Forums
New posts
Search forums
News
Security News
Technology News
Giveaways
Giveaways, Promotions and Contests
Discounts & Deals
Reviews
Users Reviews
Video Reviews
Support
Windows Malware Removal Help & Support
Mac Malware Removal Help & Support
Mobile Malware Removal Help & Support
Blog
Log in
Register
What's new
Search
Search titles only
By:
Search titles only
By:
Reply to thread
Menu
Install the app
Install
JavaScript is disabled. For a better experience, please enable JavaScript in your browser before proceeding.
You are using an out of date browser. It may not display this or other websites correctly.
You should upgrade or use an
alternative browser
.
Forums
Security
Video Reviews - Security and Privacy
[Britec09] Fight Back Against Ransomware (McAfee Ransomware Interceptor Review)
Message
<blockquote data-quote="DardiM" data-source="post: 563756" data-attributes="member: 52613"><p>Some scripts (that are like text in files), are obfuscated to make them hard to be understood, and have some vars with the obfuscated <em>content</em> of future files (often encoded strings).</p><p>When the script is run, it deobfusctates itself and also the content data that will be used to create real files (payload, etc). At some point, it run the file(s).</p><p></p><p>The "fileless":</p><p>An example of what I have seen (the malware part is fileless):</p><p style="margin-left: 20px">A script-based file with several vars that are encoded strings (in several parts).</p> <p style="margin-left: 20px">=> one var is the encoded content of a dll :</p> <p style="margin-left: 20px">=> once decoded, the script saves the file with a false extension : .vbs.bin</p> <p style="margin-left: 20px">=> the script registers this dll</p> <p style="margin-left: 20px">=> it then creates an object based on this dll : ActiveX <em>object</em></p> <p style="margin-left: 20px">=> then the script is able to call Windows API using this object.</p><p style="margin-left: 20px">=> allocates memory</p> <p style="margin-left: 20px">=> copy there the loader part once decoded (the "RunPE shellcode") :</p> <p style="margin-left: 20px">=> allocates memory</p> <p style="margin-left: 20px">=> copy there the parts of the malware to be injected once decoded (hard-coded on an array of encoded strings),</p> <p style="margin-left: 20px">=> CallWindowProcW : the loader is called and it injects the malware on the host process (svchost.exe or msbuild.exe if .NET available)</p> </p></blockquote><p></p>
[QUOTE="DardiM, post: 563756, member: 52613"] Some scripts (that are like text in files), are obfuscated to make them hard to be understood, and have some vars with the obfuscated [I]content[/I] of future files (often encoded strings). When the script is run, it deobfusctates itself and also the content data that will be used to create real files (payload, etc). At some point, it run the file(s). The "fileless": An example of what I have seen (the malware part is fileless): [INDENT]A script-based file with several vars that are encoded strings (in several parts). => one var is the encoded content of a dll : => once decoded, the script saves the file with a false extension : .vbs.bin => the script registers this dll => it then creates an object based on this dll : ActiveX [I]object[/I] => then the script is able to call Windows API using this object. [INDENT]=> allocates memory => copy there the loader part once decoded (the "RunPE shellcode") : => allocates memory => copy there the parts of the malware to be injected once decoded (hard-coded on an array of encoded strings), => CallWindowProcW : the loader is called and it injects the malware on the host process (svchost.exe or msbuild.exe if .NET available)[/INDENT][/INDENT] [/QUOTE]
Insert quotes…
Verification
Post reply
Top