


In May, during the Managed Detection and Response service on-boarding process of an electronics company in the Asia-Pacific region, we noticed suspicious activity via the Trend Micro™ Deep Discovery™ Inspector that turned out to be related to EternalBlue, an exploit perhaps more popularly known for being used in the WannaCry attacks. After the discovery, we sent our first alert to the company regarding the possible threat.

A few days later, we managed to find evidence of communication from one of the company’s machines to the following URLs (which we confirmed to be disease vectors):

hxxp://jsmykings.top:280/helloworldmsi

The URLs contained the word “mykings,” which was similar to the command-and-control (C&C) servers that were used in our previous analysis of the botnet in August 2017. This gave us the first clues as to what the threat was.

Furthermore, we found changes to the machine’s system registry that indicated they were being used as a persistence mechanism. These registry entries were responsible for the C&C callbacks to the URLs mentioned earlier:

Key: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run, value name: start
Key: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run, value name: start1
Key: HKLM\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg, value name: start
Key: HKLM\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg, value name: start1

Digging deeper, we found that the entries were added in 2017, indicating that the malware variant had been hiding in the company’s system for roughly 2 years before it was discovered.

Figure 1. The registry entries that were added in 2017

During forensic investigation, we also identified several other persistence mechanisms consistent with our previous research in 2017. Aside from the autorun registries, we also observed scheduled tasks and Windows Management Instrumentation (WMI) objects (see Tables 1 and 2):

WMI objects observed in root\subscription:
__EventConsumer: Name = fuckyoumm2_consumer
__EventFilter: Name = fuckyoumm2_filter; Query = select * from __timerevent where timerid="fuckyoumm2_itimer"
__FilterToConsumerBinding: Consumer = \\.\root\subscription:ActiveScriptEventConsumer.Name="fuckyoumm2_consumer"; Filter = \\.\root\subscription:__EventFilter.Name="fuckyoumm2_filter"

Our analysis revealed that the variant retains its basic infrastructure. However, there were some interesting additions, which we discuss in detail in the technical analysis section.

Unlike infections that start with embedded URLs and files, MyKings is tied together by scripts that simply download everything it needs from remote servers. A large number of the botnet’s components, including references to the C&C server and the download URLs, are accessible online only for a short time and, therefore, are highly volatile. This presents an additional challenge since timing is important in determining MyKings’ actual payload.
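The two persistence layers described above, autorun registry values and a WMI timer-driven filter/consumer/binding triple, are what a responder would want to sweep for on other hosts. The PowerShell script below is an added example written for this write-up; it is not Trend Micro's tooling and not code from the report. The indicator names (fuckyoumm2_consumer, fuckyoumm2_filter, fuckyoumm2_itimer), the Run/startupreg paths and the "start"/"start1" value names are the ones quoted above. The check of __TimerInstruction objects is an assumption: a filter that queries __TimerEvent by TimerId only fires if a matching timer instruction exists, so the script lists those too. Every permanent subscription found is listed, and anything matching the quoted indicators is flagged.

```powershell
# Added example: enumerate WMI permanent event subscriptions and autorun
# registry values, flagging the MyKings indicators quoted in the write-up.
# Run from an elevated prompt; root\subscription is not readable otherwise.

$wmiIndicators = @('fuckyoumm2_consumer', 'fuckyoumm2_filter', 'fuckyoumm2_itimer')  # from the report
$runValueNames = @('start', 'start1')                                                 # from the report
$runKeys = @(                                                                         # from the report
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg'
)
$ns = 'root\subscription'   # the only namespace in which subscriptions survive a reboot
$findings = @()

function New-Finding {
    param([string]$Type, [string]$Name, [string]$Detail, [bool]$Flagged)
    [pscustomobject]@{ Type = $Type; Name = $Name; Detail = $Detail; Flagged = $Flagged }
}

# True if any quoted indicator string appears in the text (case-insensitive).
function Test-Indicator([string]$Text) {
    foreach ($i in $wmiIndicators) { if ($Text -match [regex]::Escape($i)) { return $true } }
    return $false
}

# 1. Event filters: the WQL query tells you what triggers the consumer.
foreach ($f in Get-WmiObject -Namespace $ns -Class __EventFilter -ErrorAction SilentlyContinue) {
    $findings += New-Finding 'WMI filter' $f.Name $f.Query (Test-Indicator "$($f.Name) $($f.Query)")
}

# 2. Consumers: __EventConsumer returns every subclass instance; the variant
#    above uses an ActiveScriptEventConsumer, so surface its script text.
foreach ($c in Get-WmiObject -Namespace $ns -Class __EventConsumer -ErrorAction SilentlyContinue) {
    $detail = $c.__CLASS
    if ($c.ScriptText)           { $detail += ' script=' + $c.ScriptText.Substring(0, [Math]::Min(120, $c.ScriptText.Length)) }
    if ($c.CommandLineTemplate)  { $detail += ' cmd=' + $c.CommandLineTemplate }
    $findings += New-Finding 'WMI consumer' $c.Name $detail (Test-Indicator "$($c.Name) $detail")
}

# 3. Bindings: only a bound filter/consumer pair actually executes.
foreach ($b in Get-WmiObject -Namespace $ns -Class __FilterToConsumerBinding -ErrorAction SilentlyContinue) {
    $detail = "filter=$($b.Filter) consumer=$($b.Consumer)"
    $findings += New-Finding 'WMI binding' '' $detail (Test-Indicator $detail)
}

# 4. Timer instructions (assumption, see lead-in): the filter above selects
#    __TimerEvent by TimerId, which requires a timer instruction of that id.
foreach ($t in Get-WmiObject -Namespace $ns -Class __TimerInstruction -ErrorAction SilentlyContinue) {
    $detail = "$($t.__CLASS) interval=$($t.IntervalBetweenEvents)"
    $findings += New-Finding 'WMI timer' $t.TimerId $detail (Test-Indicator $t.TimerId)
}

# 5. Autorun registry values. startupreg normally keeps one subkey per entry,
#    so both the key's values and its subkeys are inspected.
foreach ($key in $runKeys) {
    $props = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
    if ($props) {
        foreach ($p in $props.PSObject.Properties) {
            if ($p.Name -like 'PS*') { continue }   # skip PowerShell's own metadata properties
            $findings += New-Finding 'Registry value' "$key\$($p.Name)" ([string]$p.Value) ($runValueNames -contains $p.Name)
        }
    }
    foreach ($sub in Get-ChildItem -Path $key -ErrorAction SilentlyContinue) {
        $findings += New-Finding 'Registry subkey' "$key\$($sub.PSChildName)" '' ($runValueNames -contains $sub.PSChildName)
    }
}

$flagged = @($findings | Where-Object Flagged).Count
Write-Host "Persistence objects found: $($findings.Count); matching quoted indicators: $flagged"
$findings | Sort-Object Flagged -Descending | Format-Table Type, Name, Flagged, Detail -AutoSize -Wrap
```

On a clean workstation the WMI sections usually return nothing at all, so any binding in root\subscription deserves a look even when it does not match the quoted names; the Flagged column only marks exact hits on the indicators this write-up names.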
