File download information...
Last but not least, the injected code executes an embedded Mimikatz binary in order to steal locally stored credentials and, possibly, to move laterally.

Payload two: variant of ShadowWali

Our investigation led us to a compromised Japanese site where the attackers uploaded their malicious PHP code and the other xxmm payload (scommand.txt, SHA-1: 52921e7b488ee1a48ca098247a07d17ce610c235). Like the previous C&C payload, scommand.txt contains an encrypted payload.

After Wali decrypts the payload in memory with its hard-coded decryption key, it writes the decrypted contents to a .tmp file in the %temp% folder. Once the .tmp file is written to disk and executed, it in turn creates a batch file that is used for self-deletion. This self-deletion mechanism is common to both backdoors of the xxmm family and is found in the code of its "loadsetup" component:

C:\Users\123\Documents\Visual Studio 2010\Projects\xxmm2\Release\loadSetup.pdb

Downloaded payload details:
File name: rr2E9E.tmp (original name: test.exe)
SHA-1: 133C7B74E35D9DCC3BD43764CB18E59C1B74190F
PDB path: C:\Users\123\Documents\Visual Studio 2010\Projects\shadowWalker\x64\Release\BypassUacDll.pdb

The file timestamp of the rr2E9E.tmp binary is from May 2016. The resource section of the PE file contains two additional PE files:
102 (32-bit payload): 8123534DDE8AC4AF983DB302A06427AAB00EDD55
105 (64-bit payload): BC725B8FF4446A72539F5C5B0532CC0264A51D9C

ShadowWali: another xxmm backdoor

ShadowWali is also a member of the xxmm backdoor family, written by the "123" author, and can be considered Wali's older brother. The timestamps of most of the observed ShadowWali samples date back to 2015 and run until mid-2016, whereas Wali's timestamps run between 2016 and 2017. ShadowWali could therefore be viewed either as an older version of Wali or as a separate, older project that the 123 author developed.

Although there are many similarities between...
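The resource-section detail above (a dropper whose resources carry a 32-bit and a 64-bit PE, each with its own build timestamp and PDB path) is exactly what an analyst enumerates first when triaging an xxmm sample. The following is an added example, not code from the Cybereason report or from the xxmm author: a standard-library Python scanner that walks a byte blob, locates every embedded PE header by validating the e_lfanew pointer and the "PE\0\0" signature, and reports bitness (from the COFF Machine field), build date (from TimeDateStamp) and the PDB path stored in the CodeView "RSDS" debug record. The sample image it scans is constructed for the demonstration: header-only stubs that are not loadable PEs, carrying invented paths such as C:\build\loader\Release\loader.pdb and a constructed May 2016 timestamp; the real hashes and resource IDs from the report are not reproduced.

```python
"""Scan a byte blob for embedded PE images and report bitness, build
timestamp and the CodeView (RSDS) PDB path of each one, the way an
investigator pulls payloads out of a dropper's resource section.
Added example; not code from the report or the malware author."""
import struct
from datetime import datetime, timezone

# COFF Machine values for the two bitnesses seen in the resource section.
MACHINE_NAMES = {0x014C: "x86 (32-bit)", 0x8664: "x64 (64-bit)"}


def _pe_header_offsets(blob):
    """Return offsets of every 'MZ' stub whose e_lfanew points at a 'PE\\0\\0' signature."""
    found = []
    pos = blob.find(b"MZ")
    while pos != -1:
        if pos + 0x40 <= len(blob):
            e_lfanew = struct.unpack_from("<I", blob, pos + 0x3C)[0]
            pe = pos + e_lfanew
            # Heuristic sanity bounds: real DOS stubs are small, and the 24-byte
            # COFF header must fit inside the blob. Stray "MZ" bytes in data fail here.
            if 0x40 <= e_lfanew <= 0x400 and pe + 24 <= len(blob) and blob[pe:pe + 4] == b"PE\0\0":
                found.append(pos)
        pos = blob.find(b"MZ", pos + 1)
    return found


def _pdb_path(region):
    """Extract the NUL-terminated path that follows an RSDS CodeView record, if present."""
    idx = region.find(b"RSDS")
    if idx == -1:
        return None
    start = idx + 4 + 16 + 4  # 'RSDS' signature, 16-byte GUID, 4-byte age
    end = region.find(b"\0", start)
    if end == -1:
        return None
    return region[start:end].decode("ascii", errors="replace")


def scan_embedded_pes(blob):
    """Return one dict per PE found (outer image first, then embedded ones)."""
    offsets = _pe_header_offsets(blob)
    results = []
    for i, off in enumerate(offsets):
        pe = off + struct.unpack_from("<I", blob, off + 0x3C)[0]
        # COFF header after the signature: Machine, NumberOfSections, TimeDateStamp, ...
        machine, _nsections, ts = struct.unpack_from("<HHI", blob, pe + 4)
        # Search for this image's RSDS record only up to where the next embedded image starts.
        region_end = offsets[i + 1] if i + 1 < len(offsets) else len(blob)
        results.append({
            "offset": off,
            "machine": MACHINE_NAMES.get(machine, hex(machine)),
            "timestamp": datetime.fromtimestamp(ts, tz=timezone.utc).strftime("%Y-%m-%d"),
            "pdb": _pdb_path(blob[pe:region_end]),
        })
    return results


def build_fake_pe(machine, timestamp, pdb_path, payload=b""):
    """Constructed fixture (assumption, not a real sample): a header-only PE that is
    not loadable but carries a valid DOS/COFF header and an RSDS record."""
    dos = b"MZ" + b"\0" * 0x3A + struct.pack("<I", 0x40)  # e_lfanew = 0x40
    coff = b"PE\0\0" + struct.pack("<HHIIIHH", machine, 0, timestamp, 0, 0, 0, 0)
    rsds = b"RSDS" + b"\x11" * 16 + struct.pack("<I", 1) + pdb_path.encode() + b"\0"
    return dos + coff + b"\0" * 16 + rsds + b"\0" * 8 + payload


def build_sample():
    """Constructed dropper image: a 32-bit loader whose trailing bytes (standing in
    for a resource section) hold one 32-bit and one 64-bit payload PE."""
    may_2016 = 1462838400  # 2016-05-10T00:00:00Z, constructed to match a May 2016 build
    res_32 = build_fake_pe(0x014C, may_2016, r"C:\build\payload32\Release\payload32.pdb")
    res_64 = build_fake_pe(0x8664, may_2016, r"C:\build\payload64\x64\Release\payload64.pdb")
    # The stray "MZ " in the noise is deliberate: the scanner must not report it.
    resources = b"resource noise MZ " + res_32 + b"\0\0" + res_64
    return build_fake_pe(0x014C, may_2016 + 86400, r"C:\build\loader\Release\loader.pdb", payload=resources)


if __name__ == "__main__":
    for entry in scan_embedded_pes(build_sample()):
        print(entry)
```

On a real dropper, feed it the raw file bytes (or just the bytes of resource entries 102 and 105 carved out with a resource parser) and hash each reported offset range to compare against the SHA-1s above. The e_lfanew upper bound and the RSDS scan are heuristics suited to triage; a packed or deliberately mangled header will need a full PE parser rather than this signature walk.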
Updated: 7 months ago
Checked: 2 weeks ago
Keywords: asia ka what malware authors don want you to know evasive hollow process injection wp
asia-17-KA-What-Malware-Authors-Don't-Want-You-To-Know-Evasive-Hollow-Process-Injection-wp.pdf is a Portable Document Format (PDF) file, a cross-platform format that may contain an ebook, report, manual or general-purpose data. The download size reported by the server is 15.31 MB (16,057,501 bytes). The host server, www.blackhat.com, returned application/pdf as the content type of the download; the file was updated on 05/11/2018 and was last checked by Webeaver.com crawlers on 11/23/2018. You may use one or more of the keywords [asia ka what malware authors don want you to know evasive hollow process injection wp] to search for other files related to the one you are about to download.