HackTool.Win32.OneKeyRe.A

This Hacking Tool arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.

Arrival Details

This Hacking Tool arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.

Installation

This Hacking Tool drops the following files:

• %System Root%\Boot\BCD_.LOG{Number}
• %System Root%\okldr
• %System Root%\okldr.mbr
• %System Root%\YlmF.ima
• %System Root%\Ghost.ba_
• %User Temp%\Ghost.exe
• %User Temp%\WimaDll.dll
• {Backup Path}\{Backup Filename} → set by the user when creating a backup of the system

(Note: %System Root% is the Windows root folder, where it usually is C:\ on all Windows operating system versions.. %User Temp% is the current user's Temp folder, which is usually C:\Documents and Settings\{user name}\Local Settings\Temp on Windows 2000(32-bit), XP, and Server 2003(32-bit), or C:\Users\{user name}\AppData\Local\Temp on Windows Vista, 7, 8, 8.1, 2008(64-bit), 2012(64-bit) and 10(64-bit).)

It adds the following processes:

• %System%\BCDEdit.exe /export %System Root%\Boot\BCD_
• %System%\BCDEdit.exe /create {GUID} /d "OneKey Recovery" /application bootsector
• %System%\BCDEdit.exe /set {GUID} path \okldr.mbr
• %System%\BCDEdit.exe /displayorder {GUID} /addlast
• %System%\BCDEdit.exe /timeout 3
• %System%\BCDEdit.exe /default {GUID}
• %System%\BCDEdit.exe /set {GUID} device partition=\Device\HarddiskVolume1

(Note: %System Root% is the Windows root folder, where it usually is C:\ on all Windows operating system versions.)

Other Details

This Hacking Tool does the following:

• The dropped Ghost.ba_ contains the following batch commands:
  • Ghost.exe -noide -nousb -clone,mode=pdump,src="{Source Partition Index}",dst="{Destination Partition Index}\Ghost\Bak.GHO" -fr restart
• It is a system backup and restore tool that allows users to create a full system image and restore it when needed.
• It integrates Norton Ghost as its core engine for disk imaging and restoration.
• It offers options to restore or back up the operating system.
• It allows users to install or repair the recovery system.
• It contains a field that allows users to select or input the location of the backup image file.
• It displays all detected drives and partitions which includes the following information:
  • Partition Sequence
  • Volume Label
  • File System Format
  • Free Space
  • Total Capacity
• It allows users to select specific drives or partitions for restoration or backup.
• It allows users to search for backup files such as .GHO within a specified directory depth.
• It offers the following compression levels:
  • No Compression
  • Fast Compression
  • High Compression
  • Maximum Compression
• Users can choose between the following Ghost versions:
  • 11.0.2
  • 11.5.1
  • Other Ghost executables provided by the user
• It has an option to disable access to IDE devices during backup operations.
• It allows users to choose between the operating system boot menu or a hotkey for recovery.
• It provides the following hotkey options for triggering the recovery process during boot:
  • F7
  • F8
  • F10
  • F11
  • F12