HackTool.Win64.JISCAN.A
UDS:Exploit.Win32.MS17-010.gen (KASPERSKY)
Windows
Threat Type: Hacking Tool
Destructiveness: No
Encrypted:
In the wild: Yes
OVERVIEW
Downloaded from the Internet, Dropped by other malware
This Hacking Tool arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.
TECHNICAL DETAILS
8,243,200 bytes
EXE
UPX
No
03 Jul 2024
Drops files
Arrival Details
This Hacking Tool arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.
Installation
This Hacking Tool drops the following files:
- {Hacking Tool execution path}\{IP subnet}.txt → contains the results of "scan" command
- {Hacking Tool execution path}\results.txt
Other Details
This Hacking Tool does the following:
- It scans for HTTP vulnerabilities.
- It does network and port scanning.
- It can generate scripts for a specified shell.
It accepts the following parameters:
- Usage:
- {hacktool filepath} {commands} [flag]
- Commands:
- all → use all scan mode (don't have ssh mode)
- blast → bruteforce
- completion → generate the autocompletion script for the specified shell
- exploit → sshlogin, redisexec
- help → help about any command
- ping → ping scan to find computer
- ps → port scan
- scan {protocol} → scan network using ms17010, proxyfind, snmp, winscan(smb, netbios, oxid), and
- poc
- server {http / socks5} → start http server or socks5 server
- tools {nc}
- Global Flags:
- -h, --help
- --nobar
- -o, --output {path of result file}
- --proxy {ip address}
- -T, --thread
- -t, --timeout {time in seconds}
- -v, --verbose
- If "all" command is used:
- -H, --host {ip subnet}
- --hostfile
- --i, --icmp
- --noburp
- --noping
- --novulscan
- --passdict
- -P, --pasword → set postgres password
- -p, --port {port number}
- -U, --username → set username
- If "blast" is used to brute force username and password:
- ftp
- ldap
- mongo
- mssql
- mysql
- postgres
- rdp
- redis
- smb
- ssh
- If "completion" command is used:
- bash
- fish
- powershell
- zsh
- If "exploit" command is used:
- ldapsearch → ldap queries
- redis
- sshlogin → login using username, password, or key
- If "ping" command is used:
- -d, --discover
- -H, --hosts
- --hostfile
- -i, --icmp
- If "ps" command is used:
- -b, --banner → return banner information
- -H, --host
- --hostfile
- -i, --icmp
- --noping → no ping discovery before port scanning
- --nowebscan → no HTTP scanning
- -p, --port {port number} → specify which port to scan
- -s, --syn → use syn scan
- --vulscan → scan for HTTP vulnerabilities
SOLUTION
9.800
2.740.56
03 Jul 2024
Step 1
Before doing any scans, Windows 7, Windows 8, Windows 8.1, and Windows 10 users must disable System Restore to allow full scanning of their computers.
Step 2
Note that not all files, folders, and registry keys and entries are installed on your computer during this malware's/spyware's/grayware's execution. This may be due to incomplete installation or other operating system conditions. If you do not find the same files/folders/registry information, please proceed to the next step.
Step 3
Search and delete this file
- {Hacking Tool execution path}\{IP subnet}.txt
- {Hacking Tool execution path}\results.txt
Step 4
Scan your computer with your Trend Micro product to delete files detected as HackTool.Win64.JISCAN.A. If the detected files have already been cleaned, deleted, or quarantined by your Trend Micro product, no further step is required. You may opt to simply delete the quarantined files. Please check the following Trend Micro Support pages for more information:
Did this description help? Tell us how we did.