735BB",
	"file_exists": true,
	"file_signed": false,
	"file_signer": "",
	"file_vtscore": -1,
	"file_vttotal": 0,
	"is_malicious": true,
	"detection_level": 2,
	"status_str": "Found",
	"status_choice": 2,
	"status_kill": 0,
	"malpe_score": -1.0,
	"id": 8
},
{
	"scan_what": 0,
	"scan_how": [1, 2, 3, 4, 8, 6, 5, 7],
	"vendors": ["Hidden.From.Registry"],
	"name": "MSKSSRV",
	"name_process": "",
	"target": "C:\\Windows\\System32\\drivers\\mskssrv.sys",
	"pid": 0,
	"path_process": "",
	"path": "\\SystemRoot\\System32\\drivers\\MSKSSRV.sys",
	"file_md5": "E3B4680BAB18D0898E80C6E4FE05BF55",
	"file_sha256": "2F215EB0122A796674123241D7F34849B4A77E9376A373968D5ADAFAB4D428B2",
	"file_exists": true,
	"file_signed": false,
	"file_signer": "",
	"file_vtscore": -1,
	"file_vttotal": 0,
	"is_malicious": true,
	"detection_level": 2,
	"status_str": "Found",
	"status_choice": 2,
	"status_kill": 0,
	"malpe_score": -1.0,
	"id": 9
},
{
	"scan_what": 0,
	"scan_how": [1, 2, 3, 4, 8, 6, 5, 7],
	"vendors": ["Hidden.From.Registry"],
	"name": "msiserver",
	"name_process": "",
	"target": "C:\\Windows\\System32\\msiexec.exe",
	"pid": 0,
	"path_process": "",
	"path": "C:\\WINDOWS\\system32\\msiexec.exe /V",
	"file_md5": "2D9F692E71D9985F1C6237F063F6FE76",
	"file_sha256": "199B3890D28A1F5906F4014E73615A268B3C4414F1F71697BF13E0D464258D54",
	"file_exists": true,
	"file_signed": false,
	"file_signer": "",
	"file_vtscore": -1,
	"file_vttotal": 0,
	"is_malicious": true,
	"detection_level": 2,
	"status_str": "Found",
	"status_choice": 2,
	"status_kill": 0,
	"malpe_score": -1.0,
	"id": 10
}

According to the hashes reported by RogueKiller and after submitting them to VirusTotal, these files are legit.
It may be a bug with RogueKiller or, like I said earlier, the rootkit is messing with the files enumeration functions. In any case, it could be interesting to see if those detections are still present after the rootkit removal.

I will follow at thread at whatthetech with great interest.

Regards.

Satchfan · « **Reply #12 on:** December 31, 2019, 10:47:15 AM »

Thanks for the reply and your help so far. I'll see how it pans out.

As this is not a SmartService infection and the OP is having trouble with the RE, I may try MBAR to deal with the rootkit and take it from there.

Nina

Curson · « **Reply #13 on:** January 01, 2020, 06:26:58 AM »

Hi Nina,

You are very welcome.
MBAR may work. At least, RogueKiller driver wasn't unable to load. With a little chance, it will be the same with MBAR driver.

Regards.

Curson · « **Reply #14 on:** January 06, 2020, 05:40:42 PM »

Hi Nina,

I just saw that MBAR was able to detect and delete the rootkit successfully. Could you please ask the user to upload this file from MBAR quarantine ?

Quote

c:\windows\system32\msdd0c5c30app.dll (Trojan.Crypt) -> Delete on reboot. [d5ced26c0fc7e6503f612d3009f8b64a]

It will be very interesting for us to analyse it so we can improve RogueKiller detection efficiency of this particular malware.

Regards.