Hacked computer

Page 2 of 3

  1. Posts : 2,800
    Windows 7 Pro
       #11

    Can you share that JSON file? You got me curious. I wrote a script to gather all the ctac.json files that will be found on all machines on our network; it will take a while to complete the run, as it has to wait for reboots to work.

    OK, already one reported: it's not MS official and was found in \ProgramData\Microsoft\Windows\OneSettings\

    Not the regular place to find it...

    MD5:
    285572E8242306001D9FE0D237138411

    What are you using to beautify that soup?
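An added example, written for this thread and not taken from any post or from Microsoft's tooling: a PowerShell inventory of every ctac.json on the local machine, the local-machine half of the collection script post #11 describes, and the check the later hash and signature questions (SHA512 instead of MD5 in post #12, "not signed by Microsoft" in posts #17 and #19) call for. It records size, SHA-256 and SHA-512, and the Authenticode/catalog signature status for each copy, so copies from several machines on the same build can be compared side by side. The $expectedRoots list is an assumption used only to flag copies in unusual directories; adjust it for your environment. A JSON file carries no embedded signature, so Get-AuthenticodeSignature can only report Valid for it when a security catalog on the machine lists its hash; NotSigned on its own says there is no catalog entry, not that the file was altered. What is worth a closer look is a copy whose hash matches no other copy on the same build, or one that sits outside the expected directories.

```powershell
# Added example (not code from the thread): inventory every ctac.json on this
# machine with size, strong hashes and signature status, for cross-machine
# comparison. $expectedRoots is an assumption used only to flag copies in
# unusual locations; adjust it for your environment.
$expectedRoots = @(
    "$env:ProgramData\Microsoft\Windows\OneSettings",
    "$env:SystemRoot\WinSxS"
)

function Get-CtacInventory {
    param(
        [string[]]$SearchRoots = @("$env:SystemDrive\"),   # whole system drive; slow but complete
        [string]$FileName = 'ctac.json'
    )
    Get-ChildItem -Path $SearchRoots -Filter $FileName -Recurse -File -Force -ErrorAction SilentlyContinue |
        ForEach-Object {
            $f = $_
            # Get-AuthenticodeSignature also consults the Windows security catalogs, so an
            # OS file with no embedded signature still reports Valid when a catalog lists it.
            # NotSigned means: no embedded signature and no catalog entry on this machine.
            $sig = Get-AuthenticodeSignature -FilePath $f.FullName
            $signer = $null
            if ($sig.SignerCertificate) { $signer = $sig.SignerCertificate.Subject }
            $inExpected = @($expectedRoots | Where-Object {
                $f.FullName.StartsWith($_, [System.StringComparison]::OrdinalIgnoreCase)
            }).Count -gt 0
            [pscustomobject]@{
                Path             = $f.FullName
                Bytes            = $f.Length
                ModifiedUtc      = $f.LastWriteTimeUtc
                SHA256           = (Get-FileHash -LiteralPath $f.FullName -Algorithm SHA256).Hash
                SHA512           = (Get-FileHash -LiteralPath $f.FullName -Algorithm SHA512).Hash
                SigStatus        = $sig.Status      # Valid / NotSigned / HashMismatch / ...
                Signer           = $signer
                ExpectedLocation = $inExpected
            }
        }
}

$inv = @(Get-CtacInventory)

# One hash shared by every copy on a given build is the normal picture. A copy whose
# hash matches nothing else, or that sits outside $expectedRoots, is the one to examine.
$inv | Sort-Object SHA256, Path |
    Format-Table Path, Bytes, SigStatus, ExpectedLocation,
        @{ n = 'SHA256'; e = { $_.SHA256.Substring(0, 16) } } -AutoSize

$inv | Group-Object SHA256 |
    Select-Object Count, @{ n = 'SHA256'; e = { $_.Name } },
        @{ n = 'Paths'; e = { ($_.Group.Path) -join '; ' } } |
    Format-List

# Export so inventories from several machines can be diffed against each other.
$inv | Export-Csv -LiteralPath "$env:TEMP\ctac-inventory-$env:COMPUTERNAME.csv" -NoTypeInformation
```

Run it elevated so protected folders such as WinSxS are readable; the CSV from a machine that behaves normally, on the same Windows build, is the baseline to diff a suspect machine's CSV against.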


  2. Posts : 12
    All
       #12

    I will as soon as I can. I live in the country and have a 15 meg connection on my system. Trying to save bandwidth to get the software I need back. All I used, once I recognized signs of what it was doing, was Visual Studio in restricted mode, and I worked with a copy. In the JSON it integrates with Notepad, so don't load them in Notepad. Give me a sec; I'll see if I can't pull a copy on here through my phone while it's downloading Kali VB. There are several scripts I later found, linked through the system registry changes made, that display fake MD5s and SHA256 sums. Switch to SHA512; I didn't find anything showing that was altered.

    - - - Updated - - -

    So, an update as I wait for my phone to finish downloading. There are a series of drivers that are partially signed or not signed at all, claiming to be OEM, showing up now in Device Manager. Only 3 I've found seem to be legit. I believe these drivers are what it was rolling back to in the background. They link everything on a software level, including processor cores, both physical and logical. The certs are just as interesting. They look correct at a glance in some cases, but when you take a closer look they aren't properly signed, if actually signed, and have various non-matching sources. One in particular, the XTU component, has 18 different security certs for it, almost all of which appear to have issues on the certs, some of which give access to BIOS when they're obviously forged. Q11rel, an alias I recognize, seems to be the author of some of these forged certs. I'm now removing them from my system as best I can, but some are repopulating, and per logs it's from the system calling on an "old OS".


  3. Posts : 18,430
    Windows 11 Pro
       #13

    I find it extremely interesting that the original two posts in this thread were from April of 2019, and yet the virus alarm sounded by @Pooflinger is 2 years and 8 months later! Really? And @Pooflinger posts:

    Pooflinger said:
    Yeah, I was Army. I'm going to lay it on pretty thick because of that name you've chosen to use publicly online. Bottom line is, no matter what you try to say, it's a confirmed virus that I'm trying to get as much information on from others so I can submit to way more than just Kaspersky and hopefully get a proper fix for it.
    Ok. I'll take the bait. Leave it to the Army to try to solve a problem that is more than 2 1/2 years old..... Just sayin'

    I am going to stand by my statement that the files in question were part of an update that Microsoft released 2 1/2 years ago!

    2.5 year virus response. Wow.

    Have a nice day.... or should I say have a nice 2.5 years!


  4. Posts : 12
    All
       #14

    And if you'd read the KB you'd understand it's not something that was force-patched, only by option, because it requires a file on the system to be the attack point. Besides, that's a KB that describes a similar issue to what I've observed. It may not be the exact exploit being taken.

    - - - Updated - - -

    [Google Drive link]

    That folder contains a pic of every line of code in it. There are 10.



    When I thought I had it stabilized, it showed exactly where the files the root keeps putting on and the drivers it's using were, so I got on Kaspersky remote desktop to show them. The person that connected messed with a few things, then locked me out as they disconnected. After a couple hours of having no access after the EFI loaded, I finally glitched it into recovery mode. The only thing that works is the command line, so I opened Notepad and found the JSON that was injected into an update on 6/5 at 4:09 am, and using Notepad in recovery I've been able to photograph it. As you can see, it's scanning for any form of consistently updated antivirus, changing the keys in the registry, and taking steps to cover its tracks, all through this one ctac.json. No ctac.json ever legitimately made by Microsoft does what that one does. It's hijacking updaters and reprogramming the registry to turn any infected system into a spy machine, and is burying itself deep in the root.

    - - - Updated - - -

    [Google Drive link]

    That's from the file ctac.json redirects the TPM stuff to, which installs completely new generalized keys and blocks Secure Boot.


    - - - Updated - - -

    [Google Drive link]

    The code in that document has a general public key and tells the program accessing it how to hijack the Windows Error Reporting system and event logger so it can't be tracked.

    - - - Updated - - -

    [Google Drive link]

    And finally, this is a pic of the XML that a DLL accesses after being activated by one of the numerous EXEs loaded against your will, which has the DLL rewrite your entire filesystem into whatever it wants.

    Look, guy, I've been doing this crap, chances are, as long as you've been alive. I have 15+ years of direct industry experience, plus another 12 when I was teaching myself how to do cyber stuff.

    If you'd like, I have a crossover cable for Ethernet and we can hook our PCs together, and let's just see how long your system stays running fresh. Find something better to do, like learning what you're trying to pick a fight on, before coming on here and pissing me off when I'm trying to catalog what this is from similar experiences online and maybe be able to find out how to make sure this rootkit doesn't become a massive issue by submitting it to as many security platforms as possible.
    Last edited by essenbe; 10 Jan 2022 at 01:35. Reason: Remove insults


  5. Posts : 338
    Windows 10 Pro 22H2 (19045.4046)
       #15

    After reading this post I got curious, so I checked out my system. It appears to have these files, so I ran MS Defender, Zemana Anti-Malware, HitmanPro, Malwarebytes and AdwCleaner. All came up clean. Secure Boot is showing enabled. My laptop runs fine with no signs of any problems.

    Based on above I'm going with NavyLCDR on this.


  6. Posts : 920
    Windows 10 Pro
       #16

    From what I can see, the majority of the "commands" in these files look for certain conditions known to interfere with Windows updates and build upgrades successfully completing and migrating settings; if these conditions are met, then remedial action is taken, such as resetting relevant registry keys, temporarily disabling some 3rd-party services, etc., in an attempt to minimise errors and failures. I can't find anything that would cause a system to exhibit any of the unusual behaviour mentioned in this post, and certainly nothing that could cause a "re-write of the entire file system" by some nefarious .dlls and .exes.
    I have these files in several folders, including system folders and the WinSxS folders, and my Secure Boot is working fine, anti-virus and anti-malware apps work fine, there is no suspicious network traffic, and even Notepad works as it should (specifically mentioned by @Pooflinger as being hacked by these configuration files); my file system has not been changed/altered either.
    VirusTotal shows no issues with any of the files, from any location, or with any other files within the same folders (randomly sampled).
    I am open to being proven wrong, but so far there has been no irrefutable evidence presented that the ctac.json file is doing any of the things claimed, at least on my system.
    It would be useful if @Pooflinger would post the lines claimed to be causing his issues in a code box, with an explanation of how each suspect line executes and the claimed results.
    Not many people using this forum are going to click external links, especially considering this forum provides plenty of options for including relevant items.


  7. Posts : 338
    Windows 10 Pro 22H2 (19045.4046)
       #17

    I'm going to backtrack a bit here. I just submitted my CTAC.json file to VirusTotal and it doesn't show as signed by Microsoft. It also shows as suspicious by 1 of 55 security vendors. Should I be concerned?


  8. Posts : 2,800
    Windows 7 Pro
       #18

    In the vendor's report you can find why it was flagged.


  9. Posts : 338
    Windows 10 Pro 22H2 (19045.4046)
       #19

    ASCII text with very long lines, no line terminators

    So, nothing to be concerned about (I guess the fact that it isn't signed by MS has me worried)?
    Last edited by OldGuyFromCdn; 11 Jan 2022 at 15:35.


  10. Posts : 12
    All
       #20

    They're archived in a WinZip. Again, this has been confirmed now through multiple platforms, including Kaspersky.

    Right now, due to the issue with Kaspersky, the laptop is being scanned in as secure an environment as my friends and I could make. Look, if I could show you I would, but for now you're going to have to take my word for this. I'll post proof when I can. Here is what I've been able to uncover:

    Instead of an MBR-based Windows system, the background service rewrote it as GPT and displays it as normal.

    Through a driver the root keeps installing, even after zeroing the HDDs and doing a complete net install (per logs), something keeps popping up called p9rdrservice in multiple places and starts activating custom EXEs. These EXEs are coming from the system root. They are replacing, in the recovery filesystem, the EXEs and DLLs that are normally included. Once Windows activates the netos hive, these DLLs kick in and start redirecting the net installer to use "settings and files from old OS". The net installer then starts reading these preexisting settings and files, which shouldn't exist after a clean reset and zeroing of the HDDs by a separate system with a different filesystem, and starts making installs with, instead of the latest drivers supplied by Microsoft Update for Windows 11 systems, drivers from 2019 and 2020 for the graphics cards and the CPU. They also load a 3rd driver that links the BIOS to network services on a logical layer. Now, again per logs, the device then uses old registry settings, from a hive that no longer exists anywhere, to point Windows during the system reset to a new list of EXEs. This included the systemreset.exe program located on every single recovery partition of a legit copy of a Windows install. Now when it's replaced, it's by a file called syreset.exe. I will show this as soon as I can. This file is no longer able to be accessed by any user or user group on the system, including both SYSTEM and TrustedInstaller, so the system cannot be reset again.


    If anyone would like to see what I'm dealing with, please feel free to bring any Windows computer over running Windows 10 or 11 and I'll plug in my crossover cable for you to connect directly to my system. Let's see what happens to yours then.

    - - - Updated - - -

    Are you looking at the one I provided or the code lines? What's your source? Can you display what you're seeing? I've been able to confirm that, in addition to hijacking the Windows Chromium and Steam updaters, it also hijacks the Windows reporting service. You may have to manually submit.

    - - - Updated - - -
    @OldGuyFromCdn, this bug is currently only shown as suspicious by a couple of vendors. Yes, the affected ctac.json will not show as signed by Microsoft. Can you post code?

    - - - Updated - - -

    Hang on, everyone, I found a way to prove it so people quit with the doubt BS and can focus on trying to get as much info as possible.


    This is a link from Microsoft regarding the file names and SIZE (in kilobytes) that should be in every Windows 10 (and, as far as I can tell, 11) recovery environment, or WinRE.

    https://support.microsoft.com/en-us/...7-23856c280424


    This is a link to a public Google Drive folder containing a picture of the recovery files on this filesystem, shown using "dir r*" in the correct folder when I put the HDDs back in after imaging and booted into recovery, with file sizes, as always in the command line, listed in bytes (1 kilobyte = 1024 bytes for math purposes):

    [Google Drive link]

    The file sizes are altered and some are extra.

    I'll be updating the pictures in the Drive link to show that most of the files are correctly named but their size is altered, and that there are many extras that shouldn't exist.
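An added example for the size comparison described in the post above, written for this thread and not taken from the post or from Microsoft: a PowerShell function that lists a WinRE folder and compares each file against a reference table of expected names and sizes in kilobytes, the form the post says Microsoft's list uses. The reference entries in the block are constructed placeholders, not Microsoft's real list; fill the table from the support article for the exact build being checked, because file sizes legitimately differ between builds. A figure given in whole kilobytes hides up to 1023 bytes, so a 1 KB tolerance is the default rather than an exact match. The folder path is an assumption as well. A size match is only a coarse check, and a file flagged SizeMismatch or Unexpected is a reason to hash it against the same file from a known-good WinRE of the same build, not a finding on its own.

```powershell
# Added example (not from the post): compare files in a WinRE folder against a
# reference list of expected sizes in KB. The entries below are CONSTRUCTED
# placeholders for illustration; replace them with the real names and KB sizes
# from the Microsoft support article for the build being checked.
$reference = @{
    'example-recovery.exe' = 1234   # hypothetical: 1234 KB
    'example-reagent.dll'  = 88     # hypothetical
    'example-winre.sys'    = 12     # hypothetical
}

function Compare-WinReFileSizes {
    param(
        [Parameter(Mandatory)][hashtable]$ReferenceKb,   # file name -> size in KB (rounded)
        [Parameter(Mandatory)][string]$Folder,           # folder to list, as seen from where you run this
        [string]$Pattern = '*',                          # use 'r*' to mirror the post's "dir r*"
        [long]$ToleranceBytes = 1024                     # a whole-KB figure can hide up to 1023 bytes
    )
    # Normalise both sides to lower-case names and byte counts.
    $expected = @{}
    foreach ($k in $ReferenceKb.Keys) { $expected[$k.ToLowerInvariant()] = [long]$ReferenceKb[$k] * 1024 }

    $onDisk = @{}
    Get-ChildItem -Path $Folder -Filter $Pattern -File -Force -ErrorAction SilentlyContinue |
        ForEach-Object { $onDisk[$_.Name.ToLowerInvariant()] = [long]$_.Length }

    $names = @($expected.Keys) + @($onDisk.Keys) | Sort-Object -Unique
    foreach ($name in $names) {
        $exp = $expected[$name]
        $act = $onDisk[$name]
        $delta = $null
        if ($null -ne $exp -and $null -ne $act) { $delta = $act - $exp }
        $status = if ($null -eq $exp) { 'Unexpected' }            # on disk, not in the reference list
                  elseif ($null -eq $act) { 'Missing' }           # in the reference list, not on disk
                  elseif ([math]::Abs($delta) -le $ToleranceBytes) { 'OK' }
                  else { 'SizeMismatch' }
        [pscustomobject]@{
            Name          = $name
            ExpectedBytes = $exp
            ActualBytes   = $act
            DeltaBytes    = $delta
            Status        = $status
        }
    }
}

# Path is an assumption: inside a booted recovery environment the RAM-loaded WinRE is
# drive X:, so its System32\Recovery folder is the one the post's "dir" was run in.
# Point it at a mounted Winre.wim instead when checking from a full Windows session.
$report = Compare-WinReFileSizes -ReferenceKb $reference -Folder 'X:\Windows\System32\Recovery'
$report | Where-Object { $_.Status -ne 'OK' } | Sort-Object Status, Name | Format-Table -AutoSize
```

Everything that is not OK is printed grouped by status, so Missing and Unexpected names stand apart from size drift; pass -Pattern 'r*' to reproduce exactly the subset the post photographed.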


 

Windows 10 Forums is an independent web site and has not been authorized, sponsored, or otherwise approved by Microsoft Corporation. "Windows 10" and related materials are trademarks of Microsoft Corp.
© Designer Media Ltd