I encountered a malware using a way to stay persistence which I had never seen before. So I’d love to share it here. You can get the malware here.

http://www.malware-traffic-analysis.net/2018/01/02/index2.html

So let’s take a quick look how it stays persistence by dynamic analysis.

Yeah, it creates a task to run at 0:00 every day. So how does it do this? You can open the string subview in IDA and find this key string.

Double click it, it will leads you to the string and you can use “CTRL+x” to go to the function that achieves persistence.

Ok, there we go. Here is the schtasks command.
Take a deep look at it.

You can have a better understanding at the arguments by looking at the document here.

https://msdn.microsoft.com/en-us/library/windows/desktop/bb736357(v=vs.85).aspx

But yeah, all it does is just let the malware starts at 0:00 every day.

And actually, the malware starts the browser and goes to a malicious fake website. If we check the domain we can see this.

That’s all for today. Any question, please contact me at xudong_shao@hotmail.com.