Jetzt Ausprobieren

FacexWorm Chrome Browser Extension Audit

Software

Find Computers With the Cryptojacking Filled Extensions

Lansweeper’s performance scanning lets you scan detailed performance data from assets such as CPU, memory, disk and network usage. These performance details can be vital in many scenarios like preventing bottlenecks in your environment, migration projects from physical hardware to virtual environment or cloud migration. Additionally, you can keep an eye on the performance data of machines which might provide indications of cryptojacking software being present on the machine. You can find more ways to detect possible cryptojacking software in our cryptojacking blog post.

The report below is specifically crafted to closely monitor CPU usage over a 2 week period. Including different metrics like the average CPU usage in the past 7 days, average CPU usage in the previous week, average CPU usage during the day and during the night in the last 14 days.

Before running the audit, add the following registry keys to your custom registry scanning.

  • Rootkey: HKEY_CURRENT_USER
  • Regpath: SOFTWARE\Google\Chrome\PreferenceMACs\Default\extensions.settings
  • Regvalues:
    • akoefpoebeaikfcpoghppjcnhklffcjm
    • ecfpnbgianoaiocjciahnkfognimimhf
    • fanjaialdpcmadoodgppaaaldpccaedc
    • jolmnflkapibjdpmiiofkopkdgklckll
    • kojocamkjcbpcnibahfhomfjnliglfeo
FacexWorm Chrome Extension Report
 

FacexWorm Chrome Extension Audit Query

Select Top 1000000 tsysOS.Image As icon,
tblAssets.AssetID,
tblAssets.AssetName,
tblAssets.Domain,
tblAssets.Username,
tblAssets.Userdomain,
tblAssets.IPAddress,
Case
When SubQuery1.Valuename Is Not Null And SubQuery1.Valuename <> ''
Then 'Yes'
Else 'No'
End As ExtensionsFound,
Case
When TsysLastscan.Lasttime < GetDate() - 1 Then
'Last registry scan more than 24 hours ago! Scanned registry information
may not be up-to-date. Try rescanning this machine.'
End As Comment,
tblAssets.Lastseen,
tblAssets.Lasttried,
TsysLastscan.Lasttime As LastRegistryScan
From tblAssets
Inner Join tblAssetCustom On tblAssets.AssetID = tblAssetCustom.AssetID
Inner Join tsysOS On tsysOS.OScode = tblAssets.OScode
Inner Join TsysLastscan On tblAssets.AssetID = TsysLastscan.AssetID
Inner Join TsysWaittime On TsysWaittime.CFGCode = TsysLastscan.CFGcode
Left Join (Select Top 1000000 tblRegistry.AssetID,
tblRegistry.Regkey,
tblRegistry.Valuename,
tblRegistry.Value,
tblRegistry.Lastchanged
From tblRegistry
Where
tblRegistry.Regkey Like
'%Software\Google\Chrome\PreferenceMACs\Default\extensions.settings' And
(tblRegistry.Valuename = 'akoefpoebeaikfcpoghppjcnhklffcjm' Or
tblRegistry.Valuename = 'ecfpnbgianoaiocjciahnkfognimimhf' Or
tblRegistry.Valuename = 'fanjaialdpcmadoodgppaaaldpccaedc' Or
tblRegistry.Valuename = 'jolmnflkapibjdpmiiofkopkdgklckll' Or
tblRegistry.Valuename = 'kojocamkjcbpcnibahfhomfjnliglfeo')) SubQuery1
On SubQuery1.AssetID = tblAssets.AssetID
Where tblAssetCustom.State = 1 And TsysWaittime.CFGname = 'registry'
Order By tblAssets.Domain,
tblAssets.AssetName

Show

Hide