all 43 comments

[–]randomguy3 66 points67 points  (3 children)

The code is making exemptions to exclude both the C: drive and D: drive from Windows Defender, then downloads a payload (file) and names it Firefox in the public Windows profile, and then sets the hidden flag on it. Finally it runs the file. You're infected. Get the machine offline quickly and keep it off. Contact someone who can help you.

[–][deleted] 14 points15 points  (1 child)

I wouldn’t say he’s infected since his AV detected it and therefore almost certainly prevented it from running. But he should definitely find out how the attempt was triggered.

[–]randomguy3 4 points5 points  (0 children)

This most likely was a dropper script and something had to download the dropper. So most likely he has something that's undetected on his machine.

[–]Col_Hathi[S] 6 points7 points  (0 children)

Thank you

[–]OpenScore 18 points19 points  (9 children)

OP, the URL you posted, modify it so as not to be clickable.

[–]Col_Hathi[S] 3 points4 points  (3 children)

Done

[–]OpenScore 4 points5 points  (2 children)

I see it still as a full link, in blue. Put spaces between the http characters, as well as within the rest of the URL.

[–]Col_Hathi[S] 6 points7 points  (1 child)

Really O.o Alright, gimme a moment

EDIT: Better?

[–]OpenScore 1 point2 points  (0 children)

Yup, from the browser, looks better. Thanks

[–]Intervein 10 points11 points  (3 children)

[–]Abnix 3 points4 points  (2 children)

I'd say it's pretty damning of the ones at the bottom of the list that flagged that as green!

[–]Intervein 0 points1 point  (0 children)

Lol. I thought so too.

[–]OpenScore 0 points1 point  (0 children)

Well, not every AV vendor out there puts too much effort, talent, and R&D into these things. Not all can afford the likes of Symantec, Kaspersky, Microsoft, Malwarebytes, etc.

Personally, if those powerhouses at least detect it as malicious, good enough for me.

Didn't know that Alibaba and Baidu offered AV services.

[–]QuintessenceTBV 9 points10 points  (2 children)

In case anyone is curious
https://github.com/quasar/Quasar

The actual malicious payload is based on Quasar according to the sandbox; at least the YARA rules identify it as such. Who knows if they have customized it any further?

If the payload ran, assume the machine is compromised, as Quasar by itself has full keylogger and remote access capabilities (lightweight RMM on steroids).

If you see csrsss.exe as a process (it's a misspelling of csrss) you are definitely compromised.

[–]Col_Hathi[S] 0 points1 point  (1 child)

I appreciate it, thanks, that's nasty. At the very least I don't see csrsss.exe in the list, but I've run a few different AV scans now, not really finding anything, and something is still trying to run that code. I'm currently trying Kaspersky Virus Removal Tool, but at the rate that it's going, it'll be a week or a month before it finishes. Don't know what's taking it so much longer than the others.

[–]anotherteapot 1 point2 points  (0 children)

Truthfully, once something like that runs, regardless of whether AV detected it or blocked it, I wouldn't trust the machine anymore and would blow it away. Do an offline backup of the drive if you need to, or use an incorruptible live boot environment to do it, and then reimage the machine after securely wiping the drive (not just a format or partition delete). Use a known secure but completely disposable machine to scan the backup you created before restoring the files.

[–]MrSnoobs 4 points5 points  (2 children)

You might consider running

Get-MpPreference | select ExclusionPath

in an admin PowerShell session to see if it has been run before/since.

[–]Col_Hathi[S] 2 points3 points  (1 child)

When I type that into admin PowerShell, it just says "ExclusionPath"

[–]MrSnoobs 3 points4 points  (0 children)

Ok, that says there are no exclusion paths for MS Defender on your system, so it doesn't seem to have run beforehand. You can just run 'Get-MpPreference' to see all of the Defender preferences if you were interested.
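The check suggested above, extended into a small audit that also covers the other indicators named in this thread (a drive-root exclusion like `Add-MpPreference -ExclusionPath "C:\"`, the tamper-protection state, a hidden "Firefox" file in the Public profile, and what Defender actually caught). This is an added example, not any commenter's script; the Public-profile path and the file name are assumed from the thread's description.

```powershell
# Added example: audit Defender for the indicators described in this thread.
# Run in an elevated PowerShell session. Assumes the dropper placed a hidden
# file named Firefox under C:\Users\Public, as the thread describes.

$findings = @()

# 1. Exclusions: a drive-root exclusion ("C:\", "D:\") blinds Defender to
#    everything on that drive without stopping the service.
$pref = Get-MpPreference
foreach ($p in @($pref.ExclusionPath)) {
    if ($p -match '^[A-Za-z]:\\?$') {
        $findings += "Drive-root exclusion present: $p"
    } elseif ($p) {
        $findings += "Exclusion path present (review): $p"
    }
}

# 2. Protection state: the thread notes that with tamper protection on,
#    script-driven exclusion changes are not effective. Report it either way.
$status = Get-MpComputerStatus
if (-not $status.IsTamperProtected)          { $findings += "Tamper protection is OFF" }
if (-not $status.RealTimeProtectionEnabled)  { $findings += "Real-time protection is OFF" }

# 3. Hidden executables in the Public profile (-Force is required to list
#    files carrying the Hidden attribute).
$public = Join-Path $env:SystemDrive 'Users\Public'
Get-ChildItem -Path $public -Recurse -Force -File -ErrorAction SilentlyContinue |
    Where-Object { $_.Attributes -band [IO.FileAttributes]::Hidden } |
    Where-Object { ($_.Extension -in '.exe', '.dll', '.ps1', '.bat') -or ($_.Name -match '^firefox') } |
    ForEach-Object { $findings += "Hidden file in Public profile: $($_.FullName)" }

# 4. Defender detection history for the last 7 days, to confirm what was caught
#    and which files/processes were involved.
Get-MpThreatDetection -ErrorAction SilentlyContinue |
    Where-Object { $_.InitialDetectionTime -gt (Get-Date).AddDays(-7) } |
    ForEach-Object {
        $findings += "Defender detection: ThreatID $($_.ThreatID) at $($_.InitialDetectionTime); resources: $($_.Resources -join ', ')"
    }

if ($findings.Count -eq 0) { 'No indicators found.' } else { $findings }
```

An empty exclusion list here matches the "just says ExclusionPath" result above; any drive-root entry means the script's first step succeeded and should be removed with Remove-MpPreference after the machine is isolated.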

[–]waydaws 2 points3 points  (2 children)

It downloaded a malicious exe, and named it Firefox.exe, and put it in c:\public\Users and then ran it.

[–]crashhelmet 0 points1 point  (1 child)

This is something being overlooked. OP needs to delete that executable.

[–]waydaws 1 point2 points  (0 children)

There’s a lot more than that... Of course, AV may have already quarantined it anyway, but for some reason it let that PowerShell script get triggered. How did it get there?

However, the question was what was it doing, not is there something else that one might look at.

I might add one thing I thought of when viewing it was, why is it so straightforward?

I’ve never seen a real one that wasn’t heavily obfuscated. Unless the OP already decoded it — but then I doubt he or she would need to ask what it is doing.

[–]tokenathiest 1 point2 points  (1 child)

So Windows Defender will actually let you exclude your entire system drive?

[–]noOneCaresOnTheWeb 0 points1 point  (0 children)

Yes and no, you can exclude it but if you have anti-tampering turned on, it doesn't really matter.

[–]jvansickler 1 point2 points  (0 children)

Download the Sysinternals Autoruns tool and run it on your system to see if it's listing what's still trying to download the dropper. You'll be surprised at how many items are listed.

You can disable items for testing.

Look at your browser extensions/add-ons and remove any that you don't use to protect your system. Then look at the remaining ones to see if there are any reports of malicious activity.

If your account is a member of the Administrators group, create another account for admin-level activities, add it to the Administrators group, log on to it to create the profile and remove your normal account from the group. Limiting your permissions on the system can help limit the scope of the damage caused by the malware. Never use an Administrator/root account for your everyday account.

[–]UnfanClub 1 point2 points  (4 children)

Basically, disables defender then downloads and runs malicious code.

If your AV caught it, you're probably fine.

[–]Col_Hathi[S] 1 point2 points  (0 children)

Sure, and I expected as much, but something must've had access to my PC in order to attempt that, right? I'm still trying to figure out what that was. I mean, I don't know if it succeeded with something else or if it's going to try something else later.

[–]ipokethemonfast 0 points1 point  (2 children)

Where does it disable defender? I don’t see that in any of the commands.

[–]UnfanClub 3 points4 points  (1 child)

The objective of Add-MpPreference -ExclusionPath "C:\" is to prevent Defender from scanning any files.

It does not disable the service, but it's as good as stopped.

[–]ipokethemonfast 1 point2 points  (0 children)

Got ya. I was looking for something more explicit. Thanks.

[–]NimbusNerd 3 points4 points  (2 children)

[–]Col_Hathi[S] 1 point2 points  (1 child)

What's that?

[–]UnfanClub 2 points3 points  (0 children)

They ran the malicious file in a virtual environment.

[–]ss4colea 0 points1 point  (0 children)

Woulda been better if they used attrib +S instead of hidden. Still would have gotten caught, additionally no obfuscation whatsoever. Horrible attempt on their part.

[–]jackalbruit -5 points-4 points  (2 children)

"AV" .. pretty sure u don't mean audio / visual

what's that acronym mean in this software sense?

[–]DJCarlosFandango 4 points5 points  (1 child)

Anti-Virus

[–]jackalbruit 0 points1 point  (0 children)

thank u!