persist via Windows service #1100
Description
sample:
https://www.virustotal.com/gui/file/41d097e47778252aec073666502f9ab7eda2e47c6800f529064128dff186f39d
verdict:
0x404427,persist via Windows service,FP,"Function modifies NetBT parameters (NetbiosOptions), does not create or modify a service binary path for persistence.","Verify registry value is ImagePath or StartType."
decompilation:
undefined4 __cdecl FUN_00404427(LPCSTR param_1,char *param_2)
{
char cVar1;
LSTATUS LVar2;
undefined4 uVar3;
HKEY local_410;
CHAR local_40c [1024];
BYTE local_c [8];
memset(local_40c,0,0x400);
lstrcpyA(local_40c,"SYSTEM\\CurrentControlSet\\Services\\NetBT\\Parameters\\Interfaces\\Tcpip_");
lstrcatA(local_40c,param_1);
LVar2 = RegOpenKeyExA((HKEY)0x80000002,local_40c,0,0x20006,&local_410);
if (LVar2 == 0) {
local_c[4] = '\x04';
local_c[5] = '\0';
local_c[6] = '\0';
local_c[7] = '\0';
cVar1 = *param_2;
if (cVar1 == '0') {
local_c[0] = '\0';
}
else if (cVar1 == '1') {
local_c[0] = '\x01';
}
else if (cVar1 == '2') {
local_c[0] = '\x02';
}
else {
local_c[0] = '\0';
}
local_c[1] = 0;
local_c[2] = 0;
local_c[3] = 0;
RegSetValueExA(local_410,"NetbiosOptions",0,4,local_c,4);
RegCloseKey(local_410);
uVar3 = 1;
}
else {
uVar3 = 0;
}
return uVar3;
}