MalwareAnalysisSeries

This repository contains the analysis reports, technical details or any tools created for helping in malware analysis. Additionally, the repo contains extracted TTPs with code along with the detection rules


Project maintained by shaddy43

MedusaLocker: Persistence


MedusaLocker achieves persistence in an unusual way. It relies on officially documented Microsoft code to schedule a task that repeats every 15 minutes indefinitely. Malware typically shells out to at.exe or schtasks.exe, the Windows command-line tools for scheduling tasks, but here the task is created programmatically in C/C++ through the Task Scheduler COM API, following the sample code on Microsoft's MSDN page.

The malware copies itself to %APPDATA% under the name “svhost.exe” (a lookalike of the legitimate svchost.exe) and registers that copy in the Task Scheduler to run every 15 minutes indefinitely. The TTP code in this repo copies cmd.exe instead of the malware binary, for demonstration purposes.

Necessary Headers

    #include <windows.h>
    #include <comdef.h>     // _bstr_t / _variant_t wrappers used below
    #include <taskschd.h>
    #include <iostream>
    #pragma comment(lib, "taskschd.lib")
    #pragma comment(lib, "comsupp.lib")
    #pragma comment(lib, "credui.lib")

Initialize COM

    //  Initialize COM.
    HRESULT hr = CoInitializeEx(NULL, COINIT_MULTITHREADED);
    if (FAILED(hr))
    {
        std::cerr << "CoInitializeEx failed: 0x" << std::hex << hr << std::endl;
        return -1;
    }

    //  Set general COM security levels.
    hr = CoInitializeSecurity(
        NULL,
        -1,
        NULL,
        NULL,
        RPC_C_AUTHN_LEVEL_PKT_PRIVACY,
        RPC_C_IMP_LEVEL_IMPERSONATE,
        NULL,
        0,
        NULL);
    if (FAILED(hr))
    {
        std::cerr << "CoInitializeSecurity failed: 0x" << std::hex << hr << std::endl;
        CoUninitialize();
        return -1;
    }

Create Instance

    //  Create an instance of the Task Service.
    ITaskService* pService = NULL;
    hr = CoCreateInstance(CLSID_TaskScheduler,
        NULL,
        CLSCTX_INPROC_SERVER,
        IID_ITaskService,
        (void**)&pService);
    if (FAILED(hr))
    {
        std::cerr << "CoCreateInstance(CLSID_TaskScheduler) failed: 0x" << std::hex << hr << std::endl;
        CoUninitialize();
        return -1;
    }

    //  Connect to the task service (empty variants = local machine, current user).
    hr = pService->Connect(_variant_t(), _variant_t(),
        _variant_t(), _variant_t());
    if (FAILED(hr))
    {
        std::cerr << "ITaskService::Connect failed: 0x" << std::hex << hr << std::endl;
        CoUninitialize();
        return -1;
    }

Registration info and other settings

    //  pTask is the ITaskDefinition created earlier with pService->NewTask(0, &pTask).
    //  Get the registration info for setting the identification.
    IRegistrationInfo* pRegInfo = NULL;
    hr = pTask->get_RegistrationInfo(&pRegInfo);

    //  Set the principal (obtained earlier with pTask->get_Principal(&pPrincipal)) to an
    //  interactive logon, so the task runs in the logged-on user's session without stored credentials.
    hr = pPrincipal->put_LogonType(TASK_LOGON_INTERACTIVE_TOKEN);

    //  Create the settings for the task
    ITaskSettings* pSettings = NULL;
    hr = pTask->get_Settings(&pSettings);

...

Add repetition to the trigger

    // Get a pointer to the IRepetitionPattern interface of the trigger created earlier (pTrigger)
    IRepetitionPattern* pRepetition = NULL;
    hr = pTrigger->get_Repetition(&pRepetition);

    // Task repetition: every 15 minutes (ISO 8601 duration). No Duration is set,
    // so the Task Scheduler repeats the trigger indefinitely.
    hr = pRepetition->put_Interval(_bstr_t("PT15M"));

Set paths and parameters

    // Set the path of the task's action (pExecAction, an IExecAction) to the executable to run
    hr = pExecAction->put_Path(_bstr_t(wstrExecutablePath.c_str()));

    // Pass command-line arguments to the executable (if any)
    hr = pExecAction->put_Arguments(_bstr_t(wstrArguements.c_str()));

Task Registration

    //  Save the task in the root folder (pRootFolder, obtained from pService->GetFolder).
    IRegisteredTask* pRegisteredTask = NULL;
    hr = pRootFolder->RegisterTaskDefinition(
        _bstr_t(wszTaskName),
        pTask,
        TASK_CREATE_OR_UPDATE,
        _variant_t(),
        _variant_t(),
        TASK_LOGON_INTERACTIVE_TOKEN,
        _variant_t(L""),
        &pRegisteredTask);
    if (FAILED(hr))
    {
        std::cerr << "RegisterTaskDefinition failed: 0x" << std::hex << hr << std::endl;
    }
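A defender-side check for this technique, added here as an example and not part of the original repository's code: it parses a task's XML (as stored under C:\Windows\System32\Tasks or exported with `schtasks /Query /XML /TN <name>`) and flags the three traits described above, an action under AppData, a binary name imitating svchost.exe, and a short repetition interval with no Duration. The sample XML is constructed, not a captured artifact.

```python
import re
import xml.etree.ElementTree as ET

# Namespace of every task XML, whether read from C:\Windows\System32\Tasks or
# exported with "schtasks /Query /XML /TN <name>".
NS = {"t": "http://schemas.microsoft.com/windows/2004/02/mit/task"}

# Binary names that imitate a Windows system binary (the page's svhost.exe ~ svchost.exe).
LOOKALIKE_NAMES = {"svhost.exe": "svchost.exe"}
# Constructed sample, not a captured artifact: a task shaped like the one described above,
# an AppData copy named svhost.exe repeated every 15 minutes with no Duration.
SAMPLE_TASK_XML = r"""<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <Triggers>
    <TimeTrigger>
      <Repetition><Interval>PT15M</Interval></Repetition>
      <StartBoundary>2024-01-01T00:00:00</StartBoundary>
    </TimeTrigger>
  </Triggers>
  <Actions Context="Author">
    <Exec><Command>C:\Users\victim\AppData\Roaming\svhost.exe</Command></Exec>
  </Actions>
</Task>"""

def iso_duration_seconds(value):
    """Convert a Task Scheduler ISO 8601 duration such as PT15M to seconds (None if malformed)."""
    m = re.fullmatch(r"P(?:(\d+)D)?(?:T(?:(\d+)H)?(?:(\d+)M)?(?:(\d+)S)?)?", value or "")
    if not m or not any(m.groups()):
        return None
    d, h, mi, s = (int(g) if g else 0 for g in m.groups())
    return d * 86400 + h * 3600 + mi * 60 + s

def analyze_task(xml_text, max_interval_seconds=30 * 60):
    """Return the findings for one task XML; an empty list means nothing matched."""
    root = ET.fromstring(xml_text)
    findings = []
    for action in root.findall(".//t:Actions/t:Exec", NS):
        cmd = action.findtext("t:Command", default="", namespaces=NS).strip().strip('"')
        lowered = cmd.lower()
        name = lowered.replace("/", "\\").rsplit("\\", 1)[-1]
        if "%appdata%" in lowered or "\\appdata\\" in lowered:
            findings.append(f"action runs from a user AppData path: {cmd}")
        if name in LOOKALIKE_NAMES:
            findings.append(f"action binary {name} mimics {LOOKALIKE_NAMES[name]}")
    for rep in root.findall(".//t:Triggers/*/t:Repetition", NS):
        interval = rep.findtext("t:Interval", default="", namespaces=NS)
        secs = iso_duration_seconds(interval)
        # With no <Duration>, Task Scheduler repeats the trigger indefinitely.
        if secs is not None and secs <= max_interval_seconds and rep.find("t:Duration", NS) is None:
            findings.append(f"trigger repeats every {interval} with no Duration (indefinitely)")
    return findings
```

Running `analyze_task` over every file under C:\Windows\System32\Tasks gives a quick triage list; none of the three traits alone is conclusive, but all three together is the exact shape this TTP produces.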

The complete code is available here: Shaddy43/MalwareAnalysisSeries

Disclaimer

Intended for educational purposes only!