0 Votes
JohnEskew asked, JohnEskew commented

Windows Defender identifying my program as multiple trojans (“Wacatac” & “Persistence”) - presumably caused by overwriting a Registry Key

The 2 trojans:

  • Wacatac.G!ml

  • Persistence.G!ml

Here's the code that I believe is causing the issue. The purpose is to create/modify a registry key to make the program run on startup:

// Includes the original snippet omitted; 'string' and 'to_string' come from <string>.
#include <string>
#include <stdexcept>
#include <windows.h>

using std::string;
using std::to_string;

void CSoftwareDlg::SetSURegValue(string regValue) {

    string regSubKey("SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run\\");
    string regValueName = "Software";
    DEBUG_PRINT(regValue)

    try
    {
        // Byte count for a REG_SZ value: every character plus the terminating NUL.
        auto cbData = static_cast<DWORD>((regValue.size() + 1) * sizeof(char));
        HKEY hKey = nullptr;
        DWORD position = 0; // Initialised so it is never read before RegCreateKeyEx sets it.

        // The explicit 'A' variants match the narrow std::string buffers regardless of
        // whether the project is built with UNICODE defined. KEY_SET_VALUE is all that is
        // needed to write a value; KEY_ALL_ACCESS is kept from the original.
        auto rc = RegCreateKeyExA(HKEY_CURRENT_USER, regSubKey.c_str(), 0, NULL, REG_OPTION_NON_VOLATILE, KEY_ALL_ACCESS, NULL, &hKey, &position);
        if (rc != ERROR_SUCCESS) {
            // Check rc first: 'position' is only meaningful when the call succeeded.
            throw std::runtime_error("RegCreateKeyEx failed, Windows system error code: " + to_string(rc));
        }

        if (position == REG_OPENED_EXISTING_KEY) {
            DEBUG_PRINT("Key already exists & has been opened.")
        }
        else if (position == REG_CREATED_NEW_KEY) {
            DEBUG_PRINT("Created new key.")
        }

        // RegSetValueEx overwrites an existing value in place; no prior delete is needed.
        rc = RegSetValueExA(hKey, regValueName.c_str(), 0, REG_SZ, reinterpret_cast<const BYTE*>(regValue.c_str()), cbData);
        RegCloseKey(hKey); // The original never released the key handle.
        if (rc != ERROR_SUCCESS) {
            throw std::runtime_error("RegSetValueEx failed, Windows system error code: " + to_string(rc));
        }
    }
    catch (std::exception& e)
    {
        DEBUG_PRINT(e.what())
    }
}


In my attempts to solve this issue I began testing different scenarios of creating/modifying the key, but my results became inconclusive when I realized that Windows Defender had seemingly stopped logging each run as "new threats" and seemed to log them together as a single "permanent threat" I guess? Not really sure.

With that said, Windows Defender did not seem to log the threat when I would initially create the key or when I would open it and assign it the same value, but did appear to log the threat when I would move the program to a new directory (and the program would attempt to change the value of the "Software" registry value to the new EXE location).

That's left me with several questions:

  • Does my program mimic the behavior of the 2 trojans through some coding mistake?

  • Or do I have some latent, opportunistic piece of malware on my machine that's just been waiting to take advantage?

  • Is deleting the existing value necessary before attempting to change it? The behavior of RegCreateKeyEx leads me to believe this is not the case.

  • Is writing to the registry without elevated permissions a no-no? If so... why does my machine let me do it?

  • Am I doing some incorrect type conversion in the RegSetValueEx() function?

If #4 is the case, I guess I'm just really surprised that I was notified by Windows Defender and not Visual Studio or a UAC prompt.

Also: No engines on VirusTotal.com detected the file as malware.


windows-api c++ windows-10-security
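A defender-side look at the same autostart location, added here as an example (it is not code from the thread or from SysLat): a PowerShell script that lists every value under the HKCU and HKLM Run/RunOnce keys, resolves the executable each one launches, and reports the traits a persistence heuristic weighs, namely an executable living outside Program Files or the Windows directory (a Downloads or Documents path, as in the question) and the absence of an Authenticode signature. The key list and the set of "trusted roots" are assumptions chosen for this example.

```powershell
# Added example, not from the thread: audit autostart "Run" entries the way a
# defender would, to see why an entry pointing at Downloads\ or Documents\
# looks different from an installed program to a persistence heuristic.

# Autostart locations checked here (an assumption for this example; Windows has more).
$RunKeys = @(
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce'
)

# Folders where an installed program is normally expected to live.
$TrustedRoots = @($env:ProgramFiles, ${env:ProgramFiles(x86)}, $env:windir) |
    Where-Object { $_ } |
    ForEach-Object { $_.TrimEnd('\') }

function Get-ExecutableFromCommand {
    param([string]$Command)
    # A Run value holds a command line, either "C:\path with spaces\app.exe" args
    # or C:\path\app.exe args. Return only the executable path.
    if ($Command -match '^\s*"([^"]+)"') { return $Matches[1] }
    return ($Command -split '\s+', 2)[0]
}

function Get-RunEntryReport {
    foreach ($key in $RunKeys) {
        if (-not (Test-Path -Path $key)) { continue }
        $props = Get-ItemProperty -Path $key
        foreach ($p in $props.PSObject.Properties) {
            # Skip the PSPath/PSParentPath/... metadata the registry provider adds.
            if ($p.Name -like 'PS*') { continue }

            $exe      = Get-ExecutableFromCommand -Command ([string]$p.Value)
            $expanded = [Environment]::ExpandEnvironmentVariables($exe)

            $inTrustedRoot = $false
            foreach ($root in $TrustedRoots) {
                if ($expanded.StartsWith($root + '\', [StringComparison]::OrdinalIgnoreCase)) {
                    $inTrustedRoot = $true
                }
            }

            # Signature status of the target file: Valid, NotSigned, HashMismatch, ...
            $signature = if (Test-Path -LiteralPath $expanded) {
                (Get-AuthenticodeSignature -FilePath $expanded).Status
            } else {
                'FileMissing'
            }

            [pscustomobject]@{
                Key               = $key
                ValueName         = $p.Name
                Executable        = $expanded
                Signature         = $signature
                OutsideTrustedDir = -not $inTrustedRoot
            }
        }
    }
}

# Entries that are both unsigned and outside Program Files / Windows are the ones
# worth a closer look; the "Software" value from the question would appear here
# with OutsideTrustedDir = True and Signature = NotSigned.
Get-RunEntryReport |
    Sort-Object OutsideTrustedDir -Descending |
    Format-Table -AutoSize
```

Run it in a normal (non-elevated) PowerShell session: HKCU entries are always readable, and reading HKLM\...\Run does not require administrator rights either. Comparing its output before and after moving the executable shows exactly the change the question describes, the same value name now pointing at a different unsigned file in a user-writable folder.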

1 Vote
JoyQiao-MSFT answered, JohnEskew commented

Hi,

Thank you for your reply.

"This has happened for me with the following 3 file locations"

As the executable file type is different from the file type defined for the Documents subfolder, could you try to check whether it occurs again in C:\Users\Username\AppData\Local or Roaming?

As you are preparing to use this script as a public source and apply it on multiple devices, I would also recommend submitting a file for analysis, as in my first reply.

As there is a dedicated forum for Windows Defender, try creating a thread there and check whether there are any developer-related resources for you.

Microsoft Security and Compliance

More resources for developers when an app is blocked by Defender:

Software developer FAQ

Bests,

============================================
If the Answer is helpful, please click "Accept Answer" and upvote it.
Note: Please follow the steps in our documentation to enable e-mail notifications if you want to receive the related email notification for this thread.



Thanks @JoyQiao-MSFT. Sorry for the slow reply. I've quit worrying about this issue to pursue bigger issues with the code.

I had already submitted a file for analysis but didn't reply to your original message, and it seems to have expired now. My apologies.
I've also now published the source code, and will post it in the future if necessary.

Thanks again for your assistance.

0 Votes
0 Votes
JoyQiao-MSFT answered, JoyQiao-MSFT converted comment to answer

Hi,

Does Syslet.exe run on a specific machine, or is it deployed to multiple computers?

If it runs on a specific machine or a few machines, we could add an exclusion to Windows Security, so that you can stop Windows Security from alerting you or blocking the program.

If you deployed it to multiple computers and will continue to use it, we should Submit a file for malware analysis to check whether the code modifies any important system files that cause it to be flagged as a trojan.

By the way, as far as I know, there is no problem with your code, but for a professional analysis I also recommend using the analysis website above.

Here is a thread with an issue similar to yours; the replies under it might be useful for you.

Windows Defender flagged my C++ Program as Trojan

Bests,


Hello @JoyQiao-MSFT,

Thanks for responding. SysLat.exe is built on my personal Windows 10 machine, but will be released as an open source project in the very near future, and will be run as a facilitator program for a commercial USB device I'm creating. I'd like it to be able to run on as many versions of Windows as possible.

FYI, this issue appears to be occurring specifically when I move the executable and try to run it from that new location (meaning that it attempts to update the "startup registry" value with the new location of the executable).

0 Votes

Hi,

Do you mean the issue occurs after changing the executable file location?
Would you provide the paths of the old location and the new location?

Bests,

0 Votes

I get the Windows Defender alert when I run it from any second location after it's already created the registry value. If I delete the registry value and then run it from the new location, the Windows Defender alert doesn't appear to happen.

This has happened for me with the following 3 file locations (bidirectionally from each directory):
"D:\Users\Skewb\Downloads\SysLat.exe"
"D:\Users\Skewb\Documents\repos\SysLat_Software\Release\SysLat.exe"
"D:\Users\Skewb\Documents\repos\SysLat_Software\Debug\SysLat.exe"

0 Votes