{
	"id": "f57e3ce8-8710-45c0-aa13-f9d1a725f29f",
	"created_at": "2026-04-06T01:30:55.025299Z",
	"updated_at": "2026-04-10T03:20:25.483094Z",
	"deleted_at": null,
	"sha1_hash": "db945347fbf65989353cde2f10b2ed63fc7fde08",
	"title": "Oh, what a boot-iful mornin’",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 1472243,
	"plain_text": "Oh, what a boot-iful mornin’\r\nBy Alexander Eremin\r\nPublished: 2020-06-23 · Archived: 2026-04-06 00:48:31 UTC\r\nIn mid-April, our threat monitoring systems detected malicious files being distributed under the name “on the new initiative of the World Bank in connection with the coronavirus pandemic” (in Russian) with the extension EXE or RAR. Inside the files was the well-known Rovnix bootkit. There is nothing new about cybercriminals exploiting the coronavirus topic; the novelty is that Rovnix has been updated with a UAC bypass tool and is being used to deliver a loader that is unusual for it. Without further ado, let’s proceed to an analysis of the malware according to the rules of dramatic structure.\r\nExposition: enter SFX archive\r\nThe file “on the new initiative of the World Bank in connection with the coronavirus pandemic.exe” is a self-extracting archive that dishes up easymule.exe and 1211.doc.\r\nSFX script\r\nThe document does indeed contain information about a new initiative of the World Bank, and real individuals related to the organization are cited as the authors in the metadata.\r\nhttps://securelist.com/oh-what-a-boot-iful-mornin/97365\r\nPage 1 of 10\n\nContents of 1211.doc\r\nAs for easymule.exe, its resources contain a bitmap image that is actually an executable file, which it unpacks and loads into memory.\r\nLoading the “image”\r\nHook: enter UAC bypass\r\nThe code of the PE loaded into memory contains many sections remarkably similar to the known Rovnix bootkit and its modules, the source code of which leaked back in 2013.\r\nLeft: source of the malware; right: leaked Rovnix source code (bksetup.c)\r\nHowever, the file under analysis also reveals innovations that the authors clearly added on top of the original Rovnix source code. 
One of them is a UAC bypass mechanism that uses the “mocking trusted directory” technique.\r\nWith the aid of the Windows API, the malware creates the directory C:\\Windows \\System32 (note the space after Windows). It then copies into it a legitimate signed executable from C:\\Windows\\System32 that is allowed to elevate automatically without a UAC prompt (in this case, wusa.exe).\r\nDLL hijacking is used on top of this: a malicious library is placed in the fake directory under the name of one of the libraries the legitimate file imports (in this case, wtsapi32.dll). When wusa.exe is started from the fake directory, the path it is checked against is normalized with the GetLongPathNameW API, which strips the trailing space from the “Windows ” component, so the path appears to be the trusted C:\\Windows\\System32\\wusa.exe and passes the elevation check. The process, however, really runs from the fake directory without a UAC prompt, and when its imports are resolved it loads the malicious wtsapi32.dll placed next to it instead of the genuine one.\r\nBesides copying the legitimate system file to the fake directory and creating the malicious library there, the dropper creates another file named uninstall.pdg. It then creates and runs a series of BAT files that start wusa.exe from the fake directory and afterwards clean up the traces by deleting the created directory and the easymule.exe dropper itself.\r\nDevelopment: enter Rovnix\r\nThe file uninstall.pdg clearly contains a packed executable. It is unpacked by the same malicious library that was loaded through wusa.exe and DLL hijacking.\r\nUninstall.pdg\r\nThe code of the malicious library is kept minimal: its exported function WTSQueryUserToken implements none of the functionality that the genuine export provides to wusa.exe, which imports it. 
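Stepping back to the UAC bypass for a moment: the path trick behind it can be tried out, and hunted for, without the malware. The Python below is an added worked example written for this page; it is not code from the article, from Kaspersky or from the Rovnix sources. It models the elevation check as a comparison of the normalized image path against a list of trusted directories (TRUSTED_DIRS, win32_normalize and the two check functions are this example’s own names and simplifications, not Windows internals), shows why C:\\Windows \\System32\\wusa.exe passes that check but fails a literal comparison, and gives a detector for directory names that collapse onto a trusted directory once trailing spaces or dots are stripped. The Windows-only scan_drive helper assumes that listing a drive through the verbatim path prefix returns the literal directory names, which is also how such a directory has to be created in the first place; the article does not state this, it is an assumption of the example. The sample directory list is constructed.

```python
r"""Added example for this page (not the article's or Rovnix's code): the path
normalization behind the "mocking trusted directory" UAC bypass, and a detector.
Assumptions: the elevation check compares a Win32-normalized image path against
trusted directories; normalization drops trailing spaces and dots from each path
component; directories with such names are reachable only via the \\?\ prefix."""
import os
from typing import Iterable, List

# Illustrative trusted list for the example; the real check is Windows-internal.
TRUSTED_DIRS = (r"C:\Windows\System32", r"C:\Windows\SysWOW64")


def win32_normalize(path: str) -> str:
    r"""Model of GetLongPathNameW-style canonicalization: trailing spaces and dots
    are dropped from every component except the drive ("Windows " -> "Windows")."""
    parts = path.split("\\")
    return "\\".join(p if i == 0 else p.rstrip(" .") for i, p in enumerate(parts))


def _under_trusted(path: str) -> bool:
    p = path.lower()
    return any(p.startswith(t.lower() + "\\") for t in TRUSTED_DIRS)


def would_auto_elevate_normalized(image_path: str) -> bool:
    r"""The fooled check: decides on the normalized path, so the fake
    C:\Windows \System32 looks exactly like the real one."""
    return _under_trusted(win32_normalize(image_path))


def would_auto_elevate_literal(image_path: str) -> bool:
    """Hardened check: decides on the literal path, with no normalization."""
    return _under_trusted(image_path)


def is_spoofed_trusted_path(image_path: str) -> bool:
    """True when a path becomes trusted only after normalization: the telltale of
    a mock trusted directory (usable as a process-creation hunting rule)."""
    return would_auto_elevate_normalized(image_path) and not would_auto_elevate_literal(image_path)


def find_mock_trusted_dirs(literal_paths: Iterable[str]) -> List[str]:
    """Return the literal directory paths that normalize onto a trusted directory
    or one of its parents without literally being that directory."""
    prefixes = set()
    for t in TRUSTED_DIRS:
        parts = t.lower().split("\\")
        for n in range(2, len(parts) + 1):          # c:\windows, c:\windows\system32, ...
            prefixes.add("\\".join(parts[:n]))
    hits = []
    for p in literal_paths:
        if win32_normalize(p).lower() in prefixes and p.lower() not in prefixes:
            hits.append(p)
    return hits


def scan_drive(root: str = "C:\\") -> List[str]:
    r"""Windows-only: list the top-level directories of `root` by their literal
    names (the \\?\ prefix stops the API from normalizing them) and report mock
    trusted directories among them. Returns [] on other platforms."""
    if os.name != "nt":
        return []
    verbatim = "\\\\?\\" + root
    names = [root + n for n in os.listdir(verbatim) if os.path.isdir(verbatim + n)]
    return find_mock_trusted_dirs(names)


# Constructed sample input for the example (no real system is read).
SAMPLE_DIRS = [r"C:\Windows", r"C:\Windows ", r"C:\Windows \System32",
               r"C:\Windows.\System32", r"C:\Program Files"]

if __name__ == "__main__":
    fake = r"C:\Windows \System32\wusa.exe"
    print("normalized   :", win32_normalize(fake))
    print("fooled check :", would_auto_elevate_normalized(fake))   # True
    print("literal check:", would_auto_elevate_literal(fake))      # False
    print("mock dirs    :", find_mock_trusted_dirs(SAMPLE_DIRS))
```

The literal-path comparison is the property a defender wants: any check that trusts a path only after normalizing it reintroduces the gap, and any telemetry that records normalized image paths will show wusa.exe as running from the genuine System32.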
What the export does instead is read uninstall.pdg, unpack the executable stored in it and run it.\r\nCode of exported malicious library function\r\nThe unpacked uninstall.pdg turns out to be a DLL with the exported function BkInstall — another indicator that the malware is based on the leaked Rovnix code. Further analysis of the file confirms this.\r\nGlued inside uninstall.pdg are executable files packed with aPLib. The gluing was done with the FJ utility (also part of the Rovnix bootkit), as evidenced by the file-unpacking algorithm and by the FJ signatures that mark where the joined files begin.\r\nFJ utility signature\r\nThe glued files are the KLoader driver from the leaked Rovnix bootkit and a bootloader. Uninstall.pdg unpacks them, overwrites the VBR with the bootloader and stores the packed original VBR next to it. KLoader is also written to the disk; its job is to inject the payload into running processes.\r\nLeft: source code of the malware; right: leaked Rovnix source code (kloader.c)\r\nAs the screenshot shows, the malware’s code differs little from the original. This build appears to have been compiled without the VFS and without the protocol stack that let the original driver operate over the network.\r\nIn this instance, the driver injects a DLL into processes: the same un-Rovnix-like loader mentioned at the very beginning.\r\nThus, the general execution scheme looks as follows.\r\nExecution scheme\r\nClimax: enter loader\r\nLet’s consider the new loader in more detail. The first thing to catch the eye is the PDB path in the file.\r\nPDB path\r\nWhen run, the loader begins by building a table of function pointers. 
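Before going further into the loader, a word on getting at the components glued into uninstall.pdg. The Python below is an added worked example written for this page, not code from the article or from Rovnix: a minimal aPLib decompressor following the public aPLib reference depacker, plus a parser for the optional AP32 container header (assumed layout: tag, header size, packed size, packed CRC-32, original size, original CRC-32, little-endian; the CRC is assumed to use the standard polynomial that zlib uses). The article does not reproduce the FJ joint layout, so the example takes a single aPLib stream; the packed sample is hand-encoded for this example. Back-references that point before the start of the output, a truncated stream and oversized output are rejected with ValueError instead of being read blindly, which is what one wants when depacking an untrusted blob.

```python
"""Added example for this page (not the article's or Rovnix's code): a minimal
aPLib decompressor. Decoding rules follow the public aPLib reference depacker;
the optional "AP32" container header layout is assumed to be tag, header size,
packed size, packed CRC-32, original size, original CRC-32 (all little-endian)."""
import struct
import zlib


class BitReader:
    """Tag bytes are consumed MSB first and share the byte stream with literals."""

    def __init__(self, data: bytes):
        self.data, self.pos, self.tag, self.bitcount = data, 0, 0, 0

    def byte(self) -> int:
        if self.pos >= len(self.data):
            raise ValueError("truncated aPLib stream")
        self.pos += 1
        return self.data[self.pos - 1]

    def bit(self) -> int:
        if self.bitcount == 0:
            self.tag, self.bitcount = self.byte(), 8
        self.bitcount -= 1
        return (self.tag >> self.bitcount) & 1

    def gamma(self) -> int:
        """Gamma code: start at 1; each data bit is followed by a continue bit."""
        result = 1
        while True:
            result = (result << 1) | self.bit()
            if not self.bit():
                return result


def aplib_depack(src: bytes, max_out: int = 64 * 1024 * 1024) -> bytes:
    """Decompress a raw aPLib stream. Raises ValueError on truncation, on a
    back-reference pointing before the output start, or on output beyond max_out."""
    r, out = BitReader(src), bytearray()
    r0, lwm = -1, False          # last match offset; "last was match" flag

    def copy(offs: int, length: int) -> None:
        if offs <= 0 or offs > len(out):
            raise ValueError(f"bad back-reference offset {offs} at {len(out)} bytes")
        if len(out) + length > max_out:
            raise ValueError("output limit exceeded")
        for _ in range(length):
            out.append(out[-offs])

    out.append(r.byte())                       # first byte is always a literal
    while True:
        if not r.bit():                        # 0   : literal byte
            out.append(r.byte())
            lwm = False
        elif not r.bit():                      # 10  : gamma-coded match
            offs = r.gamma()
            if not lwm and offs == 2:          # reuse the previous offset
                copy(r0, r.gamma())
            else:
                offs = ((offs - (2 if lwm else 3)) << 8) | r.byte()
                length = r.gamma()
                if offs >= 32000:
                    length += 1
                if offs >= 1280:
                    length += 1
                if offs < 128:
                    length += 2
                copy(offs, length)
                r0 = offs
            lwm = True
        elif not r.bit():                      # 110 : 7-bit offset, 2- or 3-byte match
            b = r.byte()
            offs = b >> 1
            if offs == 0:                      # offset 0 here is the end-of-stream marker
                break
            copy(offs, 2 + (b & 1))
            r0, lwm = offs, True
        else:                                  # 111 : 4-bit offset, one byte (0 = literal NUL)
            offs = 0
            for _ in range(4):
                offs = (offs << 1) | r.bit()
            if offs:
                copy(offs, 1)
            else:
                out.append(0)
            lwm = False
    return bytes(out)


def unwrap_ap32(blob: bytes) -> bytes:
    """Return the raw stream inside an 'AP32' container after checking the
    sizes and the packed CRC-32 (assumed to be the standard polynomial, as zlib's)."""
    if len(blob) < 24:
        raise ValueError("too short for an AP32 header")
    tag, hdr, psize, pcrc, _osize, _ocrc = struct.unpack_from("<4sIIIII", blob, 0)
    if tag != b"AP32" or hdr < 24 or hdr + psize > len(blob):
        raise ValueError("not a valid AP32 container")
    packed = blob[hdr:hdr + psize]
    if zlib.crc32(packed) != pcrc:
        raise ValueError("packed CRC mismatch")
    return packed


# Constructed test stream (hand-encoded for this example): 'A', 'B', then a
# 6-byte match at offset 2, then the end marker. Decodes to b"ABABABAB".
SAMPLE_PACKED = bytes([0x41, 0x52, 0x42, 0x02, 0x60, 0x00])
SAMPLE_AP32 = struct.pack("<4sIIIII", b"AP32", 24, len(SAMPLE_PACKED),
                          zlib.crc32(SAMPLE_PACKED), 8, zlib.crc32(b"ABABABAB")) + SAMPLE_PACKED

if __name__ == "__main__":
    print(aplib_depack(unwrap_ap32(SAMPLE_AP32)))
```

Run over a carved region of a sample, aplib_depack either returns the embedded PE or fails fast; a stream that was carved at the wrong offset usually trips the back-reference check within the first few bytes, which makes the function a cheap way to test candidate joint offsets.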
The table lives in an allocated memory block that is filled with pointers to the API functions the loader needs; later calls go through the offsets of those pointers within the block.\r\nStructure with functions\r\nNext, the process obtains access to the WinSta0 window station and Default desktop objects for itself and for all processes it creates, and starts a thread that runs the C&C communication cycle.\r\nCreating a C&C communication thread\r\nCommunication with C&C\r\nHaving created the thread, the malware checks with OpenMutexA whether another copy is already running. It then enters the C&C communication cycle, in which it builds a data packet describing the infected device. The packet is XOR-encrypted with the single-byte key 0xF7 and sent to the C&C.\r\nStructure of sent data\r\nIn response, the malware receives an executable file, which it loads into memory. Control is then transferred to the entry point of this PE file.\r\nDisplaying the PE file loaded into memory\r\nDenouement: enter testing\r\nThe loader turns out not to be unique: several more instances were discovered during the analysis. They all share the same features, with slight differences. For example, one of them checks that it is running in the expected context by trying to register a NetService service control handler. If registration fails (that is, the service is not running on the system), the loader stops.\r\nExample of a different version of the loader\r\nOther instances of the loader do not use the bootkit, but do apply the same UAC bypass method. All indications are that the loader is being actively tested and fitted with various tools for bypassing protection.\r\nWe also discovered instances that could serve as payloads for the loader. They contain similar PDB paths and the same C&Cs as the loaders. 
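Going back to the loader’s beacon: a single-byte XOR on a packet built from strings is easy to undo, and just as easy to undo when the key changes between builds. The Python below is an added worked example written for this page, not code from the article. The field names and layout of the sample beacon (hostname, user, OS string, bot id, NUL-terminated) are constructed for the example, since the article does not reproduce the real packet structure; the key 0xF7 is the one the article reports. It shows decoding with a known key, recovering an unknown key from a captured packet by scoring the 256 candidate plaintexts, and the known-plaintext shortcut when the packet is known to start with a fixed field.

```python
"""Added example for this page (not the article's code): decoding the loader's
single-byte XOR beacon and recovering the key from a captured packet. The
field layout of the sample beacon is constructed for this example."""
from typing import List, Optional, Tuple

KNOWN_KEY = 0xF7   # key reported in the article for the analysed sample


def xor_bytes(data: bytes, key: int) -> bytes:
    """Single-byte XOR: encryption and decryption are the same operation."""
    return bytes(b ^ key for b in data)


def plausibility(candidate: bytes) -> float:
    """Fraction of bytes that look like beacon text: NUL field terminators and
    printable ASCII count fully, tab/LF/CR count half, everything else not at
    all. A PE body or random data scores low under every key."""
    score = 0.0
    for b in candidate:
        if b == 0 or 32 <= b <= 126:
            score += 1.0
        elif b in (9, 10, 13):
            score += 0.5
    return score / max(len(candidate), 1)


def recover_single_byte_key(packet: bytes, min_score: float = 0.9) -> Optional[Tuple[int, float]]:
    """Brute-force the 256 possible keys and return (key, score) of the most
    text-like plaintext, or None when nothing reaches min_score."""
    best_key = max(range(256), key=lambda k: plausibility(xor_bytes(packet, k)))
    best_score = plausibility(xor_bytes(packet, best_key))
    return (best_key, best_score) if best_score >= min_score else None


def key_from_known_prefix(packet: bytes, known: bytes) -> Optional[int]:
    """Known-plaintext shortcut: when a packet must start with a known field,
    the key is the XOR of the first bytes; verified across the whole prefix."""
    if not known or len(packet) < len(known):
        return None
    key = packet[0] ^ known[0]
    return key if xor_bytes(packet[:len(known)], key) == known else None


def split_fields(plaintext: bytes) -> List[str]:
    """Split NUL-terminated fields (the constructed layout used below)."""
    return [f.decode("ascii", "replace") for f in plaintext.split(b"\x00") if f]


# Constructed sample beacon: hostname, user, OS string and bot id, NUL-terminated.
SAMPLE_BEACON_PLAIN = b"WIN-7XK2Q9\x00Administrator\x00Windows 7 SP1 x64\x00id=00000001\x00"
SAMPLE_BEACON_WIRE = xor_bytes(SAMPLE_BEACON_PLAIN, KNOWN_KEY)

if __name__ == "__main__":
    print(recover_single_byte_key(SAMPLE_BEACON_WIRE))          # (247, 1.0)
    print(split_fields(xor_bytes(SAMPLE_BEACON_WIRE, KNOWN_KEY)))
```

The scoring deliberately gives control whitespace only half credit: otherwise a key that turns every NUL terminator into a tab ties with the real one on a packet made of letters and digits. The same routine applied to the response traffic will return None, which is itself a useful signal that the server answered with a PE rather than text.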
A notable detail of these payloads is how they resolve the APIs they need: the address is obtained from the function name, and the name itself is looked up by index in a configuration string.\r\nGetting the API addresses\r\nOn command from the C&C, this malware can run an EXE file with specified parameters, record sound from the microphone and send the audio file to the cybercriminals, shut down or restart the computer, and so on.\r\nProcessing a received command\r\nThe module name (E:\\LtdProducts\\Project\\newproject\\64bits\\64AllSolutions\\Release\\PcConnect.pdb) suggests that the developers regard it as a backdoor, one that may additionally carry Trojan-Spy functionality, judging by some of its configuration strings.\r\nConfiguration snippet; the lines in Chinese mean “Current user:”, “user password:”, “***Below are the system account and password [%04d-%02d-%02d %02d:%02d:%02d]***”\r\nEpilogue\r\nOur analysis of malware masquerading as a “new initiative of the World Bank” shows that even well-known threats like Rovnix can throw up a couple of surprises when their source code goes public. Freed from the need to develop their own protection-bypassing tools from scratch, cybercriminals can pay more attention to the capabilities of their own malware and add extra “goodies” to the source code, such as UAC bypass. Kaspersky products detect this threat and its related modules as Trojan.Win32.Cidox, Trojan.Win32.Generic, Trojan.Win32.Hesv, and Trojan.Win32.Inject.\r\nIOC\r\nMD5\r\n7CFC801458D64EF92E210A41B97993B0\r\nE2A88836459088A1D5293EF9CB4B31B7\r\nC&C\r\nbamo.ocry[.]com:8433\r\n45.77.244[.]191:8090\r\n45.77.244[.]191:9090\r\n45.77.244[.]191:5050\r\n45.76.145[.]22:8080\r\n149.28.30[.]158:443\r\nSource: https://securelist.com/oh-what-a-boot-iful-mornin/97365",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://securelist.com/oh-what-a-boot-iful-mornin/97365"
	],
	"report_names": [
		"97365"
	],
	"threat_actors": [],
	"ts_created_at": 1775439055,
	"ts_updated_at": 1775791225,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/db945347fbf65989353cde2f10b2ed63fc7fde08.pdf",
		"text": "https://archive.orkl.eu/db945347fbf65989353cde2f10b2ed63fc7fde08.txt",
		"img": "https://archive.orkl.eu/db945347fbf65989353cde2f10b2ed63fc7fde08.jpg"
	}
}