blackice

You always learn something new :) Although I will never admit I did not know that and I will deny every accusation of it.
I’ve never known @Robbie to be wrong, now Roboman... :ROFLMAO:

I would say it would be nice if companies used consistent terminology between home and enterprise products, but the reality is most users of each don’t see the other. So, it doesn’t really matter for them. My biggest wish is that companies would document/explain modules better. I know they need their secret sauce, but understanding what a module actually does is sometimes hard to figure out.
 

Andy Ful

My first thought was that the big batch file contained base64-encoded malware which was then decoded with the command line "certutil -decode", as in the example below:
BAT file based Ransomware targeting people in China – SonicWall
But version 3.3 did not use such a command line; only "certutil -encode" was used. The video also suggests that only the "certutil -encode" command line is used.
When I took a closer look at the code of this BAT, I found a few "certutil -decode" commands after many "certutil -encode" commands. Some files were hidden in the BAT file as an array of bytes, like, for example, a whole MP3 file. But the files extracted/decoded from the malware were not related to encrypting files on disk. As @cruelsister noticed, the ransomware job was done by very simple code. The malware followed this path:
Loop (rename file ---> encode to another file by using "certutil -encode")
delete the renamed files
.... (some additional actions)
Delete traces
 
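The loop described in the post above (rename, "certutil -encode" into another file, delete the renamed original) is worth seeing in code, because "certutil -encode" is plain base64 between PEM-style BEGIN/END CERTIFICATE markers, not encryption, so every file it touched can be recovered with no key. The block below is an added example written for this thread; it is not code from the post, from the video, or from the malware. It emulates certutil's output format in Python rather than calling certutil.exe, and the renaming scheme (".tmp" then ".enc") and the sample victim files are assumptions made up for the demonstration; the real sample's file naming is not described here.

```python
import base64

# certutil -encode wraps base64 in these PEM-style markers (behaviour of
# certutil.exe); the 64-character line wrap is assumed for the emulation.
BEGIN_MARKER = "-----BEGIN CERTIFICATE-----"
END_MARKER = "-----END CERTIFICATE-----"


def certutil_encode(data: bytes) -> str:
    """Emulate `certutil -encode infile outfile` without running certutil.exe."""
    b64 = base64.b64encode(data).decode("ascii")
    lines = [b64[i:i + 64] for i in range(0, len(b64), 64)]
    return "\r\n".join([BEGIN_MARKER, *lines, END_MARKER]) + "\r\n"


def certutil_decode(text: str) -> bytes:
    """Undo certutil -encode: drop the markers and base64-decode the body."""
    body = [ln.strip() for ln in text.splitlines()
            if ln.strip() and not ln.strip().startswith("-----")]
    return base64.b64decode("".join(body), validate=True)


def simulate_encode_loop(files: dict[str, bytes], suffix: str = ".tmp") -> dict[str, str]:
    """Model the BAT's loop: rename each file, certutil -encode the renamed copy
    into a new file, delete the renamed original. Returns only the files that
    survive on disk afterwards, i.e. the encoded ones (names are assumed)."""
    encoded = {}
    for name, data in files.items():
        renamed = name + suffix                               # rename file -> file.tmp
        encoded[renamed + ".enc"] = certutil_encode(data)     # encode to another file
        # the renamed original is deleted, so nothing of it is kept here
    return encoded


def recover_files(encoded: dict[str, str]) -> dict[str, bytes]:
    """Recover everything the loop produced. Because only certutil-style base64
    is involved, no key is needed: whatever decodes cleanly is returned, and
    anything that is not certutil output or is damaged is skipped, not guessed."""
    recovered = {}
    for name, text in encoded.items():
        if not text.lstrip().startswith(BEGIN_MARKER):
            continue                       # not certutil -encode output
        try:
            recovered[name] = certutil_decode(text)
        except ValueError:                 # binascii.Error is a ValueError
            continue                       # truncated or tampered body
    return recovered


# Constructed sample victim files, not taken from any real infection.
VICTIM_FILES = {
    "report.docx": b"PK\x03\x04" + bytes(range(256)) * 3,
    "notes.txt": b"quarterly numbers\r\nline two\r\n",
}

if __name__ == "__main__":
    hit = simulate_encode_loop(VICTIM_FILES)
    for name, data in recover_files(hit).items():
        print(f"{name}: {len(data)} bytes recovered")
```

If the real sample's loop is as described, running the equivalent of `certutil_decode` over the surviving files (on Windows, "certutil -decode infile outfile" does the same job) restores the originals; the only information lost is the original file names, which is why the rename step matters more than the "encryption".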

Andy Ful

In the wild, the malicious BAT was wrapped in an EXE file that pretended to be an Excel document, so the BAT malware was not executed manually by the user. This means that the malware could also bypass SysHardener protection for BAT files and some SRP configs based on Default Security Level = "Basic User" (the "Disallowed" setting will block it).
It is possible that Kaspersky's proactive protection could block the initial EXE, especially with tweaked Application Control.
 