Wednesday, September 6, 2017

Interesting List of Windows Processes Killed by Malicious Software

Just a quick blog post about an interesting sample that I found today. Usually, modern pieces of malware implement anti-debugging and anti-VM techniques. They perform some checks against the target and when a positive result is found, they silently exit… Such checks might be testing the screen resolution, the activity of a connected user, the presence of files on the desktop, etc. But they also search for interesting processes that could reveal that they are being monitored or debugged. This is achieved via the GetProcessesByName system call. Example:

processName = "tool_executed_by_analyst"
processList = Process.GetProcessesByName(processName)
If processList.Count > 0 Then
    ' Process is running, exit silently...
Else
    ' Process is not running, do our malicious stuff...
End If

This time, the sample did not search for running processes. Instead is a stealthy exit, it just executed a long list of taskkill.exe commands with process names like this:

taskkill.exe /IM <string> /T /F

“/IM” refers to the process image name, “/T” means to terminate all child processes and “/F” means to kill the process forcefully. This is a quite agressive technique!

Some processes are well-known, others were more exotic. Here is the full list:

avpmapp.exe
econceal.exe
escanmon.exe
escanpro.exe
TRAYSSER.EXE
TRAYICOS.EXE
econser.exe
VIEWTCP.EXE
FSHDLL64.exe
fsgk32.exe
fshoster32.exe
FSMA32.EXE
fsorsp.exe
fssm32.exe
FSM32.EXE
trigger.exe
FProtTray.exe
FPWin.exe
FPAVServer.exe
AVK.exe
GdBgInx64.exe
AVKProxy.exe
GDScan.exe
AVKWCtlx64.exe
AVKService.exe
AVKTray.exe
GDKBFltExe32.exe
GDSC.exe
virusutilities.exe
guardxservice.exe
guardxkickoff_x64.exe
iptray.exe
freshclam.exe
freshclamwrap.exe
K7RTScan.exe
K7FWSrvc.exe
K7PSSrvc.exe
K7EmlPxy.EXE
K7TSecurity.exe
K7AVScan.exe
K7CrvSvc.exe
K7SysMon.Exe
K7TSMain.exe
K7TSMngr.exe
nanosvc.exe
nanoav.exe
nnf.exe
nvcsvc.exe
nbrowser.exe
nseupdatesvc.exe
nfservice.exe
cmd.exetaskkill/IMnwscmon.exe
njeeves2.exe
nvcod.exe
nvoy.exe
zlhh.exe
Zlh.exe
nprosec.exe
Zanda.exe
NS.exe
acs.exe
op_mon.exe
PSANHost.exe
PSUAMain.exe
PSUAService.exe
AgentSvc.exe
BDSSVC.EXE
EMLPROXY.EXE
OPSSVC.EXE
ONLINENT.EXE
QUHLPSVC.EXE
SAPISSVC.EXE
SCANNER.EXE
SCANWSCS.EXE
scproxysrv.exe
ScSecSvc.exe
SUPERAntiSpyware.exe
SASCore64.exe
SSUpdate64.exe
SUPERDelete.exe
SASTask.exe
K7RTScan.exe
K7FWSrvc.exe
K7PSSrvc.exe
K7EmlPxy.EXE
K7TSecurity.exe
K7AVScan.exe
K7CrvSvc.exe
K7SysMon.Exe
K7TSMain.exe
K7TSMngr.exe
uiWinMgr.exe
uiWatchDog.exe
uiSeAgnt.exe
PtWatchDog.exe
PtSvcHost.exe
PtSessionAgent.exe
coreFrameworkHost.exe
coreServiceShell.exe
uiUpdateTray.exe
VIPREUI.exe
SBAMSvc.exe
SBAMTray.exe
SBPIMSvc.exe
bavhm.exe
BavSvc.exe
BavTray.exe
Bav.exe
BavWebClient.exe
BavUpdater.exe
MCShieldCCC.exe
MCShieldRTM.exe
MCShieldDS.exe
MCS-Uninstall.exe
SDScan.exe
SDFSSvc.exe
SDWelcome.exe
SDTray.exe
UnThreat.exe
utsvc.exe
FortiClient.exe
fcappdb.exe
FCDBlog.exe
FCHelper64.exe
fmon.exe
FortiESNAC.exe
FortiProxy.exe
FortiSSLVPNdaemon.exe
FortiTray.exe
FortiFW.exe
FortiClient_Diagnostic_Tool.exe
av_task.exe
CertReg.exe
FilMsg.exe
FilUp.exe
filwscc.exe
filwscc.exe
psview.exe
quamgr.exe
quamgr.exe
schmgr.exe
schmgr.exe
twsscan.exe
twssrv.exe
UserReg.exe

[The post Interesting List of Windows Processes Killed by Malicious Software has been first published on /dev/random]



from Xavier

No comments:

Post a Comment