Trojan:Win32/Wacatac.H!ml

Trojan:Win32/Wacatac.H!ml Threat Analysis & Removal
Wacatac is a name for a wide group of dropper malware, that can deliver ransomware

Trojan:Win32/Wacatac.H!ml is a detection of Microsoft Defender that may flag several different malware families. Once installed, it can deliver additional malicious payloads, manipulate system settings, and encrypt user data. On the other hand, it can sometimes be a false positive detection.

Trojan:Win32/Wacatac.H!ml Overview

Trojan:Win32/Wacatac.H!ml is a detection of Microsoft Defender that flags a wide range of malware, which share similar functionality. In particular, Wacatac.H!ml appears when there is a ransomware active in the system, or a dropper (loader) malware that is known to deploy ransomware. Nonetheless, such a dropper may deliver literally any other type of malicious program – from adware to spyware or backdoors.

Trojan:Win32/Wacatac.H!ml detection notification screenshot
Trojan:Win32/Wacatac.H!ml detection notification

Wacatac.H!ml often gets into the system when the user downloads or installs cracked programs, keygens or similar sketchy software. Sometimes, users are tricked into downloading the malware by disguising it as a legitimate file or software update. Right off the start, Wacatac.H!ml changes registry settings and system settings and masquerades as a benign process, to further proceed with downloading other malware. It hides its presence on the infected system through various means, such as code obfuscation and polymorphism.

The “ml” in Trojan:Win32/Wacatac.H!ml stands for machine learning, which means it may sometimes be a false positive, as evidenced by many reviews on the Internet. For example, Defender may flag a simple home application written in C++ as Trojan:Win32/Wacatac.H!ml. I will pay this a bit more attention later in the article.

Technical Analysis

It is not particularly hard to find a sample of Trojan:Win32/Wacatac.H!ml: dropper malware is a backbone of malware infrastructure these days. As I’ve already mentioned, dodgy apps or cracked games are the most widespread source of this virus. Still, to simplify the task, I have got a ready sample to work on.

Like the majority of dropper malware, before getting to actual execution, Wacatac.H!ml performs a check for a virtual environment or sandbox. It checks the following registry values:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Ole\MaxSxSHashCount
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData
HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Office\16.0\CVH\VirtualProductInfo
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Installer\UserData

These keys contain system information that the malware uses to determine whether it is in a virtual environment or sandbox. Next, Trojan:Win32/Wacatac.H!ml collects some basic information about the system through the calls to SecurityHealthService and WMI:

C:\Windows\system32\SecurityHealthService.exe
C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding

The data these queries return allow the malware to fingerprint the system – an essential thing for further activity. Depending on the system configuration, Wacatac may deploy different malware samples. One more part of the fingerprinting is enumerating programs by checking mutexes present in the system.

A08D74470003000000006BC5_CACHEMUTEX
Global\552FFA80-3393-423d-8671-7BA046BB5906
Installing
Local\10MU_ACB10_S-1-5-5-0-182969
Local\10MU_ACBPIDS_S-1-5-5-0-182969
Local\2BF388D5-6F8C-40A0-A7EE-996D005C4E14_Office16

This is a rather unusual tactic that most likely aims at avoiding the usage of more common system calls that antivirus software may track. To make the detection even harder, Wacatac deletes the following registry keys to hide traces of its activity:

HKEY_CURRENT_USER\Control Panel\MMCPL\mlcfg32.cpl
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Perflib\Updating
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Outlook\Performance\Disable Performance Counters

Payload Execution

Next, Wacatac.H!ml performs its primary function of deploying the payload. It uses an encrypted connection over TCP port 204.79.197.203:443, which is associated with Microsoft, specifically Office365. The malware drops quite a few files:

FRMCACHE.DAT
4086b4f4db.exe
hb4h80jb.exe
bdoe923.tmp.bat
~WRS{C12DF935-B9DB-4568-9CBB-CB1340274738}.tmp

Wacatac.H!ml runs each of these files through DLL injection, by abusing the C:\Windows\system32\svchost.exe -k DcomLaunch -p command. Though, it can run them as plain executable programs, too, and probably does so when there is no antivirus installed.

Is Trojan:Win32/Wacatac.H!ml False Positive?

Trojan:Win32/Wacatac.H!ml may be a false positive, and there are user complaints regarding this being the case. This detection comes from Microsoft’s AI engine – this is what the “!ml” part means – and thus requires additional checks from other systems. When these systems, namely heuristics and databases, fail to provide the confirmation, the AI system may proceed with flagging a bening software as malicious.

Wacatac.H!ml Reddit

Considering that the key activity the Wacatac malware group is known for is loading, the false detection may appear to any program or script that has networking activity. It is especially true for some self-made apps that do not have certificates or anything that can prove they are not malicious.

How To Remove Trojan:Win32/Wacatac.H!ml?

Since Trojan:Win32/Wacatac.H!ml primarily targets Windows Defender, you will most likely need a third-party anti-malware solution. I recommend using GridinSoft Anti-Malware, as it allows you to find and neutralize the threat in just a few clicks.

GridinSoft Anti-Malware main screen

Download and install Anti-Malware by clicking the button below. After the installation, run a Full scan: this will check all the volumes present in the system, including hidden folders and system files. Scanning will take around 15 minutes.

After the scan, you will see the list of detected malicious and unwanted elements. It is possible to adjust the actions that the antimalware program does to each element: click "Advanced mode" and see the options in the drop-down menus. You can also see extended information about each detection - malware type, effects and potential source of infection.

Scan results screen

Click "Clean Now" to start the removal process. Important: removal process may take several minutes when there are a lot of detections. Do not interrupt this process, and you will get your system as clean as new.

Removal finished

By Stephanie Adlam

I write about how to make your Internet browsing comfortable and safe. The modern digital world is worth being a part of, and I want to show you how to do it properly.

Leave a comment

Your email address will not be published. Required fields are marked *