Windows Defender identifying my program as multiple trojans(“Wacatac” & “Persistence”) - presumably caused by overwriting a Registry Key

John Eskew 41 Reputation points
2021-01-25T21:05:01.86+00:00

The 2 trojans:

Wacatac.G!ml

wacatac

Persistence.G!ml

persistence

Here's the code that I believe is causing the issue. The purpose is to create/modify a registry key to make the program run on startup:

   void CSoftwareDlg::SetSURegValue(string regValue) {  
     
   	string regSubKey("SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run\\");  
   	string regValueName = "Software";  
   	DEBUG_PRINT(regValue)  
   		  
   	try  
   	{  
   		size_t bufferSize = 0xFFF; // If too small, will be resized down below.  
   		auto cbData = static_cast<DWORD>(regValue.size() * sizeof(char) + sizeof(char));  
   		HKEY hKey;  
   		DWORD position;  
   		  
   		auto rc = RegCreateKeyEx(HKEY_CURRENT_USER, regSubKey.c_str(), 0, NULL, REG_OPTION_NON_VOLATILE, KEY_ALL_ACCESS, NULL, &hKey, &position);  
   		if ((position == REG_OPENED_EXISTING_KEY || position == REG_CREATED_NEW_KEY) && rc == ERROR_SUCCESS) {  
   			if (position == REG_OPENED_EXISTING_KEY) {  
   				DEBUG_PRINT("Key already exists & has been opened.")  
   			}  
   			else if (position == REG_CREATED_NEW_KEY) {  
   				DEBUG_PRINT("Created new key.")  
   			}  
     
   			auto rc = RegSetValueEx(hKey, regValueName.c_str(), 0, REG_SZ, (BYTE*)regValue.data(), cbData);  
   			if (rc != ERROR_SUCCESS){  
   				throw std::runtime_error("Windows system error code: " + to_string(rc));  
   			}  
   		}  
   		else if(rc != ERROR_SUCCESS){  
   			DEBUG_PRINT("Error setting key.\n")  
   		}  
   		else {  
   			DEBUG_PRINT("UNKNOWN ERROR: Key does not exist, and a new key was not created.")  
   		}  
   	}  
   	catch (std::exception& e)  
   	{  
   		DEBUG_PRINT(e.what())  
   	}  
   }  

In my attempts to solve this issue I began testing different scenarios of creating/modifying the key, but my results became inconclusive when I realized that Windows Defender had seemingly stopped logging each run as "new threats" and seemed to log them together as a single "permeant threat" I guess? Not really sure.

With that said, Windows Defender did not seem to log the threat when I would initially create the key or when I would open it and assign it the same value, but did appear to log the threat when I would move the program to a new directory(and the program would attempt to change the value of the "Software" registry value to the new EXE location).

That's left me with several questions:

  • Does my program mimic the behavior of the 2 trojans through some coding mistake?
  • Or do I have some latent, opportunistic piece of malware on my machine that's just been waiting to take advantage?
  • Is deleting the existing value necessary before attempting to change it? The behavior of RegCreateKeyEx leads me to believe this is not the case.
  • Is writing to the registry without elevated permissions a no-no? If so... why does my machine let me do it?
  • Am I doing some incorrect type conversion in the RegSetValueEx() function?

If #4 is the case, I guess I'm just really surprised that I was notified by Windows Defender and not Visual Studio or a UAC prompt.

Also: No engines on VirusTotal.com detected the file as malware.

Windows API - Win32
Windows API - Win32
A core set of Windows application programming interfaces (APIs) for desktop and server applications. Previously known as Win32 API.
2,689 questions
C++
C++
A high-level, general-purpose programming language, created as an extension of the C programming language, that has object-oriented, generic, and functional features in addition to facilities for low-level memory manipulation.
3,787 questions
Windows 10 Security
Windows 10 Security
Windows 10: A Microsoft operating system that runs on personal computers and tablets.Security: The precautions taken to guard against crime, attack, sabotage, espionage, or another threat.
2,956 questions
0 comments No comments
{count} votes

Accepted answer
  1. Joy Qiao 4,901 Reputation points Microsoft Employee
    2021-01-29T02:16:39.043+00:00

    Hi,

    Thank you for your reply.

    "This has happened for me with the following 3 file locations"

    As the executable file type is different with defined file type in Document subfolder. Could you try to check if it occur again in C:\Users\Username\AppData\Local or roaming. Aos9

    As you prepare to use this script as a public source, and apply it on multiple devices, I would also recommend to submit a file for analysis in my first reply.

    As there is a special forum for Windows Defender, try to create a thread there and check if any develop related resources for you.

    Microsoft Security and Compliance

    More resource for developer when app blocked by defender.

    Software developer FAQ

    Bests,

    ============================================

    If the Answer is helpful, please click "Accept Answer" and upvote it.
    Note: Please follow the steps in our documentation to enable e-mail notifications if you want to receive the related email notification for this thread.

    1 person found this answer helpful.

1 additional answer

Sort by: Most helpful
  1. Joy Qiao 4,901 Reputation points Microsoft Employee
    2021-01-26T02:49:39.673+00:00

    Hi,

    Does the Syslet.exe run on a specific machine or deployed to multiple computers?

    If it runs on a specific machine, or few machines, we could add an exclusion to Windows Security, so that, you can stop Windows Security from alerting you or blocking the program.

    If you deployed to multiple computers and will use it proceed, we should Submit a file for malware analysis to check if those code has modify any important system files to cause them flagged as trojans.

    By the way, according to my know, I think there is no problem with your code, but for a professional analysis, I also recommend to use the upper analysis website.

    Here is a similar thread with your issue, might be those replies under that thread are useful for you.

    Windows Defender flagged my C++ Program as Trojan

    Bests,

    ============================================

    If the Answer is helpful, please click "Accept Answer" and upvote it.
    Note: Please follow the steps in our documentation to enable e-mail notifications if you want to receive the related email notification for this thread.


Your answer

Answers can be marked as Accepted Answers by the question author, which helps users to know the answer solved the author's problem.