In this post I am going to analyze a recent Rovnix dropper that is able to install its Bootkit component on x86 and x86-64 Windows OSes. The dropper contains at least two previously known exploits, which it uses to elevate its privileges on the system when it does not have enough permissions to access the VBR.
This post will cover:
- Environment info - Which information is sent by the dropper to the C&C server and where in the registry the dropper writes its configuration.
- Anti-Analysis - The techniques used by the dropper and the driver in order to detect sandboxes and to prevent the launching of analysis tools.
- Bootkit installation preparations - Which steps the dropper takes in order to make sure it will be able to install the Bootkit component.
- Payload - How the actual payload is installed in the system.
- Code and Module storage - How and where the dropper stores the files and shellcode that it uses throughout the installation process.