DEPLOYLOG

Description

(Cybereason) DEPLOYLOG (dbghelp.dll) is a 64-bit DLL with two purposes:

• The first is to extract and execute the attackers' rootkit, dubbed WINNKIT, from the CLFS log file.
• After a successful deployment of the WINNKIT rootkit, DEPLOYLOG switches to its second task: communicating with both the remote C2 and the kernel-level rootkit.

To evade detection, the attackers deployed DEPLOYLOG under the name dbghelp.dll, a generic and widely used library name chosen so the file masquerades as a legitimate Windows component, and placed it in the same directory as PRIVATELOG (C:\Windows\System32\WindowsPowerShell\v1.0).
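A practical check that follows from the masquerading detail above, written here as an added example rather than code from the Cybereason report: look for a dbghelp.dll in the PowerShell v1.0 directory, inspect its Authenticode signature, and compare its hash with the copy in System32. The path of the genuine dbghelp.dll (C:\Windows\System32\dbghelp.dll) and the expectation that a clean host has no copy in the PowerShell directory are assumptions made for this example.

```powershell
# Added hunt script (not from the Cybereason report). Flags a dbghelp.dll
# planted in the PowerShell directory and checks whether it is a genuine,
# Microsoft-signed copy. Directory taken from the description above; the
# System32 reference path is an assumption for this example.
$suspectDir = 'C:\Windows\System32\WindowsPowerShell\v1.0'
$suspect    = Join-Path $suspectDir 'dbghelp.dll'
$reference  = 'C:\Windows\System32\dbghelp.dll'   # assumed legitimate location

if (-not (Test-Path $suspect)) {
    Write-Output "No dbghelp.dll in $suspectDir (expected on a clean host)."
    return
}

# Signature and hash of the suspect file
$sig  = Get-AuthenticodeSignature -FilePath $suspect
$hash = (Get-FileHash -Algorithm SHA256 -Path $suspect).Hash

# Hash of the reference copy, if present
$refHash = $null
if (Test-Path $reference) {
    $refHash = (Get-FileHash -Algorithm SHA256 -Path $reference).Hash
}

$findings = [ordered]@{
    Path            = $suspect
    SignatureStatus = $sig.Status
    Signer          = $sig.SignerCertificate.Subject
    SHA256          = $hash
    MatchesSystem32 = ($null -ne $refHash -and $hash -eq $refHash)
}
[pscustomobject]$findings

# Any dbghelp.dll in this directory is already worth a look; an unsigned or
# non-Microsoft-signed copy whose hash differs from the System32 one should
# be collected and triaged as a possible DEPLOYLOG loader.
if ($sig.Status -ne 'Valid' -or
    $sig.SignerCertificate.Subject -notmatch 'Microsoft' -or
    -not $findings.MatchesSystem32) {
    Write-Warning "Suspicious dbghelp.dll: possible DEPLOYLOG loader at $suspect"
}
```

Run it from an elevated PowerShell session so the file and its signature can be read; a positive hit should be followed by acquiring the DLL and, per the description above, the CLFS log file it reads the WINNKIT payload from.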

Names

Name
DEPLOYLOG

Category

Malware

Type

  • Loader

Information

Other Information

Uuid

c8cfd354-2ba8-4668-bd5b-73cf20816f26

Last Card Change

2022-07-19