Investigating Recycle Bin Manipulation in Malware I Found on the Internet

Rangika Kavishka
3 min read · Jan 23, 2025


I found a text file on the Internet while I was looking for some malware. It was C code in .txt format, so I downloaded it, did some investigation of that code, and found the following.

The C code in the .txt file is actually low-level Windows malware designed to interact with the system and potentially manipulate the Recycle Bin. It uses Windows API calls, dynamic linking and manual memory management. The code has characteristics of malware used to hide files, perform reconnaissance and evade detection.

Inclusion of Windows-Specific Headers

#include <Windows.h>

windows.h is a header file from the Windows SDK. It exposes system-level functionality such as file handling, security operations and process management, which lets the malware interact directly with critical system components: the file system, dynamic libraries and system calls.

Dynamic DLL Loading

“LdrLoadDll” and “GetInMemoryLibraryHandle” are functions used to dynamically load system libraries at run time. Resolving libraries this way avoids static detection, because the functions are not imported explicitly and so do not appear in the import table. It also gives the flexibility to call critical native functions such as “NtOpenFile” and “NtQueryInformationToken”.

PEB Inspection

“GetPeb()” is a function I saw in the code. It retrieves the Process Environment Block (PEB), which holds process-specific information and is often used by malware developers to access process data that is not available through standard APIs. The PEB is a structure that holds information about the running process, its loaded modules and system settings. Here it is used for enumerating loaded DLLs and identifying specific modules in memory, and also for checking for debuggers.

Recycle Bin Enumeration

“OleInteroptEnumRecycleBinShellObject”. This function is the centerpiece of this malware. It interacts with the Recycle Bin directory (C:\$RECYCLE.BIN) to enumerate and manipulate its contents. It uses the “SHGetFolderLocation” API to locate the Recycle Bin and “IShellFolder” interfaces to enumerate the objects within it. It then constructs paths for files and directories inside the Recycle Bin, potentially to hide files for persistence and to collect information about deleted files for exfiltration.

SID-Based Path Construction

The function “GetUserSecurityId” retrieves the Security Identifier (SID) of the current user. This SID is appended to the Recycle Bin path:

\\??\\C:\\$RECYCLE.BIN\\<UserSID>

This shows that the malware tailors its behavior to the current user, possibly for targeted attacks and persistence.
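The two sections above describe the layout the malware walks: a per-user folder named after the SID inside C:\$RECYCLE.BIN. That folder has a well-documented on-disk format a defender can parse directly, since Windows stores each deleted file as a $I<id> metadata record (original path, size, deletion time) next to a $R<id> file holding the content. The Python below is an added example written for this article, not code from the analysed sample or from any project it references. It builds the SID-based path the malware constructs (validating the SID string first), parses a $I record into its original path, size and deletion time, and flags files in the per-user folder that do not follow the $I/$R naming scheme, which is exactly the anomaly a file hidden there for persistence would produce. The SID, the file names and the $I record are constructed sample data.

```python
import re
import struct
from datetime import datetime, timedelta, timezone

# A Windows SID in string form: S-1-<authority>-<subauthority>... (1 to 15 subauthorities).
SID_RE = re.compile(r"^S-1-\d+(?:-\d+){1,15}$")

# Per-user Recycle Bin entries are stored as $I<6 chars> (metadata) and
# $R<6 chars> (content) pairs; desktop.ini is the only other expected file.
ENTRY_RE = re.compile(r"^\$[IR][A-Z0-9]{6}(?:\..*)?$", re.IGNORECASE)

FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)


def recycle_bin_user_root(user_sid: str, drive: str = "C") -> str:
    """Build the NT-style per-user Recycle Bin path described in the article."""
    if not SID_RE.match(user_sid):
        raise ValueError(f"not a valid SID string: {user_sid!r}")
    return f"\\??\\{drive}:\\$RECYCLE.BIN\\{user_sid}"


def filetime_to_iso(filetime: int) -> str:
    """Convert a Windows FILETIME (100 ns ticks since 1601-01-01 UTC) to ISO 8601."""
    return (FILETIME_EPOCH + timedelta(microseconds=filetime // 10)).isoformat()


def parse_i_record(data: bytes) -> dict:
    """Parse a $I metadata record (version 1: Vista/7, version 2: Windows 10 and later)."""
    if len(data) < 24:
        raise ValueError("record too short for the 24-byte header")
    version, original_size, deleted_filetime = struct.unpack_from("<QQQ", data, 0)
    if version == 1:
        # Fixed 520-byte (260 UTF-16 code units) NUL-padded original path.
        raw = data[24:24 + 520]
        original_path = raw.decode("utf-16-le", errors="replace").split("\0", 1)[0]
    elif version == 2:
        # Length-prefixed path; the count includes the terminating NUL.
        (nchars,) = struct.unpack_from("<I", data, 24)
        raw = data[28:28 + 2 * nchars]
        original_path = raw.decode("utf-16-le", errors="replace").rstrip("\0")
    else:
        raise ValueError(f"unknown $I record version {version}")
    return {
        "version": version,
        "original_size": original_size,
        "deleted_utc": filetime_to_iso(deleted_filetime),
        "original_path": original_path,
    }


def build_i_record_v2(original_path: str, original_size: int, deleted_filetime: int) -> bytes:
    """Construct a version-2 $I record; used here only to create sample input."""
    name = (original_path + "\0").encode("utf-16-le")
    return struct.pack("<QQQI", 2, original_size, deleted_filetime, len(name) // 2) + name


def unexpected_entries(names):
    """Return names in a per-user Recycle Bin folder that do not follow the
    $I/$R scheme; such files deserve manual review."""
    return [n for n in names if n.lower() != "desktop.ini" and not ENTRY_RE.match(n)]


# --- constructed sample data (not taken from the analysed code) ---
SAMPLE_SID = "S-1-5-21-1111111111-2222222222-3333333333-1001"
# 2025-01-23 00:00:00 UTC expressed as a FILETIME.
SAMPLE_FILETIME = 133820640000000000
SAMPLE_I_RECORD = build_i_record_v2(r"C:\Users\alice\Documents\notes.txt", 4096, SAMPLE_FILETIME)
SAMPLE_LISTING = ["desktop.ini", "$I7X2K1Q.txt", "$R7X2K1Q.txt", "hidden_store.dat"]

if __name__ == "__main__":
    print(recycle_bin_user_root(SAMPLE_SID))
    print(parse_i_record(SAMPLE_I_RECORD))
    print("unexpected entries:", unexpected_entries(SAMPLE_LISTING))
```

On a live system the same functions apply to the real folder: list C:\$Recycle.Bin\<SID>, feed each $I file to parse_i_record to reconstruct what was deleted and when, and run unexpected_entries over the listing to surface anything that is not a Windows-created $I/$R pair.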

Based on my analysis of the code, it seems like prototype malware code, for several reasons.

1. Developer Comments.

There was a comment in the code:

/* holy mother of christ im getting cooked, i have so much more work to do */

2. No Payload.

Although the code performs enumeration of the Recycle Bin, retrieves user-specific identifiers (SID) and dynamically loads critical functions, it does not include any explicit malicious payload.

But there is a code line containing “\\ItsJustAPrankBro”. Maybe it is a placeholder for malicious actions or a payload.

3. No Network Interaction

A complete malware program often includes networking capabilities to communicate with a Command-and-Control (C2) server, to exfiltrate data or download additional payloads. This code does not implement any network communication.

4. No Obfuscation

Most advanced malware obfuscates its code to evade detection. This code is relatively transparent, making it easier to analyze.

Based on these observations, it’s clear that this is likely a prototype malware rather than a fully developed threat. While it lacks key features of complete malware, it still provides insight into the methods and techniques malware developers experiment with. This analysis was a valuable learning experience, even as someone not professionally trained in malware analysis.
