Concrete signature match: Trojan (appears legitimate but performs malicious actions), platform: 64-bit Windows, family: Shelm
Trojan:Win64/Shelm.M!MTB is a concrete detection of a malicious program from the Shelm family, identified by Windows Defender using machine learning behavioral analysis. This Trojan is likely implemented as a DLL (indicated by the DllInstall, DllMain, DllRegisterServer and DllUnregisterServer exports) and is designed to execute malicious code, establish persistence, or serve as a component in a larger attack. The presence of the string 'jnnfcoy.cpl' suggests it may masquerade as a Control Panel item for execution or deception.
Relevant strings associated with this threat:
- yxsohezazveqzwx.dll (PEHSTR_EXT)
- DllInstall (PEHSTR_EXT)
- DllMain (PEHSTR_EXT)
- DllRegisterServer (PEHSTR_EXT)
- DllUnregisterServer (PEHSTR_EXT)
- jnnfcoy.cpl (PEHSTR_EXT)
- NimMain (PEHSTR_EXT)
rule Trojan_Win64_Shelm_M_2147907802_0
{
    meta:
        author = "threatcheck.sh"
        detection_name = "Trojan:Win64/Shelm.M!MTB"
        threat_id = "2147907802"
        type = "Trojan"
        platform = "Win64: Windows 64-bit platform"
        family = "Shelm"
        severity = "Critical"
        info = "MTB: Microsoft Threat Behavior"
        signature_type = "SIGNATURE_TYPE_PEHSTR_EXT"
        threshold = "4"
        strings_accuracy = "Low"
    strings:
        $x_2_1 = {8b 37 41 8b de 49 03 f1 48 8d 7f ?? 0f be 0e 48 ff c6 c1 cb ?? 03 d9 84 c9} //weight: 2, accuracy: Low
        $x_2_2 = {41 8d 0c 30 45 03 ?? 80 34 ?? ?? 44 3b c0} //weight: 2, accuracy: Low
    condition:
        (filesize < 20MB) and
        (all of ($x*))
}

Sample hash: e06d884fe36697b80ca12374142c9d0755f16a1bd7e5ec4e141c432827b64b24

Recommended response: Immediately isolate the affected system to prevent further compromise. Perform a full system scan with updated antivirus definitions to remove the detected threat. Investigate for persistence mechanisms (e.g., startup entries, scheduled tasks) and any signs of lateral movement or data exfiltration on the network.
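The rule's weighted threshold logic (two hex strings of weight 2 scored against threshold 4, gated by the filesize check), as an added Python example that is not the page's or threatcheck.sh's own code: the matcher is a simplified emulation of how PEHSTR_EXT strings with ?? wildcards are summed, and the sample buffers are constructed for illustration.

```python
import re

# Added example (not the page's or threatcheck.sh's code): emulate the weighted scoring
# behind the rule above. Each string has a weight; a buffer matches when the summed
# weight of matched strings reaches the threshold and the buffer is under the size limit.
SIGNATURES = {
    "$x_2_1": (2, "8b 37 41 8b de 49 03 f1 48 8d 7f ?? 0f be 0e 48 ff c6 c1 cb ?? 03 d9 84 c9"),
    "$x_2_2": (2, "41 8d 0c 30 45 03 ?? 80 34 ?? ?? 44 3b c0"),
}
THRESHOLD = 4                     # meta.threshold from the rule
MAX_FILESIZE = 20 * 1024 * 1024   # the rule's "filesize < 20MB"


def hex_pattern_to_regex(pattern: str) -> re.Pattern:
    """Turn a YARA-style hex string ('8b 37 ?? ...') into a bytes regex; '??' matches any one byte."""
    parts = [b"." if tok == "??" else re.escape(bytes([int(tok, 16)])) for tok in pattern.split()]
    return re.compile(b"".join(parts), re.DOTALL)  # DOTALL so '??' also matches 0x0a


def score(data: bytes) -> tuple[int, list[str]]:
    """Return (total weight, names of matched strings) for a buffer."""
    matched = [name for name, (_, pat) in SIGNATURES.items() if hex_pattern_to_regex(pat).search(data)]
    return sum(SIGNATURES[name][0] for name in matched), matched


def matches_rule(data: bytes) -> bool:
    """Verdict equivalent to the rule's condition: size gate plus weight threshold."""
    total, _ = score(data)
    return len(data) < MAX_FILESIZE and total >= THRESHOLD


def _fill(pattern: str, wildcard: int = 0x90) -> bytes:
    """Build a concrete byte sequence for a pattern, substituting a fixed byte for '??'."""
    return bytes(wildcard if tok == "??" else int(tok, 16) for tok in pattern.split())


# Constructed sample buffers (not real samples): MZ header, padding, then the pattern bytes.
SAMPLE_BOTH = b"MZ" + b"\x00" * 16 + _fill(SIGNATURES["$x_2_1"][1]) + b"\xcc" * 8 + _fill(SIGNATURES["$x_2_2"][1])
SAMPLE_ONE = b"MZ" + b"\x00" * 16 + _fill(SIGNATURES["$x_2_2"][1])

if __name__ == "__main__":
    for label, buf in (("both strings", SAMPLE_BOTH), ("one string", SAMPLE_ONE)):
        total, hits = score(buf)
        print(f"{label}: weight {total}, matched {hits}, verdict {matches_rule(buf)}")
```

Because the threshold equals the sum of both weights, a buffer carrying only one of the two strings scores 2 and does not fire, which is the same outcome as the rule's `all of ($x*)` condition.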