registryopf.blogg.se

Reconstructed Crackonosh Inno Setup installer script If it finds it’s “safe” to run malware, then installs the Crackonosh malware to %SystemRoot%\system32\ and one configuration file to %localappdata%\Programs\Common and creates in the Windows Task scheduler the tasks InstallWinSAT to start maintenance.vbs and StartupCheckLibrary to start StartupcheckLibrary.vbs. The installer Inno Setup executes the following script. This shows us that Crackonosh was packed in a password protected archive and unpacked in the process of installation.

/Create /SC ONLOGON /TN "Microsoft\Windows\Application Experience\StartupCheckLibrary" /TR StartupCheck.vbs /RL HIGHEST /F.

/Create /SC ONLOGON /TN "Microsoft\Windows\Maintenance\InstallWinSAT" /TR Maintenance.vbs /RL HIGHEST /F.

-ir!*.*? e -pflk45DFTBplsd -y "\Programs\Common.

The following strings were found in uninstallation logs: Hunting led us to uncover uninstallation logs containing Crackonosh unpacking details when installed with cracked software. The only clue to what happened before the Maintenance.vbs creates this registry key and how the files appear on the computer of the victim is the removal of InstallWinSAT task in maintenance.vbs. It is easy to find out that serviceinstaller.exe is started from a registry key created by Maintenance.vbs.

Wksprtcli.dll extracts newer winlogui.exe and drops winscomrssrv.dll and winrmsrv.exe which it contains, decrypts and places in the folder.įrom the original compilation date of Crackonosh we identified 30 different versions of serviceinstaller.exe, the main malware executable, from up to.

StartupCheckLibrary.DLL downloads and runs wksprtcli.dll.

Serviceintaller.exe drops StartupCheckLibrary.DLL.

Serviceinstaller.msi registers and runs serviceinstaller.exe, the main malware executable.

Maintenance.vbs then starts the installation using serviceinstaller.msi.

First, the victim runs the installer for the cracked software.