rootkit: dcprotect.sys - Githubissues

magicsword-io / LOLDrivers

Living Off The Land Drivers

https://www.loldrivers.io/

Apache License 2.0

1.04k stars 123 forks source link

rootkit: dcprotect.sys #154

Closed Wack0 closed 11 months ago

Wack0 commented 12 months ago

bundled with chinese application "DrvCeo" is a set of rootkits:

encrypted 7z archive (password: 3BuW!$2PDVP^!Mc9u*AJ3CEasM4JDmgg ) containing the drivers: https://www.virustotal.com/gui/file/68485b81c96438a821c3a11557ac6551a02e78d7c37152be2c266d2c08955136

drivers themselves: https://www.virustotal.com/gui/file/55b5bcbf8fb4e1ce99d201d3903d785888c928aa26e947ce2cdb99eefd0dae03 https://www.virustotal.com/gui/file/1698ba7eeee6ff9272cc25b242af89190ff23fd9530f21aa8f0f3792412594f3 https://www.virustotal.com/gui/file/c35cab244bd88bf0b1e7fc89c587d82763f66cf1108084713f867f72cc6f3633 https://www.virustotal.com/gui/file/f8d45fa03f56e2ea14920b902856666b8d44f1f1b16644baf8c1ae9a61851fb6 https://www.virustotal.com/gui/file/ff55c1f308a5694eb66a3e9ba326266c826c5341c44958831a7a59a23ed5ecc8 https://www.virustotal.com/gui/file/9dee9c925f7ea84f56d4a2ad4cf9a88c4dac27380887bf9ac73e7c8108066504 https://www.virustotal.com/gui/file/3af9c376d43321e813057ecd0403e71cafc3302139e2409ab41e254386c33ecb https://www.virustotal.com/gui/file/b2247e68386c1bdfd48687105c3728ebbad672daffa91b57845b4e49693ffd71

the malicious functionality:

prevents registry value writing where the registry key or value includes "dcprotect" or "drvceo"
prevents file deletion if pathname contains "driverdownload", "program files\sysceo", "program files (x86)\sysceo"

MHaggis commented 11 months ago

Thank you @Wack0 , we got it in there!