

Recently, 360 Security Center’s threat monitoring platform detected an email phishing attack. The attack uses an information-stealing Trojan called Poulight. The Poulight Trojan has been in use since last year and has complete and powerful functions; this attack shows that it has begun to spread and be used overseas.

The attacker first drops a phishing file that uses RLO (Right-to-Left Override) technology. Using RLO, the phishing file originally named “ReadMe_” is displayed as “ReadMe_knl.txt” on the user’s computer. At the same time, if the attacker sets the icon of the lnk file to the Notepad icon, the user can easily mistake it for a harmless txt file, which is extremely confusing. In this way, the user believes they are opening a txt file but actually executes the code prepared by the attacker.

The system executes the PowerShell command in the shortcut’s “target” field as customized by the attacker, which downloads the malicious program https//iwillcreatemediacom/build.exe, sets it as a hidden file, and runs it. After analysis, the downloaded malicious program was compiled with .NET and its internal name is Poullight.exe.

The putt圓.exe downloaded to the local machine first checks whether the current environment is a virtual machine or a virus analysis environment. This check is used to evade some sample-analysis sandboxes. After passing the environment check, the Trojan creates threads to execute its real malicious function modules.

First, the Trojan loads its own resources, Base64 decodes them, and obtains the configuration content:

MHwwfDEyQ051S2tLSzF4TEZvTTlQNTh6V1hrRUxNeDF5NTF6Nll8MTJDTnVLa0tLMXhMRm9NOVA1OHpXWGtFTE14MXk1MXo2WXwwaHR0cDovL3J1LXVpZC01MDczNTI5MjAucHAucnUvZXhhbXBsZS5leGU=

The value of is converted to lowercase and “pl2d4vfegvbqddddkms0zhqii0i” is created as the file name under the %TEMP% directory; the written content is a random value of 8 to 32 bytes.
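The RLO display trick described above, shown from the detection side as an added example (this is not code from the 360 report): it approximates how a file manager renders a name containing U+202E, recovers the real extension, and flags the mismatch. The sample file name is constructed from the “ReadMe_knl.txt” display quoted above; the exact original name is not shown on the page.

```python
# Added example: detect a Right-to-Left Override (U+202E) in a file name,
# approximate the displayed form, and recover the real extension.
RLO = "\u202e"   # RIGHT-TO-LEFT OVERRIDE
PDF = "\u202c"   # POP DIRECTIONAL FORMATTING (ends an override)
BIDI_CONTROLS = {"\u202a", "\u202b", "\u202c", "\u202d", "\u202e",
                 "\u2066", "\u2067", "\u2068", "\u2069"}


def rendered_name(name: str) -> str:
    """Approximate how a file manager displays `name`: text after an RLO
    (up to a PDF or the end of the string) is drawn reversed. This is
    accurate for ASCII names; the full bidi algorithm has more cases."""
    out, i = [], 0
    while i < len(name):
        ch = name[i]
        if ch == RLO:
            end = name.find(PDF, i + 1)
            end = len(name) if end == -1 else end
            out.append(name[i + 1:end][::-1])
            i = end + 1
        elif ch in BIDI_CONTROLS:
            i += 1          # other controls are invisible; drop them
        else:
            out.append(ch)
            i += 1
    return "".join(out)


def real_extension(name: str) -> str:
    """Extension of the file as the OS sees it, ignoring bidi controls."""
    clean = "".join(c for c in name if c not in BIDI_CONTROLS)
    return clean.rsplit(".", 1)[-1].lower() if "." in clean else ""


def inspect_name(name: str) -> dict:
    """Summarise what the user sees versus what will actually run."""
    shown = rendered_name(name)
    shown_ext = shown.rsplit(".", 1)[-1].lower() if "." in shown else ""
    return {
        "has_bidi_override": any(c in BIDI_CONTROLS for c in name),
        "displayed_as": shown,
        "real_extension": real_extension(name),
        "extension_mismatch": shown_ext != real_extension(name),
    }


# Constructed sample: "ReadMe_" + RLO + "txt.lnk" is shown as ReadMe_knl.txt
SAMPLE = "ReadMe_" + RLO + "txt.lnk"

if __name__ == "__main__":
    print(inspect_name(SAMPLE))
```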
