Interesting List of Windows Processes Killed by Malicious Software

General Technology 2017-09-07

Just a quick blog post about an interesting sample that I found today. Modern pieces of malware usually implement anti-debugging and anti-VM techniques: they perform checks against the target and, when one of them returns a positive result, they silently exit. Such checks might test the screen resolution, the activity of a connected user, the presence of files on the desktop, etc. They also search for running processes that could reveal that they are being monitored or debugged. This is achieved via the GetProcessesByName method (System.Diagnostics.Process in .NET). Example:

' VB.NET: look for a process by image name (without the .exe extension)
Imports System.Diagnostics

Dim processName As String = "tool_executed_by_analyst"
Dim processList As Process() = Process.GetProcessesByName(processName)
If processList.Length > 0 Then
    ' Process is running, exit silently...
Else
    ' Process is not running, do our malicious stuff...
End If

This time, the sample did not search for running processes. Instead of a stealthy exit, it just executed a long list of taskkill.exe commands with process names, like this:

taskkill.exe /IM <process_name> /T /F

“/IM” refers to the process image name, “/T” terminates the process and all of its child processes, and “/F” kills the process forcefully. This is quite an aggressive technique!
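As an added defender-side example (not code from the original post), this Python snippet parses process-creation command lines for the taskkill.exe /IM pattern described above and flags a parent process that force-kills several of the listed security-product images in a row; the watch list, the sample events and the PIDs are constructed.

```python
import re
from collections import defaultdict

# Constructed watch list: a subset of the image names in the post (extend with the full list).
SECURITY_IMAGES = {n.lower() for n in (
    "avpmapp.exe", "escanmon.exe", "fsgk32.exe", "FProtTray.exe", "AVKService.exe",
    "freshclam.exe", "K7RTScan.exe", "nanoav.exe", "PSANHost.exe", "SUPERAntiSpyware.exe",
    "SBAMSvc.exe", "MCShieldRTM.exe", "FortiClient.exe", "twssrv.exe", "nwscmon.exe")}

TASKKILL_RE = re.compile(r"(?:^|[\s\\\"])taskkill(?:\.exe)?(?=[\s\"]|$)", re.IGNORECASE)
IMAGE_RE = re.compile(r"/IM[\s:]+\"?([^\s\"]+)", re.IGNORECASE)  # /IM name, /IM:name, /IM "name"
FLAG_RE = re.compile(r"(?:^|\s)/(F|T)(?=\s|$)", re.IGNORECASE)

def parse_taskkill(cmdline):
    """Describe a taskkill /IM command line; None if it is not one (e.g. the /PID form)."""
    if not TASKKILL_RE.search(cmdline):
        return None
    m = IMAGE_RE.search(cmdline)
    if not m:
        return None
    image = m.group(1).lower()
    flags = {f.upper() for f in FLAG_RE.findall(cmdline)}
    return {"image": image, "forced": "F" in flags, "tree": "T" in flags,
            "watched": image in SECURITY_IMAGES}

def score_by_parent(events, threshold=3):
    """events: (parent_pid, command_line) pairs. Returns {parent_pid: sorted images} for parents
    that force-killed at least `threshold` distinct watched images (the post's 'long list' pattern)."""
    hits = defaultdict(set)
    for parent, cmdline in events:
        info = parse_taskkill(cmdline)
        if info and info["watched"] and info["forced"]:
            hits[parent].add(info["image"])
    return {p: sorted(i) for p, i in hits.items() if len(i) >= threshold}

# Constructed sample: (parent PID, CommandLine) as a process-creation log would record them.
SAMPLE_EVENTS = [
    (4120, 'taskkill.exe /IM avpmapp.exe /T /F'),
    (4120, 'cmd.exe /c taskkill /IM escanmon.exe /T /F'),
    (4120, '"C:\\Windows\\System32\\taskkill.exe" /IM:K7RTScan.exe /F'),
    (4120, 'taskkill.exe /IM nwscmon.exe /T /F'),
    (4120, 'taskkill.exe /IM notepad.exe /F'),      # not a security product: ignored
    (7788, 'taskkill /IM FortiClient.exe /T /F'),   # single hit: below threshold
    (7788, 'taskkill /PID 1234 /F'),                # no /IM: ignored
]

if __name__ == "__main__":
    for parent, images in score_by_parent(SAMPLE_EVENTS).items():
        print(f"parent {parent} force-killed {len(images)} security images: {', '.join(images)}")
```

A single taskkill of one image is common in legitimate scripts, so the threshold on distinct watched images per parent is what separates this sample's behaviour from noise.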

Some processes are well-known, others were more exotic. Here is the full list:

avpmapp.exe
econceal.exe
escanmon.exe
escanpro.exe
TRAYSSER.EXE
TRAYICOS.EXE
econser.exe
VIEWTCP.EXE
FSHDLL64.exe
fsgk32.exe
fshoster32.exe
FSMA32.EXE
fsorsp.exe
fssm32.exe
FSM32.EXE
trigger.exe
FProtTray.exe
FPWin.exe
FPAVServer.exe
AVK.exe
GdBgInx64.exe
AVKProxy.exe
GDScan.exe
AVKWCtlx64.exe
AVKService.exe
AVKTray.exe
GDKBFltExe32.exe
GDSC.exe
virusutilities.exe
guardxservice.exe
guardxkickoff_x64.exe
iptray.exe
freshclam.exe
freshclamwrap.exe
K7RTScan.exe
K7FWSrvc.exe
K7PSSrvc.exe
K7EmlPxy.EXE
K7TSecurity.exe
K7AVScan.exe
K7CrvSvc.exe
K7SysMon.Exe
K7TSMain.exe
K7TSMngr.exe
nanosvc.exe
nanoav.exe
nnf.exe
nvcsvc.exe
nbrowser.exe
nseupdatesvc.exe
nfservice.exe
nwscmon.exe
njeeves2.exe
nvcod.exe
nvoy.exe
zlhh.exe
Zlh.exe
nprosec.exe
Zanda.exe
NS.exe
acs.exe
op_mon.exe
PSANHost.exe
PSUAMain.exe
PSUAService.exe
AgentSvc.exe
BDSSVC.EXE
EMLPROXY.EXE
OPSSVC.EXE
ONLINENT.EXE
QUHLPSVC.EXE
SAPISSVC.EXE
SCANNER.EXE
SCANWSCS.EXE
scproxysrv.exe
ScSecSvc.exe
SUPERAntiSpyware.exe
SASCore64.exe
SSUpdate64.exe
SUPERDelete.exe
SASTask.exe
K7RTScan.exe
K7FWSrvc.exe
K7PSSrvc.exe
K7EmlPxy.EXE
K7TSecurity.exe
K7AVScan.exe
K7CrvSvc.exe
K7SysMon.Exe
K7TSMain.exe
K7TSMngr.exe
uiWinMgr.exe
uiWatchDog.exe
uiSeAgnt.exe
PtWatchDog.exe
PtSvcHost.exe
PtSessionAgent.exe
coreFrameworkHost.exe
coreServiceShell.exe
uiUpdateTray.exe
VIPREUI.exe
SBAMSvc.exe
SBAMTray.exe
SBPIMSvc.exe
bavhm.exe
BavSvc.exe
BavTray.exe
Bav.exe
BavWebClient.exe
BavUpdater.exe
MCShieldCCC.exe
MCShieldRTM.exe
MCShieldDS.exe
MCS-Uninstall.exe
SDScan.exe
SDFSSvc.exe
SDWelcome.exe
SDTray.exe
UnThreat.exe
utsvc.exe
FortiClient.exe
fcappdb.exe
FCDBlog.exe
FCHelper64.exe
fmon.exe
FortiESNAC.exe
FortiProxy.exe
FortiSSLVPNdaemon.exe
FortiTray.exe
FortiFW.exe
FortiClient_Diagnostic_Tool.exe
av_task.exe
CertReg.exe
FilMsg.exe
FilUp.exe
filwscc.exe
filwscc.exe
psview.exe
quamgr.exe
quamgr.exe
schmgr.exe
schmgr.exe
twsscan.exe
twssrv.exe
UserReg.exe
/dev/random
