
SANS ISC: Odd program from Google Chrome? SANS ISC InfoSec Forums


Odd program from Google Chrome?
Sorry if this is the wrong place to post this, but it is the first place I think of when thinking of reverse engineering unknown programs. The past 2 days there has been an influx of activity on my computer; the name of said file is aebasdf.exe. I have no idea what it is doing, but I have been killing the processes and deleting the data it stores on my computer. I have uploaded it to VirusTotal, but the site has not found any wrong-doing, yet. Anyhow, two things about the program bother me. Every time I delete it, it re-writes itself into a different directory inside of AppData/LocalLow. First it wrote itself to Adobe; after I killed it and removed it, it wrote itself into a Unity directory, and finally after that it wrote itself into a Microsoft directory. It also uses network bandwidth. I am quite the novice when it comes to reverse engineering malware, still studying :) I tried to load it up into Immunity Debugger but really did not glean much information from it (epic fail on my part). I will fire up Wireshark and see if I can capture some packets to try to get some idea of what and who it is communicating with.

I just figured that perhaps something like this would be interesting to the group of people in this forum and to perhaps check and see if you are getting the same thing. From what I can tell it is a part of Google Chrome (found in file details, though could be yet just another malware trick). It does not use the same persistence mechanism common to most other malware/viruses I have dealt with before. Nothing in Task Scheduler, nothing in the registry, nothing in appdata\temp, or programdata or commonfiles. No extensions in Google Chrome or add-ons in IE. It has me befuddled.

Another thing: when you delete the directory it resides in (after killing the processes, of course), the next time you reboot your PC it will re-install itself in another directory located inside c:\users\[username]\appdata\LocalLow\[random directory]. It is easy to detect: just start up Task Manager and you will see a boat-load of exe's with the same name firing off.

Cheers
xParticle

This might be the Asprox/Kuluoz trojan. It runs in memory. I've seen it recently.

Referenced from the following article:
http://herrcore.blogspot.com/2014/01/inside-new-asproxkuluoz-october-2013.html

Once the asprox.dll has been successfully injected into svchost.exe it kills its parent processes (the processes started by the packer) leaving an orphan svchost.exe process running under explorer.exe. This is our second IOC; an svchost.exe process running under explorer.exe. Again this IOC is common to many families of malware and not unique to asprox.

So kill the process and hopefully your AV/active protection will pick it up. I didn't notice until C&C traffic brought it to my attention.

Hope this helps.
zazmataz

I just ran into an issue similar to yours, on a user's laptop this morning. It was a randomly named .exe masquerading as a Google Chrome process. Many of the same processes running in Task Manager. In my case, it had created load points in the user's registry pointing back to one each (.dll and .exe) in the appdata/roaming directory.
Anonymous
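A defender-side triage check for the three indicators raised in this thread (many same-named executables running out of AppData\LocalLow, an svchost.exe whose parent is explorer.exe, and HKCU Run-key load points into AppData). This is an added PowerShell example, not code from any poster or from the referenced article; the threshold of three same-named instances is an assumption, and it needs an elevated session to see other users' processes.

```powershell
# Added example (not from the thread). Snapshot every process with its parent
# and image path so the indicators below can be evaluated offline from one list.
$procs = Get-CimInstance Win32_Process |
    Select-Object Name, ProcessId, ParentProcessId, ExecutablePath

# PID -> process lookup so a parent can be resolved by name.
$byPid = @{}
foreach ($p in $procs) { $byPid[[int]$p.ProcessId] = $p }

# IOC 1 (zazmataz / Asprox write-up): svchost.exe parented by explorer.exe.
# Legitimate svchost.exe instances are started by services.exe, so an
# explorer.exe parent deserves a closer look (not proof of infection on its own).
$svchostUnderExplorer = $procs | Where-Object {
    $_.Name -ieq 'svchost.exe' -and
    $byPid.ContainsKey([int]$_.ParentProcessId) -and
    $byPid[[int]$_.ParentProcessId].Name -ieq 'explorer.exe'
}

# IOC 2 (original post): a "boat-load" of same-named exe's running from a
# user's AppData\LocalLow tree. Three or more instances is an assumed threshold.
$localLowGroups = $procs |
    Where-Object { $_.ExecutablePath -and $_.ExecutablePath -imatch '\\AppData\\LocalLow\\' } |
    Group-Object Name |
    Where-Object { $_.Count -ge 3 }

# IOC 3 (Anonymous reply): Run-key load points in the user's hive that point
# into AppData. PS* properties are provider metadata, not registry values.
$runKey = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run'
$runHits = @()
if (Test-Path $runKey) {
    foreach ($prop in (Get-ItemProperty -Path $runKey).PSObject.Properties) {
        if ($prop.Name -notlike 'PS*' -and "$($prop.Value)" -imatch '\\AppData\\') {
            $runHits += [pscustomobject]@{ ValueName = $prop.Name; Command = $prop.Value }
        }
    }
}

"=== svchost.exe instances whose parent is explorer.exe ==="
$svchostUnderExplorer | Format-Table ProcessId, ParentProcessId, ExecutablePath -AutoSize

"=== Same-named executables (3+) running from AppData\LocalLow ==="
foreach ($g in $localLowGroups) {
    "{0} x{1}" -f $g.Name, $g.Count
    $g.Group | Format-Table ProcessId, ExecutablePath -AutoSize
}

"=== HKCU Run values pointing into AppData ==="
$runHits | Format-Table ValueName, Command -AutoSize
```

Any hit is a starting point for collecting the image path and network connections before terminating the process, since the original poster noted the sample re-creates itself in a new LocalLow directory after deletion.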

Quoting Anonymous: I just ran into an issue similar to yours, on a user's laptop this morning. It was a randomly named .exe masquerading as a Google Chrome process. Many of the same processes running in Task Manager. In my case, it had created load points in the user's registry pointing back to one each (.dll and .exe) in the appdata/roaming directory.
How is it running?
Anonymous
