Analyzed by: Ricardo III Valdez

 

HEUR:RemoteAdmin.Linux.Winexe.a (KASPERSKY)

 Platform: Linux

 Overall risk rating:
 Damage potential:
 Distribution potential:
 Reported infection:
 Information exposure:
(rating scale: Low, Medium, High, Critical)

  • Grayware type:
    Hacking Tool

  • Destructive:
    No

  • Encrypted:
    No

  • In the Wild:
    Yes

  Overview

Infection channel: Downloaded from the Internet, Dropped by other malware

It arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.

  Technical details

File size: 6,628,248 bytes
File type: ELF
Memory resident: No
Initial samples received date: 06 April 2023
Payload: Collects system information

Arrival details

It arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.

Other details

It does the following:

  • It checks whether the following service is present on the system:
      Service Name: winexesvc
  • It connects to the following named pipes, which allow command execution:
    • \ahexec
    • \ahexec_stdin
    • \ahexec_stdout
    • \ahexec_stderr
  • It supports the following command-line options:
    • Usage:
      • --reinstall ← Reinstalls the winexe service before remote execution
      • --system ← Uses the SYSTEM account
      • --runas={DOMAIN\USERNAME}{%PASSWORD} ← Runs as the given user; the password is sent in clear text over the network
      • --runas-file={FILE} ← Run-as user options defined in a file
      • --interactive={0 or 1} ← Toggles desktop interaction
        • 0 - disallow
        • 1 - allow
          If interactive=1, also use the --system switch {Windows requirement}
      • --ostype={0, 1, or 2} ← Operating system type
        • 0 - 32bit
        • 1 - 64bit
        • 2 - winexe decides which version (32bit/64bit) of the service will be installed
    • Common Samba Options:
      • -d or --debuglevel={DEBUG LEVEL} ← Sets the debug level
      • -s or --configfile={CONFIG FILE} ← Uses an alternative configuration file
      • -l or --log-basename={LOG FILE BASE} ← Basename for log/debug files
      • --debug-stderr ← Sends the debug output to STDERR
      • --option=name=value ← Sets smb.conf option from command line
      • --leak-report ← Enables talloc leak reporting on exit
      • --leak-report-full ← Enable full talloc leak reporting on exit
    • Connection Options:
      • -R or --name-resolve={NAME-RESOLVE-ORDER} ← Uses these name resolution services only
      • -O or --socket-options={SOCKET OPTIONS} ← Defines the socket options to use
      • -n or --netbiosname={NET BIOS NAME} ← Sets the primary Netbios name
      • -S or --signing={ON, OFF or REQUIRED} ← Sets the client signing state
      • -W or --workgroup={WORKGROUP} ← Sets the Workgroup name
      • -i or --scope={SCOPE} ← Defines the Netbios scope
      • -m or --maxprotocol={MAX PROTOCOL} ← Sets max protocol level
      • -V or --version ← Prints version
      • --realm={REALM} ← Sets the realm name
    • Authentication Options:
      • -U or --user={DOMAIN/USERNAME}{%PASSWORD} ← Sets the network username
      • -N or --no-pass ← No password required
      • -A or --authentication-file={FILE} ← Gets the credentials from a file
      • -P or --machine-pass ← Uses stored machine account password
      • -k or --kerberos={STRING} ← Uses Kerberos
      • --password={STRING} ← Sets the network password
      • --simple-bind-dn={STRING} ← Sets the LDAP user distinguished name (DN) to use for simple bind
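The indicators above (the winexesvc service name and the \ahexec* named pipes) are what a defender can actually hunt for, on both ends of a winexe session. The following Python is an added example, not code from this Trend Micro entry or from the winexe project: it does a static string check of a Linux client binary and a log-matching rule for the Windows target. The ELF blob and the log records are constructed, and the record field names (host, event_id, pipe_name, service_name, image, image_path) are assumptions; Sysmon event IDs 17 (PipeCreated) and 18 (PipeConnected) and Windows System log event ID 7045 (service installed) are real.

```python
"""Turn the winexe indicators into detection logic.

Added example, not code from this Trend Micro entry or from the winexe project.
Indicators used: the "winexesvc" service name and the \\ahexec* named pipes.
The ELF blob and the log records below are constructed; the record field names
are assumptions. Sysmon event IDs 17 (PipeCreated) / 18 (PipeConnected) and
Windows System log event ID 7045 (service installed) are real.
"""
from dataclasses import dataclass
from typing import Dict, List

# --- Linux side: static triage of the client binary -------------------------
# Strings from the page that the winexe client embeds (service name, pipe stem).
ELF_INDICATORS = (b"winexesvc", b"ahexec")

# Constructed ELF-like blob standing in for the 6,628,248-byte sample.
SAMPLE_BLOB = (
    b"\x7fELF\x02\x01\x01" + b"\x00" * 9
    + b"...winexesvc...\\ahexec_stdin...\\ahexec_stdout..."
)


def elf_indicator_hits(blob: bytes) -> List[str]:
    """Return the winexe indicator strings found in a binary blob."""
    return [s.decode() for s in ELF_INDICATORS if s in blob]


# --- Windows side: match the artifacts winexe leaves on the target -----------
WINEXE_SERVICE = "winexesvc"
WINEXE_PIPES = {"\\ahexec", "\\ahexec_stdin", "\\ahexec_stdout", "\\ahexec_stderr"}

SYSMON_PIPE_CREATED = 17
SYSMON_PIPE_CONNECTED = 18
SERVICE_INSTALLED = 7045


@dataclass(frozen=True)
class Finding:
    host: str
    event_id: int
    reason: str
    detail: str


def normalise_pipe(name: str) -> str:
    """Lower-case a pipe name and reduce a full "\\\\.\\pipe\\x" path to "\\x",
    the form Sysmon logs, so both spellings match the indicator set."""
    name = name.strip().lower()
    prefix = "\\\\.\\pipe\\"
    if name.startswith(prefix):
        name = "\\" + name[len(prefix):]
    return name


def detect_winexe(events: List[Dict]) -> List[Finding]:
    """Flag service installs named winexesvc and any ahexec pipe activity."""
    findings = []
    for ev in events:
        host = ev.get("host", "?")
        eid = ev.get("event_id")
        if eid == SERVICE_INSTALLED:
            if ev.get("service_name", "").lower() == WINEXE_SERVICE:
                findings.append(Finding(host, eid, "winexe service installed",
                                        ev.get("image_path", "")))
        elif eid in (SYSMON_PIPE_CREATED, SYSMON_PIPE_CONNECTED):
            pipe = normalise_pipe(ev.get("pipe_name", ""))
            if pipe in WINEXE_PIPES:
                verb = "created" if eid == SYSMON_PIPE_CREATED else "connected to"
                findings.append(Finding(host, eid, f"winexe pipe {pipe} {verb}",
                                        ev.get("image", "")))
    return findings


# Constructed log records (field names are assumptions, not a real export format).
SAMPLE_EVENTS = [
    {"host": "ws01", "event_id": 7045, "service_name": "winexesvc",
     "image_path": "winexesvc.exe"},
    {"host": "ws01", "event_id": 17, "pipe_name": "\\ahexec",
     "image": "winexesvc.exe"},
    {"host": "ws01", "event_id": 18, "pipe_name": "\\\\.\\pipe\\ahexec_stdout",
     "image": "cmd.exe"},
    {"host": "ws02", "event_id": 17, "pipe_name": "\\lsass", "image": "lsass.exe"},
    {"host": "ws02", "event_id": 7045, "service_name": "Spooler",
     "image_path": "spoolsv.exe"},
]

if __name__ == "__main__":
    print("ELF indicators:", elf_indicator_hits(SAMPLE_BLOB))
    for f in detect_winexe(SAMPLE_EVENTS):
        print(f"{f.host} [{f.event_id}] {f.reason} ({f.detail})")
```

The pipe rule is the higher-value one: the service name can be changed by rebuilding winexe, but the stock service and client agree on the ahexec pipe names, and a 7045 install event followed by pipe activity from the same host is a strong sign of an interactive remote shell rather than a one-off file drop.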

  Solution

Minimum scan engine: 9.800
SSAPI Pattern File: 2.613.00
SSAPI Pattern Release Date: 06 April 2023

Step 2

Scan your computer with your Trend Micro product and delete files detected as HackTool.Linux.WinExe.A. If the detected files have already been cleaned, deleted, or quarantined by your Trend Micro product, no further steps are required. Quarantined files can simply be deleted. Please refer to this Knowledge Base page for more information.

