Date: 2025-10-03

Threat Classification: Backdoor / Remote Access Trojan (RAT)


1. Executive Summary

This report details the analysis of a sophisticated backdoor discovered on a Windows system. The malware, identified by its scheduled task name \Microsoft\Windows\Device Information\DeviceIvl, utilizes advanced techniques for persistence, command-and-control (C2) communication, and self-protection. The malware's primary function is to provide a remote attacker with arbitrary command execution capabilities on the infected system.

Due to the malware's advanced self-protection mechanisms, which involve modifying system permissions, removal from a live system was not possible. This report provides detailed instructions for manual removal in a recovery environment.

2. Technical Analysis

2.1. Persistence

The malware achieves persistence through two primary mechanisms:

2.2. Execution

The scheduled task executes the following PowerShell command:

$ExecutionContext.InvokeCommand.InvokeScript($env:934ff675)

This command retrieves the content of the environment variable 934ff675 and executes it as a PowerShell script. The environment variable is loaded from the registry value HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\Environment\934ff675, so it is set machine-wide at boot without any on-disk script file.

2.3. Decryption

The content of the environment variable is a PowerShell command that decrypts and executes the payload stored in HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CommsAPHost\934ff675. The decryption is performed using the AES algorithm with a hardcoded key and initialization vector (IV).
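
The following read-only triage script checks a host for the three artifacts described in sections 2.2 and 2.3 (the scheduled task, the registry-backed environment variable, and the encrypted payload value). It is an added example, not part of the report, and assumes PowerShell 5.1 or later in an elevated session; the task path, registry keys and value name are taken from the report, while the Deny-ACE check is an assumption based only on the report's statement that permissions were modified.

```powershell
# Read-only triage for the artifact chain this report describes. Run elevated.
# Task path, registry keys and value name are from the report; the Deny-ACE
# check is an assumption (the report says permissions were modified, not which).
$TaskPath   = '\Microsoft\Windows\Device Information\'
$TaskName   = 'DeviceIvl'
$EnvKey     = 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager\Environment'
$PayloadKey = 'HKLM:\SOFTWARE\Microsoft\CommsAPHost'
$ValueName  = '934ff675'
$findings   = New-Object System.Collections.Generic.List[object]

function Add-Finding($Artifact, $Location, $Detail) {
    $findings.Add([pscustomobject]@{ Artifact = $Artifact; Location = $Location; Detail = $Detail })
}
function Describe-Value($v) {
    if ($v -is [byte[]]) { "REG_BINARY, $($v.Length) bytes" } else { "$($v.GetType().Name), $("$v".Length) chars" }
}

# 1. The named task, plus any task whose action executes a script held in an
#    environment variable (the loader pattern from section 2.2).
foreach ($t in Get-ScheduledTask -ErrorAction SilentlyContinue) {
    foreach ($a in $t.Actions) {
        $cmd   = "$($a.Execute) $($a.Arguments)"
        $named = ($t.TaskPath -eq $TaskPath -and $t.TaskName -eq $TaskName)
        if ($named -or $cmd -match 'InvokeScript\(\s*\$env:') {
            Add-Finding 'ScheduledTask' "$($t.TaskPath)$($t.TaskName)" $cmd
        }
    }
}

# 2. Stage-1 script stored as a machine environment variable in the registry.
$stage1 = Get-ItemProperty -Path $EnvKey -Name $ValueName -ErrorAction SilentlyContinue
if ($stage1) { Add-Finding 'EnvVariable' "$EnvKey\$ValueName" (Describe-Value $stage1.$ValueName) }

# 3. Encrypted payload value, and Deny ACEs on either key (self-protection heuristic).
if (Test-Path $PayloadKey) {
    $payload = Get-ItemProperty -Path $PayloadKey -Name $ValueName -ErrorAction SilentlyContinue
    $detail  = if ($payload) { Describe-Value $payload.$ValueName } else { 'key present, value missing' }
    Add-Finding 'PayloadKey' "$PayloadKey\$ValueName" $detail
}
foreach ($key in @($EnvKey, $PayloadKey) | Where-Object { Test-Path $_ }) {
    $deny = (Get-Acl -Path $key).Access | Where-Object { $_.AccessControlType -eq 'Deny' }
    foreach ($d in $deny) { Add-Finding 'RegistryDenyACE' $key "$($d.IdentityReference): $($d.RegistryRights)" }
}

if ($findings.Count -gt 0) { $findings | Format-Table -AutoSize } else { 'No report artifacts found.' }
```

If the malware's permission changes deny reads to the current account, Get-ItemProperty fails silently while Get-Acl may still succeed, so a missing value finding next to a RegistryDenyACE finding should be treated as suspicious rather than clean; as the report notes, collection from a recovery environment is the reliable path.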

2.4. Decrypted Payload Analysis