Microsoft continues to develop, update and improve features that monitor and prevent the execution of malicious code on the Windows operating system. AppLocker is one of them: it advances the functionality of software restriction policies and lets administrators create rules that allow or deny applications from running based on the unique identity of their files (path, publisher signature or hash), and specify which users or groups may run them. AppLocker can control the execution of executables (“.exe” and “.com”), scripts (“.js”, “.ps1”, “.vbs”, “.cmd” and “.bat”), Windows Installer files (“.msi”, “.mst” and “.msp”), DLL modules, packaged apps and packaged app installers.

This software restriction policy may also be abused by adversaries. The “Azorult loader” is one example: the payload imports its own AppLocker policy to deny the execution of several antivirus components as part of its defense evasion.

In this blog, the Splunk Threat Research Team does a deep-dive analysis of the “Azorult loader” and its several components to understand the tactics and techniques it uses, which may help SOC analysts and blue teamers defend against these types of threats.

Azorult Loader

The Azorult loader is a classic “Trojan horse” that contains several components, including the Azorult malware itself and additional embedded files that enable remote access and data collection. (For a larger resolution of this diagram visit this link.) This loader is an AutoIt-compiled executable that carries a self-extracting stream in its resource section along with several files.

Defense Evasion

Azorult implements a hardcoded sandbox-evasion checklist: it looks for specific usernames, files on the desktop, hostnames and processes running on the targeted host. It also terminates its execution if the OS version of the compromised host is “winxp”.

If the “msseces.exe” process is running, it tries to uninstall the “Microsoft Security Client” using the wmic.exe command shown below.

C:\Windows\System32\wbem\wmic.exe product where name="Microsoft Security Client" call uninstall /nointeractive

It also modifies several registry values that disable Windows Defender features and other AV products in order to evade their detection. Figures 1.1 and 1.2 show screenshots of the AutoIt script code that modifies those registry values.

As part of its execution it also tries to stop, delete and even modify the configuration of some services in order to disable antivirus products. Figure 2 shows the code listing of those services.

It attempts to block the SMB ports (445 and 139) and updates the firewall configuration so that its dropped malicious files are allowed to make network connections. Figure 3 shows the netsh command that modifies the firewall rules.

Using the attrib and icacls Windows binaries, it sets the hidden attribute and a deny-access permission on the installation root folders of several AV products, as seen in Figures 4 and 5.

The loader drops the files seen in Figure 6. The “temp.bat” is a cleanup batch file that deletes some of the dropped files and sets the hidden attribute on the created directory C:\ProgramData\Windows. The “clean.bat” is responsible for killing the Malwarebytes “mbamservice.exe” process and for stopping or deleting more services related to AV products and to coin miners like “MinerGate”.
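The AppLocker abuse described in the introduction (a policy imported by the loader that denies antivirus components) is something a defender can audit directly: export the effective policy and look for Deny rules whose conditions point at security-product folders. The script below is an added example written for this page, not code from the Splunk blog or from the loader; the sample policy, its rule Ids and the AV_ROOTS watchlist are constructed for illustration, and the XML shape is the one `Get-AppLockerPolicy -Effective -Xml` exports and `Set-AppLockerPolicy -XmlPolicy` imports.

```python
"""Audit an AppLocker policy for Deny rules aimed at security products.

Added example, not code from the Splunk blog or from the loader it describes.
It parses the AppLockerPolicy XML that `Get-AppLockerPolicy -Effective -Xml`
exports and `Set-AppLockerPolicy -XmlPolicy` imports, lists every Deny rule
and flags those whose path condition points at a security-product install
root. SAMPLE_POLICY and AV_ROOTS are constructed for illustration.
"""
import xml.etree.ElementTree as ET

# Constructed watchlist of install-root fragments (lower-case); extend per estate.
AV_ROOTS = ("windows defender", "malwarebytes", "microsoft security client")

# Constructed sample policy: one ordinary default Allow rule plus two Deny rules
# of the kind the text attributes to the loader. The rule Ids are made up.
SAMPLE_POLICY = r"""<AppLockerPolicy Version="1">
  <RuleCollection Type="Exe" EnforcementMode="Enabled">
    <FilePathRule Id="00000000-0000-0000-0000-000000000001"
        Name="(Default Rule) All files located in the Program Files folder"
        Description="" UserOrGroupSid="S-1-1-0" Action="Allow">
      <Conditions><FilePathCondition Path="%PROGRAMFILES%\*" /></Conditions>
    </FilePathRule>
    <FilePathRule Id="00000000-0000-0000-0000-000000000002" Name="deny mb"
        Description="" UserOrGroupSid="S-1-1-0" Action="Deny">
      <Conditions><FilePathCondition Path="%PROGRAMFILES%\Malwarebytes\*" /></Conditions>
    </FilePathRule>
  </RuleCollection>
  <RuleCollection Type="Dll" EnforcementMode="Enabled">
    <FilePathRule Id="00000000-0000-0000-0000-000000000003" Name="deny wd"
        Description="" UserOrGroupSid="S-1-1-0" Action="Deny">
      <Conditions><FilePathCondition Path="%PROGRAMFILES%\Windows Defender\*" /></Conditions>
    </FilePathRule>
  </RuleCollection>
</AppLockerPolicy>"""


def deny_rules(policy_xml):
    """Return every Deny rule in the policy as a dict (collection, type, name, SID, conditions)."""
    root = ET.fromstring(policy_xml)
    rules = []
    for coll in root.iter("RuleCollection"):
        for rule in coll:
            if rule.get("Action") != "Deny":
                continue
            # Conditions holds FilePathCondition, FilePublisherCondition or FileHashCondition
            conds = rule.find("Conditions")
            rules.append({
                "collection": coll.get("Type"),
                "rule_type": rule.tag,
                "name": rule.get("Name"),
                "sid": rule.get("UserOrGroupSid"),  # S-1-1-0 is Everyone
                "conditions": [dict(c.attrib) for c in conds] if conds is not None else [],
            })
    return rules


def suspicious_deny_rules(policy_xml, roots=AV_ROOTS):
    """Deny rules whose path condition targets a watched security-product root."""
    flagged = []
    for rule in deny_rules(policy_xml):
        paths = [c.get("Path", "").lower() for c in rule["conditions"]]
        if any(root in path for path in paths for root in roots):
            flagged.append(rule)
    return flagged


if __name__ == "__main__":
    for rule in suspicious_deny_rules(SAMPLE_POLICY):
        print(f'{rule["collection"]:<4} {rule["rule_type"]:<16} sid={rule["sid"]} '
              f'{rule["name"]!r} -> {rule["conditions"]}')
```

To run it against a real host, save the output of `Get-AppLockerPolicy -Effective -Xml` to a file and pass its contents to `suspicious_deny_rules`. One caveat: an attacker does not need Deny rules to block AV. Because an enforced rule collection blocks anything that matches no Allow rule, a policy that enables enforcement while omitting the default Allow rules for Program Files has the same effect, so review the EnforcementMode and the Allow set of each collection alongside the Deny rules.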
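The defense-evasion steps in this write-up (the wmic uninstall, the netsh firewall changes, the icacls and attrib calls, the service stop/delete and the process kills) all surface as process command lines, which is where a SOC analyst would hunt for them. The script below is an added example written for this page, not code from the Splunk blog or from the loader: it runs a small set of behaviour rules over constructed process-creation records and rates each host by how many distinct behaviours it showed. The log records, the watchlists (AV_DIRS, AV_SERVICES, AV_PROCESSES) and the dropped-file name C:\ProgramData\Windows\update.exe are assumptions, not artifacts taken from the loader.

```python
"""Flag the defense-evasion command lines described above in process-creation logs.

Added example, not code from the Splunk blog or from the loader. Each record is
a constructed, pipe-separated "timestamp|host|image|commandline" line of the
kind a Sysmon Event ID 1 or Security 4688 export gives. The watchlists and the
dropped-file name C:\\ProgramData\\Windows\\update.exe are assumptions.
"""
import re

# Constructed watchlists; extend for the products deployed in your estate.
AV_DIRS = ("windows defender", "malwarebytes", "microsoft security client")
AV_SERVICES = {"windefend", "wscsvc", "msmpsvc", "mbamservice"}
AV_PROCESSES = {"mbamservice.exe", "msseces.exe", "msmpeng.exe"}

# Context-free patterns, matched against the lower-cased command line.
RULES = [
    ("wmic_uninstall",
     re.compile(r"\bwmic(?:\.exe)?\b.*\bproduct\b.*\bcall\s+uninstall\b")),
    ("fw_block_smb",
     re.compile(r"\bnetsh\b.*\bfirewall\b.*\baction=block\b.*\blocalport=\S*\b(?:445|139)\b")),
    ("fw_allow_dropped",
     re.compile(r"\bnetsh\b.*\bfirewall\b.*\baction=allow\b.*\bprogram=\S*programdata")),
    ("attrib_hidden",
     re.compile(r"\battrib(?:\.exe)?\b.*\s\+[a-z]*h")),
    ("defender_registry",
     re.compile(r"\breg(?:\.exe)?\s+add\b.*(?:windows defender|disableantispyware|disablerealtimemonitoring)")),
]
# Patterns whose target must be checked against a watchlist.
SC_RE = re.compile(r'\bsc(?:\.exe)?\s+(stop|delete|config)\s+"?([^\s"]+)')
TASKKILL_RE = re.compile(r'\btaskkill(?:\.exe)?\b.*/im\s+"?([^\s"]+)')
ICACLS_RE = re.compile(r"\bicacls(?:\.exe)?\b.*\s/deny\b")


def classify(cmdline):
    """Return the set of behaviour tags a single command line triggers."""
    c = cmdline.lower()
    tags = {tag for tag, rx in RULES if rx.search(c)}
    m = SC_RE.search(c)
    if m and m.group(2) in AV_SERVICES:
        tags.add("service_tamper")
    m = TASKKILL_RE.search(c)
    if m and m.group(1) in AV_PROCESSES:
        tags.add("kill_av_process")
    if ICACLS_RE.search(c) and any(d in c for d in AV_DIRS):
        tags.add("icacls_deny_av")
    return tags


def scan(log_lines):
    """Parse records and keep those whose command line triggered at least one tag."""
    findings = []
    for line in log_lines:
        ts, host, image, cmdline = line.split("|", 3)
        tags = classify(cmdline)
        if tags:
            findings.append({"time": ts, "host": host, "image": image,
                             "cmdline": cmdline, "tags": sorted(tags)})
    return findings


def host_verdicts(findings, threshold=3):
    """Rate each host by how many distinct evasion behaviours it showed."""
    seen = {}
    for f in findings:
        seen.setdefault(f["host"], set()).update(f["tags"])
    return {h: ("high" if len(t) >= threshold else "low") for h, t in seen.items()}


# Constructed records; the image column is abbreviated to the binary name.
SAMPLE_LOG = [
    r'2021-07-01T10:00:01Z|WS01|wmic.exe|wmic product where name="Microsoft Security Client" call uninstall /nointeractive',
    r'2021-07-01T10:00:02Z|WS01|netsh.exe|netsh advfirewall firewall add rule name="smb" dir=in action=block protocol=TCP localport=445',
    r'2021-07-01T10:00:03Z|WS01|netsh.exe|netsh advfirewall firewall add rule name="upd" dir=out action=allow program="C:\ProgramData\Windows\update.exe"',
    r'2021-07-01T10:00:04Z|WS01|icacls.exe|icacls "C:\Program Files\Malwarebytes" /deny Everyone:(OI)(CI)(F)',
    r'2021-07-01T10:00:05Z|WS01|attrib.exe|attrib +h "C:\ProgramData\Windows"',
    r'2021-07-01T10:00:06Z|WS01|sc.exe|sc stop WinDefend',
    r'2021-07-01T10:00:07Z|WS01|sc.exe|sc delete MBAMService',
    r'2021-07-01T10:00:08Z|WS01|taskkill.exe|taskkill /f /im mbamservice.exe',
    r'2021-07-01T10:00:09Z|WS01|reg.exe|reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender" /v DisableAntiSpyware /t REG_DWORD /d 1 /f',
    r'2021-07-01T10:00:10Z|WS01|notepad.exe|notepad C:\Users\bob\notes.txt',
    r'2021-07-01T10:05:00Z|WS02|attrib.exe|attrib +h "C:\Users\bob\secret"',
]

if __name__ == "__main__":
    for f in scan(SAMPLE_LOG):
        print(f'{f["host"]} {",".join(f["tags"]):<18} {f["cmdline"]}')
    print(host_verdicts(scan(SAMPLE_LOG)))
```

Each tag on its own is weak evidence (administrators also run `attrib +h` and `sc stop`), which is why the verdict counts distinct behaviours per host rather than raw hits: WS01 shows nine of them and rates high, while WS02's single hidden-attribute call stays low. The same patterns translate directly into searches over the process command-line field of Sysmon Event ID 1 or Security 4688 data in a SIEM.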