NET compiled and obfuscated with ConfuserEX, a free and open-source protector for. All the executables in this campaign are. The executable is extracted and executed from the %AppData% folder. The password-protected RARsfx contains one file, an executable payload. In later samples, some of the RARsfx archives do not have a decoy file, and moreover, the destination path of the RARsfx components is changed to the %temp% folder.įigure 6: The email sample containing a RARsfx with no decoy component The Payload Along with this process, a command prompt is invoked, and the decoy image or PDF attempts to hide this from view.įigure 4: The command prompt invoked by the batch file from the RARsfx in Figure 1įigure 5: Malicious RARsfx in action with image decoy The batch script specifies the password of the archive and destination folder where the payload will be extracted. The execution of the batch file leads to the installation of the malware lurking within the password-protected RARsfx. The batch file is launched first followed by an image or PDF file. The script commands from the parent RARsfx silently extract these components to the %AppData% folder with existing files overwritten.
0 Comments
Leave a Reply. |
AuthorWrite something about yourself. No need to be fancy, just an overview. ArchivesCategories |