HackTool.MSIL.Sharpdump.YPCKQT

It arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.

Führt Befehle eines externen, böswilligen Benutzers aus, wodurch das betroffene System gefährdet wird.

Übertragungsdetails

It arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.

Backdoor-Routine

Führt die folgenden Befehle eines externen, böswilligen Benutzers aus:

• clr_dumplsass → Dump LSASS memory. It can contain a directory where the dumped LSASS is being stored, or, by default, it will be saved in %systemroot%\Temp
• clr_pwd → Get current Directory
• clr_ls → List current directory or the argument
• clr_cd → Set the current directory with a custom PATH parameter.
• clr_ping → Ping command
• clr_rm → Delete specified file
• clr_cat → Get content of specified file
• clr_ps → List running processes
• clr_netstat → netstat command to get active connections
• clr_getav → List installed AV products
• clr_rdp → Enable RDP on device and return the RDP port number
• clr_adduser → Creates a user under Administrators group with custom username and password
• clr_cmd → Execute custom commands
• clr_exec → Executes a file with specified argument.
  • It accepts the following parameter:
    • "-p" - process name
    • "-a" - argument of process
  • If it does not contain '-p', it works the same way as clr_cmd.
• clr_efspotato → Local Privilege Escalation using EfsPotato
  • it accepts the following parameters:
    • "-p" - target process
    • "-a" - argument
• clr_badpotato → Local Privilege Escalation using Bad Potato.
• clr_download → Contains target URL and target directory where the download will be saved.
• clr_combine → Combine files that contains a custom filename + "_*.config_txt".
• clr_scloader → Shellcode loader that contains a BASE64-encoded string, which is an XORed shellcode along with its XOR key, and injects it into werfault.exe.
• clr_scloader1 → Shellcode loader that contains the FILEPATH of the shellcode and its XOR key, and injects it into werfault.exe.
• clr_scloader2 → Shellcode loader that Injects a shellcode(Not XORed) to werfault.exe.

Andere Details

Es macht Folgendes:

• It is capable to use PingCastle - a tool that can be used to collect information required for attacks in Active Directory environments