A Cautionary Tale: My Encounter with a Trojan from CombatShell.com
Hello readers,
Today, I’d like to share a harrowing experience involving a malicious Trojan that I unknowingly executed, highlighting some critical lessons about cybersecurity. The file in question, named CombatShell.exe, was downloaded from the website http://combatshell.com, and what ensued was quite alarming.
Upon running the executable, the Trojan swiftly bypassed Windows User Account Control (UAC), allowing it to gain administrative rights without my knowledge. It initiated a series of concerning actions that highlighted its dangerous capabilities:
- Virtual Environment Checks: The malware scanned for virtualization tools like VirtualBox and VMware, likely to identify whether it was running under analysis.
- Persistence Mechanism: It established a persistence method by placing itself in the Windows startup folder, ensuring it would run on boot.
- Registry Modifications: The Trojan modified the Windows Registry to alter the behavior of shortcut files (.lnk), redirecting them to its own executable.
- System Enumeration: It gathered detailed information about the system, such as BIOS details, CPU vendor, browser information, and even the IP address via an external service.
- Suspicious File Placement: The malware also inserted multiple files into the Program Files directory, which is a red flag for any malware infection.
- Use of Dangerous APIs: It exploited critical Windows APIs, such as WriteProcessMemory, SetWindowsHookEx, and AdjustTokenPrivileges, which are often used to escalate privileges or install keyloggers.
One particularly insidious tactic was the Trojan’s ability to hijack msedge.exe (Microsoft Edge) and masquerade as a legitimate process. This clever disguise was likely meant to evade detection by common antivirus solutions.
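As an added, read-only triage script (mine, not from the post or the sandbox vendor) for three of the behaviours described above: it lists the startup-folder contents, looks for a shell\open\command under the lnkfile registry class (assumed to be absent on a stock install), and flags msedge.exe processes running from outside the Edge install directories (the install paths are assumptions).

```powershell
# Added triage script; it only reads, it changes nothing.

function Get-StartupFolderItems {
    # Per-user and all-users startup folders (persistence location named in the post)
    foreach ($folder in 'Startup', 'CommonStartup') {
        $path = [Environment]::GetFolderPath($folder)
        if ($path) {
            Get-ChildItem -Path $path -File -ErrorAction SilentlyContinue |
                Select-Object @{n='Location'; e={$folder}}, FullName, Length, LastWriteTime
        }
    }
}

function Get-LnkHandlerOverrides {
    # Assumption: a stock install defines no shell\open\command under lnkfile,
    # so any value found here means .lnk launches are being redirected.
    $keys = 'Registry::HKEY_CLASSES_ROOT\lnkfile\shell\open\command',
            'Registry::HKEY_CURRENT_USER\Software\Classes\lnkfile\shell\open\command'
    foreach ($key in $keys) {
        $item = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
        if ($item) {
            [pscustomobject]@{ Key = $key; Command = $item.'(default)' }
        }
    }
}

function Get-SuspiciousEdgeProcesses {
    # Assumed legitimate Edge install roots; msedge.exe elsewhere is a masquerade indicator.
    $roots = @($env:ProgramFiles, ${env:ProgramFiles(x86)}) |
        Where-Object { $_ } |
        ForEach-Object { Join-Path $_ 'Microsoft\Edge\Application' }
    Get-Process -Name msedge -ErrorAction SilentlyContinue |
        Where-Object {
            $p = $_.Path
            $p -and -not ($roots | Where-Object { $p.StartsWith($_, 'OrdinalIgnoreCase') })
        } |
        Select-Object Id, Path, StartTime
}

'== Startup folder items =='
Get-StartupFolderItems | Format-Table -AutoSize
'== .lnk handler overrides =='
Get-LnkHandlerOverrides | Format-List
'== msedge.exe outside the install path =='
Get-SuspiciousEdgeProcesses | Format-Table -AutoSize
```

Run it from an elevated PowerShell so the process paths of other users' sessions are readable; empty sections are the expected result on a clean machine.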
Recognizing the seriousness of the infection only came after a thorough sandbox analysis, which unveiled the full extent of the malware’s behavior. Without hesitation, I disconnected my machine from the internet, wiped the system clean, and promptly changed all my passwords. However, the lingering worry about potential data breaches remains.
For those interested in deeper insights, I’ve linked to the full behavioral report from the sandbox analysis I utilized. This report contains technical details, including tactics, techniques, and procedures (TTPs) along with indicators of compromise (IOCs):
🔗 Full Triage Report
Stay vigilant in your online