The 2 trojans:
Wacatac.G!ml
Persistence.G!ml
Here's the code that I believe is causing the issue. The purpose is to create/modify a registry key to make the program run on startup:
    #include <windows.h>
    #include <stdexcept>
    #include <string>
    using std::string;
    using std::to_string;

    void CSoftwareDlg::SetSURegValue(string regValue) {
        // The trailing backslash is tolerated by the API but not needed.
        string regSubKey("SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run");
        string regValueName = "Software";
        DEBUG_PRINT(regValue)
        HKEY hKey = NULL;
        try
        {
            // REG_SZ data must include the terminating NUL in its byte count.
            auto cbData = static_cast<DWORD>((regValue.size() + 1) * sizeof(char));
            DWORD position = 0;
            // Explicit ANSI variants match the char-based std::string buffers regardless of UNICODE.
            // KEY_SET_VALUE is all this function needs; KEY_ALL_ACCESS was broader than necessary.
            auto rc = RegCreateKeyExA(HKEY_CURRENT_USER, regSubKey.c_str(), 0, NULL, REG_OPTION_NON_VOLATILE, KEY_SET_VALUE, NULL, &hKey, &position);
            // Check rc first: position is only meaningful when the call succeeded.
            if (rc != ERROR_SUCCESS) {
                throw std::runtime_error("RegCreateKeyEx failed, Windows system error code: " + to_string(rc));
            }
            if (position == REG_OPENED_EXISTING_KEY) {
                DEBUG_PRINT("Key already exists & has been opened.")
            }
            else if (position == REG_CREATED_NEW_KEY) {
                DEBUG_PRINT("Created new key.")
            }
            else {
                DEBUG_PRINT("UNKNOWN ERROR: Key does not exist, and a new key was not created.")
            }
            // RegSetValueEx overwrites an existing value of the same name in place.
            rc = RegSetValueExA(hKey, regValueName.c_str(), 0, REG_SZ, reinterpret_cast<const BYTE*>(regValue.c_str()), cbData);
            if (rc != ERROR_SUCCESS) {
                throw std::runtime_error("RegSetValueEx failed, Windows system error code: " + to_string(rc));
            }
        }
        catch (std::exception& e)
        {
            DEBUG_PRINT(e.what())
        }
        // The original never closed the key handle; release it on every path.
        if (hKey != NULL) {
            RegCloseKey(hKey);
        }
    }
In my attempts to solve this issue I began testing different scenarios of creating/modifying the key, but my results became inconclusive when I realized that Windows Defender had seemingly stopped logging each run as "new threats" and seemed to log them together as a single "permanent threat" I guess? Not really sure.
With that said, Windows Defender did not seem to log the threat when I would initially create the key or when I would open it and assign it the same value, but did appear to log the threat when I would move the program to a new directory (and the program would attempt to change the value of the "Software" registry value to the new EXE location).
That's left me with several questions:
- Does my program mimic the behavior of the 2 trojans through some coding mistake?
- Or do I have some latent, opportunistic piece of malware on my machine that's just been waiting to take advantage?
- Is deleting the existing value necessary before attempting to change it? The behavior of RegCreateKeyEx leads me to believe this is not the case.
- Is writing to the registry without elevated permissions a no-no? If so... why does my machine let me do it?
- Am I doing some incorrect type conversion in the RegSetValueEx() function?
If #4 is the case, I guess I'm just really surprised that I was notified by Windows Defender and not Visual Studio or a UAC prompt.
Also: No engines on VirusTotal.com detected the file as malware.
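An added example, not from the post or its author: a PowerShell audit of the same HKCU Run key the code above writes to, listing each value's target executable, whether that file still exists on disk, and its Authenticode status, so the state the "Software" value was left in after moving the EXE (and any other entries alongside it) can be inspected directly. The key path and the value name default to those in the post; the two helper functions are hypothetical names chosen for this example.

```powershell
# Audit HKCU Run entries. Defaults use the key path and value name from the post.
param(
    [string]$RunKey = 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    [string]$ExpectedName = 'Software'
)

function Get-RunEntryPath {
    # Run values are command lines: the executable is the quoted first token,
    # or everything up to the first whitespace. Environment variables are expanded.
    param([string]$Command)
    $cmd = [Environment]::ExpandEnvironmentVariables($Command.Trim())
    if ($cmd.StartsWith('"')) {
        $end = $cmd.IndexOf('"', 1)
        if ($end -gt 0) { return $cmd.Substring(1, $end - 1) }
    }
    return ($cmd -split '\s+', 2)[0]
}

function Get-RunKeyAudit {
    # Returns one object per value: name, value type, resolved executable,
    # whether it exists, its signature status, and whether it is the expected entry.
    param([string]$Key, [string]$Expected)
    $item = Get-Item -Path $Key -ErrorAction Stop
    foreach ($name in $item.GetValueNames()) {
        $raw  = $item.GetValue($name, $null, 'DoNotExpandEnvironmentNames')
        $kind = $item.GetValueKind($name)      # REG_SZ is the normal type here
        $exe  = Get-RunEntryPath -Command ([string]$raw)
        $exists = Test-Path -LiteralPath $exe -PathType Leaf
        $sig = if ($exists) { (Get-AuthenticodeSignature -FilePath $exe).Status } else { 'n/a' }
        [pscustomobject]@{
            Name       = $name
            Kind       = $kind
            Executable = $exe
            Exists     = $exists
            Signature  = $sig
            IsExpected = ($name -eq $Expected)
        }
    }
}

Get-RunKeyAudit -Key $RunKey -Expected $ExpectedName | Format-Table -AutoSize
```

Running this before and after relocating the EXE shows whether the entry was overwritten in place or left pointing at the old location, and surfaces any unexpected or unsigned entries that warrant a closer look.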