

First posted on 14 August 2018.
Source: Microsoft

Aliases:

There are no other names known for HackTool:Win64/Reflectivensa.gen!A.

Explanation:

These malicious DLL components belong to malware typically used in targeted attacks. They employ the reflective DLL loading technique to run specific commands on a compromised system.

When loaded in memory, these DLL components can execute their payload. Some of the payloads we have observed are the following:

  • Drop malware:
      • %Windows%\IME\winload.exe - detected as Trojan:Win32/Leafremote.A
      • %Windows%\IME\svchost.exe - detected as Backdoor:MSIL/Sorcas.A
  • Run malware
  • Stop the Windows Update service
  • Create an admin user for Remote Desktop Protocol (RDP) access: add an account called "vmware" and add it to the Administrators group
  • Create and activate an admin user using a hardcoded password
  • Change the Administrator password
  • Enable the Remote Desktop Protocol (RDP) service and start the Terminal Services service, allowing the traffic through the firewall
  • Reboot the system
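The observed payloads above translate directly into host triage checks. The following is an added example, not Microsoft's code or part of this entry: it maps the page's indicators (the two dropped files under %Windows%\IME, the "vmware" account in Administrators, the stopped Windows Update service, and RDP being switched on) onto a plain snapshot of a host so the logic can be exercised offline. The service name wuauserv, the fDenyTSConnections registry value and the "Remote Desktop" firewall rule group are general Windows knowledge rather than details from the page, and both host snapshots are constructed, not real telemetry.

```python
"""Host triage for the post-exploitation indicators listed on this page.

The checks run against a plain dictionary snapshot of a host (files present,
local Administrators members, service states, registry values, enabled
firewall rule groups) so they can be exercised offline; on a live machine the
snapshot would be filled from the usual inventory tooling.
"""
from __future__ import annotations

from dataclasses import dataclass

# Dropped-file indicators exactly as the page lists them (template path -> detection name).
DROPPED_FILES = {
    r"%Windows%\IME\winload.exe": "Trojan:Win32/Leafremote.A",
    r"%Windows%\IME\svchost.exe": "Backdoor:MSIL/Sorcas.A",
}
# Account the page says is added to the Administrators group.
ROGUE_ADMIN_ACCOUNT = "vmware"
# Service name of "Windows Update" (general Windows knowledge; the page only says "Windows Update service").
WINDOWS_UPDATE_SERVICE = "wuauserv"
# Registry value that denies (1) or allows (0) inbound RDP (general Windows knowledge, not from the page).
RDP_DENY_VALUE = r"HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server\fDenyTSConnections"
# Windows Firewall rule group the RDP listener needs (general Windows knowledge, not from the page).
RDP_FIREWALL_GROUP = "Remote Desktop"


@dataclass(frozen=True)
class Finding:
    indicator: str   # short category used for triage/alerting
    detail: str      # what was matched on the host


def expand_windows(template: str, windir: str) -> str:
    """Resolve the %Windows% placeholder used on the page to a concrete directory."""
    return template.replace("%Windows%", windir)


def triage(snapshot: dict) -> list[Finding]:
    """Map the page's indicators onto a host snapshot and return every match."""
    findings: list[Finding] = []
    windir = snapshot.get("windir", r"C:\Windows")

    # 1. Dropped files. The stock svchost.exe lives in %Windows%\System32;
    #    a copy under %Windows%\IME is the anomaly, so match on the full path only.
    present = {p.lower() for p in snapshot.get("files", [])}
    for template, detection in DROPPED_FILES.items():
        full = expand_windows(template, windir)
        if full.lower() in present:
            findings.append(Finding("dropped_file", f"{full} ({detection})"))

    # 2. Rogue local administrator.
    admins = {name.lower() for name in snapshot.get("administrators", [])}
    if ROGUE_ADMIN_ACCOUNT in admins:
        findings.append(Finding("rogue_admin", f'"{ROGUE_ADMIN_ACCOUNT}" is a member of Administrators'))

    # 3. Windows Update service stopped. Weak on its own (the service idles between
    #    scans), so treat it as corroboration for the other findings.
    wu = snapshot.get("services", {}).get(WINDOWS_UPDATE_SERVICE, {})
    if wu.get("status") == "Stopped":
        findings.append(Finding("windows_update_stopped", f"{WINDOWS_UPDATE_SERVICE} is stopped"))

    # 4. RDP allowed and its firewall rule group opened on a host whose
    #    baseline says RDP should be off.
    rdp_allowed = snapshot.get("registry", {}).get(RDP_DENY_VALUE) == 0
    fw_open = RDP_FIREWALL_GROUP.lower() in {g.lower() for g in snapshot.get("firewall_groups_enabled", [])}
    if rdp_allowed and fw_open and not snapshot.get("rdp_expected", False):
        findings.append(Finding("rdp_enabled", "fDenyTSConnections=0 and Remote Desktop firewall group enabled"))

    return findings


# Constructed snapshot of a host showing every indicator at once (not real telemetry).
COMPROMISED_HOST = {
    "windir": r"C:\Windows",
    "files": [r"C:\Windows\IME\winload.exe", r"C:\Windows\IME\svchost.exe", r"C:\Windows\System32\svchost.exe"],
    "administrators": ["Administrator", "vmware"],
    "services": {"wuauserv": {"status": "Stopped"}},
    "registry": {RDP_DENY_VALUE: 0},
    "firewall_groups_enabled": ["Remote Desktop"],
    "rdp_expected": False,
}

# Constructed snapshot of a healthy workstation for comparison.
CLEAN_HOST = {
    "files": [r"C:\Windows\System32\svchost.exe"],
    "administrators": ["Administrator"],
    "services": {"wuauserv": {"status": "Running"}},
    "registry": {RDP_DENY_VALUE: 1},
    "firewall_groups_enabled": [],
}


if __name__ == "__main__":
    for f in triage(COMPROMISED_HOST):
        print(f"[{f.indicator}] {f.detail}")
```

The snapshot keys are the example's own convention; the point is that each payload on the page leaves a checkable artefact (a file path, a group membership, a service state, a registry value and a firewall rule), and that the weak indicators (a stopped update service, RDP on a jump host where it is expected) are only meaningful alongside the strong ones.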

Analysis by: Ric Robielos

Last update 14 August 2018