Malware detected but I couldn't find the source

Hi,

I have a PC where "Sophos Endpoint" periodically detects malware. This malware has been cleaned. Here is the log.

Feb 11, 2019 2:16 PM Malware cleaned up: 'Mal/Generic-R' at 'C:\Windows\System32\cbdglkue.bo'
Feb 11, 2019 2:15 PM Malware detected: 'Mal/Generic-R' at 'C:\Windows\System32\cbdglkue.bo'

I ran "Sophos Clean", but it does not find any risk.

What is the source of this malware?

  • Hello Fonderia Corra,

    the Source of Infection tool might be of help (can't say if it also runs on Win10).

    Christian

  • In reply to QC:

    Hi Christian,

    The tool gives me this log:

    2019/02/12 14:09:54,"C:\Windows\System32\LogFiles\Scm\eaca24ff-236c-401d-a1e7-b3d5267b8a50","Process","C:\Windows\System32\services.exe"
    2019/02/12 14:56:46,"C:\Windows\System32\config\netlogon.ftl","Process","C:\Windows\System32\lsass.exe"
    2019/02/12 15:06:15,"C:\Windows\System32\LogFiles\Scm\eaca24ff-236c-401d-a1e7-b3d5267b8a50","Process","C:\Windows\System32\services.exe"
    2019/02/12 15:48:38,"C:\Windows\System32\Tasks\At8","Process","C:\Windows\System32\svchost.exe"
    2019/02/12 15:48:38,"C:\Windows\System32\Tasks\At8","Process","C:\Windows\System32\svchost.exe"

    Unfortunately it is not helpful for me. Any idea?

    The file flagged as bad is:

    Path:
    c:\windows\system32\cbdglkue.bo
    Name:
    cbdglkue.bo

  • In reply to Fonderia Corra:

    Hello Fonderia Corra,

    which options did you use for SOI?

    Christian

  • In reply to QC:

    Hi,

    I used -p -a "folder"

  • In reply to QC:

    Hi, I found at8.job in C:\Windows\Tasks\At8 and not in C:\Windows\System32\Tasks\At8.

    I try to delete it.

    I'm waiting for Sophos Endpoint's response.

  • In reply to Fonderia Corra:

    Hello Fonderia Corra,

    I'd use neither -p nor -n, maybe restrict it with -ext bo, and use -loglevel 1. It has to run until you get the detection.
    BTW: Mal/Generic-R is not necessarily malicious.

    Christian

  • In reply to QC:

    Hi Christian,

    Your suggestions were useful.
    This is the log:

    2019/02/19 10:50:53 1 User2Kernel, user: \\?\C:\Windows\System32\cbdglkue.bo kernel: \Device\HarddiskVolume2\Windows\System32\cbdglkue.bo
    2019/02/19 10:50:53 1 File \Device\HarddiskVolume2\Windows\System32\cbdglkue.bo written by PC-SIMONATO\Administrator from 192.168.4.178
    2019/02/19 10:50:53 1 FileClose N 4 \Device\HarddiskVolume2\Windows\System32\cbdglkue.bo C:\Windows\System32\cbdglkue.bo 192.168.4.178

    So, is the problem the PC with IP 192.168.4.178?
     
  • In reply to Fonderia Corra:

    Hello Fonderia Corra,

    "Is the problem the PC with IP 192.168.4.178?"
    Not only, I'd say. Yes, the file is written from this PC. But furthermore the connection is made as PC-SIMONATO\Administrator, PC-SIMONATO's local administrator it seems. How is 192.168.4.178 able to do this?
    You should try to obtain a sample of cbdglkue.bo and submit it. Can't say what you'll find on 192.168.4.178 and how to deal with it. Perhaps it's better to ask for some advice.
     
    Christian