
Photominer worm spreads via insecure FTP servers archive

In the past months we published a white paper exploring the risks that users can encounter when downloading material from P2P sharing networks, such as the Torrent one. We discussed how crooks easily lure their victims into downloading malware along with the desired content. Recently, our threat monitoring operations pointed us to an interesting file named "Lucio Dalla Discografia Completa": this file pretends to be the complete discography of a famous Italian singer, but it actually hides malicious intents. For this reason, Cybaze-Yoroi ZLAB dissected this malware threat, revealing its hidden virulent nature.

Technical Analysis

As anticipated, the file downloaded from the BitTorrent network is an executable. A quick recon revealed it actually is an SFX archive containing several other files.

Table 1: Static information about the miner dropper

The use of an SFX archive allows the attacker to hide the content of the malicious PE and significantly reduce the detection rate. Opening the sample with a common archive manager like WinRAR or 7z unveils its content. The archive contains more than a dozen files.

Figure 1: 16 temporary files used during execution. On the right of Figure 1 it is possible to see the SFX configuration file.

After the auto-extraction, the first file run is "run.vbs". Its content is minimal and quickly redirects execution to a small batch file, "installer.bat", contained in the same folder. It runs installer.bat (the filename) with the parameters "0" (WindowStyle hidden, to avoid hidden windows because they may trigger antivirus heuristics) and "true" (WaitOnReturn). The content of "installer.bat" is also minimal and points to a more complex text file, "007.tmp", later renamed "007.bat".
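As an added triage example (not code from the report or from Cybaze-Yoroi), the following Python helper pulls the SFX script block out of an executable and flags the two traits described above: a file launched automatically after extraction and a fully silent window mode, plus the WScript.Shell Run call with window style 0 used by run.vbs. The marker strings and directive names are the documented 7-Zip and WinRAR SFX script syntax; the sample blobs and the VBS snippet are constructed, not the real dropper's bytes.

```python
import re

# Constructed samples mimicking the chain described above; not the real dropper's bytes.
SAMPLE_7Z_SFX = (
    b"MZ\x90\x00 <constructed PE stub bytes> "
    b';!@Install@!UTF-8!\r\nTitle="Lucio Dalla Discografia Completa"\r\n'
    b'RunProgram="wscript.exe run.vbs"\r\nGUIMode="2"\r\n;!@InstallEnd@!@'
)
SAMPLE_RAR_SFX = (
    b"MZ\x90\x00 <constructed PE stub bytes>\r\n"
    b";The comment below contains SFX script commands\r\n"
    b"Setup=run.vbs\r\nTempMode\r\nSilent=1\r\n"
)
SAMPLE_VBS = 'Set ws = CreateObject("WScript.Shell")\r\nws.Run "installer.bat", 0, True\r\n'

AUTORUN_KEYS = {"RunProgram", "ExecuteFile", "Setup"}  # directives that launch a file after extraction
SILENT_KEYS = {"GUIMode": "2", "Silent": "1"}          # values that suppress every dialog
RAR_DIRECTIVE = re.compile(rb"^(Setup|Silent|TempMode|Path|Overwrite)(?:=([^\r\n]*))?\r?$", re.M)
RUN_CALL = re.compile(r'\.Run\s*\(?\s*"([^"]+)"\s*,\s*(\d+)\s*,\s*(True|False)', re.I)


def extract_sfx_config(data: bytes) -> dict:
    """Return the SFX script directives embedded in an executable as {key: value}."""
    cfg = {}
    block = re.search(rb";!@Install@!UTF-8!(.*?);!@InstallEnd@!@", data, re.S)
    if block:  # 7-Zip SFX keeps its config in a marked text block appended to the stub
        cfg["kind"] = "7z"
        for key, val in re.findall(rb'(\w+)="([^"]*)"', block.group(1)):
            cfg[key.decode()] = val.decode()
        return cfg
    rar = RAR_DIRECTIVE.findall(data)
    if rar:  # WinRAR SFX keeps its directives as plain lines in the archive comment
        cfg["kind"] = "rar"
        for key, val in rar:
            cfg[key.decode()] = val.decode()
    return cfg


def sfx_findings(cfg: dict) -> list:
    """Flag directives that make extraction both automatic and invisible to the user."""
    out = [f"auto-runs after extraction: {k}={cfg[k]}" for k in sorted(AUTORUN_KEYS & cfg.keys())]
    out += [f"fully silent extraction: {k}={v}" for k, v in SILENT_KEYS.items() if cfg.get(k) == v]
    return out


def vbs_hidden_runs(script: str) -> list:
    """Return (command, wait_on_return) for each WScript.Shell Run call using window style 0."""
    return [(cmd, wait.lower() == "true") for cmd, style, wait in RUN_CALL.findall(script) if style == "0"]
```

Run the three functions over the dropper bytes and each extracted script file; a hit on both an auto-run directive and a silent mode, followed by a hidden Run call, is the pattern worth escalating.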
