Evil on Schedule: Investigating Malicious Windows Scheduled Tasks

Discover how to detect and analyze malicious Windows Scheduled Tasks with real-world examples, event log artifacts, and forensics tips.

The DFIR Spot

🦠 Malware Analysis
===================


Executive summary: Fake utility installers (including speedtest,
manual-reader/finder, PDF tools, and some AI frontends) have been
observed to bundle a portable Node runtime, extract an obfuscated
JavaScript payload, and install a Scheduled Task to execute that JS on
a recurring cycle. The JS speaks to a C2 (observed domain:
cloud.appusagestats[.]com), exfiltrates system identifiers and can
execute arbitrary commands returned by the server.

Technical details:
• The installers are packed with an Inno-Packer and drop a portable
Node runtime folder alongside the visible application executable.
• Persistence is implemented via a Scheduled Task (task.xml) that
executes the dropped node.exe with an obfuscated *.js script on an
approximate 12-hour cadence.
• The JavaScript is heavily obfuscated but decodes into JSON-formatted
POST payloads (e.g., a version string like "0.2.1" and a
JSON.stringify body). The script queries
HKLM\Software\Microsoft\Cryptography for MachineGuid via reg.exe to
uniquely identify hosts.
• The C2 interaction includes encoded/obfuscated POSTs and server
responses that can include commands such as powershell -NoPr... for
remote execution.

Impact and attack mechanics:
• The visible app functions normally, reducing suspicion while the
background agent provides persistent C2 connectivity and remote
execution capabilities.
• This separation increases attack surface: defenders may see only a
benign UI app while a persistent Node-based agent operates
independently.

Detection guidance:
• Search for Scheduled Tasks invoking node.exe outside known
development contexts.
• Detect unexpected portable Node runtimes co-located with third-party
installers.
• Monitor outbound POSTs to uncommon domains like
cloud.appusagestats[.]com and inspect request bodies for JSON
structures and Base64-encoded payloads.
• Track registry queries for
HKLM\Software\Microsoft\Cryptography\MachineGuid from non-standard
processes.
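An added triage script (not code from the source blog post or from The DFIR Spot) that applies the Scheduled Task checks above to an exported task XML definition: it flags node.exe launched from outside an expected install path, actions that run from user-writable directories, JavaScript arguments, and a repetition interval in the 12-hour range. The path patterns and both task.xml samples are constructed assumptions for illustration, not captured artifacts.

```python
import re
import xml.etree.ElementTree as ET

NS = {"t": "http://schemas.microsoft.com/windows/2004/02/mit/task"}
# Assumption: directories where a dropped portable runtime typically lands; tune per estate.
USER_WRITABLE = re.compile(r"\\(AppData|Temp|ProgramData|Downloads|Users\\Public)\\", re.I)
# Assumption: where node.exe is expected on developer machines; tune per estate.
KNOWN_DEV = re.compile(r"^C:\\Program Files( \(x86\))?\\nodejs\\", re.I)

def iso_duration_hours(value):
    """Convert a Task Scheduler ISO-8601 duration (e.g. PT12H, P1DT30M) to hours."""
    m = re.fullmatch(r"P(?:(\d+)D)?(?:T(?:(\d+)H)?(?:(\d+)M)?(?:(\d+)S)?)?", value or "")
    if not m:
        return None
    d, h, mi, s = (int(x) if x else 0 for x in m.groups())
    return d * 24 + h + mi / 60 + s / 3600

def triage_task_xml(xml_text):
    """Return finding strings for one task definition; an empty list means nothing matched."""
    root = ET.fromstring(xml_text)  # real task.xml files are UTF-16: pass the bytes read from disk
    findings = []
    for exe in root.findall(".//t:Actions/t:Exec", NS):
        cmd = exe.findtext("t:Command", default="", namespaces=NS).strip().strip('"')
        args = exe.findtext("t:Arguments", default="", namespaces=NS)
        if cmd.lower().endswith("node.exe") and not KNOWN_DEV.match(cmd):
            findings.append(f"node.exe invoked outside known dev path: {cmd}")
        if USER_WRITABLE.search(cmd):
            findings.append(f"action runs from a user-writable directory: {cmd}")
        if re.search(r"\.js\b", args, re.I):  # \b keeps .json from matching
            findings.append(f"action executes a JavaScript file: {args}")
    for interval in root.findall(".//t:Triggers//t:Repetition/t:Interval", NS):
        hours = iso_duration_hours(interval.text)
        if hours is not None and 6 <= hours <= 24:
            findings.append(f"recurring repetition every {hours:g}h (Interval={interval.text})")
    return findings

# Constructed sample modelled on the pattern described above (not a real captured task.xml).
SUSPICIOUS_TASK_XML = r"""<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <Triggers><TimeTrigger><Repetition><Interval>PT12H</Interval></Repetition>
    <StartBoundary>2025-09-01T10:00:00</StartBoundary><Enabled>true</Enabled></TimeTrigger></Triggers>
  <Actions Context="Author"><Exec>
    <Command>C:\Users\alice\AppData\Local\SpeedTest\node\node.exe</Command>
    <Arguments>"C:\Users\alice\AppData\Local\SpeedTest\node\upd.js"</Arguments>
  </Exec></Actions></Task>"""
# Constructed benign comparison: a developer's node.exe in its usual install location.
BENIGN_TASK_XML = r"""<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <Actions Context="Author"><Exec><Command>C:\Program Files\nodejs\node.exe</Command>
  <Arguments>--version</Arguments></Exec></Actions></Task>"""
```

Run it over every task definition under the Tasks folder (or over XML exported with schtasks /Query /XML) and review any task that produces two or more findings.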

Mitigations:
• Block or alert on execution of portable runtimes from user-writable
directories.
• Restrict scheduled task creation to privileged installers; monitor
changes to task scheduler.
• Enforce egress filtering to limit access to suspicious domains and
use TLS inspection where policies allow.

References & notes:
• Observed artifacts: Inno-Packer installer, portable Node folder,
obfuscated *.js, task.xml, C2 domain cloud.appusagestats[.]com.

🔹 #nodejs #powershell #scheduledtask #obfuscation #persistence

🔗 Source: https://security5magics.blogspot.com/2025/09/fake-online-speedtest-application.html

Fake Online Speedtest Application

Analysis of TamperedChef like applications. Obfuscated JS dropped with Node, to run scheduled tasks, along-side PDF, Manuals, Games, and AI apps.

Hunting Scheduled Tasks

1. Introduction

CH. Nesrine
Make sure that the first scheduled trigger of a #Windows #ScheduledTask lies in the future, due to a bug in Windows #TaskScheduler introduced with #Microsoft Windows Server 2016. The task will never start otherwise.
#TIL: when you use the #schtasks command in #MSWindows to update a #ScheduledTask, and you previously had the task switched to disabled, then schtasks will be happy to enable that task. Whether you like it or not.

#TodayILearned
#TIL: #MSWindows #ScheduledTask triggers must be scheduled to a future date in order to get kicked off automatically. Otherwise the #TaskScheduler will simply and silently ignore the trigger.

This is an unexpected change from older behavior, in which the operating system simply extrapolated the next run time and would trigger the task.

Also, if you schedule for daily execution, auto trigger won't kick in until tomorrow. Instead, schedule once with infinite repeat.

Lovely.
What the heck are you doing, #Microsoft #Windows?

At my wit's end, I have an idea. Maybe I can have the #MSDosBatch script create the drive letter so it will be available during the #ScheduledTask session? Yes, I can! With the #NetUse command.

On first try: fail! Drive letter already is mapped - 3/4
#TodayILearned: #Microsoft #Windows is terrible at #accessPrivileges.

I've got a #ScheduledTask that runs as a network user. I've done this a million times and I know how to get Windows to accept it.

This time, I need that task to run a #DosBatch script. It runs statements invoking #java and #DOS commands.

One of those is #MOVE. It only works on local disks, including mapped drive letters. It does not speak #UNC.

So I map a drive. I assign privileges to that network user - 1/4
TaskSettings.Priority property - Windows applications

For scripting, gets or sets the priority level of the task.