Let’s Learn: Reversing Credential and Payment Card Information Stealer ‘AZORult V2’

Goal: Reverse the second version of the popular credential and payment card information stealer “AZORult”
Original find: @DynamicAnalysis
Source: AU2_EXEsd.exe
Tool: OllyDBG, CFF Explorer

Brief overview: AZORult Version 2 Stealer, written in Borland Delphi, collects information, sends a report to the C2 server, then self-deletes. AZORult steals cookies, saved passwords, and saved credit card information from browsers. It also steals XMPP and Bitcoin wallet information. Additionally, the malware is able to grab files from the Desktop with specified extensions. It supports .bit domain communication.
Command-and-Control (C2) Server: parking-services[.]us/gate[.]php
Mutex: as8d749s8adq98w4d65sa1


AZORult’s getcfg=ADE97CA-F64C8173-1D26C270-B040AB046 value


It encodes streams and separates the report information as follows:
  • Browsers\AutoComplete\_CC.txt
  • Browsers\AutoComplete\__.default
  • Browsers\Cookies\__.default.txt
  • IP.txt
  • Passwords.txt
  • CookieList.txt
  • SYSInfo.txt
AZORult’s custom base64-like alphabet:
Obtains Windows version via ProductName Registry value:
The harvested SYSINFO victim information is in the following format:

  • BIN: 
  • MachineID :   -> SOFTWARE\Microsoft\Cryptography\MachineGuid
  • EXE_PATH  :  
  • DLL_PATH  :  
  • Windows    :  – > SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProductName
  • Comp(User) : 
  • CPU Model: ->   HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString
  • [System Process]
  • [Programms]

AZORult obtains the user and computer names via the usual GetUserName and GetComputerName APIs.


The stealer targets the following applications for credential harvesting:


  • Google Chrome (including x64)
  • YandexBrowser
  • Opera
  • Firefox
  • Orbitum
  • Chromium
  • Amigo
  • Outlook
  • FileZilla
  • WinSCP
  • Thunderbird
  • 360Browser
  • Vivaldi
  • Bromium
  • InternetMailRu
  • Bromium
  • Nichrome
  • RockMelt
  • Skype
  • Steam
The stealer collects XMPP/Jabber credentials from the following apps:

  • PsiPlus
  • Psi
  • Pidgin

Moreover, AZORult also appears to collect the following cryptocurrency wallet files:
  • wallet.dat
  • \wallet.dat
  • electrum.dat
  • \electrum.dat
  • .wallet
  • \.wallet
  • %APPDATA%\MultiBitHD
  • mbhd.wallet.aes
  • \MultiBitHD\
  • \mbhd.wallet.aes
  • \mbhd.checkpoints
  • mbhd.checkpoints
  • \mbhd.spvchain
  • mbhd.spvchain
  • \mbhd.yaml
  • mbhd.yaml
  • wallet_path
  • Software\monero-project\monero-core
  • \Monero\
The Desktop file grabber collects files with .txt and .dat extensions.

For example, here are the SQL queries used by AZORult’s cookie/credit card grabber against Mozilla Firefox’s SQLite tables:
  • SELECT host, path, isSecure, expiry, name, value FROM moz_cookies
  • SELECT host_key, name, encrypted_value, value, path, secure, expires_utc FROM cookies
  • SELECT host_key, name, name, value, path, secure, expires_utc FROM cookies
  • SELECT fieldname, value FROM moz_formhistory
  • SELECT name, value FROM autofill
  • SELECT name_on_card, expiration_month, expiration_year, card_number_encrypted value FROM credit_cards
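As an added triage example (not code from the write-up), the following Python scanner checks a dumped sample or memory region for the AZORult v2 indicators listed above (mutex, report file names, SQL queries, wallet files, registry values, C2 host) in both ANSI and UTF-16LE form, pulls out a getcfg value if one is present, and only calls the sample AZORult-like when several independent categories match; SAMPLE_BLOB is constructed test data.

```python
import re

# Indicator strings taken from the write-up above, grouped by what they reveal.
AZORULT_INDICATORS = {
    "mutex": ["as8d749s8adq98w4d65sa1"],
    "report": ["Browsers\\AutoComplete\\_CC.txt", "Browsers\\Cookies\\__.default.txt",
               "IP.txt", "Passwords.txt", "CookieList.txt", "SYSInfo.txt"],
    "sql": ["SELECT host, path, isSecure, expiry, name, value FROM moz_cookies",
            "SELECT host_key, name, encrypted_value, value, path, secure, expires_utc FROM cookies",
            "SELECT name_on_card, expiration_month, expiration_year, card_number_encrypted value FROM credit_cards"],
    "wallet": ["electrum.dat", "mbhd.wallet.aes", "Software\\monero-project\\monero-core"],
    "registry": ["SOFTWARE\\Microsoft\\Cryptography\\MachineGuid",
                 "HARDWARE\\DESCRIPTION\\System\\CentralProcessor\\0\\ProcessorNameString"],
    "c2": ["parking-services.us", "gate.php"],
}

# getcfg=<hex>-<hex>-<hex>-<hex>, the shape of the value shown above.
GETCFG_RE = re.compile(rb"getcfg=([0-9A-Fa-f]+(?:-[0-9A-Fa-f]+){3})")


def find_indicators(blob: bytes) -> dict:
    """Return {category: [matched strings]} for every indicator present in blob.
    Each string is searched both as ANSI and as UTF-16LE, since a Delphi binary
    may store it either way."""
    hits = {}
    for category, strings in AZORULT_INDICATORS.items():
        for s in strings:
            if s.encode("ascii") in blob or s.encode("utf-16-le") in blob:
                hits.setdefault(category, []).append(s)
    return hits


def extract_getcfg(blob: bytes):
    """Pull the getcfg value out of a dump or captured request, or None."""
    m = GETCFG_RE.search(blob)
    return m.group(1).decode("ascii") if m else None


def triage(blob: bytes, min_categories: int = 3) -> dict:
    """Verdict for one sample: matching three or more distinct categories is
    treated as AZORult-like; a lone SQL string is shared by many stealers and
    is deliberately not enough by itself."""
    hits = find_indicators(blob)
    return {"azorult_like": len(hits) >= min_categories,
            "categories": sorted(hits), "hits": hits, "getcfg": extract_getcfg(blob)}


# Constructed sample region (not a real dump): ANSI mutex, UTF-16LE report name,
# one of the cookie queries and a getcfg value, padded with junk bytes.
SAMPLE_BLOB = (b"\x00" * 16 + b"as8d749s8adq98w4d65sa1\x00"
               + "Passwords.txt".encode("utf-16-le")
               + b"\x90" * 8
               + b"SELECT host, path, isSecure, expiry, name, value FROM moz_cookies\x00"
               + b"getcfg=ADE97CA-F64C8173-1D26C270-B040AB046")

if __name__ == "__main__":
    print(triage(SAMPLE_BLOB))
```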
Self-delete function:


07-15-17: Fake "Gmail Notification" Leads to Scareware

Source: Email spam
Date:  July 15, 2017
Subject: Message notification
From: Gmail Notification

Goal: Review the email infection/redirection chain leading to scareware.
Background: Previously, the same campaign led to weight loss and scareware spam via an Amazon theme.
Tools: Fiddler, any JS debugger


Here is the full spam chain:


  • First email href redirect
  • hxxp://cafevillan[.]com/steels[.]php

  • Obfuscated href JS redirect
  • hxxp://weight4losspremium[.]world/?a=401336&c=cpcdiet&s=51207175

  • Third-layer PHP redirect
  • hxxp://checktimenow[.]com/d/r6t0b27039?rtb=c2da1390dbacd52002e62d397bb5e4f7.0&h=1.23&rtc=85474_ae3e8edaee4e456bfc314eda161e6629_1d496eab7185b1313998aa2f2f47a6301500262006.8435_100&subid=NDAxMzM2LU5URXlNRGN4TnpVPQ%3D%3D

  • Fourth-layer PHP redirect
  • hxxp://blobar[.]org/d/r6t0b27039?k=cb4771fda26bfb56027d6ae4c757eaf6.1500261371.850.1&rtb=c2da1390dbacd52002e62d397bb5e4f7.0&h=1.23&rtc=85474_ae3e8edaee4e456bfc314eda161e6629_1d496eab7185b1313998aa2f2f47a6301500262006.8435_100&subid=NDAxMzM2LU5URXlNRGN4TnpVPQ%3D%3D&r=&z=240 

  • Final landing page
  • hxxp://www[.]micro-soft-alert[.]cf/call-microsoft-support-at-1-855-633-1666

    Analysis:

    I. “Gmail – Message notification” email href link leads to the following website:
    • hxxp://cafevillan[.]com/steels[.]php

    II. Retrieve the code via curl > code.html and paste the JavaScript function into the JS debugger.
    Comment out setTimeout, add an “alert” in the function shorte(), and observe the next redirect to the following website:
    • hxxp://weight4losspremium[.]world/?a=401336&c=cpcdiet&s=51207175

    III. Launch Fiddler and track the redirection chain to scareware
    • hxxp://www[.]micro-soft-alert[.]cf/call-microsoft-support-at-1-855-633-1666
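Added example, not from the original post: decoding the subid parameter carried by the third- and fourth-layer redirects shows it is base64 of “<affiliate id>-<base64(sub id)>”, which is exactly the a=401336 and s=51207175 pair from the second layer, so the scareware landing page can be tied back to the affiliate that sent the traffic. The URLs are the page’s own; the helper names are mine.

```python
import base64
from urllib.parse import urlsplit, parse_qs, unquote

# Redirect-chain URLs as listed above (defanged form kept on purpose).
LAYER2_URL = "hxxp://weight4losspremium[.]world/?a=401336&c=cpcdiet&s=51207175"
LAYER3_URL = ("hxxp://checktimenow[.]com/d/r6t0b27039?rtb=c2da1390dbacd52002e62d397bb5e4f7.0&h=1.23"
              "&rtc=85474_ae3e8edaee4e456bfc314eda161e6629_1d496eab7185b1313998aa2f2f47a6301500262006.8435_100"
              "&subid=NDAxMzM2LU5URXlNRGN4TnpVPQ%3D%3D")


def refang(url: str) -> str:
    """Undo hxxp / [.] defanging so the URL can be parsed."""
    return url.replace("hxxp", "http").replace("[.]", ".")


def query_params(url: str) -> dict:
    """First value of every query parameter."""
    return {k: v[0] for k, v in parse_qs(urlsplit(refang(url)).query).items()}


def b64_decode_lenient(value: str) -> bytes:
    """Decode base64 that may be URL-encoded and/or missing its padding."""
    value = unquote(value)
    return base64.b64decode(value + "=" * (-len(value) % 4))


def decode_subid(subid: str) -> tuple:
    """The subid is base64 of '<affiliate>-<base64(sub id)>'; return both parts."""
    outer = b64_decode_lenient(subid).decode("ascii")
    affiliate, sep, inner = outer.partition("-")
    if not sep:
        raise ValueError("unexpected subid layout: %r" % outer)
    return affiliate, b64_decode_lenient(inner).decode("ascii")


def correlate(layer2_url: str, layer3_url: str) -> dict:
    """Confirm that the tracking id carried downstream is the affiliate (a=) and
    sub id (s=) from the earlier hop, tying the landing page to its traffic source."""
    q2, q3 = query_params(layer2_url), query_params(layer3_url)
    affiliate, sub_id = decode_subid(q3["subid"])
    return {"affiliate": affiliate, "sub_id": sub_id,
            "matches_layer2": affiliate == q2.get("a") and sub_id == q2.get("s")}


if __name__ == "__main__":
    print(correlate(LAYER2_URL, LAYER3_URL))
```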

    *Message source:
    Authentication-Results: spf=fail (sender IP is 89[.]30.155.66)
     smtp.mailfrom=faxaway[.]com; hotmail.com; dkim=none (message not signed)
     header.d=none;hotmail.com; dmarc=none action=none header.from=faxaway.com;
    Received-SPF: Fail (protection.outlook.com: domain of faxaway.com does not
     designate 89[.]30.155.66 as permitted sender) receiver=protection.outlook.com;
     client-ip=89[.]30.155.66; helo= web01.multiserve.nl;
    Received: from web01[.]multiserve.nl ([89[.]30.155.66]) by BAY004-MC5F15.hotmail.com with Microsoft SMTPSVC(7.5.7601.23143);
    Fri, 14 Jul 2017 21:21:48 -0700
    From: Gmail Notification
    Date: Sat, 15 Jul 2017 06:21:49 +0000
    Content-Transfer-Encoding: 7bit
    Message-ID:
    Firearms-Christianizer-Shard: 1f161d59242f7a
    To: REDACTED*
    Content-Type: text/html; charset=”UTF-8″
    Subject: Message notification
    Return-Path: colluney@faxaway[.]com

    Let’s Learn: Reversing Packed Betabot Trojan

    Goal: Reverse engineer a packed Betabot binary and unpack the final payload of this malware.
    Credit: @avman1995
    Tools: ProcDOT, OllyDBG, XVI32

    Steps:
    (1) Observe the malware cryptor behavior via reversing or dynamic analysis.

    The original import address table contains two DLL imports: kernel32.dll and user32.dll.

    (2) Observe the creation of the suspended process in OllyDBG.
    (3) Locate injected buffer by placing the WriteProcessMemory breakpoint in OllyDBG. Follow Betabot’s injected payload and dump the binary.

    (4) Patch and edit the dumped binary by searching for the “MZ” header.

    (5) Observe the unpacked import address table of the Betabot payload.
    (6) Profit. Continue analyzing this feature-rich malware.
    Some notable features of the Betabot Trojan:
    • Anti-analysis checks [sandbox.sand box.malware.maltest.test user]
    • Targeted browser [chrome.exe..firefox.exe.opera.exe.safari.exe.360browser.exmaxthon.exe]
    • Usermode rootkit
    • Anti-VM
    • [drivers.vboxvideo.sys.vboxguest.sys.vmhgfs.sys. prl_boot.sys]
    • Anti-Debugger
    • Bitcoin miner module
    • [stratum.-u, btcguild, pool.itzod.ru, bitcoinpool.com, pool0.btcdig.com, triplemining.com, bitparking.com, mining.eligius.st., bitcoin.cz.mint,bitminter.com]
    • Formgrabber and POP3/FTP stealer
    • Mobile devices connections checker
    • USB spreader module
    • Bot killer module
    • and many others

    Let’s Learn: Extracting Trickbot Banker IOCs

    Goal: Extract indicators of compromise related to Trickbot’s ser710 campaign by tracing the WriteFile function. All in all, reversing basic Trickbot functions is rather trivial.
    Credit: @dvk01uk -> https://myonlinesecurity.co.uk/yet-another-spoofed-hm-revenue-customs-secure-communication-malspam-delivering-trickbot-banking-trojan/


    I. Trickbot’s “ser710” main config:


    II. Here is the Trickbot server config:



    III. Trickbot’s module config is as follows:




    <conf ctl="dpost" file="dpost" period="60"/>


    <module name="injectDll"/>

    IV. Trickbot also contains importDll32, mailsearcher32, systeminfo32, injectDll32 and outlookDl32 modules.

    V. Trickbot also installs a certificate and collects host information as follows:

    VI. Observed redacted webinject modules targeting international financial institutions:


    A. REDACTED*
    REDACTED*
    ccsarewkpsmofyibdhqcgvnltzxj[.]net
    91.247.37[.]9:443


    B.  REDACTED*
     REDACTED*
    qasaswzlpmdufjxevhociqngybrt[.]net
    */error_path/404[.]html*
    91.247.37[.]9:443


    Observed Trickbot Network Calls:

    *UserAgent: Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/57.0.2987.133 Safari/537.36

    • /ser710/…/5/sinj/
    • /ser710/…/10/62/HZYRBNEEKG/1/
    • /ser710/…/5/mailsearcher32/
    • /ser710/…/1/Yi72wVESSb7gGU47/ 
    • /ser710/…/1/ualliSoSstzF12hYpHOt/
    • /ser710/…/1/7Faztb8AfD8pdO2ysayPh1ydPEdaZr75/ 
    • /ser710/…/5/injectDll32/
    • /ser710/…/64/importDll/Firefox/grabber/ 
    • /ser710/…/64/importDll/DebugLog/grabber/ 
    • /ser710/…/64/outlookDll/getdata/test/
    • /ser710/…/284115/

    Miscellaneous:

    I. mailconf

    no








    Mailsearcher PDB: C:\Work\Email_grabber\Win32\Release\mailsearcher[.]pdb


    Let’s Learn: In-Depth Reversing Popular QuantLoader 1.45

    Goal: Reverse the “sleepy” QuantLoader version 1.45, covering its anti-virus check functions, its process integrity check, and its interesting file permission lock function, amongst others.
    Original find: @Avman1995
    Tools: Ollydbg, IDA

    Malware Analysis Steps:
    I. Extract the payload by following the buffer passed to WriteProcessMemory and saving the data to a file. The packer is not sophisticated, so it is trivial to unpack and extract the original payload.

    The sequence of Windows API calls is as follows:

    • CreateProcessA *(suspended)
    • SetThreadContext
    • ReadProcessMemory
    • VirtualAllocEx
    • WriteProcessMemory
    • ResumeThread
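Both Betabot steps (3)-(4) above and QuantLoader step I come down to dumping the buffer handed to WriteProcessMemory and locating the “MZ” header in it. The following Python, added here and not part of either write-up, carves every PE image out of such a dump, sizes it from its section table and flags a dump that is shorter than the image it contains; build_sample_pe constructs a minimal PE purely as test input.

```python
import struct


def carve_pe(buf: bytes) -> list:
    """Locate every PE image in a dumped buffer (e.g. the WriteProcessMemory
    source buffer) and return its offset, architecture and on-disk size.
    The size comes from the section table, so a dump shorter than the image
    is reported as truncated instead of being silently cut short."""
    found = []
    pos = buf.find(b"MZ")
    while pos != -1:
        hdr = _parse_pe(buf, pos)
        if hdr:
            found.append(hdr)
        pos = buf.find(b"MZ", pos + 2)
    return found


def _parse_pe(buf: bytes, mz: int):
    if mz + 0x40 > len(buf):
        return None
    e_lfanew = struct.unpack_from("<I", buf, mz + 0x3C)[0]
    pe = mz + e_lfanew
    if not (0x40 <= e_lfanew <= 0x400) or buf[pe:pe + 4] != b"PE\0\0" or pe + 24 > len(buf):
        return None
    machine, n_sec, _, _, _, opt_size = struct.unpack_from("<HHIIIH", buf, pe + 4)
    if not (1 <= n_sec <= 96):
        return None
    sec = pe + 24 + opt_size
    end = sec + 40 * n_sec                      # at least the headers themselves
    for i in range(n_sec):
        off = sec + 40 * i
        if off + 40 > len(buf):
            return None
        raw_size, raw_ptr = struct.unpack_from("<II", buf, off + 16)
        end = max(end, raw_ptr + raw_size)      # furthest byte any section occupies
    arch = {0x14C: "x86", 0x8664: "x64"}.get(machine, hex(machine))
    return {"offset": mz, "arch": arch, "sections": n_sec, "size": end,
            "truncated": mz + end > len(buf), "data": buf[mz:mz + end]}


def build_sample_pe(n_sections: int = 1, raw_size: int = 0x200, machine: int = 0x14C) -> bytes:
    """Constructed minimal PE32 image used as test input; not a real binary."""
    e_lfanew = 0x80
    dos = bytearray(b"MZ" + b"\0" * (e_lfanew - 2))
    struct.pack_into("<I", dos, 0x3C, e_lfanew)
    coff = struct.pack("<IHHIIIHH", 0x4550, machine, n_sections, 0, 0, 0, 0xE0, 0x102)
    opt = bytearray(0xE0)
    struct.pack_into("<H", opt, 0, 0x10B)       # PE32 optional-header magic
    sections, raw_ptr = b"", 0x400
    for i in range(n_sections):
        sections += struct.pack("<8sIIIIIIHHI", b".sec%d" % i, raw_size, 0x1000 * (i + 1),
                                raw_size, raw_ptr, 0, 0, 0, 0, 0x60000020)
        raw_ptr += raw_size
    header = bytes(dos) + coff + bytes(opt) + sections
    return header + b"\xCC" * (raw_ptr - len(header))


if __name__ == "__main__":
    for img in carve_pe(b"\x90" * 37 + build_sample_pe()):
        print({k: v for k, v in img.items() if k != "data"})
```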

    II. Go to Expression, type “Sleep”, and patch the 180-second sleep interval to a 0-second sleep time.

    III. QuantLoader’s strings are encoded/decoded using the hardcoded string value.
    IV. The decode function as viewed in IDA Pro’s C++ pseudocode, using the hardcoded “b769929ffbdd0dc9fe159b6d8586bd58” string.
    New parameters after the decode function (!):
    V. When the QuantLoader starts it will copy itself to 

    %APPDATA%\<BOTID>\svchost.exe OR %APPDATA%\Roaming\<BOTID>\svchost.exe, where <BOTID> is an eight-digit ID generated for the bot. The payload is masked as svchost.exe.

    The BOTID is created by extracting only the digits of the machine UID (the MachineGuid value) under HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\Cryptography and copying eight of them, starting from the fifth.

    VI. Determines if the bot is 32-bit or 64-bit via 

    HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\ProgramFilesDir (x86). 

    If it exists, it is 64-bit, if it does not, it is 32-bit.


    VI. QuantLoader also adds a firewall rule for its copy by executing the following netsh command:
    netsh.exe advfirewall firewall add rule "name=Quant" "program=c:\users\appdata\<BOTID>\svchost.exe" dir=Out action=allow
    VII. Installs for persistence as

    “QT”=“c:\users\appdata\<BOTID>\svchost.exe”

    under the HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run key.

    Method of operation:
    • If the directory %AppData%\<BOTID>\ does not exist, the bot creates it.
    • If it is not already running from %AppData%\<BOTID>\svchost.exe, it registers this path in Windows Firewall and copies itself there using a cmd command.
    • If the copy is successful, then it:
    • *Removes the Zone.Identifier alternate data stream from the copy, which removes the ‘flag’ that marks it as “Downloaded from the Internet”
    • *Sets file permissions that prohibit everything except reading, which helps the bot persist, using the CACLS command
    • *Runs the copy using ShellExecute with SW_HIDE, first with the “runas” verb and then with “open”
    One of the most interesting functions is the User Account Control (UAC) integrity check. Here is the pseudocode:
        SHELLEXECUTEINFO si;
        memset( &si, 0, sizeof( si ) );
        si.cbSize = sizeof( si );
        si.hwnd = 0;
        si.lpVerb = "runas";
        si.lpFile = path;
        si.nShow = SW_NORMAL;
        si.fMask = SEE_MASK_NOCLOSEPROCESS;
        bool res = ShellExecuteEx( &si );
    Simply put, if UAC is configured to allow the “runas” verb without prompting, the bot obtains elevated privileges.
    VIII. Sets file permissions that prohibit everything except reading, which helps the bot persist, using the CACLS command:

    cmd /c echo Y|CACLS "c:\users\\appdata\roaming\<BOTID>\svchost.exe" /P "USER:R"

    IX. The loader runs itself using ShellExecute’s “open” command and sleeps for one minute.
    Finally, the QuantLoader decrypts its C2 addresses and sends a request to each of them containing the following fields:
    • “id” – the botid of the machine based on the “MachineGuid” registry value
    • “c” – the current number of C2s, the value will be “2”
    • “mk” – a hardcoded value likely a campaign identifier
    • “il” – an integrity value checker. If the bot gets elevated privileges, it is il=H, otherwise, it is il=L
    • “vr” – a bot version. This version is 1.45.
    • “bt” – a bit type of the operating system, i.e., 32-bit or 64-bit one.
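As an added example (mine, not the write-up’s code), the following Python reproduces the BOTID derivation described in step V and parses a captured check-in URL with the same conditions the Snort rule below uses, then flags field values that depart from what is documented above. The slicing of the MachineGuid digits is my reading of the wording, and the encoding of bt as 32/64 is an assumption; the sample MachineGuid and URL are constructed.

```python
import re
from urllib.parse import urlsplit, parse_qs

# From the write-up: both C2 URLs share this path and the check-in carries these six fields.
CHECKIN_PATH = "/track06858565670k64/index.php"
CHECKIN_FIELDS = ("id", "c", "mk", "il", "vr", "bt")


def derive_botid(machine_guid: str) -> str:
    """Reproduce the BOTID derivation described above: keep only the digits of
    MachineGuid and copy eight of them starting at the fifth one (my reading of
    the write-up's wording; the exact slicing is an assumption)."""
    digits = re.sub(r"\D", "", machine_guid)
    botid = digits[4:12]
    if len(botid) != 8:
        raise ValueError("MachineGuid holds too few digits for an 8-digit BOTID")
    return botid


def parse_checkin(url: str):
    """Return the decoded beacon fields when url is a QuantLoader 1.45 check-in,
    using the same conditions as the Snort rule (path plus all six fields),
    otherwise None. 'anomalies' lists fields whose value departs from what the
    write-up documents; bt is assumed to be sent as the literal 32 or 64."""
    parts = urlsplit(url.replace("hxxp", "http").replace("[.]", "."))
    if parts.path != CHECKIN_PATH:
        return None
    qs = parse_qs(parts.query, keep_blank_values=True)
    if any(f not in qs for f in CHECKIN_FIELDS):
        return None
    fields = {f: qs[f][0] for f in CHECKIN_FIELDS}
    checks = (
        ("id", re.fullmatch(r"\d{8}", fields["id"]) is not None),  # eight-digit BOTID
        ("c", fields["c"] == "2"),                                  # two C2s in this build
        ("il", fields["il"] in ("H", "L")),                         # integrity level
        ("vr", fields["vr"] == "1.45"),                             # bot version
        ("bt", fields["bt"] in ("32", "64")),                       # OS bitness (assumed encoding)
    )
    fields["anomalies"] = [name for name, ok in checks if not ok]
    return fields


if __name__ == "__main__":
    # Constructed MachineGuid and beacon, not values from a real infection.
    botid = derive_botid("{8f3a2b1c-0d4e-5f67-89ab-cdef01234567}")
    print(botid, parse_checkin("hxxp://college37672[.]website/track06858565670k64/index[.]php"
                               "?id=%s&c=2&mk=abc&il=L&vr=1.45&bt=32" % botid))
```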
    The bot also queries for the following anti-virus installs:
    • Kaspersky -> SOFTWARE\KasperskyLab\LicStrg
    • Panda -> SOFTWARE\Panda Software\Setup
    • Norton Security -> SOFTWARE\Classes\Applications\NS.ex
    • Dr. Web -> SYSTEM\ControlSet001\services\DrWebLw
    • Bit Defender -> SOFTWARE\Bitdefender Agent\Install
    • Bullguard -> SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\bullguard.exe
    QuantLoader’s decoded strings: 

    “ProgramFilesDir (x86)”
    “SOFTWARE\Microsoft\Windows\CurrentVersion”
    “1.45”
    “netsh advfirewall firewall add rule name=””
    “” program=””
    “” dir=Out action=allow”
    “urlmon”
    “URLDownloadToFileA”
    “Qt”
    “:Zone.Identifier”
    “SOFTWARE\Microsoft\Cryptography”
    “MachineGuid”
    “Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders”
    “svchost.exe”
    “kis”
    “SOFTWARE\KasperskyLab\LicStrg”
    “FirewallName”
    “SOFTWARE\Panda Software\Setup”
    “TaskbarGroupIcon”
    “SOFTWARE\Classes\Applications\NS.exe”
    “DisplayName”
    “SYSTEM\ControlSet001\services\DrWebLwf”
    “InstallPath”
    “SOFTWARE\Bitdefender Agent\Install”
    “SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\bullguard.exe”
    “SOFTWARE\Microsoft\Windows\CurrentVersion\Run”
    “hxxp://trackingbase[.]net/track06858565670k64/index[.]php”
    “?id=”
    “&c=”
    “&mk=”
    “&il=”
    “&vr=”
    “&bt=”
    “hxxp://college37672[.]website/track06858565670k64/index[.]php”
    “?id=”
    “&c=”
    “&mk=”
    “&il=”
    “&vr=”
    “&bt=”
    Snort Rule

    # sid is a placeholder in the local rule range (1000000+); assign your own
    alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"Possible QuantLoader 1.45 check-in alert"; flow:established,to_server; content:"/track06858565670k64/"; http_uri; content:"?id="; http_uri; content:"&c="; http_uri; content:"&mk="; http_uri; content:"&il="; http_uri; content:"&vr="; http_uri; content:"&bt="; http_uri; reference:url,www.vkremez.com/2017/07/lets-learn-in-depth-reversing-popular.html; classtype:trojan-activity; sid:1000001; rev:1;)

    Indicators of Compromise 

    MD5 (loader):
    • 23646295E98BD8FA022299374E4F76E0
    C2:
    • hxxp://college37672[.]website/track06858565670k64/index[.]php
    • hxxp://trackingbase[.]net/track06858565670k64/index[.]php


    Let’s Learn: Debugging EternalPetya’s MBR Destroyer Function with OllyDBG Part I

    Goal: Study the Petya destructive component executed after it detects Kaspersky AV, by emulating the desired process name “avp.exe”.
    Malware SHA1: 34f917aaba5684fbe56d3c57d48ef2a1aa7cf06d

    Source: Microsoft


    1-2. The initial vector appears to be the compromised Ukrainian accounting software company Me-DOC, through its compromised software update process.


    3. Load the EternalPetya ransomware using Ollydbg and rundll32.exe
    *Setting up a breakpoint on the privilege lookup function and stepping inside the function (F7) 

    kernel32.GetCurrentProcess
    advapi32.OpenProcessToken
    ·      hProcess = FFFFFFFF
    ·      DesiredAccess = TOKEN_QUERY|TOKEN_ADJUST_PRIVILEGES
    ·      phToken = 0007B4DC

    advapi32.LookupPrivilegeValueW
    ·      SystemName = NULL
    ·      Privilege = “SeShutdownPrivilege” | “SeDebugPrivilege” | “SeTcbPrivilege”
    ·      pLocalId = 0007B4CC

    advapi32.AdjustTokenPrivileges
    ·      hToken = 000000B8 (window)
    ·      DisableAllPrivileges = FALSE
    ·      pNewState = 0007B4C8
    ·      PrevStateSize = 0x0
    ·      pPrevState = NULL
    ·      pRetLen = NULL

    *Setting up a breakpoint on the AV process check function and emulating Kaspersky’s “avp.exe” process using a renamed Notepad.exe


    4. Multi-threaded execution of the code
    The Destructive Component: Post-Kaspersky "avp.exe" (emulated with Notepad.exe)
    I. CreateFileA
    The CreateFile function creates or opens a file or I/O device.
    00076A1C   00A343C4  |FileName = "\\.\C:"
    00076A20 40000000 |Access = GENERIC_WRITE
    00076A24 00000003 |ShareMode = FILE_SHARE_READ|FILE_SHARE_WRITE
    00076A28 00000000 |pSecurity = NULL
    00076A2C 00000003 |Mode = OPEN_EXISTING
    00076A30 00000000 |Attributes = 0
    00076A34 00000000 \hTemplateFile = NULL
    II. DeviceIOControl
    *DeviceIoControl function sends a control code directly to a specified device driver, causing the corresponding device to perform the corresponding operation.
    00076A18   000000FC  |hDevice = 000000FC (window)
    00076A1C 00070000 |IoControlCode = IOCTL_DISK_GET_DRIVE_GEOMETRY
    00076A20 00000000 |InBuffer = NULL
    00076A24 00000000 |InBufferSize = 0
    00076A28 00076A48 |OutBuffer = 00076A48
    00076A2C 00000018 |OutBufferSize = 18 (24.)
    00076A30 00076A44 |pBytesReturned = 00076A44
    00076A34 00000000 \pOverlapped = NULL
    III. SetFilePointer 
    *SetFilePointerEx function moves the file pointer of the specified opened file.
    00076A28   000000FC  |hFile = 000000FC (window)
    00076A2C 00000200 |OffsetLo = 200 (512.)
    00076A30 00000000 |pOffsetHi = NULL
    00076A34 00000000 \Origin = FILE_BEGIN
    IV. WriteFile
    *This function is designed for both synchronous and asynchronous operation.
    00076A24   000000FC  |hFile = 000000FC (window)
    00076A28 0014E148 |Buffer = 0014E148
    00076A2C 00000200 |nBytesToWrite = 200 (512.)
    00076A30 00076A44 |pBytesWritten = 00076A44
    00076A34 00000000 \pOverlapped = NULL
    V. CreateFileA
    000769E4   00A343CC  |FileName = "\\.\PhysicalDrive0"
    000769E8 40000000 |Access = GENERIC_WRITE
    000769EC 00000003 |ShareMode = FILE_SHARE_READ|FILE_SHARE_WRITE
    000769F0 00000000 |pSecurity = NULL
    000769F4 00000003 |Mode = OPEN_EXISTING
    000769F8 00000000 |Attributes = 0
    000769FC 00000000 \hTemplateFile = NULL
    VI. DeviceIOControl
    00076A18   000000FC  |hDevice = 000000FC (window)
    00076A1C 00070000 |IoControlCode = IOCTL_DISK_GET_DRIVE_GEOMETRY
    00076A20 00000000 |InBuffer = NULL
    00076A24 00000000 |InBufferSize = 0
    00076A28 00076A48 |OutBuffer = 00076A10
    00076A2C 00000018 |OutBufferSize = 18 (24.)
    00076A30 00076A44 |pBytesReturned = 00076A44
    00076A34 00000000 \pOverlapped = NULL
    VII. DeviceIOControl
    00076A18   000000FC  |hDevice = 000000FC (window)
    00076A1C 00070000 |IoControlCode = FSCTL_DISMOUNT_VOLUME
    00076A20 00000000 |InBuffer = NULL
    00076A24 00000000 |InBufferSize = NULL
    00076A28 00076A48 |OutBuffer = 00076A2C
    00076A2C 00000018 |OutBufferSize = 18 (24.)
    00076A30 00076A44 |pBytesReturned = 00076A44
    00076A34 00000000 \pOverlapped = NULL
    VIII.  WriteFile
    000769EC   000000FC  |hFile = 000000FC (window)
    000769F0 0014E148 |Buffer = 0014E148
    000769F4 00001400 |nBytesToWrite = 1400 (5120.)
    000769F8 00076A2C |pBytesWritten = 00076A2C
    000769FC 00000000 \pOverlapped = NULL
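The sequence above queries the drive geometry (a 24-byte DISK_GEOMETRY, the 18h OutBufferSize), writes 512 bytes at offset 512 of the C: volume, dismounts it and then writes 5120 bytes to PhysicalDrive0. As an added defender-side example (not code from the post), the following Python decodes that geometry buffer, parses an MBR sector, and compares a known-good image of the first sectors against the current one so that exactly these writes show up as changed sectors; the disk image and geometry bytes are constructed test data.

```python
import struct

SECTOR = 512


def parse_disk_geometry(buf: bytes) -> dict:
    """Decode the 24-byte DISK_GEOMETRY that IOCTL_DISK_GET_DRIVE_GEOMETRY returns:
    Cylinders (int64), MediaType (u32), TracksPerCylinder, SectorsPerTrack,
    BytesPerSector (u32 each)."""
    if len(buf) < 24:
        raise ValueError("DISK_GEOMETRY needs 24 bytes")
    cyl, media, tracks, sectors, bps = struct.unpack_from("<qIIII", buf)
    return {"cylinders": cyl, "media_type": media, "tracks_per_cylinder": tracks,
            "sectors_per_track": sectors, "bytes_per_sector": bps,
            "disk_bytes": cyl * tracks * sectors * bps}


def parse_mbr(sector: bytes) -> dict:
    """Parse one 512-byte MBR: bootstrap code, four partition entries, 55AA signature."""
    if len(sector) != SECTOR:
        raise ValueError("MBR must be one 512-byte sector")
    parts = []
    for i in range(4):
        boot, ptype, lba, count = struct.unpack_from("<B3xB3xII", sector, 446 + 16 * i)
        if ptype:
            parts.append({"bootable": boot == 0x80, "type": ptype, "lba": lba, "sectors": count})
    return {"bootstrap": sector[:446], "partitions": parts,
            "valid_signature": sector[510:] == b"\x55\xAA"}


def changed_sectors(baseline: bytes, current: bytes, sector_size: int = SECTOR) -> list:
    """Indices of sectors that differ between a known-good image of the first
    sectors and the current one; both the MBR overwrite and the write at
    offset 512 performed above land here."""
    n = min(len(baseline), len(current)) // sector_size
    return [i for i in range(n)
            if baseline[i * sector_size:(i + 1) * sector_size]
            != current[i * sector_size:(i + 1) * sector_size]]


def assess(baseline: bytes, current: bytes) -> dict:
    """Summarise what changed in the boot area: which sectors, whether the
    bootstrap code or partition table moved, and whether 55AA is still present."""
    before, after = parse_mbr(baseline[:SECTOR]), parse_mbr(current[:SECTOR])
    return {"changed_sectors": changed_sectors(baseline, current),
            "bootstrap_changed": before["bootstrap"] != after["bootstrap"],
            "partition_table_changed": before["partitions"] != after["partitions"],
            "signature_ok": after["valid_signature"]}


# Constructed 24-byte geometry buffer (1024 cylinders, 255 heads, 63 spt, 512 bps).
SAMPLE_GEOMETRY = struct.pack("<qIIII", 1024, 12, 255, 63, 512)


def build_sample_disk() -> bytes:
    """Constructed 16-sector image with one bootable NTFS-type partition; not from any real machine."""
    mbr = bytearray(SECTOR)
    mbr[:8] = b"\xEB\x3C\x90BOOT\x00"
    struct.pack_into("<B3xB3xII", mbr, 446, 0x80, 0x07, 2048, 204800)
    mbr[510:] = b"\x55\xAA"
    return bytes(mbr) + b"\x00" * (15 * SECTOR)


if __name__ == "__main__":
    disk = build_sample_disk()
    print(parse_disk_geometry(SAMPLE_GEOMETRY), assess(disk, disk))
```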