HackTool.Win64.WinExe.AF

It arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.

Detalles de entrada

It arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.

Instalación

Infiltra los archivos siguientes:

• %System Root%\winexesvc.log → contains log activities of the hack tool

(Nota: %System Root% es la carpeta raíz, normalmente C:\. También es la ubicación del sistema operativo).

Otros detalles

Hace lo siguiente:

• It checks for the service:
  • Service name: winexesvc
• It creates the following pipe and connects to the following pipe names which allow command execution:
  • \.\pipe\ahexec_stdin
  • \.\pipe\ahexec_stdout
  • \.\pipe\ahexec_stderr
  • \.\pipe\ahexec
• It does the following set of commands:
  • run(execute set of commands)
  • Log-on User
  • Open and Duplicate Process Token
  • Open Thread Token
  • Revert to Self (Terminate impersonation)
  • Get:(Fetch commands)
  • system(System information)
  • implevel(Impersonate Name Pipe Client)
  • profile(User Profile)
  • runas(Runas Credentials)
  • Set:(Set information to itself)
  • Version(Retrieve Hacking tool's Version)
  • codepage(Update codes to itself)
• After connection is established, this hack tool will be able to create processes remotely