Just a quick blog post about an interesting sample that I found today. Usually, modern pieces of malware implement anti-debugging and anti-VM techniques. They perform some checks against the target and when a positive result is found, they silently exit… Such checks might be testing the screen resolution, the activity of a connected user, the presence of files on the desktop, etc. But they also search for interesting processes that could reveal that they are being monitored or debugged. This is achieved via the GetProcessesByName system call. Example:
processName = "tool_executed_by_analyst" processList = Process.GetProcessesByName(processName) If processList.Count > 0 Then   ' Process is running, exit silently... Else   ' Process is not running, do our malicious stuff... End If
This time, the sample did not search for running processes. Instead is a stealthy exit, it just executed a long list of taskkill.exe commands with process names like this:
taskkill.exe /IM <string> /T /F
“/IM” refers to the process image name, “/T” means to terminate all child processes and “/F” means to kill the process forcefully. This is a quite agressive technique!
Some processes are well-known, others were more exotic. Here is the full list:
avpmapp.exe econceal.exe escanmon.exe escanpro.exe TRAYSSER.EXE TRAYICOS.EXE econser.exe VIEWTCP.EXE FSHDLL64.exe fsgk32.exe fshoster32.exe FSMA32.EXE fsorsp.exe fssm32.exe FSM32.EXE trigger.exe FProtTray.exe FPWin.exe FPAVServer.exe AVK.exe GdBgInx64.exe AVKProxy.exe GDScan.exe AVKWCtlx64.exe AVKService.exe AVKTray.exe GDKBFltExe32.exe GDSC.exe virusutilities.exe guardxservice.exe guardxkickoff_x64.exe iptray.exe freshclam.exe freshclamwrap.exe K7RTScan.exe K7FWSrvc.exe K7PSSrvc.exe K7EmlPxy.EXE K7TSecurity.exe K7AVScan.exe K7CrvSvc.exe K7SysMon.Exe K7TSMain.exe K7TSMngr.exe nanosvc.exe nanoav.exe nnf.exe nvcsvc.exe nbrowser.exe nseupdatesvc.exe nfservice.exe cmd.exetaskkill/IMnwscmon.exe njeeves2.exe nvcod.exe nvoy.exe zlhh.exe Zlh.exe nprosec.exe Zanda.exe NS.exe acs.exe op_mon.exe PSANHost.exe PSUAMain.exe PSUAService.exe AgentSvc.exe BDSSVC.EXE EMLPROXY.EXE OPSSVC.EXE ONLINENT.EXE QUHLPSVC.EXE SAPISSVC.EXE SCANNER.EXE SCANWSCS.EXE scproxysrv.exe ScSecSvc.exe SUPERAntiSpyware.exe SASCore64.exe SSUpdate64.exe SUPERDelete.exe SASTask.exe K7RTScan.exe K7FWSrvc.exe K7PSSrvc.exe K7EmlPxy.EXE K7TSecurity.exe K7AVScan.exe K7CrvSvc.exe K7SysMon.Exe K7TSMain.exe K7TSMngr.exe uiWinMgr.exe uiWatchDog.exe uiSeAgnt.exe PtWatchDog.exe PtSvcHost.exe PtSessionAgent.exe coreFrameworkHost.exe coreServiceShell.exe uiUpdateTray.exe VIPREUI.exe SBAMSvc.exe SBAMTray.exe SBPIMSvc.exe bavhm.exe BavSvc.exe BavTray.exe Bav.exe BavWebClient.exe BavUpdater.exe MCShieldCCC.exe MCShieldRTM.exe MCShieldDS.exe MCS-Uninstall.exe SDScan.exe SDFSSvc.exe SDWelcome.exe SDTray.exe UnThreat.exe utsvc.exe FortiClient.exe fcappdb.exe FCDBlog.exe FCHelper64.exe fmon.exe FortiESNAC.exe FortiProxy.exe FortiSSLVPNdaemon.exe FortiTray.exe FortiFW.exe FortiClient_Diagnostic_Tool.exe av_task.exe CertReg.exe FilMsg.exe FilUp.exe filwscc.exe filwscc.exe psview.exe quamgr.exe quamgr.exe schmgr.exe schmgr.exe twsscan.exe twssrv.exe UserReg.exe
One comment