Beyond good ol’ Run key, Part 28

February 23, 2015 in Anti-Forensics, Autostart (Persistence), Compromise Detection, Forensic Analysis, Malware Analysis

I was curious whether any of the phantom DLLs I wrote about before still exist on Windows 10 TP. It turns out that they do, but fewer of them remain that could be leveraged as a persistence mechanism than on the older versions of the OS.

Here is the list of groups I found. Each group starts with the process name; where a DLL name follows it in parentheses, that DLL (rather than the process itself) is the one that attempts to load the phantom DLL.

%SYSTEM%\Dism.exe (WimProvider.DLL)
  • %SYSTEM%\Dism\wimgapi.dll
%SYSTEM%\Dism.exe
  • %SYSTEM%\DismCore.dll
%SYSTEM%\FileHistory.exe (clr.dll)
  • %WINDOWS%\Microsoft.NET\Framework\v4.0.30319\api-ms-win-core-winrt-l1-1-0.dll
  • %WINDOWS%\Microsoft.NET\Framework\v4.0.30319\mscoree.dll
  • %WINDOWS%\Microsoft.NET\Framework\v4.0.30319\ole32.dll
  • %WINDOWS%\Microsoft.NET\Framework\v4.0.30319\urlmon.dll
%SYSTEM%\mmc.exe (clr.dll)
  • %WINDOWS%\Microsoft.Net\assembly\GAC_32\mscorlib\v4.0_4.0.0.0__b77a5c561934e089\oleaut32.dll
  • %WINDOWS%\Microsoft.Net\assembly\GAC_32\mscorlib\v4.0_4.0.0.0__b77a5c561934e089\shell32.dll
  • %WINDOWS%\Microsoft.Net\assembly\GAC_MSIL\MIGUIControls\v4.0_1.0.0.0__31bf3856ad364e35\ntdll.dll
  • %WINDOWS%\Microsoft.Net\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\comctl32.dll
  • %WINDOWS%\Microsoft.Net\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\uxtheme.dll
  • %WINDOWS%\Microsoft.NET\Framework\v4.0.30319\api-ms-win-core-winrt-l1-1-0.dll
  • %WINDOWS%\Microsoft.NET\Framework\v4.0.30319\mscoree.dll
  • %WINDOWS%\Microsoft.NET\Framework\v4.0.30319\ole32.dll
  • %WINDOWS%\Microsoft.NET\Framework\v4.0.30319\VERSION.dll
%SYSTEM%\Narrator.exe (MSTTSEngine.DLL)
  • %SYSTEM%\speech\engines\tts\MSTTSLocEnUS.DLL (I have not explored it, but there is a possibility that on non-English Windows it would be a different localization DLL)
%SYSTEM%\omadmclient.exe
  • cmnet.dll
%SYSTEM%\PresentationHost.exe
  • %WINDOWS%\Microsoft.NET\Framework\v4.0.30319\WPF\PresentationHost_v0400.dll
%SYSTEM%\provtool.exe (ProvEngine.dll)
  • MvHelper.dll
%SYSTEM%\SearchIndexer.exe
  • %SYSTEM%\msfte.dll
  • %SYSTEM%\msTracer.dll
%SYSTEM%\SearchProtocolHost.exe
  • %SYSTEM%\msfte.dll
  • %SYSTEM%\msTracer.dll

Probably the most interesting are SearchIndexer.exe and SearchProtocolHost.exe, as they are running by default. Here is a screenshot capturing the moment when %SYSTEM%\msfte.dll is present on the system and the user types something in the Search Box.

[Screenshot: msfte]
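As an added example (not code from the original post), a small Python audit that walks the list above and reports any of these phantom DLL paths that actually exist on a host; none of them ship with a clean install, so every hit is worth a closer look. It assumes %SYSTEM% is System32 and, for the two bare names (cmnet.dll and MvHelper.dll), checks System32 only, which is a simplification of the loader's search order.

```python
import os
from pathlib import Path

# Phantom DLL paths from the list above (%SYSTEM% = System32, %WINDOWS% = Windows dir).
# cmnet.dll and MvHelper.dll have no path in the post; checking System32 is an assumption.
NET = r"%WINDOWS%\Microsoft.NET\Framework\v4.0.30319"
GAC = r"%WINDOWS%\Microsoft.Net\assembly"
PHANTOM_DLLS = {
    "Dism.exe": [r"%SYSTEM%\Dism\wimgapi.dll", r"%SYSTEM%\DismCore.dll"],
    "FileHistory.exe": [NET + r"\api-ms-win-core-winrt-l1-1-0.dll", NET + r"\mscoree.dll",
                        NET + r"\ole32.dll", NET + r"\urlmon.dll"],
    "mmc.exe": [GAC + r"\GAC_32\mscorlib\v4.0_4.0.0.0__b77a5c561934e089\oleaut32.dll",
                GAC + r"\GAC_32\mscorlib\v4.0_4.0.0.0__b77a5c561934e089\shell32.dll",
                GAC + r"\GAC_MSIL\MIGUIControls\v4.0_1.0.0.0__31bf3856ad364e35\ntdll.dll",
                GAC + r"\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\comctl32.dll",
                GAC + r"\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\uxtheme.dll",
                NET + r"\api-ms-win-core-winrt-l1-1-0.dll", NET + r"\mscoree.dll",
                NET + r"\ole32.dll", NET + r"\VERSION.dll"],
    "Narrator.exe": [r"%SYSTEM%\speech\engines\tts\MSTTSLocEnUS.DLL"],
    "omadmclient.exe": [r"%SYSTEM%\cmnet.dll"],
    "PresentationHost.exe": [NET + r"\WPF\PresentationHost_v0400.dll"],
    "provtool.exe": [r"%SYSTEM%\MvHelper.dll"],
    "SearchIndexer.exe": [r"%SYSTEM%\msfte.dll", r"%SYSTEM%\msTracer.dll"],
    "SearchProtocolHost.exe": [r"%SYSTEM%\msfte.dll", r"%SYSTEM%\msTracer.dll"],
}

def expand(entry, windows_root, system_root):
    """Map a %SYSTEM%/%WINDOWS% entry onto a concrete directory tree."""
    for token, root in (("%SYSTEM%", system_root), ("%WINDOWS%", windows_root)):
        if entry.startswith(token):
            rel = entry[len(token):].lstrip("\\")
            return Path(root).joinpath(*rel.split("\\"))
    raise ValueError(f"unknown placeholder in {entry!r}")

def find_present(windows_root=None, system_root=None):
    """Return [(process, path)] for every listed phantom DLL that actually exists.
    None ship with a clean install, so each hit deserves review (signature, timestamps)."""
    windows_root = windows_root or os.environ.get("SystemRoot", r"C:\Windows")
    system_root = system_root or os.path.join(windows_root, "System32")
    hits = []
    for process, entries in PHANTOM_DLLS.items():
        for entry in entries:
            path = expand(entry, windows_root, system_root)
            if path.is_file():
                hits.append((process, str(path)))
    return hits

if __name__ == "__main__":
    for process, path in find_present():
        print(f"{process}: unexpected DLL present at {path}")
```

Run it with no arguments on the host being reviewed; an empty result is the expected state, and a file at one of these paths should be checked for a valid publisher signature and for when and by what it was written.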
