First posted on 14 August 2018.
There are no other names known for HackTool:Win64/Reflectivensa.gen!A.
This detection covers malicious DLL components, typically used in targeted attacks, that employ the reflective DLL loading technique to run specific commands on a compromised system.
When loaded in memory, these DLL components can execute their payload. Some of the payloads we have observed are the following:
- Drop malware:
  - %Windows%\IME\winload.exe - detected as Trojan:Win32/Leafremote.A
  - %Windows%\IME\svchost.exe - detected as Backdoor:MSIL/Sorcas.A
- Run malware
- Stop the Windows Update service
- Create an admin user for Remote Desktop Protocol (RDP) access: add an account called "vmware" and add it to the Administrators group
- Create and activate an admin user using a hardcoded password
- Change the Administrator password
- Enable the Windows Remote Desktop Protocol (RDP) service, start the terminal service, and allow its traffic through the firewall
- Reboot the system
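As an added defender-side example (not part of the original entry), the following PowerShell script performs a read-only triage of a host for the artifacts and configuration changes listed above. The file paths and the "vmware" account come from the entry; the service names, registry value and firewall rule group are standard Windows ones, and treating them as the footprint of the listed behaviour is this example's assumption, not something the entry states.

```powershell
# Added triage example, not from the encyclopedia entry. Read-only; run from an elevated
# PowerShell 5.1+ session. Each check maps to one observed payload behaviour listed above.

$findings = @()

# 1. Dropped files in %Windows%\IME. A svchost.exe in this folder is anomalous on its own:
#    the genuine binary lives in System32.
foreach ($name in 'winload.exe', 'svchost.exe') {
    $path = Join-Path $env:windir "IME\$name"
    if (Test-Path -LiteralPath $path) {
        $sig  = Get-AuthenticodeSignature -FilePath $path
        $hash = (Get-FileHash -Path $path -Algorithm SHA256).Hash
        $findings += "Dropped file present: $path (signature: $($sig.Status), SHA256: $hash)"
    }
}

# 2. Local account "vmware" and whether it sits in the Administrators group.
if (Get-LocalUser -Name 'vmware' -ErrorAction SilentlyContinue) {
    $admins  = Get-LocalGroupMember -Group 'Administrators' -ErrorAction SilentlyContinue
    $isAdmin = [bool]($admins.Name -match '\\vmware$')
    $findings += "Local account 'vmware' exists (Administrators member: $isAdmin)"
}

# 3. Windows Update service stopped or disabled.
$wu = Get-Service -Name wuauserv -ErrorAction SilentlyContinue
if ($wu -and ($wu.Status -ne 'Running' -or $wu.StartType -eq 'Disabled')) {
    $findings += "Windows Update service is $($wu.Status) (start type: $($wu.StartType))"
}

# 4. RDP allowed (fDenyTSConnections = 0), terminal service state, enabled RD firewall rules.
#    RDP being enabled is only a signal in combination with the checks above; many hosts
#    legitimately allow it, so the output reports state rather than declaring compromise.
$tsKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server'
$ts    = Get-ItemProperty -Path $tsKey -Name fDenyTSConnections -ErrorAction SilentlyContinue
if ($ts -and $ts.fDenyTSConnections -eq 0) {
    $termSvc = Get-Service -Name TermService -ErrorAction SilentlyContinue
    $fwRules = @(Get-NetFirewallRule -DisplayGroup 'Remote Desktop' -Enabled True -ErrorAction SilentlyContinue)
    $findings += "RDP connections allowed (TermService: $($termSvc.Status); enabled Remote Desktop firewall rules: $($fwRules.Count))"
}

if ($findings.Count -eq 0) {
    Write-Output 'None of the artifacts listed in this entry were found on this host.'
} else {
    $findings | ForEach-Object { Write-Output "[!] $_" }
}
```

Any hit on check 1 or 2 warrants pulling the file and the account's creation time from the Security event log for further investigation; checks 3 and 4 corroborate rather than confirm.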
Analysis by: Ric Robielos
Last update 14 August 2018