The installer Inno Setup executes the following script.

Reconstructed Crackonosh Inno Setup installer script

This shows us that Crackonosh was packed in a password-protected archive and unpacked in the process of installation.

If it finds it is "safe" to run the malware, it installs the Crackonosh malware to %SystemRoot%\system32\ and one configuration file to %localappdata%\Programs\Common, and creates in the Windows Task Scheduler the tasks InstallWinSAT to start maintenance.vbs and StartupCheckLibrary to start StartupCheckLibrary.vbs.

Using Safe Mode to Disable Windows Defender and Antivirus

MSI Viewer screenshot of serviceinstaller.msi

While the Windows system is in safe mode, antivirus software doesn't work. This can enable the malicious serviceinstaller.exe to easily disable and delete Windows Defender. It also uses WQL to query all antivirus software installed: SELECT * FROM AntiVirusProduct. If it finds any of the following antivirus products, it deletes them with the rd /s /q command on the default directory name the specific antivirus product uses. It has the names of the folders where they are installed, and finally it deletes %PUBLIC%\Desktop\

Older versions of serviceinstaller.exe used pathToSignedProductExe to obtain the containing folder. This way Crackonosh could delete older versions of Avast, or current versions with Self-Defense turned off.

It also drops StartupCheckLibrary.dll and winlogui.exe to the %SystemRoot%\system32\ folder. In older versions of serviceinstaller.exe it drops windfn.exe, which is responsible for dropping and executing winlogui.exe. winlogui.exe contains the XMRig coinminer, and in newer versions serviceinstaller drops winlogui and creates the following registry entry:

In this image, you see the function searching for a file by hash of file name from winrmsrv.exe. Some nodes are grouped for better readability. This technique was used in other parts of Crackonosh, sometimes with SHA1.
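The search-by-hash-of-file-name technique used in winrmsrv.exe is modelled below. This is an added example, not Avast's analysis code and not the malware's own code: it shows the lookup from the malware's side (only digests of candidate names are compared, so the target names never appear as strings) and the wordlist attack an analyst runs to recover them. The hash table is constructed here from assumed names (winrmsrv.exe, winlogui.exe, StartupCheckLibrary.dll), and lower-casing the name before hashing is an assumed normalisation; a real sample carries the constants in its binary and may use a hash other than SHA1.

```python
"""Hash-of-filename lookup, modelled after the behaviour described for Crackonosh.

Added example, not Avast's or the malware's own code.  The hash table is
constructed from assumed names; lower-casing before hashing is an assumption.
"""
import hashlib
from pathlib import PureWindowsPath


def name_hash(filename, algo="sha1"):
    """Digest of the lower-cased file name (SHA1 by default, as the write-up notes)."""
    return hashlib.new(algo, filename.lower().encode("utf-8")).hexdigest()


# Stand-in for the constants embedded in the binary (constructed from assumed names).
HASH_TABLE = frozenset(
    name_hash(n) for n in ("winrmsrv.exe", "winlogui.exe", "StartupCheckLibrary.dll")
)


def find_by_name_hash(paths, table=HASH_TABLE):
    """Malware side: return the paths whose file-name digest appears in the table.

    Only digests are compared, so a string search of the binary for the
    target names finds nothing.
    """
    return [p for p in paths if name_hash(PureWindowsPath(p).name) in table]


def recover_names(table, wordlist):
    """Analyst side: map each digest in the table to the wordlist entry producing it."""
    recovered = {}
    for word in wordlist:
        digest = name_hash(word)
        if digest in table:
            recovered[digest] = word
    return recovered


if __name__ == "__main__":
    listing = [r"C:\Windows\System32\winlogui.exe", r"C:\Windows\System32\kernel32.dll"]
    print(find_by_name_hash(listing))
    print(recover_names(HASH_TABLE, ["kernel32.dll", "winlogui.exe", "winrmsrv.exe"]))
```

To recover the targets from a real sample, feed recover_names the hash constants pulled from the binary and a wordlist of file names harvested from a Windows installation plus known security-product directories; an unmatched digest means the name was not in the wordlist, not that the lookup failed.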
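The persistence and antivirus-removal behaviour described above (the InstallWinSAT and StartupCheckLibrary tasks, the files dropped into %SystemRoot%\system32\, and the rd /s /q deletion of antivirus directories) gives a defender a small set of process-creation indicators to hunt for. The following is an added example, not Avast's code, that runs those checks over constructed process-creation records in the shape a SIEM might export from Sysmon Event ID 1 or Security Event 4688 (reduced to image and command line). Task, script and component names come from the write-up; treating any recursive quiet delete under Program Files, ProgramData or the public Desktop as suspicious is an added heuristic, and the sample command lines are constructed.

```python
"""Heuristic hunt for the Crackonosh behaviours described in the write-up.

Added example, not Avast's or the malware author's code.  Names are taken
from the write-up; the recursive-delete heuristic and the sample events are
constructed for illustration.
"""
import re

# Scheduled-task and file names reported for Crackonosh (lower-cased for matching).
TASK_NAMES = {"installwinsat", "startupchecklibrary"}
COMPONENT_NAMES = {
    "serviceinstaller.exe", "windfn.exe", "winlogui.exe", "winrmsrv.exe",
    "startupchecklibrary.dll", "maintenance.vbs", "startupchecklibrary.vbs",
}
# Locations whose recursive deletion from a script is rarely legitimate (assumption).
PROTECTED_PREFIXES = (
    "c:\\program files", "c:\\programdata", "c:\\users\\public\\desktop",
    "%programfiles%", "%programfiles(x86)%", "%programdata%", "%public%\\desktop",
)
TASK_CREATE = re.compile(r'schtasks(?:\.exe)?\s.*?/create\b.*?/tn\s+(?:"([^"]+)"|(\S+))', re.I)
RECURSIVE_DELETE = re.compile(r'\b(?:rd|rmdir)\s+(?:/[sq]\s+)+(?:"([^"]+)"|(\S+))', re.I)


def analyse(event):
    """Return finding strings for one {'image': ..., 'cmdline': ...} record."""
    findings = []
    image = event["image"].rsplit("\\", 1)[-1].lower()
    cmd = event["cmdline"]
    if image in COMPONENT_NAMES:
        findings.append(f"known component executed: {event['image']}")
    for name in sorted(COMPONENT_NAMES - {image}):
        if name in cmd.lower():
            findings.append(f"known component referenced on command line: {name}")
    m = TASK_CREATE.search(cmd)
    if m:
        task = m.group(1) or m.group(2)
        if task.lower() in TASK_NAMES:
            findings.append(f"persistence task created: {task}")
    for m in RECURSIVE_DELETE.finditer(cmd):
        target = (m.group(1) or m.group(2)).lower()
        if target.startswith(PROTECTED_PREFIXES):
            findings.append(f"recursive quiet delete of {target}")
    return findings


def hunt(events):
    """Map each event index to its findings, skipping events with none."""
    result = {}
    for i, ev in enumerate(events):
        f = analyse(ev)
        if f:
            result[i] = f
    return result


# Constructed sample events: three that should fire and two benign ones.
SAMPLE_EVENTS = [
    {"image": r"C:\Windows\System32\cmd.exe",
     "cmdline": r'cmd.exe /c rd /s /q "C:\Program Files\SomeAV"'},
    {"image": r"C:\Windows\System32\schtasks.exe",
     "cmdline": r'schtasks /create /tn InstallWinSAT /tr "wscript.exe C:\Windows\System32\maintenance.vbs" /sc onlogon'},
    {"image": r"C:\Windows\System32\winlogui.exe", "cmdline": "winlogui.exe"},
    {"image": r"C:\Windows\System32\cmd.exe",
     "cmdline": r"cmd.exe /c rd /s /q C:\Users\me\AppData\Local\Temp\build"},
    {"image": r"C:\Windows\System32\schtasks.exe",
     "cmdline": "schtasks /create /tn BackupJob /tr backup.exe /sc daily"},
]

if __name__ == "__main__":
    for idx, found in hunt(SAMPLE_EVENTS).items():
        print(idx, found)
```

The task-name and file-name checks are exact indicators and will not survive a renamed build; the recursive-delete check is the behavioural one, and it is the check worth keeping in a detection rule even when the file names change. Pair it with alerting on a safeboot change to the boot configuration, since the write-up notes the removal happens while antivirus is inactive in safe mode.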