Discovery / credits: Malvuln - malvuln.com (c) 2021
Original source: https://malvuln.com/advisory/095651e1704b501123b41ea2e9736820.txt
Contact: malvuln13@gmail.com
Media: twitter.com/malvuln

Threat: Trojan.Win32.Agent.xaamkd
Vulnerability: Insecure Permissions 
Description: The malware creates an dir with insecure permissions under c:\ drive and grants change (C) permissions to the authenticated user group. Standard users can rename the executable dropped by the malware to disable it or replace it with their own executable. Then wait for a privileged user to logon to the infected machine to potentially escalate privileges.
Type: PE32
MD5: 095651e1704b501123b41ea2e9736820
Vuln ID: MVID-2021-0342
Disclosure: 09/20/2021


Exploit/PoC:
C:\>cacls SangClub
C:\SangClub BUILTIN\Administrators:(OI)(CI)(ID)F
            NT AUTHORITY\SYSTEM:(OI)(CI)(ID)F
            BUILTIN\Users:(OI)(CI)(ID)R
            NT AUTHORITY\Authenticated Users:(ID)C
            NT AUTHORITY\Authenticated Users:(OI)(CI)(IO)(ID)C

C:\>dir SangClub
 Volume in drive C has no label.

 Directory of C:\SangClub

03/17/2015  06:08 AM           172,032 AniGIF.ocx
11/06/2009  07:56 AM            34,882 audioplay.swf
01/16/2009  09:06 AM           566,272 bsFileClientSDK.dll
06/24/2018  02:06 AM           177,525 CandleFormation.SS7
06/24/2018  02:06 AM            39,164 CandleFormUsers.SS7
11/02/2007  01:36 AM         1,337,264 Codejock.Controls.v11.2.1.ocx
04/22/2012  10:01 PM         1,931,256 Codejock.Controls.v15.2.1.0423.ocx
07/05/2012  09:28 AM               103 CommInfo.ini
09/17/2021  08:07 PM    DIR          dat
06/15/2003  09:05 AM           133,632 DWEASY36.OCX
06/15/2003  09:02 AM           115,712 DWSBC36.OCX
10/26/2003  12:02 AM           145,920 DWSHK36.OCX
09/14/2003  04:30 PM            77,824 DWSPY36.dll
04/22/1999  09:50 AM            14,848 dwspy5.dll
10/13/1999  01:00 AM           122,880 dwspyvb6.dll
02/22/2007  05:27 AM           344,064 FLICapture.dll
04/22/2011  11:44 AM           335,872 fmtkit60.dll
08/17/1999  08:54 PM           180,224 ijl11.dll
09/17/2021  08:07 PM    DIR          Image
07/21/1998  11:00 AM            13,824 INETKO.DLL
05/28/2019  10:02 AM         3,565,736 JetSound.exe
05/28/2019  09:49 AM           751,464 LiveStart.exe
03/08/2004  10:00 AM           132,880 MSINET.OCX
06/01/2011  02:58 AM                27 Regcom.bat
03/22/2009  03:47 AM            10,000 regsvr32.exe
11/16/2016  07:44 AM           515,064 SabuStart.exe
05/28/2019  09:49 AM           128,872 SangCapture.exe
06/22/2019  11:57 PM        12,318,776 SangClub.exe
03/28/2008  12:44 AM           143,360 Sangcomm.dll
05/28/2019  09:50 AM         4,081,512 SangPlayer.exe
05/29/2019  12:27 AM             3,629 ScoreList.SS7
03/17/2015  06:08 AM            77,824 Shape.ocx
02/01/2007  08:51 AM           626,688 SKComdCM.dll
02/01/2007  08:51 AM            53,248 SKComdEM.dll
02/01/2007  08:51 AM           503,808 SKComdIF.dll
02/01/2007  08:51 AM            73,728 SKComdSC.dll
12/26/2006  09:30 PM            65,536 SKCommIC.dll
04/07/2007  05:08 AM            63,120 skcommtm.exe
11/26/2006  08:42 PM            28,672 SKCommWB.exe
09/17/2021  08:07 PM    DIR          Skins
01/20/2006  02:00 AM           223,232 sqlite3.dll
09/17/2021  08:07 PM    DIR          Sys
05/28/2019  09:50 AM         4,970,344 VODPlayer.exe
03/21/2006  09:45 PM           292,696 XceedFtp.dll
01/10/2001  04:12 AM           147,456 XecureS.dll
01/05/2017  07:49 PM           237,568 XingAPI.dll
01/02/2017  06:30 AM            28,672 xingAPI4VB.dll
              43 File(s)     34,787,210 bytes

Disclaimer: The information contained within this advisory is supplied "as-is" with no warranties or guarantees of fitness of use or otherwise. Permission is hereby granted for the redistribution of this advisory, provided that it is not altered except by reformatting it, and that due credit is given. Permission is explicitly given for insertion in vulnerability databases and similar, provided that due credit is given to the author. The author is not responsible for any misuse of the information contained herein and accepts no responsibility for any damage caused by the use or misuse of this information. The author prohibits any malicious use of security related information or exploits by the author or elsewhere. Do not attempt to download Malware samples. The author of this website takes no responsibility for any kind of damages occurring from improper Malware handling or the downloading of ANY Malware mentioned on this website or elsewhere. All content Copyright (c) Malvuln.com (TM).