General
-
Target
https://github.com/MalwareStudio/Rover-The-Desktop-Assistant
-
Sample
240420-pfawbshb6t
Static task
static1
URLScan task
urlscan1
Behavioral task
behavioral1
Sample
https://github.com/MalwareStudio/Rover-The-Desktop-Assistant
Resource
win10-20240404-en
Malware Config
Targets
-
-
Target
https://github.com/MalwareStudio/Rover-The-Desktop-Assistant
Score10/10-
Modifies WinLogon for persistence
-
Manipulates Digital Signatures
Attackers can apply techniques such as modifying certain DLL exports to make their binary seem valid.
-
.NET Reactor proctector
Detects an executable protected by an unregistered version of Eziriz's .NET Reactor.
-
Executes dropped EXE
-
Legitimate hosting services abused for malware hosting/C2
-
Writes to the Master Boot Record (MBR)
Bootkits write to the MBR to gain persistence at a level below the operating system.
-
Drops file in System32 directory
-
MITRE ATT&CK Matrix ATT&CK v13
Persistence
Boot or Logon Autostart Execution
1Winlogon Helper DLL
1Pre-OS Boot
1Bootkit
1Privilege Escalation
Boot or Logon Autostart Execution
1Winlogon Helper DLL
1Abuse Elevation Control Mechanism
1Bypass User Account Control
1Defense Evasion
Modify Registry
3Abuse Elevation Control Mechanism
1Bypass User Account Control
1Impair Defenses
1Disable or Modify Tools
1Pre-OS Boot
1Bootkit
1