Random malware I found at work today and was messing around with. It was not detected by 4 antiviruses, so I thought it might be interesting. Wrote up some quick info.

I don't have the dropper; all I have is what I found on an active infection. A coworker started deleting files so I didn't get everything. I stopped him and started making copies of what was left. Looks like the infection occurred about 2 weeks ago.
The infected machine was running Windows 7.

All files are located in %appdata%/roaming/ + random folder names such as 5KHgSUq.

Random .lnk files sit in the Startup and Run registry locations. The .lnks point towards the .exes in the roaming folder. Also, a scheduled task was found pointing to the .exe. If you delete anything, the files just get re-created.

Each randomly generated folder in roaming contains 3 files: a malicious .dll, a Microsoft-signed .exe from the 2009-2011 timeframe, and a random file that is static amongst all those folders. The malicious .dll is listed on the import list of the Microsoft-signed executable. I assume it's using DLL hijacking, and these old Windows executables maybe weren't protected yet against this attack method.
One folder has these files:

- slc.dll: malicious, posing as a Windows file (VirusTotal)
- slui.exe: signed by Microsoft from 2010 (VirusTotal)
- encrypted/obfuscated file, present in the same folders (VirusTotal)
The second folder had the same encrypted file with a different random file name.

- dwm.exe from 2009, signed by Microsoft (VirusTotal)
- uxtheme.dll, which was malicious, but someone else deleted the file before I got to it. It's listed in dwm.exe's import list, like the last one.
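A defender-side triage check for the layout described above, written as an added example (not code from the original post): it walks a Roaming-style directory, flags folders where a Windows system EXE name sits next to a DLL named like one of its imports, and reports when the leftover third file has identical content across flagged folders. The folder names, stand-in file contents and the short EXE/DLL name lists are constructed for the demo.

```python
import hashlib
import tempfile
from pathlib import Path

# Names observed in the post; a real scan would use a fuller list of System32 binaries.
SYSTEM_EXES = {"slui.exe", "dwm.exe"}
SYSTEM_DLLS = {"slc.dll", "uxtheme.dll"}

def sha256_of(path: Path) -> str:
    return hashlib.sha256(path.read_bytes()).hexdigest()

def find_suspect_folders(roaming):
    """Flag folders under Roaming that hold a Windows system EXE name next to a
    DLL named like one of its imports (the hijack pair), and report whether the
    remaining file's content also appears in another flagged folder."""
    hashes = {}   # sha256 -> list of folder names holding that extra file
    pairs = {}    # folder name -> (exe, dll)
    for folder in sorted(Path(roaming).iterdir()):
        if not folder.is_dir():
            continue
        files = {p.name.lower(): p for p in folder.iterdir() if p.is_file()}
        exe = next((n for n in files if n in SYSTEM_EXES), None)
        dll = next((n for n in files if n in SYSTEM_DLLS), None)
        if exe is None or dll is None:
            continue  # no hijack pair, e.g. a normal application folder
        pairs[folder.name] = (exe, dll)
        for name, p in files.items():
            if name not in (exe, dll):
                hashes.setdefault(sha256_of(p), []).append(folder.name)
    shared = {h: f for h, f in hashes.items() if len(f) > 1}
    return pairs, shared

def build_sample(root):
    """Constructed Roaming tree mimicking the infection layout (no real samples)."""
    payload = b"constructed-encrypted-blob"  # identical across folders, per the post
    layout = {"5KHgSUq": ("slui.exe", "slc.dll", "a1b2c3"),
              "Xk9pQz": ("dwm.exe", "uxtheme.dll", "q7w8e9")}
    for folder, (exe, dll, extra) in layout.items():
        d = Path(root, folder); d.mkdir()
        (d / exe).write_bytes(b"MZ signed-exe-stand-in")
        (d / dll).write_bytes(b"MZ malicious-dll-stand-in")
        (d / extra).write_bytes(payload)
    benign = Path(root, "Mozilla"); benign.mkdir()
    (benign / "profiles.ini").write_bytes(b"[General]")
    return root

def scan_demo():
    with tempfile.TemporaryDirectory() as tmp:
        pairs, shared = find_suspect_folders(build_sample(tmp))
        return sorted(pairs), [sorted(f) for f in shared.values()]

if __name__ == "__main__":
    print(scan_demo())
```

On a real machine, point find_suspect_folders at the user's Roaming directory and submit the hashes of the flagged DLLs and shared files to VirusTotal rather than the names alone.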
I removed the malware by:

1. Deleting the 2 registry entries for Startup and Run
2. Deleting the task
3. Running KillEmAll to stop all unnecessary running processes
4. Deleting all the files
5. Restarting explorer.exe
6. Running KillEmAll again
7. Deleting the couple of remaining files
8. Restarting explorer.exe
9. Confirming clean
More info to follow if I have time to take a look later. This appears to be Dridex, by the way; you can read more here.