MALWARE on WordPress site | LNK file MALWARE ANALYSIS and HTA Deobfuscation

1.568 Lượt nghe

00:00

Update Required To play the media you will need to either update your browser to a recent version or update your Flash plugin.

Tải MP3

MÔ TẢ MP3TIẾP THEO

MALWARE on WordPress site | LNK file MALWARE ANALYSIS and HTA Deobfuscation

Analysis of a malicious LNK file which uses a compromised Uzbekistan website to launch a malicious HTA file, that in turn downloads and runs FormBook malware.

** Find me at **
Twitter/X - https://twitter.com/CyberRaiju
Blog - https://www.jaiminton.com/
Mastodon - https://infosec.exchange/@CyberRaiju

** Tools **
FLARE VM - https://github.com/mandiant/flare-vm
Notepad++ - https://notepad-plus-plus.org/
HxD - https://mh-nexus.de/en/hxd/
Urlscan - https://urlscan.io/
CyberChef - https://github.com/gchq/CyberChef
Detect-It-Easy - https://github.com/horsicq/Detect-It-Easy
LECmd - https://ericzimmerman.github.io/#!index.md
Link Parser - https://code.google.com/archive/p/link-parser

** Sample **
https://bazaar.abuse.ch/sample/77e14caae3daf05c1f5a6a3d10e4936cc58944d6ae9ec6943b1be6d995e94b5c/
https://bazaar.abuse.ch/sample/075d39cc0b27cbdb32eaffbf1a4536fdafc5238c7eba1e32c2001d9862e0fe7b
https://urlscan.io/responses/c1fb5c1305d935a96ad60a093298ecff9b3f309b446678fd6dcb619a4ac61b06/

** Website Scans **
https://urlscan.io/result/5271d468-7940-45a0-a32b-d823cd8eb61d/
https://urlscan.io/result/fc3a005d-ec54-4ea7-899e-41225f483ce5/#summary
https://urlscan.io/result/de9ff7fe-e1be-4902-bab4-a79466e3fd12/#summary

** Further Reading **
https://learn.microsoft.com/en-us/windows/win32/secauthz/security-identifiers
https://attack.mitre.org/software/S1074/

** Timestamps **
00:00 - Intro
00:13 - LNK shortcut file overview
01:02 - Analysing LNK files
02:04 - Mshta.exe running malicious .hta
02:42 - Parsing malicious LNK files
03:15 - LNK Parser Cmd
03:51 - Understanding Security Identifiers
04:30 - Tracking overlap between malicious LNK files
04:52 - LECmd
05:35 - Demonstrating useful LNK attributes
07:00 - Analysing compromised Wordpress website
07:54 - Analysing malicious HTA file
09:12 - Deobfuscating HTA with CyberChef
12:15 - Analysing 3rd stage payload
13:28 - Malware author mistake
14:56 - Deobfuscating PowerShell with CyberChef
15:48 - Locating final payload
16:56 - Outro

Credits:
SFX by Pixabay					

MALWARE on WordPress site | LNK file MALWARE ANALYSIS and HTA Deobfuscation

Nhạc Theo Chủ Đề

Liên kết website