Weird spyware and how I fixed it

Hello everybody. First of all, I want to apologize if my message is in the wrong topic or category.

I would like to tell you how I came across something strange and how I got rid of it. It all started with the fact that I noticed strange behavior when my computer is at rest. If the system is not loaded with anything for a certain period (approximately 5 minutes), two processes are launched, one of which uses 50% of the processor and 2.5 GB of RAM. I noticed this because I could hear the CPU cooler starting to work hard. If you open the task manager, these processes are instantly turned off. I was able to see this after downloading a process monitor program.

After running a full scan, Comodo found “ApplicUnwnt@0” here in C:\ProgramData\Windows\Profile\wasp.exe and deleted it. Maybe it’s something else, but I thought I’d add this information. Using a program I downloaded to monitor processes, I was able to see information about running these processes. These two processes were launched via powershell.exe with strange parameters:
-c "107361474;$Ltge=‘fAiNejiaxzOQihQXA’;'t&(og…
-c "4045614830;$fOMY=‘ooZeExKnaaiMuYe’;'5&(vgc…

I started looking for something behind these two numbers and found two registry entries and two files.

The files were here:
C:\Windows\System32\Tasks\Microsoft\Windows\Maintenance\WinDAT
C:\Windows\System32\Tasks\Microsoft\Windows\Maintenance\WinNAT

The registry entries were here:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\Microsoft\Windows\Maintenance\WinDAT
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\Microsoft\Windows\Maintenance\WinNAT

By default, Windows 10 contains only one file, “WinSAT”. I have deleted the registry entries and these two files. Currently, I do not see any strange behavior on my system.

I wanted to attach these two files to my post so the Comodo team can investigate and improve their product. But “new users cannot add files”. However, I hope this information will be useful for the team and other users.

Please submit the files within CIS/CF itself or submit them here for analysis: https://verdict.valkyrie.comodo.com/
You can also upload them to https://www.virustotal.com/gui/home/upload

You can then post the SHA1 and Valkyrie Verdict here: https://forums.comodo.com/t/submit-malware-here-to-be-blacklisted-2024/360467/59

Sounds like W4SP, a Python data stealer that has been out for a couple of years. It works rather efficiently at stealing various items like login, password, etc. data, which it will store either in the Local/temp directory or the Local/Microsoft/Edge/user data/default directory.

Comodo protects against such theft by both containing the malware and more importantly by alerting to the Network connection attempts by the malware (normally curl.exe will also be blocked).

You should see a Startup entry for this stealer family (under various names) as this is how it persists.

For any that want to play in the sandbox, an oldie version is: 01de9d36bc78cf7cb9fa19cd3ac47d8028cb08dedf318ef4e85b696a8d837c38
Just shut off VirusScope first as everybody and their cat can detect it.

m


The files are just XML with a set of parameters and commands, very similar to the standard WinSAT. Therefore, they are not recognized as something dangerous. However, the actions performed are quite suspicious.
As you can see, the argument is very long.
Screenshot: https://imgur.com/a/2q091tG

I zipped these two files and uploaded them to a temporary file server (they’ll be gone in a week). Download

Verdict Valkyrie - Can’t verify these files because they don’t have format/extension. :sweat_smile:

With VirusTotal, the situation is better, there are signs of a threat, but I do not understand this report. WinDAT and WinNAT.

The first directory is common for temporary files, so I’m not sure if you can find anything there. I don’t have the second directory. I hope this is a good sign. However, looking at the modification date of these files (September 2023) makes it sad.
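The two posts above describe the persistence mechanism well enough to write a small triage check for it: the tasks live as XML files under Tasks\Microsoft\Windows\Maintenance beside the stock WinSAT task, fire only when the machine has been idle, and run powershell.exe with a very long inline `-c` argument. The script below is an added example, not code from the thread, from Comodo or from any vendor rule set. It parses Task Scheduler XML (the real `http://schemas.microsoft.com/windows/2004/02/mit/task` schema) and reports the traits a defender would look for, then compares the task names against a baseline that, per the thread, contains only WinSAT. The two sample task files, the thresholds and the placeholder argument string are all constructed for the example; the real WinDAT/WinNAT payload is not reproduced.

```python
"""Triage Windows Task Scheduler XML files for idle-triggered PowerShell
persistence of the kind described in the thread (added example)."""
import re
import xml.etree.ElementTree as ET

# Real Task Scheduler XML namespace; every element in a task file lives in it.
NS = {"t": "http://schemas.microsoft.com/windows/2004/02/mit/task"}

# Constructed heuristics: script hosts that are unusual for a stock maintenance
# task, and an argument length past which a maintenance command line is implausible.
SCRIPT_HOSTS = {"powershell.exe", "pwsh.exe", "cmd.exe", "wscript.exe", "cscript.exe", "mshta.exe"}
LONG_ARGS = 200
INLINE_CMD = re.compile(r'(?i)(?:^|\s)-c(?:ommand)?\s+["\']')
ENCODED_CMD = re.compile(r"(?i)(?:^|\s)-e(?:c|nc|ncodedcommand)?\s+")

# Per the thread, this folder holds only WinSAT on a stock Windows 10 install.
EXPECTED_MAINTENANCE_TASKS = {"WinSAT"}


def _text(el):
    return (el.text or "").strip() if el is not None else ""


def analyze_task(xml_data):
    """Return human-readable reasons a task looks suspicious (empty = nothing flagged).
    xml_data may be a str or the raw bytes of a task file; on-disk task files are
    UTF-16 with an XML declaration, and passing the bytes keeps that declaration valid."""
    root = ET.fromstring(xml_data)
    reasons = []
    for exec_el in root.findall("t:Actions/t:Exec", NS):
        cmd = _text(exec_el.find("t:Command", NS))
        args = _text(exec_el.find("t:Arguments", NS))
        exe = cmd.replace("/", "\\").rsplit("\\", 1)[-1].lower()
        if exe in SCRIPT_HOSTS:
            reasons.append(f"action runs script host {exe}")
        if len(args) > LONG_ARGS:
            reasons.append(f"argument string is {len(args)} chars long")
        if INLINE_CMD.search(args):
            reasons.append("inline script passed via -c/-Command")
        if ENCODED_CMD.search(args):
            reasons.append("encoded command passed via -e/-EncodedCommand")
    idle_trigger = root.find("t:Triggers/t:IdleTrigger", NS) is not None
    idle_only = _text(root.find("t:Settings/t:RunOnlyIfIdle", NS)).lower() == "true"
    if idle_trigger or idle_only:
        reasons.append("runs only when the machine is idle")
    if _text(root.find("t:Settings/t:Hidden", NS)).lower() == "true":
        reasons.append("task is marked hidden")
    return reasons


def unexpected_tasks(present):
    """Names found in the Maintenance folder that are not in the stock baseline."""
    return sorted(set(present) - EXPECTED_MAINTENANCE_TASKS)


def triage(tasks, threshold=2):
    """tasks: {task name: xml}. Returns {name: reasons} for every task that
    accumulates at least `threshold` reasons; an unexpected name counts as one."""
    report = {}
    unexpected = set(unexpected_tasks(tasks))
    for name, xml in tasks.items():
        reasons = analyze_task(xml)
        if name in unexpected:
            reasons.append("not in the stock Maintenance task baseline")
        if len(reasons) >= threshold:
            report[name] = reasons
    return report


# Constructed benign sample standing in for the stock WinSAT task.
BENIGN_WINSAT = """<Task version="1.4" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <Triggers><CalendarTrigger><StartBoundary>2023-09-01T01:00:00</StartBoundary></CalendarTrigger></Triggers>
  <Settings><RunOnlyIfIdle>true</RunOnlyIfIdle></Settings>
  <Actions Context="Author">
    <Exec><Command>%SystemRoot%\\system32\\winsat.exe</Command><Arguments>formal</Arguments></Exec>
  </Actions>
</Task>"""

# Constructed stand-in for the WinDAT file from the thread: same shape as the
# quoted command line, but the obfuscated script is replaced by a placeholder.
SUSPECT_ARGS = "-c \"107361474;$Ltge='PLACEHOLDER';" + "A" * 300 + "\""
SUSPECT_WINDAT = f"""<Task version="1.4" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <Triggers><IdleTrigger><Enabled>true</Enabled></IdleTrigger></Triggers>
  <Settings><Hidden>true</Hidden><IdleSettings><Duration>PT5M</Duration></IdleSettings></Settings>
  <Actions Context="Author">
    <Exec><Command>powershell.exe</Command><Arguments>{SUSPECT_ARGS}</Arguments></Exec>
  </Actions>
</Task>"""

if __name__ == "__main__":
    for name, reasons in triage({"WinSAT": BENIGN_WINSAT, "WinDAT": SUSPECT_WINDAT}).items():
        print(name, "->", "; ".join(reasons))
```

To run it against a real folder, feed `triage` a dict built from `Path(p).read_bytes()` for each file under C:\Windows\System32\Tasks\Microsoft\Windows\Maintenance; the bytes form is deliberate, since the files are UTF-16 on disk. The idle-only trait is kept as a low-weight reason because WinSAT itself is idle-gated, which is exactly why the threshold rather than any single trait decides the verdict.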

Why turn off VirusScope?
VirusScope is really good at detecting unknown malware and new unseen malware.
It does both static and dynamic analysis with machine learning.
Why shut it off?