AuKill: A Silent EDR Killer Malware

Mohitrajai
May 28, 2023


Executive Summary

SHA256 hashes

1934b4641ca540ac4fd39c37e6f8b6878ddf111b5c8eb2de26c842cb6bd7b9b8

08a248de098e0f9edec425ce37d13c827eaf4c54c93182f4ddf1c5b3801cf540

MD5 hashes

42bc883e7a31b011d2687eba178c2525

811bd70aa6d099716b49794870c07b7d

What is AuKill Malware?

AuKill is a new defence-evasion tool with the capability to disable EDR and endpoint security solutions. It does so by abusing an older version of Process Explorer, a genuine Microsoft Sysinternals tool.

Using this utility, AuKill first disables security solutions such as EDR and antivirus; once they are disabled, it deploys either a backdoor or ransomware on the target system.

After the EDR and endpoint security solutions are disabled, it deploys MedusaLocker and LockBit ransomware.

AuKill itself is a tool that falls into the Bring Your Own Vulnerable Driver (BYOVD) category.

What is Bring Your Own Vulnerable Driver?

BYOVD is an attack technique in which threat actors install a legitimate but vulnerable driver on a target machine. The vulnerable driver is then exploited to elevate privileges or execute code on the target system.

How Does AuKill Malware Work?

As noted above, AuKill abuses the vulnerable Process Explorer driver because, like other drivers, it has privileged access on the systems where it is installed and can interact with and terminate running processes.

In Microsoft Windows, drivers are low-level system components that can access critical security structures in kernel memory. Windows has a feature enabled by default called Driver Signature Enforcement, which ensures that kernel-mode drivers have been signed by a valid code-signing authority before Windows will permit them to run. This signature serves as a sign of trust, verifying the identity of the software and protecting the user's system.

Attackers take advantage of a driver that was both created and signed by Microsoft: the Process Explorer driver is part of the Microsoft Sysinternals suite of administration tools, so it passes Driver Signature Enforcement.

To do this, AuKill drops a driver named PROCEXP.SYS into the C:\Windows\System32\drivers directory. The legitimate Process Explorer driver is named PROCEXP152.sys and is normally found in the same location.

Technical Analysis:

I put the sample in pestudio, which first showed several malicious indicators. The manifest file requests administrator-level privileges.

There are embedded files in this executable, which is packed.

This AuKill version uses the Windows APIs shown above for malicious purposes: they give it the rights to create services, terminate services, and so on.

It also has the capability to create and change registry values.

Moving on to the Strings tab, I found some interesting strings.

TerminateProcess is basically used to stop the EDR process for the backdoor.

Among the strings, it uses the Windows Shell API functions.

In the manifest section it requests administrator privileges.

Next I used the FLOSS tool to extract further useful strings, and I found the URL www.sysinternals.com, which might be used to download the vulnerable Process Explorer.

I also found artifacts showing where the vulnerable Process Explorer was downloaded and executed.
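The string-triage step described above (pestudio strings, then FLOSS) can be scripted. The block below is an added example and is not code from the original write-up: it pulls ASCII and UTF-16LE strings out of a byte blob and matches them against the indicators the write-up names (the www.sysinternals.com URL, the dropped PROCEXP.SYS driver name, the ProcExp64 service name, a manifest that requires administrator, the TerminateProcess API). The indicator categories and the sample bytes are constructed for the demo; the bytes are not the real AuKill binary.

```python
"""Added example: minimal strings-based triage of a PE-like byte blob.
Not part of the original write-up; the SAMPLE bytes are constructed."""
import re

# Indicator strings taken from the write-up; the category text on the
# right is this example's own labelling.
INDICATORS = {
    r"www\.sysinternals\.com": "download of Sysinternals tooling",
    r"PROCEXP\.SYS": "dropped driver name (legit file is PROCEXP152.sys)",
    r"ProcExp64": "service name used to load the driver",
    r"requireAdministrator": "manifest requests admin privileges",
    r"TerminateProcess": "process termination API",
    r"System32\\drivers": "reference to the kernel driver directory",
}

# Runs of at least four printable characters, narrow and wide.
_ASCII = re.compile(rb"[\x20-\x7e]{4,}")
_WIDE = re.compile(rb"(?:[\x20-\x7e]\x00){4,}")


def extract_strings(blob: bytes) -> list[str]:
    """Return printable ASCII and UTF-16LE strings found in blob."""
    found = [m.group().decode("ascii") for m in _ASCII.finditer(blob)]
    found += [m.group().decode("utf-16-le") for m in _WIDE.finditer(blob)]
    return found


def triage(blob: bytes) -> dict[str, list[str]]:
    """Map each matched indicator category to the strings that hit it."""
    hits: dict[str, set[str]] = {}
    for s in extract_strings(blob):
        for pattern, meaning in INDICATORS.items():
            if re.search(pattern, s, re.IGNORECASE):
                hits.setdefault(meaning, set()).add(s)
    return {k: sorted(v) for k, v in hits.items()}


# Constructed stand-in for a packed executable: a PE magic, some noise,
# one ASCII URL, one wide driver path, two API names, a service name and
# an embedded manifest fragment.
SAMPLE = (
    b"MZ\x90\x00" + b"\x00" * 16
    + b"www.sysinternals.com\x00"
    + b"\x01\x02"
    + "C:\\Windows\\System32\\drivers\\PROCEXP.SYS".encode("utf-16-le")
    + b"\x00\x00"
    + b"TerminateProcess\x00CreateServiceW\x00ProcExp64\x00"
    + b'<requestedExecutionLevel level="requireAdministrator"/>'
)

if __name__ == "__main__":
    for meaning, strings in triage(SAMPLE).items():
        print(f"[{meaning}]")
        for s in strings:
            print("   ", s)
```

The wide-string pass matters here: the driver path in the constructed sample is stored as UTF-16LE, so a plain ASCII `strings` run would miss it, which is exactly the gap FLOSS-style extraction closes.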

I then used the CAPA tool, which can automatically identify malware capabilities. Its results are below.

It found several capabilities, such as boot or auto-start execution and create or modify system processes.

When I ran the sample, I observed that it tried to check for Windows services related to Sophos EDR. In this case the service was not present, so the result was "not found".

It then opens the BAM (Background Activity Moderator) registry key for user settings.

It then opens the User Shell Folders key, where the locations of user-specific data are stored. In Windows, the User Shell Folders hold the user's startup data, recently accessed data, history, etc.

VirusTotal results.

Indicators of Compromise:

MD5: 42bc883e7a31b011d2687eba178c2525

811bd70aa6d099716b49794870c07b7d

SHA-256: 1934b4641ca540ac4fd39c37e6f8b6878ddf111b5c8eb2de26c842cb6bd7b9b8

08a248de098e0f9edec425ce37d13c827eaf4c54c93182f4ddf1c5b3801cf540

Registry Keys:

HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\ProcExp64\ErrorControl
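The behaviour described in the "How Does AuKill Malware Work?" section, together with the service key listed above, can be turned into host-detection logic. The block below is an added example and is not code from the original write-up: it applies three rules to simplified Windows event records, namely a service installed with the ProcExp64 name or with an image path naming PROCEXP.SYS rather than the legitimate PROCEXP152.sys (System log, Event ID 7045), a driver load of that file (Sysmon Event ID 6), and a write under the ProcExp64 service key (Sysmon Event ID 13). The event IDs are the standard Windows and Sysmon ones; the field names and the EVENTS records are this example's own constructed rendering, not real telemetry, and the signer value on the driver-load record is constructed to show that the abused driver carries a valid signature.

```python
"""Added example: BYOVD detection rules for the AuKill pattern, run over
constructed event records. Not part of the original write-up."""
import re
from dataclasses import dataclass

# Names from the write-up: the dropped driver, the legitimate driver it
# mimics, and the service name seen in the registry IoC.
DROPPED_DRIVER = "procexp.sys"
LEGIT_DRIVER = "procexp152.sys"
SERVICE_NAME = "procexp64"
SERVICE_KEY = re.compile(r"\\services\\procexp64(\\|$)", re.IGNORECASE)


@dataclass
class Finding:
    event_id: int
    rule: str
    detail: str


def _basename(path: str) -> str:
    """Last path component, case-folded, tolerant of either slash style."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def check_event(ev: dict) -> list[Finding]:
    """Apply the three BYOVD rules to one simplified event record."""
    eid = ev.get("EventID")
    out: list[Finding] = []
    if eid == 7045:  # System log: a service was installed
        svc = ev.get("ServiceName", "")
        image = ev.get("ImagePath", "")
        if svc.lower() == SERVICE_NAME:
            out.append(Finding(eid, "procexp64-service-installed",
                               f"service {svc} -> {image}"))
        elif _basename(image) == DROPPED_DRIVER:
            out.append(Finding(eid, "procexp-driver-service-installed",
                               f"service {svc} loads {image} "
                               f"(legitimate file is {LEGIT_DRIVER})"))
    elif eid == 6:  # Sysmon: driver loaded
        image = ev.get("ImageLoaded", "")
        if _basename(image) == DROPPED_DRIVER:
            # The signature is still valid: BYOVD abuses a genuinely signed
            # driver, so a signature check alone will not catch this.
            out.append(Finding(eid, "procexp-driver-loaded",
                               f"{image} signed={ev.get('Signed')} "
                               f"signer={ev.get('Signature')}"))
    elif eid == 13:  # Sysmon: registry value set
        target = ev.get("TargetObject", "")
        if SERVICE_KEY.search(target):
            out.append(Finding(eid, "procexp64-service-key-written",
                               f"{ev.get('Image')} wrote {target}"))
    return out


def detect(events) -> list[Finding]:
    """Run check_event over a sequence of records and collect findings."""
    findings: list[Finding] = []
    for ev in events:
        findings.extend(check_event(ev))
    return findings


# Constructed records (field names simplified). The second and fifth are
# benign controls: the real Process Explorer driver and a Spooler change.
EVENTS = [
    {"EventID": 7045, "ServiceName": "ProcExp64",
     "ImagePath": r"C:\Windows\System32\drivers\PROCEXP.SYS"},
    {"EventID": 7045, "ServiceName": "PROCEXP152",
     "ImagePath": r"C:\Windows\System32\drivers\PROCEXP152.sys"},
    {"EventID": 6, "ImageLoaded": r"C:\Windows\System32\drivers\PROCEXP.SYS",
     "Signed": "true", "Signature": "Microsoft Corporation"},
    {"EventID": 13, "Image": r"C:\Users\labuser\Desktop\sample.exe",
     "TargetObject": r"HKLM\SYSTEM\ControlSet001\Services\ProcExp64\ErrorControl"},
    {"EventID": 13, "Image": r"C:\Windows\System32\services.exe",
     "TargetObject": r"HKLM\SYSTEM\ControlSet001\Services\Spooler\Start"},
]

if __name__ == "__main__":
    for f in detect(EVENTS):
        print(f"EID {f.event_id:<5} {f.rule:<36} {f.detail}")
```

The filename rule is deliberately narrow: the legitimate PROCEXP152.sys is not flagged, because Process Explorer installs it on ordinary administrator workstations. What makes the dropped copy stand out is the old filename and the ProcExp64 service, not its signature.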
