0xdf
In this YouTube video on malicious LNK and JavaScript analysis, the speaker analyzes a LNK file and a JavaScript file uploaded to Malware Bazaar that appear to be related. The video goes through the steps of how the LNK file leads to the JavaScript file and how it downloads and executes it. The speaker then analyzes the hundreds of lines of JavaScript code and explains how it sets up downloads and runs another executable. The video also covers the analysis of a piece of malware, the creation of sub-functions within the malware, and the identification of suspicious techniques used by adversaries to bypass countermeasures. The analysis is done using a Windows VM and Linux.
In this section, the speaker analyzes a LNK file and a JavaScript file that were uploaded to Malware Bazaar by the same person and appear to be related. The speaker notes that the LNK file leads to the JavaScript file and goes through the steps of how it downloads and executes it. They then move on to analyzing the hundreds of lines of JavaScript code and describe how it sets up downloads and runs another executable. The speaker notes that the LNK file runs CMD with a specific string as a command, giving insight into how attackers use %COMSPEC% to run cmd.exe. The analysis is done using a Windows VM and Linux.
In this section, the speaker explains the process of analyzing a malicious JavaScript file. The script is decoded from a base64 string stored in a JavaScript variable, with the result redirected to null. The decoded JavaScript is then launched through a Windows call that relies on the file extension association to run it with wscript.exe, so the code is both encoded and executed on the system. The speaker uses Visual Studio Code to examine and rename the functions in the file to better understand the script's functionality. The script ultimately fails due to a 403 Forbidden error, but the analysis provides insight into the techniques attackers use to hide their processes and evade detection.
In this section of the video, the speaker explores a JavaScript code snippet and tries to understand its purpose. They use Node.js to test some of the functions and rename variables to better understand what each part does. They discover that the code includes references to System32, bitsadmin.exe, and the Spool Drivers Color directory, which are common in application whitelisting bypass methods. Although the exact purpose of the code is not clear yet, the speaker is making progress in identifying what each part does.
This section of the video discusses the analysis of a piece of malware, specifically the sub-functions within the malware that serve different purposes. One sub-function involves setting flags and passing different URL options, while another deals with creating and running different files. The analysis goes through each sub-function step by step, identifying how each operates and what it contributes to the overall purpose of the malware.
In this section, the speaker analyzes the colorcpl.exe file and predicts that it will copy the legitimate bitsadmin executable to the color directory, which is known for appearing on AppLocker bypass lists. Upon running colorcpl.exe and bitsadmin, a copy of bitsadmin can be found in the color directory. Further research on GitHub and Twitter reveals that this execution is a suspicious technique used by adversaries to get around countermeasures. The script then proceeds to download several files, including an executable, to a specific path and runs it. The domain used by the script is also identified but may not be accessible due to internet issues.
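The chain described in this and the earlier wscript.exe section (LNK runs cmd.exe, cmd.exe runs wscript.exe on a .js file, colorcpl.exe copies bitsadmin.exe into the color directory, and the copy then executes from there) can be written down as detection logic. The following is an added example for defenders, not code from the video or the malware; it assumes the color directory's full path is C:\Windows\System32\spool\drivers\color and uses a constructed "Key=Value; Key=Value" telemetry line format rather than any real sensor's output.

```python
from typing import Dict, List, Tuple

# Writable directory the video calls "Spool Drivers Color" (assumed full path).
COLOR_DIR = "c:\\windows\\system32\\spool\\drivers\\color\\"

def parse_event(line: str) -> Dict[str, str]:
    """Parse one constructed 'Key=Value; Key=Value' telemetry line into a dict."""
    fields = {}
    for part in line.split("; "):
        key, _, value = part.partition("=")
        fields[key.strip()] = value.strip()
    return fields

def classify(ev: Dict[str, str]) -> List[str]:
    """Return the names of the rules this event matches (empty list if none)."""
    kind = ev.get("Event", "")
    image = ev.get("Image", "").lower()
    parent = ev.get("ParentImage", "").lower()
    cmdline = ev.get("CommandLine", "").lower()
    target = ev.get("TargetFilename", "").lower()
    hits = []
    # Rule 1: colorcpl.exe writing an executable into the color directory
    # (the bitsadmin copy the video observes after running colorcpl.exe).
    if kind == "FileCreate" and image.endswith("\\colorcpl.exe") \
            and target.startswith(COLOR_DIR) and target.endswith(".exe"):
        hits.append("colorcpl_drops_exe_in_color_dir")
    # Rule 2: any process image running out of that directory (the copied bitsadmin).
    if kind == "ProcessCreate" and image.startswith(COLOR_DIR):
        hits.append("exec_from_color_dir")
    # Rule 3: cmd.exe handing a .js file to wscript.exe, the LNK -> cmd -> wscript chain.
    if kind == "ProcessCreate" and image.endswith("\\wscript.exe") \
            and parent.endswith("\\cmd.exe") and ".js" in cmdline:
        hits.append("cmd_spawns_wscript_js")
    return hits

def scan(lines: List[str]) -> List[Tuple[int, List[str]]]:
    """Return (line number, matched rules) for every line that matched at least one rule."""
    return [(i, h) for i, line in enumerate(lines, 1) if (h := classify(parse_event(line)))]

# Constructed sample telemetry mirroring the chain described in the video ("..." are placeholders).
SAMPLE_LOG = [
    r"Event=ProcessCreate; Image=C:\Windows\System32\cmd.exe; ParentImage=C:\Windows\explorer.exe; CommandLine=cmd.exe /c ...",
    r"Event=ProcessCreate; Image=C:\Windows\System32\wscript.exe; ParentImage=C:\Windows\System32\cmd.exe; CommandLine=wscript.exe C:\Users\lab\AppData\Local\Temp\stage.js",
    r"Event=ProcessCreate; Image=C:\Windows\System32\colorcpl.exe; ParentImage=C:\Windows\System32\wscript.exe; CommandLine=colorcpl.exe ...",
    r"Event=FileCreate; Image=C:\Windows\System32\colorcpl.exe; TargetFilename=C:\Windows\System32\spool\drivers\color\bitsadmin.exe",
    r"Event=ProcessCreate; Image=C:\Windows\System32\spool\drivers\color\bitsadmin.exe; ParentImage=C:\Windows\System32\wscript.exe; CommandLine=bitsadmin.exe ...",
    r"Event=ProcessCreate; Image=C:\Windows\System32\notepad.exe; ParentImage=C:\Windows\explorer.exe; CommandLine=notepad.exe",
]

if __name__ == "__main__":
    for lineno, hits in scan(SAMPLE_LOG):
        print(f"line {lineno}: {', '.join(hits)}")
```

Rule 2 will also fire on legitimate software that installs into that directory, so in production it is best paired with an allowlist of known images or with Rule 1 as a precondition.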
In this section, the speaker explains that they attempted to fetch the URL from their host, but it is already down. However, they were able to analyze the LNK file and determine that it downloads a JavaScript file, which is then decoded to download multiple binaries, databases, and other files to the host into a folder near the root of C:. It is presumed that this downloaded file is the bot that will continue to run. The speaker concludes by thanking the audience and indicating the end of the video.