Antivirus Exclusions
Best Practices are to exclude the following default locations from active antivirus file scanning. Some locations may need to be changed slightly for your environment. Include the folders listed and any subfolders.
C:\Program Files (x86)\OpenDoor Software®\
C:\Program Files (x86)\DidItBetterSoftware
C:\Program Files\Microsoft SQL Server\
C:\Users\zadd2exchange\AppData -> Use your account name
C:\Zlibrary
Note that the OpenDoor Software path includes the registered trademark character in the folder name. Copying and pasting the exact path is recommended when creating antivirus exclusions.
The Add2Exchange Service and Add2Exchange Agent are very powerful programs. When run against antivirus detection programs, it often reports may "threats" which a normal program wouldn't do or have privileges to do. There are over 60 threat indicators, which are normal for this system.
Best Practices: Put the system in "learn mode" during updates, and/or whitelist the files when applicable.
Hiding/Stealthiness
- The majority of sections in this PE have high entropy, a sign of obfuscation or packing
- This binary may contain encrypted or compressed data as measured by high entropy of the sections (greater than 6.8)
- This binary tries to hide .NET information
Evasion
- File can check for sandbox username or hostname
- File references anti-VM strings targeting Xen
Execution
- File calls unmanaged code
- File can load XML in .NET
- File can load a .NET assembly
- File can invoke .NET assembly method
- File can generate method through reflection in .NET
- File can execute code through timer in .NET
- File can execute through asynchronous task in .NET
- File can decode data using Base64 in .NET
- File can terminate processes
- File can create processes on Windows
Credential Access
- File can retrieve the name of the current user session
Persistence
- File can set registry values
- File can set file attributes
- File can create or open registry keys
- File can write to files on Windows
- File can create directories
Discovery
- File can retrieve file attributes
- File can list files on Windows
- File can see if a specific file exists
- File can retrieve common file paths
- File can check for the existence of a mutex
- File can retrieve proxy settings
- File can find processes by name
- File can see if a directory exists
- File can see file extension through .NET
- File can access WMI data in .NET
- File can query or list registry values
- File can query or list registry keys
- File can find process by PID
- File can list running processes
- File can retrieve file version information
- File can query environment variables
- File can access .NET resources
- File can retrieve geographical location
Impact
- File can terminate process by name in .NET
General
- File can hash data using MD5
- File was compiled to the .NET platform
- File can decrypt data using RSA
- File can delete registry values
- File can delete registry keys
- File can delete directories
Defense Evasion
- File can encode data using Base64
- File can encrypt data using RSA
- File can allocate unmanaged memory in .NET
- File can encrypt data using AES through .NET
Collection
- File can save images in .NET
- File can find data using regex in .NET
- File can read files on Windows
- File contains SQL statements
Post Exploitation
- File can move directories
Exploitation
- File can manipulate unmanaged memory in .NET
Privilege Escalation
- File can acquire debug privileges