HackTool.Linux.WinExe.A
HEUR:RemoteAdmin.Linux.Winexe.a (KASPERSKY)
Linux
Threat Type: Hacking Tool
Destructiveness: No
Encrypted: No
In the wild: Yes
OVERVIEW
This Hacking Tool arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.
TECHNICAL DETAILS
Arrival Details
This Hacking Tool arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.
Other Details
This Hacking Tool does the following:
- It checks whether the following service is present on the system:
- Service Name: winexesvc
- It connects to the following named pipes, which allow command execution:
- \ahexec
- \ahexec_stdin
- \ahexec_stdout
- \ahexec_stderr
- It accepts the following command-line options:
  - Usage:
    - --reinstall ← Reinstalls the winexe service before remote execution
    - --system ← Uses the SYSTEM account
    - --runas={DOMAIN\USERNAME}{%PASSWORD} ← Runs as the given user; the password is sent in clear text over the network
    - --runas-file={FILE} ← Runs as the user whose options are defined in a file
    - --interactive={0 or 1} ← Toggles desktop interaction
      - 0 - disallow
      - 1 - allow
      If interactive=1, also use the --system switch (Windows requirement)
    - --ostype={0, 1, or 2} ← Operating system type
      - 0 - 32bit
      - 1 - 64bit
      - 2 - winexe decides which version (32bit/64bit) of the service to install
  - Common Samba Options:
    - -d or --debuglevel={DEBUG LEVEL} ← Sets the debug level
    - -s or --configfile={CONFIG FILE} ← Uses an alternative configuration file
    - -l or --log-basename={LOG FILE BASE} ← Basename for log/debug files
    - --debug-stderr ← Sends the debug output to STDERR
    - --option=name=value ← Sets an smb.conf option from the command line
    - --leak-report ← Enables talloc leak reporting on exit
    - --leak-report-full ← Enables full talloc leak reporting on exit
  - Connection Options:
    - -R or --name-resolve={NAME-RESOLVE-ORDER} ← Uses these name resolution services only
    - -O or --socket-options={SOCKET OPTIONS} ← Defines the socket options to use
    - -n or --netbiosname={NET BIOS NAME} ← Sets the primary NetBIOS name
    - -S or --signing={ON, OFF or REQUIRED} ← Sets the client signing state
    - -W or --workgroup={WORKGROUP} ← Sets the workgroup name
    - -i or --scope={SCOPE} ← Defines the NetBIOS scope
    - -m or --maxprotocol={MAX PROTOCOL} ← Sets the maximum protocol level
    - -V or --version ← Prints the version
    - --realm={REALM} ← Sets the realm name
  - Authentication Options:
    - -U or --user={DOMAIN/USERNAME}{%PASSWORD} ← Sets the network username
    - -N or --no-pass ← No password required
    - -A or --authentication-file={FILE} ← Gets the credentials from a file
    - -P or --machine-pass ← Uses the stored machine account password
    - -k or --kerberos={STRING} ← Uses Kerberos
    - --password={STRING} ← Sets the network password
    - --simple-bind-dn={STRING} ← Sets the LDAP user distinguished name (DN) to use for simple bind
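The service name and named pipes listed above are the host-side artefacts a defender can hunt for. The following is an added detection example, not code from Trend Micro or from the winexe project: it matches those indicators against constructed log records and rates a host higher when both the service install and pipe activity are seen. The record layout (a dict per event with `host`, `service_name` or `pipe_name` fields, modelled loosely on Windows service-install and Sysmon pipe events) and the sample events are assumptions made for the example.

```python
import re
from typing import Dict, Iterable, Optional

# Indicators taken from the description: the service name and the four pipes.
WINEXE_SERVICE = "winexesvc"
WINEXE_PIPES = {"\\ahexec", "\\ahexec_stdin", "\\ahexec_stdout", "\\ahexec_stderr"}

# Some log sources record pipes with a full "\\.\pipe\" prefix; strip it.
_PIPE_PREFIX = re.compile(r"^\\\\\.\\pipe", re.IGNORECASE)


def normalize_pipe(name: str) -> str:
    """Reduce '\\\\.\\pipe\\ahexec', 'ahexec' or '\\ahexec' to lower-case '\\ahexec'."""
    name = _PIPE_PREFIX.sub("", name.strip())
    if not name.startswith("\\"):
        name = "\\" + name
    return name.lower()


def is_winexe_pipe(name: str) -> bool:
    """True if the pipe name is one of the ahexec pipes listed above."""
    return normalize_pipe(name) in WINEXE_PIPES


def classify(event: dict) -> Optional[str]:
    """Return a reason string when a single event matches a winexe indicator."""
    svc = event.get("service_name")
    if svc and svc.lower() == WINEXE_SERVICE:
        return "service %s installed/started" % svc
    pipe = event.get("pipe_name")
    if pipe and is_winexe_pipe(pipe):
        return "named pipe %s" % normalize_pipe(pipe)
    return None


def scan(events: Iterable[dict]) -> Dict[str, dict]:
    """Group matches per host; service install plus pipe activity rates 'high'."""
    per_host: Dict[str, dict] = {}
    for ev in events:
        reason = classify(ev)
        if reason is None:
            continue
        entry = per_host.setdefault(
            ev["host"], {"reasons": [], "service": False, "pipe": False}
        )
        entry["reasons"].append(reason)
        if reason.startswith("service"):
            entry["service"] = True
        else:
            entry["pipe"] = True
    for entry in per_host.values():
        entry["severity"] = "high" if entry["service"] and entry["pipe"] else "medium"
    return per_host


# Constructed sample events (hostnames and event layout are invented for the example).
SAMPLE_EVENTS = [
    {"host": "ws-01", "source": "System", "event_id": 7045, "service_name": "winexesvc"},
    {"host": "ws-01", "source": "Sysmon", "event_id": 17, "pipe_name": "\\ahexec"},
    {"host": "ws-01", "source": "Sysmon", "event_id": 18, "pipe_name": "\\\\.\\pipe\\ahexec_stdout"},
    {"host": "ws-02", "source": "Sysmon", "event_id": 18, "pipe_name": "\\ahexec_stdin"},
    {"host": "ws-03", "source": "Sysmon", "event_id": 17, "pipe_name": "\\lsass"},
    {"host": "ws-03", "source": "System", "event_id": 7045, "service_name": "Spooler"},
]


if __name__ == "__main__":
    for host, finding in scan(SAMPLE_EVENTS).items():
        print(host, finding["severity"], "; ".join(finding["reasons"]))
```

A pipe match alone is rated medium because the pipe name is the only evidence; the service-name match on the same host raises it to high, since the pipes are created by that service. Case-insensitive comparison and prefix stripping keep the match stable across log sources that render pipe names differently.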
SOLUTION
Step 1
Trend Micro Predictive Machine Learning detects and blocks malware at the first sign of its existence, before it executes on your system. When enabled, your Trend Micro product detects this malware under the following machine learning name:
- Troj.ELF.TRX.XXELFC1DFF026
Step 2
Scan your computer with your Trend Micro product to delete files detected as HackTool.Linux.WinExe.A. If the detected files have already been cleaned, deleted, or quarantined by your Trend Micro product, no further step is required. You may opt to simply delete the quarantined files. Please check the following Trend Micro Support pages for more information: