shmu26

I have done everything according to your settings, but unfortunately one malware sample could still be written to disk. No malware is active, but it still managed to get in. Can you advise me what settings to use in novirustnx so that this malware cannot be written to disk? Thanks. Alternatively I could send a sample by PM:
It is in fact my only defense.

vulnerable process standard
novirustnx

https://www.hybrid-analysis.com/sample/874386307b593bd7cc783b17c179849351f8a9b1f72e815e05337ba6c35ac298?environmentId=100


Hi, I can't analyse this in-depth, maybe @Umbra can handle it?

But I can tell you in a general way that NVT ERP does not block all types of executable files. It primarily blocks exe files, and in addition, the default vulnerable processes list will produce prompts whenever a script interpreter is invoked, unless you specifically whitelisted that particular command-line. So you are covered for the scripts, too.

But it will not block the rarer executable file types by default. For instance, HTA files are not blocked or prompted.
The tweak for this is to add the corresponding process to the vulnerable processes list.
For instance, in order to get a prompt every time an HTA wants to execute, you would add MSHTA.exe to the VPL. You need to add it both in system32 and in syswow64.

I hope someone else can analyse what went wrong here.
 

Davidov

Can you give me a screenshot of adding Mshta.exe to the VPL? Thanks. Maybe VoodooShield would be a better choice, don't you think?

shmu26

Can you give me a screenshot of adding Mshta.exe to the VPL? Thanks. Maybe VoodooShield would be a better choice, don't you think?
Here is a screenshot for mshta. Look at the end of the list, not at the process that I accidentally highlighted.
About VS: try it, see if you like it.
NVT ERP is more tweakable and you can achieve a higher level of control over your system. Also, it is easier to understand how it works and what it does.
VS is harder to understand. I have asked the dev a number of questions about how his product works, and I usually get a vague answer or no answer at all. But I can't knock it, it is a good product, and anyways, I like Dan!

Davidov

Thank you for the screenshot. Mam rad free products or lifetime licenses. Thank you again for the quick reply.
We'll also see what Umbra has to say.

shmu26

Thank you for the screenshot. Mam rad free products or lifetime licenses. Thank you again for the quick reply.
Sorry, I did not understand what you meant by "mam rad".
VS is free, but if you want to tweak it at all, you need the paid edition.
NVT ERP free beta will probably stay exactly what it is, forever, because the dev hasn't been working on it for a really long time. Fortunately for us, it still works; we just have to refresh the vulnerable processes list after a major Windows update (because it identifies these processes by their hash value).

About the test you did, where NVT ERP didn't block everything:
this is just an idea, but maybe the malware had a digital signature that is on your trusted vendors list?

509322

Just because a new directory has been created does not mean the system has been compromised.

Anyhow...

Java.exe and Javaw.exe have not been added to the Vulnerable Process list.

Javaws.exe executes and creates the directory you see in the video:

javaw.exe -jar %USERPROFILE%\ciqrTxXDYEf\ibpsQYZrydg.LMyhXU (PID: 3968)

2016-12-06 14:56:45,136 NtCreateFile ShareAccess: 3
FileName: C:\Documents and Settings\User\ciqrTxXDYEf\ibpsQYZrydg.LMyhXU
DesiredAccess: 0x80100080
CreateDisposition: 1
FileHandle: 0x00000784
success 0x00000000

RED = Whitelisted = Allowed according to the settings shown in the video

Analysed 27 processes in total (System Resource Monitor).
  • javaw.exe -jar "C:\OUR_RFQ_00132432_DR.jar" (PID: 3536)
    • cmd.exe /C cscript.exe %TEMP%\Retrive1058460326490019966.vbs (PID: 3428)
      • cscript.exe %TEMP%\Retrive1058460326490019966.vbs (PID: 3868)
    • cmd.exe /C cscript.exe %TEMP%\Retrive1149615568008974626.vbs (PID: 2460)
      • cscript.exe %TEMP%\Retrive1149615568008974626.vbs (PID: 2524)
    • xcopy.exe xcopy "%PROGRAMFILES%\Java\jre1.8.0_25" "%APPDATA%\Oracle\" /e (PID: 2736)
    • cmd.exe (PID: 3584)
    • reg.exe reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Run /v oQVctnZIiYT /t REG_EXPAND_SZ /d "\"%APPDATA%\Oracle\bin\javaw.exe\" -jar \"%USERPROFILE%\ciqrTxXDYEf\ibpsQYZrydg.LMyhXU\"" /f (PID: 3944)
    • attrib.exe attrib +h "%USERPROFILE%\ciqrTxXDYEf\*.*" (PID: 3980)
    • attrib.exe attrib +h "%USERPROFILE%\ciqrTxXDYEf" (PID: 3964)
    • javaw.exe -jar %USERPROFILE%\ciqrTxXDYEf\ibpsQYZrydg.LMyhXU (PID: 3968)
      • cmd.exe /C cscript.exe %TEMP%\Retrive3984093991566103404.vbs (PID: 4016)
        • cscript.exe %TEMP%\Retrive3984093991566103404.vbs (PID: 3996)
      • cmd.exe /C cscript.exe %TEMP%\Retrive7448424145153749442.vbs (PID: 600)
        • cscript.exe %TEMP%\Retrive7448424145153749442.vbs (PID: 1180)
      • cmd.exe (PID: 2504)
      • WMIC.exe WMIC /Node:localhost /Namespace:\\root\cimv2 Path Win32_PnpSignedDriver Get /Format:List (PID: 3532)
      • cmd.exe (PID: 1684)
        • reg.exe reg query "HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676" (PID: 3456)
      • cmd.exe (PID: 3212)
        • reg.exe reg query "HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676" (PID: 2172)
      • cmd.exe (PID: 2508)
        • reg.exe reg query "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676" (PID: 2088)
      • cmd.exe (PID: 3156)
        • reg.exe reg query "HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676" (PID: 3016)
      • cmd.exe (PID: 2608)
        • reg.exe reg query "HKEY_CURRENT_USER\Software\HeidiSQL\Servers" (PID: 2640)
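As an added illustration (not part of 509322's post and not NVT ERP code), here is a small Python script that parses a process tree in the layout above and flags the chain the analysis points at: a script host running under a Java launcher, the Run-key write, the attrib +h and the JRE copy into the user profile. The sample tree is an abridged, constructed copy of the listing above; the image lists and rule wording are my own.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Constructed sample: an abridged copy of the System Resource Monitor
# tree posted above, kept in the same "• cmdline (PID: n)" layout.
SAMPLE_TREE = r"""
  • javaw.exe -jar "C:\OUR_RFQ_00132432_DR.jar" (PID: 3536)
    • cmd.exe /C cscript.exe %TEMP%\Retrive1058460326490019966.vbs (PID: 3428)
      • cscript.exe %TEMP%\Retrive1058460326490019966.vbs (PID: 3868)
    • xcopy.exe xcopy "%PROGRAMFILES%\Java\jre1.8.0_25" "%APPDATA%\Oracle\" /e (PID: 2736)
    • reg.exe reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Run /v oQVctnZIiYT /t REG_EXPAND_SZ /d "\"%APPDATA%\Oracle\bin\javaw.exe\" -jar \"%USERPROFILE%\ciqrTxXDYEf\ibpsQYZrydg.LMyhXU\"" /f (PID: 3944)
    • attrib.exe attrib +h "%USERPROFILE%\ciqrTxXDYEf" (PID: 3964)
    • javaw.exe -jar %USERPROFILE%\ciqrTxXDYEf\ibpsQYZrydg.LMyhXU (PID: 3968)
      • cmd.exe (PID: 1684)
        • reg.exe reg query "HKEY_CURRENT_USER\Software\HeidiSQL\Servers" (PID: 2640)
"""

LINE_RE = re.compile(r"^(\s*)•\s+(.+?)\s+\(PID:\s*(\d+)\)\s*$")
JAVA_LAUNCHERS = {"java.exe", "javaw.exe", "javaws.exe"}
SCRIPT_HOSTS = {"cscript.exe", "wscript.exe", "mshta.exe", "powershell.exe"}
RUN_KEY = re.compile(r"\breg\s+add\s+\S*\\CurrentVersion\\Run\b", re.I)

@dataclass
class Proc:
    pid: int
    parent: Optional[int]   # None for the root of the tree
    cmdline: str

def image(cmdline: str) -> str:
    # First token of the line; the tree above lists bare image names.
    return cmdline.split()[0].strip('"').lower()

def parse_tree(text: str) -> Dict[int, Proc]:
    """Rebuild parent/child links from the bullet indentation."""
    procs: Dict[int, Proc] = {}
    stack: List[Tuple[int, int]] = []   # (indent, pid) of open ancestors
    for m in filter(None, map(LINE_RE.match, text.splitlines())):
        indent, cmd, pid = len(m.group(1)), m.group(2), int(m.group(3))
        while stack and stack[-1][0] >= indent:
            stack.pop()
        procs[pid] = Proc(pid, stack[-1][1] if stack else None, cmd)
        stack.append((indent, pid))
    return procs

def ancestors(procs: Dict[int, Proc], p: Proc):
    while p.parent is not None:
        p = procs[p.parent]
        yield p

def findings(procs: Dict[int, Proc]) -> List[Tuple[int, str]]:
    """Flag the behaviours the analysis above singles out."""
    out = []
    for p in procs.values():
        img, upper = image(p.cmdline), p.cmdline.upper()
        if img in SCRIPT_HOSTS and any(image(a.cmdline) in JAVA_LAUNCHERS for a in ancestors(procs, p)):
            out.append((p.pid, "script host started under a Java launcher"))
        if img == "reg.exe" and RUN_KEY.search(p.cmdline):
            out.append((p.pid, "Run-key persistence written with reg add"))
        if img == "attrib.exe" and "+H" in upper.split():
            out.append((p.pid, "dropped path hidden with attrib +h"))
        if img == "xcopy.exe" and "%APPDATA%" in upper and "JRE" in upper:
            out.append((p.pid, "JRE copied into the user profile"))
    return out
```

Run against the sample it reports four of the nine processes; the reg query under the second javaw.exe is not flagged because only a write to the Run key counts.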

shmu26

Thanks for the awesome analysis!

Davidov


"mam rad" = I like. Sorry for not translating. If it were signed malware, novirustnx probably would not have shown "blocked", in my opinion.

Davidov

Thanks for the analysis. No harmful process was created; it just bothered me that the malware was able to write to disk. What would you recommend? Adding Java to the vulnerable processes? Won't that create too many popups?

shmu26

If it were signed malware, novirustnx probably would not have shown "blocked", in my opinion.
You are right. If it is signed, and it is on the trusted vendors list (which is enabled by default, although you can modify the list, or even disable it if you wish), then you will get no prompt or message or anything.

shmu26

Thanks for the analysis. No harmful process was created; it just bothered me that the malware was able to write to disk. What would you recommend? Adding Java to the vulnerable processes? Won't that create too many popups?
I don't have Java installed on my computer, so I don't know if it will create a lot of pop-ups with your usage. But usually, you can solve that problem by editing the whitelisted command-line with wildcards.
Typically, this means replacing variables and random character strings with *. If you understand command lines and wildcards, you can do more complex editing.

For instance, I had a command-line string like this:
"C:\Program Files (x86)\Zipware\Zipware.exe" "from-contextmenu-C:\ProgramData\Zipware\Working\SelectedItems-2016120612030774.txt"

After editing, it looks like this:
"C:\Program Files (x86)\Zipware\Zipware.exe" "from-contextmenu-C:\ProgramData\Zipware\Working\SelectedItems-*.txt"
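An added example of the wildcard editing described above (my own code, not from the thread or from NVT ERP): given two command lines from the same program that differ only in a random part, it widens the differing span out to the surrounding token boundaries, produces the wildcard rule, and checks lines against it. The first Zipware line is the one quoted above; the second is a constructed variant with a different timestamp.

```python
import re

# Two command lines as NVT ERP would record them for the same program: the
# first is the Zipware line quoted above, the second is a constructed
# variant that differs only in the timestamp part of the file name.
OBSERVED = [
    r'"C:\Program Files (x86)\Zipware\Zipware.exe" "from-contextmenu-C:\ProgramData\Zipware\Working\SelectedItems-2016120612030774.txt"',
    r'"C:\Program Files (x86)\Zipware\Zipware.exe" "from-contextmenu-C:\ProgramData\Zipware\Working\SelectedItems-2016120713050012.txt"',
]
# Characters treated as token boundaries: the wildcard is widened to cover
# the whole token between two of them, not just the characters that differ.
SEPARATORS = set('-_.\\/ "')

def split_args(cmdline):
    # Keep quoted arguments whole so a path with spaces stays one token.
    return re.findall(r'"[^"]*"|\S+', cmdline)

def generalize_arg(a, b):
    if a == b:
        return a
    n = min(len(a), len(b))
    i = 0                       # length of the common prefix ...
    while i < n and a[i] == b[i]:
        i += 1
    while i > 0 and a[i - 1] not in SEPARATORS:   # ... pulled back to a boundary
        i -= 1
    j = 0                       # length of the common suffix ...
    while j < n - i and a[-1 - j] == b[-1 - j]:
        j += 1
    while j > 0 and a[-j] not in SEPARATORS:      # ... pushed forward to a boundary
        j -= 1
    return a[:i] + '*' + a[len(a) - j:]

def generalize(cmdlines):
    """Merge several observed command lines into one wildcard pattern."""
    args = [split_args(c) for c in cmdlines]
    if len({len(a) for a in args}) != 1:
        raise ValueError('argument count differs; edit the rule by hand')
    merged = args[0]
    for other in args[1:]:
        merged = [generalize_arg(x, y) for x, y in zip(merged, other)]
    return ' '.join(merged)

def matches(pattern, cmdline):
    """Case-insensitive match where '*' stands for any run of characters."""
    regex = '.*'.join(re.escape(part) for part in pattern.split('*'))
    return re.fullmatch(regex, cmdline, re.I) is not None
```

The two observed lines collapse to exactly the edited rule shown above; a line that keeps the executable but points the argument elsewhere does not match it, which is the point of widening only one token rather than the whole argument.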

Davidov

Could you write me the path I should add for Java to the vulnerable processes? Thank you very much.

I do not know if this is correct.

C:\ProgramData\Oracle\Java\javapath\javaw.exe

C:\ProgramData\Oracle\Java\javapath\javaws.exe

shmu26

It looks right to me, but I don't have Java on my computer, so I cannot actually check.
If you were able to find the files at those paths, then they must be right.
The general rule is that Windows system files will very often be found in two locations: system32 and syswow64. But program files are not like that. If you found them once, that's it. You got them.
 

Av Gurus

Can we make a summary (if I want to prepare NVT ERP for Lockdown Mode)?

Installation: Recommended or Custom?

If we choose Custom, what settings?

In settings:

"General", what to check/un-check (if we whitelist C:\Program Files, C:\Program Files (x86), C:\Windows, Custom folders)?

"Signed Processes" (for max security)?

"External Devices" check all?

"Lockdown Mode" default or...?

Add to "Vulnerable Processes", something else?
C:\Windows\System32\mshta.exe
C:\Windows\SysWOW64\mshta.exe

Whitelist all .exe in:
C:\Program Files
C:\Program Files (x86)
C:\Windows
Custom folders
 

Davidov


OK, I'll set it according to you, tnx.

shmu26

If you want lockdown mode, first make sure your system is absolutely clean, because you are about to whitelist everything you've got!

On the Applications tab, whitelist the entire contents of your various program folders, including subfolders.
Do the same with the Windows folder.

Then untick "allow system processes", untick "allow program folder", and put the tick by "don't trust signed processes".

You can add whatever you want to the vulnerable processes list. The basics are already there.

I think that should do it.

I did not recognize a lot of your screenshots. We must not be on the same version.
 

Davidov

Ok Thanks for your patience and valuable advice.

Av Gurus

If you want lockdown mode, first make sure your system is absolutely clean, because you are about to whitelist everything you've got!

1. Untick "allow system processes", and untick "allow program folder".
2. Put the tick by "don't trust signed processes".

I did not recognize a lot of your screenshots. We must not be on the same version.
1. Like this

2. Like this

Version is 3.1 (24062015)
 

shmu26

@Av Gurus: about mshta, yes, you are right, the place to add it is vulnerable processes.
Anything that you add to that list will produce a prompt, even if you have whitelisted it somewhere else.
The only way to stop prompting for something on the VPL is to whitelist a particular command-line string.