SecurityHome.eu HackTool:Win32/Reflectivensa.gen!A

Home / malware PDF

HackTool:Win32/Reflectivensa.gen!A

First posted on 14 August 2018.
Source: Microsoft
Aliases :
There are no other names known for HackTool:Win32/Reflectivensa.gen!A.
Explanation :
These malicious DLL components of malware typically used in targeted attacks employ the reflective DLL loading technique to run specific commands on a compromised system.

When loaded in memory, these DLL components \can execute their payload. Some of the payloads we have observed are the following:

Drop malware:

%Windows%\IME\winload.exe - detected as Trojan:Win32/Leafremote.A

%Windows%\IME\svchost.exe - Backdoor:MSIL/Sorcas.A

Run malware

Stop Windows Update service

Create an admin user for Remote Desktop Protocol (RDP) access, and add an account called "vmware" and add it to the Administrators group

Create and activate an admin user using a hardcoded password

Change Administrator password

Enable the Windows Remote Desktop Protocol (RDP) service and Start terminal service to allow the traffic through firewall

Reboot the system

Analysis by: Ric Robielos
Last update 14 August 2018

TOP

Malware :

Last 20

Family:

HackTool:Win32/Reflectivensa.gen!A