SmartService Rootkit (and Trojan.Yelloader)

Post by Aura » Sat Apr 07, 2018 4:15 pm

That rootkit has been running rampant for a bit over a year now I would say. There's still no real technical write up of it, and the only articles about it can be found on BleepingComputer. ... -use-error ... -software/ ... ce-rootkit

SmartService prevents any security software from running: Antivirus, Antimalware, Firewall, you name it. You can get some programs to run, but they won't detect anything (it's a rootkit after all).


Code:

Multiple randomly named folders in %LocalAppData%, following this pattern:

C:\Windows\System32\drivers\$8_RAND_CHAR.sys (ie: wimbehlo.sys)
C:\Windows\System32\*******svc.exe (ie: msapibhsvc.exe)

IOCs from a FRST log: ... oval-help/

Code:

(TOSHIBA CORPORATION) C:\Windows\System32\msapibhsvc.exe
() C:\Users\netdisk\AppData\Local\wmcagent\wmcagent.exe
() C:\Users\netdisk\AppData\Local\upsciml\iacdkvb.exe
HKLM\SYSTEM\CurrentControlSet\Services\klgpmctx <==== ATTENTION (Rootkit!)
2018-03-23 14:38 - 2018-03-23 14:38 - 000145232 ____N C:\WINDOWS\system32\Drivers\wimbehlo.sys
2018-03-23 10:08 - 2018-03-23 10:09 - 000000000 ____D C:\Users\netdisk\AppData\Local\wmcagent
2018-03-09 11:55 - 2018-03-10 19:49 - 000000000 ____D C:\Users\netdisk\AppData\Local\pwnzghb
2018-02-26 18:00 - 2018-03-23 15:10 - 000000000 ____D C:\Users\netdisk\AppData\Local\upsciml
2018-02-26 18:00 - 2018-02-26 18:00 - 000000000 ____D C:\Users\netdisk\AppData\Local\cgkepoh
2018-02-26 17:58 - 2018-03-23 14:39 - 002888704 _____ (TOSHIBA CORPORATION) C:\WINDOWS\system32\msapibhsvc.exe
2018-02-26 17:58 - 2018-02-26 17:58 - 000000000 ____D C:\WINDOWS\SysWOW64\dwhkoea
2018-02-26 17:58 - 2018-02-26 17:58 - 000000000 ____D C:\WINDOWS\system32\dwhkoea
2018-02-26 17:58 - 2018-02-26 17:58 - 000000000 ____D C:\Users\netdisk\AppData\Roaming\et
C:\WINDOWS\system32\drivers\wimbehlo.sys -> Access Denied <======= ATTENTION
The driver gets renamed on every restart, but the first three letters of the driver filename always stay the same (so in the example I provided above, it'll be renamed to wim****.sys).

Note that SmartService is almost always delivered with Trojan.Yelloader (Malwarebytes definition), so some folders belong to it (the ones in %LocalAppData%, which contain a Chromium-based program used as a clicker).

Of all the threads I've worked on with this infection, I can almost never find a dropper for it. Though I'll keep an eye open and provide one if I can.

This being said, I'm just creating this thread to start a discussion about this rootkit, since there's not a lot of information about it and I think there should be, as the malware removal forums are flooded with SmartService infections.

I'm currently working on a few threads with SmartService and I'll grab fresh samples of all the files I listed above and attach them here. If there's anything specific you need, just let me know.

Edit: Just saw that Windows Defender is flagging SmartService as Trojan:Win64/Detrahere. The Technical information tab provides more information. ... /Detrahere
Last edited by Aura on Sat Apr 07, 2018 8:32 pm, edited 1 time in total.
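An added example, not from the post or from any tool mentioned in it: a small Python triage helper that applies the naming patterns Aura describes (8-letter .sys driver in drivers, *******svc.exe in system32, random 7-letter folders under %LocalAppData%, "Access Denied" on the driver, stable 3-letter prefix across renames) to FRST-style log lines. The letter counts and the sample log lines are assumptions modelled on the IOCs quoted above.

```python
import re

# Constructed FRST-style lines modelled on the IOCs quoted in the post (ndis.sys is a benign control).
SAMPLE_LOG = r"""
2018-03-23 14:38 - 2018-03-23 14:38 - 000145232 ____N C:\WINDOWS\system32\Drivers\wimbehlo.sys
2018-02-26 17:58 - 2018-03-23 14:39 - 002888704 _____ (TOSHIBA CORPORATION) C:\WINDOWS\system32\msapibhsvc.exe
2018-02-26 18:00 - 2018-03-23 15:10 - 000000000 ____D C:\Users\netdisk\AppData\Local\upsciml
2018-01-10 09:00 - 2018-01-10 09:00 - 000012345 _____ (Microsoft Corporation) C:\WINDOWS\system32\drivers\ndis.sys
C:\WINDOWS\system32\drivers\wimbehlo.sys -> Access Denied <======= ATTENTION
"""

# Naming heuristics taken from the post; the exact letter counts are assumptions
# derived from its examples (wimbehlo.sys = 8 letters, msapibhsvc.exe = 7 letters + "svc").
DRIVER_RE = re.compile(r"\\drivers\\[a-z]{8}\.sys$", re.IGNORECASE)
SVC_EXE_RE = re.compile(r"\\system32\\[a-z]{7}svc\.exe$", re.IGNORECASE)
LOCAL_DIR_RE = re.compile(r"\\AppData\\Local\\[a-z]{7}$", re.IGNORECASE)
ACCESS_DENIED_RE = re.compile(r"^(?P<path>\S+) -> Access Denied")
# FRST file entry layout: "<first seen> - <last write> - <size> <flags> [(company)] <path>"
FRST_ENTRY_RE = re.compile(
    r"^\d{4}-\d{2}-\d{2} \d{2}:\d{2} - \d{4}-\d{2}-\d{2} \d{2}:\d{2} - "
    r"(?P<size>\d+) (?P<flags>\S{5}) (?:\((?P<company>[^)]*)\) )?(?P<path>.+)$"
)

def triage_frst_line(line):
    """Return the list of SmartService/Yelloader naming patterns one FRST line matches."""
    line = line.strip()
    hits = []
    m = ACCESS_DENIED_RE.match(line)
    if m:  # the rootkit's driver typically cannot be read by the scanner
        hits.append("file unreadable (Access Denied)")
        path = m.group("path")
    else:
        m = FRST_ENTRY_RE.match(line)
        if not m:
            return hits
        path = m.group("path")
        # Yelloader drops randomly named folders under %LocalAppData% (____D = directory)
        if m.group("flags") == "____D" and LOCAL_DIR_RE.search(path):
            hits.append("random-looking folder in %LocalAppData%")
    if DRIVER_RE.search(path):
        hits.append("8-random-letter driver in system32 drivers folder")
    if SVC_EXE_RE.search(path):
        hits.append("*******svc.exe in system32")
    return hits

def same_driver_family(name_a, name_b):
    """The driver is renamed at each restart but keeps its first three letters."""
    a, b = name_a.lower(), name_b.lower()
    return a[:3] == b[:3] and a.endswith(".sys") and b.endswith(".sys") and len(a) == len(b) == 12
```

These are naming heuristics only; a legitimate 8-letter driver name will also match, so treat a hit as a reason to look at the file's signature and the service key, not as a verdict.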

Re: SmartService Rootkit (and Trojan.Yelloader)

Post by Aura » Sat Apr 07, 2018 8:23 pm

Alright, here are some samples for you guys.

redcxgb.exe: ... /detection (Trojan.Yelloader)

wmcagent.exe: ... /detection
wow_helper.exe: ... /detection

uprhcldsvc.exe: ... /detection

All these were located inside the C:\Windows\system32\$RAND_FOLDER
coihbpz.exe: ... /detection
coihbpz.sys: ... /detection
coihbpzdrv.sys: ... /detection

Apparently the user isn't able to get the main .sys driver (SmartService). Working with him to get it.

Also, here's a list of the whole FRST Quarantine I got from that system, if it gives you more insight. Be aware that there were other payloads on the system other than SmartService and Yelloader.

Usual password for the archive.

Edit: And we finally have the driver!

iahzcfim.sys: ... /detection