Investigating MyKings Malware Variant With Bootkit Persistence

MyKings Malware Variant With Bootkit Persistence


This malware event was detected and blocked on the 16th of January, 2020, when a malicious application (winnts.exe) used a trusted application (powershell.exe) to download and run a malicious script from a malicious IP address. The script was obtained, and further analysis and incident response were carried out on the infected server.
Further research and analysis of the batch file showed that the script abused PowerShell to download other malware files from the command-and-control IP address.

[Figure: PowerShell script]

Our findings, as detailed in the next section, confirmed that the file is malicious, and our analysts were subsequently able to contain the attack and remediate it on 4th March, 2020. The malware attempted to uninstall other antivirus products on the system and created scheduled tasks that run automatically to hijack system resources for mining cryptocurrency. This type of malware is known as "MyKings Malware"; it adds the system to a botnet that mines cryptocurrency for the attacker.

Type of Incident Detected: Malicious Code
Potential Damages by Incident: Reduced System Performance; Network Resources Consumption
Attack Source: 167.88.180.175
Operating System of Affected System: Windows Server 2012 R2 Standard
Additional System Details: The server has our malware defense suite installed on it, which allowed our analysts to carry out in-depth analysis on the malware and to prevent and block it from running again.


In order to better analyze the file, we downloaded the script and ran it in a sandbox with real-time interaction and process monitoring. From its observed behaviour, both malicious and suspicious, we were able to ascertain the tactics and techniques used. The file carried out actions matching the following tactics:

  • Execution
  • Persistence
  • Privilege Escalation
  • Defense Evasion
  • Credential Access
  • Command and Control
[Figure: MITRE technique detection]

The file used legitimate Windows components such as the Registry, PowerShell, Scheduled Tasks and WMIC to schedule tasks, create and run processes, and drop other malware files in the Windows installation directory.

[Figure: Investigation on Sophos dashboard]
[Figure: Hybrid Analysis result]

Further investigation on other malware analysis platforms also showed the file to be malicious and gave it a threat score of 100/100.

Use of WMIC

The malware attempted to use Windows Management Instrumentation (WMI) to uninstall antivirus solutions: it queries for popular antivirus products and attempts to uninstall them. Below is the command used in attempting to uninstall the Norton antivirus program.

"C:\Windows\System32\Wbem\WMIC.exe" product where "name like '%Norton Security%'" call uninstall /nointeractive
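The WMIC invocation above is easy to pick out of process-creation telemetry (Sysmon event 1 or Windows event 4688) because the malware cannot avoid the "product where ... call uninstall" shape. The following is an added detection example, not code from the original report or from the MyKings analysis. The "timestamp|image|command line" record format, the "Example Antivirus" entry and the two benign inventory queries are constructed for the example; the Norton line mirrors the command quoted above.

```python
import re

# Constructed sample process-creation records in the form "timestamp|image|command line".
# The first WMIC line mirrors the command quoted in the report; the "Example Antivirus"
# entry and the benign inventory/OS queries are constructed for this example.
SAMPLE_LOG = r'''
2020-01-16T10:02:11Z|C:\Windows\System32\Wbem\WMIC.exe|"C:\Windows\System32\Wbem\WMIC.exe" product where "name like '%Norton Security%'" call uninstall /nointeractive
2020-01-16T10:02:13Z|C:\Windows\System32\Wbem\WMIC.exe|wmic product where "name like '%Example Antivirus%'" call uninstall /nointeractive
2020-01-16T10:03:00Z|C:\Windows\System32\Wbem\WMIC.exe|wmic product get name,version
2020-01-16T10:03:05Z|C:\Windows\System32\Wbem\WMIC.exe|wmic os get caption
'''

# "wmic[.exe]" (optionally a quoted path) followed by: product where <filter> call uninstall
WMIC_UNINSTALL = re.compile(
    r"""wmic(?:\.exe)?["']?\s+product\s+where\s+(?P<filter>.+?)\s+call\s+uninstall""",
    re.IGNORECASE,
)
# Product name inside a WQL filter such as: name like '%Norton Security%'
NAME_LIKE = re.compile(r"""name\s+like\s+['"]%?(?P<name>[^'"%]+)%?['"]""", re.IGNORECASE)

# Reports and ticket systems often turn straight quotes into curly ones; undo that.
SMART_QUOTES = str.maketrans({"\u201c": '"', "\u201d": '"', "\u2018": "'", "\u2019": "'"})


def parse_record(line):
    """Split one 'timestamp|image|command line' record and normalise its quotes."""
    timestamp, image, cmdline = line.split("|", 2)
    return {"timestamp": timestamp, "image": image, "cmdline": cmdline.translate(SMART_QUOTES)}


def find_wmic_uninstalls(log_text):
    """Return every record whose command line uninstalls a product through WMIC."""
    hits = []
    for raw in log_text.splitlines():
        if not raw.strip():
            continue
        rec = parse_record(raw)
        match = WMIC_UNINSTALL.search(rec["cmdline"])
        if match is None:
            continue  # inventory queries such as "wmic product get name" are not flagged
        filt = match.group("filter")
        name = NAME_LIKE.search(filt)
        rec["product"] = name.group("name").strip() if name else filt
        rec["noninteractive"] = "/nointeractive" in rec["cmdline"].lower()
        hits.append(rec)
    return hits


if __name__ == "__main__":
    for hit in find_wmic_uninstalls(SAMPLE_LOG):
        print(f"{hit['timestamp']} WMIC uninstall of {hit['product']!r}"
              f" (silent={hit['noninteractive']}): {hit['cmdline']}")
```

Matching on the command shape rather than on a list of antivirus names means the rule also fires when the malware targets a product not on the analyst's list; the extracted product name is then useful for checking which security tooling on the host may already have been removed.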


Registry Edits

We checked the registry modifications carried out by the malware, identified the registry key edits, and removed them:



The content of one of the registry keys is seen in the figure below.

[Figure: Registry change]

Trojan Agent and Downloader

We identified some Trojan downloaders and agents at the following locations respectively:







Scheduled Tasks

Some tasks were scheduled to run the malware automatically. These tasks were found in the Windows Task Scheduler and include:

  • my1
  • Mysa
  • Mysa1
  • Mysa2
  • Mysa3
  • ok
  • oka
[Figure: Scheduled task in registry]

These malicious tasks were created by the PowerShell script and were subsequently deleted from the server during remediation.
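A quick way to sweep other servers for the same persistence is to export the task list with `schtasks /query /fo CSV /v` and match it against the task names above. Here is an added triage example (not code from the original report or from the MyKings analysis). The CSV sample is constructed in the shape of that command's output with only a few of its real columns, the task actions are placeholders rather than the malware's real commands, and the IP address in the sample is the attack source given in the report.

```python
import csv
import io
import re

# Scheduled task names recovered from the infected server, as listed in the report.
MYKINGS_TASK_NAMES = {"my1", "mysa", "mysa1", "mysa2", "mysa3", "ok", "oka"}

# A raw IPv4 literal in the task action, e.g. a download from the C2 address.
IP_LITERAL = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")

# Constructed sample in the shape of `schtasks /query /fo CSV /v` output. Only a few of the
# real columns are kept; the actions are placeholders, not the malware's real commands.
# The IP address is the attack source given in the report.
SAMPLE_SCHTASKS_CSV = r'''"HostName","TaskName","Status","Author","Task To Run"
"SRV01","\Microsoft\Windows\Defrag\ScheduledDefrag","Ready","Microsoft Corporation","%windir%\system32\defrag.exe -c"
"SRV01","\Mysa","Ready","SRV01\Administrator","cmd /c CONSTRUCTED_PLACEHOLDER"
"SRV01","\my1","Ready","SRV01\Administrator","powershell.exe -c CONSTRUCTED_PLACEHOLDER http://167.88.180.175/PLACEHOLDER"
'''


def triage_tasks(csv_text, known_names=MYKINGS_TASK_NAMES):
    """Return tasks whose name matches the MyKings list or whose action runs PowerShell against a raw IP."""
    findings = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        # `schtasks /v` repeats the header line for every task folder; skip those rows.
        if row["TaskName"] == "TaskName":
            continue
        leaf = row["TaskName"].rsplit("\\", 1)[-1]  # "\Mysa" -> "Mysa"
        action = row.get("Task To Run", "")
        reasons = []
        if leaf.lower() in known_names:
            reasons.append("task name matches a MyKings scheduled task")
        if "powershell" in action.lower() and IP_LITERAL.search(action):
            reasons.append("action runs PowerShell with a raw IP address in its arguments")
        if reasons:
            findings.append({"task": row["TaskName"], "author": row.get("Author", ""),
                             "action": action, "reasons": reasons})
    return findings


if __name__ == "__main__":
    for finding in triage_tasks(SAMPLE_SCHTASKS_CSV):
        print(f"{finding['task']} ({finding['author']}): {'; '.join(finding['reasons'])}")
        print(f"    action: {finding['action']}")
```

Before deleting a confirmed hit, capture its definition for the case file with `schtasks /query /tn "\Mysa" /xml`; the task is then removed with `schtasks /delete /tn "\Mysa" /f`. The PowerShell-plus-IP heuristic is deliberately broad so that renamed tasks created by the same script still surface; review each match against the host's change history.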

Rootkit Persistence

The malware installed a rootkit on the server which ensures that the malware gets loaded before the operating system boots up. This prevents the listed anti-virus solutions from working and ensures that the malware returns after a reboot. It was removed from the server. The anti-virus solutions it terminates are listed below.



As identified during the investigation, the system was breached through the EternalBlue vulnerability present on the computer. The system was updated, the malicious program was removed, and the actions taken by it were reversed.

The following recommendations are to be put in place to prevent a recurrence of this incident.

  1. Applications should be downloaded from verified publishers only.
  2. The use of cracked/patched software should be avoided.
  3. Apply Windows updates regularly on all systems.
  4. Install EDR on all endpoints on the network to stop potential attacks and prevent them from infecting other systems on the network.
  5. Upgrade the server with the Windows Server image file so as to fix the problem with Windows automatic updates.
  6. Disable unnecessary services such as RDP on internet-facing computers.


IP Addresses:


