HackTool.Win64.WinExe.AF

This Hacking Tool arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.

Arrival Details

This Hacking Tool arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.

Installation

This Hacking Tool drops the following files:

• %System Root%\winexesvc.log → contains log activities of the hack tool

(Note: %System Root% is the Windows root folder, where it usually is C:\ on all Windows operating system versions.)

Other Details

This Hacking Tool does the following:

• It checks for the service:
  • Service name: winexesvc
• It creates the following pipe and connects to the following pipe names which allow command execution:
  • \.\pipe\ahexec_stdin
  • \.\pipe\ahexec_stdout
  • \.\pipe\ahexec_stderr
  • \.\pipe\ahexec
• It does the following set of commands:
  • run(execute set of commands)
  • Log-on User
  • Open and Duplicate Process Token
  • Open Thread Token
  • Revert to Self (Terminate impersonation)
  • Get:(Fetch commands)
  • system(System information)
  • implevel(Impersonate Name Pipe Client)
  • profile(User Profile)
  • runas(Runas Credentials)
  • Set:(Set information to itself)
  • Version(Retrieve Hacking tool's Version)
  • codepage(Update codes to itself)
• After connection is established, this hack tool will be able to create processes remotely