Get rid of Brocoiner!rfn in my UE-V application

Today was a special day. I -finally- upgraded to Windows 10 1709. The Fall Creators Update has reached ITExperience! Woohoo! ;-) Together with that update, I also received the latest Windows Defender Security Center with lots of improvements. And it was this update that notified me of a nasty coinminer virus:

Trojan:HTML/Brocoiner!rfn

My Windows Defender pointed me to the exact location. But although it reported that it had cleaned the file, the Brocoiner virus kept returning. Cause? I’m using UE-V, and because of that Windows Defender kept cleaning the redirected location, but never the original location. Sigh…

[Screenshot: Windows Defender threat details for the Brocoiner detection]

So, to solve this returning issue, I had to determine the mapping of a PKGDAT file to its source file. In my case: 45A93803-F314-43C5-9D08-4EA8BDE5775F.pkgdat
Also note the UE-V application name in the folder path in the screenshot above: Google-chrome-v-0.pkgx.Current.1284.2

In PowerShell I executed the following cmdlet:

(Export-UevPackage -Path "C:\Users\$env:USERNAME\AppData\Local\Temp\Google-Chrome-chrome-v-0.pkgx.Current.1284.2\Google-Chrome-chrome-v-0.pkgx").Split("`n") |
    Select-String VT_FILE |
    Select-String -Pattern "45A93803-F314-43C5-9D08-4EA8BDE5775F.pkgdat"

This cmdlet exports the full contents of the pkgx file, including the list of all its child files. By piping the output through Select-String -Pattern I’m filtering the results so that only the entry for the relevant pkgdat file, together with the original file it redirects, is shown.

This cmdlet returned one line, which pointed me to the original infected file:

<Setting Type="VT_FILE" Name="file://%SystemDrive%\Users\%username%\AppData\Local\Google\Chrome\User Data\Default\Cache\f_000371" Action="Create">45A93803-F314-43C5-9D08-4EA8BDE5775F.pkgdat</Setting>

In the case above you can see the location %SystemDrive%\Users\%username%\AppData\Local\Google\Chrome\User Data\Default\Cache\f_000371.

Navigating to that location indeed triggered a new Trojan warning. I could now easily remove the threat by running a folder scan with Windows Defender.
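A more robust way to do the same lookup, as an added example that is not part of the original post: the function parses the XML that Export-UevPackage returns instead of splitting its text on newlines, expands the %SystemDrive%-style variables in the recorded path, checks whether the original file still exists, and hands its folder to Windows Defender. It assumes the <Setting Type="VT_FILE" Name="file://..." Action="...">name.pkgdat</Setting> shape shown in the output above; the function name is my own.

```powershell
# Added example, not code from the original post: map UE-V pkgdat files back to
# the original files they shadow by parsing the Export-UevPackage XML.
# Assumes the <Setting Type="VT_FILE" Name="file://..." Action="...">x.pkgdat</Setting>
# element shape shown in the post's output.
function Resolve-UevPkgdatSource {
    param(
        [Parameter(Mandatory)] [string] $PkgxPath,        # path to the .pkgx package
        [string[]]                      $PkgdatName = @()  # pkgdat names to look up; empty = list all
    )
    # Export-UevPackage returns the package contents as an XML string
    [xml]$package = (Export-UevPackage -Path $PkgxPath) -join "`n"

    foreach ($setting in $package.GetElementsByTagName('Setting')) {
        if ($setting.GetAttribute('Type') -ne 'VT_FILE') { continue }
        $pkgdat = $setting.InnerText.Trim()
        if ($PkgdatName.Count -gt 0 -and $PkgdatName -notcontains $pkgdat) { continue }

        # Name carries a file:// prefix and unexpanded %SystemDrive%-style variables
        $source = [Environment]::ExpandEnvironmentVariables(
            ($setting.GetAttribute('Name') -replace '^file://', ''))

        [pscustomobject]@{
            Pkgdat = $pkgdat
            Action = $setting.GetAttribute('Action')
            Source = $source
            Exists = Test-Path -LiteralPath $source
        }
    }
}

# Usage with the package and pkgdat from the post (username taken from the session)
$pkgx = "$env:LOCALAPPDATA\Temp\Google-Chrome-chrome-v-0.pkgx.Current.1284.2\Google-Chrome-chrome-v-0.pkgx"
$hits = Resolve-UevPkgdatSource -PkgxPath $pkgx -PkgdatName '45A93803-F314-43C5-9D08-4EA8BDE5775F.pkgdat'
$hits | Format-Table -AutoSize

# Scan the folder of each source file that still exists with Windows Defender
$folders = $hits | Where-Object Exists |
    ForEach-Object { Split-Path -LiteralPath $_.Source } | Sort-Object -Unique
foreach ($dir in $folders) {
    Start-MpScan -ScanType CustomScan -ScanPath $dir
}
```

Run with no -PkgdatName to list every file the package shadows, which is useful when Defender reports several pkgdat files at once.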

Thanks and credits go to Description of UE-V Files stored in the Settings Storage Path for some background information related to UE-V and PowerShell.

Tim

Hi Christian,

Windows Defender alerted me with the same issue. My threat was located in or was:
C:\Users\%username%\AppData\Local\Mozilla\Firefox\Profiles\k2ajkgn0.default\cache2\entries\CE94BF5164C04AE312403C4CA6A85F4F3B1133A2
I’m not sure if deleting this file would solve the issue.
