
Windows defender

Open alansleep opened this issue 4 years ago • 4 comments

Hello there, general ledoge, thanks again for your awesome work :) However, I can't use the 3.2 version: the antivirus deletes the .exe immediately with the message "Trojan:Win32/Wacatac.B!ml". I've used every single version and it's the only one that behaves like that, sadly.

alansleep avatar Nov 25 '21 22:11 alansleep

Yeah, no idea why it suddenly thinks that version is malicious when it didn't do that for older versions... I reported the false positive to Microsoft just now, maybe that'll do something?

ledoge avatar Nov 26 '21 00:11 ledoge

So, if I'm trying to duplicate what windows defender is doing, where do I find the trojan called, "Trojan:Win32/Wacatac.B!ml"?

Is the trojan a DLL? Is it a section of the code? Is it in the object files? Is it in a DLL? Is it in a dependency of the project downloaded from vcpkg? Are there tools I can use to inspect the output of the build (it's happening on DwmLutGUI.exe)?

What is the source of the "false positive" claim made to Microsoft? What's going on with the trojan that exhibits the behavior that is triggering Windows Defender to quarantine the file?

activedecay avatar Feb 14 '23 18:02 activedecay
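Added example to go with the question above about reproducing what Defender does; this is my code, not the dwm_lut project's and not any commenter's. It hashes the build output, asks Defender to scan that single file through MpCmdRun, then pulls Defender's own detection record for the path and splits the detection name into its parts (Defender names follow Type:Platform/Family.Variant!Suffix, and the `!ml` suffix marks a machine-learning verdict rather than a signature match, which is why there is no "trojan file" to find). The build path and the MpCmdRun location lookup are my assumptions, not facts from the thread.

```powershell
# Added example, not code from the dwm_lut project. Reproduces Defender's verdict on a
# freshly built binary and records exactly what Defender reported, so a false-positive
# report to Microsoft can carry the SHA256 and the full detection name.
[CmdletBinding()]
param(
    # Assumed build output location; not a path from the project. Adjust for your tree.
    [string]$Binary = 'C:\src\dwm_lut\DwmLutGUI\bin\Release\DwmLutGUI.exe'
)

function Get-MpCmdRunPath {
    # Assumption: newer Defender platform builds live under ProgramData\...\Platform\<version>;
    # the Program Files copy is the fallback on older installs.
    $platform = Join-Path $env:ProgramData 'Microsoft\Windows Defender\Platform'
    $latest = Get-ChildItem -Path $platform -Directory -ErrorAction SilentlyContinue |
        Sort-Object Name -Descending | Select-Object -First 1
    if ($latest) {
        $candidate = Join-Path $latest.FullName 'MpCmdRun.exe'
        if (Test-Path $candidate) { return $candidate }
    }
    return Join-Path $env:ProgramFiles 'Windows Defender\MpCmdRun.exe'
}

function ConvertFrom-DefenderThreatName {
    # Defender names follow Type:Platform/Family.Variant!Suffix, e.g. Trojan:Win32/Wacatac.B!ml.
    param([Parameter(Mandatory)][string]$Name)
    if ($Name -match '^(?<Type>[^:]+):(?<Platform>[^/]+)/(?<Family>[^.!]+)(?:\.(?<Variant>[^!]+))?(?:!(?<Suffix>.+))?$') {
        return [pscustomobject]@{
            Type     = $Matches.Type
            Platform = $Matches.Platform
            Family   = $Matches.Family
            Variant  = $Matches.Variant
            Suffix   = $Matches.Suffix   # 'ml' = machine-learning classifier verdict, not a hand-written signature
        }
    }
    throw "Unrecognised threat name format: $Name"
}

if (Test-Path $Binary) {
    $hash = (Get-FileHash -Algorithm SHA256 -Path $Binary).Hash
    Write-Host "SHA256 $hash  $Binary"
    # ScanType 3 = custom scan of the given file. Exit code 0 = clean, 2 = threat found.
    & (Get-MpCmdRunPath) -Scan -ScanType 3 -File $Binary | Out-Host
    Write-Host "MpCmdRun exit code: $LASTEXITCODE"
} else {
    Write-Warning "$Binary is missing; real-time protection may already have quarantined it."
}

# Defender's own record of detections on that file name, newest first.
Get-MpThreatDetection |
    Where-Object { $_.Resources -match [regex]::Escape((Split-Path $Binary -Leaf)) } |
    Sort-Object InitialDetectionTime -Descending |
    ForEach-Object {
        $threat = Get-MpThreat -ThreatID $_.ThreatID -ErrorAction SilentlyContinue
        $parsed = if ($threat) { ConvertFrom-DefenderThreatName $threat.ThreatName } else { $null }
        [pscustomobject]@{
            Detected = $_.InitialDetectionTime
            Name     = $threat.ThreatName
            Family   = $parsed.Family
            Suffix   = $parsed.Suffix
            Resource = ($_.Resources -join '; ')
        }
    } | Format-Table -AutoSize
```

Run it from an elevated PowerShell on the machine where the build was quarantined. If real-time protection removes the .exe before you can scan it, `MpCmdRun.exe -Restore -ListAll` lists what went into quarantine, and the `Get-MpThreatDetection` output still shows the path and detection name so the hash and name can go into the false-positive submission.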

After uploading the generated executable to VirusTotal, this is the result from the behavior tab:

| Tactic | Technique | Behaviour |
| --- | --- | --- |
| Execution (TA0002) | Native API (T1106) | .NET source code references suspicious native API functions |
| Execution (TA0002) | Command and Scripting Interpreter (T1059) | accept command line arguments |
| Privilege Escalation (TA0004) | Process Injection (T1055) | .NET source code contains process injector |
| Privilege Escalation (TA0004) | Process Injection (T1055) | write process memory |
| Defense Evasion (TA0005) | Process Injection (T1055) | .NET source code contains process injector |
| Defense Evasion (TA0005) | Virtualization/Sandbox Evasion (T1497) | Checks if the current process is being debugged |
| Defense Evasion (TA0005) | Disable or Modify Tools (T1562.001) | Creates guard pages, often used to prevent reverse engineering and debugging |
| Defense Evasion (TA0005) | Process Injection (T1055) | write process memory |
| Discovery (TA0007) | Process Discovery (T1057) | Queries a list of all running processes |
| Discovery (TA0007) | System Information Discovery (T1082) | Queries the cryptographic machine GUID |
| Discovery (TA0007) | System Information Discovery (T1082) | Reads software policies |
| Discovery (TA0007) | System Information Discovery (T1082) | Queries the volume information (name, serial number etc.) of a device |
| Discovery (TA0007) | Virtualization/Sandbox Evasion (T1497) | Checks if the current process is being debugged |
| Discovery (TA0007) | Security Software Discovery (T1518.001) | Checks if the current process is being debugged |
| Discovery (TA0007) | Security Software Discovery (T1518.001) | AV process strings found (often used to terminate AV products) |
| Discovery (TA0007) | Process Discovery (T1057) | find process by name |
| Discovery (TA0007) | File and Directory Discovery (T1083) | check if directory exists |
| Discovery (TA0007) | File and Directory Discovery (T1083) | check if file exists |

activedecay avatar Feb 14 '23 19:02 activedecay

By inspection, the code seems OK. I'm just curious why some virus scans detect it as a trojan.

cheers! :)

activedecay avatar Feb 14 '23 19:02 activedecay
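Added example, not code from the dwm_lut project or from anyone in this thread. The VirusTotal behaviour list above says what the sandbox saw but not which build artefact does it; this script scans every .exe and .dll in the build output for the API names and strings those heuristics typically key on (P/Invoke and PE import names are ASCII in the binary, managed string literals are UTF-16LE), so a behaviour such as "write process memory" can be pinned to DwmLutGUI.exe itself, a shipped DLL, or a vcpkg dependency. The marker-to-behaviour mapping, the build directory and the sample AV process names are my assumptions.

```powershell
# Added example, not code from the dwm_lut project. Maps each VirusTotal behaviour
# flag (as pasted in the issue) to the imports/strings that usually trigger it and
# reports which build artefact contains them.
[CmdletBinding()]
param(
    # Assumed build output location; not a path from the project. Adjust for your tree.
    [string]$BuildDir = 'C:\src\dwm_lut\DwmLutGUI\bin\Release'
)

# Assumption: these are the API names / strings the sandbox heuristics key on.
$Markers = [ordered]@{
    'write process memory / .NET process injector'                  = 'OpenProcess','VirtualAllocEx','WriteProcessMemory','CreateRemoteThread','NtWriteVirtualMemory'
    'checks if the current process is being debugged'               = 'IsDebuggerPresent','CheckRemoteDebuggerPresent','NtQueryInformationProcess'
    'creates guard pages'                                           = 'VirtualProtect','VirtualProtectEx'
    'queries a list of all running processes / find process by name' = 'CreateToolhelp32Snapshot','Process32First','EnumProcesses','GetProcessesByName','GetProcesses'
    'queries the cryptographic machine GUID'                        = 'MachineGuid','SOFTWARE\Microsoft\Cryptography'
    'reads software policies'                                       = 'SOFTWARE\Policies'
    'queries the volume information'                                = 'GetVolumeInformation'
    'accept command line arguments'                                 = 'GetCommandLine','GetCommandLineArgs'
    'AV process strings found'                                      = 'MsMpEng','avp.exe','avgnt.exe'   # constructed sample, not VT's list
}

function Get-BinaryStrings {
    # Printable runs of 6+ characters, decoded both as ASCII (PE imports, .NET metadata
    # names) and as UTF-16LE (managed string literals in the #US heap).
    param([Parameter(Mandatory)][string]$Path)
    $bytes = [System.IO.File]::ReadAllBytes($Path)
    $ascii = [System.Text.Encoding]::ASCII.GetString($bytes)
    $utf16 = [System.Text.Encoding]::Unicode.GetString($bytes)
    foreach ($text in $ascii, $utf16) {
        foreach ($m in [regex]::Matches($text, '[\x20-\x7E]{6,}')) { $m.Value }
    }
}

function Find-BehaviourMarkers {
    # One row per (file, behaviour) with the markers that were actually present.
    param([Parameter(Mandatory)][string]$Path)
    $strings = @(Get-BinaryStrings -Path $Path)
    foreach ($behaviour in $Markers.Keys) {
        $hits = foreach ($marker in $Markers[$behaviour]) {
            if ($strings | Where-Object { $_.Contains($marker) } | Select-Object -First 1) { $marker }
        }
        if ($hits) {
            [pscustomobject]@{
                File      = Split-Path $Path -Leaf
                Behaviour = $behaviour
                Markers   = ($hits -join ', ')
            }
        }
    }
}

Get-ChildItem -Path $BuildDir -Recurse -Include *.exe,*.dll |
    ForEach-Object { Find-BehaviourMarkers -Path $_.FullName } |
    Sort-Object File, Behaviour |
    Format-Table -AutoSize -Wrap
```

A hit shows where an API is referenced, not that it is misused: a tool that has to write into another process legitimately needs OpenProcess and WriteProcessMemory, and a classifier that has seen those next to a debugger check and a process enumeration will score the file as an injector regardless of intent. The value of the table is evidence for the false-positive report (which artefact, which imports, and why each is needed), not a list of calls to strip. If real-time protection removes the .exe during the build, add the build directory as an exclusion on the developer machine only (`Add-MpPreference -ExclusionPath`) so the artefact survives long enough to be inspected and submitted.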