mttaggart / wtfbins

WTF are these binaries doing?! A list of benign applications that mimic malicious behavior.
MIT License

[New WTFBin]: Cisco Jabber outputs system info to files #45

Closed Alex-Walston closed 8 months ago

Alex-Walston commented 1 year ago

Additional WTF Behavior Description:

CiscoJabberPrt.exe will pipe the output of "ipconfig.exe /all", "systeminfo.exe" and "tasklist.exe" into a file named Systeminfo.txt inside the user's temp folder.

mttaggart commented 1 year ago

Thanks for the submission! I have a couple of questions before we proceed:

  1. How often does this occur? We have a couple other items like this, but the frequency of the occurrence is part of the WTF-ness.
  2. What user is this running as?
  3. Is this a service?

If you can provide these details, I'd really appreciate it!

Alex-Walston commented 1 year ago

  1. It is automatically run when Cisco Jabber encounters an unrecoverable error, unhandled exception, or crash. So not very often, but if you have enough clients with Cisco Jabber you will start to see it.
  2. User
  3. No

mttaggart commented 8 months ago

Thank you for this submission, and your patience! Added in 607837a9e.

Alex-Walston commented 8 months ago

Appreciate you adding this.

Could you possibly correct my name on the website (Alex Walston) and change it to my new Twitter (@4ayymm)?

mttaggart commented 8 months ago

Fixed! Sorry about that.

Alex-Walston commented 8 months ago

You got my name wrong again; it is Walston.

mttaggart commented 8 months ago

My sincere apologies! It has been fixed.

On Tue, Jan 23, 2024 at 11:43 AM Alexander Walston wrote:

You got my name wrong again; it is Walston.